Ron Reiter was a childhood hacker in Israel – for fun rather than harm. He was recruited into the IDF’s elite Unit 8200 for his military service. Now he is CTO and co-founder of cybersecurity firm Sentra.
Reiter’s career is not untypical – starting in early years by just messing with friends’ computers to be ‘more interesting’, becoming a hacker in his teens and early twenties, and then going on to co-found a cybersecurity company. The details, however, are less typical. When asked if he was a hacker, he replied, “Yes, I am a professional hacker.”
This was the first time in this series that a hacker has added the epithet ‘professional’ to the title. While it may seem insignificant, it is indicative of the man, his persona, and his history – and a specific type of hacker.
Reiter believes that hacking may originate in curiosity, but the initial curiosity does not necessarily make a hacker. He was interested in computers and computing from an early age, and started coding before he was nine years old – but he didn’t start hacking until he was a teenager. “Curiosity is the first step to being a hacker, but it’s completely unrelated to being a hacker. I only started to like hacking when I was a teenager.”
By this time, he already understood computers and computing. Now, perhaps partially through teenage rebellion, he no longer wished to be considered just the nice guy. He began to mess with his friends, sending them harmless viruses or accessing their CD-ROMs.
“It was just to show off and show people what I could do. Imposing your will on your friends’ computers is impressive. It’s a skill that makes you more interesting and more likable at school. I liked that people thought I was smart.” It is worth noting, however, that he never thought of hacking as anything more than a bit of fun.
But then came the compulsory Israeli military service. He was recruited into the IDF’s Unit 8200. This is officially known as the Central Collection Unit of the Intelligence Corps – the IDF unit responsible for SIGINT and cyberwarfare. Israel is perhaps unique in the world. It is almost surrounded by groups, some of which are classified as terrorist groups, that openly call for its destruction. Military intelligence and both defensive and offensive cyber capabilities are key to its national defense and security posture.
Reiter’s history as a coding prodigy and his involvement in teenage hacking would have been known to the IDF. “It’s not hard to find hackers online,” he said. “That’s one of the ways that military intelligence looks for people.” His military training transformed him from being a childhood fun-seeker into a professional hacker – it’s where things got more serious.
“I got the professional education and guidance necessary. I really learned how things work and I learned the tools and the methodologies and the techniques necessary to manipulate systems. I learned from my friends and colleagues, and my managers; I got tasks and missions, and it really became my profession. But I’ve never used these skills for anything other than protecting my country.” By ‘these skills’, he includes the dark side of hacking.
When he retired from the IDF, he took his professional hacking skills with him, but changed his motivation from defending his country to defending companies. He didn’t suddenly cease to be a professional hacker. “I’ve done whitehat hacking. Every now and then I’ve helped people better protect their systems — like ticketing booths for movie theaters, and parking systems. I found a way to get free parking tickets. So, in that sense, I continued it as a hobby. I never did it as a profession,” he explained.
“I’ve never used my skills for any type of damage or malicious activity, which isn’t related to protecting my country. Now I have a security company. I use my skill set as a hacker to build a security product. And that’s why today I still consider myself as a professional hacker. I’m the CTO of the Sentra cybersecurity company, and my hacking knowledge helps me understand how to build a better security product.”
This is the professional hacker. It is someone who has been formally trained to be a hacker, not someone who is self-taught. That quality of training is most usually found within national military intelligence agencies.
The skills necessary to be a whitehat hacker are the same as those necessary to be a blackhat hacker. But when you are in the military and defending your country, you don’t get to choose between offensive (cyberwarfare?) and defensive (SIGINT?) missions. The normal associations of malicious offense with blackhat, and moral defense with whitehat simply do not apply. So, ‘professional hacker’ is the best description.
We asked Reiter what it takes to be a hacker. “When I say ‘hacker’,” he replied, “I don’t mean the script kiddie who only runs scripts that may have been developed by real hackers.” Many of the internet’s cybercriminals today are little more than script kiddies, and this number is likely to grow with the increasing professionalism and separation of roles within the criminal underground. But when Reiter describes a hacker, he is really describing the professional hacker that is more likely to be found in the APT groups.
“There are two types of hacker,” he says: “reverse engineers and system hackers. Reverse engineers will take a piece of software, break it down, understand its workings and try to build exploits that will make it behave differently under certain situations.”
He gives an example. “Let’s say I take an email server, or a phone messaging server. I look for a vulnerability so that I can craft a very special email or a very special text message that I send to you over, say, iMessage, that makes your iPhone, or your email server behave in a certain way. It might let me take control over the machine that runs that server, or perhaps install some malware on your iPhone that will let me control the phone and later extract information. That’s one type of hacker.”
For this you need to learn reverse engineering and learn how computers work. “Things like assembly language, and a deep understanding of CPU architecture and how it works — and how compilers work, how code works, how the memory works, and how modern computer protections work.”
That’s the first type of hacker. The second is the systems hacker. “Systems hacking is more focused on things like web servers, on understanding how web applications are built, how servers are connected and how organizations are protected by firewalls and the networking stack. You must be able to look at an organization and understand how to attack it. Maybe you need to send an email and control some workstation within the organization’s network that you can take over and then run your own commands, or maybe you look for interesting servers and hack them. That’s a different type of hacking,” he continued.
“You need a very, very broad understanding of how web applications are built, and how networks are built, and how security products are built, and just about how every piece of software and hardware in the world of IT works. That’s the two types of hacker. The ultimate hacker is the one who does both. It’s possible — you can do both. It took a lot of time, but I got there. I may not be level ten in both, but I’m very good.”
There is a further requirement for both types of hacker beyond skill and knowledge. “The other thing a hacker needs is an incredible amount of patience and dedication, because it’s very hard to find and exploit a vulnerability,” he added. “It can take months to find just one vulnerability, and then you must work really hard to exploit it. It requires a lot of devotion, dedication, patience, skill, and intelligence to be a professional hacker.”
Morality plays no part in the process of hacking. But morality does direct the purpose and/or outcome of hacking. In general, we categorize hackers as blackhats, whitehats, or greyhats. This series suggests the possibility of a fourth, which we could just call ‘shady’. Shady is the childhood fun hacker who messes with friends’ computers, technically illegally but with no malicious intent beyond being the cool kid on the block. Reiter’s CV introduces a further and very important category: the professional hacker.
Blackhats hack for personal gain, usually financial. “A blackhat is an immoral person,” comments Reiter, “no better than a thief.” Whitehats use their skills to help organizations improve their systems and security defenses. Pentesters and researchers are subcategories of the whitehat. In general, whitehats attempt to stay within the confines of the Computer Fraud and Abuse Act (CFAA).
Greyhats are a little different — they will break the law, but for moral rather than immoral purposes. Morally-motivated hacktivists could be seen as a subcategory of greyhats. Reiter gives an extreme example: breaking into the Pentagon for the sole purpose of demonstrating that it is insecure. “You could go to jail for that. But the truth is, you did it for a good reason; you didn’t do it for your own benefit. This is the grey area between being a blackhat and a whitehat.”
The blackhat is immoral, the whitehat is moral, and the greyhat is amoral. But the professional hacker stands apart from all these considerations. For the sake of argument, we’ll suggest that professional hackers are the alumni of national military and intelligence agencies. This is where they learn the profession of hacking. Morality and immorality play no part in national security and defense — but geopolitics does; and this is where the concept of morality gets confused.
If professional hackers are the alumni of intelligence agencies, then the most destructive APTs out of Russia, China, and North Korea are better viewed as professional hackers rather than blackhats. North Korea may be an outlier since many North Korean hacks are designed purely for financial gain, which is a key characteristic of the blackhat. Nevertheless, the motivation is national rather than personal.
It would be wrong to describe these professional hackers as blackhats – even when they are attacking critical industries. Their personal motivation is patriotism rather than personal gain. But it is right for security teams to consider them enemies, especially where that patriotism belongs to a geopolitically adversarial nation.
In the West, the professional alumni of the intelligence agencies generally become whitehats working to strengthen society’s security defenses (consider ‘From IDF to Inc: The Israeli Cybersecurity Startup Conveyor Belt’). Ron Reiter, now co-founder and CTO at Sentra, is one of these. We do not know what happens in adversarial nations, but the suspicion is that many become blackhats of the most dangerous type.