Update: David Helkowski cooperated with federal authorities, and the University of Maryland and Department of Justice declined to prosecute the case. He has since moved on to other employment. Our original story follows.
David Helkowski stood waiting outside a restaurant in Towson, Maryland, fresh from a visit to the unemployment office. Recently let go from his computer consulting job after engaging in some “freelance hacking” of a client’s network, Helkowski was still insistent on one point: his hack, designed to draw attention to security flaws, had been a noble act.
The FBI had a slightly different take on what happened, raiding Helkowski’s home and seizing his gear. Helkowski described the event on reddit in a thread he titled, “IamA Hacker who was Raided by the FBI and Secret Service AMAA!” Recently Ars sat down with him, hoping to get a better understanding of how this whitehat entered a world of gray. Helkowski was willing to tell practically everything—even in the middle of an ongoing investigation.
Until recently, Helkowski worked for The Canton Group, a Baltimore-based computer consulting firm serving, among other clients, the University of Maryland. Helkowski’s job title at The Canton Group was “team lead of open source solutions,” but he began to shift his concerns toward security after identifying problems on a University of Maryland server.
That transformation from developer to hacker came to a head when Helkowski decided that the vulnerabilities had gone unfixed for too long. He set out to prove a point about computer security both to the University of Maryland and to his employers. In early March 2014, working from a computer in his Parkville, Maryland home, Helkowski said that he exploited a misconfigured Web server and some poor database security in order to duplicate the results of a recent data breach that exposed the Social Security numbers and personal information for more than 300,000 current and former University of Maryland students and staff.
On March 14, Helkowski made his point rather dramatically by posting the university president’s Social Security number and phone number to reddit. He then sent an anonymous e-mail to the members of the university’s newly formed security task force, telling them in no uncertain terms just how horrible their security was.
Though he claims the message was not meant to sound threatening, it included lines like, “Out of politeness I’ll give you a chance to respond directly about this to me, and I’ll consider pulling it off the public Internet...Your internal IDs are listed below to get your attention.” If the security task force wouldn’t work with him, Helkowski told them to “consider this your fair warning and last contact from me.”
Despite his use of proxy and VPN services, the FBI began asking questions around Helkowski’s workplace the very next day. On the afternoon of March 16, agents investigating the case obtained a warrant. They kicked in the door of Helkowski’s home at 7pm that night. He was not arrested during the search, but his electronics were seized, his dog was (temporarily) lost, and federal charges may well be forthcoming.
The picture Helkowski painted of the circumstances leading up to his brush with law enforcement—and the still-present possibility that he will face criminal and civil charges—bears a strong resemblance to stories of information systems projects gone wrong at other universities and institutions. It has particular resonance for the public sector, where contractors can sometimes find it easier and safer to turn a blind eye to security problems rather than disclose them.
An unlikely hacker
Helkowski looks a bit older than his 32 years, with a slight build and a few gray hairs among the wiry black ones pulled back into his ponytail. He’s clearly confident in his abilities and confident that what he’s done is morally, if not legally, right. Helkowski told Ars he would act in exactly the same way if he had to do it all again.
An avid Steam gamer and anime fan, Helkowski is also a self-described computer keyboard aficionado. At one point, he had a collection of more than 35 keyboards, starting with a Northgate OmniKey that he picked up at a yard sale for $10. When the FBI raided his house, the agents had difficulty dealing with his current preferred keyboard—a Japanese keyboard with an English alphabet that he bought in the Akihabara district of Tokyo. The characters for each key are printed on the front of the key instead of its top, and its symbols don’t properly map to US standards.
“I figured out how to make it work with Windows by going in and making Windows Registry changes,” he told me. “But now I’ve just memorized which key maps to which symbol.”
Helkowski’s travels to Japan weren’t just driven by a desire for a clicky keyboard. Helkowski’s wife, a pianist and music teacher, is from Japan. He met her while she was in the US studying at Berklee College of Music. They dated but once. A few years later, after another relationship ended, he started communicating with her over the Internet again, finding she moved back to Japan to get a degree in music therapy. He traveled to see her, and they married six years ago.
“She teaches piano to kids 3 to 12 years old, and we have two grand pianos in our living room,” he said. 
Helkowski has been a developer for a number of Maryland tech companies, doing everything from Web scripting to hardcore C development. Before joining The Canton Group last July, he worked as a contractor for a year at T. Rowe Price. But it was his experience in dealing with ColdFusion and doing data conversion work that greased the chain of events leading to the FBI.
(In what follows, all technical details were provided by Helkowski; neither the university nor The Canton Group agreed to speak with Ars about his account.)
In November of 2013, Helkowski said, he was asked by a co-worker on The Canton Group’s team responsible for work with the Drupal Web content management system to help migrate data from a legacy ColdFusion site belonging to the University of Maryland’s School of Public Health. Using the team’s access to the server, Helkowski said he downloaded the contents of the site’s directory from the server to his work computer.
That download set off his malware scanner. Helkowski started to investigate why, and he found that one of the files on the server was a PHP script file. The code in the file had been compressed and obfuscated to hide its purpose, so Helkowski began decompressing and analyzing the code to find out just what it did.
The script turned out to be a piece of Web server malware known as C99Shell—a backdoor script that allows a remote user to execute arbitrary commands on the server, search through the file system, and upload files among other things. Because of the configuration of the server, the remote user was able to execute commands with the permissions of the Web server (httpd) user account. That included access to other University of Maryland websites, which resided in other directories on the same file system. It also came with the ability to change file permissions. “It was pretty close to root access because the user was so widely capable,” Helkowski said.
Based on its creation date in the file system, Helkowski said, the backdoor script had been on the server since 2011—meaning that the server was breached at least once over the last two years. He found another similar script not detected by the malware scanner. It appeared that the scripts were both uploaded to the site through a Web interface that allowed site users to post images to the website. The directory the upload page put files in was configured to allow PHP scripts within it to be executed by the Web server. Not good.
reader comments
149