Inside the ‘white hat hackers’ policing the digital world.
Tommy DeVoss stood out from most of the people he was in prison with. The other criminals around him were doing time for traditional, often violent, crimes: drug misdemeanours, possessing and using guns, and bank robberies.
DeVoss, who goes by the online moniker of dawgyg, was imprisoned for hacking and served his time in medium- and high-risk US prison facilities. “The reaction from most of the people was along the lines of: when we got out would I help them hack this or that, wipe their criminal record, or hack the US Bureau of Prisons and get them released,” says DeVoss.
The hacker was just 19 when he was arrested, in 2002, after opening the front door of his house to 30 FBI officers. In 2005, he was convicted of breaking into US military and government computers and sentenced to two-and-a-half years in prison. He says he was involved with several hacking groups, one of which, known as World of Hell, scoured the web for websites with poor internet security.
Once a site was found to be vulnerable, it would be defaced with messages for its owners. These would say a problem had been found; an email address was included for further information. The tactic largely didn’t work, according to DeVoss, with victims instead contacting law enforcement. “My main motivation was just boredom,” he says. “Most of us [in World of Hell] were bored kids who decided to push the boundaries of what we were allowed to do.”
While dawgyg has now grown up, teenagers – mostly male – are still part of hacking’s culture and are often arrested. In November 2016, an unnamed 17-year-old from Norwich pleaded guilty to hacking the communications firm TalkTalk the previous year. In April 2017, Adam Mudd was jailed for two years for making and releasing malware, starting in December 2013 when he was 16, from which he earned almost £400,000. In October 2017, Kane Gamble, from Leicester, admitted attempting to hack computers belonging to the director of the CIA, the deputy director of the FBI and other senior US officials between June 2015 and January 2016, when he was 15.
Most hacks carried out by lone teens are relatively unsophisticated. At the other extreme are complex operations carried out by, or on behalf of, organised bodies including governments, security services and criminal gangs. These include: the global ransomware cyberattacks of WannaCry and NotPetya that spread rapidly in 2017; Stuxnet, which disrupted Iran’s nuclear weapons program from 2010; and several hacks against power grids around the world. Members of advanced persistent threat (APT) hacking groups, some of which have been traced back to Russia, are known to have 9-5 office-based hours and work to predetermined targets.
DeVoss says he became involved with hacking in the mid-1990s and has not considered it since his release from prison 10 years ago. “The biggest thing that forced me to change,” he says, of his decision to not reoffend, “is the threat of life in prison if I hack illegally again.”
After a spell working in software development, DeVoss began hacking again – legally. Legal hackers are known as white hat hackers, after the white-stetsoned good-guy cowboys in Hollywood films. Black hats are those who hack for criminal purposes; grey hats may break the law but not for malicious purposes.
He now works as part of HackerOne, an online platform of more than 100,000 white hat hackers who are offered ‘bug bounties’ (cash incentives paid to security consultants and white hat hackers in return for locating flaws in a computer system) to find security flaws in the code of some of the world’s largest companies. HackerOne helps firms launch bug bounty schemes and connects them to its trusted network of operatives.
Facebook, Google, Yahoo and Microsoft have all worked with HackerOne, as has the US Department of Defense. From the latter, hackers earned about £225,000 in the year to November 2017, finding almost 3,000 vulnerabilities. Google paid £2.3m in bug bounty rewards in 2016. Apple launched its own bug bounty scheme in August 2016 and offers up to £150,000 for uncovering serious flaws.
Good hackers can be well rewarded. White hat hacker Nathaniel Wakelam told The Guardian in 2016 that his average annual earnings are about £185,000. A HackerOne survey found that the average bug bounty payment in the first half of 2017 was £1,432, up 16 per cent on 2015.
DeVoss says the lifestyle of a professional hacker can be “very laid back”. Start-up costs are minimal: looking for security problems online requires only computer hardware and an internet connection. “I spend about 10-20 hours a week at most working on different programs,” he says. “I wake up when I want to, normally around 9am, then spend an hour or two looking for bugs, then take a break and go do something with friends or my dog, then jump back online later in the night for a little bit of time before I go to bed around 2-3am.”
One of the biggest challenges for people working professionally as hackers is overcoming the connotations of the job title. The activity of illegal hacking groups, colossal data breaches such as the 2017 hack of US credit bureau Equifax, and the continued spread of malware give all hackers a bad reputation.
“Not all hackers are bad,” DeVoss explains. “As more are given the recognition they deserve, and more people see all of the good that hackers are doing to help keep their information and networks safe, public opinion will change. But as long as the media continues to give more coverage to the bad hackers and not the good, the stigma of the word ‘hacker’ will stay in people’s thoughts.”
Matt Burgess is a staff writer at Wired and the author of Freedom of Information For Journalists (Routledge, 2015).