Yesterday I reported the news of the return of one of the most popular hacker, Ghost Shell who exposed data from 32 companies and launched a new campaign to punish negligent network administrators.
Who is GhostShell? It is too simple to label it as a hacker or hacktivist … I decided to go behind the scene and reach him for an interview. … I decided to go behind the scene and reach him for an interview.
I believe it is important to understand the thoughts and opinion of talented minds like GhostShell. Hackers have their codes, their experiences, their growth paths, knowledge of which is crucial for people who actually live cyber security.
Let me thank GhostShell for his availability, I really appreciated it.
Enjoy the Interview!
What are your motivations? Why do you hack?
I have plenty of reasons for hacking. For starters I’m a hacktivist so my public hacks and leaks are politically
motivated. The reasons vary for each of them. In the past they’ve been focused on topics such as the educational sector or the abuse of governments towards its people in places like Russia or China. Other times they were more aimed at the authorities in the US for arresting other fellow hackers across the world. Or even widespread corruption in other parts of the world, like Africa.
Behind the scene, I take pleasure in exploring the internet without any restrictions or anyone judging me for it.
To be able to explore any part of this new and ever-changing world to your heart’s desire gives you a brief taste of true freedom. Like a cold breeze in a hot summer day, short but memorable.
What is your technical background and are you an IT professional?
Can’t really say that I have an official (technical) background in this industry. Everything that I know or can do I’ve studied and learned on my own. In fact, when I first appeared on the scene, it was just me with a twitter account and zero followers. I literally had no friends or contacts. The reason why I even bring this up is to prove that you don’t need any sort of professional help from a private class course or governmental training to learn about cybersecurity. Anyone with a bit of curiosity and determination can pursue any topic out there associated with this field.
Some of the topics that I have been attracted to over the years have ranged from general pen testing, general programming in various languages, cryptology – cryptography although with a bigger focus on cryptanalysis, since code breakers are almost non-existent nowadays. Infiltrating and extracting private data is one thing but what happens when you stumble upon encrypted data? Being a regular MD5 password cracker with rainbow tables just doesn’t cut it anymore. Hackers have to evolve and adapt in parallel with this ever-changing environment.
As an exclusive tidbit of information that I would like to share is that I have a presence in plenty of other industries, not just this one. I have been a game developer for years, both as a game programmer and designer. Or a theory hardware hacker in robotics, mostly engaged in breadboard simulation and light programming. But also involved in other non-IT industries.
I cannot really mention more or even go into too many details. As mentioned before, earlier this year in my outing, the moment you release any sort of private information about yourself or others it no longer becomes yours but everyone else’s. However, if there’s someone out there interested in cybersecurity and wants to learn how to pen test then they should start by looking up every single tutorial on the open net.
Most of the information, exploits, step-by-step tutorials can all be found online. Places like OWASP are pretty cool for beginners to read more on the different types of attacks out there and pretty much every source of freely available information, from blogs to online videos, can help tremendously, especially when you’re a newcomer.
Newcomers should never feel discouraged in their pursuit for knowledge. Regardless of what any and every paid troll or ignorant researcher may label us as, take pride in the knowledge you have accumulated so far and make way to acquire even more. For me, when it comes to cybersecurity, hacking is basically coding and security testing. People, especially outsiders or the usual upper-class middle-aged men from the west that are part of this industry, are too bent on name branding everything/everyone and micromanaging the cultural aspect of things. My only advice to them would be less judging, more security testing.
What was your greatest challenge?
My greatest challenge for me was holding back from the systematic destruction of every single person from the industry working on my case. This started back at the beginning of 2013 when I took my first break because of them and has lasted up until this very day. I have been aware of the people assigned to my case since the start, from the federal agents to the private companies aiding them. In 2013, I was prepared to leak all their identities and point fingers at all the exact honeypots from the scene where hackers are herded and actively entrapped, but I held back.
To put someone’s identity and life on display for the world to judge and critique while you laugh at their own misfortune is something that the authorities do for a living.
I wasn’t about to become the same medieval animal as them.
What was your greatest hacking challenge?
I don’t really have a specific target in mind but I’m pretty sure that the most difficult and equally irritating cyberspace for me was South Africa’s slow connections, poorly configured encodings on the site, and overall tricky measures incorporated into their systems made my campaign there one of the worst hacker experiences I’ve ever had.
I suppose that’s me complimenting their cyberspace since they made me feel like I was stuck in quicksand while pen testing their domains. Props.
Another challenging territory to attack is China. The slow connections play a huge role here as well, add to that the new and unique encodings never seen before in western networks all the while you’re trying to map out a hermit cyberspace that houses a solid population of over 500 million netizens and you end up with quite a handful of things to worry about. There are more than half a billion users there but realistically how many people on Twitter can name at least 10 websites from mainland China? The ignorance and lack of information in the west will one day end up in our own downfall.
What scares you the most on the internet?
People. People scare me. Especially those with even a shred of power at their disposal that are incapable of suppressing their urges from abusing it.
I have the knowledge to make and break this digital reality yet you don’t see me actively taking down websites, altering server data or leaking compromising information about any individual such as up to date banking information or private medical records. Even in this recent leak dubbed Light Hacktivism where I’ve strayed a bit away from that, the few examples given were either outdated/expired credentials or redacted medical data that had nothing to do in general with a patient but with the establishment itself. That’s a courtesy that you don’t see all too often around here, considering how a lot of this information is available en mass on the internet, unprotected for anyone to see.
I can’t claim all the higher moral ground here either since I also have my faults and failures but they don’t even come close to those of grown ass men working for or with governments to both surveil and entrap children and young people. It makes me sick to my stomach to witness federal agencies parading around 15 year olds through the press, branding them criminals or terrorists simply because they were curious to test a network’s security or naive enough to fall into another one of the usual generic entrapments.
What would you change about the cybersecurity industry and why?
You mean apart from the medieval practices of using children and young people as escape goats for an industry that basically exploits them? How many times have we seen news about the end of days on the internet?
Companies overreacting to our hacks while peddling their own broken products, the feds entrapping us with whatever is politically trendy, all the while the bystanders sit on the fence calling us criminals or terrorists that need to be put behind bars.
If I had to pick a set of topics that need everyone’s attention in the near future, it would be these:
How many women do you know that are hackers or pen testers? What about as networking architects? Data mining experts?
Hacktivists? If anyone out there can name 5 of them from each of those categories then you’ve just won the internet but if you can’t even name 1 or 2 without looking it up then you know we have a problem. A diverse industry leads to a diverse set of ideas, which leads to more innovative creations. That much is a no brainer to anyone. Let’s try to make a change for the better. Together.
A serious talk about the future of cybersecurity. And here I mean less the software and more the people. Because at the end of the day the people are the ones that make up the industry. We should talk more often about the sensitive problems we’re facing, like drugs abuse or alcohol. We have been pointing it out in the past but we never really came to any conclusion. Can we do something about it? Can we help prevent hackers and security professionals from becoming drug addicts or alcoholics? Maybe we need a support group for them. Maybe we need to stop being so judgmental and more understanding when bringing up the subject. Maybe that’s how we prevent certain disasters.
Maybe it’s all linked to those three other points above.
Why did you agree to this interview? You’re usually reserved in giving them so why give one now?
Because I respect you as a journalist. You’re one of the original team of independent people that have reported on the hacker scene since before I even arrived. You’ve reported on my projects and activities from the very beginning and I wanted to thank you for it. Same goes for all the other infosecurity enthusiast. You guys have no idea how amazing it is to have journalists that report on our activities while sitting at the same level as us. It helps bridge that gap between hacker and journalist. After the Hacker Team journo list was formed I thought things were going to change and some hacker activities obfuscated but I’m glad that things have remained the same.
We all need down-to-earth journalists that can do their job of reporting on real-time news and for that I’m thankful.
[adrotate banner=”9″]
(Security Affairs – GhostShell, hacking)