WEBVTT

00:00:00.520 --> 00:00:04.130
JACK: [MUSIC] A quick warning right here at the beginning; this episode does contain some

00:00:04.130 --> 00:00:06.500
swear words and some bad language.

00:00:06.500 --> 00:00:10.160
If that’s an issue for you, well, maybe skip this one.

00:00:10.160 --> 00:00:14.640
Hey, it’s Jack, host of the show.

00:00:14.640 --> 00:00:20.180
One of the reasons I like making this show is to smash the stereotype of what a hacker

00:00:20.180 --> 00:00:24.360
looks like and today’s guest definitely does that.

00:00:24.360 --> 00:00:28.890
I don’t know, I’m trying to understand – get a picture of your vibe, here.

00:00:28.890 --> 00:00:31.730
You almost look like Eminem a little.

00:00:31.730 --> 00:00:32.730
Not quite, but you know.

00:00:32.730 --> 00:00:34.489
TOMMY: Yeah, I get told that a lot.

00:00:34.489 --> 00:00:36.399
JACK: What would you characterize yourself?

00:00:36.399 --> 00:00:42.320
TOMMY: Well, I actually used to take a lot of pride in the fact that I don’t look like

00:00:42.320 --> 00:00:43.470
the average hacker.

00:00:43.470 --> 00:00:49.520
I guess what most people would say I was, was do you remember the term whigger?

00:00:49.520 --> 00:00:50.930
W-H-I-G-G-E-R?

00:00:50.930 --> 00:00:56.120
White guys that dressed like black guys, listened to rap music, and stuff like that?

00:00:56.120 --> 00:01:00.600
My first time in prison and up until that point, I guess that’s technically what most

00:01:00.600 --> 00:01:02.039
people would see me as.

00:01:02.039 --> 00:01:07.500
Like, I wore baggy clothes, sagging pants, backwards hat, and everything like that.

00:01:07.500 --> 00:01:13.290
I got tattooed Pain is Love from a Ja Rule song on the back of my head.

00:01:13.290 --> 00:01:17.120
I got the Laugh Now and Cry Later faces.

00:01:17.120 --> 00:01:19.900
JACK: These are tattoos he got while in prison.

00:01:19.900 --> 00:01:29.200
TOMMY: On my right bicep, I put a little tribal-looking face that was smiling, and it said Laugh Now.

00:01:29.200 --> 00:01:33.640
Then on my left side, I had a face that was crying and it said Cry Later.

00:01:33.640 --> 00:01:35.009
JACK: Federal prison.

00:01:35.009 --> 00:01:40.150
TOMMY: In federal prison we all have prison numbers and the last three digits of your

00:01:40.150 --> 00:01:43.680
number show where you were arrested.

00:01:43.680 --> 00:01:46.299
My number was 38141-083.

00:01:46.299 --> 00:01:50.360
083 is the Eastern District of Virginia.

00:01:50.360 --> 00:01:56.530
JACK: This is dawgyg and his story perplexes me because of stuff he says, like…

00:01:56.530 --> 00:02:04.110
TOMMY: October 18th of 2018, I was paid $160,000 in that one day.

00:02:04.110 --> 00:02:09.739
JACK: So, what did he do to make $160,000 in one day?

00:02:09.739 --> 00:02:12.560
Well, he’s a hacker.

00:02:12.560 --> 00:02:21.349
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:02:21.349 --> 00:02:26.030
I’m Jack Rhysider.

00:02:26.030 --> 00:02:29.500
This is Darknet Diaries.

00:02:29.500 --> 00:02:36.610
[INTRO MUSIC ENDS]

00:02:36.610 --> 00:02:47.380
JACK: So, dawgyg’s real name is Tommy DeVoss and like many hackers, his story starts out

00:02:47.380 --> 00:02:49.430
when he was a young boy in a chatroom.

00:02:49.430 --> 00:02:54.500
TOMMY: I actually joined the wrong chatroom by mistake; it was just like, somebody else’s

00:02:54.500 --> 00:02:55.720
private room.

00:02:55.720 --> 00:03:04.250
It was run by a guy that used the alias Dznutz, D-Z-N-U-T-Z, but I just did the /join #dz by

00:03:04.250 --> 00:03:05.250
mistake.

00:03:05.250 --> 00:03:08.599
JACK: This brought him to a chatroom full of hackers.

00:03:08.599 --> 00:03:10.650
TOMMY: I kind of just hung out in there.

00:03:10.650 --> 00:03:17.159
I would just keep joining that same room every day after school for a couple of weeks.

00:03:17.159 --> 00:03:19.220
I started asking them questions.

00:03:19.220 --> 00:03:21.780
They were like, who the hell is this kid?

00:03:21.780 --> 00:03:22.780
Blah, blah, blah.

00:03:22.780 --> 00:03:24.310
I got banned like, several times.

00:03:24.310 --> 00:03:27.430
JACK: There’s something magical about being in a chatroom as a teenager.

00:03:27.430 --> 00:03:31.870
They’re fun and addicting and even though he was banned, he figured out ways to get

00:03:31.870 --> 00:03:32.870
back in.

00:03:32.870 --> 00:03:37.040
TOMMY: I would just disconnect, reconnect, and then go back in again.

00:03:37.040 --> 00:03:42.890
After going in there and spending, I don’t know, several months of just keep going back

00:03:42.890 --> 00:03:49.489
in there repeatedly and asking – just pretty much begging the guy to teach me

00:03:49.489 --> 00:03:50.489
stuff.

00:03:50.489 --> 00:03:53.650
JACK: Because Tommy saw this chatroom was full of hackers, people breaking into computers

00:03:53.650 --> 00:03:57.939
and networks that they weren’t supposed to, and Tommy thought this was cool.

00:03:57.939 --> 00:04:01.610
He wanted to get in on the action too, and he wanted to learn what these hackers were

00:04:01.610 --> 00:04:02.610
doing.

00:04:02.610 --> 00:04:07.129
Even though they kept banning him, he just kept finding a way back into the channel and

00:04:07.129 --> 00:04:09.970
was asking them to teach him how to hack.

00:04:09.970 --> 00:04:13.390
Eventually they gave in and threw him a bone.

00:04:13.390 --> 00:04:19.690
TOMMY: [MUSIC] The first thing that he told me was go to Yahoo, AltaVista.

00:04:19.690 --> 00:04:24.270
He was like, read everything that you can find about hacking.

00:04:24.270 --> 00:04:27.590
I want to say this would have been happening in about ‘94ish.

00:04:27.590 --> 00:04:34.240
JACK: Actually, in 1994, Tommy would have only been twelve years old, a pre-teen still.

00:04:34.240 --> 00:04:39.450
Well, after bouncing in and out of all these chatrooms, he finally landed on a name.

00:04:39.450 --> 00:04:45.470
Dawgyg is what he would be known as online, and that’s dawgy spelled D-A-W-G-Y.

00:04:45.470 --> 00:04:50.370
So, he starts learning some basic hacking techniques by reading up on it.

00:04:50.370 --> 00:04:55.090
At that time, Phrack was a free online hacking magazine so he probably dove into that and

00:04:55.090 --> 00:04:59.190
started reading it from like, the first issue and slowly going through it, reading every

00:04:59.190 --> 00:05:00.190
issue.

00:05:00.190 --> 00:05:04.340
He learned a few things here and there but hey, he’s just twelve so he was just starting

00:05:04.340 --> 00:05:06.090
out and wasn’t very good.

00:05:06.090 --> 00:05:10.270
But he eventually joined an IRC hacker crew called TDK.

00:05:10.270 --> 00:05:14.690
TOMMY: TDK stood for Those Damn Kids.

00:05:14.690 --> 00:05:19.280
The main focus of TDK was IRC EFnet wars.

00:05:19.280 --> 00:05:27.160
We would build botnets to go and check every single op in our target room and find a server

00:05:27.160 --> 00:05:32.120
that didn’t have anybody from that server on it that was an operator.

00:05:32.120 --> 00:05:36.250
Then we would DDoS that server to split it off in the network and then they’d just

00:05:36.250 --> 00:05:37.949
basically take over the channel.

00:05:37.949 --> 00:05:40.881
JACK: Damn you, you’re the one who did that?

00:05:40.881 --> 00:05:45.020
That pissed me off so much back in the day.

00:05:45.020 --> 00:05:46.020
TOMMY: So, there was – do you remember?

00:05:46.020 --> 00:05:47.020
JACK: Yeah, I remember that.

00:05:47.020 --> 00:05:51.960
I remember that because I was also hanging out in IRC channels in 1994 on EFnet, the

00:05:51.960 --> 00:05:57.060
exact place where dawgyg was trying to do server splits and take over the channels.

00:05:57.060 --> 00:06:01.500
I remember channels getting taken over by young kids but at the time, I thought it was

00:06:01.500 --> 00:06:05.620
kind of funny and didn’t really take these chatrooms too seriously.

00:06:05.620 --> 00:06:10.930
When Tommy started calling himself dawgyg, trying to take over these chatrooms, I think

00:06:10.930 --> 00:06:14.470
this is where he starts trying on his black hat.

00:06:14.470 --> 00:06:19.650
That is, he’s trying to conduct hacks that are causing destruction and grief.

00:06:19.650 --> 00:06:26.090
Maybe taking over a chatroom isn’t illegal but this would be the beginning of his lifelong

00:06:26.090 --> 00:06:27.460
hacking career.

00:06:27.460 --> 00:06:32.900
What led you up to getting suspended at high school?

00:06:32.900 --> 00:06:41.630
TOMMY: I used to get bored a lot while I was taking a computer class for – it was QBasic

00:06:41.630 --> 00:06:43.070
in school.

00:06:43.070 --> 00:06:46.240
A lot of times I’d get bored and wouldn’t have anything to do ‘cause I would write

00:06:46.240 --> 00:06:49.789
my program for the class really fast.

00:06:49.789 --> 00:06:55.860
I would actually DDoS my school’s IP address to take our internet down because then we

00:06:55.860 --> 00:06:58.810
couldn’t do class and we’d get to go outside and play.

00:06:58.810 --> 00:07:04.770
JACK: Yeah, he crashed the school’s internet because he would rather go outside and play.

00:07:04.770 --> 00:07:08.400
TOMMY: I actually got in trouble for doing that.

00:07:08.400 --> 00:07:11.770
They suspended me the first time three days for that.

00:07:11.770 --> 00:07:17.070
JACK: That was his first suspension from high school but it wasn’t his only one.

00:07:17.070 --> 00:07:19.900
Soon after that, he got suspended again.

00:07:19.900 --> 00:07:27.930
TOMMY: I got expelled from school because I broke into a military base in Korea and

00:07:27.930 --> 00:07:30.220
used their computer systems.

00:07:30.220 --> 00:07:36.940
I hijacked the AOL account that the general of the base was using and I sent an e-mail

00:07:36.940 --> 00:07:45.129
from his e-mail address, from his AOL account to the superintendent of Hanover County, that

00:07:45.129 --> 00:07:51.780
one of the high schools in his county was gonna blow up at 10:30 in the morning.

00:07:51.780 --> 00:07:57.720
JACK: A convoluted scheme but it was done for the same reasons as the first one; he

00:07:57.720 --> 00:08:00.190
just didn’t want to be in school.

00:08:00.190 --> 00:08:01.190
He wanted to…

00:08:01.190 --> 00:08:05.639
TOMMY: Be able to skip school, go to the river, smoke weed, and just have fun for the day.

00:08:05.639 --> 00:08:08.199
JACK: It worked, sort of.

00:08:08.199 --> 00:08:11.110
School was cancelled but he didn’t get away with it.

00:08:11.110 --> 00:08:13.669
TOMMY: I went to school the next day.

00:08:13.669 --> 00:08:17.090
There was a guy in a suit on each side of the door and they were like, you need to come

00:08:17.090 --> 00:08:18.240
with us.

00:08:18.240 --> 00:08:20.099
[MUSIC] I got expelled.

00:08:20.099 --> 00:08:23.030
JACK: So, how did he get caught?

00:08:23.030 --> 00:08:28.070
Did that military base in Korea do some forensic investigation and trace this back to a teenager

00:08:28.070 --> 00:08:30.520
in West Virginia? No.

00:08:30.520 --> 00:08:32.979
Did the police track his online connections?

00:08:32.979 --> 00:08:34.650
No again.

00:08:34.650 --> 00:08:39.110
What happened is that he told someone that he’s the one who got school cancelled that

00:08:39.110 --> 00:08:45.589
day and that person went and told someone at the school that Tommy is who sent in this

00:08:45.589 --> 00:08:47.100
bomb threat.

00:08:47.100 --> 00:08:54.029
TOMMY: Because I had used the internet to do it, the FBI ended up raiding my house

00:08:54.029 --> 00:08:58.800
about two weeks after it happened to take my computers.

00:08:58.800 --> 00:09:02.360
That was the first time that I was charged with computer crimes.

00:09:02.360 --> 00:09:08.500
I was actually charged with violating The Computer Fraud and Abuse Act.

00:09:08.500 --> 00:09:14.060
JACK: Being a minor, a sophomore, one of those damn kids in the eyes of the law, this could

00:09:14.060 --> 00:09:15.610
get bad pretty quick.

00:09:15.610 --> 00:09:19.709
The feds took his computers but let him go free as they investigated the case.

00:09:19.709 --> 00:09:24.750
Well, this gave him more time, more time to hack more stuff.

00:09:24.750 --> 00:09:29.029
He got a new computer and slipped on his black hat again.

00:09:29.029 --> 00:09:33.769
But forget about TDK at this point; he was onto more ambitious adventures.

00:09:33.769 --> 00:09:40.670
TOMMY: [MUSIC] I started talking to a bunch of other hacking groups and I got in contact

00:09:40.670 --> 00:09:46.890
with a guy named RaFa who was a member of World of Hell and he was telling me about

00:09:46.890 --> 00:09:52.070
they had rules for their group where you’re only allowed to hack UNIX systems.

00:09:52.070 --> 00:09:55.850
You weren’t allowed to target Windows because Windows was too easy.

00:09:55.850 --> 00:10:01.190
They like to only attack government, military, and Fortune 500 companies.

00:10:01.190 --> 00:10:02.760
JACK: This was great.

00:10:02.760 --> 00:10:07.361
Dawgyg liked everything about this; the rules, the people, the stuff he was learning, so

00:10:07.361 --> 00:10:10.670
he started hacking with World of Hell.

00:10:10.670 --> 00:10:19.250
TOMMY: Then in June of 2001, I defaced my first website as part of World of Hell.

00:10:19.250 --> 00:10:26.010
It was actually the Virginia – I broke into The Virginia Department of Informational Technology

00:10:26.010 --> 00:10:34.920
and defaced www.state.ba.us which was our main state website.

00:10:34.920 --> 00:10:42.089
Just from that point on, I just was defacing stuff with World of Hell nonstop for about

00:10:42.089 --> 00:10:43.450
six to nine months.

00:10:43.450 --> 00:10:47.560
JACK: Oh, in case you were wondering, deface is just a term used to change what’s written

00:10:47.560 --> 00:10:48.560
on a website.

00:10:48.560 --> 00:10:53.250
You can swap the photo that’s on the front page to something else, or just change what’s

00:10:53.250 --> 00:10:55.079
said there to whatever you want.

00:10:55.079 --> 00:10:58.870
In this case he probably had to prove himself that he was the guy who hacked this site so

00:10:58.870 --> 00:11:03.470
he probably wrote something on there like Hacked by dawgyg or Hacked by World of Hell,

00:11:03.470 --> 00:11:05.440
or something like that.

00:11:05.440 --> 00:11:10.150
What were some of the sites that you were hitting or World of Hell was hitting?

00:11:10.150 --> 00:11:19.899
TOMMY: Yahoo.com.ph, nokia.com, sony.com, Datsun, Dunhill, Epson, Fujifilm…

00:11:19.899 --> 00:11:22.700
JACK: If hacking is a drug…

00:11:22.700 --> 00:11:24.200
TOMMY: …Mercedes Benz…

00:11:24.200 --> 00:11:26.190
JACK: …dawgyg was getting addicted.

00:11:26.190 --> 00:11:30.269
TOMMY: …World Online, the car company, AOL.

00:11:30.269 --> 00:11:34.829
JACK: He was loving this hacking and the World of Hell hacker group.

00:11:34.829 --> 00:11:36.110
TOMMY: …HP, Reebok…

00:11:36.110 --> 00:11:39.730
JACK: But the problem with addictions is that you can overdose.

00:11:39.730 --> 00:11:41.339
TOMMY: …United Airlines, Casio, Motorola…

00:11:41.339 --> 00:11:46.970
JACK: And you can fall into a world of pain.

00:11:46.970 --> 00:11:53.089
TOMMY: …Hyundai, Sony Music, Toshiba, Opel, Volvo, EA Sports…

00:11:53.089 --> 00:11:56.889
JACK: After the break, the party ends for dawgyg.

00:11:56.889 --> 00:12:03.990
TOMMY: …Rolex, Pfizer, a bunch of Chinese government systems, the US Department of Energy,

00:12:03.990 --> 00:12:11.610
the US court systems, Venezuelan military…creative.com, Audi, Kenwood, Acer…

00:12:11.610 --> 00:12:19.210
JACK: High schooler dawgyg was still hunched over his monitor wearing a black hat and defacing

00:12:19.210 --> 00:12:20.630
website after website.

00:12:20.630 --> 00:12:24.230
TOMMY: …Xerox, Packard Bell, Compaq, 3Com…

00:12:24.230 --> 00:12:28.940
JACK: Doing all he could before he turned eighteen which was an adult in the eyes of

00:12:28.940 --> 00:12:29.940
the law.

00:12:29.940 --> 00:12:33.980
TOMMY: I turned eighteen in November of 2001.

00:12:33.980 --> 00:12:38.960
I actually stopped hacking for a few weeks but then I got bored again so I started

00:12:38.960 --> 00:12:40.250
doing it again.

00:12:40.250 --> 00:12:45.830
I hacked consistently until June 12th of 2002.

00:12:45.830 --> 00:12:49.750
ANNC: [MUSIC] In the year 2002…

00:12:49.750 --> 00:12:55.560
TOMMY: [TRAILER IN BACKGROUND] Oh, and June 11th, that night, Men in Black 2 had just

00:12:55.560 --> 00:13:01.250
come out in theatres so that night, before I went to bed, I downloaded Men in Black 2.

00:13:01.250 --> 00:13:06.190
The plan was I was gonna go to work the next day and then I was gonna come home from work

00:13:06.190 --> 00:13:08.170
early, smoke weed with my sister…

00:13:08.170 --> 00:13:10.670
ANNC: Don’t bother calling the CIA.

00:13:10.670 --> 00:13:11.920
Forget the FBI.

00:13:11.920 --> 00:13:14.190
TOMMY: We were gonna watch that movie.

00:13:14.190 --> 00:13:17.560
JACK: He got out of work for the same reasons he wanted to get out of school; so he could

00:13:17.560 --> 00:13:18.560
go play.

00:13:18.560 --> 00:13:21.730
In this case, to play an illegally-downloaded movie.

00:13:21.730 --> 00:13:27.740
He goes home to his apartment with his sister and they watch Men in Black 2, but the real

00:13:27.740 --> 00:13:31.779
men in black were knocking on his door.

00:13:31.779 --> 00:13:39.860
TOMMY: [MUSIC] I went to push the door open but it was yanked open in front of me and

00:13:39.860 --> 00:13:43.320
an M16 was in my face.

00:13:43.320 --> 00:13:48.779
There was somewhere between twenty and thirty agents inside of my apartment.

00:13:48.779 --> 00:13:55.180
My sister was sitting on my couch crying, my dad was standing in the living room next

00:13:55.180 --> 00:14:00.290
to her and just like, when he saw me walk through the door, he just looked at me and

00:14:00.290 --> 00:14:02.230
shook his head.

00:14:02.230 --> 00:14:08.941
They took everything in the house that was related to computers; all floppy disc, any

00:14:08.941 --> 00:14:15.550
CD that was in there, every computer, every computer component, every piece of paper that

00:14:15.550 --> 00:14:18.470
had notes handwritten on them.

00:14:18.470 --> 00:14:21.970
JACK: Now, what was going – I mean, what was your emotional level at that point?

00:14:21.970 --> 00:14:25.769
Were you freaking out about this or how were you feeling?

00:14:25.769 --> 00:14:32.761
TOMMY: I was scared shitless at the time because I was an adult at that point and I was on

00:14:32.761 --> 00:14:39.430
probation still for the hacking and bomb threat two years before.

00:14:39.430 --> 00:14:46.010
JACK: Once again, they took all his electronics and computers and he had two weeks before

00:14:46.010 --> 00:14:47.010
his court date.

00:14:47.010 --> 00:14:49.910
TOMMY: This is it; I’ve got two weeks of freedom.

00:14:49.910 --> 00:14:54.310
They’re going to lock me up in two weeks so I was like screw it, I’m just gonna have

00:14:54.310 --> 00:14:58.440
fun and do whatever.

00:14:58.440 --> 00:15:06.530
[MUSIC] I spent two weeks racing.

00:15:06.530 --> 00:15:13.540
I used to street race a lot so I spent two weeks street racing, going to the beach a

00:15:13.540 --> 00:15:18.800
lot, hanging out with as many of my friends as I could, trying to sleep with as many different

00:15:18.800 --> 00:15:21.360
girls as I could.

00:15:21.360 --> 00:15:28.370
JACK: Now nineteen years old, black hat hacker Tommy DeVoss, dawgyg, stands in front of a

00:15:28.370 --> 00:15:30.570
judge two weeks later.

00:15:30.570 --> 00:15:31.769
Hats were not allowed in court.

00:15:31.769 --> 00:15:40.470
TOMMY: I ended up pleading guilty in October of 2003 to one count of violating the CFAA

00:15:40.470 --> 00:15:46.040
for breaking into a computer system that controls interstate commerce.

00:15:46.040 --> 00:15:56.930
I had broken into a website called Bank Colo, B-A-N-K-C-O-L-O.com, and defaced the website.

00:15:56.930 --> 00:16:01.310
Turns out, it was for the Colorado Bank and Trust Company.

00:16:01.310 --> 00:16:05.980
JACK: Hm, yeah, messing with a banking website was probably a bad move.

00:16:05.980 --> 00:16:10.230
I mean, they’re federally regulated and insured which means that crimes involving

00:16:10.230 --> 00:16:14.620
a bank are probably going to be investigated by federal law enforcement.

00:16:14.620 --> 00:16:17.110
TOMMY: The judge asked me to stand up.

00:16:17.110 --> 00:16:23.399
He looked at me and he said Mr. DeVoss, I do not believe that you’re sorry for anything

00:16:23.399 --> 00:16:24.470
that you’ve done.

00:16:24.470 --> 00:16:30.100
I think the only reason that you are showing any remorse whatsoever is because of the fact

00:16:30.100 --> 00:16:31.790
that you got caught.

00:16:31.790 --> 00:16:41.209
He ended up sentencing me to twenty-seven months in federal prison, [MUSIC] banning

00:16:41.209 --> 00:16:47.240
me from computers for ten years, and giving me five years of probation.

00:16:47.240 --> 00:16:55.730
I want to say it was $100,000 of restitution that had to be paid.

00:16:55.730 --> 00:17:03.800
Then after he pronounced my sentence, he said I now place you in the custody of the US Marshals

00:17:03.800 --> 00:17:08.760
to serve your sentence and my knees pretty much gave out on me.

00:17:08.760 --> 00:17:14.689
I walked in there expecting to walk back out that day for at least thirty days and now

00:17:14.689 --> 00:17:21.549
all of a sudden, I’m getting locked up for almost two and a half years.

00:17:21.549 --> 00:17:25.860
JACK: The fun was over; dawgyg’s hacking spree was done.

00:17:25.860 --> 00:17:30.560
Back to being Tommy with no hat to wear in prison.

00:17:30.560 --> 00:17:32.110
What were some of the tattoos you got?

00:17:32.110 --> 00:17:39.740
TOMMY: My first tattoos in prison; I got a tribal on each one of my biceps,

00:17:39.740 --> 00:17:40.740
one on each side.

00:17:40.740 --> 00:17:45.710
It was just a small little tribal and one had a T for my initial and the other one had

00:17:45.710 --> 00:17:48.980
a C for the girl I was dating at the time.

00:17:48.980 --> 00:17:58.300
I got three dots on my right wrist which is a Hispanic gang tattoo puntos locos, ‘crazy

00:17:58.300 --> 00:17:59.480
life.’

00:17:59.480 --> 00:18:04.070
I had the words ‘crazy life’ put on – I don’t know what it’s called.

00:18:04.070 --> 00:18:09.320
It’s not my forearms but it’s the back of my arms between my elbow and my wrist.

00:18:09.320 --> 00:18:13.130
‘Crazy’ was put on one side, ‘life’ was put on the other side.

00:18:13.130 --> 00:18:18.960
I went in with five or six tattoos and came out with like, twenty-five or thirty total.

00:18:18.960 --> 00:18:22.330
JACK: Tommy served his two years in prison and got out.

00:18:22.330 --> 00:18:27.460
At this point it’s 2006, he’s twenty-two, but still has to serve probation.

00:18:27.460 --> 00:18:31.210
So, your real probation had ten years no computers?

00:18:31.210 --> 00:18:37.530
TOMMY: No computers, cell phones, game systems, fax machines, anything that could communicate

00:18:37.530 --> 00:18:41.960
with other people aside from an actual phone.

00:18:41.960 --> 00:18:43.730
I could make phone calls.

00:18:43.730 --> 00:18:47.340
I wasn’t allowed to touch a cell phone or anything like that.

00:18:47.340 --> 00:18:53.480
Even when I would go and get a job, a lot of jobs would have you clock in on a computer.

00:18:53.480 --> 00:18:55.049
I wasn’t allowed to do that.

00:18:55.049 --> 00:18:58.400
I had to have another co-worker clock me in and out.

00:18:58.400 --> 00:19:03.520
For the first thirty days or so, when I got out of prison the first time, I didn’t do

00:19:03.520 --> 00:19:06.679
any drugs and I didn’t get on a computer or anything.

00:19:06.679 --> 00:19:09.340
JACK: For the first thirty days?

00:19:09.340 --> 00:19:10.530
This doesn’t sound good.

00:19:10.530 --> 00:19:14.720
But let’s not forget Tommy was once addicted to hacking.

00:19:14.720 --> 00:19:19.860
It was all he could think about, not to mention being high, so even though he went two years

00:19:19.860 --> 00:19:26.950
without doing any of this, how long could he hold out now that he’s sort of free again?

00:19:26.950 --> 00:19:28.690
Turns out, thirty days.

00:19:28.690 --> 00:19:35.270
TOMMY: [MUSIC] I actually started defacing websites again because of how my bedroom was

00:19:35.270 --> 00:19:36.600
set up in the house.

00:19:36.600 --> 00:19:42.730
I used to sit at my computer and I was sitting next to a window that I could see out but

00:19:42.730 --> 00:19:44.510
you couldn’t see into it.

00:19:44.510 --> 00:19:48.840
I just would always sit there and if I saw a car pull in my driveway that I didn’t

00:19:48.840 --> 00:19:54.179
recognize, I would jump up and take my desktop computer completely apart, hide different

00:19:54.179 --> 00:19:58.740
parts of it in various places of the house so it couldn’t be found, and then go and

00:19:58.740 --> 00:19:59.740
answer the door.

00:19:59.740 --> 00:20:04.670
JACK: His probation officer would visit sometimes, come by and check on Tommy; talk to him, look

00:20:04.670 --> 00:20:09.169
around his room, and make sure he wasn’t using a computer because that wasn’t allowed

00:20:09.169 --> 00:20:10.169
on his probation.

00:20:10.169 --> 00:20:14.679
One day, when his probation officer did come by, Tommy quickly shut down the machine, took

00:20:14.679 --> 00:20:17.059
it all apart, and hid it all over his room.

00:20:17.059 --> 00:20:23.100
But he forgot to hide one thing and when the PO came into his room, he saw a keyboard on

00:20:23.100 --> 00:20:26.100
Tommy’s bed. Busted.

00:20:26.100 --> 00:20:31.299
This was a violation of his probation and he had to go back to prison to do more time.

00:20:31.299 --> 00:20:34.190
Eventually he came back home again.

00:20:34.190 --> 00:20:38.590
Again, his probation was that he could not use computers but Tommy just couldn’t keep

00:20:38.590 --> 00:20:40.020
his fingers off them.

00:20:40.020 --> 00:20:44.000
He didn’t want to hack anymore but he was just addicted to computers and would use it

00:20:44.000 --> 00:20:49.080
for other things, but the FBI was interested to see if he was gonna go back to being a

00:20:49.080 --> 00:20:50.080
hacker.

00:20:50.080 --> 00:20:52.770
TOMMY: The FBI actually watched me for six months.

00:20:52.770 --> 00:20:57.909
They rented the house across the street from mine, took pictures of every person that came

00:20:57.909 --> 00:20:58.909
to my house.

00:20:58.909 --> 00:21:04.120
The FBI actually collected our trash to go through it, looking for evidence that I was

00:21:04.120 --> 00:21:06.130
on a computer hacking again.

00:21:06.130 --> 00:21:10.360
JACK: As Tommy tells the story, his parents wanted to sell the house and a couple of FBI

00:21:10.360 --> 00:21:13.980
agents came over posing as potential buyers of the house.

00:21:13.980 --> 00:21:18.480
That’s when they saw Tommy on his computer in his room.

00:21:18.480 --> 00:21:24.120
This was a direct violation of his probation again which was all the evidence they needed.

00:21:24.120 --> 00:21:28.110
The FBI went and got their arrest warrant and came back and knocked on the door.

00:21:28.110 --> 00:21:35.240
TOMMY: When I opened it, they bust through the door and it was the FBI, DCIS which is

00:21:35.240 --> 00:21:37.720
the Defense Criminal Investigative Service.

00:21:37.720 --> 00:21:45.090
It’s kind of like the Department of Defense’s version of the FBI, the Secret Service, and

00:21:45.090 --> 00:21:48.330
state police for Virginia.

00:21:48.330 --> 00:21:52.580
They locked me up for violating probation and failing a drug test.

00:21:52.580 --> 00:21:57.770
They gave me fourteen months in prison that time which was the maximum they were allowed

00:21:57.770 --> 00:21:58.880
to give me.

00:21:58.880 --> 00:22:03.360
They gave me what they call diesel therapy; they put me in solitary confinement for three

00:22:03.360 --> 00:22:11.100
weeks in Petersburg and they shipped me from there to USP Atlanta which is a maximum-security

00:22:11.100 --> 00:22:12.450
prison in Atlanta, Georgia.

00:22:12.450 --> 00:22:19.750
They put me in solitary confinement there for I want to say it was another three weeks.

00:22:19.750 --> 00:22:25.960
Then they sent me from there to a medium-high prison in Williamsburg, South Carolina where

00:22:25.960 --> 00:22:34.169
they put me in solitary again for a couple of weeks before putting me on the actual compound.

00:22:34.169 --> 00:22:38.760
JACK: I think going back to prison again really did change Tommy.

00:22:38.760 --> 00:22:42.750
He didn’t like it there; he didn’t want to ever come back so he spent a long

00:22:42.750 --> 00:22:49.309
time weighing which was worth more to him, the high you get from hacking or his freedom.

00:22:49.309 --> 00:22:54.140
Each time he went to court, he ended up in front of the same judge every time and that

00:22:54.140 --> 00:22:56.549
judge’s name was Judge Payne.

00:22:56.549 --> 00:23:00.059
Judge Payne said something to him which had a lasting impact.

00:23:00.059 --> 00:23:08.100
TOMMY: The last time I was in court on October 28th of 2009, I had Judge Payne.

00:23:08.100 --> 00:23:12.090
For every time I went to federal court, I had the same judge.

00:23:12.090 --> 00:23:17.110
He told me that if he ever sees me in his courtroom again for a computer crime, he was

00:23:17.110 --> 00:23:18.700
gonna give me life in prison.

00:23:18.700 --> 00:23:24.210
Yeah, he made it so I don’t want to hack illegally anymore.

00:23:24.210 --> 00:23:27.990
I got a daughter that would be really mad at me if I went to prison for the rest of

00:23:27.990 --> 00:23:28.990
my life.

00:23:28.990 --> 00:23:32.620
JACK: Tommy gets out of prison and does good on probation; no violations.

00:23:32.620 --> 00:23:38.830
In fact, he does all the time he’s supposed to do and on November 3rd, 2010 his probation

00:23:38.830 --> 00:23:42.799
is done and he’s a free man once again.

00:23:42.799 --> 00:23:51.429
TOMMY: [MUSIC] It was really nice to know that I could get on computers again and not

00:23:51.429 --> 00:23:56.130
have to worry that I was gonna go to prison or get caught on them or anything.

00:23:56.130 --> 00:23:57.850
I didn’t have to hide them anymore.

00:23:57.850 --> 00:23:59.880
I was allowed to get cell phones.

00:23:59.880 --> 00:24:04.640
The biggest thing to me was the fact that I was allowed to go to school now.

00:24:04.640 --> 00:24:09.191
While I was on probation I wasn’t allowed to go to college because you can’t go through

00:24:09.191 --> 00:24:13.380
college without having to use a computer for something, especially when I wanted to go

00:24:13.380 --> 00:24:17.049
for computer stuff.

00:24:17.049 --> 00:24:20.790
I was allowed to try to find a computer job at that point.

00:24:20.790 --> 00:24:24.220
That was the biggest difference for me.

00:24:24.220 --> 00:24:29.309
JACK: He could go to college, use computers, but of course, he was not allowed to do any

00:24:29.309 --> 00:24:32.230
illegal hacking, no matter how tempting it might be.

00:24:32.230 --> 00:24:36.649
Finding a legit job in the tech industry is really hard when you have a federal conviction

00:24:36.649 --> 00:24:38.570
on your record, especially for fraud.

00:24:38.570 --> 00:24:44.940
TOMMY: I spent three years from 2010 to 2013 trying to find a computer job, period.

00:24:44.940 --> 00:24:52.860
I kept working as a cook and doing construction but I couldn’t find any company that would

00:24:52.860 --> 00:24:57.700
hire me doing computers because of my background and everything.

00:24:57.700 --> 00:25:00.700
They automatically think you were stealing money or identities.

00:25:00.700 --> 00:25:08.480
JACK: Tommy would sometimes get that itch to be dawgyg the black hat and hack into something

00:25:08.480 --> 00:25:09.610
again.

00:25:09.610 --> 00:25:13.059
But he controlled his temptations no matter how strong they were.

00:25:13.059 --> 00:25:17.150
The truth was he was really good at hacking and when you’re really good at something,

00:25:17.150 --> 00:25:18.950
you like doing it.

00:25:18.950 --> 00:25:23.899
But then he heard about something new, something that would change his life and start a new

00:25:23.899 --> 00:25:27.540
chapter for him; bug bounties.

00:25:27.540 --> 00:25:33.149
[MUSIC] There are two main websites that do this; HackerOne and Bugcrowd.

00:25:33.149 --> 00:25:37.090
Companies will go to these websites and say something like hey, if anyone can find a security

00:25:37.090 --> 00:25:40.580
issue on our website, we’ll give them a reward.

00:25:40.580 --> 00:25:45.059
Tommy came across HackerOne and decided to check it out.

00:25:45.059 --> 00:25:49.620
He saw the website Yahoo had a bug bounty program and he was already really familiar

00:25:49.620 --> 00:25:51.000
with the way Yahoo worked.

00:25:51.000 --> 00:25:55.149
He’d been poking at it and hacking on it throughout his whole teenage life, so he was

00:25:55.149 --> 00:26:00.360
kind of flabbergasted now that Yahoo was willing to pay anyone who could find a security problem

00:26:00.360 --> 00:26:01.929
in their website.

00:26:01.929 --> 00:26:05.030
He starts hacking around on their site and found something.

00:26:05.030 --> 00:26:13.520
TOMMY: I reported my first bug on HackerOne to Yahoo in March of 2016 and I found that

00:26:13.520 --> 00:26:20.159
a lot of Yahoo’s system admins and developers were using gist to share information and they

00:26:20.159 --> 00:26:24.270
were forgetting to make them private or delete them after the fact.

00:26:24.270 --> 00:26:30.360
I found a bunch of them that were leaking internal passwords, database credentials,

00:26:30.360 --> 00:26:32.630
network maps, and stuff like that.

00:26:32.630 --> 00:26:34.690
That was my first bug.

00:26:34.690 --> 00:26:40.420
Yahoo reported it to them and they gave me like, three hundred bucks for it.

00:26:40.420 --> 00:26:49.210
JACK: As in, Yahoo was thanking Tommy for hacking their site and telling them about

00:26:49.210 --> 00:26:54.570
a security problem they had and were so happy, they gave him $300 for this.

00:26:54.570 --> 00:26:57.850
TOMMY: I was like oh shit, okay, so maybe this is real.

00:26:57.850 --> 00:27:03.149
I made very little money the first couple of months ‘cause it was all really low-level

00:27:03.149 --> 00:27:04.700
things that I was finding.

00:27:04.700 --> 00:27:14.909
Then in May of 2016, ImageMagick remote code execution vulnerability was public at that

00:27:14.909 --> 00:27:15.909
time.

00:27:15.909 --> 00:27:19.740
JACK: The ImageMagick bug was a vulnerability where websites let you upload an image but

00:27:19.740 --> 00:27:23.920
you could send a malicious image to it and then you can get access to the website just

00:27:23.920 --> 00:27:25.679
by uploading a malicious image.

00:27:25.679 --> 00:27:31.780
TOMMY: I actually got remote code execution on two of Yahoo’s servers using that and

00:27:31.780 --> 00:27:39.390
got – the first one was $1,000 bounty and then the following week I found the same

00:27:39.390 --> 00:27:45.870
RCE on a different server, reported that, and they gave me the full $4,000.

00:27:45.870 --> 00:27:48.840
JACK: With that, dawgyg was back.

00:27:48.840 --> 00:27:50.659
This time, completely legal.

00:27:50.659 --> 00:27:56.179
This time wearing a white hat because all this was legit and paid out by Yahoo, the

00:27:56.179 --> 00:27:58.299
company he hacked.

00:27:58.299 --> 00:28:02.809
But because they have a bug bounty program, it explicitly allows this kind of hack if

00:28:02.809 --> 00:28:04.799
you’re participating in the program.

00:28:04.799 --> 00:28:10.510
They’ll pay you for it, so he was basically given the green light to hack once again.

00:28:10.510 --> 00:28:12.220
Dawgyg was in somewhat disbelief.

00:28:12.220 --> 00:28:14.450
Is this even real?

00:28:14.450 --> 00:28:20.000
But it was, so he sat up straight, cracked his knuckles, and began going to town looking

00:28:20.000 --> 00:28:22.240
for more bugs that would pay out.

00:28:22.240 --> 00:28:28.970
TOMMY: In my first year doing bug bounties, in 2016, I think I only made let’s say somewhere

00:28:28.970 --> 00:28:33.370
between $30,000 and $50,000, somewhere.

00:28:33.370 --> 00:28:42.600
Almost all of it was on HackerOne and then in 2017 I ended up making – I think I set

00:28:42.600 --> 00:28:49.030
the goal to make $100,000 in 2017 from bug bounties, and made somewhere between $115,000/$200,000

00:28:49.030 --> 00:28:50.630
for 2017.

00:28:50.630 --> 00:28:57.149
JACK: The white hat hacker move was working for him but what looked even better, what

00:28:57.149 --> 00:29:00.890
he really wanted, was a green hat.

00:29:00.890 --> 00:29:02.390
Green as in money.

00:29:02.390 --> 00:29:09.630
TOMMY: 2018, I think I made, combined across all three platforms, somewhere between $600,000

00:29:09.630 --> 00:29:10.630
and $700,000.

00:29:10.630 --> 00:29:15.450
JACK: For dawgyg, money looked best when it was turned into cars.

00:29:15.450 --> 00:29:22.370
Men in Black 2 got him in real trouble but Fast and Furious truly inspired him.

00:29:22.370 --> 00:29:29.620
TOMMY: The Fast and the Furious movies started coming out, what was it, ’99 or so?

00:29:29.620 --> 00:29:32.100
I fell in love with the Skyline GT-Rs.

00:29:32.100 --> 00:29:35.280
JACK: Tell me about what happened to you in January, 2018.

00:29:35.280 --> 00:29:43.750
TOMMY: In January, 2018 I got $175 bounty on a Friday afternoon, [MUSIC] on a HackerOne

00:29:43.750 --> 00:29:44.750
program.

00:29:44.750 --> 00:29:49.180
I was kind of mad about the bounty ‘cause it should have been quite a bit more but the

00:29:49.180 --> 00:29:57.090
program paid really bad, and I put the $175 on a – I bet on basketball, international

00:29:57.090 --> 00:30:05.350
basketball, a lot – put that $175 on there at about 7:00 on that Friday night and by

00:30:05.350 --> 00:30:16.490
Monday afternoon, 4:00 or 5:00 in the afternoon, I had turned $175 into $133,000.

00:30:16.490 --> 00:30:21.860
I withdrew $50,000 of it and I went and bought my first Skyline.

00:30:21.860 --> 00:30:28.240
It was a 1992 R32 GTS-T. That was technically my dream car.

00:30:28.240 --> 00:30:32.003
It wasn’t the GT-R model but it was still a Skyline.

00:30:32.003 --> 00:30:34.559
I was like, extremely happy.

00:30:34.559 --> 00:30:43.620
JACK: In 2018, dawgyg kept finding and submitting bugs on HackerOne.

00:30:43.620 --> 00:30:48.190
$200 here, $1,000 here, $5,000 there.

00:30:48.190 --> 00:30:53.750
He was racking up one bounty after another, slowly but surely fattening his stack, earning

00:30:53.750 --> 00:30:57.580
his green hat, and then he scored the biggest bounty yet.

00:30:57.580 --> 00:31:06.330
TOMMY: Okay, so October of 2018 I set the record for the highest amount of bounties

00:31:06.330 --> 00:31:09.309
paid in a single day to a single researcher.

00:31:09.309 --> 00:31:14.880
I was playing with the Nexus RF and I found a bypass for their blacklist that they had

00:31:14.880 --> 00:31:22.630
used and I ended up being able to bypass the blacklist in a total of fifteen or sixteen

00:31:22.630 --> 00:31:24.980
different endpoints for SSRF.

00:31:24.980 --> 00:31:27.500
JACK: I know some of you don’t understand what he’s saying.

00:31:27.500 --> 00:31:32.769
That’s okay; all you need to know is that he found a vulnerability sixteen times on

00:31:32.769 --> 00:31:35.030
a single company’s website.

00:31:35.030 --> 00:31:42.190
TOMMY: Ended up getting new bugs for all sixteen of them and each one of them was $10,000.

00:31:42.190 --> 00:31:47.330
[MUSIC] It was like, October 18th or something like that of 2018.

00:31:47.330 --> 00:31:55.110
I was paid $160,000 worth of bounties in that one day.

00:31:55.110 --> 00:32:03.840
JACK: What is that feeling like, to get $160,000 in a day’s work?

00:32:03.840 --> 00:32:05.200
TOMMY: Unreal.

00:32:05.200 --> 00:32:12.100
It was just, like – it still seems too good to be true.

00:32:12.100 --> 00:32:19.400
That’s my single-day highest payout but I’ve had at least five or six single-days

00:32:19.400 --> 00:32:21.670
where I’ve made six figures in one day.

00:32:21.670 --> 00:32:23.669
DOM: Ask any racer, any real racer.

00:32:23.669 --> 00:32:27.250
It don’t matter if you win by an inch or a mile.

00:32:27.250 --> 00:32:29.920
[CROWD CHEERS] Winning’s winning.

00:32:29.920 --> 00:32:38.510
TOMMY: It’s unreal to know that ten years ago right now I was sitting in federal prison,

00:32:38.510 --> 00:32:43.870
to now I’m one of six people on HackerOne that have made a million dollars

00:32:43.870 --> 00:32:45.580
just on the HackerOne platform.

00:32:45.580 --> 00:32:52.530
I’m pretty sure I’ve made over $800,000 in 2019 just from HackerOne.

00:32:52.530 --> 00:32:57.220
JACK: I’ve confirmed all this, by the way; I’ve read through his court cases, I’ve

00:32:57.220 --> 00:33:01.720
listened to his mother talk, and HackerOne themselves has announced that Tommy was the

00:33:01.720 --> 00:33:06.470
sixth hacker on their site to make one million dollars.

00:33:06.470 --> 00:33:15.940
In 2019, he made $910,000 total, just missing his goal of one million dollars in bug bounties

00:33:15.940 --> 00:33:16.940
in one year.

00:33:16.940 --> 00:33:21.540
What did your parents think when you started using HackerOne to hack again?

00:33:21.540 --> 00:33:28.950
TOMMY: At first, they were super leery of it.

00:33:28.950 --> 00:33:35.179
My mom finally accepted it after the first year or so when she saw that I was able to

00:33:35.179 --> 00:33:39.270
make money and I was making decent money and not getting in trouble.

00:33:39.270 --> 00:33:43.590
My dad still doesn’t accept it.

00:33:43.590 --> 00:33:48.019
He actually won’t talk to me because he thinks that I’m wasting my life and wants

00:33:48.019 --> 00:33:52.659
me to get a normal nine-to-five job and everything.

00:33:52.659 --> 00:33:58.470
The last time I actually spoke to him was in February of this year and he was disowning

00:33:58.470 --> 00:34:05.860
me and telling me that I needed to stop wasting my life and get a real job before I lose my

00:34:05.860 --> 00:34:08.419
life, or something along those lines.

00:34:08.419 --> 00:34:11.429
JACK: That’s because he thinks this isn’t legit work?

00:34:11.429 --> 00:34:12.970
TOMMY: Yeah.

00:34:12.970 --> 00:34:22.629
I’m hoping that he’s seeing it now in the last – in 2019, I’ve bought cars for

00:34:22.629 --> 00:34:27.079
my two nieces that are seventeen years old; I bought both of them their first car.

00:34:27.079 --> 00:34:34.220
I bought my baby sister who is about to turn eighteen, I bought her her first car.

00:34:34.220 --> 00:34:39.089
I’ve got a set of twin sisters a year younger than me.

00:34:39.089 --> 00:34:42.460
One of them lives in Florida; I bought her a truck earlier this year.

00:34:42.460 --> 00:34:46.710
I bought her twin sister a car and a truck a few months ago.

00:34:46.710 --> 00:34:55.579
I bought my mom a Mustang back in October of this year and I bought myself, this year,

00:34:55.579 --> 00:34:58.790
I’ve bought myself an Infiniti G37.

00:34:58.790 --> 00:35:02.849
I’m planning to buy my dad a brand-new truck.

00:35:02.849 --> 00:35:07.599
I’m planning on buying him a truck within the next month or two and then just buying

00:35:07.599 --> 00:35:12.750
it, taking it to his house, putting it in his driveway with the keys and the title, and

00:35:12.750 --> 00:35:16.730
just leaving it there and letting him come home from work to find a brand-new truck sitting

00:35:16.730 --> 00:35:17.839
in his driveway for him.

00:35:17.839 --> 00:35:21.440
JACK: Oh, there’s an update here; I recorded this interview months ago but I checked with

00:35:21.440 --> 00:35:26.430
Tommy just before airing this and he’s slowly getting on talking terms with his dad again.

00:35:26.430 --> 00:35:29.810
When he pitched this idea to him, his dad had another plan.

00:35:29.810 --> 00:35:33.810
Remember the car Tommy bought his eighteen-year-old little sister?

00:35:33.810 --> 00:35:38.920
Well, she didn’t drive it right and she blew the engine so his dad said instead of

00:35:38.920 --> 00:35:42.720
buying me a new truck, why don’t you buy another new car for your little sister?

00:35:42.720 --> 00:35:45.849
So, that’s what Tommy’s planning on doing.

00:35:45.849 --> 00:35:50.750
Also, at this point, dawgyg has earned so much money that he’s been able to buy two

00:35:50.750 --> 00:35:56.910
of his dream cars and both of them are the classic Nissan Skylines from 2 Fast 2

00:35:56.910 --> 00:35:57.910
Furious.

00:35:57.910 --> 00:35:59.910
What are the license plates on your cars?

00:35:59.910 --> 00:36:11.700
TOMMY: On my R32 GTS-T I’ve got an antique tag on it that says H4CK3R, H-4-C-K-3-R. On

00:36:11.700 --> 00:36:20.480
my ‘92 R32 GT-R, it says BNTYPLZ and then I have on my Infiniti G37, I have the license

00:36:20.480 --> 00:36:21.930
plate TY-H1.

00:36:21.930 --> 00:36:28.560
Earlier this year I actually, a couple months ago, I actually was sent to DC by HackerOne

00:36:28.560 --> 00:36:36.330
and I spoke at a little cyber-security leaders meetup between the government and military

00:36:36.330 --> 00:36:37.330
agencies.

00:36:37.330 --> 00:36:43.180
So, going from a black hat being sent to prison for hacking the government to actually being

00:36:43.180 --> 00:36:48.800
invited to speak to government leaders about my experience hacking them.

00:36:48.800 --> 00:36:52.520
JACK: This is the weird new future we’re living in.

00:36:52.520 --> 00:36:57.080
Ten years ago, when dawgyg was hacking, bug bounties didn’t exist and the government

00:36:57.080 --> 00:36:58.080
was chasing him.

00:36:58.080 --> 00:37:04.109
Now, dawgyg is doing the same kind of hacking but now companies are paying him to do it

00:37:04.109 --> 00:37:08.460
and the government is asking him to come teach them, sort of like if you can’t beat ‘em,

00:37:08.460 --> 00:37:09.460
join ‘em.

00:37:09.460 --> 00:37:10.460
TOMMY: Yeah, exactly.

00:37:10.460 --> 00:37:14.870
The good thing, one of the things that I love about the DOD’s program so much is that

00:37:14.870 --> 00:37:16.099
it’s their scope.

00:37:16.099 --> 00:37:21.100
Tons of companies start up a bug bounty program and they have an extremely limited scope.

00:37:21.100 --> 00:37:25.720
It’s like, we only want information about these and everything.

00:37:25.720 --> 00:37:30.940
As a former black hat, I know that I don’t give two shits about a scope if I’m a black

00:37:30.940 --> 00:37:31.940
hat.

00:37:31.940 --> 00:37:35.790
JACK: Yeah, Tommy’s now helping the feds secure their networks.

00:37:35.790 --> 00:37:38.760
It’s weird how it all turned out, isn’t it?

00:37:38.760 --> 00:37:43.210
Even though the bug bounties are bringing him a great income, he’s actually

00:37:43.210 --> 00:37:44.690
been looking for a day job lately.

00:37:44.690 --> 00:37:51.130
TOMMY: I don’t have anybody to talk to that – when I make a really cool hack or anything

00:37:51.130 --> 00:37:53.260
like that, aside from the people online.

00:37:53.260 --> 00:37:55.859
I see hacking as kind of an addiction.

00:37:55.859 --> 00:38:00.500
I’m just as much addicted to hacking as I ever was addicted to any drug or anything

00:38:00.500 --> 00:38:01.500
like that.

00:38:01.500 --> 00:38:03.109
I’ll never stop hacking.

00:38:03.109 --> 00:38:08.570
Actually, the only reason I’m looking for a full-time job is because I miss working

00:38:08.570 --> 00:38:13.392
with a team and just want to have a little bit of structure to my day so that I’m not

00:38:13.392 --> 00:38:16.930
just like, I sit around bored out of my mind a lot.

00:38:16.930 --> 00:38:22.110
There’s only so much Xbox you can play and online games and stuff you can play before

00:38:22.110 --> 00:38:23.430
even they get boring.

00:38:23.430 --> 00:38:28.740
JACK: Tommy did, in fact, recently get a job with one of the biggest banks in the US doing

00:38:28.740 --> 00:38:30.950
research on the threats they see there.

00:38:30.950 --> 00:38:36.190
He applied, interviewed, they liked him, he passed, got the job, and he had a start date

00:38:36.190 --> 00:38:37.960
in January.

00:38:37.960 --> 00:38:43.500
But when they ran a background check on him, they got worried and so they decided not to

00:38:43.500 --> 00:38:45.250
bring him on board.

00:38:45.250 --> 00:38:49.160
This was a bummer since another reason he wants a day job is to prove to his dad that

00:38:49.160 --> 00:38:50.319
he’s doing good work.

00:38:50.319 --> 00:38:52.670
TOMMY: I think he’ll be happier then.

00:38:52.670 --> 00:38:57.150
I’ll still be doing my bug bounties and stuff but I’ll have what he sees in his

00:38:57.150 --> 00:38:58.730
eye as a real job.

00:38:58.730 --> 00:39:04.020
JACK: Okay, so if Tommy’s story is inspiring to you, you can get started earning money

00:39:04.020 --> 00:39:05.630
finding bugs, too.

00:39:05.630 --> 00:39:07.400
This is what Tommy suggests you do to get started.

00:39:07.400 --> 00:39:14.040
TOMMY: Just doing hacker101.com which is kind of like hacker university where it’s capture-the-flags

00:39:14.040 --> 00:39:21.170
and stuff to show you some real-world examples of things that bug hunters have found to give

00:39:21.170 --> 00:39:23.920
you hands-on experience.

00:39:23.920 --> 00:39:29.190
Doing pen tester labs; I always suggest when somebody asks me where to start is reading

00:39:29.190 --> 00:39:34.610
every blog post you can find from bug hunters about what they found and everything so it

00:39:34.610 --> 00:39:35.640
gives you an idea.

00:39:35.640 --> 00:39:41.260
JACK: Last thing I asked Tommy, a former criminal, is if he has any advice for the next generation

00:39:41.260 --> 00:39:44.380
who might be thinking of trying on that black hat.

00:39:44.380 --> 00:39:48.329
TOMMY: It’s not worth doing the stuff illegally.

00:39:48.329 --> 00:39:54.569
Thanks to Edward Snowden’s leaks back in 2013, we know that everything we do online

00:39:54.569 --> 00:40:02.599
is monitored by the US government and anybody that thinks that they can do things illegally

00:40:02.599 --> 00:40:06.090
and get away with it is mistaken.

00:40:06.090 --> 00:40:11.839
Anybody that has been doing things illegally and has gotten away with it, it’s only because

00:40:11.839 --> 00:40:16.250
they haven’t wanted to look at you yet but they can.

00:40:16.250 --> 00:40:19.620
You’re not gonna hide yourself completely.

00:40:19.620 --> 00:40:20.710
Everybody makes mistakes.

00:40:20.710 --> 00:40:27.160
The amount of money that you can make doing this legally far outweighs the money you’re

00:40:27.160 --> 00:40:31.020
gonna make illegally ‘cause if you’re good enough to do this as a black hat, you’re

00:40:31.020 --> 00:40:35.869
good enough to do this as a white hat and you can make life-changing money doing it.

00:40:35.869 --> 00:40:40.730
JACK: Just before airing this episode, Tommy attended the H1-415 hacking event.

00:40:40.730 --> 00:40:44.900
This is a nine-hour hackathon put on by HackerOne in San Francisco.

00:40:44.900 --> 00:40:49.890
The goal is to see how many bug bounties can be claimed within nine hours.

00:40:49.890 --> 00:40:51.329
A bunch of people showed up.

00:40:51.329 --> 00:40:55.470
Tommy went and he was finding bug after bug and reporting them.

00:40:55.470 --> 00:41:03.740
Within the nine hours given for the event, he earned $101,000 which gave him the coveted

00:41:03.740 --> 00:41:10.329
MVH, Most Valuable Hacker.

00:41:10.329 --> 00:41:16.119
[APPLAUSE] I get a little jealous listening to this story because I was one of those people

00:41:16.119 --> 00:41:20.900
who did everything right; I’ve never been arrested for hacking, I never went to prison,

00:41:20.900 --> 00:41:25.340
I went to university and got a computer science degree, and then I spent ten years working

00:41:25.340 --> 00:41:26.700
as a security engineer.

00:41:26.700 --> 00:41:32.420
I made nothing close to a million dollars yet here’s Tommy breaking all the rules

00:41:32.420 --> 00:41:37.700
and getting scarred again and again, failing repeatedly, and still coming out not just

00:41:37.700 --> 00:41:40.470
okay but with all the toys.

00:41:40.470 --> 00:41:47.010
But I guess it just reminds me of that Fast and Furious quote.

00:41:47.010 --> 00:42:03.440
EDWIN: You know, everyone happens to know a few things.

00:42:03.440 --> 00:42:06.270
One of the things everyone knows is it’s not how you stand by your car; it’s how

00:42:06.270 --> 00:42:07.270
you race your car.

00:42:07.270 --> 00:42:08.270
You better learn that.

00:42:08.270 --> 00:42:09.270
[REVVING]

00:42:09.270 --> 00:42:10.920
JACK (OUTRO): [OUTRO MUSIC] A very big thank you to Tommy DeVoss, AKA dawgyg.

00:42:10.920 --> 00:42:14.690
Great story, but stay out of trouble, okay?

00:42:14.690 --> 00:42:18.579
Oh, have you listened to the five bonus episodes of Darknet Diaries yet?

00:42:18.579 --> 00:42:21.700
They’re out there but they’re only for Patreon supporters.

00:42:21.700 --> 00:42:26.500
If this show brings you value, please consider giving to the Darknet Diaries Patreon.

00:42:26.500 --> 00:42:30.160
You can also get an ad-free version of the show there, too.

00:42:30.160 --> 00:42:33.550
This show is made by me, the Tokyo drifter, Jack Rhysider.

00:42:33.550 --> 00:42:39.030
This episode was produced by the turbo-charged Jake Warga, editing help this episode by the

00:42:39.030 --> 00:42:43.880
windblown Damienne, and our theme music is by the electric-powered Breakmaster

00:42:43.880 --> 00:42:45.030
Cylinder.

00:42:45.030 --> 00:42:51.000
Even though a Mirai botnet is launched somewhere in the world every time I say it, this is

00:42:51.000 --> 00:43:04.099
Darknet Diaries.
