Hacker Conversations: Tom Anthony and Scratching an Itch Without Doing Harm

Tom Anthony, a Brit now living in Germany, is a hacker at heart. His driving motivation is curiosity about how things work under the hood, not how hacking could be turned to his own benefit. 

Many hackers trace their origin to an interest in, and early exposure to, computers. Tom Anthony is no different. “I taught myself programming on an early BBC microcomputer when I was eight years old,” he said. “I always knew I liked computers, and I was one of those lucky people to find out what clicks for them at an early age.” His first brush with hacking was just four or five years later.

It was shareware games that triggered him. You could play a part of the game for free but would then have to buy a code to unlock the rest of the game. By this time, he had discovered how a debugger works. “I realized it was possible to use a debugger to bypass having to put the code in to get the whole game.”

He didn’t do this for personal gain nor to show off to his friends. He wasn’t even a gamer, and rarely played the games he got for free. For him, it was curiosity and challenge that motivated his hacking. “Once I had hacked it and made it the full game, it was, ‘Okay, moving on, next one…’. I think many hackers have this thing inside their heads. It’s like I need to know how this works. I need to know how I can get past this control or whatever it might be. And for me, that became the game of, can I kind of get into this thing or can I get into that thing?”

In this series, we call this the ‘shady’ phase of hacking — a precursor to becoming a blackhat, whitehat or grayhat hacker: not yet of any particular color, but with the potential to develop into one or more of the conventional descriptors in later life.

He was still only just in his teens, and although his friends called him a ‘hacker’, he didn’t really understand the concept. The turning point came when he was 17 years old and got arrested after hacking into a corporate network. “Basically, I dumpster-dived for a computer that had been discarded by the company, and undeleted stuff on the hard drive. I got enough information to allow me to use my modem to dial into their network and download files.”

Unsurprisingly, he got caught. This happened after Robert Schifreen and Steve Gold had broken into the Duke of Edinburgh’s Prestel mailbox and triggered the Computer Misuse Act (CMA, the UK’s first ‘anti-hacking’ legislation). So, the CMA existed, but no-one yet had any experience in applying it. The police told him he faced 270 years in prison. They told him that every file he downloaded was a count of theft, and that every time he used somebody else’s password was a count of fraud. They didn’t take motivation into account; nobody understood how to apply the legislation, and the police didn’t understand what he had done. “In the end, it all got thrown out, so I was fine.”

Anthony didn’t name the company concerned, but commented, “My motivations were good. I was trying to right a wrong in the world, but maybe I didn’t approach it in the best way.” 

This is an important point in the evolution of Tom Anthony, the hacker. Most young, shady hackers (remember, he was still just 17 at the time) become real hackers – an evolution that often pivots on an inherent moral compass that shapes their future. (The moral compass is not the only criterion. Economic necessity in less affluent areas or countries will also play a part.)

Anthony was simply never tempted to use his hacking skills for immoral financial gain. “I don’t think there was ever a time when I would have been willing to do something [blackhat] for personal financial gain. I think there was a ‘gray’ period when I first got access to the internet, which was the late 1990s when security on the internet was a total disaster zone.”

He describes a period when curious people would roam the new internet, largely just to see what was there. “There were people who didn’t understand the potential impact of what they were doing. You could end up logging into computer systems, not really knowing where in the world this computer system was, nor what it was charged with doing. You poke around and you find something interesting; and you fiddle with it, and you might inadvertently break something. So, I think that there was a small risk of that because there was a time when I was digging around to see what things I could get into. But I don’t think I would ever have crossed the line – I was too scared even if I hadn’t had the moral compass.” 270 years is a long time. 

After his problems with the police, he focused on a more traditional route. He studied computer science and then gained a PhD in artificial intelligence at the University of Hertfordshire. While working on his PhD, he joined the firm Distilled (now Brainlabs), becoming VP of Product. During this period, he developed the concept of a proxy platform that could do SEO A/B Testing, and built a team around it. It was successful, and in 2020 the concept and team became a separate firm known as SearchPilot. 

He now, in his own words, has a respectable day job as CTO at SearchPilot. But his intense curiosity about how things work behind what is made visible has never left him. He doesn’t hack to break things for money, but for understanding. That understanding could uncover methods of breaking systems, but that has never been the primary motive.

For example, in 2015, “Google released a new feature that would allow you to see if they had manually penalized your website in the search results. For SEO people this was a big moment – it was exciting.”

He wondered what was going on behind the front end. “So, I started poking at the API. And then I thought, ‘Okay, well, I can see it’s making this request about my website. What happens if I change that domain?’ Google tends to be quite good at security, but there was no authorization mechanism on this. So, I could now search through Google’s database and see what their manual appraisal of any website was.”

He could have turned this to his own advantage, but remember that he always hacked out of curiosity, not for illicit gain. “How do I report this? I came across Google’s bug bounty program. I got a $5,000 bounty, my first ever bounty and I was like, well, that’s nice. That made me aware of bug bounty, but it was really the pandemic when we were all in lockdown that was the big turning point.”

During the pandemic lockdown, people with a hacker mindset were stuck at home with little more than a computer and the internet. At the same time, Zoom and other video conferencing systems took off. It was inevitable that these two things would collide. Anthony hacked Zoom.

The incident is in the public domain — and is important to his hacking evolution. It was a turning point, bringing him more centrally into the sphere of bug bounty hacking (more so than the earlier almost accidental award of $5,000 from Google). Anthony wouldn’t talk about the Zoom incident. “I don’t think I handled that first Zoom issue very well,” he said. “I have a good relationship with Zoom nowadays.” 

Bug bounties are a legitimate way for hackers to make money from their skills while simultaneously strengthening the security ecosphere. But the process relies on a high level of trust between the hacker and the vendor – and Anthony doesn’t wish to disturb this level of trust. SecurityWeek approached Zoom for its approval to talk to Anthony, but did not receive a response. However, the story is public knowledge, so we have reconstructed it from public records rather than Anthony’s personal commentary.

The hack was prompted by seeing information on a Boris Johnson Cabinet Meeting that was hosted on Zoom during the pandemic lockdown. SecurityWeek reported the story at the time, and Anthony wrote a blog on the subject. In brief, he found he could break the Zoom password associated with the meeting ID (which was effectively an unchanging account number).

There is a combination of both Zoom-sensitivity and political sensitivity involved. If Anthony could relatively easily break into a Zoom meeting (the flaw was rapidly fixed by Zoom), who else could have done the same? This was a genuine concern since there was an unknown attendee at the meeting, and the current deterioration in international relations was already well underway.

The story is important on several levels. The lockdown almost certainly converted many bored and curious people into hackers and/or wannabe hackers of various colors; and was also instrumental in pointing Anthony toward the burgeoning bug bounty program.

“I am very pro bug bounty,” he said. “I think it is good for hackers, and good for security.” He doesn’t think it’s perfect, nor does it solve all problems; but it helps with many of them. He recalls a time around 2008. 

“I found a bug in a major domain name provider. It let me take control of the DNS of any domain they had registered. That was millions of domains, very high profile websites, that I could have directed elsewhere. So, I reported the bug to the provider via email. They emailed back saying no, no, no – what you say is a vulnerability cannot be exploited.” 

He hadn’t been looking for bugs. It was something he just stumbled on. “I found the domain name occurred twice in URLs. So, I changed one of them, and it gave me access. There was no security.” He emailed back and said, “Yes it can; look here, and here, and here. They just blanked me and quietly fixed the bug.”

He considers himself lucky. The domain name provider didn’t come after him from a legal perspective – which was common 15 years ago and still occurs today. The purpose of bug bounties, and bug bounty operators like Bugcrowd and HackerOne, is to sit between the hacker and the vendor as a mediating referee – ensuring that hacking is done in good faith and reported responsibly while the hacker is paid for his efforts.

It’s still not perfect. “There is an unsolved friction, especially where a major bug goes unfixed for a long period.” The vendor may have paid a bounty for the responsible disclosure, but is that always fair recompense for the hacker’s work, or is it a method of legally tying the hackers’ hands?

“It’s those cases where you’ve reported a bug, and you’ve been paid some number of dollars for it. Sometimes you’ll be underpaid because you spent a lot of time finding it, and sometimes you’ll be overpaid because you found it by luck. Both have happened to me. But sometimes the bug goes unfixed for a long period of time and you begin to think, ‘Would the world be better off if I had spoken up and disclosed it publicly, or told the company I’m disclosing this in 90 days to pressure them to fix it?’”

And for those hackers with a lesser moral compass, ‘Could I have got more money by auctioning the bug on the dark web?’ The answer to that last question would almost always be ‘yes’. So, for the bug bounty process to work, it is incumbent on the vendors to not only pay up adequately and quickly, but also to fix the bug rapidly.

“I think it is always going to be difficult for individual hackers to hold companies to account for that sort of thing,” he continued. “While the framework of bug bounty is imperfect, it is nevertheless a huge step forward.” The bug bounty program can apply pressure on the vendor, it can ensure the hacker is recompensed, and it can provide a safe harbor against legal blowback from disgruntled vendors.

“The role of the hacker,” said Anthony, “is not to hold the companies to account – it is to find those security issues and report them in a responsible manner.”
