Huan Truong

Notes from a developer


The forgotten shameful hacker

When I used the word hacker nowadays, what I usually mean by that is a person who is able to pull a fun trick on a piece of hardware or software to make it do something unintended. That is fun and cool. That's the geeky definition of being a hacker - the kind we are proud of admitting being. But in one period of my life, I used to be the kind of hacker that TV reporters mentioned: the popularist meaning of hacker. The bad one.

I remember being a 14 year old in 2001 or so, I had someone sending me an email asking if I was the one who sent spams from his free hosting service. The person who asked me that question was the sysadmin of a company. He informed me that he was fired from work because he hosted his server on the same infrastructure. I felt incredibly guilty and apologized to him. He, a Christian (a minority in Vietnam), said to me that's fine, just not do that in the future and pay it forward. He forgave me, and that was that. I never shared that story with anyone. I didn't understand what it felt like to be fired from a great job then.

You would think that I learned. But my high school was way worse. At one time, I had control of so many websites including ones that were doing early-day e-commerce shopping cart software written in ASP and PHP hosted on shared servers. That was before all the regulations were in place. So some didn't change their Access database filename. Some didn't patch. Some patched but had other websites in their shared host that didn't patch. Some had unjailed accounts. Some had SQL injections. Some had bad upload forms that accepted scripts. I stumbled across many stores that were accepting credit cards. Some even stored the records "encrypted" but I eventually defeated their method. That meant that one teenager in that hot, dark corner of the cafe shop in Vietnam had thousands of credit card transactions records (with CVV records) of many businesses. He was very fond of the great treasure he got by sneaking into your house.

I couldn't have imagined what my life would be like if I got into troubles then. But by some miracle - I was fine. But to be fair, I didn't hack because I wanted to steal people's money. I did it because of the thrill. After all, my only vice in high school was to skip classes and go play counter-strike at cyber cafe shops, which was well funded by my CD recording and gifting business in high school.

But many others hacked because it was a profitable thing. Back then, many black hat hackers shared databases of credit cards on underground forums. Do you wonder why didn't they sell them or keep them for themselves? There were two reasons for that. First, it was reputation - the same idea as karma whoring or like button nowadays. Second, it was because it is so much harder to pinpoint someone when there were 1000 other people who used that same stolen credit card. In a sense, if you wanted to utilize the credit cards you stole, you also need to share them to diversify your risks. At worst, you'd want to be accused of stealing money, not hacking into websites and stealing and distributing thousands of credit cards.

You might also wonder what could the credit card thieves use a hacked credit card for because obviously, they wouldn't want to reveal their identities. So people who actually ordered goods to their (fake) addresses were the ones who didn't know what they were doing. The professionals, instead, could use credit cards to buy virtual goods that deliver right away such as domain names. Then by transferring those domains to a series of providers, they could have domains that are valid for ten years for $1 (the last one dollar transfer fee is actually their own legitimate money), then sell it. Or they could buy software licenses to resell. Back then, the concept of revocation of software keys by checking it with an internet server was not widespread.

I knew all those tricks by talking to a quite intelligent person that did it for profit. He was about the same age as me. He didn't know to hack though, and just frequented on some underground forums to feed on dumps by other hackers. He was then a computer science student in a top-tier university in Asia. He was recognized by the government as a national talent due to numerous prizes he won as a high school student and was sponsored to study abroad by the government. Despite all that, he was fascinated when I teased him what I've got - the cards that no one published on any forum before. He asked me if I was in a new underground forum he didn't know about and hoped I would let him know of the fight club I was in. Well, the secret was that I wasn't in any fight club. I was a lone wolf – A lone wolf hacker that was up for no good.

By the time I was 18, I was a very average student who barely made it in the college entrance exam. Being an average, non-competitive college student in Vietnam also meant I have a half day free and I could be employed 20 hours a week and made consistent good money to buy most things I wanted. The idea of sneaking into other people's businesses, and especially using other people's credit cards, turned from "whatever floats your boat" to being disgusting really quickly. I somehow had a feeling of disgust for that person who despite having money and the intelligence to be making legitimate money, still sought for more money that doesn't belong to them.

All in all, I'd like to think of myself as a productive member of the society since then. That wouldn't have been possible if I didn't have the chance to be forgotten of all the pains I caused in the past. I used the word "forgotten" instead of "forgiven" because I don't think everyone would agree to forgive me.

When I was an undergraduate student years ago, I had to take a course called "Cyberethics." The professor who taught us that class had a Ph.D. in a unrelated field. The lessons, in general, were quite boring - I found them to be paraphrases of what's in the textbook. The midterm and final were merely questions extracted directly from the textbook. We were allowed to bring 2 pages of handwritten notes into the exam. Basically, everyone had a free A or B so no one really complained much. In general, it was just plain tedious and uneventful. But I distinctively remember a lesson – one day, she proposed to punish heavily people who penetrate into other people's systems regardless of reason or age.

At that point, I said something like:

  • Professor, I think perhaps there are many factors in that. Perhaps if the people are young, they couldn't think for themselves. But if you give them time,…
  • No, it is illegal. Being young doesn't make them any less dangerous.

And continued on with her textbook lessons. I usually love the education in the US and look up to many professors. But for that alone, I know that time, having someone who wore that pair of shoes would help. A person that doesn't know how to hack into a system wouldn't understand the thought process and the nuances of being a young and stupid hacker. They really are among us and they keep coming. But just as you hardly ever see any Kung Fu master hurting other people for fun, and so do any true hacker.

But I haven't contacted the person I mentioned earlier. I am wondering if he, at a corner of the world, would think the same way I do now. I don't know. I didn't give myself the chance to know the adult person of his.