The Wrong Geek

Adam L. Penenberg
Forbes, 04.03.00

THE WEEK AFTER THE MASSIVE DENIAL OF SERVICE attacks hit Yahoo!, E*Trade, Amazon, Buy.com and a score of other sites in mid-February, the FBI thought it might have found its malicious geek: a pimply faced 20-year-old “script kiddie” with low-level computer skills who, the bureau thought, launched the electronic barrage from his job in tech support at a major auto parts supplier in Dearborn, Mich.

A denial of service attack (DOS) hits a target with way more traffic than it can handle, sort of like a million irate PC owners simultaneously calling 20 frazzled tech-support operators. The result is a stream of busy signals and a lot of frustrated customers. The company’s routers and servers hyperventilate from the onslaught, slowing traffic to a crawl and potentially shutting down the entire network. DOS is a prank looked down on by most hackers, which is why some have joined up with law enforcement to try and catch whoever is responsible.
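The paragraph above describes the flood from the victim's side: far more requests than the servers can answer. The following is an added illustration, not code from the article or from any of the companies or investigators it names, of the simplest defender-side signal for that condition: counting requests per source and in aggregate over a sliding window of web-server log lines. The log lines, the IP addresses (reserved documentation ranges), and the thresholds are all constructed for the example; the second burst is spread across many sources at a low per-source rate to show why a per-source limit alone misses a distributed flood and an aggregate limit is needed as well.

```python
from collections import defaultdict, deque

# Constructed sample log (not from the article). Format: "<seconds> <source_ip> <path>".
# Block 1: ordinary browsing. Block 2: one source hammering "/" (single-source flood).
# Block 3: twelve distinct sources, one request each in the same second (distributed flood).
SAMPLE_LOG = """\
0 10.0.0.1 /index.html
1 10.0.0.2 /cart
2 10.0.0.1 /search
3 203.0.113.5 /
3 203.0.113.5 /
3 203.0.113.5 /
4 203.0.113.5 /
4 203.0.113.5 /
4 203.0.113.5 /
12 10.0.0.3 /about
""" + "\n".join(f"20 198.51.100.{i} /" for i in range(1, 13))


def parse_log(text):
    """Turn the constructed log format into (timestamp, source_ip, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, path = line.split(maxsplit=2)
        events.append((float(ts), ip, path))
    return events


def detect_floods(events, window=5.0, per_source_limit=4, total_limit=10):
    """Sliding-window request counting.

    Returns (flagged_sources, total_alert_at):
      flagged_sources  -- {source_ip: first timestamp at which that source alone
                          exceeded per_source_limit requests inside `window` seconds}
      total_alert_at   -- first timestamp at which requests from *all* sources
                          exceeded total_limit inside `window` seconds, or None.
    The aggregate check is what catches a flood spread thinly over many sources.
    """
    per_source = defaultdict(deque)   # ip -> timestamps inside the current window
    overall = deque()                 # all timestamps inside the current window
    flagged = {}
    total_alert_at = None

    for ts, ip, _path in sorted(events):
        q = per_source[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # evict requests older than the window
            q.popleft()
        overall.append(ts)
        while overall and ts - overall[0] > window:
            overall.popleft()

        if len(q) > per_source_limit and ip not in flagged:
            flagged[ip] = ts
        if len(overall) > total_limit and total_alert_at is None:
            total_alert_at = ts

    return flagged, total_alert_at


def analyze(text=SAMPLE_LOG):
    """Convenience wrapper: parse and detect in one call."""
    return detect_floods(parse_log(text))


if __name__ == "__main__":
    flagged, total_at = analyze()
    for ip, ts in flagged.items():
        print(f"single-source flood from {ip} detected at t={ts:.0f}s")
    if total_at is not None:
        print(f"aggregate flood detected at t={total_at:.0f}s (no single source over limit)")
```

On the constructed log, the per-source rule flags 203.0.113.5 at t=4 while the aggregate rule stays quiet (nine requests in the window); at t=20 no source sends more than one request, yet the aggregate rule fires. The thresholds here are illustrative; in practice the limits are tuned to the site's normal traffic, and a flood that saturates the network link never reaches the web log at all, so this signal complements rather than replaces monitoring at the router and upstream provider.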

“Hackers have known for a long time a large-scale DOS like this could be done, but no one’s had the chutzpah to do it before,” says “Tweety Fish,” a member of the Cult of the Dead Cow, an underground hacker organization. CDC is one of the hacker groups the DOS attackers sent “greets” to within the code of the electronic packets they used to bombard e-commerce sites.

Although speculation had been running wild as to the identity of the culprit, hackers, crackers, pirates and thieves treading on the seamy side of cyberspace were committing “serial bragging” taking credit for the attacks on hacker chat channels. Many blithely assumed the name “MafiaBoy,” one of the potential perps mentioned in a stream of news stories about the investigation. In fact, there were dozens of MafiaBoys running around the Internet in the days and weeks after the DOS attacks. But one hacker wannabe stood out from the rest. “Pig Farmer,” also known as “Eurostylin” and “Bean Farmer,” had reached out to dozens of journalists in e-mails right after the first wave of attacks, bragging about his exploits. When he couldn’t answer simple questions about the assaults, however, he was dismissed as yet another crackpot craving the limelight.

As the real culprits unleashed torrents of electronic packets at more e-commerce sites over the course of the week (Amazon, Charles Schwab, Datek, ZDNet and Lycos, among many others), Pig Farmer continued to frantically contact journalists from an America Online account in the hopes someone would listen to him. But nobody would. In an Internet Relay Chat (IRC) on Feb. 8 with some alleged cronies, Pig Farmer, ostensibly named because his parents have a farm where they raise pigs, beans and corn, wrote “I have sent 15 journalists an e-mail so we can get our message out. They have not responded to us, but the ones who have say we are not legit but we’ll show them.” He also brashly claimed he would hit CNN and Time Warner the next day, and they were attacked.

Brian Martin, Web master of Attrition.org, a site that tracks computer crime, engaged in a digital conversation with Pig Farmer to determine whether his claims could withstand scrutiny. When Martin asked him after the first wave of attacks why he was doing this, Pig Farmer responded, “If you notice the targets, They are all PUBLICLY traded companies. This was an attempt to put a ‘Scare’ into Internet stock holders.” Also, “Attacks WILL be carried out against Online trading companies, Dow, Onlinetrade, Etrade, etc.” Subsequently, investigators found crammed inside the code of some of the electronic packets used to flood the targets references to the Internet as a “whorehouse of e-commerce” as well as greetings to some hacker groups Pig Farmer apparently admired.

But without hard evidence, Martin still couldn’t be sure. He then passed on the e-mail that Pig Farmer had sent him to several members of the computer security industry for analysis and evaluation. It was eventually transmitted to James M. Atkinson, founder of Granite Island Group of Gloucester, Mass. It took almost no time for Atkinson to locate Pig Farmer’s file directories and homepage on AOL, complete with pictures of a barn, trailer and souped-up car. Atkinson, who says he has conducted hundreds of analysis projects like this, is not in the business of catching digital criminals. His company focuses on conducting bug sweeps, wiretap detection, and protecting corporations and government agencies from illegal surveillance or technical espionage.

“It took me 23 minutes to find out who the guy was,” Atkinson says. “The way you catch mischief makers is you look for minutiae and small mistakes they make. When Pig Farmer reached out to media people, he left a trail that led back to him.”

On the AOL home page, Atkinson found a photo of a bright red 1999 Dodge sports car with chrome wheels and, most important, tinted windows. Pig Farmer had deleted the license number from the photo, but he kept the car waxed and shiny and Atkinson was able to extract an image of his target by taking a photo of his car with a Sony digital camera using a flash in bright sunlight. Pig Farmer had received a ticket for the tinted windows, something he seemed proud of since he tried, unsuccessfully, to scan the image into his homepage. But the file got corrupted. Of a 680 kilobyte file, only 630K got through. Atkinson downloaded the entire site into his Silicon Graphics workstation and recovered the fragments of the damaged document.

“On the ticket, he had eradicated his name and address, but not the number on the ticket, nor the license number of his car, the date or the time,” Atkinson says. “He must have thought that just by erasing his name and address he could avoid detection.” Having strong ties to the intelligence and law enforcement community, Atkinson made a call to the Michigan State Police and within 19 minutes an officer called back with the potential perp’s name, address and other relevant information. Pig Farmer “bragged about the attacks before, during and after,” Atkinson says. “He seemed to do everything he could to draw attention to himself.”

With all the evidence pointing toward Pig Farmer, the FBI got more than a dozen subpoenas and brought him in for questioning. But it didn’t take long for agents and Department of Justice attorneys to realize that all they had was a 20-year-old hacker wannabe who had wasted their time. Pig Farmer had been reading everything he could about the DOS attacks in the media, then immediately crowed about it online in chat channels and through e-mails.

If bragging were a crime, Pig Farmer might be serving a life sentence. Instead, the Feds had to let him go. Meanwhile, the search for the DOS attackers continues, but without Atkinson, who has gone back to hunting spies and searching for eavesdropping devices.

Copyright 2000 Adam L. Penenberg (penenberg.com)