The infamous 15-year-old hacker who successfully launched a series of denial-of-service attacks in early 2000 that brought down Yahoo, Amazon, eBay and CNN, among others, is coming to Toronto next month.
The attacks, which took the FBI and RCMP two months to trace back to the Montreal high school student, led Michael "Mafiaboy" Calce to plead guilty to 55 counts of mischief, serve eight months juvenile detention and remain silent for eight years.
Calce, now a 23-year-old security consultant, agreed to his first media interview last fall. This coincided with the release of his book, Mafiaboy: How I Cracked the Internet and Why It's Still Broken, which Calce co-authored with journalist Craig Silverman.
Currently in the process of incorporating a pen testing company, Calce plans to share his past experiences and knowledge of hacker practices with the IT and business communities through lectures and seminars at upcoming conferences.
"Hopefully my experience will educate the business and IT world. I'm hoping to better the community and industry," he said.
Remaining silent helped Calce gain maturity and perspective on his crimes. "I was extremely young when I committed the crimes and didn't think I was ready to deal with the media at the time. I didn't even fully understand what I had done myself. I knew from the technological perspective what I was doing, but in terms of the collateral damage, I had no idea," he said.
Over the years, however, he watched as hackers and fraudsters evolved. "When I was sitting back and not going public with anything, it was just getting a lot worse," he said. "The hacking industry is huge right now. That's why I decided to step forward and tell my story. The whole idea to write a book was to get a message across."
But Calce hasn't stopped attracting controversy.
Criticisms range from attacks on the media for giving a former criminal further publicity to debates within security and hacker communities on whether Calce's fame exceeds his abilities.
"There's a lot of haters out there," said Calce. "They don't like the fact that I did that when I was 15."
In response to adversaries who label his feats as "script kiddie" exploits, Calce said some people just "don't know what they're talking about" when it comes to Yahoo! or CNN networks. "We're talking about high-profile networks here. These aren't kiddie servers," he said.
A lot of people will instantly stamp any type of denial-of-service as a script kiddie maneuvre because you are mass scanning and need to acquire a lot of computers under your control, Calce explained.
But script kiddie attacks normally entail pushing one button and having an automated script doing everything for you, he noted. "I manually built the whole network," he said.
Calce advised critics to read his book.
"It was a well-co-ordinated attack, it was one of the first to be done and it was anything but a script kiddie attack," he said.
Calce will address Canada's IT community at the IT360 conference in Toronto next month, where he is scheduled to present the opening keynote alongside Silverman.
"I've gone to the good side now, but I'm going to talk about my experiences in the dark side, so to speak. It's an in-depth look at a community that not many people were a part of. They know of it, but they didn't really get the chance to be part of that community," said Calce.
The lecture will also address threats from criminal organizations and how serious this has become.
"I'm going to be giving them a look into the underground," said Calce. "When you work on the white hat hacking side of the fence, you don't really get the kind of info leaks you would if you were a black hat hacker, so that's going to be a big turn in this conference."
Calce said it's hard to pinpoint what the typical hacker was like eight years ago because normally they would only talk business and were very discreet about their personal information.
One mistake people make is underestimating the size of hacker communities, Calce noted. "I think people really underestimate how many scammers and fraudsters there are out there. There's a huge number and it's growing rapidly," he said.
Motivations are also changing. Ten years ago, hacking was about exploration, Calce pointed out.
"I think the biggest factor and biggest change we can see over the past decade is that money has become the No. 1 issue. It's the No. 1 motive for everyone these days it seems -- hackers, fraudsters, whoever you want to single out -- it's all about money now. They're not really doing it just to explore technology anymore," he said.
Calce's motivation was status. "I just wanted to be the best hacker and I was going to do whatever it took to be notified as one of the elite hackers in my community ... that was more my motive -- to experiment, see how far I could go and gain reputation and status amongst my peers," he said.
While 15-year-olds aren't the main concern for organizations today, Calce said they shouldn't be dismissed either.
"It is older, organized criminals that are actually the real problem, but 15-year-olds can still do a lot of damage and they're not to be taken lightly. When they are 15, that just means they are more reckless and don't really have a sense of which direction they are headed in, which can be a very serious threat for companies," Calce explained.
Calce suggested organizations hire outside penetration testers to make sure their networks are secure.
"A lot of companies don't even bother getting penetration testing, which in this day and age is starting to become a detriment to their company because as soon as you get compromised, your credibility as a company or corporation as a whole can shut down in a matter of minutes," he said.
When asked what he would do if he were an IT manager, Calce said his first priority would be to stay on top of everything.
"Knowledge is power in this industry," said Calce. "The more you know, the better off you'll be ... the idea is to stay on top of everything that's being realized for that operating system. The No. 1 thing I would do is stay on top of all the latest patch nodes and updates that are coming out for the operating system that the company would be running."
He would also focus on budgets. "I don't think IT departments are getting as much budget as they should be," said Calce. "I think they are putting too much into marketing rather than security, when security is the biggest factor today. Cybercrime is now the biggest industry in the world, so I think people need to step back and realize that."
Calce's future plans include speaking to younger generations.
"The fact of the matter is, when you're behind the computer, it's not like punching a kid in the face where you can see his reaction or get that sense of emotion from him. You don't get that same morality because you're behind the computer. You're launching packets from one computer to another, it's not a bodily harm crime, so it's very hard to get the sense that what you are doing is wrong when you are at that age," he said.
The IT360 Conference & Expo will take place at the Metro Toronto Convention Centre on April 8, 2009. Michael Calce's keynote with Craig Silverman is scheduled for 9:30 a.m.