How a hacker went from prison to private security professional

30 April 2018

Inside the ‘white hat hackers’ policing the digital world

Tommy DeVoss stood out from most of the people he was in prison with. The other criminals around him were doing time for traditional, often violent, crimes: drug misdemeanours, possessing and using guns, and bank robberies. 
 
DeVoss, who goes by the online moniker of dawgyg, was imprisoned for hacking and served his time in medium and high-risk US prison facilities. “The reaction from most of the people was along the lines of: when we got out would I help them hack this or that, wipe their criminal record, or hack the US Bureau of Prisons and get them released,” says DeVoss. 
 
The hacker was just 19 when he was arrested, in 2002, after opening the front door of his house to 30 FBI agents. In 2005, he was convicted of breaking into US military and government computers and sentenced to two-and-a-half years in prison. He says he was involved with several hacking groups, one of which, known as World of Hell, scoured the web for websites with poor internet security.
 
‘The biggest thing that forced me to change is the threat of life in prison if I hack illegally again.’

Once a site was found to be vulnerable, it would be defaced with messages for its owners. These would say a problem had been found and an email address was included for further information. The tactic largely didn’t work, according to DeVoss, with victims instead contacting law enforcement.
 
“My main motivation was just boredom,” he says. “Most of us [in World of Hell] were bored kids who decided to push the boundaries of what we were allowed to do.”

While dawgyg has now grown up, teenagers – mostly male – are still part of hacking’s culture and are often arrested.
 
In April 2017, Adam Mudd was jailed for two years for making and releasing malware from December 2013 when he was 16, from which he earned almost £400 000. In October 2017, Kane Gamble, from Leicester, admitted attempting to hack computers belonging to the director of the CIA, the deputy director of the FBI and other senior US officials, when he was 15.
 
Most hacks carried out by lone teens are relatively unsophisticated. At the other extreme are complex operations carried out by, or on behalf of, organised bodies including governments, security services and criminal gangs.
 
These include the global ransomware cyberattacks of WannaCry and NotPetya that spread rapidly in 2017, Stuxnet, which disrupted Iran’s nuclear weapons programme from 2010 and several hacks against power grids around the world. Members of advanced persistent threat (APT) hacking groups, some of which have been traced back to Russia, are known to have nine to five office-based hours and work to predetermined targets.
 
DeVoss says he became involved with hacking in the mid-1990s and has not considered returning to illegal hacking since his release from prison 10 years ago. “The biggest thing that forced me to change,” he says, of his decision not to reoffend, “is the threat of life in prison if I hack illegally again.”
 
After a spell working in software development, DeVoss began hacking again – legally. Legal hackers are known as white hat hackers, after the white-stetsoned good-guy cowboys in Hollywood films. Black hats are those who hack for criminal purposes and grey hats may break the law but not for malicious purposes.
 
He now works through HackerOne, an online platform of more than 100 000 white hat hackers who are offered ‘bug bounties’: cash incentives for locating security flaws in the computer systems of some of the world’s largest companies. HackerOne helps firms launch bug bounty schemes and connects them to its trusted network of operatives.
 
Facebook, Google, Yahoo and Microsoft have all worked with HackerOne, as has the US Department of Defense. From the latter, hackers earned about £225 000 in the year to November 2017, finding almost 3,000 vulnerabilities.
‘Not all hackers are bad. As people see the good hackers are doing to help keep their information and networks safe, public opinion will change.’
 
Google paid £2.3m in bug bounty rewards in 2016. Apple launched its own bug bounty scheme in August 2016 and offers up to £150 000 for uncovering serious flaws.

Good hackers can be well rewarded. White hat hacker Nathaniel Wakelam told The Guardian in 2016 that his average annual earnings are about £185 000.
 
A HackerOne survey found that the average bug bounty payment in the first half of 2017 was £1,432, up 16% on 2015.
 
DeVoss says the lifestyle of a professional hacker can be ‘very laid back’. Start-up costs are minimal: looking for security problems online requires only computer hardware and an internet connection.
 
“I spend about 10 to 20 hours a week at most working on different programmes,” he says. “I wake up when I want to, normally around 9am, then spend an hour or two looking for bugs, then take a break and go do something with friends or my dog, then jump back online later in the night for a little bit of time before I go to bed around 2h00 to 3h00.”
 
One of the biggest challenges for people working professionally as hackers is overcoming the connotations of the job title. The activity of illegal hacking groups, colossal data breaches and the continued spread of malware give all hackers a bad reputation.
 
“Not all hackers are bad,” DeVoss explains. “As more are given the recognition they deserve and more people see all of the good that hackers are doing to help keep their information and networks safe, public opinion will change.
 
But as long as the media continues to give more coverage to the bad hackers and not the good, the stigma of the word ‘hacker’ will stay in people’s thoughts.”
 
Matt Burgess is a staff writer at Wired and the author of Freedom of Information For Journalists (Routledge, 2015). This article was first published on The Stand.