Hi, I'm Steve, professional penetration tester/security expert. This is my success story [Part 2]

Making some name and fame - Hacking my government.

This article follows on part 1 https://steemit.com/introduceyourself/@steve-walschot/hi-i-m-steve-professional-penetration-tester-security-expert-hacking-the-web-24-7-for-your-security-part-1

Years passed by, evolving from a 16yr old programming kiddie to a full-time security auditor/freelance programmer. I've had a good amount of customers, enough to make a decent living. But then I woke up one day, still thinking about those missed millions, and that's when I decided to become known to the world.

When searching for some information on my government's website, I'd already noticed there was an intranet login button but I didn't really pay attention to it, until that one morning.

I ran some basic tests (well, basic to me anyway!) and discovered the webserver running on ASP.NET + SQL. ASP + SQL??? That's not even like leaving your front door key under the doormat, it's more like having just a front door standing up without walls to surround it.

Sure enough, I discovered a time-based SQL attack possibility after 15 minutes of testing. Well played, government. This is how you spend my tax dollars on security?

It took me about 4 hours of time-based attacks to reveal the password of our prime minister. After having the password, I felt like a fool since the password was "Belgium-we-love". It would have taken less time just to guess it :)

I've seen many intranets before, but the things our prime minister could do were beyond any logical expectation you have when thinking intranet.

The government's intranet was more like a nuclear command center. He had access to TOP SECRET level 0 documents, highly sensitive meeting reports, upcoming parliament votes and debates, half of Belgium's politicians', judges' and police officers' addresses and phone numbers, and much more information considered 'sensitive'.

I managed to access a dozen accounts just to prove this attack was not a lucky shot.


"Hello admin? I'd like to report a bug" - From testing to jail in under one week.

To be honest, I never intended to do any harm. I wanted to work for the government as a security auditor, and this felt like it was my golden ticket in.

So I did the obvious thing: report the bug along with some less sensitive data to the general email address of the government, due to the absence of any administrator mail on the site. Exciting! All I had to do was wait for an email to invite me for a job offer, right?

4 days later goes the doorbell. I'm just sitting in front of my computer as my dad opens the door like he always does. Guess who? The SWAT team in true A-TEAM style (we love the A-team, admit it!) with pulled weapons, making lots of noise. When I look out the window I see my dad on the floor with a gun pointed at his head, not knowing what's happening since the only thing I see are masked guys in black clothes and 2 black cars in front.

I guess my job invitation just arrived?

Sure enough, the cops overpowered my parents and myself with brute force and violence. This all happens in seconds but trust me, you have no logical sense thinking 'Oh, these are cops, ok, I'll just lie down'.

I got cuffed and carried (literally) away in the back of the black car and brought to the police station where I got charged with hacking, cyber criminality and terrorism accusations. All our computers got seized, every CD-ROM, every floppy, every printer, anything that was digital got seized, never to be seen again.

I was questioned and interrogated for over 20h straight before seeing a judge who sent me to jail in temporary custody. I spent 7 weeks in temporary custody before being released on probation.

Well, at least I made some name and fame now, didn't I?


Judged like a criminal, welcomed like a hero


I was sentenced to 5 years' probation with a dozen rules to abide by. Yet somehow, my 'work' impressed the IT guys that manage my country's websites and platforms.

I did get my job interview shortly after being sentenced as a cyber criminal, suspected of cyber terrorism.

However, I was so disgusted by my government that I refused the job offer.


Having millions of $$$ one mouse click away but leaving them.

Cryptocurrency was a big game changer. All of a sudden my penetration testing objectives went from finding and protecting sensitive user data, to having millions of dollars just one mouse click away.

Needless to say, I surely had some doubts at some moments in the course of my penetration testing audits.

In 2014, I gained complete root access over a server hosting +8000 BTC. This server belonged to a big exchange that's still active and running to this day.

I've successfully exploited over 40 exchanges, found vulnerabilities on most web-based wallets running, including blockchain.info, detected malicious code in cryptocurrency sources, exploited ASIC miners so they could be operated from the outside world, got access to well over 1000 servers running wallets and pools, you name it, I've done it.

One thing I've never done so far is take even one cent for my own profit.

Every bug I find gets reported to the administrators, and a small public notice will be posted to make sure they'll get onto it.

Recently I found a bug on Steemit that could lead to session hijacking. I've reported the issue along with a simple fix and posted a small notice to warn users about a potential security risk. I'm sure the administrators are working hard to fix this issue.

https://steemit.com/steem/@steve-walschot/security-bug-steemit-vulerable-to-session-hijacking


All right, Mr. Morality, then why are you doing all this?

You see, I'm making my living being a security auditor/programmer. I'm not making millions, but enough to have a comfortable life. Even though I could pull off a perfect theft, stealing millions of dollars in Bitcoin, I find myself having enough arguments not to do so:

  • I'd rather be named and famed than being blamed and shamed.
  • The chase is better than the catch - I really love coding and finding bugs!
  • I'm a strong believer of Karma. What comes around, goes around some day, some how.
  • I take more pride in getting a thank you and protecting thousands, than being selfish and having money.
  • I just really love what I'm doing!


Conclusion: Never be greedy in life and do what you've always wanted to do!

There's no price to set on happiness. I've walked a thin line on having millions of dollars at my disposal, but somehow I've always failed or refused to take that path.

Does this mean I'm simply a fool? Or maybe it means that this is the way my life was meant to be. Doing what I enjoy the most for the last 20 years of my life. Being happy. Good Karma.

I'm amongst the top 50 security experts in Europe, I've got to work on top-notch projects, I've accessed data never meant to be seen, and I still get a rush when finding even the smallest security issue.

Now, that's how I wanted my life to become. To round up, I'm glad I took every step I've described in my story and would do exactly the same thing if I had a choice. All these events made me the man I am today instead of a 16yr old kid that would've become a spoiled rich kid.

Even without all the dollars I've missed in life, I feel like the richest man on earth.


Thank you for reading my story! This post was split in 2 parts since I didn't have the time to write it in 1 post, but reading the comments on part 1 warmed my heart and so I finished part 2 already :)


Keep on Steeming!



Sorry you don't have more comments - this is brilliant. I shared it on my Facebook and Twitter. I hope to follow your blog when the FOLLOW button works; for now, you're on my browser FAV list. Keep in touch!! I used to rock QBasic back in the day (age 7?) and cracking simple Unix systems was a hobby.

Thanks again Wang
