Hi, I'm Steve, a professional penetration tester/security expert. This is my success story, from kid to cyber terrorist to EU top 25 security auditor.
From Vtech kiddie to professional security expert - The self taught way.
Sure, we had a Commodore at home, but my first real steps in teaching myself a computer language were on the toy computer that belonged to my sister. Along with the games, it had a very minimal QBasic shell to program small tasks. I spent hours doing input/output examples, showing off my skills to my parents at that time. Soon enough, I ran out of options after having used and combined all the techniques in the /help menu.
Like a perfectly timed coincidence, my parents managed to get a brand new Pentium 90MHz, 8MB (yes, MB not GB!) Windows 3.1 desktop costing a small fortune at that time. Remember, the internet still didn't exist back then for the general public. Out with the Vtech, in with MS-DOS and full-blown QBasic!
Line after line, my programs started to become more evolved and complex. With every issue I encountered (yes, no Google to grab some examples), I only became more passionate about solving the issue.
As the years and technology evolved at a rapid pace, it was a real struggle to keep up with the new technology and programming languages. While I was still playing around in Basic, Visual Basic stood out. When I started to master Visual Basic, .NET came out, and so on.
I had the urge to master every single command that could be found in the syntax help menu before switching to another language.
By now, I have a perfect knowledge of the following languages, all self-taught over the last 20 years of my life:
- Visual Basic / VB.net
- C / C++
- Batch / Shell
- All major web programming languages/platforms
Those are the languages that I truly master, without the help of the almighty Google. Most programming languages are just dialects derived from these, so in general, I could work with any language.
Did I mention that I rarely use any kind of IDE? My workspace is mainly Notepad++. Yup, that's oldskool!
Mastering my skills for fun and profit and taking the biggest loss of my life.
The upside of self-taught coding is knowing the flaws and weaknesses of code. When running penetration tests, it's sad to conclude that the majority is blindly using third-party packages, or using code they've found on Google somewhere.
Using Google-found code for authentication systems is like a Google self-diagnosis when you're ill.
While there are solid, trusted, open source platforms available that will do most of the heavy lifting for you, never use them without understanding every single line of code when it comes to sensitive data, and all data related to any customer should be considered sensitive!
Around the age of 16, I created my first full-blown application for a mid-size company to keep track of their supplies, staff, working time, bills, inventory, you name it, my program did it. Around 27.000 lines of code written from scratch and uncountable hours in front of my screen, almost 18h per day for about 3 months straight.
I was skipping school just to finish up this application, believing it would make me a rich man and my future would be bright. I dreamt about my own big building with my name plate on it, sitting next to Bill Gates drinking coffee.
Every problem I faced was just a challenge to see how much I wanted to reach my goal!
What happened then really blew up in my face. The company was very excited about my application, so they offered me a good deal (at that moment, from a poor 16-year-old kid's point of view).
I got paid 2500€ for the application (jackpot!!) and an additional 500€ for handing over the rights to my application in a legal ownership agreement. Jackpot again! 500€ just for that? Count me in!
There I am, 16 years old with 3000€ in my pocket. But why did they want the ownership of my application anyway? It's just stupid lines of code, why on earth would someone pay me 500€ extra?
Well, it turns out the company commercialized my application using a license system. They've sold over 450.000 licenses in the past 15 years at 900€/year and it's still selling today in a more polished, up to date GUI version.
That could've been my income! There goes my dream of getting rich doing what I like most in life.
400.000.000€ yearly revenue. How could I not have seen this happening when they offered me 500€ extra?
I'll beat them at their own game - From outraged to security expert.
I had one main advantage over the company's IT department: the fact that I had written the code from scratch. Even though I spent an excessive amount of time on security, code will never be 100% failure-proof.
Around the time their userbase passed 100k customers, I sent them a highly detailed security report pointing out all the flaws their application suffered from.
When the initial transfer of the application was done, I was supposed to do the maintenance of this application and patch up the 'small flaws' still present at the time of delivery, since their priority was a working application first, patching small issues later. But with the transfer of ownership, this part of the agreement was no longer needed in their eyes. So don't think I deliberately implemented some bugs when reading this.
This time I outsmarted them at their own game. I had one condition to fix all the bugs, which mainly came from their IT department putting their own code on top of mine instead of altering the source.
"You'll send a mail with my name and contact details to every customer when notifying them of a downtime due to security maintenance."
Sure enough, after a couple of weeks, the first customer sent me an email regarding a security audit.
The game is on again!
Making some name and fame - Hacking my government.
Years passed by, evolving from a 16-year-old programming kiddie to a full-time security auditor/freelance programmer. I had a good amount of customers, enough to make a decent living. But then I woke up one day, still thinking about those missed millions, and that's when I decided to become known to the world.
When searching for some information on my government's website, I had already noticed there was an intranet login button, but I didn't really pay attention to it, until that one morning.
I ran some basic tests (well, basic to me anyway!) and discovered the webserver running on ASP.NET + SQL. ASP + SQL??? That's not even like leaving your front door key under the door mat, it's more like having just a front door standing up without walls to surround it.
Sure enough, I discovered a time-based SQL attack possibility after 15 minutes of testing. Well played, government. This is how you spend my tax dollars on security?
It took me about 4 hours of time-based attacks to reveal the password of our prime minister. After having the password, I felt like a fool since the password was "Belgium-we-love". It would have taken less time just to guess it :)
I've seen many intranets before, but the things our prime minister could do were beyond any logical expectation you have when thinking intranet.
The government's intranet was more like a nuclear command center. He had access to TOP SECRET level 0 documents, highly sensitive meeting reports, upcoming parliament votes and debates, half of Belgium's politicians', judges' and police officers' addresses and phone numbers, and much more information considered 'sensitive'.
I managed to access a dozen accounts just to prove this attack was not a lucky shot.
"Hello admin? I'd like to report a bug" - From testing to jail in under one week.
To be honest, I never intended to do any harm. I wanted to work for the government as a security auditor, and this felt like it was my golden ticket in.
So I did the obvious thing: report the bug along with some less sensitive data to the general email address of the government, due to the absence of any administrator mail on the site. Exciting! All I had to do was wait for an email to invite me for a job offer, right?
4 days later, the doorbell rings. I'm just sitting in front of my computer as my dad opens the door like he always does. Guess who? The SWAT team in true A-TEAM style (we love the A-team, admit it!) with weapons drawn, making lots of noise. When I look out the window I see my dad on the floor with a gun pointed at his head, not knowing what's happening since the only thing I see are masked guys in black clothes and 2 black cars in front.
I guess my job invitation just arrived?
Sure enough, the cops overpowered my parents and myself with brute force and violence. This all happens in seconds but trust me, you have no logical sense thinking 'Oh, these are cops, ok, I'll just lie down'.
I got cuffed and carried (literally) away in the back of the black car and brought to the police station, where I got charged with hacking, cyber criminality and terrorism accusations. All our computers got seized, every CD-ROM, every floppy, every printer, anything that was digital got seized, never to be seen again.
I was questioned and interrogated for over 20h straight before seeing a judge who sent me to jail in temporary custody. I spent 7 weeks in temporary custody before being released on probation.
Well, at least I made some name and fame now, didn't I?
Judged like a criminal, welcomed like a hero
I was given a 5-year probationary sentence with a dozen rules to abide by. Yet somehow, my 'work' impressed the IT guys that manage my country's websites and platforms.
I did get my job interview shortly after being sentenced as a cyber criminal, suspected of cyber terrorism.
However, I was so disgusted by my government that I refused the job offer.
Having millions of $$$ one mouseclick away but leaving them.
Cryptocurrency was a big game changer. All of a sudden my penetration testing objectives went from finding and protecting sensitive user data, to having millions of dollars just one mouseclick away.
It's needless to say that I surely had some doubts at some moments in the course of my penetration testing audits.
In 2014, I gained complete root access over a server hosting +8000 BTC. This server belonged to a big exchange that's still active and running to this day.
I've successfully exploited over 40 exchanges, found vulnerabilities on most web-based wallets running, including blockchain.info, detected malicious code in cryptocurrency sources, exploited ASIC miners so they could be operated from the outside world, got access to well over 1000 servers running wallets and pools, you name it, I've done it.
One thing I've never done so far is take even one cent for my own profit.
Every bug I find gets reported to the administrators, and a small public notice will be posted to make sure they'll get onto it.
Recently I found a bug on Steemit that could lead to a session hijacking. I've reported the issue along with a simple fix and posted a small notice to warn users about a potential security risk. I'm sure the administrators are working hard to fix this issue.
Alright, Mr. Morality, then why are you doing all this?
You see, I'm making my living being a security auditor/programmer. I'm not making millions, but enough to have a comfortable life. Even though I could pull off a perfect theft, stealing millions of dollars in Bitcoin, I find myself having enough arguments not to do so:
- I'd rather be named and famed than being blamed and shamed.
- The chase is better than the catch - I really love coding and finding bugs!
- I'm a strong believer in Karma. What comes around, goes around someday, somehow.
- I take more pride in getting a thank you and protecting thousands, than being selfish and having money
- I just really love what I'm doing!
Conclusion: Never be greedy in life and do what you've always wanted to do!
There's no price to set on happiness. I've walked a thin line, having millions of dollars at my disposal, but somehow I've always failed or refused to take that path.
Does this mean I'm simply a fool? Or maybe it means that this is the way my life was meant to be. Doing what I enjoy the most for the last 20 years of my life. Being happy. Good Karma.
I'm amongst the top 50 security experts in Europe, I've got to work on top notch projects, I've accessed data never meant to be seen, and I still get a rush when finding even the smallest security issue.
Now, that's how I wanted my life to become. To round up, I'm glad I took every step I've described in my story and would do exactly the same thing if I had a choice. All these events made me the man I am today instead of a 16-year-old kid that would've become a spoiled rich kid.
Even without all the dollars I've missed in life, I feel like the richest man on earth.
Thank you for reading my story! This post was split in 2 parts since I didn't have the time to write it in 1 post, but reading the comments on part 1 warmed my heart and so I finished part 2 already, and now created the full article :)
Keep on Steeming!