Policy —

Whitehat hacker goes too far, gets raided by FBI, tells all

Hacker exposed client’s data to teach a lesson, was "tired of being ignored."

A whitehat hacker from the Baltimore suburbs went too far in his effort to drive home a point about a security vulnerability he reported to a client. Now he’s unemployed and telling all on reddit.

David Helkowski was working for Canton Group, a Baltimore-based software consulting firm on a project for the University of Maryland (UMD), when he claims he found malware on the university’s servers that could be used to gain access to personal data of students and faculty. But he says his employer and the university failed to take action on the report, and the vulnerability remained in place even after a data breach exposed more than 300,000 students’ and former students’ Social Security numbers.

As Helkowski said to a co-worker in Steam chat, “I got tired of being ignored, so I forced their hand.” He penetrated the university’s network from home, working over multiple VPNs, and downloaded the personal data of members of the university’s security task force. He then posted the data to Pastebin and e-mailed the members of the task force anonymously on March 15.

One day later, the FBI obtained a search warrant for Helkowski’s home. While no charges have yet been filed against him, Helkowski’s employment with Canton Group has ended. And yesterday, he took to reddit to tell everyone about it in a post entitled “IamA Hacker who was Raided by the FBI and Secret Service AMAA!” To prove his identity, he even posted a redacted copy of the search warrant he was served.

How did the FBI track him down so fast? It turns out that Helkowski told just about everyone (including co-workers) about what he was doing. And since the vulnerability he used was the same one Canton Group had reported to UMD on February 27, it didn’t take a lot of sleuthing to follow a trail that pointed straight back to Helkowski’s home in the Baltimore suburb of Parkville.

On the night of March 16, Helkowski and his wife arrived home to find the raid in progress.

There were 12 or so people. I wasn't home when they busted in my door. They actually busted in the side door. My dog was home. He ran out the doggie door then ran out the gate that they had opened. They let my dog run away basically.

I was driving up to my house, returning from dinner, and all the lights in my house were on, many cars parked out front, and cars in my driveway. I saw people walking around out front. I wondered why there was a party at my house.

As I slowed down to take a look, they yelled at me, pointed a gun (I saw one at least), and ordered me to stop the car and put my hands out the window. I did so. They then told me to use one hand to shut off the car and hold the key out the window as well. I did that. They took the key, and then demanded I get out of the car.

They then [put my hands] against the car and frisked me. They immediately took my cellphone from me, and then led me inside.

Helkowski asked permission to call for his father to retrieve his dog while agents detained him and his wife. An agent called Helkowski’s father, saying he was a friend and had noticed the dog was loose, Helkowski said. His father came to the scene to retrieve the dog—and was then detained by federal agents. “My dad of course had to accuse me in front of the FBI ‘Are you gonna learn your lesson now and not do stuff like this?’ or something like that... in front of the FBI. Geez dad. Thanks.”

Helkowski said that he cooperated fully with the agents. “During the RAID I provided my 20+ character system encryption password, my Keepass password, the location of my keyfiles, and a full description of everything. I basically 'confessed' everything to the FBI already. My stance is that I did nothing 'morally wrong.' My attempt the entire time has been to help the university improve their security.”

In a March 20 staff memo published by the University of Maryland from Ann G. Wiley, UMD’s interim vice president and chief information officer, Wiley wrote, “The FBI has informed the University that the intrusion resulted in no public release of any information and no damage to the institution, except for the release of personal data of one senior University official, who has been notified. We are unable to comment further on the intrusion at this time."

Channel Ars Technica