"Mafiaboy" Sentenced
by M. E. Kabay, PhD, CISSP
Associate Professor, Computer Information Systems
Norwich University, Northfield VT
"Mafiaboy," the Montreal-area youth who attacked Amazon, Buy.com, CNN, Dell, eBay, Excite,
U. Mass., U. Cal. Santa Barbara, Yahoo and other prominent Web sites in February 2000, was
sentenced in Quebec Youth Court on 12 Sep 2001 to 8 months in a juvenile detention center and
fined C$250 (~U$165) to be given to charity. He will enter one year of probation after his jail
term.
The youth, now 17, was caught when Royal Canadian Mounted Police wiretaps captured him
bragging about his exploits.
The boy had pled guilty to 58 counts of mischief for launching distributed denial-of-service
(DDoS) attacks against sites in the US, Canada, Denmark and Korea.
Judge Ouellet emphasized the grave nature of the attacks but said that the youth had criminal
intent but did not have a goal of fraudulent gain; he said the defendant was seeking enhanced
reputation for his coup among criminal hackers. The judge rejected excuses presented by the
boy, who claimed that he was testing sites with the goal of improving their security but said he
thought "Mafiaboy" was unaware of the full extent of the damages caused by his DDoS attacks.
According to press reports, the youth showed no emotion during the trial; his attorney, Yan
Romanowksi, is reported as saying that his client was distressed by the jail sentence and might
launch a judicial appeal: "He hoped the judge had understood that he had had his lesson and that
detention was not a proper remedy in these circumstances. . . . Detention is too much as far as I
am concerned."
***
What strikes me about this case is the reported attitude of the defendant. As far as I can see from
the news stories listed at the end of this newsletter, the boy seems to have expressed no regret
over his actions; on the contrary, his excuses about testing security are the classic defense of the
unrepentant criminal hacker. The boy's parents, understandably, had expressed hopes that their
son would avoid prison; the attorney's comments are also understandable given his role in
defending his client's interests. Nonetheless, it is clear from these responses that the boy is
surrounded by adults who do not themselves grasp or admit the gravity of the crimes he carried
out. Stock prices of some of the affected sites dropped noticeably during and immediately after
the attacks and estimates of lost business reached into the millions of dollars. Had the youth
robbed a bank of equivalent amounts, I doubt that anyone would be bleating about the injustice
of eight months in detention.
The general public still does not understand the consequences of criminal hacking. Network
specialists such as the readers of this column can help to change this lack of knowledge by
contributing to education of students, teachers and parents. See the resources in the Ethics
section of my new Web site at < http://www.mekabay.com/ethics/index.htm >.
***
http://www.canoe.ca/CNEWSTechNews0109/12_mafia-cp.html
http://www.cyberpresse.ca/reseau/actualites/0109/act_101090013799.html
http://www.wired.com/news/lycos/0,1306,46791,00.html
http://ca.news.yahoo.com/010912/5/abaa.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2812177,00.html?chkpt=zdnnp1tp02
***
M. E. Kabay, PhD, CISSP is Associate Professor in the Department of Computer Information
Systems at Norwich University in Northfield, VT. Mich can be reached by e-mail at <
mkabay@compuserve.com >. He invites inquiries about his information security and operations
management courses and consulting services. Visit his Web site at <
http://www.mekabay.com/index.htm > for papers and course materials on information
technology, security and management.
Copyright  2001 M. E. Kabay. All rights reserved.
Permission is hereby granted to Network World to distribute this article at will, to post it without
limit on any Web site, and to republish it in any way they see fit.