Ten Teens and a Server Room

by Péter György Szabó and Lucas Vially

This story involves nerdy teenagers, a small ISP company located near Budapest, as well as an exploit which would spawn international prestige and local havoc.  This is a work of semi-fiction.  While the main facts are accurate, some blanks were filled in.

We were high schoolers in the early 2000s and part of our free time was spent playing on bulky computers.  We would excitedly talk about new software, share game discs, trivia, and tips.  All of us except for one classmate, more of a recluse, a tinkerer who was happy to spend time poking at systems instead of playing with friends.  He could have felt left out but didn't mind.  He knew that whenever he found something exciting, he would be at the center of our attention for a while.

It was common knowledge that with every contract, our local Internet company would offer 500 MB of server storage (huge at the time!), but he was the one who found a flaw while registering for it: all new users had the same default password and were simply prompted to change it.  The majority of customers never used that free service (what is FTP??), much less changed their password, so the result was plenty of storage up for grabs.  When he told us, we knew we had to profit from it.  But the master password we had was of little use without usernames.  How could we get those?  What we needed was an inside man.

Lucky for us, another classmate had an older brother working at that very company.  We all knew him; he'd been in our school.  One of the much older kids you only notice because a friend pointed him out as family, as friendly.  Now he was barely 20, given too much responsibility at his first job.  The ISP only had a handful of employees, so there weren't plenty of clearance levels in place to protect data.  And when we asked him for a list of users' emails, he actually got his hands on them.

We had what we needed, a file containing the info of all customers!  And work began.  We painstakingly checked every email with the master password until we'd amassed a great list of available accounts.  We now had plenty of gigabytes of cloud storage for our own personal use, and let me tell you we used it for any and every thing.  Studying material from our class were on there, music, games too.  Kings of the world!  We felt like top hackers.  And for more than a year, everything went well.  It was a victimless crime and we were being discreet about it, so there was no way we got caught, right?  Unless we made any stupid move.

In 2004, Half-Life 2 came out.  A revolutionary game, it also came with the multiplayer shooting game Counter-Strike: Source.  By then, we were used to sharing the files of pirated games on our cloud, even though not all of them met the same success.  Galactic Civilizations would be popular among some members of our group,  Beyond Good & Evil would be downloaded by a couple of us.  But Counter-Strike was a success.  Within days, we all had downloaded the cracked game, every single one of us playing together for hours on end.  We were hooked, and it soon became clear that it had the potential to federate more than a specific niche like other games did.

It was the one game.  We had to spread the word.  We had to spread the files.  One night, a link appeared on some Hungarian PC forum.

Game piracy wasn't as easy as it is now.  Torrenting wasn't as convenient, so sharing access to our private folder was met with great success.  The link spread around forums like wildfire.  Across the world, from as far as Thailand, people were downloading files hosted in a small server room in a wooden shack.  The employee who had gotten us those emails nearly had a heart attack when he saw the abnormal traffic.  He pulled the alarm and the whole company stopped to investigate the issue.

The news quickly came to us and we got panicky, even more when we learned the stolen account actually belonged to a cop.  We had been cautious, always uploading illegal files from the public library instead of our homes.  But how easy would it be to track us down?  We had so many weak links, we'd left so many traces and clues!  Not to mention how easy it would be for our friend at the company to put two and two together and point a finger at us.  We were scared!  It had all been in good fun, but now that they knew someone had been sharing illegal files to the point where business had to be closed for a day, we didn't know what we risked.

We decided to scrub the servers of any file which would identify us, then lay low.

Of course, we were eventually found out.  But things ended up much better than we had feared.  They let us off the hook after finding out we were just a bunch of 17-years-olds, and our only punishment was the revocation of the FTP privileges we had acquired.  The unsecure password system was updated, and so, our cloud reign ended.

The company resumed its activities, we moved on.  But all involved remember the stupid mistakes they made, and how to not repeat them.