The case of the unhappy hacker

As hackers go, Nicholas Middleton will never be confused with Kevin Mitnick or Kevin Poulsen. Middleton has neither the criminal sophistication nor the hacking track record for entry into the Hacker Hall of Fame.
Written by Paul Elias, Contributor

Mitnick was caught by computer security specialist Tsutomu Shimomura and a huge FBI manhunt; Middleton was simply tripped up by a caller I.D. box. Middleton didn't even have the common sense of Mitnick and Poulsen to cry 'Uncle' and admit that the government had him beat. And because of that, Middleton's going to prison.

On Tuesday, a federal jury convicted Middleton of hacking into the San Francisco ISP Slip.net last year and knocking it offline for several hours. Because Middleton demanded a trial, he faces a prison sentence of six months to three years. Had he agreed to a plea bargain, he probably could have managed to get off with probation. "We've had a number of computer hacker cases," said Assistant U.S. Attorney Matt Jacobs. "But we've never had one go to trial."

These kinds of cases don't go to trial because the hackers, even the best of them, invariably leave behind tell-tale footprints. Middleton was no exception. He left behind so much incriminating evidence that he all but admitted that he was indeed the hacker who damaged the ISP's computers on March 14, 1998. What the six-day trial essentially boiled down to was whether or not Middleton caused more than $5,000 damage -- the minimum damage needed to get a felony hacker conviction.

A jury agreed with Slip.net's founder Ted Glenwright that more than $40,000 worth of damage occurred. Here's what happened: In February 1998, Middleton quit Slip.net in a huff. He had been in charge of the company's internal operations. On March 10, 1998, Middleton, using a current employee's name and password, entered Slip.net's computer system and created two bogus accounts: "Santos" and "Torpid." The RADIUS log for that session had a caller I.D. function that showed the telephone call came from Middleton's San Francisco apartment.

Four days later, beginning at about 1:30 a.m., Middleton, using the "Santos" and "Torpid" names, logged on to Slip.net's system and damaged and destroyed data on a computer named "Lemming." Middleton logged on several times during that morning, and each time the caller I.D. function showed the call came from his house. So when Slip.net's founder Glenwright called the FBI about the hacking, they didn't have to do much sleuthing to prove Middleton was the culprit.

Middleton also sent an e-mail to another disgruntled former employee saying "I'm gonna see if I can fry me up a Lemming." The problem with that e-mail was that instead of just going to the former employee, it also reached Glenwright, because accounts of former employees are routed into one account at Slip.net.

Middleton ended up knocking some of the biggest of Slip.net's 16,000 customers offline, as well as erasing the computer passwords for employees. He also deleted the company's new billing system.

Senior U.S. District Judge William Orrick Jr. is scheduled to sentence Middleton on Aug. 4.
