The rockstar hackers protecting you from the bad guys
In their spare time, they hack Metallica. Their day job? To protect and serve.
Mark SerrelsEditorial Director
Mark Serrels is an award-winning Senior Editorial Director focused on all things culture. He covers TV, movies, anime, video games and whatever weird things are happening on the internet. He especially likes to write about the hardships of being a parent in the age of memes, Minecraft and Fortnite. Definitely don't follow him on Twitter.
He didn't have a good reason, or malicious intent. He was just a Metallica fan. He always wanted to play in a band but didn't have, as he puts it, "music skills."
"But I had hacking skills."
De Ceukelaire hacked Metallica for the attention. That's it. He had no intention of holding the band ransom. When I ask de Ceukelaire how he did it, or even whathe means when he says "I hacked Metallica," he won't tell me. I have to take his word for it. Telling me, he believes, will expose Metallica to other potential hacks. If the bad guys find that vulnerability, Metallica might be in trouble.
Fortunately, de Ceukelaire is one of the good guys.
De Ceukelaire is a white-hat hacker, a maestro using his deep knowledge of online security to hack companies for a living. He spends his days (and nights) on the hunt for potential vulnerabilities in websites, services, anything you can name. And, thanks to "bug bounties," he gets paid handsomely for his efforts.
But in 2018, de Ceukelaire is more like a rockstar.
De Ceukelaire didn't get paid for hacking Metallica; he got something far more valuable. After finding the exploit, he emailed the band, scared shitless ("They could've sued me and sent me to jail for the rest of my life").
Almost immediately, he received a response. A good one. De Ceukelaire got tickets to the group's next concert. He had the night of his life. He was invited backstage, and Metallica signed his keyboard.
Then Metallica invited him on stage. He sang backing vocals with the band. To this day, he's convinced the mic wasn't actually turned on, because Inti de Ceukelaire doesn't have music skills. But he does have hacking skills.
Inti de Ceukelaire essentially hacked himself on stage with Metallica.
Rock and roll
Right now, de Ceukelaire is on a different type of tour. Over the last six months, he's been to New York, Las Vegas, Buenos Aires. Alongside a core group of elite hackers, de Ceukelaire has spent 2018 being flown to exclusive locations to hack world-renowned companies at their behest and find the exploits their internal security teams have missed.
Today de Ceukelaire and hackers like him have congregated in Sydney. Thanks to Bugcrowd, and event sponsor Atlassian, a group of the world's best will battle it out for a pot of cash worth $100,000.
In an age when platforms and companies exist entirely online, and businesses could be ruined with the click-clack of a keyboard, security is paramount. Preventing your company from being set on fire and obliterated by a rogue hacker with an ax to grind is an industry in its own right.
Traditionally, this sort of thing was done in house, or via a consultancy. Casey Ellis, the founder of Bugcrowd, did consultancy work for 15 years and it was expensive. (As one hacker explains, a standard consultation "costs you $50K and you get nothing, shitty bugs.")
Ellis figured there might be another way. During a flight, writing on the back of a napkin, he came up with an alternative: What if, instead of asking companies to pay exorbitant amounts for inconsistent testing, he invited the best hackers he knew to attend an event? What if the hackers who found the best bugs, the best exploits, got paid then and there? First come, first served. Companies like Google and Facebook were already doing this, but Ellis wanted to take the model to companies that needed more than your traditional, basic security scan.
Two worlds collide
"This is the cutting edge."
Jason Haddix is Bugcrowd's vice president of researcher growth. It's his responsibility to make sure things run without a hitch, that the best hackers come to the biggest events and find the most useful bugs. It's also his job to build a bridge between the security industry and potential white-hat hackers.
Haddix has had a foot in both worlds for as long as he can remember.
He is bearded, broad and mostly silent. Hackers dart around the room in T-shirts, Vans and hoodies, but Haddix is suited and booted. He's intimidating, right until the point you ask him about video games. Then he cracks -- a goofy grin breaks out.
Before he wore a suit to work, before he worked in security, Haddix was just another kid playing Starcraft, hacking to get an edge online. "I'm a gamer," he says. "I learned to hack using video games."
In college, Haddix studied "offensive computer security," which led to a gig as an IT technician at security company Citrix. During that period (via the "shadiest sections of the internet"), Haddix was teaching himself how to hack.
Watch this: Google bug exposed data of up to 500,000 Google+ users
Haddix says he was just "putzing around" when he found 40 crucial vulnerabilities on his employer's website, but he alerted his boss regardless. Almost immediately he was promoted to the security team. That's when Haddix became involved in "penetration testing," essentially running simulated hacks designed to test the security of online systems.
All the while, Haddix was earning bug bounty cash hacking on the side.
Bug bounties are simple: They're cash paid for hacking. If you head to Bugcrowd's website, there's a list of companies looking for hackers to test their systems. Pinterest, for example, is paying $15,000 per vulnerability found. Skyscanner -- the cheap-flights service -- will pay anything between $100 and $2,000, depending on the bug.
Ford is on Bugcrowd, so is Magic Leap. Acorns, IOTA, Binance -- all on Bugcrowd, paying hackers to scope out weaknesses in their systems before the bad guys find them.
"I paid for my wedding with bug bounty money," Haddix says. "I paid for my car with bug bounty money. I paid for my kids' education with bug bounty money."
And he did it all without leaving his computer.
Bugcrowd has leaderboards. It's fairly easy to see who's found the most exploits. It's for bragging rights, but it's also a fairly decent metric to see who should be flown out to events like this one.
In 2014, Jason Haddix was No 1.
Now he helps other hackers get where he once was.
What success looks like
In Sydney, for one weekend only, Adrian Ludwig is the man who decides how much hackers like de Ceukelaire get paid.
Ludwig is chief information security officer at Atlassian, the Australia-based software company sponsoring the Sydney Bugcrowd event. It's Atlassian that's putting up the $100,000 bounty. It's Ludwig who ultimately doles out the cash.
A year ago, Atlassian launched its bug bounty program in partnership with Bugcrowd. It represented an open invitation for hackers across the globe to identify potential exploits and vulnerabilities in Atlassian software like Jira and Confluence. To date, hackers have been financially recompensed for finding 314 bugs in Atlassian software.
Ludwig says Atlassian's partnership with Bugcrowd has been "successful," but in this situation, what does success look like? If bugs are found, is that a failure? If Atlassian has to pay hackers exorbitant amounts of cash to keep its products safe, is that good?
"We want it to be difficult for people to find issues," Ludwig explains. "But we also want the best researchers in the world to be looking for those issues.
"If you can do those two things, then over time the amount you pay increases. That means better researchers are spending more time on it. And it means that your products are getting better.
"Ultimately you want to get to a point where you're spending a lot of money for each issue, but less issues are being found."
Ludwig is in his early 40s but could easily pass for 25. He speaks softly and chooses his words carefully. But like most attending this event, Ludwig is masking a quiet giddiness at being surrounded by like minds.
This sort of event doesn't happen often -- security is a solitary profession. Hackers tend to work weird hours, at home and on laptops. Events like these are designed for people to meet in person, exchange techniques, learn from one another.
Get to know the person behind the online handle and collaborate.
"You're meeting people for the first time and that's a super cool interaction," says Ludwig. "It's like 'I've been following your work for years!'"
Ludwig has grown up in this universe, but he still finds space for hero worship.
For Atlassian, and Ludwig's team specifically, this is a golden opportunity to build relationships with some of the best hackers and security researchers in the world, to encourage them to work on Atlassian products. That's the endgame for Ludwig. It's his job to make Atlassian's products as safe as possible. Events like these make that possible.
He expects to pay out the whole $100,000 available.
"Maybe we'll end up paying more."
When Ludwig was a hacker, he knew everyone worth knowing by name, or by handle.
"I got in early," he says.
At 16, Ludwig was a "pretty good math student." Good enough that the US government recruited him for the Department of Defense -- which put Ludwig through college. ("They paid for me to learn about math," he says.) After college he spent seven years building and destroying cryptography systems.
"It was a good fit for me," he says. "I like to see how things can break and think through hard problems."
During that period, the mid- to late '90s, Ludwig estimates there were roughly a dozen good security people who could do what everyone at this event can do. Now there are thousands, he says, but it's still not enough.
"There's a shortage of security professionals -- about a million people. It's an astronomical number to imagine."
In 2018, security is often a battle for attention, and events like this one, with its $100,000 pot, are an effective way of securing it.
Despite being information security chief at Atlassian and being a math prodigy recruited by the US military, Ludwig says he'd have no chance competing with the elite group of hackers prepping to attack his company's products.
"Twenty years ago? Sure," he says. "Give me a Windows 95 box and I'm good to go."
Bugcrowd's Haddix thinks differently. He takes a second and looks out the window of a corner office. "Who's here today..." he wonders openly, scanning his potential opposition as they stare intently at laptop screens. "I could go toe-to-toe."
But going toe-to-toe isn't Haddix's day job anymore. It's his job to take these hackers to a world outside the tech bubble.
In the end, Ludwig was right. Atlassian did end up paying more than it initially bargained for. $110,000 to be precise.
Ludwig was delighted with the results. Atlassian is happy to pay hackers $110,000 to break its products to pieces because Atlassian is Australia's biggest tech company and it understands how this works.
The next step is convincing everyone else. Companies like Google, Facebook and Atlassian are wise to the benefits of white-hat hackers and bug bounties. The rest of the world is not.
"We're still out there trying to convince companies this is the model," Haddix says. "This is the future."