Saturday, April 11, 2009

mafiaboy @ it360: The Dark Side Has Learned

Screenshot: it360.ca: Opening Keynote: Mafiaboy: How I Cracked the Internet and Why It's Still Broken
By Michael Calce with Craig Silverman
Credit: it360.ca
I don't normally condone the lionising of crackers; it only encourages the little pests. (It's like calling graffiti vandals "artists".) Allowing a major exploit to be the foundation of a security career also strikes me as a perverse incentive. However, a suitably public recantation and credible evidence of reform should be accepted, so I was prepared to listen to the keynote dialogue between Craig Silverman and Michael Calce (Mafiaboy) at IT-360.

Like Torvalds, Calce was introduced to computers extremely young, and began to explore their internals very thoroughly. Unlike Linus, he had the misfortune to fall in with the wrong "community".

The famous exploit that took down Amazon and Yahoo was devised as a weapon for use in juvenile gang warfare on the Internet, but the damage it caused was not so much deliberately anti-social behaviour, more an example of "Sorcerer's Apprentice Syndrome". Like Robert Morris' 1988 worm, a combination of misapplied (and inadequately tested) skill and adolescent lack of foresight caused damage way beyond its instigator's intentions, and promptly terrified him with its consequences.

Although he still wants to be acknowledged for the technical skill, knowledge, and (perverse) creativity he clearly displayed, Calce seems to have acquired a moral compass as a result of his experiences, and aims to use those attributes in a positive way. What he had to say about the evolution of the Internet since 1998 wasn't really news to anyone who's been watching. (There was some novelty in his suggestion that the fuss over Conficker and April 1 was a diversionary tactic to conceal some other timing or target.)

The Dark Side has learned, and morphed from pointless and largely inconsequential (to anyone else) tribal squabbling to serious, financially-motivated crime, with large potential rewards. The threats are greatly enhanced by the multiplication of the bandwidth available to individuals for attacks like DDoS.

The forces of good, on the other hand, are still stuck with an architecture designed for a basically trustworthy environment. In particular, BIND and named are fundamentally broken. Unlike the bad guys, the commercial world appears not to have learnt very much, because it keeps enabling the same old exploits (buffer overflows, memory corruption, &c.), and enabling new ones (XSS, &c.).

I'll attribute to youthful naivety his proposed solution of government-level certification of programs. Even if it were possible to restrict the code visible to the Internet, the demonstrated ineptness of government and law-enforcement in networking matters makes any idea of officially-inspired solutions a bad joke. (That's my opinion, not Calce's.)

Even if there were no world-class insights revealed, the event was sufficiently interesting that I might take the book out of the Library.

2009 © AR
links:
it360.ca: Opening Keynote: Mafiaboy: How I Cracked the Internet and Why It's Still Broken
itworldcanada.com: Mafiaboy to headline IT 360
By: Jennifer Kavur - Computer World Canada (24 Mar 2009)
mafiaboybook.com: Mafiaboy: How I Cracked the Internet and Why It's Still Broken
sipgroup.blogspot.com: IT360° Show + HiTech Career Fair + Entrepreneurial Success Stories
bizjunction.blogspot.com: mafiaboy @ it360: The Dark Side Has Learned
by AR
