The very British history of Ben Harris is a mischievous youngster who tinkered with school networks, evolved through legitimate pentesting and became the founder and CEO of WatchTowr.
The WatchTowr platform builds a real-time attack view of its customers’ environments and continuously identifies and validates exploitable vulnerabilities before they can be leveraged. It wasn’t what his parents wanted – they wanted him to be a musician.
School career
“When I was very young, I was packed off to boarding school. It’s a British thing. If you’re old enough to think for yourself, it’s time for boarding school. I was seven.” The hope was that he would become a professional musician, so his school career revolved around music schools.
His own interests, however, hit a diversion at that first boarding school. “I found a book in the library about these guys in the UK that had their house doors kicked in by the police for breaking into American military computers from their bedrooms. And it was just absolutely fascinating.”
It wasn’t the idea of hacking, or breaking the law, or finding out what data is in American military computers that fascinated him, it was the simple concept of one computer being able to access a different computer, and he wanted to know more about all computers. It became a need – not so much to do it in anger, but simply to understand how it could be done.
“That’s when my life kind of just took a divergence, and I became increasingly obsessed with the idea that you could use a computer to break into other computers and get access to things that you shouldn’t have access to,” he explains.
He wasn’t entirely ignorant of computers. He was still a youngster playing computer games on an internet he couldn’t afford. That’s a common entrée into hacking, but he postdates the heyday of phreaking and blue boxes and fell straight into the IRC world. “I always say I was lucky the police didn’t kick in my doors when I was a kid,” more in jest than seriousness – not because they shouldn’t, but more because they wouldn’t.
But all this time he was learning more about computers. And learning more about – and from – school networks. He attended various schools, and while he gives few details, he does comment, “I went to a few different schools because, well, who would keep me? Each time I moved, my old school would warn the new one: ‘This guy might touch things, blah, blah, blah.’ But none of them really knew what was going on. Like worrying about Father Christmas, it was just some mythical thing that people talked about, but nobody really understood.”
His last school was an Upper Sixth College – the British equivalent to 11th and 12th Grades in US High Schools. “They let me join but made me sign a document. It basically said, ‘If you break our acceptable use policy, we can kick you out’.” Like that was going to work! It was just another rule when Harris had just one rule to rule all others – so long as he didn’t cause damage or harm, other rules weren’t that important. They were just unactionable threats.
But he tried to behave himself. His exploratory and computer-educational activities were initially kept out of school, and he managed to stay at the school for three-quarters of the allotted span. “Towards the end of my first year, I just got relentlessly bored. I never enjoyed education; I’m not the studious type. So, when things become very tempting and look very interesting, it’s hard to resist just finding out. What would happen if I did this; how far could I get doing that; is there something new here?”
Eventually, his activity was noticed, and he was called in to see the Headmistress, who claimed the school had ‘evidence’. “With the IT Admin sitting next to her looking very smug with his ridiculous face, she said, ‘We have evidence. You have a choice: either we suspend you and you leave, or we call the police’.” Red rag and bull? He replied, “You have nothing, nothing that will stand up in court, so call the effing police!”
Luckily, or unluckily, his father had been summoned to the same meeting; and his father certainly didn’t like the idea of involving the police. “Benjamin, we’re leaving.” Strange how it only seems to be angry parents that call you by your full name. “So, my educational career came to an end. I didn’t have any choice.”
There is no doubt he had been a rebellious troublemaker during his educational career. But he never caused any harm or damage, and had an apparently flippant attitude toward authorities and the law. This latter is worth exploring, since the UK’s Computer Misuse Act (CMA) had become law in 1990. It was enacted to fill a legal loophole exposed by two early British hackers, Robert Schifreen (aka hex) and Steve Gold. Neither could be described as black hat.
Schifreen and Gold broke into BT’s Prestel viewdata service and accessed private mailboxes (including one belonging to Prince Philip) in the mid-1980s. They were caught. Since there was no specific law against their actions, they were prosecuted under the Forgery and Counterfeiting Act 1981. They were found guilty, but the conviction was overturned on appeal – the law simply didn’t work with breaking into computers, and using misappropriated passwords can hardly be classified as forgery. By 1990, parliament had filled the gap with the Computer Misuse Act – but in Harris’ own words, it was still like Father Christmas that no-one understood.
“I always felt, even into the early 2000s,” when he started his network tinkering, “the authorities had a hard time working out where they should be focusing their efforts. In the late ’90s and early 2000s their focus was really on financial crime rather than the online equivalent of graffiti or anti-social behavior. If what you did wasn’t high profile, and if you didn’t stick your neck out too far, I believed law enforcement already had their hands full with real criminals.”
He draws a distinction between technically breaking the law with no intent to cause harm, and committing a crime to steal money or to cause damage. “So, for me, it wasn’t fear of the law that guided my actions, it was simply my passion to learn more about computers. Lawyers would disagree with my distinction – and they’d be correct – but that was the distinction in my head.”
Back to his last day of education when his father took him out of school. It wasn’t a choice, there was no other option. Within thirty minutes of getting home, he was back on his computer in the IRC channels. But a little later, his father took him aside and said, “I don’t care what you do. I’m not really interested. But within seven days, you must have a job.”
Professional career
Harris doesn’t dwell on the gravity of situations – he just gets on with things. He immediately applied for two pentesting positions and was offered a job three days after his first interview. He turned it down. “It was a terrible salary. It was exploitative. They probably felt, here’s this kid who knows a bit about computers but has no school qualifications whatsoever. We can screw him. Offer the minimum possible and he’ll accept it just to get into the industry.” The UK is well-known for offering pitiful entry-level salaries.
The second interview was different. It was with a better known consultancy within London. “A couple of days later I was offered a position that I could start within 24 hours. So, I was able to say to my dad, ‘Okay, I’ve got a job’. He was a bit shocked. In his own words he wasn’t expecting it to happen so fast. But I didn’t really think about it myself – I needed a job and got one. It wasn’t until years later that I thought, ‘That could have gone terribly wrong. I could have ended up stacking shelves in a supermarket’.”
He spent a couple of years at Portcullis as a security consultant before moving to MWR Infosecurity, starting as senior security consultant and working up to Technical Director. From there he moved to F-Secure as Technical Director – and then, in August 2021, he founded and became CEO of WatchTowr.
The difference between his school and academic careers is striking. The education system failed him, probably because it and his parents wanted him to be something he wasn’t – either a musician or an economist or similar. All he was interested in was computers, but with no training he had to find his own way. This meant using what was available and that was usually the school network. He tinkered with it (or them, because he kept having to move to a new school). What he did was almost certainly illegal, but he did it for no other reason than to learn about computers, and he was never prosecuted. He was most certainly a hacker, although he hesitates over this title because he was never the archetypal hooded hacker breaking into computers to steal money or wreak havoc. He just wanted to know how things worked. And that understanding paved the way for a successful career in pentesting and consultancy.
Harris the hacker
Asked if he has ever been tempted to sell discovered weaknesses on the dark web, Harris says, “No. There were times when I was young that I didn’t always report things I found, I had issues – I still do – with the whole responsible disclosure process. I don’t think ‘responsible’ is the right word. But selling is a very different ball game. Does it end up with criminals? With foreign governments? That’s a very different place to be. So, no, never. I’ve never considered selling.”
This is a complex character. As a child and youth, he had no qualms breaking society’s rules and even laws – what he has likened to online anti-social behavior – and had no fear of the law (CMA) as it then stood. But he is rigid with his own moral standards. He has a moral compass.
Most young hackers did more harm than Harris ever did, before shunning the dark side. When asked why they didn’t become black hats, a common response is ‘good parental upbringing instills knowledge of the difference between right and wrong’. Harris says nothing like this.
Many young hackers have manipulated school networks, but often with a purpose: to find exam questions before the exam, or to edit and improve their end of term grades. Harris did none of this while poking around the school networks.
Many young hackers are motivated by a drive to disassemble systems and reassemble them into something improved, or at least different. This was not his motivation.
What is left is a hacker with a rebellious spirit and a willingness to break rules in the pursuit of his purpose – but without causing harm or damage. The purpose was purely to understand how computers work and communicate. He describes himself as, “A person with a rather fierce obsession with understanding how computers work, combined with perhaps a relatively tame mischievous streak.”
Related: Hacker Conversations: Rachel Tobac and the Art of Social Engineering
Related: Hacker Conversations: Frank Trezza – From Phreaker to Pentester
Related: Hacker Conversations: Joe Grand – Mischiefmaker, Troublemaker, Teacher
Related: Hacker Conversations: HD Moore and the Line Between Black and White
