An interview with hacker 'MafiaBoy' on the Heartbleed bug

The Interview: ‘MafiaBoy’ speaks up

Michael Calce, ‘MafiaBoy’ turned security consultant, on the Heartbleed bug, and why the cloud and fingerprint scans will be hacked

Photo by Vincenzo D'Alto

Once known as the hacker MafiaBoy, Michael Calce was only 15 years old when he shut down websites for Amazon, CNN, Dell, E*Trade, eBay and Yahoo! for several hours. The major online breach caused widespread panic from Silicon Valley to the White House. President Bill Clinton held a special cybersecurity summit, as police took months to track down what turned out to be a kid from Montreal. Now 29, Calce works as a “white-hat hacker” to help companies with online security.

Q: How has Internet security changed since your attack?

A: In the hacking world, security is more of a response than a proactive measure. They wait for hackers to attack and then they patch, based on the attacks. There are more hackers breeding every day, and more brilliant minds are turning into hackers. Security has advanced, but so have hackers.

Q: Do you still talk with people in the hacker community? Do you know their goals?

A: Yes. It’s definitely shifted. When I was hacking, it was more pushing the status quo and seeing how far you can go. A lot of people would enter restricted sites just to say they can, and then log out. Today, everything related to hacking seems to be for monetary gain.

Q: How successful are they?

A: Very, very successful. As the world becomes more digitalized, there are more entry points for hackers. Ten years ago, there was some information being put online, but not to the magnitude of today. All records are being stored in computers—sensitive information, credit cards, even personal information through social networking sites.

Q: So how safe is people’s information?

A: Not very safe at all. Where there’s a will, there’s a way. Hackers tend to find a way. Code is also expanding. More lines of code means more probability that there is an exploit that can be [used]. Humans make mistakes. Programmers are bound to make mistakes. Hackers, you can bet your life, are going to be there to exploit those mistakes.

Q: My understanding is that the Heartbleed bug was caused by a mistake in the coding.

A: Absolutely. Almost all exploits are simple mistakes. The way I heard about it in the community, Heartbleed has been going around for a little while, and just now has it surfaced in the public. You’ve got to understand that, when hackers have this type of sensitive code, they are going to keep it private for as long as they can. When it’s kept private, it’s called “zero-day.” “In the wild” means it has become public. Now Heartbleed is “in the wild.”

Q: For how long was Heartbleed zero-day?

A: There are several different estimates; I don’t know which is accurate. I don’t get my feet wet with that because I’m a security consultant. But I asked around and apparently it’s been zero-day for up to a year. That’s very bad for a lot of companies.

Q: Can you explain what Heartbleed is and how it affects the average person?

A: Heartbleed is an exploit that takes advantage of SSL, which stands for Secure Socket Layer. Typically, on high-profile sites, they have SSL certificates. Emails, passwords, sensitive data, credit card information—it’s all encrypted by this special certificate and you are granted private keys. Heartbleed takes advantage of SSL, and some hackers boast that they are able to get private keys and, in turn, are able to retrieve sensitive data. One of the biggest issues is that hackers would then be able to impersonate websites on a more serious level than before. A lot of hackers set up scam sites. They can impersonate a site like PayPal, for instance. They’ll change the functions, or the domain will be a little bit off. A lot of people would know that it’s not the real site because they don’t have the certificate or they don’t have the private keys. Now with this, they would be able to impersonate the site so that you would barely be able to tell the difference.

Q: If someone emailed a fake link to “PayPal,” the user could be directed to a false site?

A: Exactly. It’s called “spoofing” and it is going to become way more effective. There are a lot of different theories on [Heartbleed] in terms of what you can do. Some companies have set up competitions where they put a bunch of white-hat hackers in a room and say: “Let’s see what you can do.” [In one competition], only one hacker was able to gain the private keys through the SSL exploit. The majority of the white-hat hackers—which are basically security consultants who are hacking for the good—have said it’s not as catastrophic as people might think. It has been tagged as critical because every major corporation—Facebook, Google—uses SSL technology. I don’t know if they are downplaying it because they don’t want mass panic. To be able to retrieve the data from it would be monumental. In the hands of the right hacker, it can retrieve everything.

Q: What about people who keep all their information in the cloud?

A: I have done conferences explaining that cloud is a bad idea. It’s putting all your eggs in one basket. Even though it is practical, they are protected by SSL, as well. If it is the right cloud that the hacker gets into, who knows the amount of information they’ll be able to access? There is a patch for [Heartbleed], but if they already get in before you patch, they’re still going to have your key and the data, because they’ve already accessed it.

Q: What about the iPhone’s ID touch? Will this solve the security problem in future?

A: Someone is going to be able to hack that technology. Is it a good security measure? Sure. Finger, retina scan, all these security layers that are being put in place right now can still be compromised. Everything is set up with a computer, so if someone can hardwire into the software, they might be able to hack it and override whatever scan or fingerprint is required.

Q: What are your thoughts on Edward Snowden leaking that the NSA was spying on phone calls and emails?

A: I didn’t need him to tell me that. Go watch Enemy of the State with Will Smith. That movie is obviously fiction, but what the NSA is doing in that movie is non-fiction. They have more than enough capabilities of stealing people’s information, going through cellphones, setting up trigger words. This is not surprising. The fact that he [leaked the information] just confirmed it, but hackers already knew this.

Q: What is your life like now? How has it changed since your arrest?

A: I served eight months and I had a lot of time to think about what I did. It kind of got out of hand when I was 15—people tend to forget that I was 15 when I launched those attacks. I’m not malicious by nature and there was no monetary gain involved. I took a little break and figured: I can help make people aware of what’s going on. That would be my way to make amends. I decided to write a book. The first half is my story; what I did and how I did it. The other half is how you can protect yourself. Then I started to transition into the security world, because that’s where I belong. I work with a few of the higher-profile security companies in the world. I test their software, evaluate it and give them results. “Penetration test” is the term; they think they might be safe and I’ll show them where the holes are and patch them up.

Q: What’s the ratio of hackers to white-hat hackers?

A: Oh God, probably 10 to one, if not more. It’s much easier to become a hacker now. It was a private community before and you had to find your way in, like tumbling down a rabbit hole. Today, there are all-in-one desktops fully equipped with tools pre-built into the operating system, all related to hacking. They are all very powerful tools and free to download.

Q: Do you ever feel paranoid about your own personal information?

A: Absolutely. I tread cautiously, cover my end and do what I can to protect myself. The security world needs to take a more proactive approach. A lot of companies will know an exploit exists and they’ll release the software anyways, and the patch later on. Stuff like this needs to stop. There needs to be some kind of agency that verifies code before it’s released, maybe a grading system for code. A+ is very secure. B is potential threat, something along the lines of how meat is graded Triple A.

Q: Where did the name MafiaBoy come from?

A: It came from my brother. My original name was Archangel. My brother wasn’t that computer literate, but I showed him how to download music through this online chat. One day, I logged on and he forgot to change the nickname. It said MafiaBoy. I thought, “This seems more intimidating. I’m going to adopt this name.” Back in my era, hacking was all about messing with other hackers. It was a hacker war.

Q: Do you still go by MafiaBoy for online gaming?

A: Even if I wanted to use MafiaBoy, it’s used everywhere.

Q: So do you have a new handle?

A: Right now, my name on Xbox Live is Primehacker.