For many people, “hacker” is a pejorative: A shadowy, ill-defined threat or modern scourge that can, without rhyme or reason, wreak havoc on your world. There’s no doubt a kernel of truth to that characterization. But like most boogeymen, the myth sometimes overshadows the reality. Hackers are often nice, slightly rebellious kids like Somerset High School graduate Raynaldo Rivera.
On Thursday, the 21-year old San Antonio native will enter La Tuna Federal Correction Institute in Anthony, TX to begin a one-year and one day sentence for breaching Sony Pictures Entertainment in May 2011 as a member of Anonymous offshoot, LulzSec.
When he gets out, Rivera will face 13 months of home detention, 1,000 hours of community service and restitution of $605,663, all for taking part in what amounts to an anarchic joyride through cyberspace. On this one, LulzSec didn’t even dent the fender. (No credit cards were used, no physical damage done.)
“I wouldn’t use the term ‘joyride,’” Rivera clarifies from his parents’ home where he’s spending his last few weeks of freedom. “I mean, I went in for the knowledge and in the middle of it you get, ‘Oh shit, what am I doing?’”
Rivera continues, “Once I was in the middle of it, sure, I’d be lying if I said I wasn’t like, ‘This is exciting.’ … As a kid with computers you’re like ‘it’d be really cool to be a super-cool hacker.’ Then you’re like, ‘Oh fuck, this was a terrible idea.’ But there’s a point where you’re past the point of no return.”
The inquisitive sort, as a kid Rivera would take apart home appliances and put them back together. His mother, Norma Irene Rodriguez, remembers coming home and finding the answering machine in pieces on the floor. By the time he was nine he had his first computer, and by age 10, he’d taught himself to type. He loved computer games, so he taught himself to program.
“I was like ‘OK, how hard could that be?’ So I learned C++, my first language, when I was 12,” Rivera recalls. “Eventually, however, I became more of a fan of writing middleware—code that adds a major feature to games—and I made an audio engine named CAudio. At the time, it was one of the only fully open-source audio engines that allows for full 3D audio. It’s been used in a wide range of games.”
This was around the same time Rivera’s family left San Antonio for Somerset. He has a sister three years older than him and her teenage antics prompted their move. Living in the city was too just too crazy on the family, so they ventured to Somerset, miles out of town, out past paved roads.
“These kids are like night and day,” says Rodriguez. “My daughter is very sociable. She’s a social butterfly. Guys, girls everything, all the time. I’m like ‘I’m tired, take me out of here.’ So we went to the country and everything kind of settled there [for us] and for my son. It was the best thing I could do.”
Rivera became a mariachi and learned the violin. Someone suggested he couldn’t play basketball so he made the team to prove them wrong, and then quit. Mostly, he spent his time learning about computers. That’s what led Somerset High math teacher Beatrice Villarreal to seek him out for the school’s computer team in the University Interscholastic League (UIL).
Somerset hadn’t fielded a team before because it didn’t offer any computer classes. Indeed, the computer the school provided them would later prove wildly unreliable, failing twice in competitions, and forcing Rivera’s team to jury-rig alternatives.
When Villarreal recruited Rivera, he brought his friends along as teammates. He taught them what he knew. One of his teammates beginning his sophomore year, Jay Fisher, would in some ways surpass Rivera. Fisher’s now in the aerospace program at University of Texas studying, quite literally, to become a rocket scientist.
Over time Villarreal struck up a friendship with Rivera. Despite sponsoring the team, she’s not super computer-savvy, and he helped her recover from computer issues on at least a couple occasions. She found they shared an appreciation for ’80s music, a sardonic sense of humor and a certain amount of impatience with senseless authority.
“He had no tolerance for bullshit,” she says. Rivera and his teammates didn’t understand why she didn’t fight back against bureaucratic indignities. “Sometimes I have to bit my lip, smile and wave,” she told them. “They weren’t at that point yet.”
The competitions involve individual test-taking computers and various programming languages as well as competing in teams to solve problems and/or create programs. From the beginning, Rivera’s team approached the meets with a certain strut. They’d play “entrance” music on the laptop when they entered the room. They were young, brash and cocky—and they backed it up. They went to regionals their very first year, earning themselves a school letter. By Rivera’s senior year they placed second at state.
“These skinny little kids started showing up at meets and all of a sudden they’re beating these schools that had three- and four-year programs,” Villarreal says. “There was no discipline, no formal anything, but they would win. These kids were drinking Red Bull and cracking jokes, but winning, and it annoyed the other coaches who had their teams lined up like little Stepford children.”
The Somerset team would arrive at their Saturday meets arrayed in suits. This was a quirk they picked up that second year from Rivera. By high school, Rivera was an adherent of How I Met Your Mother character Barney Stinson’s easily summarized sartorial philosophy: Suit up! At all times.
“You’d never see this kid in t-shirts or shorts or anything. He had to dress to the nines always,” says his mother. “He bought at letterman jacket, but he never wore it. He didn’t want to mess up the suit.”
Unlike many schools across America, at Somerset High this was not akin to pasting a sign on one’s back that says “Swirlie Me.” Perhaps it’s the small enrollment—Rivera’s graduating class numbered 113—but it lacked your typical high-school-coming-of-age-movie power structure. He had an attractive girlfriend and was relatively popular.
“Our school basically had two sides to it: the hardcore athletic and the academics. For such a small school, it was really broken down. So the academic guys who competed in academic contests were right up there with the athletes,” Rivera reports. “There was never any of that old, generic athletes-and-jocks-pick-on-the-geeks thing.”
Even so, Rivera wishes he were better at something else. He sort of fell into computers and before he knew it, that’s who he was.
“Personally I dislike the fact that I’m good with computers. It might sound weird, but I wish I was better at something else. But computers was what stuck,” he says.
Takes One to Know One
As Rivera learned more about computers, he became more interested in network security. He came across a book at Borders called Elite Hackers Handbook, a joke book with advice on how to pick your handle and other comical bits. It listed a website on the back, and through talking to people on that site—mostly programmers—he found his way to another site where he met Kyle Browning.
Browning runs a site called RootHack.org which makes a game of breaking into competing teams’ systems. It’s a great way to learn the ins and outs of network security in a safe, legal manner. It’s especially appropriate for computer nerds who gain much of their knowledge not by studying, but by doing.
“The company I currently work for, we consider every one of ourselves to be, you know, hackers. We just figure it out and work through the problem. To me personally that’s what that term has always meant,” says Browning from San Francisco, where he works for a company called Work Habit.
“It’s coming down a little bit, but [‘hacker’] still has that malicious connotation to it, which is a shame.”
As corporate computer networks proliferated in the ’80s and ’90s, efforts to protect them became increasingly important. That’s when the idea of white hats and black hats evolved. The white hats represent, as you might imagine, security professionals who design systems. The black hats are those who would break in.
The saying Rivera always heard as he was being introduced to this world was that every white hat started out as a black hat. And it’s true. Companies like Microsoft and Facebook have hired people who report vulnerabilities created by poorly written code or mis-managed or -aligned systems. Some companies have bounty programs which will pay anyone who reports a weakness. The idea is that it takes a thief to truly understand a thief.
“The best security people understand attacks, understand intrusions, and the best way to understand something is to practice it,” says Veracode CTO Chris Wysopal, a security expert who was a member of the hacker “think tank” the L0pht in the ’90s. “Modern security started in the mid-to-late ’90s around this notion.... The majority are sort of self-taught, outside-of-the-mainstream people and to some degree that’s a big advantage because you’re thinking differently about the systems than the people that built them.”
Browning ran with the gray hat World of Hell hacker collective in the early ’00s. Gray hats are somewhere between white and black, and are reminiscent of Anonymous in temperament. They would exploit poor security and deface the website with humorous notes. In a certain sense they were doing the companies a favor by pointing out security flaws.
True black hats don’t announce themselves. They’re more like Albert Gonzalez and the ShadowCrew. The group—which included hackers from the Ukraine, Estonia and China—was busted four years ago for the theft of 130 million credit card numbers stolen from several payment processors, ATM machines and retailers such as Target, TJ Maxx and J.C. Penny. (Gonzalez got 20 years while his main co-defendants got two, four, five and seven years.)
Rivera and some friends joined Browning’s network intrusion games—which initially were just several computers linked on a network. Over time, with help from engineers at Novell (a multinational software and services corporation), it evolved into something much more sophisticated.
“A whole level-based gaming system that taught the ins and outs from the beginning of hacking. Everything from standard UNIX tricks and tips all the way up to buffer overflow exploits, canary exploits and the hardcore stuff that happens on service-level applications,” Browning says.
Rivera’s team finished second their first time out and they continued to stay in touch, chatting about their mutual interest in 3D programming. “He did some things for me,” Browning says. “I always enjoyed hearing from him.”
For Rivera, it whet a thirst that only college would satisfy, though probably not how he thought.
Birth of Neuron
For most people, where they go to college makes a lot of difference. But for someone like Rivera, who did most of his learning on his own, it was more of an afterthought. That’s how he wound up at University of Advancing Technology in Tempe, Ariz.
“I didn’t really have an idea of where I wanted to go to college, and I didn’t really bother too much. School is not a huge thing for me at all. Coming out of network security, your schooling is kind of ‘OK, whatever, what have you done?’” Rivera says. “So I sent out my applications and UAT was the first one that came back. I got some other ones, but UAT came first and I thought, ‘Eh, that sounds like a good place.’ They had computer science and artificial life. ‘Eh, I’ll do that.’”
Rivera received UAT’s Ray Kurzweil Scholarship, which offset 30 percent of the college’s $10,000 per semester cost. He didn’t know anybody at the school, but he soon bonded with network security major Cody Kretsinger. They met hanging out in a larger group, started talking network security and then slipped away to try breaking into a couple “demo boxes” (i.e. free/legal targets) online. Kretsinger was four years older than the 19-year-old and knew much more about security. This intrigued Rivera.
They started palling around and hanging out every day. They ate together, took classes together and really grew to trust each other. In April 2011, Kretsinger approached Rivera about joining this group of hackers he was involved in, which would turn out to be freewheeling anarchic Anonymous spinoff, LulzSec.
“He said, ‘Hey man, there are groups forming, a bunch of close people I’ve known for a long time. You’ll learn a lot and I’d really like your help with this,’” says Rivera, who initially rebuffed him. “Then he was like, ‘You always ask about learning the next thing—how to get to that point where you know it—and this will do it.’”
Rivera ultimately assented and wound up speaking to the group’s leader, Sabu, aka Hector Xavier Monsegur. Anonymous is a loose, leaderless umbrella with numerous factions. As Anonymous as a whole became more interested in activism, some of the hackers and miscreants who liked the group’s former smart-ass irreverence and lighthearted, trouble-making ways began complaining. They missed their old maverick, wildcard style and beginning in April of 2011 developed their own section of Anonymous dedicated to no greater cause than their own amusement, or, in their parlance: “lulz.”
After some extensive vetting and vouching, Rivera was finally invited to the inner sanctum of their private chatroom where he talked freely with some very talented hackers. It was a heady couple weeks, before they told him it was time for him to get his hands dirty.
“Eventually when you’re idle a long time, the head honcho is like ‘you have to do something or you have to get out.’ And that’s where my involvement in Sony happened,” says Rivera, who went by the handle Neuron. “I knew what was gong to happen and, looking back, I should’ve said no … but [my] young, stupid self was more than happy to oblige.”
He continues, “I mean, I agree with a majority of Anonymous’ and LulzSec’s ideas—but at the core I was there for the knowledge. I didn’t have it, and they were considered the best at the time … They were doing a lot of crazy stuff, so I said ‘that sounds like a place to learn.’ And I did learn. Just talking to them I learned way more than I could’ve [in school].”
When the Whip Comes Down
Over the Memorial Day weekend in 2011, Kretsinger and Rivera compromised the Sony Pictures’ computers using a SQL Injection technique. This is a fairly common hacker trick that involves using security inadequacies to inject the hacker’s own code into that system. (The attack is notably distinct from the still unexplained—at least publicly—incident which brought down Sony’s Playstation Network.)
They made off with passwords and personal details of over a million users, then crowed on Twitter about how Sony shamefully failed to encrypt users’ passwords, and asked “Why do you put such faith in a company that allows itself to become open to these simple attacks?”
Though they took precautions, law enforcement ultimately subpoenaed information from UK site HideMyAss.com, a virtual private network which provides proxy servers to disguise the user’s source IP address. When the company turned over their records to the FBI, Kretsinger was a goner.
“I was there the night that Cody got raided and I talked to him after. He was freaking out. I remember thinking ‘that’s the end. They’re going to go through him to get to me,’” Rivera says of Kretsinger’s September 11 arrest. “I didn’t think they were going to actually get him to help, but he did.”
It would be almost another year before the cops finally picked up Rivera. The whole experience suggests the scenes in the last half of Goodfellas when Ray Liotta gets all twitchy as the FBI dragnet begins to close. It may be a slow-moving train, but the advancing whistle’s never far from one’s ears.
“It’s miserable. It is the worst. To say you’re constantly looking over your shoulder is an understatement. Driving home, every new car freaks you out or anybody you don’t recognize,” says Rivera. “Nobody should have to live like that. At about the seven-month mark you start to feel comfortable.
‘Maybe this isn’t going to happen.’ You start to try to ease back into normal life. And then they hit you.”
Rivera was finally arrested in August of last year. He called his mom and his bosses Rick Harding and Darren Cummings at Cummings Engineering; they told him that whatever he did, he should own up to it, they’d stand behind him. That was his plan when he reported for questioning the next day, but it was clear pretty quickly from the evidence they showed him that his friend had given him up. That disheartened him as much as anything else.
“That’s a little upsetting. That people are willing to take each other down for the sake of maybe half a year or a year less time,” says Rivera, who wound up with the very same sentence as Kretsinger.
Time to Think
When Rivera was arrested, UAT revoked his scholarship and kicked him out of school. But Harding and Cummings kept their word. They hired him on and promised him he’d have a job with them when he got out. To Harding, Rivera just fell prey to an industry lacking appropriate training platforms for its future employees.
“The reason white hats end up starting as black hats is because the world currently is not set up to provide training for hackers who want to develop their craft in a space that is safe and legal. So what ends up happening is that, typically, young kids get seduced to the dark side because they have no place else to go,” says Harding, who spent 10 years working on U.S. black programs before going into commercial enterprise two decades ago.
“The government knows that the best guys to get to fight cyber security are the guys who were on the dark side for a while and [they] grab those guys,” he says. “They’ll not grab someone that is just a white hat because he doesn’t know enough.”
Rivera’s a very good programmer and was one of the best at UAT. That’s why Cummings brought him on as an intern. But Harding says it was who Rivera is as a person that led them to hire him on full-time as a software security engineer.
“What really caused us to invest was one, his honesty and second, his humility. He said, ‘I screwed up, and I’ll do whatever I have to do to make this right.’ He wasn’t trying to hide anything,” Harding says. “I can only reflect on when I was 18 and some of the decisions I made that by the grace of God I didn’t get thrown in to prison for some of it.”
Rivera owns his punishment and accepts that he “was an idiot.” But he chafes a little at the $605,663 in restitution he’ll have to pay, as he presumably tithes the Federal government for the rest of his life. Rivera must give 10 percent of his yearly gross income to recompense Sony Pictures. But for what really? No credit cards were used, and none of their computer equipment was damaged. This is an ongoing travesty in the way the Computer Fraud and Abuse Act is written.
“Largely to appease a lot of people [who] look after their stock price, Sony got two top-of-the-line cyber security firms to do a top-to-bottom on their network to the tune of $605,000,” explains Rivera’s lawyer Jay Leiderman. “Most of these are resolved via pleas and sometimes the damages are negotiable. In Rivera’s case it was ‘we’re not doing anything on damages.’ You can argue that they’re not legit, but the way the law is written, the government is going to impose those damages, which is kind of crazy.”
In a sense, Rivera’s lucky. In 2010 gray hat hacker Andrew Auernheimer exposed 114,000 iPad users’ email addresses to highlight a security flaw in AT&T’s system and received 41 months, though he’ll only pay $73,000 in restitution to AT&T. Internet prodigy Aaron Swartz faced 50 years for downloading scholarly journals before killing himself in what many see as an act of protest.
Right now, Dallas journalist (and once the unofficial spokesperson for Anonymous) Barrett Brown faces 105 years, mostly due to the First Amendment-challenging contention that linking to a public site with hacked information containing, among other things, stolen credit cards was the same as stealing those cards. Each, including Rivera, has been made an example in a cyber crime crackdown that’s featuring increasingly draconian punishments for comparatively innocuous crimes, and very little of the proactive “white hat” training that people like Harding advocate.
Rivera has a couple books for his reading list, and has gotten some advice from the side of his family with some knowledge of “life on the inside.” They offer the expected timeworn apothegms along the lines of: keep your head down and nose clean, but don’t be a pushover. Regret’s a daily challenge for him.
“There are days I’m like ‘oh my God, I’ve destroyed my life,’ but then there’s nothing I can do about it. If it’s nothing that I can change, then I just don’t worry about it. What’s going to happen is going to happen, but I’m trying not to let it ruin right now,” he says. “Knowing at least coming out I’m going to have a job and that way I can start paying everything off and try to get everything back restarted, that’s something at least.”
Rivera’s also hoping to do some outreach when he returns from prison. He wants to reach out to kids like himself, though he’s under no illusions about how he might be received.
“I understand people’s ideals and what they believe in. I’m not going to tell them ‘don’t do it,’” he says. “I understand that if you’re going to do it, you’re going to do it. Just understand this is what happens after. Everybody gets caught eventually.”
Though Anonymous can at times seem like a bratty, petulant bunch, they also possess that idealistic, rebellious streak a nation needs to stay vital. On Tuesday, November 5, when they celebrate Guy Fawkes day with a Million Mask March on Washington, they’ll be doing it in a small way on behalf of people like Rivera, who poked his nose somewhere where he shouldn’t have in an effort to get smarter. For that he got his nose smacked, perhaps harder than it needed, and certainly misplaced relative to the real threats. Nevertheless, the 18-year-old who fell in with the wrong crowd looking for a little knowledge discovered he wasn’t so smart as he thought. A valuable and humbling lesson, however one receives it.