In his own words: Confessions of a cyber warrior

A longtime friend working as a cyber warrior under contract to the U.S. government provides a glimpse of the front lines

1 2 3 4 Page 3
Page 3 of 4

Grimes: Explain.

Cyber warrior: They had thousands of people just like me. They had the best computers. They had multiple supercomputers. They had water-cooled computers running around on handtrucks like you would rent library books. The guys that interviewed me were definitely smarter than I was. I went from always being the smartest guy wherever I worked to being just one of the regular coworkers. It didn't hurt my ego. It excited me. I always want to learn more.

Grimes: What happened after you got hired?

Cyber warrior: I immediately went to work. Basically they sent me a list of software they needed me to hack. I would hack the software and create buffer overflow exploits. I was pretty good at this. There wasn't a piece of software I couldn't break. It's not hard. Most of the software written in the world has a bug every three to five lines of code. It isn't like you have to be a supergenius to find bugs.

But I quickly went from writing individual buffer overflows to being assigned to make better fuzzers. You and I have talked about this before. The fuzzers were far faster at finding bugs than I was. What they didn't do well is recognize the difference between a bug and an exploitable bug or recognize an exploitable bug from one that could be weaponized or widely used. My first few years all I did was write better fuzzing modules.

Grimes: How many exploits does your unit have access to?

Cyber warrior: Literally tens of thousands -- it's more than that. We have tens of thousands of ready-to-use bugs in single applications, single operating systems.

Grimes: Is most of it zero-days?

Cyber warrior: It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.

Grimes: What do you like hacking now?

Cyber warrior: Funny enough, it's a lot of wireless stuff again: public equipment that everyone uses, plus a lot of military stuff that the general public knows nothing about. It's mostly hardware and controller hacking. But even that equipment is easy to exploit.

Grimes: Does your team sometimes do illegal things?

Cyber warrior: Not that I know of. We get trained in what we can and can't do. If we do something illegal, it's not on purpose. Well, I can't speak for everyone or every team, but I can tell you the thousands of people I work with will not do anything intentionally illegal. I'm sure it happens, but if it happens, it's by mistake. For instance, I know we accidentally intercepted some government official's conversations one day, someone high-level. We had to report it to our supervisors and erase the digital recordings, plus put that track on our red filter list.

Grimes: You say you don't do anything illegal, but our federal laws distinctly say what we cannot offensively hack other nations. And we are hacking other nations.

Cyber warrior: They say we can't hack other nations without oversight. John Q. Public and John Q. Corporation can't hack other nations, but our units operate under laws that make what we are doing not illegal.

1 2 3 4 Page 3
Page 3 of 4
7 hot cybersecurity trends (and 2 going cold)