Friday, March 16, 2018

Gray Hat

Marcus Hutchins was still recovering from the night before as he settled into a lounge at the Las Vegas airport one afternoon this past August. Hutchins, a 23-year-old cybersecurity researcher, had come from his home in rural England in part to attend DefCon, the world’s biggest computer-hacking conference, and in part to take a well-deserved vacation.

Three months earlier, a North Korean cyberattack known as WannaCry had crippled the British health-care system and caused a billion dollars in losses across 150 countries. The damage could have been much worse — tens of billions, by one estimate — but a few hours after the attack began, Hutchins figured out how to stop it, almost by accident, while sitting at a computer in his bedroom at his parents’ house.

That act made Hutchins the closest thing cybersecurity had ever had to a global celebrity. “Oops! I Saved the World,” read the cover of the New York Daily News. “Cyber Geek Accidentally Stops Huge Hack Attack.” Edward Snowden congratulated Hutchins, and strangers recognized him at Heathrow. Hutchins had gone to DefCon the year before and found the convention unpleasant — “I remember slowly moving down a packed hall in a sea of people who smelled like they hadn’t showered in days” — but in 2017, Cisco invited him into the VIP section at its party. “A year earlier, I’d never have gotten in,” Hutchins said. At six-foot-four, with hair that adds an inch or two, Hutchins was easy to spot, and conferencegoers asked him to pose for photos that they put online with the tag #WannaCrySlayer.

The post-WannaCry attention had been a bit overwhelming for Hutchins, but he loved Vegas. He stayed in an Airbnb with the city’s largest private pool, lit up a bin Laden target at a gun range, and drove around in a friend’s rented Lamborghini. Hutchins didn’t gamble, but he hung around the casino floor to get free drinks. “About to cross ‘turn up at a club in clothes I bought on the way’ off my bucket list,” he announced on Twitter as he went to the nightclub XS to see one of his favorite groups, the Chainsmokers. He wasn’t even mad when he lost his credit card and ID. “Chainsmokers was definitely worth the lost wallet,” he said.

In short, Hutchins was having the kind of Vegas experience that a 23-year-old’s dreams are made of — so much so that he was oblivious to the American law-enforcement agents who were watching him in Nevada. Hutchins didn’t know it, but before he came to the United States, a grand jury in Wisconsin had indicted him, alleging that, three years earlier, he had coded a piece of malware called Kronos that could steal people’s online banking information and conspired to sell Kronos to cybercriminals — charges that carried a maximum 40-year sentence. The legal system has struggled to deal with the reality that between the poles of “white hats,” the good guys, and “black hats,” who use their skills to do harm, many of the world’s cybersecurity experts got good by probing the large gray area in the middle. Whatever Hutchins had or hadn’t done years earlier, he now seemed to be one of the good guys — a hero, even — and a prosecution like this threatened to fray the already fragile connection between hackers and the government at a moment when the internet can use all the help it can get. All of which left Hutchins surprised, as he sat in the airport tweeting about his eagerness to start investigating a new cyberthreat, when several federal officers walked up and said they needed to ask him a few questions.
***
One Saturday in February, Hutchins walked into a bar in Santa Monica wearing black Etnies skate shoes, a gray T-shirt, and Apple headphones he kept in his ears until he met me at a table in the back. After his arrest last summer, he’d had a long weekend in jail, followed by a court date in Milwaukee, where he pleaded not guilty to the charges. A hacker he’d never met paid his $30,000 bail, though he wasn’t allowed to return to the U.K. (During intake at a halfway house, Hutchins, whose mother is Scottish and father is Jamaican, said an employee insisted on listing him as African-American, despite Hutchins’s noting that he was neither. “America is the only place that could try so hard to be politically correct that they just end up being plain racist,” he said.)

With nowhere else to go while awaiting trial, he had moved to L.A., where the cybersecurity company he works for is based but where he knew almost no one. At one point in October, he couldn’t recall having had a conversation with another human being for two weeks. “Not Going Home November is over and I’m halfway into Don’t Go Home December,” Hutchins wrote on Twitter, where he has documented his life with surprising candor for someone facing a federal conspiracy charge. “Pretty pumped for Just Stay In America January.”

Hutchins had been living under decreasing levels of surveillance — house arrest, a curfew, a GPS monitor on his ankle — but much of his old life had fallen apart around him. A girl he’d been seeing off and on stopped talking to him, and when a friend suggested Tinder, Hutchins pointed out that “I’m under federal indictment, don’t have a car, and can’t go out between 9 p.m. and 6 a.m.” didn’t seem like a very good pickup line. He spent his days playing video games, learning to cook — this was his first time living away from home — and day-trading cryptocurrency: One night, Hutchins got drunk and shorted bitcoin, and a subsequent crash paid the rent on his L.A. one-bedroom for three months. His defense team was working pro bono, but he’d just been forced to sell most of his holdings to help cover the legal fees that came with retaining two immigration lawyers and another attorney “to explain to me where the fuck I’m supposed to pay tax.” He wasn’t allowed to work and was having trouble sleeping. “The FBI took everything from me,” Hutchins told me. “My job, my girlfriend, my bitcoin.”

Hutchins is a self-described introvert and pessimist. (“I don’t really like people,” he deadpanned.) But he also has the youthful confidence that comes with knowing he possesses one of the world’s most in-demand skills: By his own estimate, there are only five people in the world — “I know of three, but five is a round number” — with his particular expertise. When I asked about his post-WannaCry life as a “mini-celebrity,” he objected to the modifier. He was annoyed at those who defended him by saying he wasn’t skilled enough to have made Kronos in the first place. “I don’t know what hurts more,” Hutchins said. “That people think I’m a shitty person or that people think I’m that bad at programming.”

Hutchins started learning to code when he was 12. By high school, his skills were advanced enough that administrators blamed him for an attack that took down the school’s servers. (Hutchins maintains his innocence.) He went on to a local technical school for two years, where he found the computer-science offerings primitive. In 2013, he started a blog. Malwaretech.com featured wonky posts in which Hutchins detailed his amateur explorations into “reverse engineering,” a critical cybersecurity job in which researchers dissect malware to figure out how it works. In a post titled “Coding Malware for Fun and Not for Profit (Because That Would Be Illegal),” Hutchins declared that he was “so bored” with the malware being produced that he had made some himself, assuring readers that, “before you get on the phone to your friendly neighborhood FBI agent,” he had designed the malware so it couldn’t be deployed.

A year later, Hutchins started looking for a job in cybersecurity. He says he applied to GCHQ, the British equivalent of the NSA — his résumé included links to his blog and a childhood swimming certification — but the background check took ten months. By then, he’d become interested in tracking botnets, the giant networks of poorly secured computers, baby monitors, and other devices that cybercriminals use to deploy malware. “I was never trying to make a career out of it,” Hutchins said. “I was just kind of bored.” But in 2015, Salim Neino, who runs Kryptos Logic, a computer-security firm in L.A., saw Hutchins’s blog posts about a major botnet called Kelihos and offered him a job without even meeting him. “He was extremely talented,” Neino said. “You can teach certain things, but in computer security, raw talent is almost irreplaceable.”

by Reeves Wiedeman, Select/All
Image: Jeff Minton