• silicon.com
• Technology
• Security

By Elinor Mills, 23 June 2009 15:48

COMMENT

...challenge of getting it. I had to breach like four layers of security to get in. I'm not really proud of it because it was obviously wrong...I made a stupid and regrettable decision and decided to go after the source code.

When you say it was about the challenge of getting it, can you elaborate?
At the time I was actually a fugitive in Denver and one of my colleagues handed me a brochure of this phone and I thought it was ultra cool, like the iPhone of today. I really wanted to understand what are the protocols used, how does the phone talk to the communications network, how does the whole thing operate? And I thought maybe I could modify the firmware for the code in my phone and make it more difficult for the government to track me.

For example, there are certain methodologies the government uses, like any time your phone is on, it is communicating with the mobile telephone company. I wanted to be able to toggle that off and on, so basically take my phone offline and do extra things to it. At the time I had that idea but I never went through with it because I was so busy hacking...It was pretty much the trophy. Once I got the source code, that Motorola phone intrigued me. I looked at it, read through it, and tried to understand what I could understand.

After that I went after other different cell phone companies and it really was about the trophy. It was the challenge of getting in and getting the code, storing it at USC [University Of Southern California] in Los Angeles, and moving onto the next one. That's how I got caught. The USC administrators noticed that a lot of their disk space was being used and that their systems were breached and they called the FBI. The companies themselves didn't realise they were hacked. It was USC that discovered it... I didn't spend any time trying to hide it [the source code]. That was my downfall.

Did you know what you were doing was illegal?
I started hacking back in the 1970s and there were basically no laws against it, against phreaking or hacking. In school, my parents and other people actually encouraged it. There were no ethics taught. If you could hack into the school's computer you were considered a whiz kid.

Today if you do it you get expelled or they call the cops. It was like a reward of intellect back when I got started. Then they criminalised it later. I was so hooked into the adventure of the hacking game, doing it for a number of years even though it became illegal. It was thrilling, adventurous. It was all about solving the puzzle, using intellect to get around obstacles. It was like a huge game.

What would you do differently if you could go back in time?
In hindsight, I wouldn't do what I did because now I'm much smarter and wiser, and I caused a lot of network and systems administrators a lot of headaches undeservedly. It was the wrong thing to do.

But at the time there was no such thing as penetration testing and no school curriculum on security. You had to be self-taught. That's how I learned about security and systems - through hacking. I took the wrong road in doing it. I wouldn't repeat it. Today there are degrees, pen testing, books on the subject. At the time, a lot of companies and universities didn't give much thought to security.

If someone were to ask you what lessons you've learned, what would you say?
Don't break the law. Don't intrude on other peoples' property. It's just the wrong thing to do. It's unethical and immoral. And now of course it's illegal. It's trespassing. You're violating somebody's property rights. And they have the right to control and keep their property confidential. What I attribute my change of heart to is growing up. Back then I was young and immature, and never damaged anything intentionally.

Do you feel that your hacking has led to positive change in some way?
Yes. It led to my career. Today I speak around world, I do pen testing all the time - and deep penetration testing, where I go after the most sensitive credentials at a company to see if I can get to the crown jewels. I see what I can do as an ethical hacker. I really enjoy this work because when is it that you can take a criminal activity, legitimise it, and get paid for it? Ethical hacking...A lot of pen testers today have done unethical things in their past during their learning process, especially the older ones because there was no opportunity to learn about security.

Any advice for young hackers?
Yeah, don't follow in my footsteps. There are definitely other roads or other opportunities and ways that people can learn and educate themselves about hacking, security and pen testing. Today it's a huge market. It's become a huge issue within the federal government with critical infrastructure.

Some people say companies shouldn't hire former blackhat hackers. What are your thoughts on that?
I'm hired all the time. So far it has not really been an impediment. You have to evaluate the person's skillset, their maturity, and what they did before as a hacker. Were they getting credit card numbers and buying merchandise on the internet? Or were they hacking systems for their own intellectual curiosity?

You can't just lump blackhat hackers into one category. You have to look at what they did in the past, what they've done since then, and what credentials they have to get the job done. People who have operated on the other side of the law, like Frank Abagnale, he is a prime example. He reformed himself and now is the leading authority on counterfeit money and checks.

What are you doing now?
Consulting, author, public speaker. I go around the world speaking. That's my primary activity - ethical hacking, pen testing, system hardening, training, education. And I'm working on my autobiography. It's due out in spring 2010.