This teen millionaire hacker is leading a new era of internet privacy

Taken from the summer 2019 issue of Dazed. You can buy a copy of our latest issue here

In 2017, an 11 year-old Texas boy sat down at his desk and hacked the airwaves of a multi-million dollar toy manufacturer. “From terminators to teddy bears, anything can be weaponised,” Reuben Paul declared at the time, having hotwired the bluetooth teddy bear device to record private conversations between a parent and child.

“If an 11 year-old can do it, what prevents a skilled cyber-terrorist from doing it?” he later asked an American news channel, before pausing to spontaneously hack his interviewer’s Twitter account. After the teddy bear’s maker, CloudPets, was dropped by Amazon and eBay and were forced into administration following the revelation, Paul enjoyed thousand-dollar speaking offers the world over. The pre-teen was even offered a job at the US Department of Defense.

That Paul’s aim was to teach the world a lesson on the dangers of data security signified a paradigm shift for hacking. If you were a hacker in the 1990s, you lived in a bedsit, wore sweat bands on your wrists and were obsessed with Atari Teenage Riot. You were known as “Black Cap” hacker, an aggressive criminal outlier operating on the faultines of the internet. Paul is known as a “White Cap” or “ethical” hacker, because he is using his ability to find faults in company security firewalls for both the betterment of society, and his bank account. Nowadays, hackers are more likely to be found roaring through town in a new Lexus than pretending to on a console in their grandma’s attic. 

Take it from Argentina’s Santiago Lopez, who in February became the first ethical hacker in history to make a million dollars from his skills. He is employed by a San Francisco tech firm called HackerOne, which act as a conduit between major corporation clients and at-home hackers reading code and using trial and error to find faults in digital security. Once “bugs” are found, a reward, or “bounty”, is offered. Since he joined HackerOne in 2015, 19-year-old Lopez has reported an estimated 1,600 security weakness for brands such as Verizon and Twitter, and on one occasion earned a $9,000 bug bounty. Off the back of his hacker winnings, he now drives a coupe and lives in a private village outside Buenos Aires, the most expensive rental complex on the Argentinian coast.

Lopez may seem a few light-years away from the military-cyberpunk image of internet vigilantes in the lynchpin 90s movie Hackers, but the film was important to him growing up. “I didn’t even know hacking existed until I saw the movie, which opened up a whole new world for me,” he says. As he learned more about hacking, he realised which side of the ethical divide he preferred. “I believe that in the future, more companies will work much harder with the hackers to keep their clients safe. I also hope that we will defeat bad hackers by making systems more secure.”

In 2019, it’s poignant to hear a teenaged internet guru speak optimistically about the future of web security. In the UK last year, arch Brexit barons Nigel Farage and Steve Banon colluded with the political consulting firm Cambridge Analytica to mine Facebook users’ data in order to steer EU membership election votes. The scandal put not only the security of personal information into question, but the fabric of UK democracy.

“You could say vetting (hackers) doesn’t matter, because no matter how good the hackers are that we bring in, the worst ones are already hacking you” — Mårten Mickos

Lopez’s story is a very modern one. Last year, he earned 40 times the average salary of an Argentinian worker in the software industry, and did so with a clear conscience. In years to come, Generation Z may be best remembered as an era that coalesced bloody-minded entrepreneurialism with inspiring creative activism. What’s more, ethical hacking offers young people the chance to become lucrative from the tech knowledge they were born to acclimatise to, as internet-first communicators. “It is an equaliser of opportunity,” comments HackerOne’s CEO Mårten Mickos of the phenomenon, when I mention a 2015 New York Times piece declaring Argentina ‘the world’s new hacking capital’. “Hacking is a skill that can be sold outside the country (the hacker is from) and not be dependant on the local economy. You have a company in New York who pays a bounty to a person in, say, Belgium. The company in New York are getting the work done very quickly at a reasonable price and the hacker in Belgium is being paid New York rates. Both sides are happy.”

I meet Mickos in the company’s crystalline new London base. With its symmetrical assembly line of headset-entrusted worker ants and stand-up desks, there’s something bizarrely utopian about the set-up. “The future is always scary, but that doesn’t mean we shouldn’t move towards it,” he says. “These hackers we have will grow up with a clearer moral compass as to issues in the digital realm. If you go to the Houses of Parliament and ask them what to do about (data mining), many of them have no clue. They didn’t grow up with computers, they can’t really assess what’s bad or what’s good and how to guide it.”

Despite this, does he feel that personal data is safer in a post-Cambridge Analytica world? “I actually think it’s worse than you have described. The bad thing about the Cambridge Analytica scandal is that they didn’t do anything illegal. It’s a problem of legislation — it’s behind (in the UK) and is simply not addressing the issues of privacy, the protection of consumers or free speech.” Martin Jartelius, the chief security office of Outpost24, another enterprise focused on cyber security, places more hope in the state to react responsibly to the situation. “There are also likely scandals (like Cambridge Analytica) to come”, he warns. “(But) we are also getting to a point where legislation is more up to speed with misuse of data, and hopefully we can see a situation where a degree of digital vigilantism is becoming less important.” 

Founded in 2012, HackerOne is the world’s largest White Cap hacking directory, working with 300,000 staff across 150 countries. In just one day this year, 45 of its Singapore-based hackers came together to uncover 264 vulnerabilities in Dropbox’s security firewalls. The event set a powerful example not only for the future of ethical hacking, but for our ability to beat the “bad” hackers at their own game.

The Dropbox victory does a lot to take the edge off the Cambridge Analyica doom, but Mickos is the first to admit that the internet is more chaotic than we would like to believe. Internet users may be relying on the willingness of hackers, rather than state legislation, to discern good and bad, but it already has powerful leaders like Lopez to rely on. “The bad hackers are already attacking everybody, so you could say vetting doesn’t matter, because no matter how good the hackers are that we bring in, the worst ones are already hacking you,” he says of the company’s hiring process. “I don’t know if that’s any consolation, but it is true.” If Mickos’s philosophy truly is the reality we face, Santiago Lopez may well be the unelected leader of a whole new world.