Chief Architect of X-Force, IBM
I started out as a hacker, part of a team of penetration testers that broke into client systems to expose their problems so they could fix them. Nowadays, I manage IBM’s infrastructure for hackers, incident responders and threat intelligence, and I prototype new techniques and get them out to the field. And I speak at security conferences to meet and mentor the next generation of hackers.
X-Force Red is a team of hackers. We hack everything in order to secure everything, from airplanes, cars, robots, vending machines and medical devices to Windows, Linux, mobile phones, you name it. We have specialists in virtually everything. Our mission, plain and simple, is to secure the world.
We prefer not to use the “ethical hacking” term—it would be like calling a professional an ethical doctor or an ethical lawyer. We think of hackers as in the old MIT style: talented people who pulled pranks and made computers do things they weren’t intended to do. This is in contrast to people in the outside world who break into computers without authorization. We call them criminals. We consider ourselves the true hackers.
Back in the day I worked for a bank, and when presenting at conferences, for competitive reasons, I couldn’t go by my name. So I used my old hacker handle, Mog. When I later got into password cracking, which is kind of evil, I became EvilMog. But since I’m also friendly and good, the “evil” is mostly used jokingly.
People choose passwords that are unique to them, which gives you insight into their minds. When we crack internal Windows Active Directory passwords, we can hit 60% to 70% of them, and we see really insightful things but some dark things as well. On the darker side, passwords can include things like Ih3Tmy***job and Burnth1sd0wn. On the lighter side we often see Il0veTh1sPl@ce.
Because people are terrible at choosing passwords, they often choose local sports teams, restaurants, types of food, pet names, the year and seasons, company names ― all combinations of things around them. This means passwords have a fingerprint and you can determine much about people based on password breach data. It’s just fascinating.
I don’t let it define me. But when I was in school, they put me in special classes because I couldn’t handwrite. Then I discovered a typewriter, later a computer, and that’s how I got into technology. These days in security, it’s absolutely an asset in my career. For instance, I get really deep into interests, and it’s great when those interests align with security. I’ll go down a rabbit hole that’s so deep to become an expert in something just because I want to understand how it works. And I can see patterns in the passwords people type, which is useful for generating password rules, word lists and similar techniques. I can also see the patterns used by creative attackers. So it provides an alternative insight.
But, you know, it does come with challenges. A big one is typical ADHD stuff like procrastinating and difficulty writing reports. Report writing was the hardest part of getting into this career. But as we say in the hacking world, the hacking is free, the report costs money.
Everything we do involves creativity. As an example, if we want to do a hack, we can use a whole series of attack primitives or techniques. They each do one tiny thing, but as we look at the environment, we think, we can try this, and this and this, let’s see where it gets us. We might fail, we might succeed. Then we get an entirely new picture, and we adjust it again. It’s an ever-evolving puzzle.
I do many projects outside of security to keep my creativity up. I’m a licensed special-effects pyrotechnician at Freezer Burn, the regional Burning Man festival in Alberta, Canada. Artists build structures and then I apply fire and destructive techniques creatively to burn them down. We’ve built flamethrowers, fuel sprayers, napalm effects, waterfall techniques, it’s constantly evolving. I got into it when somebody burned their eyebrows off—I got certified to help keep everyone safe. Then I discovered the joy of setting massive structures on fire in creative ways.
And I’ve dabbled in a lot of things, from electronic music production to making ASCII art composed of text and pictures. I used to scuba dive, paraglide, fly sailplanes and drive motorcycles. Through extreme sports I’ve developed really good risk management skills.
Yes, everything you do in security is based on risk. In extreme sports there’s the risk of something bad happening, but you also can’t be too risk-averse, or you’ll never move forward. And so you have to start operating within safety frameworks. The same thing applies in security.
Stay curious, always learn something new. And the thing I’ve learned the most is—and this applies to any technology—the day you think you understand everything is the day you know nothing. New techniques and processes always come out. Someone’s always smarter than you. If you keep your mind closed to the possibilities, you’ll never advance. If you keep your mind open, and always ask “What if? How can we do this? What other ways can this be done?” you’ll be surprised by what can happen.