How I became an… ethical hacker

With cybersecurity risk on the rise, savvy organisations should use ethical hackers to keep themselves safe. But how do you become one?

Tommy DeVoss is obsessed with computers. His first interaction with the internet, when he was nine, launched a lifelong fascination which would lead him to spend nearly five years in federal prison before becoming a white-hat hacker who has earned more than $2m (£1.65m) in bug bounty payouts. 

Hackers fall into three categories: black hat, white hat, and grey hat. The black hats are cybercriminals, out for financial gain, revenge or simply to cause trouble. White hats exploit systems on behalf of companies, so they can identify and fix vulnerabilities. Grey hats tread the line between the two as they may hack illegally to uncover security issues which they offer to share with companies in exchange for a fee. 

The name comes from old Western movies, where viewers could tell the “goodies” from the “baddies” based on the colour of their headgear. Real black hats, however, are much harder to identify. And, it turns out, it can be fairly easy to become one. 

A hacker’s story

In 1993, DeVoss’s cousin and next-door neighbour got a dial-up internet connection. The developer who installed it also set them up with a chat programme. “I spent time hanging out in different chatrooms, just like any other young boy, looking for girls to talk to and making friends. And then one day I accidentally joined the wrong chatroom,” he recalls. 

The room DeVoss stumbled into turned out to be the domain of a prolific hacker who went by the alias Deez Nuts, or DZ. DeVoss was fascinated. He hung out in the chatroom waiting for others to join, then started asking lots of questions. This, it turned out, was a bad move when it came to getting into the good books of a 1990s hacker. 

“He kept banning me from the chatroom. Back then, every hacker was considered bad, so they were all paranoid, worried that anyone they didn’t know asking questions was a fed [member of the FBI] trying to get them in trouble,” he says.

Eventually, though, persistence paid off and DZ took DeVoss under his wing, sending him to Google to learn everything there was to know about hacking and setting him exercises to test his skills. Soon, DeVoss was breaking into the sites of major Fortune 500 companies and, occasionally, secure government systems. 

“The stuff I did as a black hat was almost never financially motivated. I was never trying to hurt people. I was just doing it out of curiosity,” he says.

Unfortunately, the federal police didn’t see it that way and, around the year 2000, DeVoss’s house was raided for the first time. As a minor, he received a slap on the wrist and a warning to stay away from computers, but it was impossible. He was hooked. 

“For me, computers are like an addiction,” he says. “I have ADHD so I tend to get obsessive over things and then lose interest when I become the best at it, but I always come back to hacking because I can never learn all there is to know about computer security. I can never hack every system, find every bug. I can never stop learning.”

As a result, DeVoss ended up spending almost five years in federal prison, on and off, for hacking. Over the course of his court appearances, he was brought in front of the same judge three times; the judge eventually told him “that if I was ever in his courtroom again for a computer crime, he was going to give me life in prison. I was never willing to go down the illegal route again.”

After his final prison stint, which ended in November 2010, DeVoss got a job as a system admin for a tech startup in Richmond, Virginia, and avoided hacking until 2014. Around this time, he heard of HackerOne, a vulnerability coordination and bug bounty platform that connects organisations with penetration testers and cybersecurity experts.

“It looked too good to be true,” he says. “Companies were going to allow me to hack them and pay me for finding vulnerabilities? The risk versus reward was too high.” 

But over the next two years, DeVoss began to hear more about white-hat hacking and the work people were doing for HackerOne. Curiosity won and he started poking around on Yahoo, looking for vulnerabilities in its systems. In March 2016, he got his first payout. “They gave me a $300 bounty because a bug I found was disclosing sensitive information.” Since then, he has become only the sixth person on the platform to pass the $1m bounty mark.

Hackers can be a positive force for business

Demand for skills like DeVoss’s is set to rise. Global CEOs named cyber risks as the top threat to their business in 2022, according to a survey by PwC, while Deloitte found that 25% believe cyber attacks will disrupt the next 12 months of their business strategy. Gartner research shows that 88% of CEOs now see cybersecurity as a business risk, not merely a technology one. It’s never been a better time to be an ethical hacker.

“The past decade has changed the public’s perception of hackers,” says DeVoss. “Every business should use the skills of the white-hat community. If a business is only pen testing once a year and bolstering security for compliance, it isn’t ready at all. It’s been proven that the systems of many companies, governments and other institutions would have been way less secure without ethical hackers.” 

He doesn’t think organisations will ever be able to beat those who are intent on hacking them. But he does believe that ethical hackers can help to level the playing field and teach organisations how to shore up their security proactively. 

“The ‘good guys’ may keep up with black hats but will never get ahead of them. Cybercriminals are solely concerned with money and, especially when you’re dealing with state-backed groups, they can fear for their lives if they don’t get an attack right,” he says.

This higher level of motivation drives innovation too; cybercriminals are always working on finding the next vulnerability. “As soon as one thing stops working, the black hats are already working on the next thing.”

So, what does someone need to become a great ethical hacker? At its simplest level you need hacking skills and… a strong sense of ethics. Although lots of black hats do cross over to the white side, many companies still see employing a hacker with a history of cybercrime as too much of a risk. Regardless of this, there are certain factors any hacker will need to be successful in finding vulnerabilities. 

“Ethical hackers require research skills and time – and lots of it. I believe that anyone can learn to hack if they can put in the effort,” says DeVoss. “Some people see the money that can be made from hacking and think they can jump in and start hacking to make a profit. But most of us have been hacking for decades and the money didn’t start generating straight away. Successful white-hat hackers are patient and willing to fail.”

They are also willing to learn, he adds, thinking back to his early days in the chatroom with DZ. “I wanted to learn all this stuff and I was willing to put in the effort. So, after a while, he just decided I was worth teaching.” 

It appears there is money to be made and businesses to help for the next generation of computer enthusiasts. All they need is curiosity, patience and, perhaps, a mentor like Tommy DeVoss. 
