When did you first hear of Curador?
A security consultant and ex-hacker from Ottawa, Davis tracked down
Curador, an 18-year old hacker from South Wales who in 2000 stole an
estimated 26,000 credit card numbers from e-commerce web sites and posted them
It was around the second or third of February, on a web site I go to all the
time called hackernews.com. And he had posted a little news story
there that he'd broken into a couple of different e-commerce sites, and stolen
3,000 or 4,000 credit card numbers at this time, and was just sort of bragging
about it. . . .
So why did you go after him?
One, he broke into a Canadian web site, this web site in Markham. The second
reason was that he just didn't really seem to have any kind of ethic, be it
good or bad. I mean, even the bad guys that I deal with on a daily basis in
this hacker subculture still have some type of ethic. . . . Hackers have a sort
of honor among thieves. There's this hacker ethic, and this guy just didn't
seem to have that. So, I think that's kind of what drove me to go after him a
bit. . . . It was just this bragging and the lack of ethic.
And when did you hear the bragging?
. . . He wrote a little news blurb for hackernews, bragging about breaking into
these two sites and stealing 4,000 or 5,000 credit card numbers at the time. He
also contacted the media, NBC, CNN, all these people. And at first, they
pretty much just ignored his emails. He was telling them, "I've broken into
these sites. I've stolen these many credit card numbers. Do you guys want to
interview me?" And they were ignoring him. But there was a smaller news
agency, internetnews.com, and a guy named Brian McWilliams . . . did an
interview with him. And in that, he was taunting the police, just bragging
profusely about his skill and how great he was and things like that. And that
also really just kind of kept the fuel going for the fire. It really kept me
So, in the end, when you said you'd go after him, how difficult was it to
For me to actually find out where he was coming from, not difficult at all. .
. . For me to trace him back to the internet service provider in the UK that he
was using, that really took like an hour. So that wasn't very difficult to
find. From the internet service provider actually to his house took a couple
What was the initial response of the authorities when you contacted
. . . The FBI was actually quite easy to deal with, although technically, they
didn't really understand what it was I was explaining to them. The local
police were also very polite, but they didn't understand it. . . .
How would you characterize the police level of knowledge on this sort of
Well, the police's level of knowledge in this is low. I don't think that
they're properly prepared or they don't have the proper skill sets on board
within their departments to deal with this, even within the computer crime
department. . . . So I ended up doing a lot of explaining. But I think that
probably the police need to find people in the industry and get them on board
to help, because most of the people that are in the security field are getting
much larger paychecks than what police agencies are willing to pay out. So
this is why they don't end up with people with those types of skill sets, the
people that they need to be able to find these guys. . . .
In the case of Curador, what was the scale of what he did?
He had stolen in excess of 26,000 credit card numbers. He'd used a few credit
cards online to purchase certain things, and he publicly published them out to
the internet for anybody else to use. . . . A couple of the sites that he
broke into are no longer in business. People just won't shop there anymore .
. . .
Do you have any sympathy with the view that these sites should have been
I do think that these sites probably should have been more secure than they
were. But a lot of them are very small, sort of mom-and-pop type operations.
They were a couple of guys. They put up a web server and tried to make a
couple of dollars off the internet. And they don't really have the money to
go hire a security consultant to come in and make sure that they're secure. A
lot of them just assumed that the Microsoft products they're using are
inherently secure, which is unfortunately not the case.
So many people just don't have that knowledge. They don't know that there are
these gaping holes in their Microsoft web server. There are gaping holes in
Microsoft Windows NT, by default. They don't understand that. So you end up
with a lot of people just throwing these things up, thinking that they're
secure, and they're not. I do agree with the fact that maybe they should have
done their research; should have found out what the vulnerabilities were, and
how to fix them prior to opening up for business. But I definitely don't agree
with what Curador did to try and prove a point. . . .
Isn't it a little frightening to think that an 18-year-old in South Wales,
on a second-hand computer, can get 26,000 credit card numbers off the
Yes, that is a little scary. It happens every day, though. We have
14-year-old, 13-year-old, 12-year-old kids that are defacing major web sites:
government web sites, NASA web sites, things like this. They're breaking into
the computers and . . . changing the sites. It's the equivalent of graffiti,
really. They're sort of this cybergraffiti. . . . On average, a little less
than 20 times a day are reported. I don't know how many times it happens where
they're not reported. . . .
And is one to assume that if an 18-year-old in South Wales can get 26,000
credit card numbers, then organized crime could do the same?
Yes, absolutely. I know that Curador said that he was contacted by a couple of
different criminal organizations that offered him quite a bit of money. Other
associates of mine have been contacted by various different organized crime. .
. . I'm sure it happens a lot.
How would you characterize the internet's vulnerability . . . to criminals
. . . There are ways that you could shut down the internet in two or three
hours. I know people that have the ability to do it. Just thankfully, they
don't want to do it. They're ethical people. . . . But people who are working
for things like organized crime, or in terrorist groups, thankfully don't have
that type of skill set at this point. I think it's possible that they would be
able to find people with that skill set, and at that point, it would start to
get really scary. . . .
What sort of vulnerabilities are there? What could be done?
The major vulnerabilities that we see right now are in the Microsoft products.
Microsoft has a web server out that has 15 or 20 fairly large security problems
with it. There have been three or four really major ones over the last couple
of years. And this is what we see the young kids using right now, because
there's a lot of programs out there that you could just download, run, and
it'll re-write the web page for you. One gives you full access to the remote,
to the web server in about four seconds. There's another one that will
completely shut down the web servers in a second. There are all kinds of tools
out there that these kids can download and they don't have to understand how
they work. They don't have to understand how to write it. The only thing you
have to do is understand how to click a mouse. So that does cause a lot of
issues and a lot of problems. . . .
What were you feeling when you decided to go after Curador?
When I first decided to go after Curador . . . I think that the bragging got to
me. I just wanted to say, "Okay, look, you're really not this good. You're
not as good as you think you are. I have a really good idea how you're doing
this." So that's what started it. And then, it progressed and he started
taunting people and the police. And he and I did a couple of online radio
interviews. They'd take a sound bite from me and then one from him, and play
it. It became this large game of cat-and-mouse. And then it was almost an
obsession. I went a couple of days with barely sleeping or eating, trying to
get everything together properly for the police.
But what was I actually feeling? Just the frustration, I guess, mostly. What
I obviously thought that this was wrong and this guy was getting away with it.
I guess that's really the main thing. . . .
And when you were chasing him, what did you think? What sort of picture did
you have in mind of the person you were chasing?
Obviously, I thought he was a young individual. His spelling was terrible.
Every time he put up a new web site, his spelling would get worse. So I thought
that he's obviously not well schooled. It doesn't mean that he was not
intelligent, but. just obviously not well schooled. And young. . . . As you
mature, you make choices that don't involve stealing credit card numbers. But
outside of that, I had no other picture of him, really.
What's happened to him now, as far as you know?
Just a couple of days ago, he was formally charged . . . with ten counts
against the Computer Misuse Act of 1990 in Britain, and two counts of the
British equivalent of fraud. So he's in fairly serious trouble.
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2014
WGBH educational foundation