A security consultant and ex-hacker from Ottawa, Davis tracked down
Curador, an 18-year-old hacker from South Wales who in 2000 stole an
estimated 26,000 credit card numbers from e-commerce web sites and posted them
online.
When did you first hear of Curador?
It was around the second or third of February, on a web site I go to all the
time called hackernews.com. And he had posted a little news story
there that he'd broken into a couple of different e-commerce sites, and stolen
3,000 or 4,000 credit card numbers at this time, and was just sort of bragging
about it. . . .
So why did you go after him?
One, he broke into a Canadian web site, this web site in Markham. The second
reason was that he just didn't really seem to have any kind of ethic, be it
good or bad. I mean, even the bad guys that I deal with on a daily basis in
this hacker subculture still have some type of ethic. . . . Hackers have a sort
of honor among thieves. There's this hacker ethic, and this guy just didn't
seem to have that. So, I think that's kind of what drove me to go after him a
bit. . . . It was just this bragging and the lack of ethic.
And when did you hear the bragging?
. . . He wrote a little news blurb for hackernews, bragging about breaking into
these two sites and stealing 4,000 or 5,000 credit card numbers at the time. He
also contacted the media, NBC, CNN, all these people. And at first, they
pretty much just ignored his emails. He was telling them, "I've broken into
these sites. I've stolen these many credit card numbers. Do you guys want to
interview me?" And they were ignoring him. But there was a smaller news
agency, internetnews.com, and a guy named Brian McWilliams . . . did an
interview with him. And in that, he was taunting the police, just bragging
profusely about his skill and how great he was and things like that. And that
also really just kind of kept the fuel going for the fire. It really kept me
after him.
So, in the end, when you said you'd go after him, how difficult was it to
find him?
For me to actually find out where he was coming from, not difficult at all. .
. . For me to trace him back to the internet service provider in the UK that he
was using, that really took like an hour. So that wasn't very difficult to
find. From the internet service provider actually to his house took a couple
of weeks.
What was the initial response of the authorities when you contacted
them?
. . . The FBI was actually quite easy to deal with, although technically, they
didn't really understand what it was I was explaining to them. The local
police were also very polite, but they didn't understand it. . . .
How would you characterize the police level of knowledge on this sort of
crime?
Well, the police's level of knowledge in this is low. I don't think that
they're properly prepared or they don't have the proper skill sets on board
within their departments to deal with this, even within the computer crime
department. . . . So I ended up doing a lot of explaining. But I think that
probably the police need to find people in the industry and get them on board
to help, because most of the people that are in the security field are getting
much larger paychecks than what police agencies are willing to pay out. So
this is why they don't end up with people with those types of skill sets, the
people that they need to be able to find these guys. . . .
In the case of Curador, what was the scale of what he did?
He had stolen in excess of 26,000 credit card numbers. He'd used a few credit
cards online to purchase certain things, and he publicly published them out to
the internet for anybody else to use. . . . A couple of the sites that he
broke into are no longer in business. People just won't shop there anymore .
. . .
Do you have any sympathy with the view that these sites should have been
protected?
I do think that these sites probably should have been more secure than they
were. But a lot of them are very small, sort of mom-and-pop type operations.
They were a couple of guys. They put up a web server and tried to make a
couple of dollars off the internet. And they don't really have the money to
go hire a security consultant to come in and make sure that they're secure. A
lot of them just assumed that the Microsoft products they're using are
inherently secure, which is unfortunately not the case.
So many people just don't have that knowledge. They don't know that there are
these gaping holes in their Microsoft web server. There are gaping holes in
Microsoft Windows NT, by default. They don't understand that. So you end up
with a lot of people just throwing these things up, thinking that they're
secure, and they're not. I do agree with the fact that maybe they should have
done their research; should have found out what the vulnerabilities were, and
how to fix them prior to opening up for business. But I definitely don't agree
with what Curador did to try and prove a point. . . .
Isn't it a little frightening to think that an 18-year-old in South Wales,
on a second-hand computer, can get 26,000 credit card numbers off the
web?
Yes, that is a little scary. It happens every day, though. We have
14-year-old, 13-year-old, 12-year-old kids that are defacing major web sites:
government web sites, NASA web sites, things like this. They're breaking into
the computers and . . . changing the sites. It's the equivalent of graffiti,
really. They're sort of this cybergraffiti. . . . On average, a little less
than 20 times a day are reported. I don't know how many times it happens where
they're not reported. . . .
And is one to assume that if an 18-year-old in South Wales can get 26,000
credit card numbers, then organized crime could do the same?
Yes, absolutely. I know that Curador said that he was contacted by a couple of
different criminal organizations that offered him quite a bit of money. Other
associates of mine have been contacted by various different organized crime. .
. . I'm sure it happens a lot.
How would you characterize the internet's vulnerability . . . to criminals
or terrorists?
. . . There are ways that you could shut down the internet in two or three
hours. I know people that have the ability to do it. Just thankfully, they
don't want to do it. They're ethical people. . . . But people who are working
for things like organized crime, or in terrorist groups, thankfully don't have
that type of skill set at this point. I think it's possible that they would be
able to find people with that skill set, and at that point, it would start to
get really scary. . . .
What sort of vulnerabilities are there? What could be done?
The major vulnerabilities that we see right now are in the Microsoft products.
Microsoft has a web server out that has 15 or 20 fairly large security problems
with it. There have been three or four really major ones over the last couple
of years. And this is what we see the young kids using right now, because
there's a lot of programs out there that you could just download, run, and
it'll re-write the web page for you. One gives you full access to the remote,
to the web server in about four seconds. There's another one that will
completely shut down the web servers in a second. There are all kinds of tools
out there that these kids can download and they don't have to understand how
they work. They don't have to understand how to write it. The only thing you
have to do is understand how to click a mouse. So that does cause a lot of
issues and a lot of problems. . . .
What were you feeling when you decided to go after Curador?
When I first decided to go after Curador . . . I think that the bragging got to
me. I just wanted to say, "Okay, look, you're really not this good. You're
not as good as you think you are. I have a really good idea how you're doing
this." So that's what started it. And then, it progressed and he started
taunting people and the police. And he and I did a couple of online radio
interviews. They'd take a sound bite from me and then one from him, and play
it. It became this large game of cat-and-mouse. And then it was almost an
obsession. I went a couple of days with barely sleeping or eating, trying to
get everything together properly for the police.
But what was I actually feeling? Just the frustration, I guess, mostly. I
obviously thought that this was wrong and this guy was getting away with it.
I guess that's really the main thing. . . .
And when you were chasing him, what did you think? What sort of picture did
you have in mind of the person you were chasing?
Obviously, I thought he was a young individual. His spelling was terrible.
Every time he put up a new web site, his spelling would get worse. So I thought
that he's obviously not well schooled. It doesn't mean that he was not
intelligent, but just obviously not well schooled. And young. . . . As you
mature, you make choices that don't involve stealing credit card numbers. But
outside of that, I had no other picture of him, really.
What's happened to him now, as far as you know?
Just a couple of days ago, he was formally charged . . . with ten counts
against the Computer Misuse Act of 1990 in Britain, and two counts of the
British equivalent of fraud. So he's in fairly serious trouble.
FRONTLINE · wgbh · pbs online
web site copyright WGBH educational foundation