Profile? We did better than that. We turned over actual names.
How long a list are we talking about?

Three people. But the profile we initially produced suggested the attacks had been mounted by three to six people.

What else did your profile say?

We said the majority, if not all, of these attackers were operating in the United States. We said 35 to 100 computers had been used in the attacks. We said these people were socially motivated, since we never bought into all the speculation that this was the act of a group looking to manipulate market behavior. And we also said we thought the attackers were in their late teens or early 20s.

What told you that?

Well, for one thing, these denial-of-service attacks haven't really been around for all that long. The utilities the attackers used didn't even become publicly available until the latter part of last year. So there really wasn't a whole lot of time for these people to install their software on all these hacked computers. Imagine installing software on 100 computers. It's a time-consuming process. It's also boring and repetitive. Now further imagine that before you install all that software, you first must break into each computer, and once you're done loading the goods you have to erase any evidence that you were ever there. That just makes an already time-consuming process a lot longer. So we believe it has to be a group of people who worked together to break into all those sites, install the software and then combine their lists into some master list.

For psychological reasons, these groups tend to always include three people or more, but almost never more than six. Because the hacker culture tends to be rather volatile and very ego-driven, groups of more than six are inherently unstable. In any event, had this group included more than six people, leaks would surely have begun to appear long before now.
As for why we focused right from the start on hackers in their late teens and early 20s, that was mostly because people older than that typically won't run these sorts of risks purely for peer acceptance. That's just one of those things most people grow out of as they mature. We're also fairly certain they couldn't be any younger than their late teens simply because they've been mature enough to keep quiet.

Be that as it may, do you think they're going to get nabbed?

Well, like I said, we turned over three names and explained to the FBI why we think these are the responsible parties. But one of the things that's hurt this case has been all the publicity seekers. Here you have all these security companies that came out and did investigations, only to announce their findings to the press before going to the FBI. So, in the course of monitoring hacker postings to the IRC [Internet Relay Chat], we came across someone in the security industry posing as mafiaboy, obviously in hopes of finding [someone] who would try to contact him. But while he was trying to figure out who mafiaboy's friends were, some other security companies were posing as mafiaboy's buddies to see if they could get in touch with him directly. So these two security companies ended up having several interesting conversations with each other. It was really funny, actually. I spent many a night watching the IRC space, just howling. But, unfortunately, this also helped to create a very confusing picture for the FBI.

Is there anything that could be done to stop distributed denial-of-service attacks?

Not really. That's what's so funny about all this.

Don't you think the recent attacks may have raised awareness enough to encourage people to start thinking about plugging the holes hackers can use to hijack their computers?

That's never going to happen. Honestly. There's always going to be someone like my mother who doesn't know about the latest Windows 98 service package she needs to install.
There are so many people online anymore that that's become unrealistic.

So that leaves you to lurk in the dark recesses of the IRC in hopes of gathering all the hacker intelligence you can?

I wouldn't use the word "lurk." We simply monitor public IRC space -- about 142,000 forums at present. That includes Web pages, forums, IRC channel newsgroups, mail lists -- you name it.

On your Web site, you talk about how the intelligence you gather can be used to stop attacks before they start. Walk us through how that works.

That can happen in many different ways. One obvious example came about when we could see that a group was planning to attack the FAA's [Federal Aviation Administration's] Web site and we had a good idea of how they meant to go about it. So we simply called the FAA and said, "We know of a hacker group that in 15 minutes plans to break into your site using this vulnerability. You might want to patch it." That was pretty straightforward. At other times, we've obtained more subtle clues. One individual's motivations, for example, might tell us what sort of targets they're likely to go after.
Reproduction of material from any Salon pages without written permission is strictly prohibited
Copyright © 2000 Salon.com