Parameter job applicants have bragged about their illegal exploits in the past. Chronister has shown them the door.
If Chronister is a hacker bound by a "lawful good" code of conduct, his peer Charlie Miller is what you might call a practitioner of "chaotic good." (D&D Wiki: "...acts as his conscience directs him with little regard for what others expect of him.") Miller doesn't do any of this social engineering or dummy webpage crap. The 40-year-old St. Louisan attacks hardware directly, often finding elegant and ingenious ways around the traps that developers have built to protect their product. What those developers think about his work doesn't enter into the equation.
This approach has built him into a hacking folk hero. He's the first person to remotely hack the iPhone (in 2007), a serial-hacking competition champion and a member of Twitter's security team. The fact that he worked in the NSA between 2000 and 2005 only adds to his mystique. His LinkedIn profile simply states: "During this time, [Miller] identified weaknesses and vulnerabilities in computer networks and executed numerous successful computer network exploitations against foreign targets." (Miller adds that he did not spy on Americans, nor did he know anyone who did at the NSA.)
He calls himself a "black-and-white person." He tried studying philosophy during his college years at Truman State University but got sick of all the vagaries, all the games of twisting words to suit an argument. He hated that he could never prove conclusively that he was right and the other side was wrong. That's what led him to the clean rules and logic of mathematics, then to the NSA and the hacking world.
What he sees as "white-hat" hacking doesn't always jibe with mega corporations like Apple. The company infamously kicked him out of its iOS Developer Program in 2011 for knowingly submitting a booby-trapped program to its App Store. Apple, despite its quality assurances to keep the App Store safe from bugged content, let the app stay up for two months before Miller announced what he had done. To Miller, this was a benign experiment, a "proof of concept" designed to demonstrate a crucial vulnerability.
"Really, I'm trying to protect myself," Miller says. "I am an iPhone user. I don't give a shit if [Apple's] stock price goes down. I just want them to fix it and fast.... I only have so many hours in a day. If it will take two hours of wrangling with bug reports over the phone, then I just won't do it."
He jokes that one day he'll be as good as the hackers on TV, the kind who sit down at a computer, jab at the keyboard for 3.4 seconds and declare, "I'm in!"
In reality, one of Miller's investigations can take up to nine months of false starts and dead ends. If a team of engineers devoted that kind of time to every little idiosyncrasy of a new smartphone, the thing would be out of date by the time it hit store shelves. And often enough, Miller will report a bug only to find that software engineers already have identified it.
Still, Miller doesn't extend much sympathy to anyone he's pantsed over the years.
"To me, the ethical problems fall into the laps of the people making the software," Miller says. "Once I find a vulnerability, I should be able to do what I want with it. It's like something I found in the street. Writing better software shouldn't rely on some dude in St. Louis."
Whether the rising generation of hackers ends up following the example of Chronister, Miller or the black hats of the world might depend on who trains them.
When Chronister decided to launch Parameter and hone his infiltration skills into an art, he went to study at the foot of hacking guru Ralph Echemendia, one of the featured speakers at last month's TakeDownCon.
Chronister refers to Echemendia as his "cyber-sensei." He's a man who comes from an old-school hacker mentality, earning his bona fides during a time when the field was an open-ended Wild West. It was lawless but not necessarily lawbreaking. People who knew how to navigate between modems would go out and see what they could get away with and then report back to their fellow enthusiasts.
In the long decades since then, Echemendia has built himself into a high-profile Hollywood security consultant, protecting films from bootleggers and advance leaks. He even got his fifteen seconds of celluloid fame with a brief cameo in Oliver Stone's 2012 hack-and-shoot thriller Savages. But he's more proud of his work as a consultant on the film, ensuring that the usual Hollywood hacker bullshit didn't make it into the script.
Despite that level of hard-earned legitimacy, Echemendia says he has had to stay on top of developments in both the white- and black-hat hacking worlds. It's very much a Sun Tzu, "know the enemy and know yourself" type of philosophy. Although Echemendia has quite literally gone Hollywood, he still has a well of hacking contacts that extends deep underground.
For the many white-hat hackers whom he has met and trained, ethics is a matter of what they do at the keyboard when no one's looking. The best of them have a ravenous intellectual hunger, and they'll seek sustenance wherever they can find it.