Date: 2022-07-05

Chris Roberts, an ethical hacker and top cyber security researcher who made headlines in 2015 by claiming to have hacked into the flight systems of a United Airlines airplane he happened to be on, and who had the FBI on his trail, is considered one of the world’s foremost experts on counter-threat intelligence and vulnerability research. Currently the chief security strategist for Boom Supersonic, Roberts has been associated with companies specializing in DarkNet research, intelligence gathering, cryptography, deception technologies and threat intelligence. Roberts works with companies and agencies to detect and expose vulnerabilities in their security systems so that they can be fixed. A passionate industry voice, he is equally known for his maverick outfits, flowing ‘pink’ beard and his love for serving the best whisky from around the world at international cyber security events.

Bharti Jain recently caught up with Roberts on the sidelines of the 12th Cyber Week event in Israel. Excerpts from the conversation:

How and when did you start hacking into computer systems?

I started out while still at school. I began messing around with systems when I was 10-11 years old. They were these ZX80s and ZX81s…the Sinclairs of the UK and Europe. Also Fastboards when I was 14. I had one of those Ataris and I ran into a problem with a bank because I was rather annoyed with my father. Being the master criminal, I moved the money from my father’s bank account into my account and renamed his account as mine. The police then had no clue what to do with me so they just confiscated my equipment. I stayed on in the industry and got into regular IT as there was no information security then. During the early days of infosec, I got yelled at a few more times for doing things I should not have done. We moved money to prove a point and still got yelled at. It’s like when you are in a company and you break into the company’s database and draw its payroll database and then walk up to your boss to say: “So I am not being paid enough!”

How do you manage to stay on the right side of the law?

I’m always troubled by this really fine line. There are times when some of the stuff I do, this line gets blurred. It’s not really a line but a blurry area. But for me it is morals. It all comes down to ethics and morals. Like if I am chasing child predators, I’m going to bend the rules, I am going to break into things and I am going to find the stuff I need to do. And then I am going to back out and go somewhere where I can find him (child predator). I don’t have any problem with that. But it does mean something if I am (breaking into systems) to take advantage of somebody.

As a hacker, have you done things that have resulted in saving lives or prevented big financial damage?

Probably, yes. But what I care more about is I have done a lot of work with human trafficking and child endangerment. I have seen a lot of stuff that I do, result in people being taken away from being able to do that kind of thing. I care more about that than saving financial companies.

The big thing now is privacy. How does one balance privacy with cybertech advancement?

It’s hard and you can’t do it easily. On the one hand I want to educate people. I want to help them look after themselves. I want to help them understand what and when to collect and when not to collect…how to look for the right things. But on the other hand as we build better technology they don’t need to learn everything that we know and so at some point we have to see how much we want to take control of and help them. Like your telephone. How much do I have to train you so that you know what to download and what not to download, versus how much do I improve the technology so that you can do it, or do I just take control. I only let you do some things because I don’t trust you. That’s a really grey area and I don’t like it. As tech people we have to get better and improve those devices. As a human we have to find a better way to teach people a little more and there has to be a balance. We have to drive the humans but we also have to talk their language. We fail (to do that)!

Why is ‘hacking’ not taught as a subject?

It really should be. I am old and I grew up with this. So it’s part of my life. The older generation didn’t. So then you ask how much you have to train them versus the younger generation that is accepting all this. My daughter is like I am fine with a lot of data being taken as it helps me make better choices with clothing. Right up to the point that now she is getting apps for dieting. At that point she thinks it’s personal life. But it’s already too late as all the apps already have data. There is a lot more education and acceptance for people to actually have. So I don’t know if it’s going to be better ethics around how we design things. People who take the data…we have to hold them accountable for protecting our data way more inventively. You go to a website but do you know how many of these websites have dozens and hundreds of cookies on them. And the data goes everywhere. But if I haven’t made you understand how to look for that data then how do you do it?

Were there times when you courted trouble while hacking or breaking into cyber systems?

We get brought in a lot of times to break into companies. So we were once breaking into a couple of state-owned places. We chose one building, we broke into it, we called the company and we were told by the company “that’s not our building”. That cold moment of realisation that not only did you mess up the instructions but that you also broke into someone else’s building! It was actually a water-treatment plant and we were sitting with a bottle of blue dye, ready to inject it into the stream to prove a point. Only to be told that that’s not our building! We were like, “oops, hold it”!

You were in trouble for claiming to hack into an airplane mid-flight…

(Laughs) And now I am in the plane industry! I have to be careful on that one.

