Criminal - Break The Internet
Episode Date: November 26, 2014In 1999, most of America's tech hysteria centered around Y2K. But at that same time, a teenager in Canada named Mike Calce was messing around in chat rooms, meeting hackers, and learning tricks. At 15..., he decided to put his knowledge to the test. To push up against the Internet's limits, and in some places, break them. In the end, he managed to pull off something no one had ever seen before. Today, we talk to the self-proclaimed “MafiaBoy.” Say hello on Twitter, Facebook and Instagram. Sign up for our occasional newsletter, The Accomplice. Follow the show and review us on Apple Podcasts: iTunes.com/CriminalShow. We also make This is Love and Phoebe Reads a Mystery. Artwork by Julienne Alexander. Check out our online shop. Episode transcripts are posted on our website. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
Discussion (0)
Support for Criminal comes from Apple Podcasts.
Each month, Apple Podcasts highlights one series worth your attention,
and they call these series essentials.
This month, they recommend Wondery's Ghost Story,
a seven-part series that follows journalist Tristan Redman
as he tries to get to the bottom of a ghostly presence in his childhood home.
His investigation takes him on a journey involving homicide detectives,
ghost hunters, and even psychic mediums, and leads him to a dark secret about his own family.
Check out Ghost Story, a series essential pick, completely ad-free on Apple Podcasts.
Your own weight loss journey is personal.
Everyone's diet is different. Everyone's bodies are different.
And according to Noom, there is no one-size-fits-all approach. Thank you. for a healthier lifestyle. Stay focused on what's important to you with Noom's psychology and biology-based approach.
Sign up for your free trial today at Noom.com.
How easy would it be for you to hack into my stuff right now?
If I really wanted to and I was at a computer,
it would probably take me about half an hour.
And you could find out everything?
I'd find out everything. Your bank account information, your Twitter password, all your passwords to all your accounts.
Half an hour?
Give or take.
This is Mike Calci. Like so many of us, he first accessed the internet in the early 90s,
when AOL started sending their floppy discs and later CDs through the mail. At one point, half of the CDs in the world are being
produced for AOL's direct mail campaign. Every six seconds, someone new signed up.
Welcome.
Kalche was nine or ten years old, living with his parents in Montreal.
AOL is actually what made me want to be a hacker or kind of forced me to be a hacker
because that 30-day process where they allow you internet for free 30 days
I wasn't sure if my father was going to give me his credit card number to reinstate the service
so what I had to do was I found an application that allowed you to log on to AOL
and appear to other people as if you were an administrator of AOL.
And I was messaging other users saying, excuse me, due to a power outage at one of our facilities, we need to verify your password.
And sure enough, the first four out of four gave me their passwords.
And I was using other people's AOL account information to stay online.
Wait a second, you're 10 years old. Are you thinking the whole time, oh my god, this is working, I can't believe this is working, this trick?
I was kind of, I guess, surprised in the sense that it was this easy.
I would have figured it would have taken a few attempts.
I knew I would have got somebody at some point, but to go four for four on the first attempt, I was like, okay, this is like, no problem. I have internet permanently now.
Of course, most kids feel like they can get away with anything. But if by fifth grade,
you're already smarter than most of the adults around you, maybe you actually can.
I'm Phoebe Judge, and this is Criminal.
In many ways, Calche's early experience with the internet wasn't so different from a lot of people's.
It started with AOL, but then he found out you could download stuff,
movies, music, games, all free, albeit illegal, if you knew where to look. But the thing was, there was like a queue list where you had to
wait in line because other people wanted the software as well. So I kind of wanted to find a
way to like, you know, skip the system and be able to just download whatever I want. Access to this
free stuff was run by hackers, and Kalche realized he could skip the
line if he found a way to work with them. So he sent a message to someone he thought was in charge.
And he said, oh sorry, look, we're only looking for experienced hackers already. We're not
interested in noobs, which is basically like someone who has no idea what they're doing and
is new to the industry. I said, look, give me two weeks, give me a trial period. I'm a very fast learner
and I promise I won't disappoint you. The guy gave Calche a series of tests and he passed.
He was good, really good. He was breaking into university networks. Yale, UCLA, Harvard.
So you're 11 or 12 now and you're trying to break into UCLA and Harvard.
Exactly. So I had to like pretend to go to sleep then wake up, and then go back on the computer.
And typically I would sleep through the first two classes of school every morning
because I spent most of my hacking activities at night.
By high school, Kalchei had hooked up with what he describes as basically a group of elite Russian hackers.
He considered them his friends. But there was a lot of paranoia.
You couldn't really be sure of who you were talking to
or what they were capable of.
And it wasn't just online.
They also talked on the phone.
As Kalche explains it,
someone would steal a credit card number
and use it to buy a conference call line.
It was kind of like a Friday night thing.
And someone would post a phone number and post a pin,
and a bunch of hackers would go on this conference call line.
And what would you do once you got there?
Every instance was a bit different, but a lot of it is mumbo-jumbo
because there's, you know, 30 hackers, like, basically talking trash to each other.
But in one instance, there was an American hacker on one end,
and there was a Russian hacker on the other end.
And they were basically calling each other out.
The American was threatening to divulge the Russian's personal information.
The term is doxing.
And in this hyper-anonymous world, it basically shows your own skill while embarrassing the other guy.
And, you know, a few other of the hackers were egging them on and saying, like, all right, let's see what you guys got.
Let's go, let's go.
And so they started going at it and like throughout the process of the phone call the american hacker was kind of like taunting the russian like oh yeah i'm getting it i'm getting
your information right now as we speak yeah but i will find it he's like don't worry and the russian
was really silent not really saying anything at some point like 20 minutes down this conversation the American's like
all right I'm getting pretty close I'm accessing some of your information and and the Russian
finally speaks up and he's like well you don't have to do that and the American's like what are
you talking about and then the Russian starts going off listing off his parents name his home
address and social security number the american like
started admitting defeat like he started pleading he's like please no no like all right i i give
and the russian's like no i'm not done with you you were talking a big game like now let's see
what's going on and the american started screaming on the phone and he's like he's like what the hell
did you just do what the hell did you just do? What the hell did you just do?
And the Russian's like, bye-bye, kiss mommy goodnight for me.
And, I mean, I don't know if I want to say this too explicitly,
but the American was like, holy shit, you cut the fucking power from my house.
So he's sitting there in the dark.
He's sitting there in the dark, and he's on the phone line.
He was just freaking out, losing it, and then people started exploding on the dark. He's sitting there in the dark and he's on the phone line. He was just freaking out, losing it. And then people started exploding on the chat. I was very impressed and in awe with
what he was capable of doing. Just for context, that was 1999, the same year that people were
freaking out about Y2K and Al Gore claimed to have created the internet. So much of these chatroom pranks were about one-upmanship, about making other hackers
afraid of you, and Kalche had yet to try. So the following year, in February of 2000, he made his
move. And I basically shut down eBay, CNN, E-Trade, Dell, and Amazon.com. How did you do that?
Basically what I did is I hacked into almost every major university, college in America,
and I combined them all together.
I made a massive network by combining all the universities and colleges that I had compromised together.
And I basically set them up as slaves. And I set one master network.
That was like the boss let's say.
And when I would tell that master computer.
To shoot all your bandwidth.
All your internet speed.
That you have available.
To this one designated site.
All the other universities and colleges.
That I had compromised.
Would respond at exactly the same time.
So it would launch like a coordinated attack. And so I would say, all right, I'd go to the master computer and
say, all right, here's eBay's IP address. Let's target eBay. At this point in time in 2000,
on the scale of large business hacks, where did this rank? At the time, it was definitely the biggest hack.
Over the course of a week, Calche basically broke the websites of E-Trade, Yahoo, Buy.com, eBay,
Dell, CNN, and Amazon. By most estimates, the attack caused $1.7 billion in lost revenue,
even though the sites were only down for a few hours.
We asked a couple of other hackers what they thought about it, and they said Calche demonstrated
what many in the community already knew was possible.
He basically proved just how powerful the technology could be.
So where were you when you got arrested?
I was at a friend's house, actually, ironically, watching a Goodfellas movie.
It was three in the morning, give or take, and I received a phone call from my father saying, you know, they're here.
And I'm like, pardon me? Who's there?
But I could tell by the tone of his voice that, you know, the show was over, basically, and that the RCMP, which is like the Canadian version of the FBI, and the FBI as well, were in a joint task force
and they had raided my house.
And your parents, I mean, your parents know nothing of what's going on when the police
and the FBI show up at the door?
My dad knew at this point because I had told him prior to getting raided
that I was the person responsible for these attacks.
What was his response?
You know, I was pretty smart about it.
Like, basically, I had to pick the right time to tell him,
and I picked a Sunday when he was, like, you know, eating a nice panini and...
Wait, I don't know.
He's got the panini so he doesn't care about the New York Stock Exchange.
It's okay, he's got the sandwich.
Right, he's got the sandwich, you know.
So I figured like the best time to deliver this kind of news
is when you're in the process of eating some good food.
I figured it would kind of alleviate some of the stress involved
with what I'm about to tell him.
And, you know, my dad's a cool, calm, collected kind of guy.
So he took it rather well.
He was kind of shocked.
But he was very professional about it and said,
listen, we need to go see a lawyer.
We need to get prepared.
And that's exactly what we did.
Before they even raided me,
I had already seen a lawyer on three, four, several different
occasions. But they couldn't protect you from jail? Nobody could at this point. And, you know,
quite thankfully, I guess I was 15 years old at this point, because if I was 18, I don't think
we'd be talking over the radio right now. Because Calche was a minor, the police couldn't release
his name. Media outlets referred to him only as his alias, Mafia Boy.
Janet Reno, the attorney general, referred to him only as Mafia Boy.
The suspect who goes by the online name Mafia Boy has been charged in connection with a cyber attack on the CNN network website.
I believe this recent breakthrough demonstrates our capacity to track down those
who would abuse this remarkable new technology. He pleaded guilty to 57 counts of, quote,
mischief to data in the Montreal Youth Court and was sentenced to eight months in a youth
detention center and a year of probation after that. He could go to school, but he couldn't use
a computer. Wired magazine reported it as, quote, the cyber
strike that put the internet security issues on a national stage and inaugurated an era where any
pissed off script kitty could take down part of the web at will. I was very content that I was
able to accomplish this goal. I felt like a sense of accomplishment when I was, you know, hacking and
able to infiltrate such high profile targets.
If you hadn't gotten caught, would you still be, would you still be hacking?
Absolutely not. Because to be quite honest with you, if I wanted to hack, I still could hack.
They caught me for those attacks because I was boasting about them in public chats.
And that's when they started to like single me out and, you know, really divert
their attention towards me. They never found me through technical means. It's not like I left
digital footprints anywhere. I knew what I was doing. The point is, is that it's wrong.
When Calche got caught, a reporter pointed out to Janet Reno that Calche was a minor and asked
how the justice system was equipped to handle kids that caused so much damage. She didn't say we'd be able to stay one step ahead of
them. She said she thought we needed to teach them better manners.
That they are not going to be able to get away with something like this because
of age. There has got to be a remedy, there's got to be a penalty, but more importantly,
we have got to renew our efforts to teach young people,
children, young people, cyber ethics, so that we ensure that this tool is used by all concerned
to expand our opportunity for learning, for communication, for commerce.
It's like a game of cat and mouse, where the cat is asking the mouse to slow down and play nice.
Kalche is 31 now. He makes a living trying to help companies find weak spots in their networks.
A lot of people in the cybersecurity industry are like him.
Kids who started out breaking things, all grown up and now in high demand.
Criminal is produced by Lauren Spohr,
who debuted on AOL as the book princess,
Eric Menel, a.k.a. Red Sox 1302,
and me, Phoebe J. 44,
that's unchanged for 20 years.
Julianne Alexander does our episode art.
You can find all of our episodes on iTunes,
where you can subscribe to the show.
Our website is thisiscriminal.com.
We're on Facebook and Twitter,
at Criminal Show.
And thanks to all who donated to the Radiotopia Kickstarter.
We made the goal and we're looking forward to bringing you more new shows next year.
As part of Radiotopia, we'll be working with shows like Benjamin Walker's Theory of Everything.
His newest episode features Ethan Zuckerman,
the guy who invented the pop-up ad.
Turns out he thinks internet advertising has gotten out of hand.
To try to convince investors that ads are somehow going to be worth money,
because it's very clear that no one likes them, no one wants to encounter them,
we've had to make them more and more intrusive,
and we've functionally had to put people under surveillance.
That's Benjamin Walker's theory of everything.
I'm Phoebe Judge. This is Criminal.
Goodbye.
What scares you?
What scares me is that if this gets to the level of terrorism one day,
where people, you know, water sanitation sites and stuff,
like the water being pumped into your home is pretty much all automated these days and you know they put fluoride in our water they
put different chemicals and it's it's mainly all balanced to be safe but what if a hacker obtains
access to one of these uh water facilities and and changes the the fluoride levels so that it's
actually poisonous and harmful to human beings uh These are the type of things that scare me.
Shutting off power in hospital facilities,
making automated defense missile systems launch against their own nation.
These are things that really scare me.
Support for this podcast comes from Anthropic.
It's not always easy to harness the power and potential of AI.
For all the talk around its revolutionary potential,
a lot of AI systems feel like they're designed for specific tasks performed by a select few.
Well, Claude, by Anthropic, is AI for everyone.
The latest model, Claude 3.5 Sonnet, offers groundbreaking intelligence at an everyday price.
Claude's Sonnet can generate code, help with writing,
and reason through hard problems better than any model before.
You can discover how Claude can transform your business at anthropic.com slash Claude.
Do you feel like your leads never lead anywhere and you're making content that no one sees
and it takes forever to build a campaign? Well well that's why we built HubSpot it's an AI powered customer platform
that builds campaigns for you tells you which leads are worth knowing and makes writing blogs
creating videos and posting on social a breeze so now it's easier than ever to be a marketer
get started at HubSpot.com marketers