Hacking for Fun and the Hunt for Osama

Note: The following is the third installment of emails we sent prospects when they joined the ReFirm Labs mailing list. We attempted to embrace the marketing concept around one's origin story. The following is a true story.


The U.S. National Security Agency? What the hell?

Apparently, the woman I met in Baltimore at the SANS conference, standing in the Starbucks line and claiming to work for the "DoD," was actually an employee of the U.S. National Security Agency. And she really did pass along my resume ... throughout the frickin' NSA!

After a lengthy phone interview, I was offered an all-expense-paid opportunity to visit the NSA for in-person interviews. Without hesitation, I accepted the offer.

The flight for my NSA interview was booked. With tickets in hand, I made my way to the airport. Unfortunately, I would never attend those interviews on that fateful date.

It was September 11, 2001.

My NSA interviews were rescheduled for the middle of October 2001. With the U.S. ready to launch the Global War on Terror, I was sure that my round of interviews would be canceled. When I finally arrived there in mid-October, an all-hands-on-deck mentality lingered in the air of the NSA lobby where I waited. And conducting interviews, in my opinion, would likely be the least of their concerns.

Boy... was I wrong.

After a day of whirlwind interviews throughout the NSA, I was eventually provided a thick stack of official-looking documents known as the SF86. I was told to fill out these forms and return them as quickly as possible so they could begin to process my Top Secret security clearance.

It appeared I was hired! But it was contingent upon my obtaining a security clearance.

Oh, Christ... my arrest record! That won't go over very well.

I hesitated over whether I should tell the recruiter about my arrest record. It was expunged, right? No longer in my file? That's what I was told back in 1985. But this is the NSA! I'm sure they will eventually find it. I couldn't hide it.

So, I fessed up to the recruiter about my arrest. I told him the long-winded story about my indiscretions as a 17-year-old teenager.

He calmly assured me it should not be an issue as long as I wasn't actively hacking outside my lab environment or as part of my job. "Besides," he said, "this agency needs more people like you."

After a nine-month background investigation, I was granted my Top Secret security clearance. I started on Monday, September 23, 2002.

The Global War on Terror was in full swing. And I was assigned to a team that provided quick-reaction capabilities, or QRCs, to specialized units within the U.S. Special Forces Command. These guys would deploy at a moment's notice to track down and then capture or kill high-value terrorist targets, or simply HVTs.

Intelligence reports revealed the types of devices used by these HVTs. My team found vulnerabilities in these devices that could be exploited so that the U.S. Special Forces units could track and locate the HVTs.

Never in a million years would I have guessed that one day, I would be using my hacking skills to help hunt down members of al-Qaeda and Osama bin Laden.

Word of our exploit capabilities and the resulting military successes began to spread among other military groups and within the intelligence community. We held numerous demos and briefing sessions for those interested in understanding our approach and methodology.

Many interested parties wanted access to our unique capabilities so as not to reinvent the wheel. After all, we're all fighting the Global War on Terror.

Or so I thought.

The NSA refused to let other military units and intelligence agencies share the capabilities our team had developed. There was fear among the leadership that other groups might "burn" our capabilities.

"Burning" a capability is government-speak for some person, or some group, that uses that capability in such a way that the capability becomes exposed. For example, suppose law enforcement were to use our capability to apprehend someone. In that case, there is a good chance that our capability would have to be revealed in a court of law, thus "burning" our capability. Or suppose another intelligence agency recklessly uses our capability for their specific mission need, and the enemy discovers that capability. In that case, that capability is now "burned."

Frustrated by this lack of sharing amongst our peers fighting the same war, I sensed a business opportunity taking shape. The opportunity: to offer skills like ours to other groups that desperately needed them for their specific missions.

After another frustrating you-can't-use-our-capability meeting, I couldn't take it anymore. I took a walk across the NSA campus to meet the unit commander whose team we supported on many HVT missions. I asked him, point blank, "If I start my own company making specialized hacking capabilities for your team, is there any chance your unit would buy them?"

He said he couldn't make any specific promises or commitments. But as long as he was in command of the unit, he would be more than willing to examine any capabilities I produced.

As I stood up, I thanked him for his time. We shook hands. And with my first potential customer in my pocket, I walked back to my office across the NSA campus, met with my branch chief, and turned in my letter of resignation.

Wednesday, February 28, 2007, was my last day as a civilian employee with the U.S. National Security Agency. It was, without a doubt, the best job in the world.

The following day, Thursday, March 1, 2007, I took my first step to becoming a supplier of offensive cyber capabilities to the U.S. military and training programs that would teach people how to weaponize vulnerabilities found in IoT and embedded devices.

Little did I know that my company would become a global supplier of offensive capabilities in the emerging cyber arms race.


Terry Dunlap co-founded Tactical Network Solutions, ReFirm Labs, and Gray Hat Academy. Before that, he worked at the US National Security Agency developing hacking tools and exploit capabilities, which would have landed him in jail in any other capacity.

Jose Fernandez

President at Comp Sec Direct, Puerto Rican hacker Dude

1 year

I'm going to cite this Terry: "this agency needs more people like you." with source SAC Zed, MiB for another publication. What an adventure!
