There is a lot of money to be made on the black market for a limited amount of effort. This has created a war over the minds and allegiances of tomorrow’s tech innovators.
A recent report from Juniper Networks and the RAND Corporation found cybercriminals, also referred to as Black Hats, can earn high salaries. In fact, some suggest that the cyber black market could be more profitable than the illegal drug trade.
In addition to the possibility of high wages comes a very low risk of getting caught. People robbing a physical bank or selling drugs run a very high risk of being apprehended red-handed, whereas Black Hats can steal countless pieces of valuable information behind the protection of their computer screens.
Q: With so much to gain and so little to lose, why would someone choose to do good and become a security researcher, or White Hat?
Kyle: The growth of the security industry is one, creating a demand for would-be attackers using their skills for good. There is also a moral and financial incentive to do the right thing. But there are ultimately a number of reasons why those with this technical aptitude decide to navigate through the ethical route to hacking.
Q: What inspired you to become a security researcher?
Kyle: As someone who thoroughly enjoys breaking into secure systems and software, and forcing them to do things they weren’t meant to do, becoming a security researcher was an obvious choice for me. The downfall with such a hobby is that in most cases, it wouldn’t be legal to engage in. This cripples your options dramatically. For example, I may see an interesting target which looks vulnerable and could likely be compromised, but ethically, I cannot pursue the challenge. Even though my intentions are always good, “practice” attacks like that would likely be received poorly and expose me to legal problems I have no interest in encountering. As a security researcher, I get to do what I love to do without incurring any legal consequences. In the end, you either use it, or you lose it.
Q: What incentivized you to stay on the right path?
Kyle: Using my experience and skill to commit crimes has never really been a viable option for me. It’s a very lucrative endeavor, but it just doesn’t sit well. After watching the hacking world evolve, seeing the large attacks, and fully understanding the intended and unintended consequences, I have a serious appreciation for the unseen damage a relatively trivial attack can generate.
For example, many years ago I stumbled across a forum where an attacker was boasting about successfully defacing a major corporate website. It was funny, I have to admit. They were clever and posted a very humorous message. I figured that was it. The company cleaned up its website, fixed the hole, and life went on as usual (albeit with a little lingering embarrassment). Later on, however, I also stumbled across a forum where some of the employees responsible for the site’s security posted about the aftermath. It turned out fixing the website involved pursuing legal action against the outsourced team that built the app, several jobs were lost, and the company suffered financial setbacks. So in short, the hacker who had a few hours of fun and gained a little notoriety with fellow hackers ended up severely impacting the lives of dozens of hard-working professionals.
The stakes change a little when you talk about extracting large sums of money during the attack vs. a simple defacement, but the collateral damage is unacceptable in my book. These are good people, possibly neighbors, friends and family. There is no such thing as a victimless crime; the victims are just not always so obvious.
Aside from that, I’m proud of my professional accomplishments and enjoy openly sharing them with those who are interested. A life of crime also requires a life of secrecy and under-appreciation, at least in the physical world.
Q: What temptations popped up that could have led you down the Black Hat path?
Kyle: There have been many times where I saw an opportunity to compromise a target and extract large sums of money. These days, and with the right experience, it’s nearly impossible to use the Internet without such an opportunity presenting itself during regular legitimate surfing. The numbers are where things get interesting.
For example, I came across an extremely large site a few years ago with a blatantly obvious vulnerability to XSS. Not just a little XSS hole in some random page, but an XSS hole that was exploitable on literally every single page of the application. This site also actively took orders from its customers. Even better, I knew there was a customer list available for this specific company via a shady marketing firm. This meant that with a few hours of effort, I could have phished a huge percentage of their customer base and collected their financial information for black-market resale.
Selling those records would have yielded many tens of thousands of dollars. So you have to ask yourself, do you disclose the vulnerability and be the silent hero, or do you exploit the vulnerability, make $40K+ in an afternoon, and be the notorious villain? It’s a question that ethics has to drive because the chances of getting caught are extremely low. You would likely come out clean regardless of which road you take. It’s an easy decision for me, as I have zero interest in excelling in life through the misfortune of others. Did I mention that I’m also an Eagle Scout?
Q: What is your advice to the next generation of security researchers as they weigh the White Hat vs. Black Hat decision?
Kyle: It shouldn’t be a decision. If you are ok with hurting people, I likely won’t be able to persuade you to follow the White Hat trail. If hurting people is off the table, and you’re still struggling with this choice, it’s just a matter of lack of experience. Dig in, see how bad these attacks get, who is impacted, what ripple effects are generated, and how long and how far they reach. Most importantly, remember, the Internet is a large collection of bits flying around the world and constantly evolving, but behind those bits are real lives, some of which you may know and be close with.
Q: What opportunities are available to would-be hackers?
Kyle: If you enjoy security, breaking into systems, manipulating software, and so forth, and you want to do good, not harm, then enter the world of a security researcher. You’ll learn a lot, see some really cool things, meet some amazing people, and generally just feel good about your work. While it doesn’t pay like a massive illegal corporate breach, the money is competitive and it’s definitely more socially and emotionally rewarding. Another bonus: you don’t have to spend your retirement in prison!
Kyle Adams is the chief software architect of Junos WebApp Secure at Juniper Networks, where he is responsible for designing and implementing many of the attacker-detection techniques and countermeasures used within the product. Prior to Juniper, Adams served as the chief software architect and R&D manager at Mykonos Software. Before joining Mykonos, he worked as a software engineer and architect at BlueTie. He holds a bachelor’s degree in computer science from the Rochester Institute of Technology, as well as a minor in criminal justice.