Inside a darkened conference room in the Miami Beach Holiday Inn, America’s most badass hackers are going to war – working their laptops between swigs of Bawls energy drink as Bassnectar booms in the background. A black guy with a soul patch crashes a power grid in North Korea. A stocky jock beside him storms a database of stolen credit cards in Russia. And a gangly geek in a black T-shirt busts into the Chinese Ministry of Information, represented by a glowing red star on his laptop screen. “Is the data secured?” his buddy asks him. “No,” he replies with a grin. They’re in. Fortunately for the enemies, however, the attacks aren’t real. They’re part of a war game at HackMiami, a weekend gathering of underground hackers in South Beach. While meatheads and models jog obliviously outside, 150 code warriors hunker inside the hotel for a three-day bender of booze, break-ins and brainstorming. Some are felons. Some are con artists. But they’re all here for the same mission: to show off their skills and perhaps attract the attention of government and corporate recruiters. Scouts are here looking for a new breed of soldier to win the war raging in the online shadows. This explains the balding guy prowling the room with an “I’m Hiring Security Engineers. Interested?” button pinned to his polo shirt. Hackers like these aren’t the outlaws of the Internet anymore. A 29-year-old who goes by the name th3_e5c@p15t says he’s ready to fight the good fight against the real-life bad guys. “If they topple our government, it could have disastrous results,” he says. “We’d be the front line, and the future of warfare would be us.” After decades of seeming like a sci-fi fantasy, the cyberwar is on. China, Iran and other countries reportedly have armies of state-sponsored hackers infiltrating our critical infrastructure. The threats are the stuff of a Michael Bay blockbuster: downed power grids, derailed trains, nuclear meltdowns. Or, as then-Defense Secretary Leon Panetta put it last year, a “cyber-Pearl Harbor... an attack that would cause physical destruction and the loss of life, paralyze and shock the nation and create a profound new sense of vulnerability.” In his 2013 State of the Union address, President Obama said that “America must also face the rapidly growing threat from cyberattacks.…We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.” The pixelated mushroom cloud first materialized in 2010 with the discovery of Stuxnet, a computer worm said to be designed by the Israeli and U.S. governments, which targeted uranium-enrichment facilities in Iran. Last fall, Iranian hackers reportedly erased 30,000 computers at a Middle Eastern oil company. In February, security researchers released a report that traced what was estimated to be hundreds of terabytes of stolen data from Fortune 500 companies and others by hackers in Shanghai. A leaked report from the Department of Homeland Security in May found “increasing hostility” aimed online against “U.S. critical infrastructure organizations” – power grids, water supplies, banks and so on. Dave Marcus, director of threat intelligence and advance research at McAfee Federal Advanced Programs Groups, part of McAfee Labs, a leading computer-security firm, says the effects would be devastating. “If you shut off large portions of power, you’re not bringing people back to 1960, you’re bringing them back to 1860,” he says. “Shut off an interconnected society’s power for three weeks in this country, you will have chaos.” Hence, events like HackMiami, where the competition to hire cyberwarriors is increasingly intense. “There’s too much demand and not enough talent,” says Jeff “The Dark Tangent” Moss, founder of the largest hacker convention, DefCon, held annually in Las Vegas. Despite the threats, a report by the Commission on the Theft of American Intellectual Property, a group comprised of former U.S. government, corporate and academic officials, recently concluded that so far the feds have been “utterly inadequate [in dealing] with the problem.” While Uncle Sam is jockeying for the Internet’s best troops, private security firms are offering way more pay and way less hassle. Charlie Miller, a famous hacker who exposed vulnerabilities in the MacBook Air and iPhone, spent five years with the National Security Agency before joining Twitter’s security team. Earlier this year, the DHS lost four top cybersecurity officials. In April, Peiter “Mudge” Zatko, a renowned member of the pioneering hacker collective Cult of the Dead Cow who was working at the DOD’s Defense Advanced Research Projects Agency, split for Silicon Valley to join his former DARPA boss, Regina Dugan. “Goodbye DARPA,” he tweeted. “Hello Google!” As a result, there’s a metawar taking place: one between government and industry to score the country’s toughest geeks – like the ones here this weekend – to join their front lines before it’s too late. “We need hackers,” Janet Napolitano, secretary of the Department of Homeland Security, told Rolling Stone in June, “because this is the fastest-growing and fastest-changing area of threat that we’re confronting.” A month later, however, she announced that she was leaving DHS too – stepping down from her post to head the University of California system. Photos by Charles Ommanney/Reportage by Getty Images Hey, dude!” says David Bonvillain. “Let me buy you a mojito!” It’s not even noon at the Holiday Inn bar, but Bonvillain, head of the Denver-based Accuvant LABS, one of the most elite and flashiest computer-security firms, is already working the crowd because, as he puts it, the competition is “feverish.” A brash, Ferrari-driving 40-year-old who chain-puffs an e-cigarette and is sleeved with tattoos, Bonvillain is among the country’s top hacker scouts. While the feds try to recruit hackers on the glory of public service, Accuvant has honed a sexier pitch. “We built an environment that allows people to legally do the things that would put them in jail,” Bonvillain says, exhaling vapor, “and we have a great time and make a good living doing it.” Accuvant represents an upside to cyberwar: a booming market. Corporations spent $60 billion worldwide on information-security services last year, according to a report by Gartner, a technology-research firm, and are expected to shell out a whopping $86 billion in 2016. To the consternation of businesses around the world, entrepreneurial hackers hunt for security flaws, then sell the technical info to governments from Russia to North Korea, as well as the National Security Agency here. Google and Microsoft are among those who pony up as well, hoping to improve their products. Technical details on a single vulnerability go for as much as $150,000. Accuvant specializes in attack and penetration, or “attack and pen” for short, infiltrating their clients’ computer systems to expose and improve weaknesses. Their clients include everyone from banks and hotels to federal agencies, which can pay upward of $100,000 for a single test of their services. To maintain integrity during a penetration test, the client’s underlings aren’t told they’re being targeted. A Minnesota casino hired Accuvant to try to break into its computer room and access its most sensitive data. Not only did the team succeed – convincing workers they were tech-support staff – they walked out the door carrying the casino’s computer servers. They then posed with their bounty by the slot machines, flipping off the camera for a picture they sent to the casino’s boss. Another time, they hacked a Department of Defense contractor by parking a rental car outside a warehouse and scanning the wireless network with laptops and antennas. “It’s sad, honestly, how vulnerable they are,” Bonvillain says. Accuvant understands the talent better than most, because they rose from the hacker underground themselves. Bonvillain, a metal guitarist who spent a night in jail in high school after getting busted riding his motorcycle over 100 mph, started hacking computers and phone phreaking while at James Madison University in Virginia in the mid-Nineties. “I wanted to break into stuff,” he says. “I thought it was the coolest thing.” Inspired by the movie War Games but eager to stay out of trouble, he eventually put his skills to use as a professional hacker testing security for companies that paid him. “As soon as I found out that information security was actually a job and, even better, a job you could make some good cash at, that was all I wanted to do,” he says. Jon “Humperdink” Miller, a hulking, goateed 31-year-old in a backward baseball cap and shorts, who, as head of research and development, oversees Accuvant’s military clients, is like a supersmart Chris Farley. He started attending hacker conventions at age 13 and became notorious when he appeared at DefCon with no shirt and a vanity license plate of his nickname around his neck. He jokes that his greatest hacker skill is “drinking,” for which he has an award named after himself at the Vegas confab. When he was in high school in San Diego, he says, he made $80,000 a year doing his own attack-and-pen operations. At 17, the National Security Agency offered him a college education, a company car and a substantial stipend if he agreed to work for them after graduation. But he passed on the offer. “Guys like me refuse to get clearance,” he says, gulping a beer. “You have to be professional. You have to be reserved. Here, like, if you’re a loud asshole and you’re smart, sweet! We know a lot of loud assholes.” Bonvillain balks over security clearance too. “If you’ve smoked pot more than six times, you can’t join the FBI,” he says. “When they interviewed me, I asked, ‘In one day?’” The drug test is no small issue. A three-year no-use policy eliminates a huge slice of the young hackers coming out of school into the workforce. “That disqualifies a bunch of people that would be perfectly skilled and trustworthy,” says Moss, “just because they smoked pot in college.” Attracting and keeping cyberwarriors is as much about marketing a lifestyle as it is offering big bucks. (The money is good, though, with salaries for top contractors at firms like Accuvant easily topping $200,000 a year.) “Look at Alex,” Bonvillain says, pointing at Accuvant’s head of security architecture, Alex Kah, a tatted-up Kentuckian with a slacker drawl. “Could you imagine him trying to go into the NSA with ‘Louisville’ tattooed across his neck?” Accuvant hires electronic-music duo the Crystal Method for its parties and makes the hippest swag in the business: bootleg Adidas tracksuits, stickers and T-shirts modeled after Iron Maiden’s “The Trooper.” To score one notorious hacker, they agreed to buy him his own gold-plated, $1,000 espresso machine. “The reason we’re successful is because we market this like a metal band,” Bonvillain says. And they’re fired up by the enemy. Humperdink grows red in the face when he starts ranting about how China gives a pass to its rogue army of hackers. “If you’re a lone Chinese hacker not employed by the Chinese and you want to hack Charles Schwab, go for it,” Humperdink says. “Consequence-free. Do whatever you want. You’re fighting the great Satan. They’re completely covert about operational security. They don’t talk about active hacks against the U.S. That’s completely off the record. That shit happens every day.” Their outrage makes them even more patriotic. Humperdink comes from a family of Marines and law enforcement. Bonvillain draws inspiration from his dad, a retired lieutenant colonel in the Army, who now works as an intelligence officer for the Defense Intelligence Agency – serving posts in the Balkans, Afghanistan and Iraq – and has been nominated for the counterintelligence’s hall of fame. “I’m deeply patriotic,” Bonvillain says. It’s the same blend of working-class blues and American pride that fueled the old military. “Every serious hacker that I know came from very, very blue-collar or underprivileged backgrounds,” he says. “It made them hungry. They’re willing to do whatever it takes.” To get a sense of just how weak our cyberdefenses are, I take a trip with Jayson Street, Chief Chaos Coordinator for another firm, Krypton Security, into the basement of a hotel in South Beach. We breeze past an open door with a taped sign that reads, “Doors must be closed at all times!!!” This is where the brains of the building live – the computer network, the alarm system, the hard drives of credit-card numbers – but, as Street tells a brawny security guard, he’s here on the job, “doing a Wi-Fi assessment.” Street, a paunchy, 45-year-old Oklahoman in a black T-shirt and jeans, flashes the hulk some indecipherable graphs on his tablet and says, “We’re good,” as he continues into another restricted room. The doors aren’t locked. No one seems to be monitoring the security cameras. The wires for the burglar-alarm system are exposed, ready for an intruder to snip. We make our way to the unmanned computer room, where, in seconds, Street could install malware to swipe every credit-card number coming through the system if he wanted to. “They’re like every other hotel I’ve tried to go into,” he tells me. “They fail.” Government agencies and corporations fly Street around the world to see if he can bullshit his way into their most sensitive data centers. He has scammed his way into a bank in Beirut, a financial center across from Ground Zero, a state treasury department. He usually records his infiltrations on a spy watch, a 16-gigabyte HD video recorder with infrared lights, then turns over the footage to his clients. When I ask Street the tricks of his trade, he tells me there are two keys to stealing data in person: act like you’re supposed to be there and carry a tablet PC, which convinces victims he’s a tech-support worker. “People see this thing,” he says, waving his tablet, “and think it’s magical.” Street, who has authored a book about security flaws called Dissecting the Hack, is a highly sought-after speaker at hacker conventions from ones in China to this weekend’s in Miami, and has consulting gigs in Cyprus, Jamaica and Germany. “I am not an American hacker,” he says. “I am not a Oklahoma City hacker. I am a hacker. I don’t care what country you’re from. If you’re trying to defend yourself and you’re trying to work to better protect your company or your country, I’m all for it. I’m here trying to help secure the Internet.” But there’s one job he’ll never take: working for the feds. “The American government has to understand that to get someone who thinks outside the box to work for you, you can’t immediately put them in a box,” he says. “And that’s the problem.” Street is among the many who cite the legacy of the late hacktivist Aaron Swartz as a cautionary tale. A research fellow at Harvard, Swartz accessed the MIT computer system and downloaded millions of academic-journal articles. He was charged with violating the Computer Fraud and Abuse Act and, facing decades in prison and $1 million in fines, committed suicide in January. “The government says, ‘Hey, we really need your help, can you hack for us?’” Street says of Swartz. “And then, on the other hand, it’s like ‘Oh, you’re a hacker, you’re going to jail! We’re going to hound you until you kill yourself.’” Photos by Charles Ommanney/Reportage by Getty Images Gregory “Mobman” Hanis kicks back with his laptop on a florally upholstered couch in the Holiday Inn lobby, ready to annihilate another 45 million people. He’s not doing it in warfare, though: He’s hacking Candy Crush Saga, the most popular game on Facebook. As rows of sparkly treats fill his screen, he opens a second window, which contains a program he wrote. With a few deft strokes, he casually cranks his Candy Crush score to 10 million, earning the high score and swiftly crushing the dreams of players who devote hours a day – not to mention real money, which they use to buy extra lives – to the game. “It’s literally taking candy from babies,” he says, with a sigh. There’s a reason he sounds so weary. Mobman is a 32-year-old wizard who can hack just about anything but has to settle for a job as a network admin for an online-poker company. That’s because he’s a convicted felon, a black hat who, because of one major fuck-up as a teen, can’t get hired directly by the feds or most private companies. His story represents another hitch in the cyber-recruitment race: the brilliant hackers who’ve crossed the line earlier in life. “I’ve been in there. I know it, and I’ve done it,” he says. “That’s what you would get from me.” Like Street and the others, Mobman fits Bonvillain’s bill of being damaged and hungry. The son of a U.S. Marshall mother and an absentee father, he got A’s in schoolwork but F’s in conduct. “I was bored,” he says. “They didn’t push me.” Instead he pushed himself, writing a program that let him cheat in his favorite game, Ultima Online. Mobman just wanted to steal virtual weapons and gold to get an edge. But when the program, Sub7, leaked onto the Net, black hats around the world discovered it could be used to steal all kinds of things, including AOL accounts and credit-card numbers. Sub7, the first hacking tool of its kind, went viral. “I was like, ‘Holy shit,’” he recalls, “‘I’m gonna get in trouble.’” Sub7 itself wasn’t illegal; it was the criminal use of it that was a problem. But in 1999, when Mobman was 19, after getting pissed at AT&T for refusing to fix his overcharged cellphone bill, he hacked into the company to change it himself. Instead, he says, he accidentally took down the entire AT&T network in California and Nevada for almost two days. (An AT&T spokesperson won’t confirm or deny the attack.) After pleading to a charge of “modification of intellectual property,” Mobman spent seven months in jail awaiting trial before receiving five years' probation – and then spent months living on the streets after his mom refused to take him back in. The experience left him changed and determined to put his skills to good use. “That’s why I want a job,” he tells me. “So I can do it legally.” The federal cyberforces, though, generally don’t hire felons. But private contractors like Accuvant are technically free to employ whomever they want. “For me – it depends on the felony :),” Bonvillain writes me in an e-mail. “There was a day (10 years back or so) that such a conviction would have prevented his employment. Today, that’s not as strict of an unwritten rule.” Though a felon would have trouble getting security clearance for more hands-on jobs, he could still contribute as part of the security team. For now, this leaves guys like Mobman to hustle work on the private side, which he’s busy doing here this weekend. To help amp up his image, Mobman has been conducting his own security research at home, sometimes involving a bit of hacking. He gives companies the opportunity to fix bugs, then posts his findings in white papers online. One was about how hacking a single computer could take the entire country of Australia offline. Another one detailed security holes in the popular Web-page-programming software Joomla. However, a few days after he posted the former, he got a letter from the Department of Homeland Security. They weren’t impressed. They were informing him they’d taken the paper down. Cyberwar, like any war, never rests. Neither does the simulated one taking place at HackMiami, where co-founder Rod Soto, a 38-year-old computer-security specialist from the area, is running a cyberwar game. Though the consequences of their hacking are fake, the technology they’re breaking is real. They actually are hacking Fedora, an operating system used by computers in China, infiltrating Zeus, a malicious “botnet” army of computers, and commandeering North Korean industrial controls for power-plant systems. It’s just that everything’s simulated and run on a closed network, so as not to inadvertently start World War III. The purpose of this event, besides the recruiting going on, is to teach the hackers how to find vulnerabilities in other nation’s machines. “It gives you the blueprint and the knowledge if you ever want to attack them,” Soto says. So far, the truth about the extent of the U.S.’s offensive attacks against other countries has been shadowy at best. There’s Stuxnet, which has yet to be officially attributed to the U.S. (or Israel), and NSA leaker Edward Snowden’s recent claim the U.S. has launched widespread cyberattacks against China. Beyond that, the closest we’ve come was Hillary Clinton’s admission last year of a State Department attack on an Al Qaeda propaganda site in Yemen. Related: Julian Assange Opens Up About Wikileaks Battle, House Arrest and the Future of Journalism The tensions around this topic are partly because the laws governing cyberwar are still being determined. As Rear Adm. Margaret Klein, chief of staff of Cyber Command, the Ft. Meade-based defense center for U.S. military networks, put it last year, “Attorneys and scholars face a variety of complex legal issues arising around the use of this new technology.” But experts are pushing for more offensive measures regardless. The Commission on the Theft of American Intellectual Property concluded that “new options need to be considered.” It seems our government is already heeding the call. A June leak of a presidential directive from Obama, which had been issued in October, reveals that the U.S. is, at the very least, getting its cyberwarriors in line. In addition to calling for a list of international targets, the directive argued that “Offensive Cyber Effects Operations... can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.” But while the government remains quiet about the existence or extent of their offensive measures, hackers and contractors I spoke with are, albeit cautiously, more forthcoming. HackMiami organizers James Ball and Alex Heid, security specialists for a major financial company they prefer not to name so as not to anger their bosses, say they have based this weekend’s cyberwar simulation on real-life hacks they conducted on their own of terrorist networks and organized-crime groups. Ball infiltrated an Al Qaeda forum online and posted the archives on his site, TerroristMedia.com. Heid became notorious for hacking the stealthy Zeus botnet in Russia. But the government hires private contractors to do such attacks on its behalf as well. The cyberwar underworld is rife with contractors who fashion themselves to be “the Blackwater of the Internet,” as Heid puts it, “information mercenaries…private sector guys who are going on the offensive, but you don’t hear about it.” At least not usually. Companies like Accuvant are capable of creating custom software that can enter outside systems and gather intelligence or even shut down a server, for which they get can paid up to $1 million. For example, Humperdink says, they would be able to unleash an attack to take a country like China completely offline. “We could stop their cyberwarfare program,” he says. “Five years ago, I remember the North Koreans were doing missile testing, right? If [the U.S. government] came to a company like us and said, ‘Here’s $15 million,’ we could turn a North Korean missile into a brick. If you came to us with $20 million and said, ‘We wanna disable every computer there in Iran, and they’d have to replace them’ – not a problem.” For added flair, each program Accuvant sells gets its own cyberpunk handle – like Purple Mantis – and is delivered on a jet-black thumb drive inside a custom case with the name laser-etched on a plaque. “So how many offensive plays are going on now?” I ask. “A lot,” Bonvillain says. “More than people would realize?” “Yes,” he replies. Then Bonvillain falls silent. He puffs his e-cigarette, considering a more diplomatic response. “The U.S. government,” he says, “is great at hiding everything they do.” Photo by Jim Watson/AFP/Getty Images To see what the front line of cyberwar really looks like, I visit the National Cybersecurity and Communications Integration Center in Arlington, Virginia, the Department of Homeland Security’s mission control. It’s one of our most important hubs in digital warfare, alongside the FBI and NSA. A wall of video screens show online the attacks on the IRS and NASA – both agencies were compromised by a Distributed Denial of Service Attack, a technique that floods a site with access requests, slowing or downing it completely. The four-year-old NCCIC – employees pronounce it “enkick” – is the country’s nerve center for online threats. Twenty-four hours a day, teams drawn from a pool of 500 DHS cyberpersonnel sit at the ready in this sprawling, windowless command cave. Flickering diagrams on the front wall track the dangers in real time: traffic anomalies at federal agencies, cyberalert levels for each state’s website, a map of our country’s telecommunications system (“There’s no cyber without fiber!” a steely engineer tells me). Fortunately, at the moment, the threat against the IRS and NASA proves to be relatively harmless. However, the number of cyberincidents is on the rise. Fiscal year 2012 saw 190,000; this year’s number is already over 214,000. Overhauling the feds’ image to lure young tech talent has become a major priority. In a way, it’s akin to the shift in Silicon Valley – away from the business suits of IBM to the Adidas sandals of today. The National Science Foundation now offers a CyberCorps Scholarship for Service program that places winning students in government agencies. The DHS is among the sponsors of the invite-only “Cyber Camps,” which hold hacking contests for prospective employees. Aside from the “sense of duty” and high-level security clearance that NCCIC director Larry Zelvin tells me lures his team away from fat paydays elsewhere, the power of being inside the government system is the greatest perk. “You just don’t get that in a corporation,” he says. Last year, the DHS assembled a cyberskills task force, which drew from hacker hubs including Facebook and DefCon, to recommend changes in their recruiting. To get the estimated 600 more hackers the DHS needs, the report concluded, the agency should “focus more attention and resources on…‘branding’ of cybersecurity positions,” including “cool jobs.” Napolitano says that “the money and the culture” are the chief obstacles the Department of Homeland Security runs into when recruiting hackers to join. “We don’t require our folks to wear a coat and tie,” she says, “and I’m not interested in the precise hours they work as much as I’m interested in getting the work done” – but she stops short of saying hackers can work from home in Teenage Mutant Ninja Turtle pajamas. But maybe if you’re young and brilliant and looking for online action, there’s something undeniable about working for the biggest, baddest government on the planet. Sitting here under the dormant red warning lights, there’s a sense of being at the center of the matrix – and this is plenty tantalizing for some, including th3_e5c@p15t, winner of the cyberwar contest back at HackMiami. With his skills, he can write his own ticket, which he hopes to cash in with the feds. He says he wants to be as close to the front line as he can get: “I see it as a righteous cause.” Rolling Stone contributing editor David Kushner is the author of “Jacked: The Outlaw Story of Grand Theft Auto.”
Sombra ao Sol
Para quem precisa de sombra para os sois que nos afectam no dia-a-dia...