"If your system starts working better, chances are it's been hacked." The Story of a Black Hat Hacker
Dear readers! In this issue of the magazine, we’re publishing an unusual interview. Through this interview, we wanted to show you that there’s another world with different values and goals. In it, we tried to uncover some aspects of the life and work of a vulnerability and penetration specialist – the aspects of life of a ‘black hat’ hacker.
The editorial team of The Global Technology magazine promised to maintain complete anonymity for the participant of this interview, as behind this person from the Netherlands lies a real story of real life “on the other side”. This interview does not aim to popularize modern hacking and everything surrounding this term.
– Mr. Kott, why did you agree to this interview?
– To dispel some myths.
– For example?
– With the emergence of the first computers, the word “hacker” was used in a different sense. That was what they called the legendary bearded engineers who wrote the first programs and tinkered with computers, deriving great pleasure from it. In this sense, a “hacker” is closest to concepts like “geek” and “nerd.” And then we all turned in the wrong direction.
– Let’s start right away with the statement: “If your system starts working better, chances are it’s been hacked.” It seems that in hacking there is nothing inherently bad. Perhaps we are afraid for no reason of those who sit in dark hoodies in dark rooms. Is Kevin Mitnick himself the author of this phrase?
– Actually, I wouldn’t call this phrase a motto or a statement. Rather, it’s an observation backed by the statistics of any company. This phrase indicates that behind any hack are fundamental people with fundamental knowledge who can elegantly solve what the entire security department and other specialists couldn’t.
You see, when a new marketer joins your company, they first conduct an audit, then point out growth areas, and you agree that the old systems need to be reevaluated, overhauled, and much more. It’s worth simply hacking them and then you can see many things in your company from a different perspective.
– An interesting comparison. But we don’t call the marketer a hacker.
– Because everything he does is transparent and he consults with you. If a marketer goes where he doesn’t have access, accidentally or intentionally, he becomes a hacker.
– If the marketer steals part of important information that doesn’t belong to him, he becomes a criminal.
– We don’t always use lawful methods in our work, that’s true.
– You mentioned “in our work.” Is hacking into other systems for ransom or information extraction considered work?
– When I receive an order for hacking and get paid for it, it becomes work.
– So, you don’t personally gain anything from the hack?
– Personally, no. I write a specific script, hand it over to certain people, and accompany it with certain instructions. That’s all.
– Let’s imagine this scenario. A certain number of people attend programming courses, and from this group, some choose the path of creation, while others choose the completely opposite path and become hackers. Why does this happen?
– Roughly speaking, I got into hacking long before these courses appeared. I got into it at a time when there were no materials freely available, there was nothing. I started like most teenagers who, by the way, didn’t become hackers or programmers later. I would download a game to my PC, and if it seemed boring to me, I’d hack it and start my own game within that game. I can’t say that back then I decided to dedicate my life to hacking; I was just curious. Choosing the dark side is like choosing a superpower. Would anyone voluntarily give up a third eye that helps them see what others can’t, or the ability to read minds? At the moment, my superpower is seeing more than others, and it was my choice.
– But to choose a superpower, you don’t necessarily have to become a hacker.
– I completely agree with you. For example, you’re good at writing, something I’m not good at.
– Mr. Kott, what are your limits? Are there any limits to your activities at all? What kind of work would you refuse, regardless of the amount offered?
– I’m glad you asked me that. I have no intention of saying in this interview that hacking is a good thing; people just tend to be biased against us. No, every hacker understands perfectly well what they’re doing. But let’s talk about limits. In 2020, for the first time in Düsseldorf, a person died from a cyberattack because, according to the official version, hackers targeted the wrong object. I wouldn’t endanger someone else’s life. I would never get involved with drugs, violence against people, or terrorism. Besides, hackers don’t just hack; sometimes I’m asked to simply disable something.
– Describe your day. A typical hacker’s day.
– It all starts with reconnaissance. Passive reconnaissance, where I gather as much information as possible. If it’s a major company, I make a copy of their website using special tools for mirroring websites, so I can study them offline. This is done so that no one sees that the website is being studied. I check emails, use Google dorks – one way to view forgotten queries on websites. Then comes active reconnaissance – scanning ports, scanning networks, scanning software banners, mapping network topology to find out where the firewalls are, where the mail servers are. Then I try to attack.
– Do you gather information about your clients?
– Almost always.
– Mr. Kott, we’re probably going to ask you the most frequently asked question now. What can be hacked?
– Absolutely everything can be hacked. The theory of information security states that there are no systems that cannot be hacked. A system is considered secure if hacking it costs more than the information it stores.
– Has there been any hack or attack in your practice that you feel ashamed of?
– No. It’s just the same process. I’m just doing something.
– Nowadays, social media platforms don’t even hide that they collect a lot of data about their users, even data that users aren’t aware of and therefore don’t consent to. Can this be considered hacking, or should it be considered espionage?
– I would consider it as a fee for using the platform and for communicating with the whole world.
– But is there any information on how often this data leaks into the hands of those who conduct passive or active reconnaissance?
– Often.
– Mr. Kott, do you use social media yourself?
– I do. And I use all systems that can be hacked.
– There’s another question we can’t skip. You have an interesting nickname, possibly deliberately chosen for our conversation. What does it mean?
– You know the expression: why does a cat lick its balls? “Because he can.” This is shorthand for the programming language most commonly used for making mobile applications.
– Could you please give our readers a technology on how to avoid data theft?
– There’s no such technology. They don’t hack you personally, they hack the system where your data is. Unless… never link one email to all your online registrations and always take responsibility for your own security.