http://www.infoworld.com/print/222266
By Roger A. Grimes
Created 2013-07-09 03:00AM
Much of the world is just learning that every major industrialized nation has a state-sponsored cyber army [1] -- though many of the groups, including team USA, have been around for decades.
I've met a few cyber warriors. As you might imagine, they can't talk much about their duties. But if you work shoulder to shoulder with them long enough, certain patterns emerge. For starters, there are a lot of them. They are well armed with cyber weaponry, and they're allowed to experiment and hack in ways that, as we all now know, might be considered illegal in some circles.
I've been a longtime friend to one cyber warrior. On condition of anonymity, he agreed to be interviewed about what he does for a living and allowed me to record our conversation on a device he controlled, from which I transcribed our conversation. I was able to ask clarifying questions the next day.
We met in person in my boat off the coast of Florida, which might sound very clandestine, except that our primary goal was to catch some fish. It's interesting to note that he did not want me to contact him by email or phone during the months leading up to this interview or for a few months after, even though what he revealed does not disclose any national security secrets. The following is an edited version of our conversation. Certain inconsequential details have been altered to protect his identity.
Grimes: Describe yourself and your occupation.
Cyber warrior: Middle-aged, white male, not married. Somewhat smart. Music lover. Lifetime hacker of all things. Currently working on behalf of armed services to break into other countries' computer systems.
Grimes: What is your background? How did you learn to hack?
Cyber warrior: I got into computers fairly early in my life, though I grew up in a foreign country. My dad split when I was young, and my mom worked a lot. I got into computers by visiting one of the few Radio Shacks near my neighborhood. The sales guy hated me at first because I was always on their computers, but after I taught him a few things, we became good friends for years. I realized I had an aptitude for computers ... that most of the adults around me did not have. By the time I was 15, I had dropped out of school (it wasn't as big of a deal in the country I was in, as it is in most developed countries), and I was working a full-time job as the head IT guy at a federal hospital.
I was hacking everything. I hacked their systems, which wasn't too much of a problem because I was already the head IT guy. They had lost some of the admin passwords to the network and other computer systems, so I had to use my hacking skills to reclaim those systems. I hacked everything: door locks, Master locks, burglar alarms -- anything. For a while, I thought I was a master spy and thief, even though I never stole anything. I would spend all my earnings on buying security systems, install them in my house, then spend all my time trying to bypass them without getting caught. I got pretty good, and soon I was breaking into any building I liked at night. I never got caught, although I did have to run from security guards a few times.
Grimes: What did you like hacking the most: security systems or computer systems?
Cyber warrior: Actually, I loved hacking airwaves the most.
Grimes: You mean 802.x stuff?
Cyber warrior: How cute. How quaint. No, I liked hacking everything that lives in the sky. Computer wireless networks are such a small part of the spectrum. I bought literally dozens of antennas, of all sizes, from small handheld stuff to multi-meter-long, steel antennas. I put them all in a storage shed I rented. I put the antennas up on the roof. I don't know how I didn't get in trouble or why the storage shed people didn't tell me to remove the antennas. I had to learn about electricity, soldering, and power generation. I had dozens of stacked computers. It was my own little cloud, way back when. I would listen for all the frequencies I could. I was next to an airbase and I captured everything I could.
Back then a lot more was open on the airwaves than today. But even the encrypted stuff wasn't that hard to figure out. I would order the same manuals as the equipment they were using and learn about backdoors in their equipment. I could readily break into most of their equipment, including their high-security telephone system. It was fun and heady stuff. I was maybe 16 or 17 then. I was living and sleeping in the shed more than at my home.
One day I started to see strange cars show up: black cars and trucks, with government markings, like out of a movie. They cut the lock off my shed and came in the door. My loft was up near the rafters, so I scooted over into the next storage area, climbed down, and went out the side door at the far end of the shed area. I walked off into the desert and never went back. I must have left $100,000 worth of computers, radio equipment, and oscilloscopes. To this day, I don't know what happened or would have happened had I stayed -- probably not as much as I was worried about.
Grimes: Then what did you do?
Cyber warrior: My mom got married to my stepdad, and we moved back to the States. I was able to get a computer network admin job pretty quickly. Instead of hacking everything, I started to build operating systems. I'm a big fan of open source, and I joined one of the distros. I wrote laptop drivers for a long time and started writing defensive tools. That evolved into hacking tools, including early fuzzers.
Eventually I got hired by a few of the big penetration-testing companies [5]. I found out that I was one of the elite, even in a group of elites. Most of those I met were using tools they found on the Internet or got from the companies that hired us, but all that code was so [messed up]. I started writing all my own tools. I didn't trust any of the hacking tools that most penetration testers rely on. I loved to hack and break into things, but to be honest, it was pretty boring. Everyone can break into everywhere -- so I made it a game. I would only break in using tools that I built, and I would only consider it a success if none of my probes or attacks ended up in a firewall or other log. That at least made it more challenging.
Grimes: How did you get into cyber warfare?
Cyber warrior: They called me up out of the blue one day -- well, an employment agency on behalf of the other team. They were offering a lot more money, which surprised me, because I had heard that the guys working on behalf of the feds made a lot less than we did. Not true -- it's certainly not true anymore, if you're any good.
I had to take a few tests. I had a few problems getting hired at first because I literally didn't have a background: no credit, no high school or college transcripts. Even the work I had done was not something you could easily verify. But I scored really well on the tests and I was honest about what I had done in the past. They didn't seem to care that I had hacked our own government years ago or that I smoked pot. I wasn't sure I was going to take the job, but then they showed me the work environment and introduced me to a few future coworkers. I was impressed.
Grimes: Explain.
Cyber warrior: They had thousands of people just like me. They had the best computers. They had multiple supercomputers. They had water-cooled computers running around on handtrucks like you would rent library books. The guys that interviewed me were definitely smarter than I was. I went from always being the smartest guy wherever I worked to being just one of the regular coworkers. It didn't hurt my ego. It excited me. I always want to learn more.
Grimes: What happened after you got hired?
Cyber warrior: I immediately went to work. Basically they sent me a list of software they needed me to hack. I would hack the software and create buffer overflow exploits. I was pretty good at this. There wasn't a piece of software I couldn't break. It's not hard. Most of the software written in the world has a bug every three to five lines of code. It isn't like you have to be a supergenius to find bugs.
But I quickly went from writing individual buffer overflows to being assigned to make better fuzzers. You and I have talked about this before. The fuzzers were far faster at finding bugs than I was. What they didn't do well is recognize the difference between a bug and an exploitable bug or recognize an exploitable bug from one that could be weaponized or widely used. My first few years all I did was write better fuzzing modules.
Grimes: How many exploits does your unit have access to?
Cyber warrior: Literally tens of thousands -- it's more than that. We have tens of thousands of ready-to-use bugs in single applications, single operating systems.
Grimes: Is most of it zero-days?
Cyber warrior: It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.
Grimes: What do you like hacking now?
Cyber warrior: Funny enough, it's a lot of wireless stuff again: public equipment that everyone uses, plus a lot of military stuff that the general public knows nothing about. It's mostly hardware and controller hacking. But even that equipment is easy to exploit.
Grimes: Does your team sometimes do illegal things?
Cyber warrior: Not that I know of. We get trained in what we can and can't do. If we do something illegal, it's not on purpose. Well, I can't speak for everyone or every team, but I can tell you the thousands of people I work with will not do anything intentionally illegal. I'm sure it happens, but if it happens, it's by mistake. For instance, I know we accidentally intercepted some government official's conversations one day, someone high-level. We had to report it to our supervisors and erase the digital recordings, plus put that track on our red filter list.
Grimes: You say you don't do anything illegal, but our federal laws distinctly say that we cannot offensively hack other nations. And we are hacking other nations [6].
Cyber warrior: They say we can't hack other nations without oversight. John Q. Public and John Q. Corporation can't hack other nations, but our units operate under laws that make what we are doing not illegal.
Grimes: I know you from many years ago, and I think the young you would revile hacking any government by any government. I think I heard you say this many times, and you were passionate about it.
Cyber warrior: I'm still passionate about it, but the older self realizes that the young self didn't have all the facts. We have to do what we do because [other nation states and other armies] are doing it. If we didn't, we would literally be dead. It's already something that I don't know if we are winning. I know we have the best tools, the best people, but our laws actually stop us from being as good as we could be.
Grimes: What about your job would surprise the average American?
Cyber warrior: Nothing.
Grimes: I really think the average American would be surprised you do what you do.
Cyber warrior: I don't agree. I think everyone knows what we have to do to keep up.
Grimes: What does your work location look like?
Cyber warrior: I work in an obscure office park in Northern Virginia. It's close to DC. There's no lettering or identifiers on the building. We park our cars in an underground garage. There are about 5,000 people on my team. I still work for the same staffing company I was hired by. My badge does not say "U.S. government" on it. We are not allowed to bring any computers, electronics, or USB storage drives into the building. They aren't even allowed in our cars, so I'm the guy at lunch without a cellphone. If people were to look around, they could spot us. Look for the group of people being loud that don't have a single cellphone out -- no one texting. Heck, they should let us carry cellphones just so we don't look so obvious.
Grimes: What do you do for a hobby?
Cyber warrior: I play in a hardcore rap/EDM band, if you can imagine that. I play lots of instruments, make beats and percussion stuff. I wish I could make more money doing music than hacking. I'm even considering now leaving my job and doing music. I don't need much money. I have enough for retirement and enough to support my lifestyle.
Grimes: What do you wish we, as in America, could do better hacking-wise?
Cyber warrior: I wish we spent as much time defensively as we do offensively. We have these thousands and thousands of people in coordinated teams trying to exploit stuff. But we don't have any large teams that I know of for defending ourselves. In the real world, armies spend as much time defending as they do preparing for attacks. We are pretty one-sided in the battle right now.
Grimes: What do you think of Snowden [7]?
Cyber warrior: I don't know him.
Grimes: Let me clarify, what do you think of Snowden for revealing secrets [8]?
Cyber warrior: It doesn't bother me one way or the other.
Grimes: What if it could lead to your program shutting down? You'd be without a job.
Cyber warrior: There's no way what we do will be shut down. First, I don't intentionally do anything that involves spying on domestic communications. I don't think anyone in my company does that, although I don't know for sure. Second, it would be very dangerous to stop what we do. We are the new army. You may not like what the army does, but you still want an army.
If I was out of a job I'd just get better at playing my instruments. I like to hack them, too.
This story, "In his own words: Confessions of a cyber warrior [9]," was originally published at InfoWorld.com [10]. Keep up on the latest developments in network security [11] and read more of Roger Grimes' Security Adviser blog [12] at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter [13].
--------------------------------------------------------------------------------
Source URL (retrieved on 2013-07-17 03:40PM): http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-222266

Links:
[1] http://www.infoworld.com/t/data-security/us-china-please-stop-hacking-our-companies-if-you-dont-mind-214322
[2] http://www.infoworld.com/d/security/its-over-all-private-data-public-220901?source=fssr
[3] http://www.infoworld.com/browser-security-deep-dive?idglg=?ifwelg_fssr
[4] http://www.infoworld.com/newsletters/subscribe?showlist=infoworld_sec_rpt&source=ifwelg_fssr
[5] http://www.infoworld.com/d/security/penetration-testing-the-cheap-and-not-so-cheap-050
[6] http://www.infoworld.com/d/security-central/stuxnet-marks-the-start-the-next-security-arms-race-282
[7] http://www.infoworld.com/t/cringely/snowden-has-answers-nsa-still-holds-the-questions-220881
[8] http://www.infoworld.com/t/government/nsa-leaker-snowden-leaves-hong-kong-reportedly-russia-221306
[9] http://www.infoworld.com/d/security/in-his-own-words-confessions-of-cyber-warrior-222266?source=footer
[10] http://www.infoworld.com/?source=footer
[11] http://www.infoworld.com/d/security?source=footer
[12] http://www.infoworld.com/blogs/roger-a.-grimes?source=footer
[13] http://twitter.com/infoworld