A former Canadian hacker is back in the limelight – this time, with a documentary preaching cybersecurity, and a top film festival slot. So how did Michael Calce get from there, to here?
Back in 2000 when Calce was 15, he was better known as Mafiaboy. He became infamous for discovering a common weakness in some of the web’s largest sites, including Yahoo!, and using it to bring them to their knees. Law enforcement caught him after he was too vocal on IRC networks, and he spent a long time working his way back from a period of jail time.
Calce had been using computers since he was six years old, when his father brought one home from work. He spent his younger years getting to know his way around his machine, and the online services it connected to. Aged nine, he hacked AOL so that he could stay online past the 30-day free trial period that the service offered.
By 15, his skills had evolved. He was heading up a crew of hackers that he interacted with online, but he wanted to pull off a large stunt. He enlisted the help of another hacker, called ‘Sinkhole’, who had written a denial of service (DoS) attack tool called Slice. Sinkhole agreed to modify the tool, while Calce built out networks of compromised computers that he eventually used to attack a variety of sites.
On Feb 7th 2000, the day he brought down Yahoo!, Calce wasn’t even paying attention. The teen set his tool on a timer and headed to school. While he was there, he knew that it would point his network of compromised machines at the search site, but he assumed that the attack would fail. He simply hoped to learn something in the process. It was only when he got home that afternoon that he realized how successful the software had been. Yahoo! had gone offline.
Calce may have had a colleague create his attack tool for him, but he was no script kiddie. “I always had a good base of knowledge and skills to start with,” says the security consultant, who is entirely self-taught.
Nevertheless, that knowledge didn’t stop him getting caught. After he further demonstrated his power by taking down eBay, Amazon, Dell, E*Trade and CNN, RCMP officers working with the FBI apprehended him in a nighttime raid. He served eight months at a halfway house, and the judge restricted his use of computers for two years. That made it impossible for him to pursue a college degree or university course.
After the restriction was lifted, he focused on refining his knowledge, and started offering his services on a freelance basis. He banged the cybersecurity drum in the early days, using his notoriety as a way to grab attention.
“For the first few years after my release I worked on raising awareness and started using my story as a catalyst to make companies and people understand that there was a real threat,” he says.
Nevertheless, it was hard getting his foot in the door. Some companies – particularly in financial services – found his past distasteful and at odds with their values.
“I started slow, not just to establish myself in this industry, but also to rebuild credibility,” he says. “They’re obviously very wary about having a reformed hacker poking around in their networks.”
Most of his early work after getting back online was by word of mouth. He eventually released a book in 2008 and began working with a penetration tester in Canada (whom he will not name). The professional took the young Calce under his wing, and helped him hone his technical skills.
For the past eight years, he has been pen testing on a freelance basis, and finally started his own company, Optimal Secure, 18 months ago. He waited to take that step until he was sure that his technical skills were sharp enough, he says.
Now, the partnership with HP on the movie Rivolta (which was also the name for his Yahoo!-killing hacking tool) is likely to bring him further into the media spotlight. The 20-minute short, which talks about his early exploits and how cybersecurity has changed, airs at HotDocs in late April.
While it may rankle with some in the early days, a little lockdown time doesn’t necessarily harm a hacker’s long-term career. Famed hacker Kevin Mitnick, incarcerated from 1995 until shortly before Calce went to jail in 2000, was the subject of the movie Freedom Downtime, made by the organizers of 2600 magazine. They also famously supported him with their Free Kevin campaign.
Mitnick has also authored several books, including his own tell-all ‘black hat turned white hat’ bio. He now works as a cybersecurity consultant and speaker.
Some companies may be wary of former black hats, but over time, Calce’s past has helped him from a marketing perspective, he admits, especially now that he has spent more than a decade building his credibility as a pen tester. After all, it must have been instrumental in landing him HP’s help, and a slot at HotDocs, which will in turn give his fledgling company a boost.
Companies have finally learned to trust him. “I don’t think they realized the benefit of being a reformed hacker at that point,” he says, but being able to think like a black hat is vastly underrated.
“Nowadays,” he concludes, “it’s probably the strongest asset that I have.”