Curador is a 18-year old hacker from rural Wales who in the winter of 2000 stole an estimated 26,000 credit cards numbers from a group of e-commerce web sites and posted the numbers on the web. After ex-hacker Chris Davis tracked him down, he was arrested on March 23, 2000, and charged under the United Kingdom's computer crime statute.
INTERVIEW: RAPHAEL GRAY AKA CURADOR
Q. What kind of thrill do you get out of hacking? Is it sort of the New Age equivalent of sex, drugs and rock-and-roll?
I suppose you could call it that, in a way. After the first ten minutes, when I was waiting for the five and a half thousand credit cards I was to download from the first site . . . certainly there was a great rush, so to speak. You do get a rush from doing it--definitely. There is a lot of adrenaline, if nothing else, while you're trying to track it down. I sometimes spent two days solid trying to do something without sleep, without anything, just constantly trying to do it. And when you finally get through, the relief is not just from the fact that you got it, but now you can sleep. . . .
Q. But what is the incentive that keeps you doing it? It's not as if you're going to get the secrets that are going to make you a wealthy man all of a sudden.
I'm just a very nosy person. I'm like your nosy neighbor on steroids, basically. ...You can see a lot of someone's life just from the contents of their PC.When I'm 28, definitely, I'll have either gone to university or be starting. You never know who's got what in their PC at the end of the day. When you get on to one PC and one network and that network's getting through another network, you might get in somewhere really interesting. You might find out that there's going to be a new "X-Files" show. You might find anything.
Q. Is that really worth staying up all night for?
I think so yes, basically. . . .
Q. What do computers give you back?
Computers are my career as well. I can get paid for doing the kind of work that I do. And you get a lot back in satisfaction, really, from writing programs and things like that, finding new ways of doing things, maybe figuring out a new way to perform a neural network for artificial intelligence, which is something I'm really interested in. . . .
Q. But you're like a burglar who breaks into the houses just to see what's in there. You don't take anything. What's the point?
I think, obviously, I'm just a very nosy person. I'm like your nosey neighbor on steroids, basically. It can be interesting, because when you see into someone's computer, it gives you an idea of how they work, who they speak to, what they're interested in, whether they actually do any work, what their job is. You can see a lot of someone's life just from the contents of their PC. Some people even have correspondence with their family at home from their PCs, and so on. So it just depends.
Q. What are you going to be doing in ten years?
I do want to go to university at some point in time. I'd like to try and get some kind of research grant or something, and . . . go into artificial intelligence in a big way, robotics, making equipment for the disabled, basically increasing the quality of their lives. Just looking for things and ways for computers to interact with people better, so that you feel a lot more at home with the computer. . . .
Q. That's what you're going to do . . . if you're not in jail?
Indeed, if I'm not in jail. If I'm in jail, then I'm going to lift a lot of weights. Not much else. . . .
Q. You didn't break in and take all those credit card numbers just to show the world how stupid and sloppy these people were. What were you really after?
Well, if I was trying to do something else, you seem to know more about it than me, because quite literally, I don't know. . . .
Q. What's your fascination with credit card numbers?
They're a good choice. People don't like other people to know they have their credit card numbers. . . .
That's because people that get them use them to buy stuff.
Yes.
Q. Is that why you were getting them?
No, I didn't try and buy anything with them that wasn't refunded. . . . There are loads of things I could've used them for. . . . But I didn't. The whole point of it was the message.
Q. And what was the message?
There are a lot of people out there who won't even safeguard their own safety, let alone the safety of their customers. At the end of the day, it's the fault of these companies. The buck does stop with them. . . . But they're not even trying to protect their own business from that.
I suppose you could call it that, in a way. After the first ten minutes, when I was waiting for the five and a half thousand credit cards I was to download from the first site . . . certainly there was a great rush, so to speak. You do get a rush from doing it--definitely. There is a lot of adrenaline, if nothing else, while you're trying to track it down. I sometimes spent two days solid trying to do something without sleep, without anything, just constantly trying to do it. And when you finally get through, the relief is not just from the fact that you got it, but now you can sleep. . . .Q. But what is the incentive that keeps you doing it? It's not as if you're going to get the secrets that are going to make you a wealthy man all of a sudden.
I'm just a very nosy person. I'm like your nosy neighbor on steroids, basically. ...You can see a lot of someone's life just from the contents of their PC.When I'm 28, definitely, I'll have either gone to university or be starting. You never know who's got what in their PC at the end of the day. When you get on to one PC and one network and that network's getting through another network, you might get in somewhere really interesting. You might find out that there's going to be a new "X-Files" show. You might find anything.
Q. Is that really worth staying up all night for?
I think so yes, basically. . . .
Q. What do computers give you back?
Computers are my career as well. I can get paid for doing the kind of work that I do. And you get a lot back in satisfaction, really, from writing programs and things like that, finding new ways of doing things, maybe figuring out a new way to perform a neural network for artificial intelligence, which is something I'm really interested in. . . .
Q. But you're like a burglar who breaks into the houses just to see what's in there. You don't take anything. What's the point?
I think, obviously, I'm just a very nosy person. I'm like your nosey neighbor on steroids, basically. It can be interesting, because when you see into someone's computer, it gives you an idea of how they work, who they speak to, what they're interested in, whether they actually do any work, what their job is. You can see a lot of someone's life just from the contents of their PC. Some people even have correspondence with their family at home from their PCs, and so on. So it just depends.
Q. What are you going to be doing in ten years?
I do want to go to university at some point in time. I'd like to try and get some kind of research grant or something, and . . . go into artificial intelligence in a big way, robotics, making equipment for the disabled, basically increasing the quality of their lives. Just looking for things and ways for computers to interact with people better, so that you feel a lot more at home with the computer. . . .
Q. That's what you're going to do . . . if you're not in jail?
Indeed, if I'm not in jail. If I'm in jail, then I'm going to lift a lot of weights. Not much else. . . .
Q. You didn't break in and take all those credit card numbers just to show the world how stupid and sloppy these people were. What were you really after?
Well, if I was trying to do something else, you seem to know more about it than me, because quite literally, I don't know. . . .
Q. What's your fascination with credit card numbers?
They're a good choice. People don't like other people to know they have their credit card numbers. . . .
That's because people that get them use them to buy stuff.
Yes.
Q. Is that why you were getting them?
No, I didn't try and buy anything with them that wasn't refunded. . . . There are loads of things I could've used them for. . . . But I didn't. The whole point of it was the message.
Q. And what was the message?
There are a lot of people out there who won't even safeguard their own safety, let alone the safety of their customers. At the end of the day, it's the fault of these companies. The buck does stop with them. . . . But they're not even trying to protect their own business from that.
Raphael was arrested at his home on the 23 March 2000. Police and FBI agents arrived in the early hours of the morning. It was alleged that he had intruded into nine e-commerce websites in Britain, America, Canada, Thailand and Japan and taken details of some 26,000 credit card numbers and disclosed some of the credit card information on the Internet.Raphael, who was only 18 at the time explained to the police and FBI when he was interviewed that he had been concerned for sometime at the inherent security weakness in one particular make of software called Microsoft Internet Information Server. This inherent weakness enabled remote users to access information stored on computers using this software. Raphael explained he had contacted a number of e-commerce sites using this software and pointed out the security weakness but they had ignored him, and he had also contacted Bill Gates, the Microsoft Chief who again ignored him. He went on to explain that he was known on the website as “Curador”, “Custodian” or “The Saint” and he finally decided that the best way of bringing this to public attention was to publish some of the credit card numbers on a website which he set up. The prosecution accepted throughout that Raphael’s motivation was to expose and publish the fact that the e-commerce retailers were not security conscious, and secondly to broadcast the message that due to their indifference to security, individuals ought not to entrust e-commerce retailers with their credit card details. In this case Raphael initially faced a ten count indictment, each count alleging he caused a computer to perform a function with intent to secure unauthorised access and with attempt to facilitate the commission of an offence to which section 2 of the Computer Misuse Act 1990 applied. The case involved complex and novel points of law, and from the start there was intense media interest both in this country and abroad. At the plea and directions hearing on 20/10/00 Raphael entered not guilty pleas to all counts and the prosecution indicated they wish to serve an amended indictment. This was served a month later when the prosecution put their case in an entirely different way. The new indictment had six initial counts alleging an offence under the Computer Misuse Act 1990 section 2(1), alleging the defendant had committed an offence under section 3(1) of the Computer Misuse Act by doing an act which caused an unauthorised modification of the contents of a computer. The remaining four counts alleged obtaining services by deception on two separate occasions, by using a credit card number he had downloaded to set up two separate websites upon which to display the credit card information. and the related offences under the Computer Misuse Act section 2(1). This raised the totally new issue of modification. The defence instructed a computer security expert, Mr Peter Sommer to advise on the complex issues of authorisation and modification, and he advised that what Raphael had done did not amount to modification of the contents of a computer as alleged by the prosecution in the first six counts.
On 28 March 2001 the prosecution indicated they would reduce the first six counts to section 1 charges of simple unauthorised access if the defendant pleaded guilty to the remaining four counts. After lengthy discussion Raphael agreed to this compromise and was finally given a two year community rehabilitation order.
As there was no trial the complex and novel issues of unauthorised access and modification of a computer were never decided, but undoubtedly these issues will come before the court again in the near future.
ITIE Summary of Raphael Grey aka Curador
At age 19, Raphael Gray was able to hack several computer systems around the world in just a matter of one month. His mission was to gain unauthorized access to credit card information, which eventually netted him millions of dollars. Dubbed “The Bill Gates Hacker,” Gray broke into secure computer systems and published all the credit card information he accessed as part of his multimillion credit card pound mission.
