Posted 20 Apr 2000 00:00:00 UTC

We'd like to officially express our skepticism on the recent arrest of a Montreal teenager for the Denial of Service attacks back in February. Naturally, we always have reason to be somewhat doubtful whenever the authorities claim to know the first thing about the Internet. But in this case, we wanted to see just how clueless they could possibly be. When the name "mafiaboy" was first mentioned months ago, a couple of us hopped onto IRC using that nick. Sure enough, within seconds, we were being messaged by people who believed we were the person responsible. Amazingly, the person who fell for it the hardest is the very person now being quoted widely in the media as having caught the perpetrator. Now perhaps this is all just a big coincidence. But as you can see from the IRC logs below, we dropped a few clues that the person was in a country with snow and at one point "accidentally" spoke French to imply the province of Quebec. We were amazed when the blame actually landed on someone from Montreal.

A good question to ask is why we would want to cause such confusion and mayhem. The answer is to prove a point. That all one needs to do to be considered a suspect is change a nickname on IRC. We had absolutely NO proof that we could provide to make this fictitious person responsible in any way for the attacks. Yet we were believed by countless people, including the "expert" who is taking credit for the arrest. And now we see that the main piece of evidence against the real person who was arrested is the fact that he was "bragging" in an IRC channel. Please. If this is indeed the person responsible (and what a geographical coincidence THAT would be), we'd like to see them held accountable to a REASONABLE degree. But in order to do this fairly, the evidence must be made public. Otherwise, we will continue to believe that the authorities and the media are more interested in sending a message than actually achieving justice.

[We begin the log after a brief conversation explaining why and how we are on IRC from a different address.]

  • *icee* is the "security expert" who first pointed the finger at someone named mafiaboy, based solely on conversations he had on IRC.
  • [mafiaboy] is 2600 staff posing as someone on IRC named mafiaboy, shortly after his name was first reported in the news.

    February 10, 2000 1:07:35 AM
    [mafiaboy] if they are looking for this person, they sure as hell would be
    *icee* now that is ALL I CAN SAY until i hear more from you
    *icee* my docs are this: Michael Lyle, 408-238-3090
    *icee* go to a payphone for all the fuck i care
    *icee* that way, if you really want, you can take the communications out of band.
    *icee* But before i can talk to you, i need that piece of information.
    [mafiaboy] one question
    *icee* sure.
    [mafiaboy] if you have this info. who have you told?
    *icee* I can't tell you that, until you tell me the other piece
    *icee* but i told no one anything that wasn't already out there.
    [mafiaboy] well no one was fucking msging me an hour ago
    *icee* look, i'm neither your friend nor your enemy.. i'm an interested party
    [mafiaboy] brb
    *icee* I'm much closer to a friend than your enemy, though.
    [mafiaboy] ok
    [mafiaboy] since we need to build some trust here
    [mafiaboy] let's cover some things that don't involve disclosing anything non-public
    *icee* okay.
    [mafiaboy] i need to know why people just started msging me.
    *icee* because information about you was disclosed about you on a news broadcast by my company.
    [mafiaboy] you work for a news agency?
    *icee* i can't tell you where that information was obtained until I build some trust with you
    *icee* no, i work for a computer security firm.
    *icee* Please don't wig out at that
    [mafiaboy] so is that your interest in this?
    *icee* Not really.
    *icee* Pieces of it.
    *icee* If i can benefit myself without hurting you, i'll take advantage of it.
    *icee* But um, i've been in a situation similar to yours before
    [mafiaboy] so then, why did you go to the media if no one knew yet?
    *icee* i can't really talk about that until we build more trust
    *icee* because everyone already knew-- just no one had broken the story hurt you
    [mafiaboy] whois everyone?
    *icee* fuck.
    *icee* look, i need to know more from you
    *icee* before i can go into this.
    [mafiaboy] well wtf
    *icee* and i need to be on a secure mode of communication
    [mafiaboy] "everyone" USUALLY includes the media!
    *icee* i need to be assured you're not calling into a dirty provider
    *icee* or you need to call me or something
    *icee* and you need to provide me with that secret
    *icee* so i know i'm talking to you
    *icee* here's why:
    *icee* i'm not doing anything illegal
    *icee* but the information that i would give you
    *icee* has no value
    *icee* if other people get it.
    *icee* if not, it stops here: I suggest you talk to a lawyer, and I wish you honestly the best of luck.
    [mafiaboy] so let me get this straight
    [mafiaboy] 3 days, this is one of the top international news stories. everyone wants to know who is responsible. the fbi and the president make speeches saying they are clueless. You say "everyone knows" and you fucking tell the media????
    [mafiaboy] i mean
    *icee* look
    [mafiaboy] i'm just trying to make sure i have the full picture
    *icee* will you take a valium or something, maybe have a swig of alcohol or three..
    [mafiaboy] not that it's me or anything
    *icee* and just realize the truth here: I'm trying to be your friend.
    *icee* doesn't put you in any more danger
    *icee* if i was a fed, and i didn't know who you are
    [mafiaboy] i think perhaps you should take a step back and think about this from my end
    *icee* by now, someone would have installed logging access lists and figured out your ultimate source address
    *icee* and coordinated the data from calling records
    *icee* and know exactly where you are right now.
    *icee* Keeping you in the conversation this long would have been enough
    *icee* but that was not my objective.
    *icee* nor am i working with the FBI
    [mafiaboy] i never said you were
    *icee* so please realize you're giving me nothing more, and get a secure line of communication with me, and talk to me
    [mafiaboy] i know you're not a fed. you're with Recourse Technologies in sunny palo alto
    *icee* I understand it has to be scary as fuck, and i understand i'm not being easy to work with
    *icee* oh, did you listen to our radio stuff up there in Canada, too?
    [mafiaboy] you were on the radio too???
    *icee* i think they're the only people i talked to who called it sunny palo alto
    *icee* I am not out to get you.
    [mafiaboy] who are you fucking Shimomura?
    *icee* yes.
    *icee* no
    *icee* I am not out to get you.
    [mafiaboy] we don't even know each other and you're already looking for your markoff
    *** icee has changed the topic on channel #recourse to: *mafiaboy* who are you fucking Shimomura?
    *icee* No I'm not.
    *icee* I'm not trying to go down as the person who nailed you
    *icee* people already did that
    *icee* And i could tell you more about it
    *icee* if you'd just fucking talk to me
    *icee* but listen to why i can't:
    *icee* if you are not the mafiaboy i think
    *icee* and i reveal the information
    *icee* i've destroyed its utility
    *icee* and then i wouldn't have done you much of a favor now, would i have?
    [mafiaboy] if i'm already nailed, how come no raid?
    *icee* do you know what flow stats are? logging access lists?
    *icee* i can tell you quite clearly how you were nailed
    *icee* and i can tell you why there's no raid
    *icee* but i NEED INFORMATION
    *icee* and the thing is
    *icee* I'm willing to help you for two reasons:
    [mafiaboy] it's going to be a while before i can get to another means of communication
    *icee* I was in a situation once similar to yours, sort of
    *icee* and I'm hoping that if i help you a bit, maybe you'll help me a little too
    *icee* well, are you on sympatico now?
    [mafiaboy] no
    [mafiaboy] one question though, is it politics?
    *icee* Okay, then can we take it to DCC? I consider that safe.
    *icee* why you're not?
    *icee* yes.
    *icee* that'll buy you a couple of days at most.
    [mafiaboy] they're capitalizing off it
    [mafiaboy] ?
    *icee* that and the fact the FBI got a little confused
    *icee* it's the fact that it crosses national borders, and there's difficult procedural problems to solve.
    *icee* none of the evidence is in .ca
    *icee* or very little of it.
    *** DCC CHAT (chat) request from icee[icee@dragon.ender.com []]
    *** BitchX: Type /chat to answer or /nochat to close
    >>> icee [icee@dragon.ender.com] requested DCC CHAT from mafiaboy
    [mafiaboy] won't accept
    *icee* okay.
    *icee* how do we do this, then?
    *** DCC Auto-closing idle dcc CHAT to icee
    *icee* I'm willing to do it on your terms, within reason.
    *icee* look, i'm just a 20 year old guy, i'm sitting in my computer room, my girl's sitting here by me, we're eating pizza
    [mafiaboy] ok. this whole stalling because of politics thing. is that your analysis or do you have a source on this?
    [mafiaboy] (i don't need your source)
    *icee* look
    *icee* This is where it stops
    *icee* yes i have a source
    *icee* i can't say any more.
    *icee* until we get out of band somehow.
    [mafiaboy] i'm just trying to gauge credibility here
    *icee* look
    *icee* hint: i used to work for exodus communications.
    *icee* where is buy.com? where is ebay?
    [mafiaboy] hmm
    [mafiaboy] is it an official delay? 2600.com is talking about conspiracy shit
    *icee* that's where we're getting to things i don't know , but i don't buy it's a conspiracy in my personal opinion to be honest
    *icee* 2600 isn't worth the paper it's printed on
    [mafiaboy] that # you gave me, where is it?
    *icee* San Jose, CA.
    *icee* It's my main home phone number.
    *icee* I'm trusting you.
    [mafiaboy] k, landline?
    *icee* yes.
    *icee* it'll be answered on a cordless phone if that's okay
    *icee* i doubt the feds are outside my house.
    *icee* And if so, they could just bug the actual line ;P
    [mafiaboy] 900mhz?
    *icee* or use LMOS and make it easy
    *icee* 2.4GHz spread spectrum (CDMA)
    [mafiaboy] k, call you from prison ;)
    End log

    IRC log started Thu Feb 10 19:23
    *** Value of LOG set to ON
    *** mafia_boy has joined channel #recourse
    *** Users on #recourse: mafia_boy Telastyn meesh ssorkin @rross icee
    *** #recourse 949885504
    *** mafia_boy has left channel #recourse
    *** No target, neither channel nor query
    *** You have been marked as being away
    *** Signoff by mafiaboy detected
    *icee* is that you?
    [mafiaboy] no THIS is me
    *icee* yah?
    *icee* so what's up?
    [mafiaboy] watching cnn, haha
    *icee* yah?
    *icee* so did you see me?
    [mafiaboy] no, just started
    *icee* Look, here's the deal. ssh to some account somewhere that they didn't know about, or something, so we have a secure channel, so we can talk.
    [mafiaboy] why
    [mafiaboy] they dont know about this one, not yet anyway
    *icee* okay, then let's take it out of band, in DCC.
    *** DCC CHAT (chat) request received from icee
    *** DCC CHAT connection with icee[] established
    =icee= okay. we talked last night, right?
    [mafiaboy] yep
    =icee= (i'm asking because with the circumstance, there's fair odds someone might message me and pretend to be you)
    =icee= okay, we need to solve this trust problem, and prove you are who you say you are.. so the name of the channel.. it starts with a m. can you tell me it?
    =icee= #bifemunix is a rival.
    [mafiaboy] 3090
    [mafiaboy] good enough?
    =icee= okay, that's good enough, but i don't know if that was the brightest thing to say when we could be possibly listened to
    =icee= Okay:
    =icee= here's the deal:
    =icee= the authorities have a large amount of information which has been salvaged from machines taken into evidence, as well as:
    =icee= flow statistics on routers
    =icee= routers keep information on all layer 4 connections for the purpose of ensuring quality of service
    =icee= because the information is kept in the router for a length of time, it serves as a pretty accurate way to see what host has talked to what other host recently
    =icee= sprint, mci, abovenet, and exds all worked together and put the flow information together
    =icee= they were also able to correlate information from a number of different sources, like logging access lists on routers
    =icee= From the RUMORS i'm hearing, the only thing keeping you out of jail at the moment is geopolitical issues, and the fact that they don't think you're behind all of the attacks
    =icee= I think the general idea is, they're going to swoop in, get you in custody, and then when you can't talk to anyone else or do anything else, completely fuck you over
    =icee= So I have a couple of different recommendations, depending on what road you want to take
    =icee= 1) get a lawyer, surrender to custody, try to plea bargain
    =icee= or 2) publicly make a statement
    =icee= because if you don't do something now, your ability to talk to the rest of the world is going to be limited
    =icee= if it looks like you didn't know what the fuck you were doing, things can turn out a lot better
    =icee= and I have some information, that i certainly can't say over the phone, that could be of great value to your defense attorneys
    [mafiaboy] and whats in it for you
    =icee= What is in it for me?
    =icee= You pick option #1, nothing
    =icee= You pick option #2, I'd like to be the person who leads you forward.
    =icee= But that's also up to you
    [mafiaboy] and then you write a book
    =icee= I don't want to write a book
    =icee= i want to sell software
    [mafiaboy] i have some software here
    =icee= what's that mean?
    =icee= recourse technologies is a software company
    [mafiaboy] haha
    =icee= The other thing is: i might be able to be a witness in your favor
    =icee= and I could certainly help in substantiating you didn't launch all of the attacks
    =icee= I only know for certain you nailed CNN.
    [mafiaboy] but you dont really
    =icee= okay, here's the things i know
    =icee= i know a sympatico ip, and a time; i know everyone says you did it; and i know you use sympatico.ca
    =icee= or used.
    =icee= the second set of facts help me more than the FBI; but the first is enough for them to nail you.. see?
    =icee= btw, don't call me now, i'm not at home.
    =icee= of course, you could call me at work, 650-565-8601 ext 107
    =icee= let me tell you my personal opinions: i think denial of service is lame as fuck
    =icee= and i don't think what you did was particularly cool
    =icee= i think you probably didn't realize the implications though, either
    [mafiaboy] i gotta smoke and walk around a while
    =icee= *nods*
    =icee= Just look:
    =icee= if you think carefully, and don't freak out
    =icee= you can get community service, and end up picking up trash or something
    =icee= for 300 hours.. not fun, but better than spending time in juvvie
    [mafiaboy] oui
    [mafiaboy] ack
    [mafiaboy] misfire
    =icee= re
    =icee= so, any clue what you're going to do?
    [mafiaboy] no, i was just talking to a friend on the payphone
    =icee= bleh, not talking to me anymore?
    [mafiaboy] i dont think i'm in any danger here
    =icee= um, why not?
    [mafiaboy] many reasons
    =icee= Look:
    =icee= i don't know if you've heard of me or not
    =icee= but at one time i was considered the very, very best
    =icee= and i don't possibly understand how you could consider your position safe.
    [mafiaboy] why arent you best any more
    =icee= you have lots of people who are willing to rat on you who saw you demonstrating your might, there's definite information which ties you to a dialup address.. and i don't see what diversion you could have done through the phone system to adequately protect yourself
    =icee= I'm best in something different, now.
    =icee= I do mathematics and analyze networks.
    =icee= I broke in to things to find out about computers and learn
    =icee= once i got legitimate access to them, there wasn't a lot of reason to do it anymore
    =icee= and besides: computer security is a much tougher problem than breaking something to take it down or break in
    [mafiaboy] you still know ppl in the scene??
    =icee= I know a lot of people
    =icee= but to be honest:
    =icee= the scene is very lame
    =icee= 99.9999% today have never written exploit code
    =icee= i come from a different time, and a different ethic
    =icee= what we were doing used to stand for something
    =icee= now it's just not the same anymore.
    [mafiaboy] dont know much bout the past
    =icee= well, i'd like to tell you about it, sometime.
    =icee= see, i'm sure you've read some shit by the mentor, right?
    [mafiaboy] but you sound like a friend of mine
    =icee= i knew the mentor, even hear from him time to time
    =icee= his name came from the fact that he took an active part in taking people new to the scene, who showed promise, and showed them how to move forward and what to learn
    =icee= i kinda have had that role in the past
    =icee= a lot of people who you probably know now have learnt from me
    =icee= Basically, I've never wanted attention or anything
    =icee= the only reason i'm on TV now, is the fact that I have 20 people whose livelihoods depend on the fact they've trusted me
    =icee= and what is good for my company is good for them
    =icee= to be honest i was terrified to death of it and wanted to go home after the second radio interview
    =icee= here's the deal though:
    =icee= i'm your friend, and i'm available to provide you with information
    =icee= but, these are the conditions:
    =icee= I am not going to do anything that incriminates myself
    =icee= and if i get subpoenaed i will cooperate, so you want to limit that which you say to me
    =icee= and if there's something you can do in the future that benefits me, without hurting you, i'd like you to please consider it.
    =icee= if you want to come forward, and get your situation known to the public...
    =icee= then i would like to facilitate that.
    =icee= but it's just if you choose that road.
    [mafiaboy] see
    [mafiaboy] i dont know you
    =icee= *nods*
    =icee= and there's one last thing:
    =icee= i have a piece of information which is extremely valuable in your defense
    =icee= regarding the handling of the case, and a crucial mistake which was made
    =icee= Look, you've gained favor among a little crowd, but be honest with me, you know that almost anyone could install the tools that you did
    =icee= I could show any 12 year old who could read how to in an hour
    =icee= run exploit, compile, install program, put in startup scripts.. rinse, repeat, whatever
    [mafiaboy] yes but nobody did it
    =icee= but WHY do it?
    [mafiaboy] snowday
    [mafiaboy] haha
    =icee= right now they're blaming a 500 point drop in the Dow on you; saying you had tens of millions of dollars of economic impact
    =icee= you think they're not going to put the pieces together?
    =icee= there's an infinite set of different kinds of information which can be used to nail you; forensic data on the machines you compromised (deleted files; residues in kernel memory if the machine was taken down), there's residues of the information in the routers; in SNMP audit logs in hp openview
    [mafiaboy] maybe people will invest in something else and the dow will go back up?
    =icee= RADIUS logs
    [mafiaboy] but nobody will give credit for that
    =icee= Hey, you and I both know nothing has changed; the Dow bounced back today, people will re-invest in ecommerce, it won't really change anything
    =icee= but the fact is: Janet Reno has put her career on the line saying they'll catch you
    =icee= and the entire FBI reports to her
    =icee= and like, i don't know if you did etrade or datek, but if you did either of those, you're likely to be particularly fucked.
    [mafiaboy] no comments
    [mafiaboy] ;]
    =icee= well, obviously: i don't want to know.
    =icee= But i can tell you this: you're definitely fucked on CNN.
    [mafiaboy] you mean aol?
    =icee= well, BBN
    =icee= did you just mean to take down AOL, and nailed CNN, too?
    [mafiaboy] see above no comments
    =icee= heh
    =icee= that's a bummer

