My Journey to Now

I’ve been asked by many people how I got to where I am today. I’ve given the tl;dr version for years and have meant to write the long version for a while. This will include a lot of details that aren’t just about my tech experience, because they shaped me in ways more fundamental than, say, learning C++ did. If you only want to know my tech journey, the first section will cover that.

Small warning: I try to be as accurate as I can with when things happened but, well, it’s been a long time now. I’ll do my best to be truthful and accurate despite that!

TW for those who want it: mental illness, self-harm, drug use.

TL;DR

I grew up in a household that always had a computer, so they were always around. In kindergarten there was an Apple //e and I started learning BASIC, thanks to a book discovered in the library. I spent years writing apps in Apple BASIC and later QBASIC on my DOS PC at home. Around 11 or 12, I learned Perl and then quickly jumped over to PHP, which became my language of choice. I discovered the EverQuest hacking scene when I was 14 or so, and I began writing server admin tools for it in PHP. I quickly realized that to keep going, I needed to learn C++ and started learning to reverse-engineer. Did that for a while, then got into hacking DRM. After years of reverse-engineering, I got into security consulting, then started teaching hacking.

The Long Version

Early Years

I was born in 1988 on a naval base in Illinois. When I was 2, we moved to rural Pennsylvania, where I would live until I was 17. My mother read to me constantly, and I learned to read by 3. She also fostered my creativity in big and small ways; I remember lying in bed with her when I was 4 or so, just going back and forth making up a long, winding story. My father was and is a musician, and all my earliest memories are of the music that was ever-present in the house growing up.

I also grew up with an older brother, who was essentially my opposite. I was into computers, he was into cars; I was into metal, he was into rap; I was into video games, he was an athlete. Between the age difference and the polar difference in our interests, we spent little time together.

First Steps

In kindergarten, I got my first taste of the power of computers. There was an Apple //e and when you turned it on without a disk inserted, it would give you an Applesoft BASIC prompt. Somehow, I was pointed to a small orange paperback book in the library, which served as a reference and example set for the computer. I started out copying examples from the book, then tweaking them, then eventually writing my own from scratch. I was obsessed with writing little text adventure games, of which I’m sure I finished none.

At home we always had a computer, despite being lower-middle class in the best of times. People under 25 or so may not understand just how rare that was at the time. My uncle ran a business building computers, so we always had something he gave us; were that not the case, I likely wouldn’t be writing this today. I learned enough to be able to start games under DOS, very early on.

I distinctly remember the day my life changed, though. I had this game called Pilgrim Quest, an altogether forgettable edutainment game. I was young – probably 6 or 7 – but I had gained a decent knowledge of DOS commands. For whatever reason, I decided to open the main Pilgrim Quest binary in edit.com, the built-in text editor. I saw a bunch of meaningless garbage and, being the curious kid I was, deleted some of it and probably just typed some random garbage. I saved it and started the game. On the screen I saw some scrambled nonsense, and I figured I’d just broken it entirely. I pressed a key – probably starting to hit ctrl-alt-delete to restart the computer – and … a tone played! I pressed another, and a different note played. By sheer luck, I had managed to turn this game into a very primitive synthesizer!

If you did the exact same thing I did a million times, I would bet good money that you wouldn’t see this same result; the chances have to be effectively zero. But somehow, it happened, and a very fundamental thing clicked for me: everything I saw on the computer was something that a person made, and I could take it apart, understand it, and change it in whatever way I saw fit.

It was around this point where I first set the goal that became my driving force for years to come: I wanted to go to MIT to become a programmer.

The Internet

In late 1995, when I was 7, we got our first internet connection. I remember going to the ISP with my dad to get it set up, with them giving me the instructions for how to download Netscape Navigator from their FTP server.

The PC was the first new one my parents had bought in my life; my mom was trying to start a wedding planning company, and thought it was worth the outlay. It was running Windows 95, with a 100MHz Pentium processor, 8MB RAM, an 850MB hard drive, and a 14.4kbaud modem. I remember this well, because later this became my own personal computer, which I used for many years.

I don’t remember much about my first year or so on the internet; I imagine that I spent a lot of time downloading games and other things like that. But when I was 8 or so, I discovered IRC and hacking wargames. For the first time, I was surrounded by people as curious as I was; for the first time, I felt like I wasn’t the smartest person in the room. In fact, I saw all these people who were infinitely more intelligent and experienced than I was and well, I was overwhelmed and pretty much gave up.

Gaming and Pace Computing

Like any other kid with similar access to computers at the time, I was obsessed with games. I spent years playing Doom and other awesome shareware games, and I got quite good at them. Sometime around 11 years old, my mom told me about a local computer shop that had weekly gaming sessions, which became the next big turning point for me.

I thought I was cool with my Doom, then they showed me Half-Life. Suddenly, this whole new world was open to me. I’ll never forget the shit-talking we all did; from kids my age, to adults, all fragging each other and treating each other with respect. For the first time, I was around other people in person who were interested in the same things I was. For the first time, I didn’t hate where I lived.

I was a fat kid with an inability to stand up for himself, which made me an easy target for the bullies in my school. It’s sad to say, but I can’t remember a time when I was happy there; I thought that everyone around me was an absolute moron, from the teachers to the kids, and I hated them all. Funny thing about hating everyone: you end up hating yourself too. Pace Computing showed me that not everyone was dumb and not everyone was an asshole.

It wasn’t long before I started talking programming with John Pace, the owner of the shop. Their staff primarily built computers, but they also did web site design and development. They got me interested in programming again, telling me about Perl CGI scripts.

I started learning Perl and any time I hit a roadblock, I’d just ask John or another person there, and I’d be back on track. Then one day, they said something to the effect of “Perl is dead; you should learn PHP” and well, who was I to argue with that?

At some point, John offered me my first paid programming assignment. I’m sure it was something tiny like $50, and I can’t for the life of me guess what it was that he asked me to write, but to me – a poor kid who had never made a dime before – it might as well have been a million dollars. Suddenly this wasn’t just some pipe dream, but something I could be good at and make money with.

This was also the first time I really saw C code and didn’t feel like it was just absolute nonsense. One of the folks at the gaming nights showed me the absolute basics, showing printf and scanf. I didn’t really start learning C then, but it planted the seed and showed me it was something I could learn if I wanted to.

Around this time I also discovered the #php channel on OPN, the IRC network that later became Freenode. I met many amazing people here – some are still friends to this day, in fact – most notably Rasmus Lerdorf, the creator of the language! Despite being an effective celebrity, he was always patient and willing to answer the questions of complete newbies like myself. In retrospect, that kind of respect and love for teaching almost certainly helped shape who I would become later.

Shortly after, I started doing contract work for whomever would pay me, developing everything from terrible little websites, to e-commerce backends for porn sites (which now strikes me as more than a little inappropriate, given that I was only 13 or so), to email scrapers for spammers. While it started off slow, I eventually got to a point where I could afford to buy my own hardware as needed, which was a huge boon for a kid like me.

BeOS and Linux

In 2000 or 2001, I discovered the world beyond DOS/Windows. I got a copy of BeOS R5 and immediately installed it on the Pentium 100 machine I mentioned previously. I was stunned by just how incredibly smooth everything was. I could watch a video and browse the web at the same time with no lag! Unfortunately, even at this point BeOS was very much on the way out and while it made a great desktop, developing on it was a pain in the ass at the best of times.

Shortly thereafter, I discovered Linux and my world changed. It became my primary OS pretty much instantly, letting me do anything I wanted. If I didn’t like the way something worked, I could edit a config file or even make a patch to the code! Emacs followed shortly after, really showing me how powerful my computer could be if I just put some time into it. I was a Linux fanboy for many years after this.

EverQuest

I think I was 12 or 13 the first time I saw EverQuest. A friend showed it to me and I knew that I needed to play it. After much convincing, my parents bought it for me and set up a subscription.

I spent a while just playing it, but naturally I got curious and wanted to see if anyone was hacking it. What I discovered was a huge community of brilliant people taking the game apart and building tools like ShowEQ to watch the network traffic, to give you info that you normally wouldn’t get (e.g. the position of every mob (movable object – characters, NPCs, monsters, etc)).

It was in the ShowEQ IRC channel that I learned a very valuable lesson. I had hit a point where I thought that I was absolutely brilliant, and brilliant people always know the answer, even when they don’t; leave it to a 13-year-old boy to think he’s unlocked the secrets of the goddamn universe. At one point, one of the lead developers got a bit frustrated with my attitude and asked if I had heard of ROT13. Not wanting to sound ignorant, I responded “I think so. That’s that unbreakable cryptography, right?” … Turns out that if you don’t know something, the best response is to ask and then listen. If you think you know everything, you probably don’t know a damn thing.

ShowEQ was cool, but it wasn’t really that interesting to me. At some point, someone in there referenced EthernalQuest, a sister project which served as a server emulator. I quickly downloaded it and suddenly, I was playing EQ on a server that I ran myself! I was the god of this tiny little universe. The project itself was pretty much dead at this point, though, and I subsequently discovered the eqemu project, which served to do the same thing but in a better way.

That discovery was another turning point for me. There was this community of people hacking on things that directly interested me. I started writing simple server admin tools in PHP, but quickly saw that there was more for me to do by working on the server code itself. As such, I started teaching myself C++ and making tiny modifications.

However, one of my favorite zones had these lifts (elevators) which got you from the forest floor up to the city. These didn’t work in the emulator, so I made it my mission to reverse-engineer the protocol and add support for this to the emulator; after weeks of work, I got it all working and finally felt success. I was officially a reverse-engineer!

BinaryPHP

Around 14, my next big endeavour – and last big PHP project – was a compiler from PHP to C++ called BinaryPHP. This was my first ‘real’ compiler of any kind and it is, of course, a complete and utter mess. I used the tokenizer built into PHP and a hand-rolled parser to pretty directly emit C++ code.

This project was the first I started myself and then led a team for. I recruited a number of developers and eventually brought in a project manager. In the end, we made a couple small releases, each adding a ton of new functionality. Most notably, we were able to compile a bunch of IRC bots and other daemon-y code, with no modifications required whatsoever.

However, this project hit a bit of a wall when we tried to add support for more than basic object-oriented code. I spent months trying to get things working properly, but never could get it before my interest waned and the project died. Interestingly enough, Yahoo reached out to me at some point about their use of it internally; I guess they had forked it internally and managed to get it working quite well. They were talking loosely about hiring me, but when they found out I was a minor they dropped the thread.

OpenEQ and High School

Around the time BinaryPHP wrapped up – 2003, I’d guess – I started a project called OpenEQ – my first game project. I had previously messed around with OpenGL bindings for PHP, so I had the tiniest bit of experience with 3D programming. PHP wasn’t going to cut it for performance, so I tried doing it in Python, which I was learning around that time. With that iteration of the project, I was able to get a pretty decent renderer for game zones, albeit not a performant one.

I knew that to make this a real project, I was going to have to go lower level, so I started a new version in C. This one was screaming fast and I was so proud of the work I did there. I had renderers working for the whole world, but ended up hitting a bit of a wall when new file formats started coming out. This led directly to the C++ version, which was a ground-up rewrite, integrating the many things I had learned.

This was also where file format reverse-engineering became my forte. When a new EverQuest expansion came out that used entirely new file formats, I had the opportunity to figure out some formats that no one had ever looked at before. To do it, I printed out hex dumps of the various different files and brought them to school. Using pens and highlighters, I was able to put the pieces together, identifying all the key fields and their meanings.

This was a pretty transformative experience for me, because previously school had seemed like a complete waste of my time. I aced every test but failed all my classes because I steadfastly refused to do homework; if I knew the material, why should I waste my time on homework? This led to growing resentment and served to deepen my depression. I was a relative social outcast – I had few close friends in person, preferring to keep my interactions online for the most part – and grew deeply resentful of where I was and what I was doing.

It was around this time that I began writing poetry daily, which served as my only outlet aside from hacking. To this day, it’s all still available online, and I occasionally go back there to reflect on how far I’ve come. With the deepening depression, though, came a renewed sense of self-hatred, which led to self-harm in various forms. I would cut and burn myself, primarily out of (in retrospect) an inability to find useful and healthy outlets for my anger and sadness. I find it hard to look back on that period with anything but astonishment; at the time, everything I did seemed so reasonable, but now I just genuinely can’t relate to the person I was.

This was all magnified by the fact that half of my teachers wanted me to be in the gifted program and half of them wanted me to be in special education. The special ed contingent won out, leading to me spending several hours each day in a classroom with students who suffered from legitimate learning disabilities; this served to further distance me from the people around me. I don’t know if I’ve ever felt more alone, before or after.

I eventually hit my breaking point and went to the guidance counselor’s office, seeking to drop out of school. I told them that I was making good money doing contract work and would find a way to manage. Unfortunately, because of the “learning plan” I was on, I was forbidden from dropping out without parental permission. I’ll never forget the principal coming in and telling me that I would never amount to anything if I didn’t at least graduate high school and start college. I’ve never been much of a fan of revenge as a driving force, but I made an exception here.

PHPtunes, PyTunes, An Accident, PyMusique

In early 2004 – when I was 16 – I came upon a tool called iTMS4All. It was a Perl script that allowed Linux users to browse the iTunes Music Store and listen to the preview snippets. It became my mission to take this one step further and be able to purchase songs from iTunes without using the iTunes client app (which was and is unavailable on Linux).

To this end, I built an app called PHPtunes, which was essentially just a straight-up port of iTMS4All but provided a test platform for purchasing. As I figured out more and more of the protocol, I rewrote this and built a command-line app called PyTunes that made browsing and purchasing much simpler. Unfortunately, I wasn’t able to decrypt the files that came from the server at the time, so we were left with unplayable garbage.

In late 2004, just as I was starting my 11th year of school, I was involved in a serious car accident. I had to have a large number of stitches and was out of school for weeks as a result of the injuries. While this obviously wasn’t fun, it gave me the time necessary to figure out the file encryption.

It turned out that iTunes didn’t apply DRM on the server side, like a sane service would. Rather, each user simply got the same file from a CDN. Alongside the download link, the server would send an AES key, and the first 16 bytes of the file were the IV. With a bit of fix-up, the resulting file was completely playable and lacked any form of DRM!

Shortly after this – in early 2005 – Jon Lech Johansen (DVD Jon) took PyTunes and turned it into a GUI app called PyMusique. He released the app for Windows, Linux, and Mac and all hell broke loose. The media loved the story that a teenage hacker had “hacked iTunes” and ran with it, leading to my first interactions with the press. As a result of this, it was covered in a huge number of publications, most notably Forbes.

One of the magazines in which I was featured was hung proudly in the office of my high school, which I could only laugh at; the same place where I had been told that I couldn’t possibly be a success without going to college.

MP3tunes

After the Forbes publication, I was contacted by Michael Robertson (of MP3.com and Lindows infamy) giving me his full support.

[Sera],

I really admire what you’re doing. I am the founder and former CEO of MP3.com. I’m not anti-DRM, but I am pro-consumer. I recently launched MP3tunes.com, an MP3-only store which also includes a locker so you can sync to many devices. Let me know if there’s anything I can do to help. You might also be interested in MP3beamer. See: http://www.mp3beamer.com

Keep up the good work.

– MR

I told him that I didn’t need much but that a license for IDA Pro would go a long way. Within a day, he and his assistant had taken care of it and bought me a real license for IDA! We continued to chat and he talked about what MP3tunes was doing and where I might be able to fit in.

Just before the end of the school year – one I was failing anyway, due to prolonged absences from the aforementioned accident and then an appendectomy – I flew out to San Diego to meet him and the rest of the MP3tunes staff in person. While I was there, they offered me a substantial contract position, building iTunes integration for MP3tunes, where both stores would be made available from the iTunes client. I jumped at the chance and a few months later, I moved out there to work for them full-time. I never officially dropped out of school, but my mom had to go in and fill out some forms to officially withdraw me from the school.

Apparently while she was there, the principal said something along the lines of how it was a shame I was throwing my life away, to which she replied, “he makes more money than both of us combined.” I don’t know how true any of it is, but I like to imagine him turning red and walking away; I got my revenge.

When I moved out to San Diego to work for them, I brought along a good friend of mine from IRC, who also took a position with them. Shortly thereafter, DVD Jon (whom I had worked with on PyMusique) joined the team.

While MP3tunes remained an indie music store, the focus shifted dramatically around the time I started with them full-time. All of our development efforts went to the “MP3tunes Locker”, where you could upload all your music and then play it from any device. I built plugins for everything from WinAmp to Apple Front Row to TiVo DVRs, allowing you to play your music in any way you wanted. This really was ahead of its time.

Shortly after I moved there, I also met a woman who became my girlfriend, then fiancee. At 17. Chances are pretty good that you can see how bad a decision this was!

Xbox 360 Hacking

While living in San Diego, I had the immense pleasure of being in the absolute epicenter of Xbox 360 hacking. When it released, I was within 10 minutes of Bunnie Huang (of Hacking the Xbox fame), Warren (of PSP hacking fame), and Caustik (of CXBX and CXBE fame). We all became friends and through them I met many other hacking legends. I learned so, so much in a short time; HDL and FPGA magic from Bunnie, all kinds of hacking techniques from Warren and Caustik.

One fun anecdote: when the 360 came out, it was practically impossible to get them in the US, so we had a friend in Germany send us one. When it arrived, we couldn’t get it to work with my TV due to NTSC vs PAL differences. Bunnie popped it open, grabbed an oscilloscope from his car, and looked at the board for a few moments, before attaching the oscope leads in just the right place. He pressed the power and adjusted a few knobs and there was the boot screen! I had never seen anything like it in my life; he just seemed like a wizard.

Alky and Falling Leaf Software

In 2006, I started a project called Alky. Rather than running a Windows binary through a layer like Wine, I sought to directly translate Windows binaries to native Linux and (Intel) Mac binaries, specifically to achieve high performance for games. It began as an open-source project, but I quickly realized the commercial potential of this if it worked out. I started a company, Falling Leaf Software, with a number of MP3tunes and Linspire (previously Lindows) employees and we decided to focus solely on running games at the highest possible speed.

Within a few months, we were able to translate and run games with effectively zero performance hit. We started selling the product via a subscription (the Sapling Program) where we’d release converters for each game we targeted. We also acquired a company which was converting Vista-only apps to run on Windows XP; this became Alky for Applications.

In early 2007, I broke things off with my then-fiancee, quit MP3tunes, and decided to move back to my hometown to focus on Falling Leaf Software. Instead, I ended up doing a lot of drugs and fell into a terrible depression, essentially ending the company’s chances of success. Towards the end, it was just myself and the CEO, then just me, and then it was gone. I wrote a more extensive postmortem here, where I detail just how bad this all went.

iPhone Hacking

I spent a while just wasting time on various projects, then the iPhone was announced. I immediately wanted to hack it. I was completely broke when it came out, but I’d gotten into the “iPhone Dev Team” with the other early hackers, and someone donated money to me to go pick one up, 2 or 3 days after release.

I spent most of the remainder of the year just reverse-engineering it and working towards an unlock, which is a story for another day. But it was exactly what I needed to get back into hacking again and I made some great new friends and contacts.

At the end of it, we had the ability to jailbreak and unlock the original iPhone, which seemed impossible a few months earlier.

Unified Platform Management Corporation

In mid 2008 – when I was 20 – I moved to Georgia to work with the friend who’d served as CEO for Falling Leaf. We began brainstorming a multitude of ideas for what we could do next, eventually settling on something that initially sounded boring: I’d reverse-engineer the Onity hotel lock system and produce a replacement for their front desk unit using off-the-shelf hardware. This would provide a much lower-cost unit – an important factor for small hotels particularly – and increase reliability.

For the next year and a half, this was my primary focus. I reverse-engineered everything from the encryption and data format for cards, to all the wire protocols. At the time, I was probably the most knowledgeable person on the planet when it came to anything Onity.

Our product ended up being used in a couple dozen hotels at its height, but it was never commercially successful in the least. For a number of reasons, the company went bankrupt and the person who was funding us just couldn’t afford to keep going, so we went our separate ways. I moved back to my hometown again, to figure out my next steps. I seriously considered moving to Vegas to become a poker pro – it’d become an obsession of mine for a year or two – but decided that it was just too big a risk to take on a whim, so I set my sights on NYC.

Matasano Security

I had known Thomas Ptacek – one of the founders of Matasano Security – for years via Hacker News and he’d always mentioned that he thought I’d be a good fit there, so I asked him if he was hiring. A few short interviews later, I was moving to NYC to take my first job directly in security. Boy, did I have a lot to know!

I had hacked many web apps over the years, but since I had come up with the techniques independently, I didn’t know any of the terminology used in the industry. What I did know, though, was how to quickly get up to speed and break things. This served me well at Matasano.

There, I was surrounded by some of the absolute best hackers I had ever met, many of which I still consider to be friends to this day. I learned more in the two years I worked there than I think I’ve learned anywhere else in my life; every day was something new.

Eventually, though, I was a bit burnt out on security consulting; I was traveling constantly for work and I just wanted to do something else.

Mozilla and BlackHat

Oh man, what a mistake. Worked there for less than a year, optimizing the graphics stack for their phone OS, Boot2Gecko. It was a seriously bad cultural fit across the board.

One discovery made during the reverse-engineering of the Onity lock system was that the portable programmer – the unit used to assign all the settings for the lock – was able to directly read memory from the lock. I took this and built a simple device that would read the site code from the lock and send it back with the open command, allowing anyone to open a lock in under a second. We licensed the tech to a company producing intrusion devices for law enforcement, which finally let us actually make some money, albeit a tiny sum in comparison to how much we spent. After this, we shut down the company entirely.

Shortly after this, I decided to put a talk into BlackHat about the lock hack and disclose it all publicly. I tweeted about putting my paper in and was contacted by Andy Greenberg of Forbes (now Wired), which ended up with an exclusive story. The BlackHat talk went really well, with my entire second day in Vegas being spent doing interviews with various media outlets.

The full story of the Onity lock hack is out of scope here, but eventually I’d like to cover the entire thing; it’s one hell of a story.

Accuvant/Optiv and Breaker101

At the very beginning of 2013, I began working at Accuvant LABS, which later became Optiv Security. Being back in security consulting was odd, but I was working with a great team and loved the work I was doing.

In mid 2013, while on-site at a client for 6 weeks, I decided that it was time to start something new and created Breaker101. I had initially wanted to build a reverse-engineering course, but realized that the market just wasn’t there for it, so I settled on creating a course that would take people from developer to security consultant. It was a smash success, selling out within hours of announcement.

HackerOne and Hacker101

In 2017, anticipating the birth of my first kid, I decided that it was time to sell Breaker101. I was contacted by Alex Rice, CTO of HackerOne, who was very interested in turning it into a free course. In the course of the negotiations over future content, we started to discuss me coming onboard there as a full-time employee, to grow Hacker101 into a full-on education platform.

I’m happy to say that I’m still at HackerOne, doing exactly that. We’ve released dozens of videos covering everything from basic web security, to cryptography, to native code exploitation. Additionally, I created the Hacker101 CTF where hackers can put their newly-acquired skills to the test in a unique way.

Now

What a journey. I’ve been hacking for anywhere from 17 to 25 years, depending on where you put the start date, and frankly I wouldn’t trade those experiences for anything. I still suffer from depression and anxiety, but I’ve been put into an extremely privileged position in life where I can deal with it and still be happy with what I’m doing at the end of the day. That’s not something many people get to do and I’m immensely grateful for it.

There have been so many amazing people in my life who have helped me get to this point, it’d be impossible to name them all. It’s a genuine surprise and pleasure every day when I wake up and get to help others on their hacking journey. I hope this shines some light on the path that I walked.

Happy Hacking,
