Teens await arrest after Comcast attack

Updated at 12:15 p.m. PDT to clarify that Comcast wasn't technically hacked, but that its domain and Web site were hijacked.

Two teenagers who say they hijacked Comcast's Web portal on Thursday also say they expect to be arrested for their actions.

"I wish I was a minor right now because this is going to be really bad," 19-year-old "Defiant" told Wired's Kevin Poulsen, who managed to get a one-hour phone interview with Defiant and his 18-year-old cohort "EBK."

"I slept in my clothes, because the last time they came, I was in my underwear with my dong hanging out and shit," Defiant said of a past raid.

On Thursday, Comcast's portal was defaced, leaving some e-mail subscribers without service. On the site, the hackers referenced their group: "KRYOGENICS Defiant and EBK RoXed Comcast."

The teens say that after they initially managed to take control of Comcast's registrar account at Network Solutions, they called the company's technical contact to tell him, but he dismissed their claim and hung up on them.

That response angered EBK, who says he then decided to redirect traffic from Comcast's site to other servers. "I wasn't even really thinking," he said. "Plus, I'm just so mad at Comcast. I'm tired of their shitty service."

Meanwhile, the teens say they did not grab user names and passwords during the hack, even though they could have.

[The_Decider]

Holy crap Elinor, Comcast wasn't hacked. It was DNS poisoning. Maybe you should have read the feed back to the original CNET story as that writer got skewered for saying Comcasts web page got hacked. Comcasts home page was NOT hacked!!!!!!

[The_Decider]

Holy crap Elinor, Comcast wasn't hacked. It was DNS poisoning. Maybe you should have read the feed back to the original CNET story as that writer got skewered for saying Comcasts web page got hacked. Comcasts home page was NOT hacked!!!!!!

[The_Decider]

Holy crap Elinor, Comcast wasn't hacked. It was DNS poisoning. Maybe you should have read the feed back to the original CNET story as that writer got skewered for saying Comcasts web page got hacked. Comcasts home page was NOT hacked!!!!!!

[fafafooey]

They should string him up by his "dong". And what does this kid know about Comcast's "service" - his mommy is probably paying his cable bill.

[baswwe]

he is right. it is crap.

[ittesi259]

fafafooey, one doesn't have to pay the bill to understand whether or not service is good or bad. I bet constant router resets and dropped IP's that fail to renew like they should are all to be ignored because someone else my receive the bill? Oh and lets not forget that I'll never see the actual boadband speeds they advertise that I pay for because of unwillingness to upgrade infrastructure.

[bryanjavor]

Comcast should entertain the notion hiring him. Give him the tools he needs to become even more adept at hacking and pay him for everytime he can break in and explain the vulnerability...

[TV James]

Technical support. Ha.

Yeah, they should hire this guy and fire the guy who took the call.

[Zero187]

These kids shouldn't get in too much trouble for what they did, but definitely something. Kinda funny how it was really for nothing whatsoever. Hopefully these fools won't reproduce and spoil the evolution cycle any further.

[umbrae]

Any threat against a company should be taken seriously. If they warned Comcast and they did not fix it; then they got what they deserved. This should show Comcast customers how Comcast treats their security.

I don't have any customers, but if I got a call about this it would be fixed ASAP!

[CC_Reader]

Only if they have a dress code. Wouldn't want him working in his underwear with his dong hanging out. The kid's a train wreck.

[olderguy2]

The kid said, "the last time they came". So he was arrested at least once before for the same offense. A lot of good that did. Maybe some serious time should be leveled for his second offense. I'm tired of people being malicious thinking they have the right to injure a company and getting away with a slap on the wrist. Maybe chopping off the thumbs? smile

[olderguy2]

The kid said, "the last time they came". So he was arrested at least once before for the same offense. A lot of good that did. Maybe some serious time should be leveled for his second offense. I'm tired of people being malicious thinking they have the right to injure a company and getting away with a slap on the wrist. Maybe chopping off the thumbs? smile

[spruceman]

How Comcastic !!!!!

[kjam_productions]

While I'm not condoning what they did, they are right about one thing. Comcast's service sucks! Crappy customer service, worse technical support and on and on. Everyone thinks they are capping your upload speeds in Bittorrent...think again. They cap ALL uploads speeds regardless of what you're doing. I have a weekly podcast that takes over three hours to upload to Podbean. The truth is, they wouldn't give a damn what people are doing with their service if they would upgrade their infrastructure. Hell I'd even pay a higher price for a more stable and faster service. Instead, they oversell their capacity and then degrade the service of their users as a result. I just switched to AT&T, though I don't really believe they will be much better. However, as a former employee, I can honestly say they don't oversell their capacity. Once the limit is reached, they won't open additional accounts in that particular area until enough potential subscribers request the service and then they add the necessary 'pairs' to extend the service for that region...fingers crossed.

[zeroplane]

Comcast!

It's Craptastic!

[tacit]

It's easy to understand their frustration.

I and other part-time and full-time security researchers often find huge, gaping security holes, in ISPs and businesses and even institutions like banks, only to be ignored when the security holes are reported. I've personally seen ISPs refuse to fix security holes that allow every Web site they host to be hijacked, compromising the personal financial details of every business and ecommerce site on their server; I've seen people continue to host fake "phishing" sites that pretend to be sites like eBay or PayPal, and allow Net users to have their account names and passwords stolen. I've seen Net service companies become angry and hostile when told that the customer details they keep can be stolen, and refuse to fix the problem even when technical details of the security flaws are explained to them.

I've seen ISPs and businesses refuse to fix their site security when their Web servers are overrun by computer viruses that let the virus writer eavesdrop on everyone who visits the site, and capture credit card numbers as they're being typed in.

I've seen banks refuse to fix their Web security even when they know that their customers' bank account numbers and passwords are exposed. I've seen big-name retailers refuse to fix their security even when they know for a fact that their customers' credit card numbers are being stolen.

Does that make it OK to hack these sites? No, of course not. These kids deserve to be arrested.

But the Comcast technician who screwed up, and then hung up on them when they tried to tell him he screwed up? That guy deserves to be arrested, too.

[paulej]

If they were able to access Comcast's account at Network Solutions, then this suggests that Comcast has a real security issue. I think they deserve the kick in the rear. People want to punish the teenagers, but for what? Logging into an account and changing a few DNS values? Sure, quite disruptive, but if I were Comcast, I would be more worried about firing somebody for allowing such sensitive information to get out the door. If those boys were really bad, they certainly could have planned an elaborate scheme where they could have put up a fake Comcast, fake Google, and fake everything else ... collecting user's passwords for all kinds of sites. It's absolutely amazing that Comcast could be so careless. Or, was it Network Solutions that is to blame? In any case, they ought to find out how they keys to their little part of the Internet got out into the public.

[The Harper]

I don't get it... Wouldn't the teenagers have to perform DNS poisoning on one of the Comcast servers for this to happen? How loose is Comcast's infrastructure to allow that to happen? And if we're talking about Comcast's CORPORATE website... Isn't that hosted by some other ISP? I'm going to WHOIS and find out who that is, and advise my clients to never use them E V E R.

[The_Decider]

There are more reasonable solutions to protest crappy service. The fact that they could have caused major havoc and didn't will likely net them less time. I just can't believe they would actually call them to tell them.