Life as a white hat: My day with an ethical hacker
Translation by: Larisa Rusu
The world of hackers is no longer solely inhabited by malicious cyber pirates, but also by individuals who use their technological skills to increase collective security and protect the online community. They are called white hats, Internet slang for ethical hackers. To see what they keep under their hats, we went to meet one in Bologna.
For the YoTambien series we dive into the themes of Yo!Fest @ the EYE2018, Europe's largest youth-led political festival, to explore the issues that matter to young people the most. We start with the digital revolution.
A black hoodie, the hood lowered down to eye level and a laptop turned on in the darkness of a room that hasn't seen daylight for a long time. In a small basement, data and highly confidential information dance on a computer screen. Data that would make the secret services shake in their boots. This is the image of a hacker many of us have in mind: an IT geek with a bit of a dull social life; someone who spends their time infiltrating secured networks and adapting them to their needs, whether malicious or benevolent. It's a cliché that has inspired hundreds of movies and influenced generations of writers and readers, but one that is far removed from reality.
The divine comedy
I too had believed that cliché. I loved the film Mr. Robot. But it all changed when I met Davide Del Vecchio, an Italian hacker who is currently helping a team of 20 people in a multinational company. Known in the Italian e-commerce sector, the company works to protect IT security. Davide is nothing like the stereotypical hacker we see in films and read about in books. He has nothing in common with Lisbeth, the introverted geek from Stieg Larsson's Millennium trilogy, who uses her photographic memory to memorise enormous amounts of data. He's not like Neo from The Matrix either. Davide broke all of the clichés I had in mind; he didn't quite fit the part.
I was looking for a white hat, Internet slang for an ethical hacker. A white hat is someone who hacks into their own company's operating systems to uncover potential vulnerabilities, prevents external attacks and prepares for risky situations like malware or targeted hacking attacks. In short, they are the good kind of hackers; they are not on the dark side.
The person who puts me in touch with Davide, who began geeking out with his first PC (an Amiga) at age six, is a colleague of mine who is part of the Italian hacker community. A few days later, I find myself in Bologna at his apartment. Davide is a regular guy, waiting for me on the fourth floor of a historic building in the centre of town. He takes refuge here about two weeks each month and spends the rest of his time abroad. He invites me into his kitchen, which sits below an open glass window that lights up the room. No darkness here.
Within the community, Davide is known as 'Dante', due to an old virus he created many years ago. At the time, he had set it up using the same steps as in the Divine Comedy; the user had to complete these steps in order to continue using their computer. As he tells me about coding, vulnerabilities, software and malware, we sip a cup of tea. His is a passion that was born when there were no words to define it. Since he was a child, Davide understood how to advance from one level to the next quickly, directly changing the code in his computer games to get his character more lives. He didn't know it then, but this would become his career, even if his father wanted him to be a doctor. At 16, he first gained access to the Internet. At 19, he started travelling the world to take part in the very first conferences on hacking and IT security.
"My field hadn't exploded then. It was only in the 2000s that the first discussions on hiring staff to protect organisations from cyber attacks started. But it was still early; the search engines weren't fully developed and, to stay informed, I would follow hyperlinks. In the meantime, I travelled as much as possible when I was invited by the community. I would do research and I would set off. Age didn't matter," Davide tells me. He doesn't define himself as a hacker, even if others call him one. That's how, in a way, he goes by unnoticed: "We never use this term. I consider myself an IT security specialist."
The topic fascinates everyone, but it's better not to talk about it too much. Especially because, after some routine questions, Davide explains that the conversation always ends up being the same: people ask him if he can hack into their partner's account or smartphone. Of course, he refuses every time. "That would be considered abusive access into an IT system, which is the legal equivalent to trespassing. I'm not up for that, especially due to ethical questions. For me, privacy is sacred. Still, those kinds of requests are quite common."
Up until now, Davide, who doesn't spend all of his time in front of his computer, has travelled to 75 different countries. His goal is to set foot everywhere in the span of one lifetime. A lifetime he spends in the office, from Monday to Friday. In his office, he has an inflatable palm tree with a pirate flag. This is where he leads his team of ethical hackers and IT experts from. Some are fully-fledged white hats who try to infiltrate the company's system, identifying possible flaws and signalling them. Others deal with security-related technologies, trying to prevent external attacks (hundreds of thousands per minute), which are mostly automated. And then there are those that develop the information on upcoming threats, creating possible alarms that help detect when someone or something is entering the system.
"You don't need to be a software engineer," Davide points out, "to deal with IT security, but you need to know a bit of everything. How networks work, how information circulated on the Internet, understand programming to see if some problems are rooted in code, as well as various operating systems." No network is 100% secure. According to Davide, it's easier to enter NASA's software than a private system. "Let me debunk some myths. There's a law that says that the level of IT security of a network is equal to the level of security of the weakest computer. The more computers there are, the more difficult it is to protect it. This is why reading about a young person who infiltrated big companies' or institutions' systems makes me smile. All you need is a computer to get in."
Davide doesn't only lead his team. With his colleagues, he deals with selecting future ethical hackers that could be an addition to the team. "Besides theoretical questions, I can give my computer to candidates and ask them to try and break into a test copy of our server," he says, taking a break to turn on the heating. It's still cold in the city, and a guest should be arriving anytime soon. These past years, Davide has hosted almost 600 people in the various places he's lived in: Bari, Milan, Rome, Treviso and now Bologna, through Couchsurfing. He even guided the revolt of its users, when in 2011, the founder of the website – Casey Fenton – announced the transfer of some of the NGO's shares. It went from a non-profit to a corporation.
At first, Couchsurfing was a portal based on gratuity, reciprocity and sharing, values that white hats respect given their connection to the free software concept. The same values have inspired the Hermes Center for Transparency and Digital Human Rights, an NGO that Fenton also cofounded, which focuses on developing free systems like Globaleaks. These programmes collect anonymous warnings used by various journalists for their investigations, but they are also used by Anac, the National Anti-Corruption Authority.
"The Internet has become a war instrument"
"The Internet was born as an instrument for liberation; a great medium to allow communication from everyone, everywhere in the world," he explains, "It was a boundless, lawless field where knowledge could spread anywhere without being controlled. Then, it started being used as a control mechanism, and now it's a fully-fledged war instrument." To get a better idea of what Davide is talking about, all you have to do is think about the amount of money generated from cybercrime, which has exceeded that of drugs. In fact, according to a study by McAfee, IT-related crimes are the third most expensive illegal activity after corruption and drug-trafficking.
"Today, the risk of cybercrime is higher than that of floods and wildfires. We're talking about a phenomenon that has and will have tough consequences, both at a geopolitical level and a private level. If we're thinking about mafia in Italy, well, it's still a bit soon to tell. But in other places like Russia, organised crime travels freely throughout the Internet." In the course of the past 30 years, the Internet has changed its face several times. Few things remain from what the Internet once was when it started, when it was a place you could endlessly explore and get on to share knowledge. But the worst is yet to come. Davide is convinced that this year, we'll make another leap forwards and start seeing lethal cyber attacks, not only on companies.
"Entrepreneurs that don't invest in security will be wiped out, and soon, we'll see the first person die because of a cyber attack. Today, everything is linked to the Internet: from gas plants to bypasses inserted in people's hearts. All it takes is a little bit of imagination." It's a scenario that various directors have already thought about, but after having sketched an apocalyptic future, my eyes fall on two comic books. They are fairy tales for children, Davide writes them himself. Probably at night, when all of Hollywood's hackers are geeking out on their computers, in their basements, in the dark.