Teens await arrest after Comcast attack
Updated at 12:15 p.m. PDT to clarify that Comcast wasn't technically hacked, but that its domain and Web site were hijacked.
Two teenagers who say they hijacked Comcast's Web portal on Thursday also say they expect to be arrested for their actions.
"I wish I was a minor right now because this is going to be really bad," 19-year-old "Defiant" told Wired's Kevin Poulsen, who managed to get a one-hour phone interview with Defiant and his 18-year-old cohort "EBK."
"I slept in my clothes, because the last time they came, I was in my underwear with my dong hanging out and shit," Defiant said of a past raid.
On Thursday, Comcast's portal was defaced, leaving some e-mail subscribers without service. On the site, the hackers referenced their group: "KRYOGENICS Defiant and EBK RoXed Comcast."
The teens say that after they initially managed to take control of Comcast's registrar account at Network Solutions, they called the company's technical contact to tell him, but he dismissed their claim and hung up on them.
That response angered EBK, who says he then decided to redirect traffic from Comcast's site to other servers. "I wasn't even really thinking," he said. "Plus, I'm just so mad at Comcast. I'm tired of their shitty service."
Meanwhile, the teens say they did not grab user names and passwords during the hack, even though they could have.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.



Yeah, they should hire this guy and fire the guy who took the call.
I don't have any customers, but if I got a call about this it would be fixed ASAP!
It's Craptastic!
I and other part-time and full-time security researchers often find huge, gaping security holes, in ISPs and businesses and even institutions like banks, only to be ignored when the security holes are reported. I've personally seen ISPs refuse to fix security holes that allow every Web site they host to be hijacked, compromising the personal financial details of every business and ecommerce site on their server; I've seen people continue to host fake "phishing" sites that pretend to be sites like eBay or PayPal, and allow Net users to have their account names and passwords stolen. I've seen Net service companies become angry and hostile when told that the customer details they keep can be stolen, and refuse to fix the problem even when technical details of the security flaws are explained to them.
I've seen ISPs and businesses refuse to fix their site security when their Web servers are overrun by computer viruses that let the virus writer eavesdrop on everyone who visits the site, and capture credit card numbers as they're being typed in.
I've seen banks refuse to fix their Web security even when they know that their customers' bank account numbers and passwords are exposed. I've seen big-name retailers refuse to fix their security even when they know for a fact that their customers' credit card numbers are being stolen.
Does that make it OK to hack these sites? No, of course not. These kids deserve to be arrested.
But the Comcast technician who screwed up, and then hung up on them when they tried to tell him he screwed up? That guy deserves to be arrested, too.
Make a counter for each bad site to keep track of traffic to be able to tell how many users affected (and possible monetary losses). And offer the users a return to the company page link (if they really want to use it after that).
You might be brought up on charges, you might be brought to trial, and you might receive jail time and fines. But you can cripple these moronic companies with loss of business due to bad publicity. And who knows, maybe get them to actually fix their vulnerabilities.
I'd go so far as to say that this is actually what the U.S. Government should be doing if they were really concerned about pro-active internet security.
- by The_Decider May 30, 2008 4:38 PM PDT
- There are more reasonable solutions to protest crappy service. The fact that they could have caused major havoc and didn't will likely net them less time. I just can't believe they would actually call them to tell them.