Back in 1968, the Rolling Stones came out with a song titled, “Sympathy for the Devil.” The lyrics try to offer sympathy for a demon. So, the following story of a kid hacker tries to offer some sympathy for a criminal hacker. As one of Britain’s most notorious cyber criminals, Daniel Kelley played a leading role in the 2015 TalkTalk data breach. The hack was catastrophic for the telecoms firm, resulting in a financial loss of £77 million (€90.7 million) and the stolen data of over 150,000 customers. Kelley would go on to spend four years in prison for hacking TalkTalk, his Welsh college, and several other organizations. But since being released from jail, he wants to use the self-taught IT skills that helped him launch devastating cyber-attacks to build a genuine cybersecurity career.[1]
"I want to get into the industry to make a living, and to be able to live my life doing something that I enjoy on a daily basis that's a passion," he told Euronews Next. "It always has been, and always will be, whether I'm actually in the industry or not." Now a free man, Kelley has been job hunting, sharing his cybersecurity knowledge with a growing audience of social media followers, and working with companies and organizations to improve their cybersecurity posture.
Many of his LinkedIn posts get hundreds of likes, and consequently, Kelley has been inundated with job offers from organizations keen to leverage his industry knowledge. But due to being subject to a Serious Crime Prevention Order (SCPO), Kelley is now limited in what industry activities and opportunities he can pursue. SCPOs are UK court-mandated for a variety of crimes, including drug trafficking, people trafficking, slavery, fraud, and organized crime amongst others and are usually issued if there are "reasonable grounds to believe that an order would protect the public by preventing, restricting or disrupting involvement by the person in serious crime in England and Wales," according to the UK’s Crown Prosecution Service. In other words, the order anticipates there is a "real risk" the person will re-commit offences "from which the public [would] require protection".
Plenty of cybersecurity job offers - Kelley describes the SCPO as a "prison in a different form," explaining he cannot "accomplish even the most basic and mundane tasks." "Many employers approach me with the notion that I could join their red team or give guidance on their web-application security because of my technical background and success in the bug bounty space. Unfortunately, this is not possible because of the restrictions on me," he said. "The first piece of evidence against me originated when I was around 12 or 13 years old; I am now 25 years old, and this order will not be lifted until I am 29 years old. So, in essence, you could say that my sentence was more than a decade. “I'm constantly paranoid because I have to make sure I don't accidentally break one of the conditions."
The order, he says, not only hinders the former black hat’s chances of landing his dream cybersecurity job but affects other parts of his daily life. He recalls walking into an electrical retailer after leaving prison and struggling to purchase a phone contract. At the store, an employee asked Kelley to provide a digital signature on a tablet PC. However, he had to ask for a pen and paper as using a device would have breached his post-prison restrictions. "Touching that device could have resulted in a 5-year prison sentence, which is longer than my initial sentence actually was. I had to wait for them to print out what they wanted me to sign, and it was completed in that fashion," Kelley said.
Hefty prison sentence for ordering a burger - These restrictions mean Kelley must disclose the Media Access Control (MAC) address and model information of his devices to the police. He also needs an authorized third party to install operating systems on a device. And technically, Kelley even risks a hefty prison sentence if he tries to enter a McDonald’s drive-thru and buy a burger because he would have to use a radio to make the order. "All devices, including 2-way radios, must be registered with an agency called LOMU according to a provision of my SCPO," Kelley said. "Obviously, you use a radio to communicate with someone when you want to place an order. I could be sent back to prison for using one of these, unless I ask the store staff for the MAC address, make, and model then register it with the police. It sounds a bit ridiculous but this is actually what it would mean." It's just one of many everyday things that have become inaccessible to Kelley. "There are a lot of grey areas that essentially ruin my way of life," he added.
"You have to be in the situation to understand it because it's difficult to comprehend otherwise. I am aware that I have no cause for complaint, but nothing about this order makes sense, especially given the fact that I have a track record of not breaking the law for more than seven years. The first piece of evidence against me originated when I was around 12 or 13 years old; I am now 25 years old, and this order will not be lifted until I am 29 years old. So, in essence, you could say that my sentence was more than a decade."
Future in limbo - Until these restrictions are lifted in four years' time, Kelley’s future as a cybersecurity professional is in limbo. He has considered taking part in a formal cybersecurity course, but he would still face the challenge of accepting a job offer after graduating. "Many people make various suggestions to me, such as formal education, but the issue isn't my technical background, or getting jobs; it's what I can and cannot do," he told Euronews Next. The UK’s prison was ill-equipped to deal with computer hackers and cybercriminals. Because of the nature of my convictions, and the presence of computers in the educational department, I was not permitted by security to attend classes. "The issue is staying current and useful for another four years. You can only read so much; at some point, you must be doing things in a practical context to ensure that your ability remains sharp, or you will become useless. Cybersecurity is a constantly evolving industry that requires you to be proactive in your learning."
In prison, Kelley had massive ambitions for what his life would look like when he was eventually released. He wanted to create a business that would help organizations better understand cyber risks and how to tackle them. "In essence, it was going to be an external attack surface management platform that would secure large organizations and businesses," he explained. "I was basically taking the methodology I used as a hacker and applying it in a structured format."
But Kelley admits that he was "extremely naive about the obstruction of the conditions," and he soon realized that his business idea would never go ahead as a result of the SCPO.
Kelly spent most of his time behind bars reading books - and away from computers. As a result, his cybersecurity skills waned. "Prison was ill-equipped to deal with computer hackers and cybercriminals. Because of the nature of my convictions, and the presence of computers in the educational department, I was not permitted by security to attend classes. Alternatively, I had the option of doing in-cell work, which was only useful to pass time," he said. "Prison is ideal for helping people that enter the system illiterate, so if you can't read or write, for example, you'll come out with some useful skills if you put your mind to it, but for people that aren't at that level, prison won't be useful at all in that context for them."
Looking back on his hacking convictions, Kelley has no regrets about launching cyber-attacks on targets like TalkTalk as they taught him invaluable IT skills that he can leverage in a cybersecurity role. He is, however, remorseful of the impact his crimes had on other people. "I regret the blackmail, the fraud, and everything where there were direct victims," he concluded.
Only time will tell if he’s able or allowed to use these skills to land a legitimate cybersecurity role and prevent others from doing what he did.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.euronews.com/next/2022/08/21/i-went-to-prison-for-the-77m-talktalk-hacking-i-could-be-sent-back-for-ordering-a-mcdonald
Comments