Mark Litchfield walked away from his computing A-level with a grade of ‘U’ but now makes millions reporting bugs
Relaxing in the sunshine with his former Playboy model wife, Mark Litchfield is contemplating another dip in his pool. The 85F heat at their luxurious lakeside home near Las Vegas is a world away from more autumnal conditions in his home town of Arbroath.
Some of his childhood was spent in Angus, where his father Dave was based as a Royal Marine, then military boarding schools south of the Border, which he ‘hated’. Among the subjects he loathed was computing science – in which he performed so poorly he achieved a ‘U’ [ungraded] at A Level, the worst possible result.
Now 47, Litchfield is enjoying a lifestyle that then would have seemed unimaginable, having made more than £1.4million – as a professional computer hacker. But he hasn’t generated that ever-growing fortune by infiltrating major companies to steal valuable data, the kind of cyber-theft that terrifies chief executives and their customers.
Instead he’s an ‘ethical hacker’ – worming his way into websites and apps owned by global firms to demonstrate to them the weaknesses and bugs in their web security, before claiming cash rewards.
The companies’ own in-house teams cannot keep up with the huge volume of defects that could be exploited by criminal hackers if they were left undetected, so depend on a network of freelance experts to find and report them.
Litchfield has recently become Britain’s first ethical hacking millionaire, according to HackerOne, an organisation which acts as a middleman for large businesses, such as Yahoo! and Google, distributing the rewards or ‘bounties’ to bug-finders.
He is candid about his reasons for getting into the business: ‘I’m in it for the money – it’s my time, my skills and I should be fairly paid. I don’t care about making the internet safer.’
Litchfield now lives in Las Vegas with his wife Carley Lynn, a former Playboy model, far away from cold Arbroath where he grew up
He is also keen to stress he’s no Bill Gates, and that anyone can turn their hand to hacking, which he says pays better and provides a steadier income than criminal hacking – and doesn’t carry the risk of a jail term.
The father of three said: ‘You literally need no computing skill or knowledge, anyone can do it. If you have a computer lying around, not doing much, watch a YouTube tutorial on how to find bugs and you will definitely find them – and start earning some cash.
‘I can’t even code [create computer programs] but you don’t need to be able to code to hack.’
HackerOne pays bug bounties to the hackers who, hunched over computers, pore over data looking for ‘vulnerabilities’, helping companies avoid PR calamities when their customers’ data is stolen by unethical hackers, exposing them to fraud.
These firms increasingly rely on a worldwide battalion of well paid helpers to pinpoint flaws that, in the wrong hands, could lead to disaster.
Last year it emerged that HackerOne had awarded more than £19million in bug bounties to its network of researchers – hunting bugs in the US Department of Defence, Dropbox, Starbucks and Twitter.
Facebook received 12,000 submissions from bug-hunters in 2017, paying £730,276, and by last year had paid £5.2million to hackers since it started its programme in 2011.
High-profile hacks involving credit rating firm Equifax, which suffered a huge data breach that exposed 400,000 Britons’ personal details and millions more around the world, mean bug bounties amount to little more than small change for big businesses – not so much an expense as an investment.
Litchfield is self-taught. He didn’t have a computer growing up and finds games boring – while playing them he can’t stop thinking about how much money he could be making by bug-hunting.
After leaving school he had a ‘nightmare time’ – a ‘job here and a job there’ – but knew he wanted to be his own boss, so won a grant to set up a computer shop.
He said: ‘I found I was losing money. People didn’t know how to use their computers. It was always “user errors”, and I realised the real money was on the technical side.’
He sold up and bought a manual on Microsoft servers, reading and re-reading it for two weeks, and later secured a ‘system administrator’ job with Cable and Wireless in London.
It was similarly uninspiring work – resetting passwords and other pedestrian tasks – so with his brother David, 45, who now works for Apple, he set up a company which tested software for bugs.
This was later bought up by a bigger company, in the year 2000, and the brothers set up another firm, which was also later acquired by a competitor. Litchfield then moved to the US and discovered a possible future lay ahead as a freelance bug-hunter, after finding a flaw on the Yahoo! site in 2014, allowing him access to passwords.
All ethical hackers operate in a legal grey area, and in the early days some risked falling foul of the law simply by telling companies about their hacking bids – but Litchfield saw an opportunity for profit.
He said: ‘I submitted information about the bug and waited six to eight weeks but didn’t hear back, then I got an email from HackerOne telling me I’d get a bug bounty of £2,230.
Ethical hackers or ‘white hat’ hackers deliberately avoid breaking the law as they write their code, often pointing out exploitable flaws to companies for a reward
‘I had just wanted to test the water but I realised that I could make a living by finding bugs. You don’t have the same support as you would get by being part of a company, and it can be solitary, but the rewards can be great.
‘I kept bug-hunting and found it was relatively easy to make money.’
Litchfield moved to Nevada in 2012 and now lives with former Playboy model CarleyLynn, 32, in a 6,200 square-foot home next to Lake Las Vegas, not far from the city.
He says the couple enjoyed several ‘awesome’ parties at the late Hugh Hefner’s Playboy Mansion in Los Angeles. Now Litchfield works for Verizon Media and is in charge of the organisation’s bug bounty initiative, but continues to work as an ethical hacker.
He isn’t a keen gambler but has made money from gaming giants in other ways: one job saw him help a casino chain detect bugs in its online operation.
Most of us are probably more familiar with less than ethical hacking, picturing either criminals trying to steal sensitive information or computer geeks at work in their bedrooms.
The 1983 movie WarGames featured a high school student, played by Matthew Broderick, hacking into his school’s IT system to change his grades before hacking a military supercomputer, almost triggering nuclear war.
In real life, Gary McKinnon, originally from Glasgow, was arrested by British police in 2002 after the US Justice Department accused him of hacking into Nasa and military computers. He then faced a decade-long legal fight against being sent for trial in America. Seven years ago, after successive Labour home secretaries ruled he could be extradited, Theresa May blocked the US authorities’ bid to prosecute McKinnon there.
Police Scotland has warned of the rise of ‘ransomware’ attacks, where malicious software takes over computing systems, blocking access to data or threatening to publish it unless a ransom is paid.
In 2017, desperate NHS staff across the UK pleaded with patients to stay away from A&E after a ransomware attack, while ambulances were diverted away from hospitals struggling to cope with the crisis. The virus attack originated in North Korea and led to almost 7,000 appointments being cancelled across the UK.
A small piece of malicious code infected a computer that had not installed software updates, then sought out other computers.
In 2016, a computer virus stopped public access to details of births, deaths, marriages and Census archives at the National Records of Scotland.
Bug-hunting has only become widespread over the past three years, but back in 1983 Volkswagen offered a reward to hackers who were able to breach the operating systems of the company’s Beetles. Modern-day ethical hackers all have one trait in common – ‘endless curiosity’, according to Mårten Mickos, chief executive of HackerOne. He said: ‘We don’t find them. They find us. They read, they study vulnerabilities and then they report them.’
Big firms have their own bug-finders but, according to Mickos, ‘even if you have a really smart person in-house, it’s difficult [for them] to find their own typos’.
In one case in the US, ethical hacker Sean Melia was scanning the Starbucks app and ordering a coffee when he realised that by changing his order number on the checkout screen he could modify other people’s orders.
This would allow him to send coffees to other people’s houses – or have their orders sent to his house – at no cost. Melia reported the bug for a reward of several thousand dollars.
‘I’d rather have a £3,000 to £5,000 bounty than a chance of stealing a free coffee,’ he said.
In 2013 an unusual post appeared on the Facebook page of the social network site’s billionaire founder from a user called Khalil Shreateh. ‘Dear Mark Zuckerberg,’ Shreateh wrote, ‘Sorry for breaking your privacy, I had no other choice to make after all the reports I sent to Facebook.’
Shreateh, a security researcher from Palestine, had discovered a bug in Facebook’s software that allowed anyone to post directly on to any user’s wall. After he was ignored by the company’s security team, he took the direct approach to demonstrating the bug – hacking Zuckerberg’s own page.
One of the youngest ethical hackers in the world is Ibram Masouk, who bought his parents a house aged just 15 with money made finding bugs.
The teenager, who was born in Lebanon but moved with his family to the US, made a small fortune discovering security vulnerabilities in Yahoo! and Google. He estimated last year that he had made £43,550 out of hacking ten hours a week over six months.
He lives at home with his parents and two sisters, and attends school every day, but has hacked more than 60 companies, some of them multinationals.
Meanwhile, Google has paid around £9.9million in rewards to hackers since 2010, dishing out £2.2million in 2017; its biggest reward in 2017 was £93,040.
Global giant Apple only launched a bug bounty programme in 2016 but, with several secretive private companies offering up to £1.2million for a high-level attack, some hackers have suggested Apple’s payments, which range from £20,670 to £165,365, are not high enough.
Paying bigger bounties could yield longer-term benefits for tech companies.
Uber admitted in 2017 that a cyber-leak had revealed the details of 57million customers over a year – stolen by very unethical hackers. The online taxi-booking firm had paid the hackers £82,680 to keep quiet and delete the stolen information while hiding the issue from regulators.
For chief executives, data raids on such a scale only underline the need for Litchfield and his cohorts, who remain invisible to billions of internet users around the world.
But regardless of their motivation – whether money or principle – there’s little doubt the web would be infinitely more lawless without their vigilance.
