Inti De Ceukelaire is chief hacking officer at the Intigriti bug bounty platform, where he has been for the last seven years. But he has been a hacker for much longer.
Hacking
Inti De Ceukelaire, a Belgian national, did not set out to be a hacker. Like many hackers he was born with the potential to become one and only gradually realized he is one. There is a slight twist to his motivation. Many hackers say they are driven by an insatiable curiosity to understand how something works, and a deep desire to see if they can make it work better.
De Ceukelaire’s starting point was slightly different: he couldn’t accept that this something wouldn’t do what he wanted it to do. Hacking was less to improve the ‘thing’ and more to bend it to his will. “I got a rush from feeling challenged. The computer would say ‘No’, and I would think, ‘Well, we’ll see’.”
In his own words it was more a case of Rage Against the Machine than simply Stayin’ Alive.
He only realized he was a hacker after finding a few bugs in Google when he was 15. He reported them to Google and got a polite response. Without knowing they were talking to a 15-years old kid, Google emailed him and fixed the bugs in around a week.
“I was fifteen years old and talking to a Google engineer. It was the first time in my life I felt like an adult. And a hacker.”
A year or so later he found a vulnerability in one of Metallica’s websites (“I was a big fan when I was younger and still had hair – lots of it.”) He reported the flaw and was again treated with courtesy – perhaps a bit more than courtesy. He was invited on stage with the band in front of thousands of fans, and they signed his keyboard. “I got myself on stage with Metallica. I was living my dreams.”
In 2018, he found a weakness in the Vatican news website. He reported it – twice. The site did nothing, so he exploited it. Not in a harmful way, but one that would certainly be noticeable. He planted a news announcement stating, “Pope Francis is excited to announce the discovery of Heaven on Earth: Aaist [a town in Belgium] … Therefore, we shall now refer to The Lord as An Onion, named after the nickname of the inhabitants of this blessed city.”
A key factor in all of this is that he caused no harm with his hacking skill. He never did anything for personal gain – except, he admits, for one time. It was while still at school. He had a project with an online deadline. He missed the deadline by three seconds; so, he hacked in and changed his submission time by three seconds. He reported himself to his teachers who were, to say the least, understanding. They allowed the hacked time to stand as the real time.
And despite his ‘do no harm’ honor, he has a criminal record. “Ten years ago, I reported a very serious vulnerability to a large organization and asked them to thank me and fix it. They blamed the messenger, and it ended up in court.” Technically, he was guilty of hacking – how else could he find the flaw? Luckily, the judge accepted that the motive was pure; so, guilty but unpunished.
This conflict of potential punishment for acts of benefit are part and parcel of the rise of ‘bug bounties’ as a distinct profession, and may well be instrumental in the path toward his current position as chief hacking officer at the Intigriti bug bounty platform.
The hacker
Most hackers today learned their trade by hacking the telephone system and talking to other hackers on online bulletin boards. That era is over. Today, there are books and manuals available. De Ceukelaire did neither. Learning from other people and studying books just makes clones of other people and the writers of books. “It doesn’t make you a hacker – it just teaches you how to parrot other people,” he says.
He taught himself by first accepting the challenge and then trying to solve it. He had basic technical knowledge and a bit of programming from his school days. “I didn’t study computer science, and although it sounds contradictory, that helped me.” Trial and error was his method; failure was his teacher.
“In doing so, I was attempting a lot of things that wouldn’t make much sense to a technical person, but I was still trying it. I was trying to learn from it. I tested assumptions that a normal-thinking engineer would never have made because they would have skipped all those steps I went through while failing. So, I know some technical stuff at a much deeper level than other people, simply because I failed more often.”
He doesn’t criticize the more traditional path (“I know a lot of talented people that have just gone the regular routes”) but he thinks they may miss out on one thing. “Learning from books and just talking to other hackers can make you a little lazy. Forcing yourself to learn it on your own by failing more than the average person… I can recommend this to everybody, because that’s where you get the sparks of creativity.”
One thing he does have in common with many other hackers is a reluctance to criticize the morality of any other hacker. There are reasons for this. For De Ceukelaire, one is a dislike of labels. “I would rather call myself a hacker than an ethical hacker. Being an ethical hacker is the default so I shouldn’t have to call myself ethical. It’s not like I go to a pharmacist and ask, ‘Are you an ethical pharmacist?’ I think hacking itself is not a crime. You can conduct crimes with hacking, just like you can conduct crimes with driving. But you don’t imply all drivers are criminals just because some cause accidents. That’s why I’ve always tried to avoid labels – in different parts of the world, hackers will be in different moral environments.”
It’s an interesting concept, implying that ‘ethics’ is a construct controlled by local politicians and local lawmakers. What is ethical in one country may be malicious in another country – an elite hacker in the GRU is seen as malicious outside of Russia, but patriotic within Russia; and a military hacker in China is behaving ethically to his or her own country. Government hackers from the NSA or GCHQ or Israel or Iran would be considered unethical outside of their own geopolitical sphere.
“In their minds, they are doing what they feel is the ethical thing, and there’s no point arguing that. Such people may never be welcome in our community, but that doesn’t mean that they aren’t great hackers. I can respect these people for their technical skills whenever a majestic attack happens. And I’m gonna give it to them, sometimes it is impressive. So, I can learn from them.”
Ethical and malicious are variables – the only common denominator is ‘hacker’. But this only really applies to the geopolitical stage – every country still has local hackers targeting local organizations for personal gain. Has De Ceukelaire ever been tempted to use his skills ‘maliciously’ for personal gain? “No, never. It’s never crossed my mind because there’s a sense of honor that goes with these things.”
Ethical would seem to be part of his DNA, but genes have a complex relationship with behavior. Nature (genetics from birth) can provide fundamental tendencies for behavior, but this can be affected by environment during life (nurture, provides a fine tuning of genetics). So, the question whether hackers are born or bred will never be satisfactorily answered – it’s probably a unique interaction between the two for every different hacker – making every hacker unique.
For De Ceukelaire, it resulted in ‘face the challenge, solve the problem and never do harm’, but not necessarily never manipulate. He recalls a time when he would go to music festivals (remember the Metallica event) where the price of a beer could be extortionate, but you could get one free pint with an entry token. “So, I would go to the beer tent with my token, break it in half and ask for half a pint for half a token. They would take the half token but give me a full pint – leaving me able to get a second pint later with the other half.” Technically, this was social engineering – people hacking, rather than computer hacking. But it’s a good example of his definition of hacking: solving a problem to get what you want, creatively without causing harm.
There is another way in which genetics may come into play for a hacker. It’s a bit iffy, but possible. Genes can affect how the brain works. Neurodiversity is a major effect of how the brain works, and statistically it is quite common among hackers. Is De Ceukelaire neurodiverse?
“It’s never been diagnosed,” he said. Remember he doesn’t like labels, and he suspects that everyone is both a hacker and neurodiverse to one degree or another. But he does recognize one ‘symptom’. It doesn’t happen all the time, but when he is interested in the subject… “When I get in the zone, I really get in the zone; and time passes very quickly while I’m concentrating.” It’s the hyperfocus secret weapon of neurodivergent hackers.
The bounty-hunting hacker
Bounty-hunting became mainstream in 2012 with Bugcrowd and HackerOne. These were followed by, for example, YesWeHack (2015) and Intigriti (2016) in Europe. Used correctly, bounty platforms take away the uncertainty of non-malicious hacking.
De Ceukelaire technically has a criminal record because the firm he hacked didn’t understand his motives. He doesn’t believe they were specifically trying to silence his message, he thinks they just followed the labels: to know this he must have hacked their system which means he’s a hacker and a criminal with bad intentions; so, they reported him to the authorities.
In other cases, well-intentioned hackers who email companies to report bugs are simply ignored. That too, is understandable. If you believe your system is secure and you get an email from an unknown person saying it isn’t, it is easy to dismiss it as a scam email. And, of course, on occasion, ‘ethical’ hackers have had their life turned upside down by aggressive companies (see Rob Dyke and legal bullying).
This is the attraction of bug bounty platforms: they can make computer hacking a legal and profitable occupation. Companies can pay less for better results than by employing their own full-time red team pentesters, and hackers can ply their trade in safety. Since rules exist on both sides, companies know that flaws can be discovered and fixed without fearing the hacker is malicious, while hackers have a place and purpose to hack without fear of prosecution, and get paid for their work.
Before bug bounties it was easy for a hacker to choose a path of crime. “Why? Because there was no ethical path,” says De Ceukelaire. “I love hacking, I love every single minute of it. I love the chase. I love to see how the technical things come together. But 10 years ago, doing this you were almost always technically committing a crime, however moral your motivations. I would never wish to hurt an individual or a company – I was never an activist, I just wanted to hack. But there was no legal way to do this.”
Bug bounties have changed things. “If you live in a western society, there’s now no reason for a hacker to take the criminal path. By doing the right thing, there’s no risk, there’s equal if not better pay, and there’s satisfaction in making things better and not worse. Personally, I work and hack with Intigriti because I want to change the world. I want to get the progressive laws that we have here in Belgium into every single part of the world, and I want that to be the default.”
Read More Hacker Conversations
Related: Hacker Conversations: Rachel Tobac and the Art of Social Engineering
Related: Hacker Conversations: John Kindervag, a Making not Breaking Hacker
Related: Hacker Conversations: Frank Trezza – From Phreaker to Pentester
Related: Hacker Conversations: David Kennedy – an Atypical Typical Hacker
