Why I did it: Former hacker Mitchell Frost explains his motivation
CSO - In 2006, Mitchell Frost, then a 19-year-old college student at the University of Akron, used the school's computer network to control the botnets he had created. Authorities say between August 2006 and March 2007, Frost launched a series of denial of service (DDOS) attacks against several conservative web sites, including Billoreilly.com, Anncoulter.com and Rudy Giuliani's campaign site, Joinrudy2008.com. He is accused of taking down the O'Reilly site five times, as well as disrupting the University of Akron's network during a DDOS attack Frost allegedly launched on a gaming server hosted by the university.
Frost's dorm room at the university was raided in March 2007. What followed, according to Frost, was a long, complicated legal battle that ultimately lead to him spending over two years behind bars and owing thousands of dollars in legal and restitution fees for his crimes. Frost was released from prison in 2012 and is now serving probation.
Frost took the time to talk to CSO about his experience and delves into the reasons why he did it, his thoughts on the punishment he received and his plans for the future.
Tell us about your background. How did you become so knowledgeable about computers and when did hacking become something that interested you?
I started on computers around a young age and I have always had a mind that wants to keep exploring and learning. Hacking didn't start overnight, it all started by networking really. First I wanted to be able to have music without paying for it, so I joined some chat rooms on IRC (Internet Relay Chat). IRC is not used much, it's typically used only by smaller groups of hackers and gamers. When I was younger I would spend many hours in a row on the computer, and when I woke up or had free time, just continue on with what I was working on. You build skills and make connections with others and keep moving up until you have background in hacking. Let's just say I built my way up over the years 2000-2007.
What inspired you to do the kind of hacking you did in 2006 and 2007 to those conservative web sites? What were you hoping to accomplish by hacking those particular sites? How did you choose your targets and why?
In 2006, I was young and, even at that age, I could see there was a lot of corruption and media propaganda going on in newspapers and on television. At that time, I had a rather large and complicated botnet. With the botnet, I was able to use the compromised computers for almost anything; key strokes, DDOS, servers, passwords, pranks. I had several botnets over the years from a few to thousands and didn't do a whole lot of DDOS on servers because I had no need to.
I decided that I had to do something about what I was seeing in the world around me, so I knocked a couple of websites offline at the time thinking it will prevent the hate and conflict and fear mongering from being seen by people.
When it became clear you were going to face punishment for the attacks, did you think it would mean jail time?
They raided me in March of 2007 right after spring break. They took some computer stuff and took my roommate's stuff and had three agencies do the raid (FBI, Secret Service, Homeland Security) all with guns pointed right at my head. They brought me into a room and said "if you help yourself now it will be easier at sentencing." I didn't answer any questions. They released me and didn't say much. I was scared shitless after that. I didn't know what to do. I remember now going to a class after the raid to take a math test and was shaking so bad.
About one day later, they expelled me from the school, even though I was not charged with anything yet. I moved back home and then contacted the Federal Public Defenders office in Cleveland and was assigned a lawyer. He said cases like mine take time and to stay out of trouble and he would get back to me.
I moved back home and got a job working as a carpet-cleaning technician. From 2007 and on, I tried to live a normal life but had that fear that something was coming. I ended up meeting my wife. We fell in love and she got pregnant in December of 2009.
Around May of 2010, my lawyer said I randomly received a judge and that it didn't look good because of her previous sentencing history. I was hoping for maybe a small amount of time or probation, considering I did not get arrested at the time of the raid in March 2007 and had not yet. I was living in fear for almost 4 years, not going to friends or out to parties and all that.
The judge ended up giving me 30 months and tried to place me under arrest right at the sentencing hearing. When she did this, it took the prosecutor and my lawyer to walk up to the bench and say I am not a flight risk with a newborn on the way and I knew about these potential charges for three years, so why couldn't I self-report? She finally agreed to let me self-report so I can tie up some things with my family before my time.
There was some debate after your sentencing about whether or not the penalty was too harsh. Do you think it was too extreme?
Way too extreme. Who was the victim? Yes, a couple of people had their servers down for a small period of time, but the jacked-up estimates of the damages were over inflated. Example: they said it took $10,000 for them to press one button on one switch to get access back to the network. The reasoning for the sentence has to do with amount of money lost, etc. Bill O'Reilly said he needed to spend $300,000 to upgrade his systems. My lawyer did not fight or really look into their claims of money loss.
I think they should of come to some plea with me within a year of the initial raid so I could of dealt with this problem and moved on with my life. Maybe do 3-4 months in some low-security prison and some intensive probation would have been the same. Now it will end up costing me about 10 years of my life -- 2006 started it and by the time I'm off probation it will be 2016. All for taking some servers offline. You tell me: is that fair?
What has this experience taught you?
The experience is not over yet and is far from. I have learned to keep to myself when I see something unjust or unfair or unbalanced all I can do is stay clear of it and talk to people I know or influence and explain my point of view without any damages, physical or monetary.
Last year, there was a lot of sadness and discussion around the suicide of Reddit co-founder Aaron Schwartz. As you know, Schwartz was facing a trial after being arrested on allegations of breaching a computer network to download millions of pages of documents kept at MIT. Many feel he was being too harshly prosecuted for the crime and it drove him to suicide. What are your thoughts on that, having faced a sentence yourself?
I am very familar with Aaron Schwartz. Did you know he chose to take his case to trial because he was not guilty? He was murdered and it was made to look like a suicide. Who would ignore a plea deal with no jail time, wait for trial and then commit suicide? All he did was download some stuff from the MIT library -- most of it was like 30 years old. He was prosecuted because of his ties to a grassroots movement for Internet freedom.
What's next for you? What are you plans for the future?
I am rebuilding my life the best I can for having limited resources. I was released Election Day 2012. I was stuck living in a halfway house in the slums of Toledo, Ohio. Then I had to go up the chain of the BOP and the halfway house to get released to home detention. That took about 2.5 months.
I started probation on March 8th, 2013. I work at a small store in a town where my wife's parents let us live in a rental, so we pay them what we can. I pretty much cannot go to school because I owe so much to U of Akron and I have $50,000 in fines and restitution. They take a percentage of my pay each check to give to Bill O'Reilly. I guess when you're worth $50 million, why not ruin some guy's life and future and suck every check he makes?
I guess my life is not going anywhere until I am off probation. I would like to be a wireless network security consultant, or a real news reporter for the independent media. I will continue to try and make my son and wife's life the best I can for the position I am in.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Going Paperless? Here's What You Need to Think About As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Cyberwarfare White Papers | Webcasts