Internet Private Eyes Hinder FBI Hunt for Hackers 5:14 p.m. ET (2214 GMT) February 17, 2000 By Patrick Riley

NEW YORK  The FBI's probe into last week's attacks on major Web sites has just begun, but it is already running into numerous problems, including false leads and interference from the burgeoning Internet security field.

J. Scott Applewhite/AP FBI Director Louis Freeh and Attorney General Janet Reno testify about Internet attacks before the Senate subcommittee on commerce

News media have widely reported the bureau's first efforts at tracking down the people responsible for the "denial of service" (DOS) attacks on such high-profile Web sites as Yahoo!, eBay and CNN.com. The focus has reportedly been on three people using the nicknames mafiaboy, nachoman and Coolio.

Coolio was reportedly questioned by the FBI earlier this week, but according to John Vranesevich, founder and head of Antionline.com, a security site that tracks hackers, the FBI "apparently talked to the wrong Coolio."

The Coolio they spoke to, allegedly a teen-age member of the California-based hacker organization Global Hell, was actually shut down by the FBI a year ago, Vranesevich said, adding that agents raided the teen's house and took his computer equipment.

"From what I heard from his friends, his parents basically took away his Internet access and haven't let him have a computer," he added. "The only times he's been online is at the local library on occasion, so he's pretty much been out of the scene for the past year."

As for the FBI's attempts to track down mafiaboy and nachoman, "None of that has been fruitful," said Vranesevich.

An FBI spokesman, however, refused either to confirm Vranesevich's allegations or to discuss details of the case. "Our investigation is going forward vigorously and thoroughly," he said.

Slowed Down by Experts

The scores of security consultancy firms joining in the hunt might actually be impeding the investigation, Vranesevich said, "so that their company can be the first to say, 'We caught him,' and garner the attention that comes with that."

What these firms are doing, he said, is making a mess of the situation. A tactic he described as common is for Internet PIs to enter discussion groups and pose as "mafiaboy" to see who tries to contact them. They then pose as mafiaboy's "friends" in hopes of talking to him themselves. Internet chat rooms rarely require users to verify their identities.

The problem, Vranesevich said, is that the cyber-sleuths are not working in tandem. "You have the security organizations that are posing as mafiaboy's friends trying to talk to another security organization posing as mafiaboy," he said.

Art Wong, CEO of SecurityFocus.com, agreed that such tactics can get messy. "You don't know who's actually who in these cases," he said. "I think that law enforcement should be left to law enforcement."

Vranesevich said he has observed as many as a dozen security firms engaging in this vicious circle at once. They stick out, he said, because they log on from regular Internet services, whereas true hackers might appear to be coming from a government agency or a university server they have broken into.

Still, he said, the fact that individuals are trying to find the perpetrators is not a bad thing in and of itself.

"I think the concern is the fact that they're going to the press before they go to the authorities with information that could be sensitive to an ongoing investigation," he said. "It could jeopardize it flat out."

Recourse.com's Michael Lyle was quoted by a number of news organizations this week talking about his online discussion with mafiaboy, transcripts of which he reportedly turned over to the FBI.

Lyle did not return phone calls seeking comment.

Now, if the FBI is searching for mafiaboy, it lacks the luxury of doing it clandestinely.

With the whole world on the prowl, Vranesevich said, the suspect "would have to be pretty dense as a criminal to have any sort of incriminating evidence left on anything that belongs to him."

http://www.foxnews.com/vtech/021700/hack.sml

-- Martin Thompson (mthom1927@aol.com), February 17, 2000