01:36 am - Teenage Hacker Is Blind, Brash & in the Crosshairs of the FBI
Teenage Hacker Is Blind, Brash and in the Crosshairs of the FBI
By Kevin Poulsen
Wired News
02.29.08 | 12:00 AM
http://www.wired.com/print/politics/l
At 4 in the morning of May 1, 2005, deputies from the El Paso County
Sheriff's Office converged on the suburban Colorado Springs home of Richard
Gasper, a TSA screener at the local Colorado Springs Municipal Airport.
They were expecting to find a desperate, suicidal gunman holding Gasper and
his daughter hostage.
"I will shoot," the gravely voice had warned, in a phone call to police
minutes earlier. "I'm not afraid. I will shoot, and then I will kill
myself, because I don't care."
But instead of a gunman, it was Gasper himself who stepped into the glare
of police floodlights. Deputies ordered Gasper's hands up and held him for
90 minutes while searching the house. They found no armed intruder, no
hostages bound in duct tape. Just Gasper's 18-year-old daughter and his
baffled parents.
A federal Joint Terrorism Task Force would later conclude that Gasper had
been the victim of a new type of nasty hoax, called "swatting," that was
spreading across the United States. Pranksters were phoning police with
fake murders and hostage crises, spoofing their caller IDs so the calls
appear to be coming from inside the target's home. The result: police SWAT
teams rolling to the scene, sometimes bursting into homes, guns drawn.
Now the FBI thinks it has identified the culprit in the Colorado swatting
as a 17-year-old East Boston phone phreak known as "Li'l Hacker." Because
he's underage, Wired.com is not reporting Li'l Hacker's last name. His
first name is Matthew, and he poses a unique challenge to the federal
justice system, because he is blind from birth.
If he's guilty, the attack is at once the least sophisticated and most
malicious of a string of capers linked to Matt, who stumbled into the
lingering remains of the decades-old subculture of phone phreaking when he
was 14, and quickly rose to become one of the most skilled active phreakers
alive.
"Who's the best out there?" says Jeff Daniels, a veteran phone hacker and
an admitted mentor to Matt. "The little blind kid is one of the best. And
that's a fact."
Innocent at first, Matt's worst instincts surfaced after he fell in with a
gang of telephone ruffians -- men as old as 40 -- who eventually fingered
the teenager when they were swept up in an FBI crackdown on swatters late
last year. The government says the gang launched swatting attacks in over
60 cities, leaving hundreds of victims and chalking up over $250,000 in losses.
Interviews by Wired.com with Matt and his associates, and a review of court
documents, FBI reports and audio recordings, paints a picture of a young
man with an uncanny talent for quick telephone con jobs. Able to commit
vast amounts of information to memory instantly, Matt has mastered the
intricacies of telephone switching systems, while developing an innate
understanding of human psychology and organization culture -- knowledge
that he uses to manipulate his patsies and torment his foes.
The holes he's exploiting are in large part the same ones a previous
generation of phreaks relied on. He's running variations of the same old
scams. Daniels notices this as well. "He is nasty as the day is long
because he knows a few tricks from the old days," he says.
It's as though the phone companies -- which enjoy notoriously close
relations with the feds -- are so adept at getting their hackers arrested
that they're little motivated to spend money securing their sprawling
infrastructures. If malicious phone phreaks were the only threat to telecom
customers, that might be a sound strategy. But as the pretexting scandals
of 2006 showed, the same vulnerabilities make things easy for snoops and
criminals of all stripes, and a report released this week tallying identity
theft complaints ranks AT&T and Sprint customers as the second and third
most victimized, respectively.
(Disclosure: The author is a one-time phone phreak.)
Matt appeared on the phone phreaking scene in late 2004, when a neighbor
gave him the number of a telephone party line called the Boston Raven.
Party lines are privately run telephone-conferencing facilities where
people from around the country dial in and socialize, forming friendships,
romances and, at times, bitter enemies.
While similar to online, text-based chat rooms, the party lines are
actually an echo of a much older phenomenon that began in the early 1980s
with home-brew phone conferences boasting anywhere from two to eight
call-in lines. Today's computerized party lines offer virtually limitless
capacity, and include features like multiple "rooms" for different groups
to congregate.
Like those early conferences, modern party lines are also home to a small
cohort of phone phreaks -- hackers who specialize in telephone systems.
It's a subculture that immediately appealed to Matt.
"I've been interested in phones since I've been about 8," says Matt, who
lives with his single mother, and older brother and younger sister in an
East Boston apartment. "I talked to technicians when they came down here to
do things on my phone."
Blind hackers were a part of the first generation of phone phreaks in the
1970s, and it's easy to see the draw. On the phone, Matt's handicap is
irrelevant, and his gifts -- which include his ironclad memory, and vocal
skills that can mimic a much older man, or masquerade as a woman -- make
him an impresario. A party line denizen called "Lotus" remembers the first
time he encountered Matt at a Boston conference. "He was sitting in the
room beat-boxing. And I was like, who's playing the drums in here? And it
was just Li'l Hacker."
Matt started asking questions about phone phreaking, learning a little. The
party lines are a gladiator school of mischief, and Matt began challenging
experienced phone hackers with the obscenity-laced bravado of a teenage boy
feeling power for the first time.
"We're enemies at this time," says Daniels, a 36-year-old Alabama man who
runs one of the party lines. "And he's telling me in this little
12-year-old sounding voice what he's going to do to me." He laughs. After
Matt lost a phone war with Daniels, the elder phone phreak became Matt's
closest friend and mentor, schooling him in the ins-and-outs of the phone
system.
Perhaps grateful to have a worthy protégé to receive his knowledge, Daniels
didn't give much thought to how Matt would use it. "I don't sit down and
say, 'Hey Matt, I'm going to teach you how to infiltrate such-and-such,'"
Daniels says. "The conversation starts with a discussion about how
equipment operates."
Matt says he ordered phone company switch manuals off the internet and paid
to have them translated into Braille. He became a regular caller to
internal telephone company lines, where he'd masquerade as an employee to
perform tricks like tracing telephone calls, getting free phone features,
obtaining confidential customer information and disconnecting his rivals'
phones.
It was, relatively speaking, mild stuff. The teen though, soon fell in with
a bad crowd. The party lines were dominated by a gang of half-a-dozen
miscreants who informally called themselves the "Wrecking Crew" and "The
Cavalry." The group was led by a 40-year-old Cleveland ex-con named Stuart
Rosoff, a.k.a. "Michael Knight," and Guadalupe Santana Martinez, Jr.,
a.k.a., "Wicked Wizard."
The gang specialized in serving up trouble to people who defied them on the
party lines. Their most common tactic was swatting. Using a commercial
caller ID spoofing service called SpoofCard, they'd call police departments
around the country with false alarms, triggering tense confrontations
between armed cops and the victims, at least two of whom have suffered
injuries.
Matt's phone friends -- some of whom had being trying to get Rosoff and his
associates arrested for years -- cautioned Matt to steer clear of the
group. But the teen was cocky and arrogant, and was swept in by Rosoff's
goading, even coming to believe he was invulnerable to prosecution. "They
told him things like, 'You don't have to worry about this, you're a blind
kid, you're a minor,'" says Lotus. "They would feed this kid this bullshit,
and eventually he'd start to believe it."
That's when Danielle Gasper, then 18, met "Hacker Matt" on a party line in
late April 2005.
Though Danielle doubted his claim that he was only 15, and blind (she
thought he could be as old as 20), Hacker Matt seemed like a nice guy, she
later told investigators. But as she spoke with him twice a day for about a
week, he became less nice, and started pressing her for phone sex.
Their relationship soured for good when the family phone rang at 3 a.m. on
May 1 of that year, a few hours before Richard Gasper was scheduled to
start his shift as a screener at the Colorado Springs Municipal Airport.
Hacker Matt asked for Danielle, who was asleep in the other room. "I want
to have phone sex with her," the caller told Gasper.
Gasper called the man a pervert and hung up, perhaps thinking that ended
the matter. But Hacker Matt was persistent. "What's the matter?" Gasper
asked on the next call. "Can't you get sex from a real woman?" On the
fourth call, the caller threatened to "knock the dimple off" Danielle's
chin and to "blow up the fucking airport with (Gasper) in it."
Minutes after the Gaspers hung up on Hacker Matt for the fifth time, the
phone rang at the Colorado Springs Police Department. A recording of the
call was obtained by Wired.com.
"Now listen here," the caller growled. "I've got two people here held
hostage, all right? Now you know what happens to people that are held
hostage. It's not like on the movies or nothing, all right? You understand
that?"
"OK," the female dispatcher replied calmly.
"One them here's name is Danielle, and her father."
Identifying himself as John Defanno, the caller claimed to be armed with a
.22 caliber handgun, and said the hostages were duct-taped, and the father
injured. "Defanno" warned dispatchers not to send armed police into the
house. "I will shoot," he said. In an effective touch, he seemed to address
someone in the room "Shut up!" he barked.
The Sheriffs Office responded quickly. They called Gasper's number, and
Gasper told them about the phone calls and the bomb threat. But they didn't
believe him. Shortly after 4 a.m., deputy sheriffs showed up at his house,
ostensibly to take a report. When Gasper stepped outside to meet them, he
was taken into custody while police stormed the house. His daughter and his
parents were inside, but, of course, there was no gunman.
The next day, Gasper's phone was mysteriously forwarded to the FBI's office
in Washington DC.
In the aftermath of the swatting, Karl Mai, a deputy sheriff detailed to
the FBI's Joint Terrorism Task Force in Colorado Springs, started looking
for Hacker Matt. Adam Panagia, the head of AT&T's fraud division, passed on
a tip from an informant that Li'l Hacker had been heard bragging about the
Gasper swatting. But the investigation petered out after two months.
In two phone interviews with Wired.com, Matt was evasive and taciturn. He
spouted angrily about the crimes committed by other party liners,
particularly Rosoff and Martinez, but declined to answer questions about
his own activities. He denies making any swatting calls.
But Daniels says Matt, particularly in his younger days, was capable of
unleashing hell on his perceived enemies. "You don't have a clue," says
Daniels. "He was a raving lunatic ... He could decide he doesn't like you,
and he could make your life a living hell, and there's nothing you could do
about it."
"I give that guy props, but in some respects he's not smart enough for his
own IQ," says Jered Morgan, a phone phreak known as Lucky225.
Unlike Rosoff and the others, though, Matt seemed to develop some restraint
as he grew more skilled. Instead of sending police out to people's houses,
or phoning Child Protective Services with false abuse reports, Matt spent
more of his time calling internal phone company numbers and flexing his
growing access to phone company systems.
According to the government, between August and October 2006 Matt logged
more than 50 pretext phone calls to Verizon's provisioning center in
Irving, Texas. He also told party liners that he could eavesdrop on calls
on Verizon's network with the help of a credulous employee.
Verizon admits to suffering some breaches, but emphasizes that it was
purely indirect. "No one has literally accessed a Verizon computer, but
there has been social engineering taking place," says Verizon spokesman
William Kula.
To hack AT&T, Matt boldly adopted the identity of a real phone company
security agent named William Jones. In a series of undated recordings
obtained by Wired.com, Matt is heard repeatedly phoning AT&T's internal
help desk to get workers to disconnect the phone of Kenneth McComas, a
party line rival who lives in Ohio.
"We're looking at a fraud account," he said in one call, affecting a
confident baritone. "We're just gonna have to take that out of there."
While the worker processed the order, Matt kept him engaged in jocular
small talk thick with camaraderie.
His enthusiasm sometimes chaffed other hackers. At one point, Matt
allegedly hacked into a Verizon recorded-announcement system that tells
callers when a number has been disconnected or changed. Other hackers were
exploiting the system for more subtle pranks, until Matt stomped over the
recordings with his own voice. "If you called any number that was not in
service, you would hear him say some weird shit," says Teli Brown, a former
phone hacker known as "Gray Area." "It was funny, but it ruined it."
By then, Matt's reputation had taken on a life of its own, and tales of
some of his hacks -- perhaps apocryphal -- are now legends. According to
Daniels, he hacked his school's PBX so that every phone would ring at once.
Another time, he took control of a hotel elevator, sending it up and down
over and over again. One story has it that Matt phoned a telephone company
frame room worker at home in the middle of the night, and persuaded him to
get out of bed and return to work to disconnect someone's phone.
To Matt's family, the teen's interest in telephony seemed harmless. His
18-year-old brother would read him articles on hacking, according to Lotus.
And while Matt was on the party lines, his mother, Amy Kahloul, could
sometimes be heard in the background playfully imitating his frequent pose
as an AT&T technician.
"I think that she has concerns," says a Boston phone phreak who was Matt's
only real-life friend from the party lines. "She's like, 'Don't get
yourself into trouble.' But I know that she also respects Matt's interest.
She knows that it makes him happy, and she's proud of how much Matt's
learned." (Kahloul could not be reached for comment, and the family's
lawyer did not return repeated phone calls).
The Boston phone phreak, who spoke on condition of anonymity for fear of
FBI attention, is the only party liner to meet Matt in person. In the
summer of 2006, he showed up at Matt's home to intercede in a brewing
confrontation between Matt and another Boston party liner.
The visitor chatted with Matt's family for a few minutes, before meeting
Matt, a heavyset kid with a shaved head. The visit was a rare incursion
into Matt's real life from the phone world, and Matt was shaking with
nervousness. "I showed up unexpected, and he didn't know what was going on
when I rang the bell," says the phone phreak. "But after a few minutes he
calmed down."
On another day, the Boston phone phreak met up with Matt at an East Boston
plaza while Matt's mother was shopping. Often brusque and abusive on the
party lines, "in person, he's a very friendly guy," the phone phreak says.
"Easy to get along with and have a conversation with." The friends hacked
on a pay phone for an hour-and-a-half.
But the Boston phone phreak eventually distanced himself as Matt became
more involved with Stuart Rosoff and the other swatters -- a relationship
characterized by posturing and mutual harassment.
"Stuart E. Rosoff is going get on his knees and suck my pole, dude," Matt
taunted one day, in a recorded party line conversation. "He cut my phone
off three times today ... But I got it back on, three times."
"You won't get it back on any more," Rosoff responded, incorrectly.
Matt's roughhousing with the swatters alarmed his party line friends, who'd
become protective of the sharp-tongued teen. When Rosoff began harassing
Matt's mother, another phone phreak sent $800 to help the family move.
Their new location didn't stay a secret for long, though. "He moved,
literally, right around the block," says Lotus. "He had his phone all
rigged so it was showing different locations, and they still tracked him
down. They started to harass him again and sucked him back in."
But time was running out for the swatters. They'd gotten away with their
harassment in large part because each individual swatting call was
considered a minor, local offense -- a misdemeanor in some jurisdictions.
No law enforcement agency had ever stitched them all together.
Then, on Oct. 1, 2006, Martinez staged a swatting attack against Stephanie
Proulx, a female party line participant in Fort Worth, Texas. When police
arrived, expecting to find a shooting in progress, a detective on the scene
realized he'd already been to the apartment on an earlier false emergency
call. He interviewed Proulx, who told him all about Rosoff, Martinez and
other members of the gang. Martinez had even swatted her father in
Cleburne, Texas. The detective called in the FBI.
Special agent Allyn Lynd, from the FBI's nine-person Dallas cyber-crime
squad, began an investigation. A West Point graduate and a veteran of the
Global Hell defacement gang prosecutions of the late 1990s, Lynd phoned up
corporate security officers at Verizon and AT&T, who had been tracking the
party liners for years.
Verizon sent Lynd their file on Li'l Hacker, complete with call logs
showing Matt phoning a variety of internal Verizon offices, including
RCMAC, an office responsible for entering commands directly into telephone
switches. AT&T security agent Gary Beaulieu had a hotter tip: He told Lynd
about Rosoff, who at that very moment was serving time for telephone
harassment in a county jail in Cleveland.
Lynd booked a flight to Ohio. Before he left he ran a check through the
FBI's computers for incidents similar to the Proulx case. He found the 2005
Colorado Springs case linked to "Hacker Matt," and contacted Karl Mai to
see if he had any questions for Rosoff. Mai had a request, according to a
task force report on the case. "Any information developed as to the real
identity of Hacker Matt would be helpful."
On Nov. 21, 2006, Lynd and a partner interviewed Rosoff in jail. The
details of the conversation are hard to come by, but court records indicate
that on that day, Lynd obtained a new confidential informant. The informant
provided ample details about the swatting incidents, naming Martinez, a New
York man named Chad Ward, and Jason Trowbridge, a bill collector who'd used
his access to a consumer database to get information on the gang's targets.
The anonymous informant, Lynd admitted in an affidavit, "has been accused
by members of the party lines as being engaged in telephone harassment."
The informant also gave Lynd something the FBI had been looking for since
2005: the real name of Little Hacker.
Two weeks later, the FBI held the first of several meetings with Matt in
the East Boston apartment, while his worried mother looked on. The teenager
proved to be a fount of information on Rosoff's and Martinez's actions, but
he became evasive when the feds asked him about his own hacking. "They
asked, hey, are you able to drop in on lines?" Matt recalls. "And I told
them, I'd rather not talk about things like that."
Lynd began grooming Matt as a confidential informant, a path that would
make it easy to let the teen emerge relatively unscathed from the looming
swatting prosecutions. But the phone companies Matt so effortlessly
manipulated were less forgiving of the blind teenager. AT&T investigator
Gary Beaulieu began monitoring the phone numbers Matt called.
When Beaulieu saw Matt dial into a party line just a few days after the
hacker made a deal with the FBI, the phone cop called in to listen. He
heard another phone phreak describe a new way to forward somebody's phone
without their knowledge using a particular AT&T facility. Matt's phone was
soon seen calling the AT&T number.
Beaulieu passed the information onto Lynd, and Matt was in hot water again.
Prosecutor Linda Groves called Matt's attorney, and warned that if Matt
continued to hack the phone companies, he'd lose his status as a protected
informant.
Matt agreed to record some phone calls with Rosoff's crew for the FBI, and
in January he turned over four cassette tapes filled with calls. But he
didn't stop hacking. By February, the FBI had formally revoked his status
as a confidential informant, and began planning for his indictment. Lynd
told Mai that Matt couldn't stop hacking for more than 72 hours.
Daniels agrees, but says his protégé can't help himself. His entire world
is on the telephone.
"Instead of looking at him as some malicious kid who's out to do no good,
maybe you should look at him as a 17-year-old blind kid with an addiction,"
says Daniels. "Maybe the adults should think about that."
The federal government has gone after juveniles in only a handful of
computer crime cases. In the first one, in 1997, a hacker named "Jester"
phoned into an unprotected Bell Atlantic (now Verizon) dialup and crashed a
subscriber loop carrier system, killing phone service for Rutland,
Massachusetts for six hours. He was sentenced to two years probation and
250 hours of community service.
In 2000, a 16-year-old Miami youth became the first juvenile to go to jail
on federal computer crime charges, when he was sentenced to six months for
hacking NASA. In 2005, a Boston phone hacker, who made a bomb threat
against a Florida school, was sentenced to 11 months detention. In the most
recent case, a teenage bot herder called "SoBe" pleaded guilty in February,
and faces 12 to 18 months in jail.
Complicating matters in Matt's case is that there's no federal law against
pretext phone calls. So in court filings in related cases, the feds have
invented a novel legal theory just for the blind hacker. Matt, they argue,
violated the Computer Fraud and Abuse Act by persuading phone company
workers to access their computers on his behalf. He hacked by proxy, using
his voice instead of a computer.
Prosecutors may not be eager to test that theory in court, though, and
going after minors can be complicated. Former Dallas cyber-crime prosecutor
Matthew Yarbrough, who worked with Lynd on the Global Hell prosecutions,
says it's usually not worth the trouble. "Those 20 guys in Global Hell, I
only ended up prosecuting three or four of them because most of them were
minors," says Yarbrough. "I remember looking back and thinking this was
just too much a pain to do this."
When the swatter indictments came in last June, Matt was spared. FBI agents
in 11 cities swept in on the swatters and their associates, arresting five
of them: Rosoff, Martinez, Ward, Trowbridge, and Trowbridge's girlfriend,
Angela Robberson. All five have since pleaded guilty, and are scheduled for
sentencing in March. All but Robberson are in custody. All of the swatters
named Matt as a co-conspirator in their plea agreements, claiming he'd used
his access to the phone companies to get information on swatting victims.
Rosoff agreed to cooperate against his associates. In exchange, Dallas
assistant U.S. attorney Linda Groves, who declined to comment on the case
to Wired.com, persuaded a Michigan prosecutor not to go after Rosoff for
one of the nastier phone attacks -- a false report Rosoff allegedly made
against a female party line user in which he claimed that she was abusing
her child. Groves also promised to recommend a sentence below federal
guidelines if Rosoff's cooperation was found to constitute "substantial
assistance" to the government.
Matt was re-interviewed, but not charged. But the indictments didn't end
the FBI's investigation. In the wake of the arrests, party liners in
California, New York and Omaha, Nebraska. contacted Lynd to complain that
they were being harassed by unindicted members of the conspiracy, who were
pressuring them to stop providing information to the FBI, according to an
October 2007, affidavit by Lynd.
The phone companies were also still on the case. Referring to Matt by his
initials, because of his underage status, Lynd wrote, "I was contacted
multiple times by employees of both AT&T and Verizon and was told that the
illegal activity was continuing and was now being orchestrated by M.W. and
other unindicted co-conspirators."
Then the FBI agent caught a remarkable break. In October, Lynd was tipped
off that somebody was still using Chad Ward's SpoofCard account. He checked
in with the company that runs the caller ID spoofing service, and learned
that SpoofCard offers a special option: With the press of a touch-tone
button, users can have SpoofCard record their spoofed calls. The recordings
stay on SpoofCard's servers for retrieval.
Ward and the other swatters had used that option. Over the next two weeks,
Lynd obtained recordings (.pdf) from 17 SpoofCard accounts in three search
warrants. One warrant alone, targeting nine accounts, produced recordings
of 98 calls, including two swatting attacks, countless harassing phone
calls, a false report to Child Protective Services and a series of
extortion threats. Court records don't indicate who was on the recordings.
With the recordings in hand, the FBI is preparing for another round of
indictments. For his part, Matt denies trying to hush up any witnesses.
"There's a lot of gossip about it, the investigation," Matt says. "A lot of
gossip about when people are getting out of jail -- a lot of he-said,
she-said. Nobody has to worry about me doing anything to anybody out there."
Matt's friends say he's the one who's worried. But he's also not stopping.
Several phone phreaks and party liners told Wired.com that Matt is still on
the party lines daily, openly bragging about his ongoing social engineering
successes against the phone companies. He's also popping up on private,
unpublished conference bridges, where phone hackers run their exploits live
on three-way. If recent history is a guide, AT&T's security agents are also
on the line, listening in.
Matt will turn 18 on April 7, and many expect him to be picked up by the
FBI before the candles have gone out on his birthday cake. In truth,
though, turning 18 doesn't affect Matt's federal exposure for actions
committed as a minor.
But if Matt celebrates his birthday by disconnecting a party liner's phone,
or wheedling someone's Social Security number out of a Verizon
representative, or forwarding someone's line to the FBI's number in
Washington . Then all bets are off. Nobody interviewed for this story
believes that Li'l Hacker will stop. And he's not fooling anyone by using
the pay phone down the street.
"One of the reasons he's so effective ... is because that's all he does,"
says Daniels, the veteran phone phreak. "All he knows is what he knows.
He's completely consumed with telephone party lines all the day, all the
time. It's depressing, but at the same time he has become quite a force."
"He doesn't understand what it took a long time for me to learn," Daniels
adds. "Everything you think is another world is really the same old world."
Blind hacker
Why didn't this kid's mom disconnect the phone???
http://www.talkee.com
among others.
Ray T. Mahorney
WA4WGA