By Roel van Rijsewijk
Inspiring conversations with Rickey Gevers
This time at my kitchen table a conversation with Rickey Gevers, perhaps Holland’s best-known hacker among the general public. Nowadays he helps organizations respond to cyber-attacks, what we call ‘incident response’. Not a very predictable job, so the conversation was a bit hard to schedule. A conversation about ‘hacking’: using systems in ways they were not intended for. And then the tricky boundaries of what is and what isn’t allowed, with or without the best of intentions. A difficult issue that has dominated the discussion since the emergence of this phenomenon, especially now that all kinds of critical infrastructure such as trains, locks, traffic lights and chemical factories can also be hacked.
He owes his fame to the fact that a young Rickey had the dubious honor of being the first Dutchman ever arrested for a hack. Of course I want to know more about that, but first I want to explain to the reader what a hacker actually is.
What is a hacker?
‘A person who uses computers to gain unauthorized access to data’, I read in the dictionary. However, this is not always done with the intention of obtaining information illegally; usually it is to demonstrate that the network is insufficiently secured. In my opinion this definition does not do justice to the skills, ingenuity and creativity of hackers. For me, the most beautiful definition is still the one Bruce Schneier uses in his book ‘Secrets and Lies’:
“A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.”
Curious, that is an accurate description of the person who has taken a seat at my kitchen table. With a permanent smile and a twinkle in his eye he looks at me with an open mind, curious about what I want to talk to him about. I can imagine that he is pretty much done talking about the one time he was caught. Yet I start talking about it and he doesn’t seem to mind telling the story for the millionth time.
“I helped them for free, they should be thanking me!”
Looking at the edge
“Did you deliberately cross the line at that time?”, I want to know.
“I intentionally crossed a line at the time but back then those were not things you could be arrested for,” he begins. “The first time you are aware, the second time a little less so, and after that you don’t really think about it anymore. Never in my life have I done something for personal gain, violated people’s privacy or broken systems.”
And then he explains his motivation, which is close to Bruce Schneier’s definition.
“At the time I was mostly concerned with the technical challenge: what kind of system is this and can I hack it? And once I was in, other hackers were going to systematically remove it and make it more secure,” he explains. “So yeah, I didn’t feel like I was doing anything wrong. I helped them for free, they should be thanking me!”
He waits a few moments. “At least that’s how I have white-washed it in my head,” he adds, laughing.
“So, you actually had the best intentions and it wasn’t illegal yet,” I nod understandingly, “but then why were you arrested?” Which still feels like an impertinent question.
What happens if you don’t follow the rules
Again, Rickey doesn’t seem to find it embarrassing, quite the opposite. “That was for hacking the University of Michigan. I had managed to get access to several terabytes of disk space there, which was an incredible amount at the time. I used that for downloading movies and such. Apparently, they have an excellent Computer Science program there, because I was discovered by a number of students at the time. I had obtained admin rights for myself.”
“You mean you were some kind of God in the network?”, I try to disguise my lack of technical knowledge.
“Yes, I had access to absolutely everything, so also the student administration with sensitive data like Social Security Numbers. I had no idea, but it was taken quite seriously because of that. They put an entire team of students on it to investigate it forensically. At the time, I really didn’t think it was necessary to use a proxy server or whatever, and so they ended up finding out my email and home address as well. They probably then determined that I hadn’t done that much harm. They eventually turned the file over to the FBI, who shoved it in a closet; prosecuting someone who’s in the Netherlands for computer hacking wasn’t a priority at the time. Case closed.”
He pauses for effect.
“And then the High Tech Crime Unit was created in the Netherlands. And this young team wanted to get to work. They asked the FBI if they had any nice cases to start with. Well, and then after 5 years (!) they picked up my old case from the shelf,” he shakes his head. “To sink their teeth into. They thought they had caught a really big guy.”
“How old were you then?”, I want to know.
“By then, I was studying computer science at the University of Applied Sciences in Amsterdam. I invested all my time and energy in my studies, so my clandestine hacking time was over. The irony lies in the fact that I had started the Security and Forensics minor exactly that day. They invaded my student room in the middle of the night and dragged me out of bed.”
“I’m sure you know what we’ve come for!” they said.
“Well, I had no idea; this was 5 years ago and I had stopped a long time ago.”
“I was 18 when I did it. I hacked a lot of systems during that time, I didn’t realize this was a skill. My nickname was ‘LanMan’, so to speak, the boss of the whole network (LAN = Local Area Network, ed.) because I was pretty good at getting domain admin rights. I think I managed this in half the universities in the Netherlands. In that time, it was quite normal to manage that in companies like banks.”
“And you were never afraid of getting caught?” I want to know.
“It turned out I was inside NASA.”
“No, not at all,” he says, and thinks for a moment. “Well, once I did! Then it turned out I was inside NASA. That gave me a bit of a fright. I thought, shit, you don’t want those people following you around. I wasn’t the only one, the place was full of hackers,” he laughs.
I want to know more about his motivation: are hackers indeed driven by curiosity?
“Yes, I did it mainly to learn from it. I wanted to be a digital detective.” And he bursts into laughter again. “To arrest digital crooks. And I felt I needed field knowledge for that and could learn from other hackers.”
“And you could get that through your education?”, I want to know.
“Well, partially. I think in my daily work I used 90% knowledge and skills that I taught myself and 10% from schooling. And that’s not surprising either, because I was really deep in the material and schooling in that subject is very broad.”
The grey area
Hackers are sometimes divided into three groups. The most notorious group are the so-called ‘black hat’ hackers. Black hat, like the bad guys from the old westerns. They have no authorization and bad intentions. In contrast are the white hats, or ethical hackers. They always have permission and are hired to improve your security. But the biggest group of all are the ‘grey hats’. These are hackers like the 18-year-old Rickey, who don’t have permission but don’t necessarily have bad intentions either.
The question is how you as a government and business should deal with this group. As Rickey’s story shows, you have to take into account that not everyone will be grateful for your work. If you discover that an organization somewhere does not have its security in order, should you report it? You can get into a lot of trouble if you do so. And you can also sell such a vulnerability for a lot of money on the black market. It seems that the straight path is not always the easiest one.
“The ‘silver bullet’ that makes you immune to cyber-attacks doesn’t exist.”
“Yes, during that time I did report to administrators where things were going wrong with their security,” Rickey responds. “The responses were 50/50. Sometimes positive and they took action. But also often very aggressive, like you shot them in the feathers. Threatening with the police. Very extreme. There was nothing in between. Then the leak wasn’t fixed either. At a certain point you think: all that effort for nothing, never mind.”
Today, most companies have what is called a Responsible Disclosure policy, also known as Coordinated Vulnerability Disclosure. In it, the organization explains how it deals with hackers who have found a way past its security and want to report it. The policy may well state that the company will always call in the police, but at least then you know what you’re getting into.
“Most mature companies have policies like this,” Rickey tells us. “And most of those who understand it, make it very easy for the hacker. They actually do something with the reports, learn from them and are grateful for it. Sometimes even with a reward.”
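A Responsible Disclosure policy is only useful to a finder who can locate it, which is why organizations publish the contact and policy link in a security.txt file (RFC 9116) under /.well-known/. The script below is an added example written for this article, not code from Rickey Gevers or from any company mentioned here: it parses a security.txt file and reports the mistakes that make a published policy unusable (no contact, a contact that is not a URI, an expired or missing Expires date). The two sample files, example.com, the addresses and the dates are constructed placeholders, and the check is run against a fixed reference date so its output is reproducible.

```python
"""Added example, not from the original article: check a security.txt file.

RFC 9116 defines /.well-known/security.txt as the standard place for an
organization to publish where and how to report a vulnerability, i.e. its
Responsible / Coordinated Vulnerability Disclosure contact and policy.
The two sample files below are constructed for this example; example.com
and the addresses and dates in them are placeholders.
"""
from datetime import datetime, timedelta, timezone

# Fields defined by RFC 9116. Contact and Expires are mandatory, the rest optional.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
# Contact must be a URI; this checker accepts the three schemes RFC 9116 shows.
ACCEPTED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

# Fixed clock so the check is reproducible (a real check uses the current time).
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample: a well-formed file.
SAMPLE_SECURITY_TXT = """\
# Coordinated vulnerability disclosure (placeholder values)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2030-01-01T00:00:00.000Z
Policy: https://example.com/responsible-disclosure
Preferred-Languages: en, nl
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample: the mistakes most often seen in published files.
BROKEN_SECURITY_TXT = """\
Contact: security@example.com
Expires: 2019-12-31T23:59:59.000Z
Preferred-Languages: en
Preferred-Languages: nl
This line is not a field at all
"""


def parse_security_txt(text):
    """Return ({field: [values...]}, [line numbers that are not 'Field: value'])."""
    fields, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are allowed
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            malformed.append(lineno)
            continue
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields, malformed


def validate_security_txt(text, now=None):
    """Return a list of (level, message); level is 'ERROR' or 'WARN'."""
    now = now or datetime.now(timezone.utc)
    fields, malformed = parse_security_txt(text)
    findings = [("ERROR", f"line {n}: not a 'Field: value' line") for n in malformed]

    contacts = fields.get("Contact", [])
    if not contacts:
        findings.append(("ERROR", "Contact is required: reporters have no way to reach you"))
    for contact in contacts:
        if not contact.startswith(ACCEPTED_CONTACT_SCHEMES):
            findings.append(("ERROR", f"Contact must be a mailto:, https:// or tel: URI: {contact}"))

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        findings.append(("ERROR", "exactly one Expires field is required"))
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            findings.append(("ERROR", f"Expires is not an ISO 8601 date-time: {expires[0]}"))
        else:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                findings.append(("ERROR", "file has expired; reporters must treat it as stale"))
            elif when - now > timedelta(days=365):
                findings.append(("WARN", "Expires is more than a year ahead (RFC 9116 recommends less)"))

    if len(fields.get("Preferred-Languages", [])) > 1:
        findings.append(("ERROR", "Preferred-Languages may appear only once"))
    for name in fields:
        if name not in KNOWN_FIELDS:
            findings.append(("WARN", f"unknown field {name!r} (extension fields are allowed)"))
    return findings


def is_valid(text, now=None):
    """True when the file has no ERROR findings."""
    return not any(level == "ERROR" for level, _ in validate_security_txt(text, now))


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_SECURITY_TXT), ("broken", BROKEN_SECURITY_TXT)):
        print(f"{label}: valid={is_valid(sample, REFERENCE_NOW)}")
        for level, message in validate_security_txt(sample, REFERENCE_NOW):
            print(f"  {level}: {message}")
```

Run against the good sample the checker reports only a warning that the expiry is more than a year out; the broken sample produces four errors, each of which would leave a finder unsure whether the policy is still in force or how to reach anyone at all.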
Responsible Disclosure in Industrial Control Systems
In this sense, the cowboy era in IT security seems to be behind us. The law is now quite clear about what is allowed, and even the gray area is regulated by a policy agreed between hacker and company. So I want to talk further about Operational Technology (OT), what we also call Industrial Control Systems. These are the systems that control production processes and infrastructure: the IT in the non-carpeted areas. They have now also become targets for hackers.
“To me, that seems like an attractive target for curious, young hackers?” I begin.
“Oh, definitely,” Rickey confirms. “Of course, there’s nothing as cool as taking over the matrix signs at Central Station. The boys and girls between 14 and 18 years old have all the time in the world, they are quite capable and their moral compass is still developing. Then they might just start messing around in all kinds of critical systems. Being tough in front of your friends is an incredibly strong motivation at that age, don’t underestimate that.”
I want to know how you should deal with this kind of hacking in this kind of environment, what your Responsible Disclosure policy should look like. When a website stops working because of a hack, that’s bad but in an OT environment it can be a disaster. Should you invite hackers to try something?
“Look, it’s just a law of nature: your system is just going to get hacked at some point. You may not want that, you do everything you can to prevent it but it’s going to happen anyway. Then you better deal with it the best you can when it happens. Maybe encouraging people to hack that kind of environment is indeed not a good idea. But if you’re confident enough, be open to it. Maybe at the moment a lot of infrastructure and production processes are not ready for it. But if you are confident in your systems, then I would say, bring it on!”
“It remains a huge dilemma, though,” I respond. “You don’t want to risk people’s lives because someone is snooping around in the systems of a nuclear power plant without permission. You may have things in order, but you don’t want to run that tiny risk either.”
He returns to his intrusion into NASA that he mentioned earlier. “Look, I wasn’t the only one and it was incredibly easy. An environment like that where nobody wants to be caught, where nothing is allowed to be tried, that’s where vulnerabilities persist. It doesn’t make things safer.”
It gets me thinking about human resilience. You have to be exposed to all sorts of viruses and bacteria at a young age to give your immune system the chance to learn from them. Trying to keep people away from all of that through extreme protective measures doesn’t always lead to very resilient people.
A dilemma we faced recently with the pandemic. The Responsible Disclosure policy is then a kind of vaccination program.
“And then you’d rather have a 16-year-old inside than a criminal,” Rickey continues.
Advanced Persistent Threats
Criminals, including what we call ‘state actors’: hackers employed by a government. There are a number of countries such as the US, China, Russia, North Korea and Iran that want to be known for having these kinds of capabilities and are not afraid to deploy them. Think of the Stuxnet virus that sabotaged Iranian nuclear facilities, the Shamoon virus that caused major problems at Aramco or the BlackEnergy malware that took down Ukraine’s power grid.
“Well, then you also have the state actors who are acting a little less prominently,” says Rickey. “Like France, which is quite active according to Snowden. And if we are to believe Huib Modderkolk, we in the Netherlands also count for quite a lot. So, the government is not afraid to try something out with Industrial Control Systems. And state actors are what we call ‘APTs’, Advanced Persistent Threats, which are very advanced and highly motivated and therefore almost impossible to stop. So then you have to be able to limit the damage by segmenting your network, compare it to the watertight bulkheads in a ship, and know what to do once they’re in. The ‘silver bullet’ that makes you immune to cyber-attacks doesn’t exist.”
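Bulkheads only limit the flooding if they are actually closed, so a segmented network needs a check that the traffic crossing zone boundaries is the traffic the design permits. The script below is an added example written for this article, not code from Rickey Gevers or from any organization it mentions: it takes a small zone map (office IT, a DMZ with the jump host, a supervisory OT layer and the control layer with the PLCs), an allow list of the cross-zone flows the design permits, and a handful of firewall log lines, and reports every flow that crosses a bulkhead without being on the list, plus any endpoint that falls in no zone at all. The zones, address ranges, ports and log lines are all constructed placeholders; the log format is an assumed simple key=value layout, not that of any particular product.

```python
"""Added example, not from the original article: check firewall flow logs
against a network segmentation policy.

Segmentation only limits damage if the bulkheads actually hold, so the
cross-zone traffic the firewall allowed should be compared with the flows
the design permits. Zones, ports and log lines below are constructed for
this example; the IP ranges are placeholders, not a real site.
"""
import ipaddress
import re

# Constructed zones: office IT, a DMZ with the jump host, and two OT layers.
ZONES = {
    "corporate-it":   ipaddress.ip_network("10.10.0.0/16"),
    "dmz":            ipaddress.ip_network("10.20.0.0/24"),
    "ot-supervisory": ipaddress.ip_network("10.30.0.0/24"),
    "ot-control":     ipaddress.ip_network("10.40.0.0/24"),
}

# Permitted cross-zone flows as (source zone, destination zone, destination port).
# Any other traffic that crosses a zone boundary is a breach of the design.
ALLOWED_FLOWS = {
    ("corporate-it", "dmz", 443),           # office users reach the jump host / historian
    ("dmz", "ot-supervisory", 22),          # jump host into the SCADA/HMI network
    ("ot-supervisory", "ot-control", 502),  # SCADA polls the PLCs (Modbus/TCP)
}

# Constructed firewall log lines (one flow each, assumed key=value format).
SAMPLE_FLOW_LOG = [
    "2024-03-02T10:01:05Z src=10.10.5.23 dst=10.20.0.10 dport=443 action=allow",
    "2024-03-02T10:01:09Z src=10.20.0.10 dst=10.30.0.15 dport=22 action=allow",
    "2024-03-02T10:02:44Z src=10.30.0.15 dst=10.40.0.7 dport=502 action=allow",
    "2024-03-02T10:03:01Z src=10.10.5.23 dst=10.40.0.7 dport=502 action=allow",   # office PC straight to a PLC
    "2024-03-02T10:03:30Z src=10.40.0.7 dst=10.10.5.23 dport=443 action=allow",   # control network initiating to IT
    "2024-03-02T10:04:12Z src=10.30.0.15 dst=10.30.0.16 dport=445 action=allow",  # inside one zone: no bulkhead crossed
    "2024-03-02T10:05:00Z src=192.0.2.44 dst=10.40.0.7 dport=502 action=allow",   # address outside every zone
]

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def zone_of(address):
    """Name of the zone containing the address, or None if it is in no zone."""
    ip = ipaddress.ip_address(address)
    for name, network in ZONES.items():
        if ip in network:
            return name
    return None


def find_segmentation_violations(log_lines):
    """Return one dict per logged flow that crosses a zone boundary without being allowed."""
    violations = []
    for line in log_lines:
        match = FLOW_RE.search(line)
        if not match:
            continue  # not a flow record
        src_zone, dst_zone = zone_of(match["src"]), zone_of(match["dst"])
        dport = int(match["dport"])
        if src_zone is None or dst_zone is None:
            reason = "endpoint outside every defined zone"
        elif src_zone == dst_zone:
            continue  # intra-zone traffic is not a bulkhead crossing
        elif (src_zone, dst_zone, dport) in ALLOWED_FLOWS:
            continue  # permitted by design
        else:
            reason = "cross-zone flow not in the allow list"
        violations.append({"line": line, "src_zone": src_zone, "dst_zone": dst_zone,
                           "dport": dport, "reason": reason})
    return violations


if __name__ == "__main__":
    for v in find_segmentation_violations(SAMPLE_FLOW_LOG):
        print(f"{v['reason']}: {v['src_zone']} -> {v['dst_zone']} port {v['dport']}")
```

Note that every sample line carries action=allow: the firewall passed all of them, so the three findings (an office workstation talking Modbus directly to a PLC, the control network opening a connection back into IT, and a source address that belongs to no zone) are cases where the rulebase has drifted from the design. In practice the zone map and allow list come from the network design documents and the violation list feeds the monitoring team, which is the "knowing what to do once they're in" part of the quote above.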
“How about learning from young people whose moral compass still needs some calibration?” I remind him of his comment a little while back.
“The gray area is already a bit less unclear than it used to be. The legal framework is fairly clear. But when you’re young you tend to look for those boundaries and sometimes cross them. It is also to a large extent culturally determined. It is better to give young people the chance to learn from this and to do something with their skills than to become too repressive. It’s the countries where talent gets few opportunities to make money with their skills in an honest way where most cyber criminals are.”
Learn from your mistakes
It’s nice that Rickey didn’t get so technical in this conversation that I could no longer follow it. On the contrary, he says he can appreciate my more philosophical approach to hacking. I see an interest in the moral side of the profession in almost all hackers.
Because for Rickey it all turned out well. Nowadays he is an ethical hacker who always has permission. Not as a digital sleuth in the High Tech Crime Unit but as an Incident Responder.
“A beautiful profession. You can make a lot of progress in making a company safer following an incident, so that’s very satisfying. Sometimes you’re really busy and sometimes you have a lot of peace and quiet. And for this work I can also use my offensive skills.”
And so Rickey Gevers is the living example of why we need to give young hackers the opportunity to learn, especially when they make a mistake. Especially then.
About the author
Roel van Rijsewijk is a cyber security consultant and evangelist with over 20 years of experience helping organizations become cyber resilient. He is a keynote speaker and author of ‘Cyberrisico als Kans’ (The Upside of Cyber Risk).