WEBVTT

00:00:00.000 --> 00:00:08.120
JACK: In 2014, a five-year-old hacked Xbox Live. A five-year-old! Yeah. Here’s

00:00:08.120 --> 00:00:12.280
what happened; [MUSIC] the family got an Xbox for Christmas. The five-year-old was having fun

00:00:12.280 --> 00:00:17.440
playing games, and dad set it up with parental controls so the kid could only play a few games

00:00:17.440 --> 00:00:21.960
that were set aside for him. But the kid saw some of the other games that dad was playing

00:00:21.960 --> 00:00:26.040
and wanted to play those, too. He tried to get to those other games, but he couldn’t;

00:00:26.040 --> 00:00:30.600
it was locked by dad. But the kid didn’t stop trying. He understood that there were

00:00:30.600 --> 00:00:35.760
two different accounts; one for kids and one for dad. So, he clicked on his dad’s account which

00:00:35.760 --> 00:00:40.720
prompted the kid for a password. The kid didn’t know the password. Heck, he was five years old,

00:00:40.720 --> 00:00:44.720
so he didn’t even know how to spell even if he knew the password. But when he got to the

00:00:44.720 --> 00:00:51.680
password screen, the kid just hit space bar a bunch of times; tap, tap tap, then Enter,

00:00:51.680 --> 00:00:58.080
and magically, it worked. Apparently there was a vulnerability in the Xbox parental controls that

00:00:58.080 --> 00:01:03.640
allowed someone to just type in all spaces to get out of the kid’s account, and the kid got

00:01:03.640 --> 00:01:10.560
into his dad’s games and played them. When the kid could play his dad’s games, this is what he said.

00:01:10.560 --> 00:01:12.120
KID: I was like, yeah!

00:01:12.120 --> 00:01:18.240
JACK: He played them, wasn’t very good at it, but then shut them off and went and did something else

00:01:18.240 --> 00:01:24.440
without his dad knowing, that little sneaker. Then he did it again another day. He bypassed

00:01:24.440 --> 00:01:28.760
parental controls, played the game he wasn’t supposed to, and then shut it off before his dad

00:01:28.760 --> 00:01:36.080
found out. But then his dad noticed someone was playing his games and was like, that’s odd. So,

00:01:36.080 --> 00:01:40.600
he asked the kid, hey, were you playing my stuff? The kid started to worry a little.

00:01:40.600 --> 00:01:44.900
KID: I got nervous. He was gonna find out.

00:01:44.900 --> 00:01:49.200
JACK: His dad realized the kid must be breaking out of the parental controls

00:01:49.200 --> 00:01:53.400
and asked him to demonstrate how he did it. [INTRO MUSIC] So, the kid showed dad how you

00:01:53.400 --> 00:01:58.240
could just mash the space key a whole bunch of times to get to the other games. His dad

00:01:58.240 --> 00:02:03.880
was dumbfounded and they reported this bug to Microsoft who fixed it, and they even credited

00:02:03.880 --> 00:02:11.360
the kid in the bug report as a security researcher involved with identifying it.

00:02:11.360 --> 00:02:15.920
(INTRO): These are true stories from the dark side

00:02:15.920 --> 00:02:34.700
of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:02:34.700 --> 00:02:44.720
JACK: This is the wild and strange story of Mr. Daniel Kelley.

00:02:44.720 --> 00:02:51.440
DANIEL: So, I think it’s important to go back to 2013, 2014, because that’s when a lot of

00:02:51.440 --> 00:02:57.120
this started that led up to the events that took place. I had a normal childhood. I really disliked

00:02:57.120 --> 00:03:05.240
school, had really low attendance, and my life pretty much revolved around online games. So,

00:03:05.240 --> 00:03:11.200
I’d go to school, I’d come home, I’d play online games, and I’d basically do the same

00:03:11.200 --> 00:03:18.120
thing for months on end. I used to be obsessed with a certain game called World of Warcraft.

00:03:18.120 --> 00:03:24.160
On World of Warcraft, essentially, you had a PvP system. I used to take this game really serious.

00:03:24.160 --> 00:03:27.040
JACK: I picture you as a rogue. When you were telling me this story, I was like,

00:03:27.040 --> 00:03:30.560
this guy is definitely a rogue and he’s a griefer; I can tell already.

00:03:30.560 --> 00:03:34.040
DANIEL: No, no, that’s not true. I had a few characters,

00:03:34.040 --> 00:03:41.080
actually. I used to play a lot of healers. My main character was a Holy Paladin,

00:03:41.080 --> 00:03:46.380
but then I played Resto Druid for a bit. That’s pretty much all I used to play, was healers.

00:03:46.380 --> 00:03:52.420
JACK: I just don’t picture you as either a paladin or a druid. That’s so funny.

00:03:52.420 --> 00:03:53.380
DANIEL: Yeah.

00:03:53.380 --> 00:03:58.760
JACK: Daniel played a lot of World of Warcraft for thousands of hours, and during this time,

00:03:58.760 --> 00:04:03.680
he was really working hard to rank up in PvP. This is player versus player skirmishes,

00:04:03.680 --> 00:04:06.440
where he’d get in a group of other players and battle against other

00:04:06.440 --> 00:04:10.680
players to see who was better. He was very high-ranked and very competitive,

00:04:10.680 --> 00:04:15.040
spending as much time as possible playing this game. Because he was high-ranked, he would often

00:04:15.040 --> 00:04:20.160
compete against the same teams who were around his rank. One day, he got a strange message.

00:04:20.160 --> 00:04:25.080
DANIEL: Before the match started, I received an in-game message which basically said something

00:04:25.080 --> 00:04:35.720
like goodbye. [MUSIC] The game started, and my internet disconnected. At the time, I didn’t

00:04:35.720 --> 00:04:40.440
even realize that I had received the message. It was only when I went back for my chat logs did

00:04:40.440 --> 00:04:47.160
I see the message. Basically, we get to a point where we’d queue against the same team so much,

00:04:47.160 --> 00:04:51.920
and someone on my team would always go offline. It would either be me or it would either be one

00:04:51.920 --> 00:04:57.040
of my teammates. It got to a point where I ultimately realized that we have no chance

00:04:57.040 --> 00:05:05.240
of winning whatsoever. So, I called one of the members of this specific team and asked them

00:05:05.240 --> 00:05:09.680
what they were doing, and they sort of made a joke out of it. They didn’t admit that they

00:05:09.680 --> 00:05:15.960
were doing anything, but they didn’t say that they weren’t doing anything. So, after a while,

00:05:15.960 --> 00:05:20.660
I sort of – I went to Google and I started to search how to cheat on this game, basically.

00:05:20.660 --> 00:05:25.960
JACK: He found a forum that talked about the different kinds of cheats and hacks. He gets on

00:05:25.960 --> 00:05:30.860
the forum and asks them what could have caused him to be disconnected just before a match started.

00:05:30.860 --> 00:05:36.320
DANIEL: I basically explained everything and I saw – asked people to make a suggestion on

00:05:36.320 --> 00:05:41.400
what he could be doing. A lot of people started saying that there was a high

00:05:41.400 --> 00:05:46.680
probability that I was being DDoSed. Back then, I was like, twelve years old,

00:05:46.680 --> 00:05:50.180
so I really didn’t understand the concept and I was not familiar with this at all.

00:05:50.180 --> 00:05:55.920
JACK: So, he looks up what DDoS is and finds it stands for distributed denial of service,

00:05:55.920 --> 00:05:59.800
and this typically means flooding someone with so much traffic that they cannot get

00:05:59.800 --> 00:06:05.440
to the internet anymore; service is denied. Okay, that made sense. Someone may be flooding

00:06:05.440 --> 00:06:10.960
him with tons of packets and that made him go offline. Then he found what a booter was,

00:06:10.960 --> 00:06:15.760
which is a type of hacking tool that does this kind of DDoS attack. All you had to do

00:06:15.760 --> 00:06:20.000
was enter the victim’s IP address, and you could blast them off the internet.

00:06:20.000 --> 00:06:24.680
But what didn’t make sense to him was how did anyone know his IP address to attack

00:06:24.680 --> 00:06:30.160
him basically at home? There’s nothing in the game that would show his IP to anyone.

00:06:30.160 --> 00:06:34.920
DANIEL: So, I sort of interacted with the people that posted on that thread and asked

00:06:34.920 --> 00:06:38.460
them if they had any theories behind how he may be getting my IP address.

00:06:38.460 --> 00:06:44.320
JACK: They came back and asked well, have you talked with any of your attackers over Skype

00:06:44.320 --> 00:06:49.360
in the past? [MUSIC] Yeah, he had. Remember? He even called the guy up who he thought did

00:06:49.360 --> 00:06:54.800
this and asked him about it. Well, as it turns out, back then when you called someone on Skype,

00:06:54.800 --> 00:07:01.040
it would store their IP address on your computer. Then when hackers figured that out,

00:07:01.040 --> 00:07:04.480
they created a little tool called the Skype Resolver, and with this little tool,

00:07:04.480 --> 00:07:08.560
all you had to do is enter someone’s Skype username and it would try to call them and

00:07:08.560 --> 00:07:14.160
then tell you what IP address they had. So now he knows exactly what tools they used to

00:07:14.160 --> 00:07:21.000
find him and kick him offline. So, now that he knows how it’s done, he gives it a try.

00:07:21.000 --> 00:07:24.920
DANIEL: This is pretty much what I was doing when I was like, twelve. So, I had a booter

00:07:24.920 --> 00:07:33.200
and Skype Resolver, and I decided to test this theory. So, one night we queue against this team,

00:07:33.200 --> 00:07:40.760
I get his IP address, and I DDoS him. It basically worked. We won and I sort of

00:07:40.760 --> 00:07:44.920
realized that this is what he had been doing all along, because the effects were exactly

00:07:44.920 --> 00:07:53.640
the same. At the very beginning, I only used to use it against their team, and I – to be honest,

00:07:53.640 --> 00:08:00.240
I didn’t even tell the other two players what I was doing because I didn’t want them to know. It

00:08:00.240 --> 00:08:06.200
was really tempting to do it to every single team that we queued into, but I didn’t do that because

00:08:06.200 --> 00:08:11.520
I had essentially achieved where I was through hard work and skill, and not cheating. So,

00:08:11.520 --> 00:08:16.800
I wasn’t about to ruin all the time that I had spent learning just so that I could cheat.

00:08:16.800 --> 00:08:21.240
JACK: He wasn’t using this attack that much, but with this knowledge of what it

00:08:21.240 --> 00:08:27.480
looks like when someone is attacked, he started noticing this happening more often. In fact,

00:08:27.480 --> 00:08:33.040
a lot of the top-ranked teams had been using booters to force people to leave just when a

00:08:33.040 --> 00:08:40.080
match would begin so they could win easier. This ruined the fun and the game for him, so he started

00:08:40.080 --> 00:08:46.160
playing it less. But what this all did was it sparked his curiosity about hacking, so he went

00:08:46.160 --> 00:08:50.600
back to that forum that taught him how he was booted from World of Warcraft to see what other

00:08:50.600 --> 00:08:56.680
kinds of hacks there were out there. This is where he learned about Google dorking. [MUSIC] Google

00:08:56.680 --> 00:09:02.640
dorking is where you use Google as a vulnerability scanner. What I mean is Google is a search engine,

00:09:02.640 --> 00:09:07.320
right? But in order for it to be a search engine, it needs to go out and scan and spider

00:09:07.320 --> 00:09:13.640
its way across the entire internet, scooping up tons of data about websites along the way.

00:09:13.640 --> 00:09:16.800
Google’s not specifically looking for vulnerabilities; it’s just grabbing

00:09:16.800 --> 00:09:20.600
whatever’s out there and putting it into a database so that when you search Google,

00:09:20.600 --> 00:09:24.360
it can present you with information about what you searched for. So,

00:09:24.360 --> 00:09:29.880
you can search Google for specific things that are vulnerabilities in websites. Like for instance,

00:09:29.880 --> 00:09:36.200
if you do a Google search for the term ‘intitle:index.of id_rsa -id_rsa.pub’. This is

00:09:36.200 --> 00:09:42.360
basically asking Google if they found any files on the internet called ID RSA, which typically

00:09:42.360 --> 00:09:47.760
stores a private key. This file should never be out there on the internet and open for anyone

00:09:47.760 --> 00:09:53.920
to see. It’s like exposing your password. Yet, Google has found tens of thousands of websites

00:09:53.920 --> 00:10:00.200
that clearly display their private keys for anyone to see. These little clever searches were what

00:10:00.200 --> 00:10:06.160
Daniel was learning and it opened his eyes to tons of possibilities. One day, he searched for

00:10:06.160 --> 00:10:13.600
a misconfigured admin portal and found one, and was able to log into this website as an admin.

00:10:13.600 --> 00:10:21.360
DANIEL: So, it was a website belonging to a school. I don’t want to name the name of the

00:10:21.360 --> 00:10:27.160
website because it was over ten years ago, but what I ultimately did is defaced the website,

00:10:27.160 --> 00:10:31.960
‘cause I just wanted to sort of – it was the first vulnerability that I ever found,

00:10:31.960 --> 00:10:37.000
so I was sort of intrigued that I found something like that to begin with.

00:10:37.000 --> 00:10:39.960
JACK: What did you put on the website?

00:10:39.960 --> 00:10:45.340
DANIEL: It was some stupid picture. I think it was like – do you know the picture of the troll face?

00:10:45.340 --> 00:10:46.100
JACK: Yeah.

00:10:46.100 --> 00:10:51.280
DANIEL: Like, pretty much just left it there for a couple of days. But the thing is, back then,

00:10:51.280 --> 00:10:57.360
I was really young. [MUSIC] I was like – I think I was twelve or thirteen. So,

00:10:57.360 --> 00:11:01.260
it was more I was doing it for fun, if that makes sense.

00:11:01.260 --> 00:11:08.640
JACK: This was amazing. This was legendary, at least to a thirteen-year-old. He got onto

00:11:08.640 --> 00:11:13.340
a website and changed the picture to whatever he wanted. He felt clever and powerful.

00:11:13.340 --> 00:11:19.920
DANIEL: You honestly sorta feel – it’s like a sensation of euphoria, if that makes sense,

00:11:19.920 --> 00:11:28.120
almost like a really, really big achievement. But the problem is, after you’ve gained access

00:11:28.120 --> 00:11:32.600
to that system, you start to look for the next thing. It’s always the next thing because you’re

00:11:32.600 --> 00:11:37.280
always sort of chasing that feeling and trying to replicate what you just did.

00:11:37.280 --> 00:11:41.640
JACK: So, he went back to Google, typing in search queries that would point him to

00:11:41.640 --> 00:11:45.600
different websites that were vulnerable. Of course, when you type anything into Google,

00:11:45.600 --> 00:11:50.640
it gives you 100,000 hits, right? So, he starts looking through the list of potential vulnerable

00:11:50.640 --> 00:11:54.520
sites, and as he was scrolling through, looking at the websites on the list,

00:11:54.520 --> 00:12:01.200
one stood out; microsoft.com. Well, it was a subdomain of Microsoft, but still;

00:12:01.200 --> 00:12:05.600
this is a big company, so he followed the link to see if the site was vulnerable.

00:12:05.600 --> 00:12:10.880
DANIEL: I found a cross-site scripting vulnerability in – on a subdomain in this

00:12:10.880 --> 00:12:19.200
login panel. Essentially, it allowed me to inject JavaScript into that web page so I could craft,

00:12:19.200 --> 00:12:23.820
for example, a malicious link and then steal user accounts, if that makes sense.

00:12:23.820 --> 00:12:30.040
JACK: But a cross-site scripting vulnerability is hard to actually exploit. Finding it is one thing,

00:12:30.040 --> 00:12:35.320
but using it to actually attack someone is a bit tricky. So, Daniel didn’t want to use it

00:12:35.320 --> 00:12:40.240
to do any kind of malicious attack. Instead, he just decided to tell Microsoft about it.

00:12:40.240 --> 00:12:45.200
DANIEL: So, back then, Microsoft ran a responsible disclosure program. I think

00:12:45.200 --> 00:12:50.880
it was one of the few companies back then that did, and I basically took the proof

00:12:50.880 --> 00:12:57.120
of concept and submitted it to Microsoft’s security team. Within a couple of hours,

00:12:57.120 --> 00:13:00.840
they pretty – well, it was either a couple of hours or a couple of days. They got back

00:13:00.840 --> 00:13:05.020
to me and triaged the vulnerability and basically confirmed the existence.

00:13:05.020 --> 00:13:09.920
JACK: Did they give you anything, like a shirt?

00:13:09.920 --> 00:13:18.400
DANIEL: No. So, all they pretty much – so, the only real incentive I had was when I found the

00:13:18.400 --> 00:13:24.480
responsible disclosure program. They were offering a page which allowed you – where

00:13:24.480 --> 00:13:29.200
they put people’s names on, where it was some type of security acknowledgement where you would

00:13:29.200 --> 00:13:34.720
submit a vulnerability and they’d put your name on the website in returns – for submitting that

00:13:34.720 --> 00:13:44.160
vulnerability. But back then, that type of thing was really cool to me because having your name

00:13:44.160 --> 00:13:51.320
on a website like Microsoft when you’re so young seemed really fascinating. So, that’s basically

00:13:51.320 --> 00:13:58.360
the only incentive that I used to submit the vulnerability, or the only source of motivation.

00:13:58.360 --> 00:14:01.180
JACK: Yeah, so did they add your name to the thing?

00:14:01.180 --> 00:14:07.220
DANIEL: Yeah. So, my name was added a week or two later and is – it remains there to this day.

00:14:07.220 --> 00:14:11.360
JACK: Very good. So far, this is a great start for Daniel. Replacing

00:14:11.360 --> 00:14:15.840
one image on a website? Not too bad, but now finding a vulnerability on

00:14:15.840 --> 00:14:20.040
Microsoft’s website and reporting it to them? Nice job. On top of that,

00:14:20.040 --> 00:14:25.200
he was given a great big thank-you. Even better. This could be a great start to a

00:14:25.200 --> 00:14:30.080
prosperous career for Daniel. If he keeps it up, submits a few more vulnerabilities to companies,

00:14:30.080 --> 00:14:35.104
he might start getting job offers, or he could be rewarded for responsibly disclosing bugs.

00:14:35.104 --> 00:14:40.640
DANIEL: [MUSIC] Yeah, so, I pretty much started off with really positive intent. After that

00:14:40.640 --> 00:14:48.720
initial submission with Microsoft, I basically applied the same – I started to wonder if other

00:14:48.720 --> 00:14:54.040
companies would offer some recognition or the same – or some type of reward. So,

00:14:54.040 --> 00:15:01.280
I went through loads of Fortune 500 companies, started finding vulnerabilities, and I ultimately

00:15:01.280 --> 00:15:06.640
ended up submit – well, attempting to submit a lot of vulnerabilities to these Fortune 500

00:15:06.640 --> 00:15:13.560
companies, but none of them ever really provided the same response as Microsoft,

00:15:13.560 --> 00:15:19.400
because they didn’t run any official responsible disclosure programs.

00:15:19.400 --> 00:15:26.760
JACK: Okay, so what did you do after telling them they’ve got a problem and they’re not fixing it?

00:15:26.760 --> 00:15:32.840
DANIEL: So, I – the vulnerabilities started to accumulate. It got to a point where I was

00:15:32.840 --> 00:15:38.960
just sitting on all of these vulnerabilities. I wasn’t really sure what to do with them. I just

00:15:38.960 --> 00:15:43.960
had them saved somewhere. I kept doing it, kept accumulating vulnerabilities,

00:15:43.960 --> 00:15:48.680
I kept trying to reach out to these companies, but they – most of the time, they wouldn’t

00:15:48.680 --> 00:15:57.240
respond. So, two things would happen; either they’d respond and nothing would come of it,

00:15:57.240 --> 00:16:04.120
or they would completely ignore your contact attempt. But I saw – I started to accumulate

00:16:04.120 --> 00:16:14.186
all these vulnerabilities and I guess it got to a point where I decided that I was wasting my time.

00:16:14.186 --> 00:16:18.240
JACK: [MUSIC] Now remember, Daniel learned these hacking techniques from a hacker forum,

00:16:18.240 --> 00:16:22.360
and he was learning more and more from there. In fact, he was hanging out in chat rooms with them

00:16:22.360 --> 00:16:27.760
and stuff. So, you can just imagine his eyes shifting and darting around between windows,

00:16:27.760 --> 00:16:32.640
right? He’d look at one screen which showed all the vulnerabilities he found,

00:16:32.640 --> 00:16:36.160
and then would check his e-mail to see if any of the companies replied that he

00:16:36.160 --> 00:16:42.000
reported vulnerabilities to, and nothing. Then he looked at the hacker chatroom and

00:16:42.000 --> 00:16:49.080
the forums he was on, and then his eyes do the loop again; vulnerabilities, empty inbox,

00:16:49.080 --> 00:16:55.640
hacker forum. He knows the people on this hacker forum loved finding stuff like this.

00:16:55.640 --> 00:16:59.320
DANIEL: Obviously, those individuals weren’t really – not all of them were

00:16:59.320 --> 00:17:04.800
ethical. Not all of them were up to similar things that I was doing at that time. They

00:17:04.800 --> 00:17:10.080
were up to malicious things. But I ultimately ended up sharing all of

00:17:10.080 --> 00:17:16.000
the vulnerabilities with people that I had met on these forums. They sort

00:17:16.000 --> 00:17:21.740
of started using these vulnerabilities with malicious intent, and I guess I joined them.

00:17:21.740 --> 00:17:25.840
JACK: Now, keep in mind; at this point, Daniel has only found vulnerabilities. He

00:17:25.840 --> 00:17:31.040
hadn’t actually tried to exploit any of them. It’s equivalent to finding a window open on

00:17:31.040 --> 00:17:36.640
an office building at night, but not really looking in or reaching in to grab anything. So,

00:17:36.640 --> 00:17:42.840
he tells the people on the forums hey, I found some vulnerabilities on some websites,

00:17:42.840 --> 00:17:47.240
and of course, they loved seeing this. They went straight to trying to exploit

00:17:47.240 --> 00:17:50.220
it to see what kind of information they could get out of these companies.

00:17:50.220 --> 00:17:56.080
DANIEL: So, they’d exploit the vulnerabilities, they’d gain some type of access, and then – so,

00:17:56.080 --> 00:18:01.880
they’d escalate privileges and they would just really pivot around the networks or whatever

00:18:01.880 --> 00:18:09.760
they had gained access to. Sometimes it would result in data being stolen,

00:18:09.760 --> 00:18:16.000
but mainly it was just keeping access at that point in time. It was just to see what could

00:18:16.000 --> 00:18:19.960
really be done with the vulnerabilities, if that makes sense. I guess they were

00:18:19.960 --> 00:18:29.240
just doing it to see what they could sort of accomplish. There was no real intent,

00:18:29.240 --> 00:18:35.346
if that makes sense. It was more like, let’s fuck around and sort of see what we can do.

00:18:35.346 --> 00:18:37.180
JACK: [MUSIC] Were you participating in this?

00:18:37.180 --> 00:18:43.540
DANIEL: So, after I shared the vulnerabilities, I pretty much decided to participate in it, yeah.

00:18:43.540 --> 00:18:48.200
JACK: I guess he’s already participating in hacking these sites just by sharing vulnerabilities with

00:18:48.200 --> 00:18:54.200
them. Doing recon, finding vulnerabilities, and sharing that is all part of the process,

00:18:54.200 --> 00:19:00.360
right? I pause here for a moment because I’m trying to find the actual line that

00:19:00.360 --> 00:19:05.560
you have to cross to become a criminal. Walking by a building just looking to

00:19:05.560 --> 00:19:11.160
see if it has any open windows at night isn’t criminal behavior. But what if you

00:19:11.160 --> 00:19:17.480
told a group of troublemakers about this way in you found? Is that now criminal,

00:19:17.480 --> 00:19:22.360
just telling someone about a vulnerability you found with a company? It’s hard to say.

00:19:22.360 --> 00:19:27.160
DANIEL: It depends where you are in the world. There’s different computer laws

00:19:27.160 --> 00:19:33.920
pretty much in every different country. I can only speak on behalf of the UK. In the UK,

00:19:33.920 --> 00:19:41.520
the Computer Misuse Act is so vague that there’s different interpretations of it. Like,

00:19:41.520 --> 00:19:46.800
I read somewhere that the National Crime Agency has their own interpretation of the Computer

00:19:46.800 --> 00:19:54.800
Misuse Act. So, I think it ultimately comes down to ethics. If you’re going to report a

00:19:54.800 --> 00:20:01.960
vulnerability, [MUSIC] I think there’s a law – like, we heard that you’re really gonna be

00:20:01.960 --> 00:20:07.880
prosecuted for trying to ethically disclose a vulnerability, but it doesn’t always turn

00:20:07.880 --> 00:20:17.000
out that way. In that time period, I must have reported twenty or thirty vulnerabilities, and

00:20:17.000 --> 00:20:25.080
I never received a negative response, not once. It was either no response or a positive response.

00:20:25.080 --> 00:20:28.840
JACK: Well, now Daniel was switching it up. Instead of just finding vulnerabilities and

00:20:28.840 --> 00:20:34.160
reporting them to companies, he was now actively trying to exploit these vulnerabilities and hack

00:20:34.160 --> 00:20:37.960
into these companies and their websites, and trying to get into their systems and doing stuff

00:20:37.960 --> 00:20:43.360
he absolutely wasn’t supposed to be doing. This was all just for fun. Occasionally, someone would

00:20:43.360 --> 00:20:48.240
take some data or download something, but for the most part, it was just a big thrill to find a

00:20:48.240 --> 00:20:55.280
way in and look around. That was enough for these guys. I’m picturing you as – half of you is there

00:20:55.280 --> 00:20:59.640
to help. You’re like man, this stuff needs to be cleaned up. Nobody’s cleaning it up. Here you go;

00:20:59.640 --> 00:21:06.200
you guys need to fix this stuff. Then half of you is like, I’m gonna have fun with what I have at

00:21:06.200 --> 00:21:09.800
the same time and just screw around with – like, if these companies aren’t gonna be fixing stuff,

00:21:09.800 --> 00:21:14.160
I might as well jump in and see what’s going on in there, and just take a look and get out.

00:21:14.160 --> 00:21:20.360
DANIEL: Yeah, I think that’s pretty much accurate. I had no real – I wasn’t on one side,

00:21:20.360 --> 00:21:26.480
if that makes sense. I was on both. Sometimes I’d sort of mess around with a vulnerability

00:21:26.480 --> 00:21:32.600
and then sometimes I’d try and disclose it. I was never really – at that point in time,

00:21:32.600 --> 00:21:35.680
I was never really on one side, if that makes sense.

00:21:35.680 --> 00:21:40.580
JACK: Yeah. So, at that point you start going to college, I believe?

00:21:40.580 --> 00:21:43.960
DANIEL: Yeah. So, around that time, I started going to college.

00:21:43.960 --> 00:21:49.320
JACK: Daniel completed his Level 2 coursework, which is sort of like high school in the US,

00:21:49.320 --> 00:21:52.960
and was wanting to go onto Level 3 courses, which is kind of like what you do after high

00:21:52.960 --> 00:21:57.160
school. He finds a college near his parents’ house in Wales, in the UK,

00:21:57.160 --> 00:22:00.860
and he signs up to study computers, which was his passion, clearly.

00:22:00.860 --> 00:22:05.640
DANIEL: So, I complete this Level 2 course and then I apply for the Level 3 course. I

00:22:05.640 --> 00:22:14.920
basically – I’m informed that this Level 3 course consists of a lot of presentations and socially,

00:22:14.920 --> 00:22:21.200
you have to be – there’s a lot of activities in this course that involve – there’s a social

00:22:21.200 --> 00:22:27.120
element to them and back then, I was a really unhappy and awkward, fat teenager.

00:22:27.120 --> 00:22:36.600
I really didn’t like that at all. I basically had access to this botnet. It was essentially a Mirai

00:22:36.600 --> 00:22:42.480
botnet which had loads – so, someone online essentially gave me access to this botnet.

00:22:42.480 --> 00:22:44.000
JACK: Did you pay for it?

00:22:44.000 --> 00:22:49.060
DANIEL: No. So, it was through someone I had met online and they gave me free access to it.

00:22:49.060 --> 00:22:54.840
JACK: Now, what the Mirai botnet is best at is flooding an IP address with gobs of traffic,

00:22:54.840 --> 00:22:59.920
so much that it will take down a website. It’s very good at doing DDoS attacks.

00:22:59.920 --> 00:23:04.920
DANIEL: They pretty much had a website, and on that website there was a panel where everyone

00:23:04.920 --> 00:23:13.200
would log in. That’s how everyone used to access all of their work and their documents. At the

00:23:13.200 --> 00:23:19.680
time, I had access to this botnet and [MUSIC] I guess I got really bored and decided to point it

00:23:19.680 --> 00:23:29.320
towards the college. I essentially DDoSed that college, but what I didn’t know at the time is

00:23:29.320 --> 00:23:34.800
that the college was also hosting a lot of other networks. It was basically one – so,

00:23:34.800 --> 00:23:41.720
it was one huge network that hosted a lot of services like police stations and quite

00:23:41.720 --> 00:23:48.600
a few things. So, by DDoSing this network, I had pretty much affected a lot of services,

00:23:48.600 --> 00:23:56.760
not just the college. I ended up DDoSing a lot more things than I really intended to. But yeah,

00:23:56.760 --> 00:24:02.200
by DDoSing that website, in effect, nobody could log in and nobody could

00:24:02.200 --> 00:24:08.480
really access their work or upload work or pretty much do their coursework.

00:24:08.480 --> 00:24:14.960
JACK: Well, when the main portal that students used to log in to do their work was down,

00:24:14.960 --> 00:24:20.760
this resulted in Daniel’s class getting canceled for the day, which was sort of what he wanted.

00:24:20.760 --> 00:24:24.480
He didn’t want to go to class, but he also didn’t want to tell his parents that he didn’t

00:24:24.480 --> 00:24:30.040
want to go to class. So, this was the perfect excuse for him of why he wasn’t going to class;

00:24:30.040 --> 00:24:34.680
school was canceled because the computers were out of order. Once the scheduled time for his

00:24:34.680 --> 00:24:41.960
class was over, he turned the attack off. [MUSIC] Well, that worked out in his favor for the day,

00:24:41.960 --> 00:24:46.880
but then the next week rolls around and he has classes again. Since attacking the school with a

00:24:46.880 --> 00:24:53.160
botnet resulted in class being canceled last time, he decided to launch the attack again. Again,

00:24:53.160 --> 00:24:58.200
this took the computers down and it resulted in classes being canceled. This seemed to be

00:24:58.200 --> 00:25:02.760
working. So, every time he had to go to class, he’d just attack the school.

00:25:02.760 --> 00:25:08.680
DANIEL: So, at the very beginning, I used to pretty much just do it

00:25:08.680 --> 00:25:15.360
in hour intervals. I would DDoS the network for an hour or two,

00:25:15.360 --> 00:25:20.120
usually in the morning when everyone would go into the college, and quite quickly they’d find

00:25:20.120 --> 00:25:24.460
out that the network was offline, and they’d cancel everything for that day.

00:25:24.460 --> 00:25:30.000
JACK: Daniel had mixed feelings about all this. On one hand, he was relieved that he didn’t have

00:25:30.000 --> 00:25:34.200
to do any presentations at school. But on the other hand, he felt bad for attacking

00:25:34.200 --> 00:25:40.040
a school and ruining it for other students. But then his curiosity was growing, wondering

00:25:40.040 --> 00:25:45.560
how many more days can the school be canceled because of this? Surely it can’t go on forever,

00:25:45.560 --> 00:25:49.480
right? They’re not gonna cancel the whole semester, will they? It sort of made him

00:25:49.480 --> 00:25:54.920
curious on how they’re gonna resolve this. How do you defend against a Mirai botnet?

00:25:54.920 --> 00:26:00.320
How tough is the school to be able to stand up to it? So, he continued to attack the school.

00:26:00.320 --> 00:26:07.320
DANIEL: I think in total, I must have done it well over thirty times. It became a constant

00:26:07.320 --> 00:26:14.120
thing. I would pretty much do it every day. So, whenever the network would come back up,

00:26:14.120 --> 00:26:21.360
I would just hit it again, and it became a constant thing. They used to send – they would

00:26:21.360 --> 00:26:32.560
cancel lessons for weeks at a time because nobody could do anything, pretty much. So,

00:26:32.560 --> 00:26:39.280
basically, one morning – so, I was sleeping and I remember opening my eyes [MUSIC] to two

00:26:39.280 --> 00:26:44.960
police officers standing in my bedroom doorway. Obviously at this point, I was still living with

00:26:44.960 --> 00:26:50.240
my parents because I was quite young. But I remember opening my eyes to these two police

00:26:50.240 --> 00:26:58.760
officers standing in my bedroom doorway, and they sort of said to me you need to come downstairs. I

00:26:58.760 --> 00:27:06.760
pretty much went downstairs; they – I sat down on a couch and they were going through everything.

00:27:06.760 --> 00:27:11.160
They were going through my computer, they were taking all of the electronics,

00:27:11.160 --> 00:27:17.880
pretty much all the devices in the house. At that time, I was cautioned and arrested

00:27:17.880 --> 00:27:25.520
for DDossing the college, pretty much. So, when I – basically, when I was arrested,

00:27:25.520 --> 00:27:32.160
even though they came to arrest me for the college DDoS, there was a lot of other material

00:27:32.160 --> 00:27:38.960
on my hard drive that they wouldn’t have been aware of. They only became aware of it when

00:27:38.960 --> 00:27:45.480
they inspected my devices. So, when I previously discussed where I was hacking websites for fun,

00:27:45.480 --> 00:27:50.280
that was all still on my hard drive. So, what had happened is they had come to my house,

00:27:50.280 --> 00:27:56.080
arrested me for DDossing the college. They kept me in a police station for

00:27:56.080 --> 00:28:03.160
a couple of hours. They interviewed me. I was released on bail but during that bail period,

00:28:03.160 --> 00:28:08.560
when they inspected my computers, they would have then found all the other material, which would

00:28:08.560 --> 00:28:17.320
have allowed them to charge me with more things, like the – all the Computer Misuse charges.

00:28:17.320 --> 00:28:22.480
JACK: Once the police discovered all this new evidence of crimes that Daniel committed,

00:28:22.480 --> 00:28:27.480
they re-arrested him and charged him with thirteen more offenses. They brought him

00:28:27.480 --> 00:28:31.440
down to the police station and interviewed him. They asked him lots of questions about the

00:28:31.440 --> 00:28:36.240
stuff they found on his computers. They let him go home and they investigated some more,

00:28:36.240 --> 00:28:40.520
and they brought him back to the station and interviewed him some more. This goes on and on for

00:28:40.520 --> 00:28:46.120
months. They finally issue him a court date where the judge will decide what his punishment will be.

00:28:46.120 --> 00:28:52.120
DANIEL: So, this is where it gets a bit tricky. So, basically when they issued me with that court

00:28:52.120 --> 00:29:01.640
date – so, they issued me with a court date; I think it was the following year. During that time

00:29:01.640 --> 00:29:06.960
period, after I had been released from the police station, I pretty much decided to re-offend,

00:29:06.960 --> 00:29:10.434
and that’s where it starts to get a bit more complicated, because then…

00:29:10.434 --> 00:29:14.760
JACK: Why do you say it like that? I decided to re-offend? Was it that clear in your head

00:29:14.760 --> 00:29:20.040
that like, I’m gonna go re-offend? It just seems like a weird thing to say.

00:29:20.040 --> 00:29:27.840
DANIEL: Honestly, no, it wasn’t really that clear.

00:29:27.840 --> 00:29:37.440
JACK: He had about five months before he was due in court. Now, the cops still had

00:29:37.440 --> 00:29:41.680
all his computers. They confiscated those months ago and kept them for evidence. So,

00:29:41.680 --> 00:29:47.624
Daniel convinced his parents that he needed a computer in order to resume his life.

00:29:47.624 --> 00:29:54.240
DANIEL: [MUSIC] By removing my devices, what they had done is sort of stripped my existence.

00:29:54.240 --> 00:29:59.560
I was fulfilling all of my needs through the internet. I had no other activities.

00:29:59.560 --> 00:30:02.640
I used to socialize through the internet, I used to have fun through the internet,

00:30:02.640 --> 00:30:09.960
entertainment through the internet. Basically, I ended up committing more offenses on bail. I

00:30:09.960 --> 00:30:15.560
can’t really explain why, but what happened – what ultimately happened is that I resumed everything

00:30:15.560 --> 00:30:20.040
as if nothing had happened. I managed to convince my parents to buy me a new device. I went out,

00:30:20.040 --> 00:30:25.720
logged in to all of these – I logged into the communities that I was already established in,

00:30:25.720 --> 00:30:33.400
and I just continued. My criminality essentially – from that point onwards, my criminality

00:30:33.400 --> 00:30:42.240
essentially escalated from low-level offending to blackmail, fraud, and computer hacking. There

00:30:42.240 --> 00:30:48.920
was this three-month period where I basically went on this hacking spree, and I acted in a

00:30:48.920 --> 00:30:54.840
group and I acted on my own. I sort of would hack into websites, I would steal the data,

00:30:54.840 --> 00:31:02.300
and I would then try and blackmail the founder or the – whoever was behind the website for money.

00:31:02.300 --> 00:31:06.280
JACK: Once he found his way back into the groups he was in and he got all his old

00:31:06.280 --> 00:31:12.000
tools set up again, there was no stopping him. He went right back to his old ways,

00:31:12.000 --> 00:31:25.212
because, as the old saying goes…

00:31:25.212 --> 00:31:25.288
MUSIC: [MUSIC/LYRICS] In for a penny, in for a pound, you should never jump

00:31:25.288 --> 00:31:25.354
off the merry-go-round. In for a penny, in for a pound… [CONT’D]

00:31:25.354 --> 00:31:29.560
JACK: Now, there was no effort to do responsible disclosure. His intention was just to figure out

00:31:29.560 --> 00:31:34.760
how to make money with all the hacking he was doing. The easiest thing that came to mind was

00:31:34.760 --> 00:31:40.200
extortion. I hacked you; pay me or else, kinda stuff. He didn’t have his hands on

00:31:40.200 --> 00:31:44.760
any kind of ransomware, or he might have tried to use that. But what he would do was find a website

00:31:44.760 --> 00:31:49.400
with vulnerabilities, exploit them, maybe take some data from them, and then e-mail the owner

00:31:49.400 --> 00:31:54.040
of the site demanding money, or else he’ll publish this data that he stole and publish

00:31:54.040 --> 00:31:58.520
the vulnerabilities on how he got in. Sometimes he didn’t even exploit the site and steal data;

00:31:58.520 --> 00:32:01.960
sometimes he’d just tell them that he found a severe vulnerability on their site and will

00:32:01.960 --> 00:32:07.600
publish it unless they pay him. What Daniel was asking was anywhere between five and

00:32:07.600 --> 00:32:12.560
forty Bitcoin. A Bitcoin then was only worth about $200, so he was demanding anywhere from

00:32:12.560 --> 00:32:20.080
$1,000 to $10,000. Of course, companies weren’t paying, so sometimes he’d escalate the situation

00:32:20.080 --> 00:32:25.320
and would get personal data from site employees and show them how he was going to publish their

00:32:25.320 --> 00:32:30.120
information unless they paid him. These were some serious threats to these companies,

00:32:30.120 --> 00:32:34.920
so of course, they were reporting all this to the authorities. But Daniel was hitting companies

00:32:34.920 --> 00:32:45.960
in countries all over the world; Canada, the US, Australia. Did any of these work?

00:32:45.960 --> 00:32:53.480
DANIEL: So, one of the blackmails worked, and I pretty much ended up extracting about £5,000

00:32:53.480 --> 00:32:59.000
out of an Australian company. [MUSIC] We basically sent an e-mail to this – the

00:32:59.000 --> 00:33:04.040
CEO of this company and we said if you don’t pay, we’re going to release all the customer

00:33:04.040 --> 00:33:09.080
data and we’re also going to publish the source code, which would then make their

00:33:09.080 --> 00:33:14.880
product a bit useless. After we sent that e-mail, that’s when they decided to pay.

00:33:14.880 --> 00:33:20.440
JACK: Now, here’s why you shouldn’t pay people when they try to extort you like this. As soon

00:33:20.440 --> 00:33:25.600
as this company paid Daniel, he just wrote back to them and demanded even more money, saying I found

00:33:25.600 --> 00:33:30.560
even more stuff; pay me more. You can’t trust criminals to be honorable in this situation.

00:33:30.560 --> 00:33:35.040
DANIEL: So, along with blackmail, I was putting some of the data that I had stolen up for

00:33:35.040 --> 00:33:41.880
sale. I was trying to sell them on various forums and tried to make money that way. So,

00:33:41.880 --> 00:33:48.000
I made a couple of hundred of pounds, but I never really made a lot of money.

00:33:48.000 --> 00:33:54.040
JACK: Now, getting even this little bit of money, it was like jet fuel for Daniel. It

00:33:54.040 --> 00:33:59.440
was amazing that his system worked, and he was getting paid for hacking. He just

00:33:59.440 --> 00:34:04.240
had to hack more and extort more, and he’d get paid more. So, he kept on the hunt for

00:34:04.240 --> 00:34:08.860
more vulnerabilities and was going crazy with all kinds of hacking and extortion attempts.

00:34:08.860 --> 00:34:13.040
DANIEL: The companies became a lot bigger, the websites became a lot bigger,

00:34:13.040 --> 00:34:21.080
and the blackmail – the sums demanded with the blackmail became a lot bigger as well.

00:34:21.080 --> 00:34:26.560
Eventually, one of the companies that we – well, that I sort of hit was TalkTalk.

00:34:26.560 --> 00:34:34.480
JACK: Oh, TalkTalk. This is a British telecom company. They provide cell phone and internet

00:34:34.480 --> 00:34:41.520
services. It’s a big company in the UK. But this TalkTalk incident was quite the thing. [MUSIC] It

00:34:41.520 --> 00:34:47.160
all started one evening when Daniel logged into the hacking forum that he frequented. In fact,

00:34:47.160 --> 00:34:50.580
he was such a regular at this hacking forum that he was a moderator there.

00:34:50.580 --> 00:34:58.000
DANIEL: On one evening, a user makes a post and he basically – he’s asking for

00:34:58.000 --> 00:35:04.080
assistance in exploiting this vulnerability in TalkTalk. What he’s effectively found is

00:35:04.080 --> 00:35:08.120
an SQL injection on a subdomain but he doesn’t know how to exploit it,

00:35:08.120 --> 00:35:14.080
so he sort of posted it on this forum asking for help. That’s when I’ve come across it.

00:35:14.080 --> 00:35:19.480
JACK: This user posted a vulnerability for a pretty big telecom company and had

00:35:19.480 --> 00:35:24.960
no idea how severe this was. Some savvy users on the site pretty quickly were

00:35:24.960 --> 00:35:28.800
able to exploit this vulnerability and actually get into TalkTalk’s

00:35:28.800 --> 00:35:34.480
network and start moving around and stealing data. Daniel was seeing the

00:35:34.480 --> 00:35:39.840
frenzy that was stirring from this forum post. This was really bad for TalkTalk.

00:35:39.840 --> 00:35:47.040
DANIEL: This thread got posted and loads of people started sharing it. It went everywhere. It went

00:35:47.040 --> 00:35:52.120
over other forums, it went over Java, it went over IRC. I think at that time,

00:35:52.120 --> 00:35:56.840
there must have been well over twenty people that had this vulnerability in their possession,

00:35:56.840 --> 00:36:04.120
for sure. There were just so many people exploiting this vulnerability. So much

00:36:04.120 --> 00:36:10.680
data was stolen from TalkTalk that it was really unbelievable. Even people – so,

00:36:10.680 --> 00:36:16.480
people on darknet markets even started selling the data. It was pretty much everywhere. So,

00:36:16.480 --> 00:36:24.760
I took the vulnerability and I initially shared it with someone on IRC. They had pretty much decided

00:36:24.760 --> 00:36:30.960
to dump as much data as possible. There was something like sixty-four databases,

00:36:30.960 --> 00:36:40.000
and they’d stolen – I think it was 100,000 records before the website went offline

00:36:40.000 --> 00:36:45.540
and they couldn’t dump any more data. That person then sent me that data on the server.

00:36:45.540 --> 00:36:49.560
JACK: The next day, this was all over the news. Here’s a clip from the BBC.

00:36:49.560 --> 00:36:54.840
HOST: Some breaking news; in the last hour, police are investigating after a significant

00:36:54.840 --> 00:36:59.760
and sustained cyber-attack on the website of the company TalkTalk. We actually have

00:36:59.760 --> 00:37:05.840
the CEO of TalkTalk, Dido Harding, here. First of all, Dido Harding, how many people are affected?

00:37:05.840 --> 00:37:08.320
DIDO: We don’t know for certain, but we’re taking

00:37:08.320 --> 00:37:11.920
the precaution tonight of contacting all four million of our customers.

00:37:11.920 --> 00:37:13.860
HOST: But you didn’t do – the attack was yesterday.

00:37:13.860 --> 00:37:17.480
DIDO: The attack started yesterday. We brought down all of our websites

00:37:17.480 --> 00:37:22.400
yesterday lunchtime. We spent the last twenty-four hours with the Metropolitan

00:37:22.400 --> 00:37:26.600
Police and various security experts trying to get to the bottom of what has happened.

00:37:26.600 --> 00:37:30.200
JACK: Good luck trying to get to the bottom of this one. Twenty different people just breached

00:37:30.200 --> 00:37:36.800
your network. But not Daniel; Daniel has only seen the forum post and told a friend to check

00:37:36.800 --> 00:37:42.080
this out. His friend is the one who got in and downloaded the database. But at this

00:37:42.080 --> 00:37:47.480
point in Daniel’s life, he was actively extorting companies left and right. So,

00:37:47.480 --> 00:37:53.104
he looked at the data that his friend took from TalkTalk and got an idea.

00:37:53.104 --> 00:37:59.440
DANIEL: [MUSIC] So, I had access to this data and I basically decided to

00:37:59.440 --> 00:38:05.480
gather all of the e-mails from the data and – so, the staff e-mails,

00:38:05.480 --> 00:38:12.040
the employee e-mails, and the CEO’s e-mail addresses, and I decided to send a ransom

00:38:12.040 --> 00:38:19.560
demand basically demanding Bitcoin in exchange for me not to release this data.

00:38:19.560 --> 00:38:24.440
JACK: The CEO of TalkTalk, Dido Harding, did in fact get his e-mail,

00:38:24.440 --> 00:38:28.100
and I know this because here’s another clip from the BBC a few days later.

00:38:28.100 --> 00:38:31.280
DIDO: It’s a live criminal investigation. All I can say

00:38:31.280 --> 00:38:37.000
is that I had and personally received a contact from someone purporting,

00:38:37.000 --> 00:38:41.620
as I say – I don’t know whether they are or are not – to be the hacker looking for money.

00:38:41.620 --> 00:38:46.680
JACK: The CEO didn’t reply to Daniel. Instead, she just turned over his e-mail

00:38:46.680 --> 00:38:51.800
to the Metropolitan Police who got right to work investigating this case. I’ve heard from

00:38:51.800 --> 00:38:56.200
a few listeners that they don’t like it when I have teenage hackers on this show. But let

00:38:56.200 --> 00:39:01.360
me tell you why I think this is important. This isn’t some cringe roll-your-eyes kind of story;

00:39:01.360 --> 00:39:05.000
ah yeah, a teenager hacked some company. Big whoop. This guy isn’t even that good

00:39:05.000 --> 00:39:11.320
of a hacker. Anyone could have done this. Maybe, but this whole TalkTalk incident resulted in $70

00:39:11.320 --> 00:39:16.400
million in damage to TalkTalk. They saw scores of customers cancel their service because of

00:39:16.400 --> 00:39:22.080
this. Their stock tumbled, and the CEO had to appear before parliament to give testimony as

00:39:22.080 --> 00:39:28.360
to why their security failed. This was a huge problem for TalkTalk, which meant it was a huge

00:39:28.360 --> 00:39:32.520
problem for the highly-skilled, talented IT staff that worked to secure TalkTalk.

00:39:32.520 --> 00:39:34.440
DIDO: We would receive what’s called

00:39:34.440 --> 00:39:37.080
denial-of-service attacks on our network every week.

00:39:37.080 --> 00:39:42.600
JACK: This is their adversary, a teenager who wants to make some money from your one slip-up

00:39:42.600 --> 00:39:46.680
that you had on a server that came over when TalkTalk acquired another company. What I’m

00:39:46.680 --> 00:39:52.040
saying is this is really important and you can’t ignore this kind of adversary. You can’t roll your

00:39:52.040 --> 00:39:57.000
eyes and ignore this kind of attack, because this kind of attack can destroy your company and bring

00:39:57.000 --> 00:40:03.560
it to its knees. This TalkTalk incident is such a big story that I actually spent a whole episode

00:40:03.560 --> 00:40:08.640
on it. That was Episode 4, so if you want to know all the details of what went down in the TalkTalk

00:40:08.640 --> 00:40:15.260
incident, go check out Episode 4. Anyway, as the hack died down in the news, a few weeks go by.

00:40:15.260 --> 00:40:24.160
DANIEL: One evening in November, I was driving and I had a phone call from my dad. On the phone,

00:40:24.160 --> 00:40:28.600
all I can hear in the background is someone saying my name and then

00:40:28.600 --> 00:40:32.960
saying not to tell me something. [MUSIC] But my dad had basically

00:40:32.960 --> 00:40:40.480
told me that there was police waiting in my house and they wanted to speak to me. So,

00:40:40.480 --> 00:40:48.240
I initially – a part of me sort of knew what it was about at that point. I wasn’t that naive. I

00:40:48.240 --> 00:40:55.880
sort of knew what it was about, so I pretty much turned the car around and drove home.

00:40:55.880 --> 00:40:58.560
JACK: When you turned that car around and you were driving home,

00:40:58.560 --> 00:41:01.320
what was going on in your head as you were driving home?

00:41:01.320 --> 00:41:01.980
DANIEL: I was…

00:41:01.980 --> 00:41:04.720
JACK: Like, were you – I can’t imagine you listening to your

00:41:04.720 --> 00:41:07.300
favorite music and just jamming – dancing around.

00:41:07.300 --> 00:41:16.560
DANIEL: No, definitely not, no. I honestly got lost in my own world. On the way home,

00:41:16.560 --> 00:41:21.800
I just had so many thoughts going through my head that I really didn’t know what to

00:41:21.800 --> 00:41:29.800
think. A part of me really didn’t want it to be real, even though I knew – obviously then,

00:41:29.800 --> 00:41:33.280
I pretty much knew what it was, because there was no other reason for them to

00:41:33.280 --> 00:41:40.360
come back. A part of me was just like, wishing that it wasn’t real and that it

00:41:40.360 --> 00:41:51.560
was all not reality. It’s really hard to explain. I was just lost in my own world.

00:41:51.560 --> 00:41:59.380
There were no – there wasn’t panic. I guess I was just focused on getting back to my house.

00:41:59.380 --> 00:42:05.080
JACK: He arrives home. Now, keep in mind, he lives in a small, quiet town out in Wales.

00:42:05.080 --> 00:42:09.880
DANIEL: There’s like, four police vans, twenty police officers, there’s multiple agencies,

00:42:09.880 --> 00:42:14.000
there’s undercover police officers. You could tell it was a lot more serious this time. The whole

00:42:14.000 --> 00:42:20.680
street was closed and it literally looked like a murder scene. I parked my car, I walked past

00:42:20.680 --> 00:42:24.720
the police officers because they didn’t recognize me. I walked into the house, and then my parents

00:42:24.720 --> 00:42:31.760
told me that this was me. A part of me thinks that they were expecting something a lot more serious,

00:42:31.760 --> 00:42:37.680
because at first they didn’t even recognize me. There were agencies from – so, there was the

00:42:37.680 --> 00:42:42.960
National Crime Agency, there was the Metropolitan Police, there was my local cyber-crime unit.

00:42:42.960 --> 00:42:47.260
JACK: They go through the house, seizing all his computer equipment just like before.

00:42:47.260 --> 00:42:52.240
DANIEL: So, they put me in the back of an undercover police van. They put me in

00:42:52.240 --> 00:42:57.680
between two police officers, and they pretty much escorted us through town.

00:42:57.680 --> 00:43:03.320
They had their blue lights on. There was one car in front of us, one car behind us,

00:43:03.320 --> 00:43:08.800
and we pretty much just flew through my town center. They closed off roundabouts,

00:43:08.800 --> 00:43:13.380
they closed off roads, and we must have literally got to the police station in minutes.

00:43:13.380 --> 00:43:18.320
JACK: Now, at this point, he’s around seventeen years old. They interviewed him and asked him

00:43:18.320 --> 00:43:22.040
what happened. Then they let him go back home so they can investigate further. [MUSIC] They

00:43:22.040 --> 00:43:26.880
bring him back to the police station and charge him with twenty offenses. They were charging

00:43:26.880 --> 00:43:31.360
him with attempting to extort Dido Harding, and they apparently found some of the other offenses

00:43:31.360 --> 00:43:36.300
he did on the other companies too, which gave Daniel a clue on how they found him.

00:43:36.300 --> 00:43:44.720
DANIEL: So, when I sent the extortion e-mail to TalkTalk, I used Tor. I used an anonymous

00:43:44.720 --> 00:43:49.840
e-mail provider. But around that time, I was obviously still blackmailing other

00:43:49.840 --> 00:43:59.640
companies. What I had done is I had hacked and blackmailed another company without using Tor;

00:43:59.640 --> 00:44:09.840
I only used a VPN. What I had done is I had reused a Bitcoin address for the TalkTalk extortion and

00:44:09.840 --> 00:44:15.320
the other companies’ extortion, so they had pretty much managed to use a Bitcoin address

00:44:15.320 --> 00:44:22.080
to link those two offenses together, and then they had investigated the smaller hack. Because

00:44:22.080 --> 00:44:27.420
I was only using a VPN, presumably the VPN provider turned over my IP address.

00:44:27.420 --> 00:44:31.760
JACK: This case was bigger than what the local police station of Wales could handle,

00:44:31.760 --> 00:44:36.880
so they took him to the Metropolitan Police in London, about four hours away. About two

00:44:36.880 --> 00:44:40.700
months after being arrested, he finally gets to go to the magistrate court in London.

00:44:40.700 --> 00:44:43.800
DANIEL: I go to my first court hearing. In effect,

00:44:43.800 --> 00:44:47.720
I’m then remanded into custody from that magistrates’ court.

00:44:47.720 --> 00:44:52.160
JACK: Which means he had to go to jail, but only for a week or two.

00:44:52.160 --> 00:44:57.240
But this was his first time in jail, and he did not like the experience.

00:44:57.240 --> 00:45:03.160
DANIEL: After those seven to ten days, I pretty much decided that I wasn’t built for prison,

00:45:03.160 --> 00:45:08.520
and it was honestly one of the worst weeks of my life. I was pretty much a cyber criminal. I was

00:45:08.520 --> 00:45:13.760
there on computer hacking charges and blackmail. Then to be put in a cell with someone that was

00:45:13.760 --> 00:45:19.720
doing five years for armed robbery is really – it’s a huge shock to the system ’cause you

00:45:19.720 --> 00:45:24.680
honestly don’t expect to be sharing a cell with someone – like, that’s really serious

00:45:24.680 --> 00:45:31.600
offending. So, I pretty much decided from that point on that I was never gonna re-offend again.

00:45:31.600 --> 00:45:36.320
I think that’s when it really hit me, that – just those seven to ten days, I decided you know what,

00:45:36.320 --> 00:45:42.580
I’m never gonna re-offend again. It’s not worth anything to go through that experience again.

00:45:42.580 --> 00:45:49.520
JACK: Now, this week he spent in jail was not his whole punishment. I’m confused on how things go in

00:45:49.520 --> 00:45:54.360
the UK, but my theory is since he had previous charges for hacking the school and he did all

00:45:54.360 --> 00:45:59.040
this extortion stuff while he was out on bail, the court didn’t want him to break more laws,

00:45:59.040 --> 00:46:02.960
so they threw him in jail just to give him a taste of what prison life is like,

00:46:02.960 --> 00:46:08.800
and this worked. This shock to his system made Daniel not want to re-offend again, because if

00:46:08.800 --> 00:46:13.560
this was gonna be his consequences, he did not want to make it any worse. [MUSIC] So, he gets

00:46:13.560 --> 00:46:18.120
out on bail and has to wait for his court date where they’re going to figure out what his full

00:46:18.120 --> 00:46:23.600
sentence is gonna be. Now, when he’s out on bail, the judge put a lot of restrictions on Daniel.

00:46:23.600 --> 00:46:29.920
DANIEL: A lot of them were really bizarre. I was banned from Python, the programming language,

00:46:29.920 --> 00:46:36.520
I had to register all of my devices with my local police, I was banned from using Tor,

00:46:36.520 --> 00:46:43.160
I was banned from using VPNs. I was pretty much banned from a lot of technology. Like, I couldn’t

00:46:43.160 --> 00:46:50.520
delete my internet history. But the only one that really stands out is being banned from Python.

00:46:50.520 --> 00:46:57.400
I couldn’t really understand why they decided to put that as part of my bail conditions. But yeah,

00:46:57.400 --> 00:47:04.160
I had all of these bail conditions on me and that’s pretty much what I had to live by for like,

00:47:04.160 --> 00:47:12.280
months. After spending that week in prison, I sort of had an epiphany and realized that no matter

00:47:12.280 --> 00:47:17.640
what happens in my life, I never want to be in this place again. So when I was released on – when

00:47:17.640 --> 00:47:24.920
I was bailed from prison, a part of me didn’t even want to touch computers again. I would have found

00:47:24.920 --> 00:47:31.760
it a lot easier just to not use computers ever again if it meant not going through that week.

00:47:31.760 --> 00:47:41.920
But as weeks went by, I sort of – I guess I got bored and I ended up buying another computer.

00:47:41.920 --> 00:47:49.200
JACK: He eventually got back into hacking, looking for vulnerabilities on websites. But this time,

00:47:49.200 --> 00:47:54.600
it was completely different. He was serious that he was done offending and was abiding by

00:47:54.600 --> 00:47:59.880
his bail conditions, because what he wanted to do was use his hacking skills for good,

00:47:59.880 --> 00:48:04.280
and he started doing responsible vulnerability disclosures for companies,

00:48:04.280 --> 00:48:08.760
finding problems and then quietly reporting it to them, not exploiting any of it,

00:48:08.760 --> 00:48:14.160
not stealing anything, and not extorting anyone. He wasn’t even asking for a reward; he was simply

00:48:14.160 --> 00:48:19.840
trying to make right all the wrongs he did by helping companies secure their systems better.

00:48:19.840 --> 00:48:25.080
DANIEL: I started engaging in all of these bug bounty programs. I started engaging in responsible

00:48:25.080 --> 00:48:32.680
disclosure. [MUSIC] Pretty much every day, I was reporting vulnerabilities in all types of systems

00:48:32.680 --> 00:48:41.960
while on bail. So, in my head at the time, I sort of realized that any good that I could do would

00:48:41.960 --> 00:48:49.320
be considered during my sentencing hearing. So, it’s basically called mitigation. So, you can do

00:48:49.320 --> 00:48:54.520
a lot of good things and then your lawyers can go to the judge and go look, these are all the

00:48:54.520 --> 00:48:59.040
good things about this defendant and this is why you should give him less of a prison sentence or

00:48:59.040 --> 00:49:06.240
no prison sentence at all. So, I pretty much decided to engage in responsible disclosure,

00:49:06.240 --> 00:49:15.040
report all of these vulnerabilities to these entities, and pretty much every day for two years.

00:49:15.040 --> 00:49:17.320
JACK: He was finding a lot of stuff and reporting

00:49:17.320 --> 00:49:22.040
it. One place he liked reporting bugs to was MITRE’s CVE program.

00:49:22.040 --> 00:49:25.680
DANIEL: What I would do is I would take an open-source project,

00:49:25.680 --> 00:49:31.680
I would find a vulnerability, I would then contact the vendor, I’d inform the vendor,

00:49:31.680 --> 00:49:37.360
and after they’ve patched the vulnerability, the vendor – I’d then ask the vendor for permission

00:49:37.360 --> 00:49:46.760
to sort of file this proof-of-concept along with a publication to this awarding body called Citra,

00:49:46.760 --> 00:49:52.440
and they would then publicly issue a CVE ID for this project affected.

00:49:52.440 --> 00:49:58.960
JACK: Nice; he’s responsible for finding many CVEs. That’s pretty good. CVEs are like a list

00:49:58.960 --> 00:50:02.400
of known vulnerabilities in products. When the vulnerability you found is big enough

00:50:02.400 --> 00:50:08.120
to merit its own CVE, it means that it’s now going to be integrated into antivirus tools,

00:50:08.120 --> 00:50:12.320
vulnerability scanners, and more security tools to detect when someone else is

00:50:12.320 --> 00:50:17.040
exploiting this application. So, not only was he privately helping vendors fix bugs,

00:50:17.040 --> 00:50:21.600
but he was also helping the professional security community be able to identify those

00:50:21.600 --> 00:50:26.120
bugs if anyone were to do what he did. Did you get paid for any of these bugs that you found?

00:50:26.120 --> 00:50:33.520
DANIEL: So, I was doing this with no real financial intent. I was just doing this for the

00:50:33.520 --> 00:50:40.600
sole – on the sole principle of it contributing to less of a prison sentence. But sometimes,

00:50:40.600 --> 00:50:45.720
a lot of companies would offer me money regardless, and what I would do is I’d

00:50:45.720 --> 00:50:51.400
accept the financial rewards and I just sort of accumulated the money. The money

00:50:51.400 --> 00:50:56.720
then went to re-encompensating my – the victims of my offending.

00:50:56.720 --> 00:51:00.840
JACK: Over the course of this time, while he was waiting for his sentencing court date,

00:51:00.840 --> 00:51:06.840
he found vulnerabilities in lots of companies. I mean lots. He always simply asked for a thank-you

00:51:06.840 --> 00:51:12.040
letter or a letter of recommendation from helping someone. This was the most valuable reward he

00:51:12.040 --> 00:51:18.120
wanted, and he got a lot of letters. He sent them to me to see, too. The PDF he gave me is

00:51:18.120 --> 00:51:25.160
over 300 pages long of just really nice things companies have said about Daniel. For instance,

00:51:25.160 --> 00:51:30.400
here, let me read one. Dear Dan, Deutsche Bank appreciates your ongoing efforts in searching

00:51:30.400 --> 00:51:34.800
and responsibly communicating IT security vulnerabilities. You showed us a cross-site

00:51:34.800 --> 00:51:38.760
scripting vulnerability we had on our website, and we thank you for your dedication to the task

00:51:38.760 --> 00:51:43.520
of increasing internet security and wish you all the best for your future endeavors. Signed,

00:51:43.520 --> 00:51:47.880
the CISO of Deutsche Bank. The list of companies that he found vulnerabilities

00:51:47.880 --> 00:51:52.400
in and reported them and got thank-you letters for is really long. [MUSIC] Here,

00:51:52.400 --> 00:51:55.360
I’ll have Daniel tell you a bunch of places that sent him thank-you letters.

00:51:55.360 --> 00:52:01.800
DANIEL: The Crown Court Digital Case System, the National Crime Agency, the Ministry of Justice,

00:52:01.800 --> 00:52:10.640
the parliament website, University of Cambridge, the Australian National University,

00:52:10.640 --> 00:52:26.160
Stanford University, Yahoo, GCHQ, Royal Air Force, DBS Bank, AT&T, S3, BBC, Sony, Deutsche Telekom,

00:52:26.160 --> 00:52:35.740
United Nations, Duke University, Adobe, AOL, Telegram, Sage, Amazon. Tell me when to stop.

00:52:35.740 --> 00:52:39.080
JACK: Well, I’m… [LAUGHING]

00:52:39.080 --> 00:52:40.400
DANIEL: There’s thousands.

00:52:40.400 --> 00:52:45.840
JACK: At first I was like oh, this guy’s just getting universities and schools; that’s easy.

00:52:45.840 --> 00:52:50.440
But then I heard GCHQ and I was like wait, and then it just keeps going. So, how – what was…

00:52:50.440 --> 00:52:55.720
DANIEL: No, there’s some real – even though the bulk of them are cross-site scripting

00:52:55.720 --> 00:53:01.440
vulnerabilities, there are some really serious vulnerabilities that are aborted.

00:53:01.440 --> 00:53:03.016
JACK: Okay, so…

00:53:03.016 --> 00:53:03.034
DANIEL: I think…

00:53:03.034 --> 00:53:04.360
JACK: So, these ones that you listed,

00:53:04.360 --> 00:53:10.200
this is – they confirmed okay, thank you, and sent you a letter of thanks?

00:53:10.200 --> 00:53:16.440
DANIEL: So, these – yeah, I’ve had actual letters from the directors and CEOs of these entities

00:53:16.440 --> 00:53:20.640
where they’ve said – they’ve acknowledged the vulnerability and they’ve said thanks.

00:53:20.640 --> 00:53:26.160
JACK: The GCHQ, that comes as a surprise as you were listing things. What happened there?

00:53:26.160 --> 00:53:33.080
DANIEL: So, GCHQ basically published this open-source project called CyberChef.

00:53:33.080 --> 00:53:34.520
JACK: Yep, I’ve used it.

00:53:34.520 --> 00:53:37.320
DANIEL: When they – yeah, when they first published it,

00:53:37.320 --> 00:53:40.900
there was a GET-based XSS in it, pretty much.

00:53:40.900 --> 00:53:44.960
JACK: Okay, so this was just a vulnerability in one of the open-source tools that GCHQ

00:53:44.960 --> 00:53:49.320
puts out. It wasn’t a vulnerability into their main database or something. But still,

00:53:49.320 --> 00:53:55.360
it’s pretty cool to have a letter of appreciation from GCHQ, isn’t it? One day while doing all this,

00:53:55.360 --> 00:54:00.880
Daniel came across another vulnerability that someone found on TalkTalk’s site. Daniel

00:54:00.880 --> 00:54:05.440
confirmed the vulnerability was still valid and immediately reached out to someone. But this time,

00:54:05.440 --> 00:54:09.760
instead of telling a friend about it, he reported this to the authorities and shortly after that,

00:54:09.760 --> 00:54:15.800
it got fixed. So, in a way, he even helped TalkTalk become more secure.

00:54:15.800 --> 00:54:20.320
Daniel had truly changed his ways and was on a serious dedicated mission to

00:54:20.320 --> 00:54:25.280
help as many companies as possible. He even did some math to try to quantify it all.

00:54:25.280 --> 00:54:30.400
DANIEL: [MUSIC] The total amount of my offending was probably – like, TalkTalk

00:54:30.400 --> 00:54:38.400
alone was $79 million. If you combine everything else, it probably was closer to $100 million.

00:54:38.400 --> 00:54:43.360
But when you really look at all the companies that I’ve disclosed vulnerabilities in – like,

00:54:43.360 --> 00:54:50.200
there’s 5,000 – there’s over 5,000 companies. Then you take some of the submissions which are like,

00:54:50.200 --> 00:54:58.760
P1 vulnerabilities and ISPs and banks. You can only logically assume that I’ve probably saved

00:54:58.760 --> 00:55:07.840
more money for those companies than the damage that I caused, because for – I had a vulnerability

00:55:07.840 --> 00:55:15.680
on – I had a RCE on Virgin Media, and that was a more critical vulnerability than the vulnerability

00:55:15.680 --> 00:55:21.240
that I discovered on TalkTalk. If that had been exploited, then presumably it would have had the

00:55:21.240 --> 00:55:27.400
same effect as it had on TalkTalk. So, I think it’s really fair to say that after submitting all

00:55:27.400 --> 00:55:34.160
these vulnerabilities, over 5,000 vulnerabilities, I honestly can confidently say that I’ve probably

00:55:34.160 --> 00:55:43.000
saved a lot more money for companies than my offending ever caused in terms of damage.

00:55:43.000 --> 00:55:51.720
Because there were so many charges and my case was so complicated, I was going to court and they

00:55:51.720 --> 00:55:59.080
must have told me five or six times that the next time I would come to court, I would be sentenced.

00:55:59.080 --> 00:56:03.960
Except, every time that I would go to court, I would never be sentenced and there would be some

00:56:03.960 --> 00:56:11.280
legal dispute about a charge or something. So, I sort of had to live the experience of thinking

00:56:11.280 --> 00:56:19.080
that I was gonna be sentenced five to six times. When that kept happening, it really started to

00:56:19.080 --> 00:56:26.760
play on my mental health. I got really depressed, basically, because it was a really stressful

00:56:26.760 --> 00:56:33.240
situation to be in. My lawyers were telling me okay, you’re gonna get twelve and a half years,

00:56:33.240 --> 00:56:43.680
you’re gonna get five years. A part of me just wanted it to stop completely, so I would pretty

00:56:43.680 --> 00:56:51.240
much just go home and I would honestly do nothing. I would spend months – I would spend pretty

00:56:51.240 --> 00:56:58.960
much all day just in bed waiting for my next sentencing hearing. It was like being locked – it

00:56:58.960 --> 00:57:05.000
was essentially like being in limbo. I would just wait for the next date to the next date,

00:57:05.000 --> 00:57:13.520
and that’s pretty much how I lived the last two years on bail. My entire life just revolved around

00:57:13.520 --> 00:57:21.200
these dates that were being set. Eventually, it got to a point where I was so depressed that I

00:57:21.200 --> 00:57:29.000
lost over seven stone in weight and I became emaciated. I used to be really overweight. I

00:57:29.000 --> 00:57:38.120
pretty much lost half of my body weight, and I started to get really depressed. I stopped eating

00:57:38.120 --> 00:57:47.840
and eventually my legal team took notice and they started to refer me to doctors and psychiatrists.

00:57:47.840 --> 00:57:51.760
JACK: He pleaded guilty to ten or eleven of these charges brought against him,

00:57:51.760 --> 00:57:57.680
but they were trying to charge him with things he didn’t actually do, and this caused some disputes.

00:57:57.680 --> 00:58:02.400
DANIEL: At this point, there was a huge dispute between a lot of psychiatrists and doctors saying

00:58:02.400 --> 00:58:08.000
whether I was even fit to go to trial, because I was – I intended on pleading not guilty to

00:58:08.000 --> 00:58:16.840
these new allegations, because I’m actually innocent. I didn’t actually commit them. There

00:58:16.840 --> 00:58:22.920
were days that I’d even wake up and I wouldn’t be able to remember my own name. So, after this

00:58:22.920 --> 00:58:29.280
huge dispute of seeing loads of psychiatrists and doctors, they essentially deemed me not fit

00:58:29.280 --> 00:58:36.500
to go to trial. So, the prosecution essentially wasted a lot of taxpayers’ money for no reason.

00:58:36.500 --> 00:58:42.240
JACK: So, with him not able to stand trial to dispute the charges against him,

00:58:42.240 --> 00:58:45.800
the court had no choice but to simply charge him with whatever they thought

00:58:45.800 --> 00:58:51.240
he was guilty of and sentence him. His sentencing date kept getting pushed back,

00:58:51.240 --> 00:58:56.920
but eventually came after four years of waiting. It really was four years?

00:58:56.920 --> 00:59:03.280
DANIEL: Yeah. So, I was – my – I was arrested for the TalkTalk hack in 2015,

00:59:03.280 --> 00:59:08.340
November, and then I was sentenced in 2019 in June.

00:59:08.340 --> 00:59:10.960
JACK: By this point, he was twenty-one years old.

00:59:10.960 --> 00:59:15.000
DANIEL: Sentencing comes and essentially, it comes down to whether I’m gonna go to a hospital

00:59:15.000 --> 00:59:23.880
or prison. What the judge had essentially did is gotten the head of the healthcare unit in

00:59:23.880 --> 00:59:32.760
HMP Belmarsh to take responsibility for me. She was at my sentencing hearing and when I

00:59:32.760 --> 00:59:37.880
was being sentenced, the judge put my – so, he read out twelve-and-a-half years.

00:59:37.880 --> 00:59:44.680
JACK: Twelve-and-a-half years in prison is what the judge said was his punishment. Oof. Fourteen

00:59:44.680 --> 00:59:50.000
years is the maximum for extortion crimes, so it couldn’t really get much worse for him. But this

00:59:50.000 --> 00:59:54.600
was only the starting point. Quickly, Daniel’s lawyer jumps up and says to the judge that

00:59:54.600 --> 00:59:59.160
Daniel has had excellent behavior while on bail and has not re-offended. [MUSIC] This made the

00:59:59.160 --> 01:00:04.640
judge happy and reduced the sentence a little. Then Daniel pulled out hundreds of positive

01:00:04.640 --> 01:00:09.000
letters he received from helping all those companies improve their security, and the judge

01:00:09.000 --> 01:00:14.920
was particularly impressed by this and lowered the sentence some more. His lawyer kept coming

01:00:14.920 --> 01:00:19.820
up with other reasons on why Daniel deserves a lower sentence, and the judge kept lowering it.

01:00:19.820 --> 01:00:23.520
DANIEL: He read out twelve-and-a-half years and then he went ten years,

01:00:23.520 --> 01:00:28.640
nine years, seven years. It essentially got to four years.

01:00:28.640 --> 01:00:33.400
JACK: Four years prison time was his final sentence that he received for

01:00:33.400 --> 01:00:37.800
this criminal behavior. Now, in the UK, you only serve half your time in prison

01:00:37.800 --> 01:00:42.240
and the other half out in the community, sort of like parole in the US. When it

01:00:42.240 --> 01:00:46.600
was at the end there and they said four years, what was going through your mind?

01:00:46.600 --> 01:00:52.080
DANIEL: Honestly, at that time, I was just in a – I was in a state of shock because I

01:00:52.080 --> 01:00:58.760
couldn’t actually get over the fact that he’d read out twelve years to begin with. Once I

01:00:58.760 --> 01:01:06.520
heard that figure, I really – I sorta just went numb and my mind just sorta went blank.

01:01:06.520 --> 01:01:11.120
It was almost like an out-of-body experience. I couldn’t actually believe that he had read

01:01:11.120 --> 01:01:17.840
out twelve years. It was only really after I’d been taken down under the courts that I

01:01:17.840 --> 01:01:23.949
really started to consider the possibility of doing two – well, four years in prison.

01:01:23.949 --> 01:01:28.000
JACK: They immediately whisk him off to prison directly from court, but first he had to get some

01:01:28.000 --> 01:01:32.240
healthcare to get his mental state back to normal. But once he was showing signs of stability,

01:01:32.240 --> 01:01:36.080
they put him in the main cell block with the other prisoners. But just when he got used

01:01:36.080 --> 01:01:42.040
to the routine, they put him on a bus and moved him to another prison, a super-max prison, even.

01:01:42.040 --> 01:01:46.840
Of course, when you go to a new prison, all the other prisoners want to know what you did to get

01:01:46.840 --> 01:01:51.760
there. He tells them the truth and says hey, look up my name if you don’t believe me. So, they did.

01:01:51.760 --> 01:01:56.000
DANIEL: A lot of them actually thought that I stole £70 million from TalkTalk. They didn’t

01:01:56.000 --> 01:02:02.720
realize that I – that was the damage cost. Anyway, I have loads of gang members asking

01:02:02.720 --> 01:02:06.540
me to hack their phones. They’re asking me to hack the county, hack the prison.

01:02:06.540 --> 01:02:10.040
JACK: He got on pretty well with the other prisoners. They liked him since he didn’t

01:02:10.040 --> 01:02:13.840
pose any threat to them, and they thought he was smart with computers. [MUSIC] But the

01:02:13.840 --> 01:02:19.680
prison guards and staff did not like him. They were afraid of what he might do if he used

01:02:19.680 --> 01:02:24.560
any of the computers in prison. They must have gotten word from someone else too, because they

01:02:24.560 --> 01:02:30.440
just didn’t treat him well. For instance, they randomly searched his prison cell frequently,

01:02:30.440 --> 01:02:34.520
much more frequently than any of the other prisoners when he was there. He knew something was

01:02:34.520 --> 01:02:39.680
off because he just couldn’t figure out why he was being treated differently. One morning at 5:00 AM,

01:02:39.680 --> 01:02:43.720
he gets woken up by some guards telling him get out, we’re searching your cell. Of course,

01:02:43.720 --> 01:02:47.720
he gets out and looks around and sees there are some other cells being raided,

01:02:47.720 --> 01:02:51.480
but they’re all people he knew in prison. Out of all the prisoners,

01:02:51.480 --> 01:02:55.980
why is it him and just the people he knows that are getting raided? It didn’t make sense.

01:02:55.980 --> 01:03:02.080
DANIEL: When they raid your cell, they just rip everything apart. They tip the bed apart,

01:03:02.080 --> 01:03:09.280
they – I was even – so, I go back to my cell and I was even told that they were using screwdrivers

01:03:09.280 --> 01:03:18.920
and stuff to take furniture apart to see if I was hiding anything. I get back to my cell,

01:03:18.920 --> 01:03:22.600
I clean everything up, and funnily enough, there was a razor that I didn’t even know

01:03:22.600 --> 01:03:26.440
that was in the cell from the previous occupant and they just put it on the table and left it

01:03:26.440 --> 01:03:32.000
there almost to send a message to say look, we found something. But I really didn’t even

01:03:32.000 --> 01:03:37.000
know it was in the cell, so there we go. So, what that essentially did was make me become

01:03:37.000 --> 01:03:42.400
even closer friends with these – they just – they were all part of a gang, in effect,

01:03:42.400 --> 01:03:49.200
so I become close friends with these people. Two days later, my cell opens again, 7:00 AM,

01:03:49.200 --> 01:03:55.600
and they say right, you’re being drug test. Come with us. I don’t take drugs, okay? Drug tested;

01:03:55.600 --> 01:04:00.600
come with us. So, I go for some drug test. On the piece of paper that they give me, it says

01:04:00.600 --> 01:04:06.360
it’s randomly allocated, except it’s not randomly allocated because you can see the coincidence,

01:04:06.360 --> 01:04:09.920
right? But that’s how they were abusing the system. They were saying it was just randomly

01:04:09.920 --> 01:04:14.160
allocated. It’s a load of bullshit. They were just trying to cause me inconvenience, I think,

01:04:14.160 --> 01:04:16.840
or they had some source of intelligence; someone probably said something.

01:04:16.840 --> 01:04:24.480
I didn’t take drugs, but that’s how intelligence works. So, I – negative on the drug test. Then

01:04:24.480 --> 01:04:29.960
Christmas Eve comes. [MUSIC] So, Christmas Eve morning, my cell opens at 6:00 AM and

01:04:29.960 --> 01:04:34.360
they tell me – two prison officers tell me you’re being transferred. I said,

01:04:34.360 --> 01:04:40.880
okay. At first I was like okay, maybe this isn’t a bad thing. Where to? They say HMP Bristol. Now,

01:04:40.880 --> 01:04:47.240
HMP Bristol is a really bad prison, okay? It’s a Victorian old prison. It’s in England and it’s not

01:04:47.240 --> 01:04:52.680
really a prison anyone wants to go to, especially over Christmas. It was their way of ruining my

01:04:52.680 --> 01:04:58.600
Christmas and throwing me out of that prison as fast as they could. But anyway, after they tell me

01:04:58.600 --> 01:05:04.360
I’m being transferred to HMP Bristol, everyone’s out of their cells and these gang members figure

01:05:04.360 --> 01:05:09.640
out what’s going on, and they convince me that it’s really – I sort of – I was 50/50;

01:05:09.640 --> 01:05:14.360
a part of me – I didn’t want to go to Bristol, but I knew I didn’t have a choice, because I couldn’t

01:05:14.360 --> 01:05:20.200
just stay in Berwyn because they’d now remove – like, they removed that option. If I stayed there,

01:05:20.200 --> 01:05:25.960
they would have just took me to segregation or something. So, one of these gang members

01:05:25.960 --> 01:05:31.720
essentially convinces me to put a – so, take a safety razor and put it in my mouth, okay?

01:05:31.720 --> 01:05:36.720
What essentially that does is it invokes a safer custody issue, ‘cause that essentially

01:05:36.720 --> 01:05:42.960
means that – it’s like self-harm. The prison officers can’t touch you. I put a – so,

01:05:42.960 --> 01:05:46.560
I – this guy – this is completely out of character, by the way. I’m not some

01:05:46.560 --> 01:05:50.680
irrational person that goes around self-harming, and I’m not saying that self-harm is irrational;

01:05:50.680 --> 01:05:53.680
I’m just saying I’m not the type of person to do that. I don’t put razors in my mouth

01:05:53.680 --> 01:05:59.800
and all of this type of thing. It was only when that suggestion was made to me that I did it,

01:05:59.800 --> 01:06:05.440
so I put a safety razor in my mouth ‘cause these gang members had convinced me to do it,

01:06:05.440 --> 01:06:09.560
and I’m sorta – I just – I put it in my mouth and I looked at the prison officer,

01:06:09.560 --> 01:06:17.760
and I said I’m not moving. Anyway, everyone’s locked up. Well, they tried to lock everyone up,

01:06:17.760 --> 01:06:22.480
and – ‘cause – because this is taking place in my cell, and all the prisoners essentially refuse,

01:06:22.480 --> 01:06:26.880
because there’s a huge crowd outside my cell and they’ve worked out what’s going on. Because

01:06:26.880 --> 01:06:30.840
I was on good terms with these prisoners, they thought it was really unfair. It was my first

01:06:30.840 --> 01:06:35.920
time in prison, I was in for computer hacking, and it was really unfair to transfer me to a

01:06:35.920 --> 01:06:45.000
prison like HMP Bristol on Christmas Eve. So, they refused. Prisoners start smashing the wing up.

01:06:45.000 --> 01:06:51.560
They started smashing the kiosk and in effect, a really small riot starts. Someone threw a

01:06:51.560 --> 01:06:59.320
fridge off the top landing and all the prison officers left the wing. I was oblivious to this

01:06:59.320 --> 01:07:05.200
at this time because I was in my cell, but I – so later on – so, when this is happening,

01:07:05.200 --> 01:07:11.240
all the prison officers leave their cell – leave the wing, sorry, and everything goes

01:07:11.240 --> 01:07:15.680
quiet. All the prisoners are just there rioting, I’m sitting my cell, I’ve got a razor in my mouth,

01:07:15.680 --> 01:07:24.720
and we’re just sort of sitting, yeah. So, I go by the door frame and forty-five seconds later,

01:07:24.720 --> 01:07:31.760
less than a minute, about eight prison officers wearing riot gear come marching onto the wing. I

01:07:31.760 --> 01:07:34.920
can see them coming onto the wing. They’ve got riot shields, they’ve got batons,

01:07:34.920 --> 01:07:42.160
and they’re all kitted up. They’re walking towards me. I sort of realize that if I didn’t

01:07:42.160 --> 01:07:47.960
drop this razor and comply in the next thirty seconds, they were gonna force me to comply. So,

01:07:47.960 --> 01:07:53.920
I spat the razor out and I said look, I’m going. Take me to where you want to go.

01:07:53.920 --> 01:08:00.080
JACK: They transferred him to another prison and he spent a few months there.

01:08:00.080 --> 01:08:03.040
It was much worse than the other two he was in,

01:08:03.040 --> 01:08:08.440
but he gets through it and finishes his prison sentence. So, you spent how long in prison?

01:08:08.440 --> 01:08:10.720
DANIEL: So, I did two years in prison.

01:08:10.720 --> 01:08:12.240
JACK: When did you get out?

01:08:12.240 --> 01:08:14.480
DANIEL: June last year.

01:08:14.480 --> 01:08:19.720
JACK: Since getting out of prison, he still has to do two years of probation and he has to follow all

01:08:19.720 --> 01:08:24.720
the rules set forth on him. He can use a computer and the internet, but he has restrictions,

01:08:24.720 --> 01:08:31.080
and he hopes to someday get a regular above-board job doing cyber security. So, last question.

01:08:31.080 --> 01:08:31.900
DANIEL: Yeah.

01:08:31.900 --> 01:08:33.840
JACK: What’s your biggest regret?

01:08:33.840 --> 01:08:37.040
DANIEL: Probably blackmailing people.

01:08:37.040 --> 01:08:38.520
JACK: Why?

01:08:38.520 --> 01:08:47.040
DANIEL: I don’t really – so, I don’t regret the hacking aspect of what I did.

01:08:47.040 --> 01:08:51.680
I just think that my offending became really twisted when I started blackmailing people,

01:08:51.680 --> 01:08:58.560
because that’s where it became really personal. I think that’s ultimately what sent me to prison. I

01:08:58.560 --> 01:09:05.624
think just hacking systems is completely different in comparison to blackmail.

01:09:05.624 --> 01:09:15.480
(OUTRO): [OUTRO MUSIC] Thanks to Daniel Kelley for sharing this story with us.

01:09:15.480 --> 01:09:19.160
This show is made by me, your friendly moderator, Jack Rhysider. Sound design was

01:09:19.160 --> 01:09:22.800
done by the too-weird Andrew Meriwether, and our theme music is by the mysterious

01:09:22.800 --> 01:09:28.680
Breakmaster Cylinder. Oh, and hey, if you ever have questions about TCP/IP,

01:09:28.680 --> 01:09:38.120
I know the pro to call. Get it? Protocol? Forget it. This is Darknet Diaries.
