Hard Time for E-Commerce Saint?
By Michelle Delio

2:00 p.m. Apr. 22, 2001 PDT

The so-called Saint of E-Commerce may be off to jail next Friday.

Raphael Gray, a Welsh teenager who styled himself as a sort of virtual avenging angel, said he was on a mission to prove the dangers inherent in shopping over the Internet.

To make his point, last year Gray embarked on a month-long crusade to see how many e-commerce systems he could crack.

See also:
Discuss this story on Plastic.com
OpenHack: Did He Win or Not?
IE Hole-Finder in Odd Position
Mind your own Business news

Between February and March of 2000, Gray cracked thousands of networks, obtained at least 23,000 credit card numbers, and then posted thousands of those card numbers and expiration dates on his own websites, resulting in the closure of two companies and an estimated 2.8 million dollars in fraudulent Visa and MasterCard charges.

One of the credit card numbers that Gray managed to obtain belonged to Bill Gates. According to court records, Gray used Gates' own credit card to charge and send a large shipment of Viagra to the Microsoft chairman and chief software architect.

Gray had a particular problem with Microsoft, believing that many of their products were inherently insecure.

Gray, who lives in a tiny village called Clynderwen in western Wales, was arrested last March by FBI agents who were "greatly troubled by his disturbed crusade " said Leighton Davies, the prosecution lawyer, during his closing remarks in court for Gray's trial on Friday.

Davies also said that, despite Gray's unshakeable belief that he was a saint, his "plundering" crusade was "criminal, unnecessary and extreme."

Gray has pled guilty to eight counts of cracking into the customer databases of computers located in the United States, Canada and Britain, and two counts of "obtaining services by deception" for making purchases with illegally accessed credit cards.

He will be sentenced next Friday.

Colin Nicholls, Gray's lawyer, argued that Gray felt it was all right to crack into the sites, because there was no notice that accessing them was prohibited.

That excuse is akin to a burglar proclaiming his innocence when he finds and enters an unlocked window, rebutted prosecutor Davies.

Gray said that he attempted to notify companies of the holes in the e-commerce software that they were using, but was often rebuffed or ignored. Only after a company had failed to react to his warnings, said Gray, did he post stolen credit card numbers on his websites.

Gray maintained several personal websites, now closed, where he published the purloined credit card numbers, along with details of his database cracks and his own rants boasting that law enforcement officials would never catch him, "because they never catch anyone. The police can't hack their way out of a paper bag."

The police, however, knew enough about hacking to track Gray by analyzing the logs of a server he had cracked into.

Gray had scripted a program that tapped into databases, extracted information, and then crashed the site's server after he was done.

The crash was intended to wipe out any traces of his crack.


But the program failed to crash a server on at least one occasion, and the FBI and Royal Canadian Mounted Police used that server's logs to track Gray to the small cottage that he lives in with his mother and two sisters.

He was at his computer when law enforcement showed up at the door.

Gray, who currently is a college student, announced in court that he had been offered a job as a security consultant for a software company. The company was not identified.

A friend, Rhodri Jones, said in an e-mail that Gray is "brilliant with computers but rather bad with people."

"Raph had a bad accident at school when he was about 14," Jones said. "He fell and banged his head pretty bad. Ever since then he's been very nervous."

"And since that bang on his head he gets really obsessed by things. He was really consumed by the idea of saving the world from the evils of e-commerce. He said that the software was so full of holes it was criminal and people had to be told how dangerous it was to shop over the Internet," Jones added.

Jones said that the arrest was the talk of Clynderwen.

"Eight police officers pulled up in front of his house in a riot van shortly after dawn. This is not the sort of thing that ever happens in the village. The FBI men were even wearing trench coats! It was like something out of a movie."

No word from Microsoft on how Gates greeted the shipment of anti-impotency drugs that were charged to his credit card and sent to him from Gray.

The Microsoft billionaire is probably feeling a little limp anyway, what with Saturday's announcement that he has been ousted from top place in England's Sunday Times newspaper's annual list of the World's Richest People.

Gates, whose name has topped the prestigious list for many years, now comes in second, with Sam Robson Walton, the head of the Wal-Mart retail empire in first place.

Gates had a personal fortune of $76.50 billion in 2000, which dove to a mere $54 billion this year, due to a slump in high-technology stocks. Walton is now said to be worth $65.4 billion.


Related Wired Links:

Will the Real Hackers Stand Up?
Apr. 20, 2001

Teaching Kids About Hacking
Apr. 14, 2001

Russian Hacker Rebuffs U.S.
Apr. 11, 2001

German Threat Raises Infowar Fear
Apr. 9, 2001

IE Hole-Finder in Odd Position
Apr. 3, 2001

OpenHack: Did He Win or Not?
Mar. 30, 2001

Inside Russia's Hacking Culture
Mar. 12, 2001

Honeypots: Bait for the Cracker
Mar. 7, 2001

The Greatest Hacks of All Time
Feb. 6, 2001

The Internet: It's Full of Holes
Feb. 6, 2001



Copyright © 1994-2001 Wired Digital Inc. All rights reserved.