(sighs) - My name's Gummo, I'm a hacker. I've been a hacker for the past 36 years. And I'm here to tell my story. My story started pretty young, right? I was born and raised in
Jacksonville, Florida. Grew up absolutely dirt poor and I had an older brother. I had two older brothers, one half brother and a natural sibling. And all of us grew up in Jacksonville. Growing up in Jacksonville, we only had a mom, our mother. She raised us by herself, all three of us, the best that she could. She was an alcoholic and she did the best raising three boys. My mom passed away when I
was 12-years-old in 1985. And I actually woke
up on December 7, 1985 and... pulled the covers back
and there was my mom. And so ever since then,
I've been on my own. My brother and I, we went
to go live with my aunt but she failed at that miserably. And my father was in prison. So there was no choice really but to live with friends of the family, which we did for a little while. And my brother, he was about a year and
a half older than me, so he was much more of a free spirit. He just went on his way. Went on to do his thing at 16-years-old. By that time, I'm 14 and a
half and really on my own. And that's when I
discovered computers, right? Actually I discovered computers
about three years earlier before my mother passed away. Never really gave any
consideration to it other than any other normal kid at the
age of eight, nine, ten. So it sat until my mother passed away. And before she passed away, the night actually that she passed away, she had come home from graduation of my brother, my
half-brother had graduated basic training at Fort Benning. And the thing she told me
before she went to bed was she asked me how my computer
studies were coming along and I lied to her, right? And I said, they were going great. In actuality, I really
wasn't doing anything. Then she passed, right? You deal with what you can deal with when you're 12, 13-years-old. And my outlet was computers. First, I withdrew like any other kid does. I guess, I don't know. And second of all, I began
to master my computer. I had a TRS-80 Model II and I taught myself how
to code, code BASIC. And for a couple years,
that's where I was, right? When people would ask me if I
was fine, yeah, I'm fine, yeah but my grades were really disastrous. I had a couple friends
that I really engaged with, but no one too in particular, but I did withdraw even more
into my computer, right? I got an acoustic modem, connected that to a local bulletin board, and began to meet other people, began to meet other people like me. And then people ask about you, right? They wanna know who you are. Back then, the internet really wasn't what people think it is now. It was more or less dial up boards, ARPANET, closed loop
systems, things of that such. But I set up a bulletin
board on a local BBS system and at the ripe old age of 14, I started to meet other hackers online. And I started to learn
a lot of cool things like telephone phreaking, like
how to make free phone calls. I discovered a subculture
of people who existed on the phone lines, on the telephone lines where they were, you could talk to someone in London or in Paris or in Georgia or LA. And you can meet these
people on the telephone on these telephone
party line, so to speak. 14-years-old, I'm learning how
to phreak telephone systems. Phreaking telephone systems
was a way to actually access the old telephone systems,
the old bell systems with special instructions
and codes and methods, which have long since expired since the telephone
system has gone digital. So 14-years-old, I'm
learning how to code myself. I've set up a bulletin board, I'm meeting hackers
and I'm getting advice. I'm learning how to do things. I'm learning how to get the
things that I need, right? Because I'm living with
friends of the family and they really... They too themselves were
barely able to support me, much barely themselves as well. So everything that I had to
do was for myself, right? Everything. From food, to money, for money for clothes,
for school, everything. My entire existence depended
on my willingness to make sure that I was taking care of myself. And so that's what I learned how to do. I learned how to, at
the age of 15-years-old, I took a Bell & Howell Language Master and I learned how to
reprogram credit cards to use them in stores and in ATMs back before ATMs really
had a dedicated ATM line to verify a transaction. And of course, I would understand the batching process and all that. But that was 32 years ago. And I just learned how
to manipulate things to get the things that I wanted, whether it was printing
a UPC code for food from the store which I needed or doing the magnetic gas handle flip. Back in those days, when
you need a gas for your car, there was a dial on the gas pump and you would flip the dial on and off. Well, if you took an
old-fashioned speaker magnet and set it next to the handle, that would flip it up and engage the pump. The pump would begin to run
to distribute gas in the hose but the numbers wouldn't turn. So I kept learning these tricks, right? I kept learning little tricks to survive, survivability tricks, learning
how to social engineer people to get what I wanted, whether it was access
to a specific computer that I wanted to dial in
to steal some files from, or whether or not it was to
convince the supermarket manager that I had left some food behind, when in turn I actually hadn't, just so I could eat that night. So just growing up, meeting hackers online, people giving me what I felt
like was worthwhile advice to survive, to be able to not
wind up in a bad situation. And that's exactly how I kept
myself from falling apart, from going under. And all of the wild, right? I'm still living with
friends of the family. 1989 comes around. I'm 16, 17 years old. The friends of the family
really had enough of me living there, so the official
parting of ways, right? So there I am, I just turned
17-years-old and I'm on my own. I had a Chevrolet Chevette,
a 1984 Chevrolet Chevette, no, a 1982 Chevrolet
Chevette, powder blue, and all of my stuff was in there, including my TRS-80 Model II. And I lived in my car for the better part of
the entire year of 1989. And it was tough, right? I dropped out of school. I began to lose focus. I began stealing cars,
began using my skills in very, very unique fashions
to obtain money quickly because when you're living in your car, what choice do you have? So, yeah, I did that for about a year. Then I met a girl and
she became my girlfriend. And ultimately she became my
wife and she helped me realize what I was capable of doing and her family took me in and... I went and got a job just
bagging groceries and shit and... just kept doing that, right? Someone believing in me. And still sticking to computers. Had a daughter. My daughter who turns 30 this December. My wife and I had a daughter. And I realized that I needed to do better, needed to do more, provide more
for my wife and my daughter. And so there I am, bagging groceries, working in retail stores
and actually working hard and continuing my computer studies, teaching myself C, COBOL,
FORTRAN, all of the old languages, teaching myself computer languages and taking care of a wife
and a kid on $5 an hour, and I kept doing that. And about two years into that, I got the opportunity, I
saved up enough money to go to the Chaos Congress in Germany, which is an annual conference of hackers from all around the world. And I met some hackers like me who had not only been through a struggle, but were continuing to
go through a struggle. I met a friend of mine, his
name was Boris Floricic. He went by the hacker name Tron and we became really good friends. And Boris and I, we worked on a lot of smart
card systems together. He taught me about smart
cards, the little chip card in your wallet that
everyone carries around, that thing what's in your wallet. And at the time, no one really
knew what smart cards were. They were only used extensively
in Europe at the time. And so Boris taught me about smart cards, these things that have a computer,
a microprocessor in them. And he taught me that these
things control many things, from television access,
to telephone access, to making and receiving
long-distance calls. And so we worked on a
crypto card scheme together to where we were able to
actually reverse engineer about five different providers
who issued chip cards, smart cards for their services. We successfully decrypted those services. And with that knowledge, after we became friends,
after a couple years, we began to converse back and forth. At that point, this is '94. And now I'm attending the
Chaos Congress each year and meeting with Boris and
we're chatting back and forth on all kinds of technology,
most specifically smart cards. About that time here in the United States, Hughes Space systems was ready to launch a system called DirecTV. Back then actually it was called DSS, the Digital Satellite System. And Hughes built the
system from the ground up. And I was interested in that. The reason I was interested in that because at this point, it's 1995, my father has just been
released from prison. And so I go to visit him and
he's watching television. I said, "Oh, dad, what is that?" And he's like, "Oh, it's a
satellite system called DirecTV." And I was amazed by the picture quality and how great it looked. And it all came on a
little small 18-inch dish. So that was pretty fascinating. And I looked at the
system and I'd realized it was controlled, all
of the authorizations were controlled by, you
guessed it, a smart card. So it really took very little to no effort between Boris and I to
collaborate on the DirecTV F card, which basically was a smart
card that allowed authorization for customers to receive HBO,
all of the channels, right? Pay-per-views, et cetera. And we successfully created
a quite little humble system to reprogram those cards
and laughed it off. Really didn't think anything
of the wares after that. And then several months passed, right? Busy couple of years, I'm going to school and actually working at a carpet cleaning company. And really just surviving,
paying the bills and continuing to enhance my skills. And I'm like, well, you
know, the hell with it, you know, I really need some more money. My daughter's getting
ready to go into school. And so I wanted to put her into a school. And so I decided to sell
my wares for programming DirecTV satellite access cards. And so that's what I did. I realized that it was
very easy to make money providing a service for people who did not wish to pay their bill. I really wanted to one up my game, right? So Boris and I, we worked
together on some extensible ideas and we created some software
that we sold to the Canadians, and we made some money, right? We made $10 million each and I was able to get
everything that I wanted, and so did Boris. And it was great, but there
were a lot more factors than just Boris and I releasing code. There were other mitigating factors. You had an entire battalion of
hackers from Rupert Murdochs and trying to actually circumvent other services and competitors
out there to destroy them, which they ultimately did, but
that's a whole other story. So we hacked DirecTV for a few years and made some money, got caught. And then after I got caught, I was offered an opportunity, right? Rather than to go and sit
in prison for a long time, I was asked to consult
and helping a company at that time called NDS to help them solve their
conditional access problem, which at that point, the entire DirecTV system
was completely compromised and NDS was looking for a
way to stamp out piracy. So consulted with some
good minds in Haifa, Israel for a couple years, and went on my way. Came back to Jacksonville
after hanging out consulting, securing the DirecTV period 4 card, helping a lot with that technology. Moving on, coming back home, my name sort of floated
out in the wrong direction. This guy who was doing the DirecTV cards, his wife was a dispatcher, she obtained my information
and then my wife's information and then my family's information and pretty much doxed me at that point. And back then, doxing someone
was really a terrifying thing, such it as now, right? When someone doxes you or post your information on the internet. It's a shitty thing to go through. And in my circumstance, I had a lot more things that I was involved with with the government, so... With a lot of help from the government and my own my
self-motivation now, I moved. I moved to Indiana. Packed up the kids, packed
everything, and moved to Indiana. I was just gonna really
kind of lay low for a while. I just got back from Israel, I moved from Florida to Indiana, and really just kind of chilled out. I got a job at a newspaper and handled their websites
and all of that, real low key, low tech job, nothing fancy, living in the middle of
a cornfield, so to speak and enjoyed it, enjoyed the
life for a couple of years. And then I was asked to... And then a gentleman I met in Indiana invited me up to Chicago to
take a look at his business, to see what sort of technical advice I could give him for his business. And so I traveled to Chicago, got to know him within several days. He got to know who I really
was about my background. And I went to work for him. And at this point, right, now I have a job and I'm doing, I'm setting up IT
infrastructure for his company and making sure that all
of his offices connect. And not only that, but securely, right? Cyber security really wasn't a thing then. It was barely even mentioned. But cybersecurity to me,
right, to what exists now, or what people realize
as cyber security now, to me is just an afterthought
or was an afterthought. Still sort of is mentally speaking because things that people
are writing papers about, talking about, creating solutions about, these are all things that
are built on technologies that were built when the
internet was created, right? Everybody's talking about 1970s technology and no one's really
trying to fix the problem. But yeah, so I provided
cybersecurity for him, his company. Set up the whole deal. And then just started meeting new friends along the way in Chicago. That's how it is in Chicago. And one thing led to another. Met a gentleman named Willard Harper, Willard Buddy Harper. And he worked at the CME in Chicago. He was one of the largest hog
traders in the world really. And he gave me an opportunity to create some special networks for the
CME to connect to the NYSE. And so with that, after
doing several of those, meaning, they were really simple for me, but I created some ultra
high speed private networks that only the CME and the NYSE still use. And so he was impressed with that and he's like, "What else can you do?" And I'm like-
- Just so people know this, Chicago Mercantile Exchange and the New York Stock Exchange.
- That is correct, yes, yeah. So I set up two bi-directional
unique fiber lines specifically for those two
exchanges and secured them. So yeah, he asked me what was next. So I'm like, "Hey, there's
this thing called Bitcoin. It kinda piques my interest." And he asked me what I needed. I said, "About a million
bucks would work." And he literally opened up a file cabinet, he had a million dollars in. He's like, "All right, go do it." And that's what I did. At that point, I built a supercomputer that was able to mine Bitcoin. I mined about 5,000 Bitcoin. And at that point, I
believe Bitcoin was trading at $200 to $300 a coin. And so he was impressed
and so was I actually. And so we built three more
over the next eight months. I built three more and
had them right there at 107 West Van Buren
Street across from the CME and just sucking up electricity. But at the end of that
year and a half run, we were able to mine
close to 80,000 Bitcoin. So yeah, after a couple of years of doing that, I really felt a little
sense of accomplishment, but I really didn't feel like I was done. So I ran into a gentleman... (laughs) So I'm squandering around Chicago, right? I've mined some Bitcoin, I'm hanging out, walking around the loop,
hanging out in Millennial Park and just hanging out with my friends. And kicking back, I met
a gentleman and he said, hey, you know, our company
needs a webmaster, right? And a webmaster is just basically someone who just does web work for a company. I'm like okay, yeah, sure. Yeah, I'll come and be
your webmaster, right? Because having a job,
having a legitimate job completes who I am, right? I could sit around and do
whatever I want to make money, but in the end, I think it's about working an honest nine to five. And so, yeah. Yeah, hey Jackson, I'll go and work, be a webmaster at your software company. And so I went to work
there as their webmaster and it was hilarious, right? They're vice presidents. They're like, "Well, this
is a very important job and you should blah, blah, blah." And I'm, yes, sir and yes, ma'am. I really kept the ruse
up as long as I could but I was outed by a friend
of mine that worked there and he outed me to the marketing manager and the marketing manager, she outed me to the entire staff and eventually I became responsible for their cybersecurity practice. And so I'm like, well, shit, I guess I'm doing cybersecurity. So here I am doing cybersecurity for a software company in
Chicago, unintended, right? But I'm honing my skills, right? Figuring out the best method to stand up specific protocols and systems and things of that nature from
a cybersecurity perspective. And so that's what I did. I did it pretty well. But then they fired me. Then they just, they fired me. And so, yeah, it was kind of a thing between the owner and myself. He didn't like me and I
surely didn't like him. So now that that's public,
I really didn't like him. So after that, right, I
just took a couple of gigs as cybersecurity, just kind of... just did my thing, packed
up my stuff the entire time in Chicago and came back to Jacksonville. And again, doing consulting
with a company for cybersecurity and I enjoy it. But that's what led me
to where I am now, right? From some of those angles. I've been responsible for
putting some heavy hitters away. I've worked with law
enforcement in the past, some real heavy hitters. I'm really good at hunting
hackers and finding people and finding, not finding just people, but finding the real hacker, right? The real hacker that's
really causing mayhem. I'm that guy that looks for that hacker. And I do that very seriously
and continue to do that because I provide my service
not only for companies, right, but for celebrities and stars, right? They consult with me. I work with them personally to solve any cybersecurity questions or issues that they have. Some of the things that
people don't understand is that everyone carries around a smartphone, watching Edward Snowden do
all of this ridiculousness, hiding under covers and everything. Everyone should know that
your smartphone is a PC, is a portable computer, and the things that that smart
phones are capable of doing are very terrifying. There just recently was
an exploit that I had used for years for iOS that
allowed me to actually listen in on your phone conversations,
to read your SMS messages, to read your email, to actually
see everything that you do on your iOS device. Those sort of exploits exists
everywhere in everything. Almost everything has a GPS chip in it. Almost every device has a chip in it. And if it has a chip in
it, it can be exploited. And when things are exploited, sometimes devices things,
systems and people are exploited for one reason or another. There's a lot of things that
are very scary out there. Right now there are people
selling your information. They're selling your wifi network. They're selling your wifi credentials. They're selling your
ancestry.com genealogy data. They're selling all of that. The thing that people
don't really understand is that there really is no
more privacy in this world, unless you go and live on an island somewhere in the South
Pacific with no electricity and no other people, there are things to be taken advantage of and systems and devices and so on. It takes a professional car thief about 30 seconds to steal a car now, because you really don't
need to hotwire anything or use a screwdriver or even a laptop. You can use an RF intercept
or intercepting device which could do a man in
the middle of the attack with just a key fob and you can steal someone's $150,000 car with that. The technology stacks
out there are endless that are being taken advantage of. Most notably are the cellular
systems, the mobile systems, what people carry around most contain the most value and the most data. Putting your information on TikTok, creating a TikTok account and filming from so many locations. You don't realize what you're really doing is you're really giving
everything that you hold, possessive in private out to the world. And that's where we see
people being attacked. People, their bank accounts
being compromised, et cetera. Speaking of bank accounts,
a lot of people realize that when you log into your bank, and a lot of banks will really deny this, but banks actually have back
doors into your accounts, into your system. Just think about it for a moment. When you log into your bank accounts through suchandsuch.com and you have to answer all
of these ridiculous questions and get a two-factor
SMS message sent to you, so you can enter in the code. But people really don't realize is that their banks also have backdoor access to where applications like your TurboTax and your money management
software, all of that. How do you think that
connects to your banks? And so with these backdoor
connections into banks things continue to be inherently insecure. We see data breaches every day where millions of people have
their information stolen. And not only stolen, but
sold and used against them. One of the things that
we also have to realize is that we have quantum computers coming. Quantum computers will make all current and former encryption
algorithms absolutely obsolete. So if you have something that
you've encrypted in the past or you have some encrypted files and they've been anywhere on the internet, in a book, wherever, someone else can access
your encrypted files. Well, very soon those files
won't remain encrypted long. And so hopefully, those secrets
were quite well encrypted. Websites. Websites have so many flaws in them. Everybody needs a website nowadays. Everybody has a website to go
to, their favorite website. (sighs) Right now, about 90% of the
web and the technologies that support them in your
applications in websites they're insecure, they're
inherently insecure. Whether or not it's a web
server running an open port or a misconfigure file on your server. There's something that... There's a little bit of
something out there for everyone to take advantage of and now
everyone is paying the price. Everyone now is becoming
victims to these crimes to where they thought
they weren't a victim, where they never thought
they would actually be potentially be a victim. The more mobile applications, the more people that are using
the phones that we just... The more people that use mobile devices require more mobile applications, require more data centers, require more servers for those
applications to connect to. And those are all at risk. All you have to do is do a DNS
query on anyone's web domain and you can begin to uncover the pieces of how insecure most
organizations and individuals are. People don't realize that
when they're at home, they put a password on their router and they think that's it. I'm safe, I'm secure. But no one really understands the context of using an additional layer
of protection, like a VPN or some sort of ad blocking technology. And people don't realize
that their IP address is basically like a flag
out there on the internet for them to be discovered,
for them to be stalked, harassed, intimidated, swatted. It doesn't matter. And so it all comes with
understanding these technologies and understanding how to protect ourselves and how to protect
yourself against bad people wearing hoodies and cloaks. As I said, not all hackers are bad people. Most hackers... Everyone is a hacker. If it weren't for hackers,
we would not have wifi. We wouldn't have cameras. We wouldn't have many things
that we take for granted today. Criminals are the ones that
give hackers bad names. Criminals are the ones who
are breaking into systems and stealing information
and creating data breaches. Criminals are the ones
who are stalking people and bad context and stealing from others who don't belong, not hackers. And so it's been said before and here I am saying it too, right? Hackers are not bad people. The criminals are bad
people, but hackers, nah. My thing now, right, is to tell my story, to tell people that hackers
really aren't bad people. Hackers really have a story to tell too. I have a story to tell and I'm telling it and I'm almost done telling it, but we're just like anyone else. We live, we breathe. We have feelings. We actually overindulge in our feelings because we wonder what
people are always doing and what the next best thing is. I painted my pinky pink back in 2006 because a friend of mine, I
was visiting a friend of mine in Fort Myers and her daughter
came and tugged on me. She said, "Hey, why are
you such a bad hacker? Why don't you be a good
hacker and do good things." And ever since then, man, I've advocated for doing
good things with your skills. Helping people, helping others, not doing something for yourself, doing something for others, making sure that you know your mom and dad wakes up in the morning without their shit being
sold on a dark market and to help people, right? To help people achieve their goals, to help people understand who they are, not just by where they've been or what they've seen and the
shit that they've been through, but to help people understand how to get to where they're going by telling them what I've been through, the
shit that I've been through. I've been through some real
serious shit in my life, but that's never deterred
me from becoming who I am and who I expect to be. And it really hasn't stopped
me from helping others and showing other people the way. With this pink pinky nail now, that young lady just
got married this year. And that's my goal, right? To help as many ladies, as
many women, as many females get into cybersecurity. It's not just a guys thing. It's just not a sausage
fest of guys walking around saying they hacked something. It's about people who are
critical thinkers, who contribute, who care and have empathy
and share their knowledge. That's what it's about. And that's what I'm here
to help people understand and to help people and encourage people to do with their skills. Yeah, man. I've seen a lot. I've been through a lot. I have my jump bag right here with my Bitcoin collection on
'em and I'll show Mark after. The only thing that I can
encourage people to do is never give up, always
hold your head high, and never, ever, ever,
ever consider giving up, no matter how tough things may get, because one way or
another, you'll find a way, you'll find a path. And so hopefully, what I've
said, hopefully, my story helps. I don't know. But if it reaches one
person and it gives someone that motivation to say, hey,
you know, I can do that too. You know, I can go from living in cars to consulting with
celebrities and governments. Well then, you can do it too. So there's nothing that you can do. There's nothing that we can't do. It's only about what you choose to do and the decisions that we all make. And so I choose to do the right thing. I choose to make the right decisions and I choose to make the right call. And so that's my story.
- [Mark] All right. Thank you, Gummo.
- Thanks.
No real way to TLDR this but in short it's the guy's story and then gets into some of the current vulnerabilities and their scope. Last 15 mins or so focus on more of the technical portion.
I watched the whole thing and probably found his story even more impactful than the technical discussion. Particularly poignant if you've dealt with trauma and want to see a guy who made lemonade from some lemons in a completely unique way.
I work in this industry and would be happy to help answer any questions about it. I specialize in the opposite side of the industry (defense). I will say that a large portion of the breaches you will see, especially in the news, can be traced back to one of the following.
#1 is the reason vulnerability management programs at companies are a big thing and are "watched"/have eyes on by even the highest in the organization. But #2 is the hardest to solve. Mainly because to solve it really well (will never be fully prevented), you have to really impact the user's freedom on their machines. And when you do that, they start to complain. A lot.
Dude, he mined 80,000 bitcoin. Fucking 80,000. This guy is probably a secret billionaire or at least helped make others billionaires. Holy shit
Can we recognize how amazing a speaker he is?
Heads up to anyone liking this kinda stuff... listen to the Darknet Diaries podcast! I just started listening to it today
The point he makes in the end that mobile phones are terrifying is so true.
If you have wifi on, you spill out information about every wifi "Name"; not so long ago you could use the Google database and find out where someone is living.
Supermarkets use that information to find out how long you stand where.
You could make an Access Point with the same name as an unsecured coffee shop the owner has connected to in the past and the phone connects to that automatically.
Time and time again you get zero-click exploits over SMS/MMS/WhatsApp.
Old telephone towers used the A5/1 or A5/2 cipher which is insecure and with rainbow tables you can see the contents in no time.
Police use a device called a StingRay to find out who is at a demonstration. You could also build this yourself with a full duplex SDR and even set your own encryption but it is really hard to do.
Then there is SS7. 3 or 4 years ago 10k dollars got you to be your own provider and use this protocol to have a lot of rather interesting applications. They can't drop SS7 because the telco has to route the call even from bumfuckistan to your grandma, but they made access a lot harder.
Wish there was a highlight reel. Don't have time to watch right now.
Who is this btw? Tried looking up 'Gummo' but keeps going to Kevin Mitnick.
What an incredible story. This person, Gummo, has led a truly unique life filled with tragedy and incredible success, but at his core, his sense of curiosity, innovation, grit, ethics, and empathy have been his guide. I hope he continues to succeed and that his story is heard and inspires a new generation of ethical people who are interested in technology.