David Paul Helkowski, the Canton Group employee who is the focus of an FBI probe of the data breach at the University of Maryland, participated in an Ask Me Anything discussion yesterday on Reddit to answer questions about the university's compromised computer network, the FBI raid, his hacking experience, and more. As proof of his identity, Helkowski, posting under the username "krage28," uploaded a scan of the search warrant used by authorities to enter his house.
Some of the tidbits relevant to the University of Maryland breach:
How were you caught?
I am not quite sure exactly. The things that led me to be a suspect in this case were grey hat hacking. I wasn't selling information or breaking anything, so I wouldn't quite say I was 'caught'. No charges have been pressed against me thus far, either by the university, the state, the secret service, or any other group.
To answer your question more directly, I'm not exactly sure how I got caught. I know friends of mine were questioned before I was. My parents got calls from the FBI asking for my online only alias 3 weeks before. There were signs something was going down.
What the FBI did have was a printout of a Steam chatlog. Apparently they got it from Steam themselves and/or got it from someone else I was talking to about the hacking I was involved in. The Steam chatlog is the only evidence I know of that they had that I was doing anything that would classify as 'hacking'. I was stupid. I told my friends what I was doing, and I used Steam to tell them.
Is there currently a case against you? If so, does this post act as admission of guilt?
I believe I am a suspect in the current ongoing case that was in the news about someone stealing 300k+ identities.
I did have more access than whoever that was, but I didn't do anything "bad" with that information or access imo.
I have not been pressed with any charges, so to my knowledge there is no case against me thus far.
Most everything I've stated here I've stated freely to the FBI ( I have continued cooperating with them after the RAID ).
During the RAID I provided my 20+ character system encryption password, my Keepass password, the location of my keyfiles, and a full description of everything. I basically "confessed" everything to the FBI already.
My stance is that I did nothing "morally wrong". My attempt the entire time has been to help the university improve their security.
As far as being "guilty", I assuredly did have more access into their systems than I should have been able to have, but some of this they were fine with and I told them about freely before the RAID.
Whether or not I broke any laws, I am uncertain of. I have and will repeatedly apologize for any wrongdoing I may have done, and I will simply continue to reiterate that I was only trying to help.
There is sufficient evidence to demonstrate I mean well.
Did you think that you weren't on anyone's radar or just that you were too good to leave footprints?
I used VPN access through Sweden, Switzerland, and Hong Kong to do the testing. I did mess up and do 1 or 2 things that could be traced back, but the majority of anything that would get me in any trouble there was little to no evidence of.
The only thing that alerted anyone was myself. I told the university that I hacked their systems ( specifically I sent an email to all 20 members of the task force for UMD in charge of security ). In the email I listed out all the names and internal employee numbers of all of the people on the task force. That is what triggered the FBI and Secret Service to start digging and eventually arrive at my door.
-I did good things through my actual job
-I did more good things, to try and help security, outside of my job ( albeit things that I could very well get in a lot of trouble for now )
-I communicated exactly what I did in detailed steps to the university ( to help them patch their holes ) - albeit "anonymously"
-University involved FBI and Secret Service
-Authorities questioned other people at my work, as well as clients
-Authorities then realized it was me, due to me having told other people at work what I was doing
-Was then raided
-Told my job I was raided
-My job laid me off, despite me cooperating with authorities and not having got in any legal trouble thus far. ( may yet )
It's still unclear to me what activities you were alleged to be participating in. Care to elaborate?
It was suspected that I was the person responsible for this: http://www.diamondbackonline.com/news/article_b8236dea-99b6-11e3-92eb-0017a43b2370.html
I believe I am still an active suspect in that case. There is more than enough evidence to demonstrate my innocence of being involved in that particular "data breach" involving the university though.
There are 3 things I did that got me in trouble:
-I was working on a UMD website through my company, and I downloaded a portion of the site to work on it. My computer virus scanner picked up a virus ( a shellscript ) on their site. I reported it to my coworkers and my boss ( VP of the company ). The VP did nothing and didn't tell the university.
-I later, after the 300k incident was in the news, checked if the shellscript was still there. It was. I freaked out and told my coworkers. They immediately told the VP and CEO of my company. Several days later I was in a conference call with people from UMD. Basically nothing was done about the shellscript besides removing it.
-I waited 2 weeks and then continued, outside of work, investigating to see how bad UMD security was. ( eg: pentesting ) Their security was and is horrendous. I detailed what I found and communicated it to the university...
You can read the entire AMA here