From Vtech kiddie to professional security expert - The self taught way.
Sure, we've had a commodore at home, but my first real steps in self teaching computer language was on the toy computer that belonged to my sister. Along the games, it has some very minimal Qbasic shell to program small tasks. I've spend hours doing input/output examples, showing off my skills to my parents at that time. Soon enough, i've ran out of options after having used and combined all techniques in the /help menu.
Like a perfectly timed coincidence my parants managed to get a brand new Pentium 90Mhz, 8Mb (yes, MB not Gb!) Windows 3.1 desktop costing a small fortune at that time. Remember, internet still didn't existed back then for the general public. Out with the Vtech, in with MS-DOS and full blown Qbasic !
Line after line, my programs started to become more evolved and complex. With every issue i've encountered (yes, no google to grab some examples), i'd only became more passionate to solve the issue.
As the years and technology evolved in a rapid paste, it was a real struggle to keep up with the new technology and programming languages. While i was still playing around in Basic, Visual basic stood out. When i started to master Visual Basic, .NET came out, and so on.
I've had the urge of mastering every single command that could be found in the syntaxis help menu before switching to another language.
By now, i have a perfect knowledge of the following languages, all self taught over the last 20 years of my life
- Basic
- Visual Basic / VB.net
- C / C++
- C#
- Java
- TurboPascal
- Batch / Shell
- Cobol
- Python
- Ruby
- MSIL
- All major web programming languages/platforms
Those are the languages that i truly master, without the help of the allmighty Google. Most of any programming language is just a dialect derived from these, so in general, i could work with any language.
Did i mentioned that i rarely use any kind of IDE? My workspace is mainly Notepad++. Yup, that's oldskool!
Mastering my skills for fun and profit and taking the biggest loss of my life.
The upside of self taught coding is knowing the flaws and weaknesses of code. When running penetration tests it's sad to conclude that the majority is blindly using third party packages, or using code they've found on Google somewhere.
Using Google found code for authentication systems is like a Google self-diagnosis when you're ill.
While there are solid, trusted, open source platforms available that will do most of the heavy lifting for you, never use it without understanding every single line of code when it comes to sensitive data, and all data related to any customer should be considered sensitive!
Around the age of 16, i've created my first full blown application for a middle size company to keep track of their supplies, staff, working time, bills, inventory, you name it, my program did it. Around 27.000 lines of code written from scratch and uncountable hours in front of my screen, almost 18h per day for about 3 months straight.
I've been skipping school just to finish up this application, believing it would make me a rich man and my future would be bright. I've dreamt about my own big building with my name plate on it, sitting next to Bill Gates drinking coffee.
Every problem i faced was just a challenge to see how much i wanted to reach my goal!
What happened then really blew up in my face. The company was very excited about my application, so they offered me a good deal (at that moment, from a poor 16yr old kid point of view).
I got payed 2500€ for the application (jackpot!!) and an additional 500€ for handing over the rights on my application on a legal ownership agreement. Jackpot again! 500€ just for that? Count me in!
There i am, 16 years old with 3000€ in my pocket. But why did they wanted the ownership over my application anyway? It's just stupid lines of code, why on earth would someone pay me 500€ extra?
Well it turns out the company commercialized my application using a license system. They've sold over 450.000 licenses in the past 15 years at 900€/year and it's still selling today in a more polished, up to date GUI version.
That could've been my income! There goes my dream of getting rich doing what i like most in life.
400.000.000€ yearly revenue. How could i've not seen this happening when they offered me 500€ extra?
I'll beat them at their own game - From outraged to security expert.
I've had a main advantage over the company's IT departement, that's the fact i've written the code from scratch. Even tough i've spend an excessive amount of time on security, code will never be 100% failure proof.
Around the time their userbase passed the 100k customers, i've send them a highly detailed security report pointing out all flaws their application suffered.
When the inital transfer of the application was done, i was supposed to do the maintenance of this application and patch up the 'small flaws' still present at the time of delivery since their priority was a working application first, patching small issues later. But with transferring the ownership, this part of the agreement was no longer needed in their eyes - So don't think i deliberately implented some bugs when reading this.
This time i've outsmarted them at their own game. I've had one condition to fix all the bugs that mainly came from their IT departement putting their own code on top of mine instead of altering the source.
"You'll send a mail with my name and contact details to every customer when notifing them for a downtime due to security maintenance."
Sure enough, after a couple of weeks, the first customer sent me an email regarding a security audit.
The game is on again!
Making some name and fame - Hacking my governement.
This article follows on part 1 https://steemit.com/introduceyourself/@steve-walschot/hi-i-m-steve-professional-penetration-tester-security-expert-hacking-the-web-24-7-for-your-security-part-1
Years passed by, evolving from a 16yr old programming kiddie to a fulltime security auditor/freelance programmer. I've had a good amount of customers, enough to make a decent living. But then i woke up one day, still thinking about those missed millions, and that's when i decided to become known to the world.
When searching for some information on my governement's website, i've already noticed there was a intranet login button but i didn't really payed attention to it, until that one morning.
I ran some basic tests (well, basic to me anyway!) and discovered the webserver running on ASP.NET + SQL. ASP + SQL??? That's not even like leaving your frontdoor key under the door mat, it's more like having just a frontdoor standing up without walls to surround it.
Sure enough, i've discovered a time-based SQL attack possibility after 15 minutes of testing. Well played governement. This is how you spend my tax dollars on security?
It took me about 4 hours of time-based attacks to reveal the password of our prime minister. After having the password, i felt like a fool since the password was "Belgium-we-love". It would have taken less time just to guess it :)
I've seen many intranets before, but the things our prime minister could do was beyond any logical expectation you have when thinking intranet.
The governement's intranet was more like a nuclair command center. He had access to TOP SECRET level 0 documents, highly sensitive meeting reports, upcoming parlaiment votes and debates, half of Belgium's politicians, judges, police officers addresses and phone numbers, and many more information considered 'sensitive'.
I've managed to access a dozen of accounts just to proof this attack was not a lucky shot.
"Hello admin? I'd like to report a bug" - From testing to jail in under one week.
To be honest, i never intended to do some harm. I wanted to work for the governement as a security auditor, and this felt like it was my golden ticket in.
So i did the obvious thing, report the bug along with some less sensitive data to the general email address of the governement due to abscense of any administrator mail on the site. Exciting! All i've had to do was wait for an email to invite me for a job offer right?
4 days later goes the doorbell. I'm just sitting in front of my computer as my dad opens the door like he always does. Goes who? The SWAT team in true A-TEAM style (we love the A-team, admit it!) with pulled weapons making lot's of noise. When i look out the window i see my dad on the floor with a gun pointed at his head, not knowing what's happening since the only thing i see are masked guys in black clothes and 2 black cars in front.
I guess my job invitation just arrived?
Surely enough, the cops overpowered my parents and myself with brute force and violence. This all happens in seconds but trust me, you have no logic sense thinking 'Oh, these are cops, ok, i'll just lay down'.
I got cuffed and carried (literally) away in the back of the black car and brought to the police station where i've got charged with hacking, cyber criminality and terrorisme accusations. All our computers got seized, every CD-OM, every floppy, every printer, anything that was digital got seized never to be seen again.
I've been questioned and interogated for over 20h straight before seeing a judge who sent me to jail in temporary custody. I've spend 7 weeks in temporary custody before being probationary released.
Well, at least i made some name and fame now, didn't I?
Judged like a criminal, welcomed like a hero
I got judged for a 5 year probational sentence with a dozen of rules to abide. Yet somehow, my 'work' impressed the IT guys that manage my country's websites and platforms.
I did get my job interview shortly after being sentenced as a cyber criminal, suspected of cyber terrorisme.
However, i was do disgusted by my governement that i refused the job offer.
Having millions of $$$ one mouseclick away but leaving them.
Cryptocurrency was a big game changer. All the sudden my penetration testing objectives went from finding and protecting sensitive user data, to having millions of dollars just one mouseclick away.
It's needless to say that I surely had some doubts at some moments in the course of my penetration testing audits.
In 2014, i've gained complete root access over a server hosting +8000 BTC. This server belonged to a big exchange that's still active and running up to date.
I've successfully exploited over 40 exchanges, found vulnerabilities on most web-based wallets running, including blockchain.info, detected malicious code in cryptocurrencies sources, exploited ASIC miners so they could be operated from the outside world, got access to well over 1000 servers running wallets and pools, you name it, i've done it.
One thing i've never done so far is take even one cent for my own profit.
Every bug i find get's reported to the administrators, and a small public notice will be posted to make sure they'll get onto it.
Recently i found a bug on steemit that could lead to a session hijacking. I've reported the issue along with a simple fix and posted a small notice to warn users about a potential security risk. I'm sure the administrators are working hard to fix this issue.
https://steemit.com/steem/@steve-walschot/security-bug-steemit-vulerable-to-session-hijacking
Allright Mr morality, then why are you doing all this?
You see, i'm making my living being a security auditor/programmer. I'm not making millions, but enough to have a comfortable life. Even tough i could pull off a perfect theft, stealing millions of dollars in Bitcoin, i find myself having enough arguments no to do so:
- I'd rather be named and famed than being blamed and shamed.
- The chase is better than the catch - I really love coding and finding bugs!
- I'm a strong believer of Karma. What comes around, goes around some day, some how.
- I take more pride in getting a thank you and protecting thousands, than being selfish and having money
- I just really love what i'm doing!
Conclusion: Never be greedy in life and do what you've always wanted to do!
There's no price to set on happiness. I've walked on a thin line on having millions of dollars at my disposal, but somehow i've always failed or refused to take that path.
Does this means i'm simply a fool? Or maybe it means that this is the way my life was ment to be. Doing what i enjoy the most for the last 20 years of my life. Being happy. Good Karma.
I'm amongst the top 50 security experts in Europe, i've got to work on top notch projects, i've accessed data never meant to be seen, and i still get a rush when finding even the smallest security issue.
Now, that's how i wanted my life to become. To round up, i'm glad i took every step i've described in my story and would do exactly the same thing if i had a choice. All these events made me the man i am today instead of a 16yr old kid that would've became a spoiled rich kid.
Even without all the dollars i've missed in life, i feel like the richest man on earth.
Thank you for reading my story! This post was split in 2 parts since i've didn't have the time to write it in 1 post, but reading the comments on part 1 warmed my heart and so i finished part 2 already, and now created the full article :)
Keep on Steeming!
What the hell just happened! I just woke up and going from 17$ to +5000$ ?? You guys are AMAZING!
I'd like to thank you all for reading my story and upvoting it means a lot to me
Steem on!
I always though the title of "Penetration Tester" was what the washed out Adult Film stars put on their resumes.
Very nice post you have here and I absolutely love your mantra
Well thank you @stoner19
Hey nice to see you joining this game! Man, it's so great to see all these great minds joining this amazing experiment!
Nothing to add!!! Just eager to read more of your articles!
This gotta be the best introduction article that I ever read! With so many headline hackers breach systems to steal data. money and credentials, I'm very glad to have people like you who reports out the exploits to dev teams to fix the loop holes. God bless you my friend!
A security tester, you would perfectly fit in this community. Welcome!
Hi @kuriko thank you! As you could read i've already found a security issue here and reported it to admins https://steemit.com/steem/@steve-walschot/security-bug-steemit-vulerable-to-session-hijacking
Dont forget to upvote all these nice people who take the time to respond to your post. Remember, theyre probably poor and youre obviously rich. You can change their future with the push of a button. Dont be like dan, stellabelle, xeroc or heiditravels haha
I'm doing the best i can to reply to most comments and upvote some :) Thank you for reading
Easily the best article (intro or otherwise) I've read in a couple of days...
Welcome aboard...
Dude. QBasic FTW
That programming language was like the hands of GOD when I was 8 years old.
Why didn't you sell exploits on zero day markets? Legal and moral. Great read btw
very good post!
You are a true inspiration. Do what you love!
Basic
Visual Basic / VB.net
C / C++
C#
Java
TurboPascal
Batch / Shell
Cobol
Python
Ruby
MSIL
All major web programming languages/platforms ????
You are a master mate!!! Did you split in 2 parts??? When will you create the third one???
Hashtag me please :)
@steve-walschot
welcome @steve-walschot
I follow you 8]
Thank you @gekko
Welcome to the community @steve-walschot! Great read. We could use your help with the blockchain wallet we're creating. What's the best way to connect? My email is: jun@bitcash.org Thx!
Hi @steemrollin, i'll contact you later today. I intentionally didn't post any contact details or links to myself not to give the impression i'm only here to promote myself. I'm here to share my stories!
Yes. Great stories too! That sounds good feel free to contact me when you're free. Thanks!
This is such an amazing story!
I would love to read more security related storys about yourself.
Have you heard of that PornHub hack?
https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/
There is so much useful information in well-written security articles and so fun to read!
Your perspective is refreshing.
Besides being a good hacker, you are a good story teller. The next Stephen King, probably? (for programming horrors ;)) I would be the first to buy your book. I enjoyed so much reading this.
Thank you @thebluepanda, i'll keep that in mind to write a book someday with all the security horrors i've witnessed :D
This was an amazing read. Upvoted and subscribed. Looking forward to reading more of your posts.
Thank you for reading @condra!
Enthralling post, big ups on 'WhiteHat' objectives - i always believe the kind gets paid-back. Keep it up man
Amazing story Steve and great choices you made in the past . You'r rich for sure , knoledge is more than anything you can pay using money.
Congrats for all the votes to your post and there it goes mine's.
cheers
Thank you @drakernoise !!
You sir... Are a genius
absolutely amazing Post...very inspiring...
52 votes! Thank you all!
Welcome to the steemit community!
Holy hell man, that's a killer story. I'd love to learn code but just doesn't make sense to me so I stuck with networking.
Man is least himself when he talks in his own person. Give him a mask, and he will tell you the truth
Well here's Steem big shot, having tons of hacker problems and probably undiscovered exploits. Show everyone how it's done, let's push it infinitessimally close to secure.
PS: Those Moire patterns you got from concentric QBasic circles were the most awesome thing.
I've already reported a problem about Steemit. There are several other issues that will be reported once my analysis has been completed. Cheers!
Wow...
Thats very interesting story,im glad it worked for you :)
Im into cryptocurrency since 2014,and for now it is really amazing how i can make profit out of there.However getting real skills,like you have would be very useful,i think i will start to learn now :D
Thanks!
Wow. You've had some incredible experiences. I don't know how I would have handled the economic loss to license...
Like my conclusion, i would do it all over again for some reason.. Thanks for the upvote @robreardon6
^ wowza!
Nice post but a bit long.
Nice keep up
first off, told you you jumped too early on accusing her :D
2nd, now this is a quality post! I can't even understand the people who got so upset about your last payout, this is awesome for steemit and its adoption! What a good timing to post this now as well with the signups being open again!
Did i missed something? Who is upset? Who did i accuse?
I've always wanted to be some programming expert but I'm little behind on track... Good decision not to take the 8000btc, this always comes back to you and doesn't make you feel better imo. Investing the money earned on this post is honest and could bring some nice results imo.
Thank you for this blog. You are my inspiration now i want to become like you someday . I am aspiring IT student and hoping someday i will be like you. I only knew few programming language at this time like java,php and c++ but i only know only the basic. I am already 26 years old and it's never been too late for anyone to study and learn more things.
Try to focus on a single language until you truly master it. Challenge yourself to create things without the help of Google, then move on to the next one! Glad i've inspired you with my post
Wow Steve, I too was enthusiastic like you in my earlier years with interests in multi-languages/programs.... but was not successful enough even in one....
Keep on trying! Don't let anything or anyone take you down, follow your guts and achieve what you want to achieve
I read "I'm professional penetration..." and... my mind is so dirty
you don't have dirty mind, you have sexy imagination lol
you're freaking awesome! top 50! can i have your signature seriously! following!
Cannot agree with you more. Thank you for your selfless effort for a safer internet world.
Even tho this post already very trending i cant ignore it not to upvote very insparing story . love it thanks for sharing your good time and bad time :D
Your post is flagged. Screw off hacker.
That's an unfair statement. Either you didn't read my post, either you don't fully understand what my job is about.
Penetration testing and security auditing things that hold valuable items, either user data or money, is nothing compared to 'hacking' them. I'm the kind of person that get's contracted to prevent such things to occur.
Hello Steve,
very interesting article. Welcome to the club ;-)
__ /) __
Wow. I really liked your post. You are one of the IT pioneers who started on their own! Respect!
What agreat passion to have
Amazing achievement you got there steve. In few months all the experts in world will meet here on steemit. It would be an advantage for people like me because it will open our minds about most of the things in the world if not everything.
Thank you @juvyjabian
Your welcome @steve-walschot
Wise words. Encounters like this make me optimistic about autonomous ecosystems and how digital karma will actually exist. Personally, I think, since the cannabis revolution started, people have become more in touch with themselves and feel more towards the globe. I would love to hear you talk about the "space budget". Draconians trying to flee?
Thank you @coindup!
This Guy needs Upvoting , a good read and I do feel sorry for you .
I hope you find success on Steemit , we need Tech Experts like you !
Very good read. Gaining access to currently running mining and exchange servers is very alarming. If this is true, many people are lucky that you are white hat and didn't just take the money and run.
Cool !
very long but awesome