07 Feb Bringing Out The Best In Hackers
Joe “Kingpin” Grand’s Self-Discovery
Melbourne, Australia – Feb. 7, 2022
Joe Grand believes there are far more well-intentioned hackers out there than criminals — which has made him more than a little philosophical contemplating how he ended up going down the road that led to his first arrest at the age of 13.
That road — which led the hacker also known as “Kingpin” to a few brushes with the law as he learned to find and exploit security flaws in hardware devices — began in his very early years, when a seven-year-old Grand spent hours online, collecting video games with his 300-baud modem and connecting to bulletin board systems (BBSes) in his native Boston.
His siblings had grown bored of the family computer, but Grand was addicted — with his natural curiosity feeding what he now describes as a “curious, naïve exploration and wanting to just collect games and information, and have things that other people didn’t have.”
A memorable outfit for a fifth-grade costume party — which included sweatpants, sweatshirt and floppy disk as paid homage to what it meant to be a hacker — garnered a big “meh” from classmates but confirmed that Grand had found his calling.
“I was falling in love with technology,” he told Cybercrime Magazine, “and having powers that nobody else at school had — but it was a hard time because everything I was doing just wasn’t accepted.”
Cybercrime Radio: Hardware Hacker
Former L0pht member Joe Grand, aka “Kingpin”
Grand’s circle of influence grew as his reach and capabilities expanded, learning to manipulate phone systems and piggyback on corporate calling cards that allowed him to call BBSes nationwide while someone else picked up the tab.
As his hardware-engineering skills grew, a high school-aged Grand segued into building and selling “red boxes” — highly illegal, but common fare within the hacking underground — that could trick pay phones into thinking money had been inserted.
“Even then, I knew that I was going to be an engineer and design electronics,” he said. “None of it seemed out of the ordinary, even though I kind of knew it was, and I never questioned the legality of it.”
“I just wasn’t thinking about the consequences and thinking about what could go wrong.”
The road less taken
Had he done a little more thinking, Grand now admits, he might have realized that it was likely somebody would notice the spiraling cost of his — and his nationwide network of likeminded friends’ — almost continuous use of corporate calling cards.
Even as he would sneak out at night to physically connect to a telephone network junction box, start a teleconference and transfer control of the call to a friend, Grand never stopped to think that some poor company was being billed around $5 per minute for his group’s hours-long chat and gaming sessions.
In an underground scene where possession of insider information provided street cred, long hours spent documenting and distributing telephone-network techniques and control codes were considered heroic.
It was only when they decided to get together in real life — a gathering of friends in Michigan that was organized beforehand with full parental consent and assistance — that their past caught up to them.
“We just made stupid teenage decisions and thought it would be fun to break into the phone company,” Grand recalled, recounting a shoplifting spree that included bolt cutters, a police scanner, and more than a few broken truck windows.
“We had a great time and then ran off.”
A neighbor, however, had called the police — who promptly arrested the group of six hackers, charged the five adults, and eventually dropped charges against a then-underage Grand.
“That point shifted my mindset,” he recalled. “I still loved hacking, and I loved exploring, but I had to smarten up a little bit [because] I didn’t want to end up in jail. I didn’t want to end up like that.”
The following years were a flurry of self-discovery, including redirecting some of his energy into running — he eventually ran track and field at college and has maintained running as a lifetime outlet — but it was his eventual association with a group of hobbyist hackers, whom he met at local conferences, that changed him for good.
Many of those hackers, who had jobs in IT and networking and were sharing their mutual love of hacking in the productive sense, redirected him from “kind of malicious to more of a hacker trying to inspire people and help make things better.”
“That redirected the entire path of my life,” he continued. “Just seeing how they behaved and carried themselves was hugely influential for me.”
The years after saw the formation of L0pht Heavy Industries, a Boston-area hacker collective that was active through the 1990s and focused on responsible disclosure — a relatively new approach to cybersecurity that led to the group’s being called as expert witnesses to testify in front of a 1998 Congressional inquiry.
Decades later, their testimony is still being noted as an unheeded warning whose import has become even more significant in recent years, given the rapidly expanding Internet of Things attack surface and the security threat posed by massive interconnectedness.
“We went in and said ‘we’re seven young adults in a warehouse hacking on stuff, and look what we can do as just seven of us organized,’” Grand recalled. “And we said ‘now what could a state-sponsored actor do? What could an organized crime group do if they are focused?’”
“A lot of what we said back then is still completely true to this day — and really not a lot has changed from our testimony, except that it kind of legitimized being a hacker as a career. I just didn’t realize how huge that was, having hackers testifying in front of the government.”
Subsequent years saw a transformation in the way that hackers were perceived, with many starting consulting firms to support businesses and governments trying to maintain security in the face of the overwhelming digitization of the world as the Internet grew at a dizzying pace.
Grand was among them — and over a series of career pivots, built up a broader skill set in mechanical and industrial engineering, prototyping, and product design — which provided “handy” skills that dovetailed into a career helping companies design secure electronic products, often using portable hardware hacking labs that he sets up at industry conferences and events to provide hands-on demonstrations.
“I’ve magically, somehow, been able to make a career out of teaching people what I love to do, and to feel good about it,” he said. “It doesn’t feel like a job. It feels like what I was meant to do is share this information — kind of what I learned at the L0pht, but now to do it on a larger scale.”
“With hardware hacking, I use my engineering skills and my hacking skills; I get to keep my passion, and do what I want to do.”
Grand’s career is a lesson on bringing out the best in hackers.
– David Braue is an award-winning technology writer based in Melbourne, Australia.
Go here to read all of David’s Cybercrime Magazine articles.