Transcription performed by Leah Hervoly www.leahtranscribes.com
[START OF RECORDING]
JACK: [MUSIC] A quick warning right here at the beginning; this episode does contain some swear words and some bad language. If that’s an issue for you, well, maybe skip this one. Hey, it’s Jack, host of the show. One of the reasons I like making this show is to smash the stereotype of what a hacker looks like and today’s guest definitely does that. I don’t know, I’m trying to understand – get a picture of your vibe, here. You almost look like Eminem a little. Not quite, but you know.
TOMMY: Yeah, I get told that a lot.
JACK: What would you characterize yourself?
TOMMY: Well, I actually used to take a lot of pride in the fact that I don’t look like the average hacker. I guess what most people would say I was, was do you remember the term whigger? W-H-I-G-G-E-R? White guys that dressed like black guys, listened to rap music, and stuff like that? My first time in prison and up until that point, I guess that’s technically what most people would see me as. Like, I wore baggy clothes, sagging pants, backwards hat, and everything like that. I got tattooed Pain is Love from a Ja Rule song on the back of my head. I got the Laugh Now and Cry Later faces.
JACK: These are tattoos he got while in prison.
TOMMY: On my right bicep, I put a little tribal-looking face that was smiling, and it said Laugh Now. Then on my left side, I had a face that was crying and it said Cry Later.
JACK: Federal prison.
TOMMY: In federal prison we all have prison numbers and the last three digits of your number show where you were arrested. My number was 38141-083. 083 is the Eastern District of Virginia.
JACK: This is dawgyg and his story perplexes me because of stuff he says, like…
TOMMY: October 18th of 2018, I was paid $160,000 in that one day.
JACK: So, what did he do to make $160,000 in one day? Well, he’s a hacker.
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: So, dawgyg’s real name is Tommy DeVoss and like many hackers, his story starts out when he was a young boy in a chatroom.
TOMMY: I actually joined the wrong chatroom by mistake; it was just like, somebody else’s private room. It was run by a guy that used the alias Dznutz, D-Z-N-U-T-Z, but I just did the /join#dz by mistake.
JACK: This brought him to a chatroom full of hackers.
TOMMY: I kind of just hung out in there. I would just keep joining that same room every day after school for a couple of weeks. I started asking them questions. They were like, who the hell is this kid? Blah, blah, blah. I got banned like, several times.
JACK: There’s something magical about being in a chatroom as a teenager. They’re fun and addicting and even though he was banned, he figured out ways to get back in.
TOMMY: I would just disconnect, reconnect, and then go back in again. After going in there and spending, I don’t know, several months of just keep going back in there repeatedly and asking – just pretty much begging the guy to teach me [00:05:00] stuff.
JACK: Because Tommy saw this chatroom was full of hackers, people breaking into computers and networks that they weren’t supposed to, and Tommy thought this was cool. He wanted to get in on the action too, and he wanted to learn what these hackers were doing. Even though they kept banning him, he just kept finding a way back into the channel and was asking them to teach him how to hack. Eventually they gave in and threw him a bone.
TOMMY: [MUSIC] The first thing that he told me was go to Yahoo AltaVista. He was like, read everything that you can find about hacking. I want to say this would have been happening in about ‘94ish.
JACK: Actually, in 1994, Tommy would have only been twelve years old, a pre-teen still. Well, after bouncing in and out of all these chatrooms, he finally landed on a name. Dawgyg is what he would be known as online, and that’s dawgy spelled D-A-W-G-Y. So, he starts learning some basic hacking techniques by reading up on it. At that time, Phrack was a free online hacking magazine so he probably dove into that and started reading it from like, the first issue and slowly going through it, reading every issue. He learned a few things here and there but hey, he’s just twelve so he was just starting out and wasn’t very good. But he eventually joined an IRC hacker crew called TDK.
TOMMY: TDK stood for Those Damn Kids. The main focus of TDK was IRC EFnet wars. We would build botnets to go and check every single op in our target room and find a server that didn’t have anybody from that server on it that was an operator. Then we would DDoS that server to split it off in the network and then they’d just basically take over the channel.
JACK: Damn you, you’re the one who did that? That pissed me off so much back in the day.
TOMMY: So, there was – do you remember?
JACK: Yeah, I remember that. I remember that because I was also hanging out in IRC channels in 1994 on EFnet, the exact place where dawgyg was trying to do server splits and take over the channels. I remember channels getting taken over by young kids but at the time, I thought it was kind of funny and didn’t really take these chatrooms too seriously. When Tommy started calling himself dawgyg, trying to take over these chatrooms, I think this is where he starts trying on his black hat. That is, he’s trying to conduct hacks that are causing destruction and grief. Maybe taking over a chatroom isn’t illegal but this would be the beginning of his lifelong hacking career. What led you up to getting suspended at high school?
TOMMY: I used to get bored a lot while I was taking a computer class for – it was QBasic in school. A lot of times I’d get bored and wouldn’t have anything to do ‘cause I would write my program for the class really fast. I would actually DDoS my school’s IP address to take our internet down because then we couldn’t do class and we’d get to go outside and play.
JACK: Yeah, he crashed the school’s internet because he would rather go outside and play.
TOMMY: I actually got in trouble for doing that. They suspended me the first time three days for that.
JACK: That was his first suspension from high school but it wasn’t his only one. Soon after that, he got suspended again.
TOMMY: I got expelled from school because I broke into a military base in Korea and used their computer systems. I hijacked the AOL account that the general of the base was using and I sent an e-mail from his e-mail address, from his AOL account to the superintendent of Hanover County, that one of the high schools in his county was gonna blow up at 10:30 in the morning.
JACK: A convoluted scheme but it was done for the same reasons as the first one; he just didn’t want to be in school. He wanted to…
TOMMY: Be able to skip school, go to the river, smoke weed, and just have fun for the day.
JACK: It worked, sort of. School was cancelled but he didn’t get away with it.
TOMMY: I went to school the next day. There was a guy in a suit on each side of the door and they were like, you need to come with us. [MUSIC] I got expelled.
JACK: So, how did he get caught? Did that military base in Korea do some forensic investigation and trace this back to a teenager in West Virginia? No. Did the police track his online connections? No again. What happened is that he told someone that he’s the one who got school cancelled that day and that person went and told someone at the school that Tommy is who sent in this bomb threat.
TOMMY: Because I had used [00:10:00] the internet to do it, the FBI ended up raiding my house about two weeks after it happened to take my computers. That was the first time that I was charged with computer crimes. I was actually charged with violating The Computer Fraud and Abuse Act.
JACK: Being a minor, a sophomore, one of those damn kids in the eyes of the law, this could get bad pretty quick. The feds took his computers but let him go free as they investigated the case. Well, this gave him more time, more time to hack more stuff. He got a new computer and slipped on his black hat again. But forget about TDK at this point; he was onto more ambitious adventures.
TOMMY: [MUSIC] I started talking to a bunch of other hacking groups and I got in contact with a guy named RaFa who was a member of World of Hell and he was telling me about they had rules for their group where you’re only allowed to hack UNIX systems. You weren’t allowed to target Windows because Windows was too easy. They like to only attack government, military, and Fortune 500 companies.
JACK: This was great. Dawgyg liked everything about this; the rules, the people, the stuff he was learning, so he started hacking with World of Hell.
TOMMY: Then in June of 2001, I defaced my first website as part of World of Hell. It was actually the Virginia – I broke into The Virginia Department of Informational Technology and defaced www.state.ba.us which was our main state website. Just from that point on, I just was defacing stuff with World of Hell nonstop for about six to nine months.
JACK: Oh, in case you were wondering, deface is just a term used to change what’s written on a website. You can swap the photo that’s on the front page to something else, or just change what’s said there to whatever you want. In this case he probably had to prove himself that he was the guy who hacked this site so he probably wrote something on there like Hacked by dawgyg or Hacked by World of Hell, or something like that. What were some of the sites that you were hitting or World of Hell was hitting?
TOMMY: Yahoo.com.ph, nokia.com, sony.com, Dotson, Dunhill, Epson, Fuji Film…
JACK: If hacking is a drug…
TOMMY: …Mercedes Benz…
JACK: …dawgyg was getting addicted.
TOMMY: …World Online, the car company, AOL.
JACK: He was loving this hacking and the World of Hell hacker group.
TOMMY: …HP, Reebok…
JACK: But the problem with addictions is that you can overdose.
TOMMY: …United Airlines, Casio, Motorola…
JACK: And you can fall into a world of pain.
TOMMY: …Hyundai, Sony Music, Toshiba, Opal, Volvo, EA Sports…
JACK: After the break, the party ends for dawgyg.
TOMMY: …Rolex, Pfizer, a bunch of Chinese government systems, the US Department of Energy, the US court systems, Venezuelan military…creative.com, Audi, Kenwood, Acer…
JACK: High schooler dawgyg was still hunched over his monitor wearing a black hat and defacing website after website.
TOMMY: …Xerox, Packard Bell, Compact, 3Com…
JACK: Doing all he could before he turned eighteen which was an adult in the eyes of the law.
TOMMY: I turned eighteen in November of 2001. I actually stopped hacking for a few weeks but then I got bored again so I started [00:15:00] doing it again. I hacked consistently until June 12th of 2002.
ANNC: [MUSIC] In the year 2002…
TOMMY: [TRAILER IN BACKGROUND] Oh, and June 11th, that night, Men in Black 2 had just come out in theatres so that night, before I went to bed, I downloaded Men in Black 2. The plan was I was gonna go to work the next day and then I was gonna come home from work early, smoke weed with my sister…
ANNC: Don’t bother calling the CIA. Forget the FBI.
TOMMY: We were gonna watch that movie.
JACK: He got out of work for the same reasons he wanted to get out of school; so he could go play. In this case, to play an illegally-downloaded movie. He goes home to his apartment with his sister and they watch Men in Black 2, but the real men in black were knocking on his door.
TOMMY: [MUSIC] I went to push the door open but it was yanked open in front of me and an M16 was in my face. There was somewhere between twenty and thirty agents inside of my apartment. My sister was sitting on my couch crying, my dad was standing in the living room next to her and just like, when he saw me walk through the door, he just looked at me and shook his head. They took everything in the house that was related to computers; all floppy disc, any CD that was in there, every computer, every computer component, every piece of paper that had notes handwritten on them.
JACK: Now, what was going – I mean, what was your emotional level at that point? Were you freaking out about this or how were you feeling?
TOMMY: I was scared shitless at the time because I was an adult at that point and I was on probation still for the hacking and bomb threat two years before.
JACK: Once again, they took all his electronics and computers and he had two weeks before his court date.
TOMMY: This is it; I’ve got two weeks of freedom. They’re going to lock me up in two weeks so I was like screw it, I’m just gonna have fun and do whatever. [MUSIC] I spent two weeks racing. I used to street race a lot so I spent two weeks street racing, going to the beach a lot, hanging out with as many of my friends as I could, trying to sleep with as many different girls as I could.
JACK: Now nineteen years old, black hat hacker Tommy DeVoss, dawgyg, stands in front of a judge two weeks later. Hats were not allowed in court.
TOMMY: I ended up pleading guilty in October of 2003 to one count of violating the CFAA for breaking into a computer system that controls interstate commerce. I had broken into a website called Bank Colo, B-A-N-K-C-O-L-O.com, and defaced the website. Turns out, it was for the Colorado Bank and Trust Company.
JACK: Hm, yeah, messing with a banking website was probably a bad move. I mean, they’re federally regulated and insured which means that crimes involving a bank are probably going to be investigated by federal law enforcement.
TOMMY: The judge asked me to stand up. He looked at me and he said Mr. DeVoss, I do not believe that you’re sorry for anything that you’ve done. I think the only reason that you are showing any remorse whatsoever is because of the fact that you got caught. He ended up sentencing me to twenty-seven months in federal prison, [MUSIC] banning me from computers for ten years, and giving me five years of probation. I want to say it was $100,000 of restitution that had to be paid. Then after he pronounced my sentence, he said I now place you in the custody of the US Marshals to serve your sentence and my knees pretty much gave out on me. I walked in there expecting to walk back out that day for at least thirty days and now all of a sudden, I’m getting locked up for almost two and a half years.
JACK: The fun was over; dawgyg’s hacking spree was done. Back to being Tommy with no hat to wear in prison. What were some of the tattoos you got?
TOMMY: My first tattoos in prison; I got a tribal on each one of my [00:20:00] biceps, one on each side. It was just a small little tribal and one had a T for my initial and the other one had a C for the girl I was dating at the time. I got three dots on my right wrist which is a Hispanic gang tattoo puntos locos, ‘crazy life.’ I had the words ‘crazy life’ put on – I don’t know what it’s called. It’s not my forearms but it’s the back of my arms between my elbow and my wrist. ‘Crazy’ was put on one side, ‘life’ was put on the other side. I went in with five or six tattoos and came out with like, twenty-five or thirty total.
JACK: Tommy served his two years in prison and got out. At this point it’s 2006, he’s twenty-two, but still has to serve probation. So, your real probation had ten years no computers?
TOMMY: No computers, cell phones, game systems, fax machines, anything that could communicate with other people aside from an actual phone. I could make phone calls. I wasn’t allowed to touch a cell phone or anything like that. Even when I would go and get a job, a lot of jobs would have you clock in on a computer. I wasn’t allowed to do that. I had to have another co-worker clock me in and out. For the first thirty days or so, when I got out of prison the first time, I didn’t do any drugs and I didn’t get on a computer or anything.
JACK: For the first thirty days? This doesn’t sound good. But let’s not forget Tommy was once addicted to hacking. It was all he could think about, not to mention being high, so even though he went two years without doing any of this, how long could he hold out now that he’s sort of free again? Turns out, thirty days.
TOMMY: [MUSIC] I actually started defacing websites again because of how my bedroom was set up in the house. I used to sit at my computer and I was sitting next to a window that I could see out but you couldn’t see into it. I just would always sit there and if I saw a car pull in my driveway that I didn’t recognize, I would jump up and take my desktop computer completely apart, hide different parts of it in various places of the house so it couldn’t be found, and then go and answer the door.
JACK: His probation officer would visit sometimes, come by and check on Tommy; talk to him, look around his room, and make sure he wasn’t using a computer because that wasn’t allowed on his probation. One day, when his probation officer did come by, Tommy quickly shut down the machine, took it all apart, and hid it all over his room. But he forgot to hide one thing and when the PO came into his room, he saw a keyboard on Tommy’s bed. Busted. This was a violation of his probation and he had to go back to prison to do more time. Eventually he came back home again. Again, his probation was that he could not use computers but Tommy just couldn’t keep his fingers off them. He didn’t want to hack anymore but he was just addicted to computers and would use it for other things, but the FBI was interested to see if he was gonna go back to being a hacker.
TOMMY: The FBI actually watched me for six months. They rented the house across the street from mine, took pictures of every person that came to my house. The FBI actually collected our trash to go through it, looking for evidence that I was on a computer hacking again.
JACK: As Tommy tells the story, his parents wanted to sell the house and a couple of FBI agents came over posing as potential buyers of the house. That’s when they saw Tommy on his computer in his room. This was a direct violation of his probation again which was all the evidence they needed. The FBI went and got their arrest warrant and came back and knocked on the door.
TOMMY: When I opened it, they bust through the door and it was the FBI DCIS which is the Defense Criminal Investigative Service. It’s kind of like the Department of Defense’s version of the FBI, the Secret Service, and state police for Virginia. They locked me up for violating probation and failing a drug test. They gave me fourteen months in prison that time which was the maximum they were allowed to give me. They gave me what they call diesel therapy; they put me in solitary confinement for three weeks in Petersburg and they shipped me from there to USP Atlanta which is a maximum-security prison in Atlanta, Georgia. They put me in solitary confinement there for I want to say it was another three weeks. Then they sent me from there to a medium-high prison in Williamsburg, South Carolina where they put me in solitary again for a couple of weeks before putting me on the actual compound.
JACK: I think going back to prison again really did change Tommy. [00:25:00] He didn’t like it there; he didn’t want to ever come back so he spent a long time weighing which was worth more to him, the high you get from hacking or his freedom. Each time he went to court, he ended up in front of the same judge every time and that judge’s name was Judge Payne. Judge Payne said something to him which had a lasting impact.
TOMMY: The last time I was in court on October 28th of 2009, I had Judge Payne. For every time I went to federal court, I had the same judge. He told me that if he ever sees me in his courtroom again for a computer crime, he was gonna give me life in prison. Yeah, he made it so I don’t want to hack illegally anymore. I got a daughter that would be really mad at me if I went to prison for the rest of my life.
JACK: Tommy gets out of prison and does good on probation; no violations. In fact, he does all the time he’s supposed to do and on November 3rd, 2010 his probation is done and he’s a free man once again.
TOMMY: [MUSIC] It was really nice to know that I could get on computers again and not have to worry that I was gonna go to prison or get caught on them or anything. I didn’t have to hide them anymore. I was allowed to get cell phones. The biggest thing to me was the fact that I was allowed to go to school now. While I was on probation I wasn’t allowed to go to college because you can’t go through college without having to use a computer for something, especially when I wanted to go for computer stuff. I was allowed to try to find a computer job at that point. That was the biggest difference for me.
JACK: He could go to college, use computers, but of course, he was not allowed to do any illegal hacking, no matter how tempting it might be. Finding a legit job in the tech industry is really hard when you have a federal conviction on your record, especially for fraud.
TOMMY: I spent three years from 2010 to 2013 trying to find a computer job, period. I kept working as a cook and doing construction but I couldn’t find any company that would hire me doing computers because of my background and everything. They automatically think you were stealing money or identities.
JACK: Tommy would sometimes get that itch to be dawgyg the black hat and hack into something again. But he controlled his temptations no matter how strong they were. The truth was he was really good at hacking and when you’re really good at something, you like doing it. But then he heard about something new, something that would change his life and start a new chapter for him; bug bounties. [MUSIC] There are two main websites that do this; HackerOne and Bugcrowd. Companies will go to these websites and say something like hey, if anyone can find a security issue on our website, we’ll give them a reward. Tommy came across HackerOne and decided to check it out. He saw the website Yahoo had a bug bounty program and he was already really familiar with the way Yahoo worked. He’d been poking at it and hacking on it throughout his whole teenage life, so he was kind of flabbergasted now that Yahoo was willing to pay anyone who could find a security problem in their website. He starts hacking around on their site and found something.
TOMMY: I reported my first bug on HackerOne to Yahoo in March of 2016 and I found that a lot of Yahoo’s system admins and developers were using gist to share information and they were forgetting to make them private or delete them after the fact. I found a bunch of them that were leaking internal passwords, database credentials, network maps, and stuff like that. That was my first bug. Yahoo reported it to them and they gave me like, three hundred bucks for it.
JACK: As in, Yahoo was thanking Tommy for hacking their site and telling them about a security problem they had and were so happy, they gave him $300 for this.
TOMMY: I was like oh shit, okay, so maybe this is real. I made very little money the first couple of months ‘cause it was all really low-level things that I was finding. Then in May of 2016, ImageMagick remote code execution vulnerability was public at that time.
JACK: The ImageMagick bug was a vulnerability where websites let you upload an image but you could send a malicious image to it and then you can get access to the website just by uploading a malicious image.
TOMMY: I actually got remote code execution on two of Yahoo’s servers using that and got – the first one was $1,000 bounty and then the following week I found the same [00:30:00] RCE on a different server, reported that, and they gave me the full $4,000.
JACK: With that, dawgyg was back. This time, completely legal. This time wearing a white hat because all this was legit and paid out by Yahoo, the company he hacked. But because they have a bug bounty program, it explicitly allows this kind of hack if you’re participating in the program. They’ll pay you for it, so he was basically given the green light to hack once again. Dawgyg was in somewhat disbelief. Is this even real? But it was, so he sat up straight, cracked his knuckles, and began going to town looking for more bugs that would pay out.
TOMMY: In my first year doing bug bounties, in 2016, I think I only made let’s say somewhere between $30,000 and $50,000, somewhere. Almost all of it was on HackerOne and then in 2017 I ended up making – I think I set the goal to make $100,000 in 2017 from bug bounties, and made somewhere between $115,000/$200,000 for 2017.
JACK: The white hat hacker move was working for him but what looked even better, what he really wanted, was a green hat. Green as in money.
TOMMY: 2018, I think I made, combined across all three platforms, somewhere between $600,000 and $700,000.
JACK: For dawgyg money looked best when it was turned into cars. Men in Black 2 got him in real trouble but Fast and Furious truly inspired him.
TOMMY: The Fast and the Furious movies started coming out, what was it, ’99 or so? I fell in love with the Skyline GT-Rs.
JACK: Tell me about what happened to you in January, 2018.
TOMMY: In January, 2018 I got $175 bounty on a Friday afternoon, [MUSIC] on a HackerOne program. I was kind of mad about the bounty ‘cause it should have been quite a bit more but the program paid really bad, and I put the $175 on a – I bet on basketball, international basketball, a lot – put that $175 on there at about 7:00 on that Friday night and by Monday afternoon, 4:00 or 5:00 in the afternoon, I had turned $175 into $133,000. I withdrew $50,000 of it and I went and bought my first Skyline. It was a 1992 R32 GTS-T. That was technically my dream car. It wasn’t the GT-R model but it was still a Skyline. I was like, extremely happy.
JACK: In 2018, dawgyg kept finding and submitting bugs on HackerOne. $200 here, $1,000 here, $5,000 there. He was racking up one bounty after another, slowly but surely fattening his stack, earning his green hat, and then he scored the biggest bounty yet.
TOMMY: Okay, so October of 2018 I set the record for the highest amount of bounties paid in a single day to a single researcher. I was playing with the Nexus RF and I found a bypass for their blacklist that they had used and I ended up being able to bypass the blacklist in a total of fifteen or sixteen different end points for SSRF.
JACK: I know some of you don’t understand what he’s saying. That’s okay; all you need to know is that he found a vulnerability sixteen times on a single company’s website.
TOMMY: Ended up getting new bugs for all sixteen of them and each one of them was $10,000. [MUSIC] It was like, October 18th or something like that of 2018. I was paid $160,000 worth of bounties in that one day.
JACK: What is that feeling like, to get $160,000 in a day’s work?
TOMMY: Unreal. It was just, like – it still seems too good to be true. That’s my single-day highest payout but I’ve had at least five or six single-days where I’ve made six figures in one day.
DOM: Ask any racer, any real racer. It don’t matter if you win by an inch or a mile. [CROWD CHEERS] Winning’s winning.
TOMMY: It’s unreal to know that ten years ago right now I was sitting in federal prison, to [00:35:00] now I’m one of six people on HackerOne that have made a million dollars just on the HackerOne platform. I’m pretty sure I’ve made over $800,000 in 2019 just from HackerOne.
JACK: I’ve confirmed all this, by the way; I’ve read through his court cases, I’ve listened to his mother talk, and HackerOne themselves has announced that Tommy was the sixth hacker on their site to make one million dollars. In 2019, he made $910,000 total, just missing his goal of one million dollars in bug bounties in one year. What did your parents think when you started using HackerOne to hack again?
TOMMY: At first, they were super leery of it. My mom finally accepted it after the first year or so when she saw that I was able to make money and I was making decent money and not getting in trouble. My dad still doesn’t accept it. He actually won’t talk to me because he thinks that I’m wasting my life and wants me to get a normal nine-to-five job and everything. The last time I actually spoke to him was in February of this year and he was disowning me and telling me that I needed to stop wasting my life and get a real job before I lose my life, or something along those lines.
JACK: That’s because he thinks this isn’t legit work?
TOMMY: Yeah. I’m hoping that he’s seeing it now in the last – in 2019, I’ve bought cars for my two nieces that are seventeen years old; I bought both of them their first car. I bought my baby sister who is about to turn eighteen, I bought her her first car. I’ve got a set of twin sisters a year younger than me. One of them lives in Florida; I bought her a truck earlier this year. I bought her twin sister a car and a truck a few months ago. I bought my mom a Mustang back in October of this year and I bought myself, this year, I’ve bought myself an Infiniti G37. I’m planning to buy my dad a brand-new truck. I’m planning on buying him a truck within the next month or two and then just buying it, taking it to his house, putting it in his driveway with the keys in the title, and just leaving it there and letting him come home from work to find a brand-new truck sitting in his driveway for him.
JACK: Oh, there’s an update here; I recorded this interview months ago but I checked with Tommy just before airing this and he’s slowly getting on talking terms with his dad again. When he pitched this idea to him, his dad had another plan. Remember the car Tommy bought his eighteen-year-old little sister? Well, she didn’t drive it right and she blew the engine so his dad said instead of buying me a new truck, why don’t you buy another new car for your little sister? So, that’s what Tommy’s planning on doing. Also, at this point, dawgyg has earned so much money that he’s been able to buy two of his dream cars and both of them are the classic Nissan Skylines from Too Fast, Too Furious. What are the license plates on your cars?
TOMMY: On my R32 GTS-T I’ve got an antique tag on it that says H4CK3R, H-4-C-K-3-R. On my ‘92 R32 GT-R, it says BNTYPLZ and then I have on my Infiniti G37, I have the license plate TY-H1. Earlier this year I actually, a couple months ago, I actually was sent to DC by HackerOne and I spoke at a little cyber-security leaders meetup between the government and military agencies. So, going from a black hat being sent to prison for hacking the government to actually being invited to speak to government leaders about my experience hacking them.
JACK: This is the weird new future we’re living in. Ten years ago, when dawgyg was hacking, bug bounties didn’t exist and the government was chasing him. Now, dawgyg is doing the same kind of hacking but now companies are paying him to do it and the government is asking him to come teach them, sort of like if you can’t beat ‘em, join ‘em.
TOMMY: Yeah, exactly. The good thing, one of the things that I love about the DOD’s program so much is that it’s their scope. Tons of companies start up a bug bounty program and they have an extremely limited scope. It’s like, we only want information about these and everything. As a former black hat, I know that I don’t give two shits about a scope if I’m a black hat.
JACK: Yeah, Tommy’s now helping the feds secure their networks. It’s weird how it all turned out, isn’t it? [00:40:00] Even though the bug bounties are bringing him a great income, he’s actually been looking for a day job lately.
TOMMY: I don’t have anybody to talk to that – when I make a really cool hack or anything like that, aside from the people online. I see hacking as kind of an addiction. I’m just as much addicted to hacking as I ever was addicted to any drug or anything like that. I’ll never stop hacking. Actually, the only reason I’m looking for a full-time job is because I miss working with a team and just want to have a little bit of structure to my day so that I’m not just like, I sit around bored out of my mind a lot. There’s only so much Xbox you can play and online games and stuff you can play before even they get boring.
JACK: Tommy did, in fact, recently get a job with one of the biggest banks in the US doing research on the threats they see there. He applied, interviewed, they liked him, he passed, got the job, and he had a start date in January. But when they ran a background check on him, they got worried and so they decided not to bring him on board. This was a bummer since another reason he wants a day job is to prove to his dad that he’s doing good work.
TOMMY: I think he’ll be happier then. I’ll still be doing my bug bounties and stuff but I’ll have what he sees in his eye as a real job.
JACK: Okay, so if Tommy’s story is inspiring to you, you can get started earning money finding bugs, too. This is what Tommy suggests you do to get started.
TOMMY: Just doing hacker101.com which is kind of like hacker university where it’s capture-the-flags and stuff to show you some real-world examples of things that bug hunters have found to give you hands on experience. Doing pen tester labs; I always suggest when somebody asks me where to start is reading every blog post you can find from Bug Hunters about what they found and everything so it gives you an idea.
JACK: Last thing I asked Tommy, a former criminal, is if he has any advice for the next generation who might be thinking of trying on that black hat.
TOMMY: It’s not worth doing the stuff illegally. Thanks to Edward Snowden’s leaks back in 2013, we know that everything we do online is monitored by the US government and anybody that thinks that they can do things illegally and get away with it is mistaken. Anybody that has been doing things illegally and has gotten away with it, it’s only because they haven’t wanted to look at you yet but they can. You’re not gonna hide yourself completely. Everybody makes mistakes. The amount of money that you can make doing this legally far outweighs the money you’re gonna make illegally ‘cause if you’re good enough to do this as a black hat, you’re good enough to do this as a white hat and you can make life-changing money doing it.
JACK: Just being airing this episode, Tommy attended the H1-415 hacking event. This is a nine-hour hackathon put on by HackerOne in San Francisco. The goal is to see how many bug bounties can be claimed within nine hours. A bunch of people showed up. Tommy went and he was finding bug after bug and reporting them. Within the nine hours given for the event, he earned $101,000 which gave him the coveted MVH, Most Valuable Hacker. [APPLAUSE] I get a little jealous listening to this story because I was one of those people who did everything right; I’ve never been arrested for hacking, I never went to prison, I went to university and got a computer science degree, and then I spent ten years working as a security engineer. I made nothing close to a million dollars yet here’s Tommy breaking all the rules and getting scarred again and again, failing repeatedly, and still coming out not just okay but with all the toys. But I guess it just reminds me of that Fast and Furious quote.
EDWIN: You know, everyone happens to know a few things. One of the things everyone knows is it’s not how you stand by your car; it’s how you race your car. You better learn that. [REVVING]
JACK (OUTRO): [OUTRO MUSIC] A very big thank you to Tommy DeVoss, AKA dawgyg. Great story, but stay out of trouble, okay? Oh, have you listened to the five bonus episodes of Darknet Diaries yet? They’re out there but they’re only for Patreon supporters. If this show brings you value, please consider giving to the Darknet Diaries Patreon. You can also get an ad-free version of the show there, too. This show is made by me, the Tokyo drifter, Jack Rhysider. This episode was produced by the turbo-charged Jake Warga, editing help this episode by the [00:45:00] windblown Damienne, and our theme music is by the electric-powered Breakmaster Cylinder. Even though a Mirai botnet is launched somewhere in the world every time I say it, this is Darknet Diaries.
[OUTRO MUSIC ENDS] [END OF RECORDING]