When Hackers Fight

Many subcultures revolve around secret codes—but none do it quite like computer hackers. In our peculiar corner of the world, everyone’s identity is masked by a codename, and the lingua franca relies heavily on coding jargon. When we hackers unite to work towards a common goal, our codes can have enormous power. But, as is true in many cultures, we wield our codes to most devastating effect when we are in conflict with each other.

When I was 15 years old, the codename I was known by in my clandestine online circles was Mafiaboy. It was an apt description. My crowning glory was to shut down Yahoo!, eBay, CNN, Dell, and Amazon, all within a single week, causing more than $1 billion in damage. Bill Clinton and Janet Reno organized a conference on cyber-security in response to my handywork. I was proud of myself at the time, though I couldn’t have done it without the community of hackers I belonged to. That was where I learned most of my skills.

Nautilus Members enjoy an ad-free experience. Log in or Join now .

We would gather on Internet Relay Chat, or IRC—a legitimate public chatroom that had an underground layer.¹ If you were just an ordinary IRC user, you wouldn’t know where to find us because it would require using quite a few specific UNIX commands.² We kept our chats hidden from the public, similar to the manner in which one keeps hidden directories on a PC.

My crowning glory was to shut down Yahoo!, eBay, CNN, Dell, and Amazon, all within a single week, causing more than $1 billion in damage.

Nautilus Members enjoy an ad-free experience. Log in or Join now .

Like any society, IRC had its cliques. Hackers broke into computer systems. Crackers cracked UNIX passwords. Phreakers fiddled with telecommunications to make free phone calls, and carders bought and traded stolen credit card numbers. My home in the IRC world was TNT/pHORCE, an exclusive group created by the elite Russian hacker DreamWalker. TNTers were like the New York Yankees of hackers.

Inside TNT, code was the universal language. Everyone was anonymous, hiding behind their codenames—Mafiaboy, Jedi, str69er, and so on. I didn’t know their real identities, and they didn’t know mine. Many hackers spoke Russian, others English, and so we constructed an eclectic mix of Internet and network terminology, chat abbreviations, and code words to converse. A typical style was to substitute letters for numbers as in I’m gonna hack your b0x. Some messages were more cryptic—for example the statement

this guy is 1337

coded for “this guy is leet,” where “leet” meant an “elite hacker.” And of course there was lots of trash talk, with shout-outs to friends and f-yous to enemies.

Nautilus Members enjoy an ad-free experience. Log in or Join now .

In the early 2000s, hackers weren’t motivated by monetary gains. If we broke into financial systems, it was to show that we could. Hacking was about skill and knowledge, power and respect. The most direct demonstration of these abilities was to challenge each other to a fight. It was like a talent show. In fact, I never intended to take Yahoo! out of service. I was just testing a powerful piece of malware called a “botnet” that I planned to use on my IRC frenemies. I actually didn’t expect my botnet to work—but to my surprise it did. The next day, someone else orchestrated a similar attack on Buy.com and I thought he was challenging my achievement. To this day, I don’t know who he was, but I responded to the challenge by launching an attack on eBay. And when someone in IRC stated that CNN would be impossible to bring down, it immediately became my next target.

The Buy.com attack might’ve been an implicit challenge. But we also had explicit challenges: one-on-one showdowns. When these happened, all bets were off. The losing duelist could get pwned, which is jargon for owned, or doxed—meaning that his opponent had blown his cover and made his real identity public in IRC. That could include his address, phone, and even his social security number.

Most of our direct fighting was low-stakes and revolved around taking over each other’s IRC channels. A channel is essentially a chatroom with controlled access. You’d start out by logging on to an IRC. Once connected, you could join as many channels as you wanted, subject to certain restrictions. Some were set by their operators to have special permissions. For instance keying +i would make a channel invite-only³ while +s would make it secret, hiding it from the standard channel search feature, much like the hidden files on your computer. They were invisible to ordinary users.

Nautilus Members enjoy an ad-free experience. Log in or Join now .

Once you were inside a channel, you could see who else was there with you. Different people had different privileges. A + sign next to a user’s name meant the person knew a channel operator and had the power to get you kicked out by messaging him. An @ sign next to a name meant that the person was the administrator of the channel and owned it (an operator had fewer privileges). Often the administrator had the help of a bot or botnet.⁴ Hackers are only human and can’t monitor their networks around the clock, so they use bots. If someone wanted to log in to my channel and chat with other users while I was in school, my bots would let them in. But if he tried to flood the chat, my bots would kick him out.⁵

If you’re getting the impression of an underground warren of caves, you’re not far off. Each cave was protected by codes, controlled its users with codes, and could be taken over by codes. And that’s what we spent much of our time and effort on.

You could seize channels in three different ways. One was to join the channel, collect the names of the administrators, and get their IP addresses by typing the following command

/whois{nickname}

Nautilus Members enjoy an ad-free experience. Log in or Join now .

Once you had their IP addresses, you could then scan their networks for vulnerabilities.⁶ If a network was held by a botnet, you could modify the bot to give you operator’s status, remove or deop the channel’s original operators—and install your own botnet. Alternatively, you could pose as another user and join a channel through an access program, like psyBNC, also known as bounce. Or you could use a potent Distributed Denial of Service (DDoS) botnet to launch a simultaneous attack against all the IP addresses in the room, wait for them to drop from IRC, and attack the IRC server itself—ultimately taking control over it and all its channels.⁷ The more channels you owned, the more powerful you were by hacker standards.

In the early 2000s, hackers weren’t motivated by monetary gains. If we broke into financial systems, it was to show that we could. Hacking was about skill and knowledge, power and respect.

The most spectacular code wars took place on conference phone calls when hackers would try to shut each other down in real time and embarrass the loser in front of his peers. Every few months, a random carder would buy a conference call line with a stolen credit card and post the phone number. A few dozen anonymous spectators would dial in to listen while cheering on in IRC. That’s where I witnessed one of the most remarkable hacks I can remember.

By the time I joined, there were about 60 hackers on the call. There was the usual boasting about who was the best. Soon enough we had the two duelists: a passive one with a thick Russian accent and an aggressive one who sounded like an American kid. “Hey, what’s your handle, give me your handle, I’m gonna shut you down right now!” the young hacker kept saying. The older one agreed. They exchanged their codenames, which I won’t mention here, and the war began. Everyone on the phone fell dead silent, except for the two opponents.

Nautilus Members enjoy an ad-free experience. Log in or Join now .

“Wait and see, I got something for you, I’m breaking into your computer right now,” the younger one kept repeating. The passive hacker mostly kept quiet, responding to the kid with short phrases. “Ok, we’ll see about that.” This continued for about half an hour. The passive hacker began to taunt the younger one. “What’s going on there? I’m still waiting.” His opponent responded, “I’m almost in, you’ll be sorry soon enough.” It was a typical war exchange, but what ensued blew my mind away.

Suddenly, the passive hacker said, “Ok time’s up, and by the way your dad’s name is such-and-such.” The younger hacker was in awe, and responded with “What? How did you know that?” The passive hacker began spewing out his opponent’s address and phone number followed by his parents’ names, social security numbers, and even the types of cars they drove. The audience exploded, tapping out “Ouch!” “Pwned!” “D0xed!”

The aggressive hacker was not only embarrassed, but frightened. Whom had he picked a fight with? I actually knew the passive duelist was an elite Russian hacker, a well-known exploit coder, so this was bound to turn ugly. “Please stop, I’m really sorry,” the poor kid pleaded. “Please, please, I’m just kidding around, I’m not hacking your network.” There was a slight pause. The audience held its breath. Then the Russian responded with, “I think you should go to bed.” The poor kid began pleading. “Pleaseeeeee, I’m sorry!” And just as I thought I had seen it all, the kid screamed, “Oh my god, what the f..k did you do? You cut off the power at my house!”

The Russian hacker had not only doxed him, but broke into the power grid and cut off power to his home. Doxing wasn’t my specific niche, but I could see that the first portion of this attack wasn’t too complicated. The Russian hacked the kid’s bounce program to unmask his IP address. Once the Russian had the IP, finding the kid’s postal address, the property owners’ names, and even their socials wasn’t that hard. Most Internet service providers, or ISPs, ask for such information when setting up an account.

Nautilus Members enjoy an ad-free experience. Log in or Join now .

The second part was a bit tricky. I was so awed by the Russian’s break-in to a power grid some 5,000 miles away that I began researching it. Eventually I figured it out. He must’ve dialed into a remote terminal—a computer at the power company that only employees have access to. It may sound like magic, but the feat is entirely possible, according to the security expert and penetration-testing consultant, Ira Winkler. Moreover, I realized that power and utility facilities are quite vulnerable to such attacks—this is a hot topic at today’s security conferences.

The Russian hacker had not only doxed him, but broke into the power grid and cut off power to his home.

These attacks require a lot of research and aren’t easy to launch, even for a skilled hacker. That made the Russian’s 30-minute stunt even more amazing. As for his opponent—I saw him lurking on IRC after the battle, but he mostly kept a low profile. The rest of us resumed our petty channel fights.

My own hacking endeavors came to an abrupt end on April 15, 2000, when the FBI and Royal Canadian Mounted Police finished their joint international manhunt, culminating in the search of my family home, the seizure of numerous electronics, and my arrest. I was charged with 65 counts of computer crime, 55 of which I pled guilty to after a lengthy trial. I paid a fine, and was sentenced to 8 months of open custody detention and one year of probation. Since then I’ve become a computer security consultant and a certified Ethical Hacker. Instead of launching DDoS, I mentor companies on how to mitigate them and prevent data theft. I published a book about my exploits, and now I write tech articles and speak at computer conferences.

Nautilus Members enjoy an ad-free experience. Log in or Join now .

In my job, I have to be a step ahead of hackers, so I periodically visit IRC as you would a library. I tend to keep a low profile, but I have a few key contacts who keep me in the loop about the latest network vulnerabilities and malware. I just don’t take part in their activities.

A lot of the people I once knew are still on IRC, but the overall hacker mentality has changed. The older playful culture of challenging the status quo and pushing the limits is a thing of the past. Contemporary cyber-criminals are driven primarily by monetary gains and occasionally by political agendas. The mischievous youngsters who wielded their codes against each other have grown up and realized that they can make a fortune. That’s one reason why it’s increasingly difficult to circumvent their exploits. In the modern day hackers’ culture, money rules the world.

Michael Calce is a certified Ethical Hacker, a computer security consultant, and a co-author of Mafiaboy: The portrait of a hacker as a young man. He loves calculating odds at a Texas hold ’em poker table in his spare time.

Nautilus Members enjoy an ad-free experience. Log in or Join now .

Footnotes

IRC ran on a UNIX server named, for no apparent reason, Prison.net, hosted on efnet.org. Whether the hosting company knew of all the underground worlds that eventually sprouted on IRC is hard to tell.
I found the hacker hangouts while looking around for pirated software, or warez, as we called it. I was trying to download free games, but the process was taking too long so I began to poke around to see if I could somehow skip the queue—and stumbled upon a hacker group running a warez channel. Eventually, they invited me to join.
For example, the TNT/pHORCE chat was set up as +i at all times. No outsiders were allowed to enter and you had to send a request to get an invitation.
“Bot” is short for web robot. It is a software application that performs simple repetitive tasks. Bots that can self-reproduce and work together are called “botnets.” For example, a network of computers which have been hacked and are controlled by a group of bots is a botnet.
There were different methods of launching flooding attacks. Most of the time it was a program written in the programming language C, such as sheep.c or clone.c; such programs would be able to load numerous clones of themselves and flood a channel to the point that it would no longer function.
Hackers would always have an arsenal of exploits they could use to break into networks. Every software package has some loopholes in it and your job as a hacker was to find the right back door for the right loophole. Let’s say I had a program capable of tricking rpc.mountd—a Unix system daemon responsible for granting access to legitimate users— into giving access to me as well. I would run a scan to see if the network I wanted to breach was running the right version of the daemon, with a particular loophole that I could exploit.
Such an attack would cause the server to break off from the IRC network. You would then log on to the disconnected IRC server, take control over it, and make yourself an operator. Once the server rejoined the IRC, it would let you keep your operator status. If a channel was empty, the server would automatically grant the first person operator status, so you could pretty much become an operator for all of the channels on that server. This is basically how you would create new channels from scratch, but it could also be used as a loophole for taking over channels.