Scottish Daily Mail

THE MILLION DOLLAR HACKER

- by Graham Grant

RELAXING in the sunshine with his former Playboy model wife, Mark Litchfield is contemplating another dip in his pool. The 85F heat at their luxurious lakeside home near Las Vegas is a world away from more autumnal conditions in his home town of Arbroath.

Some of his childhood was spent in Angus, where his father Dave was based as a Royal Marine, then military boarding schools south of the Border, which he ‘hated’. Among the subjects he loathed was computing science – in which he performed so poorly he achieved a ‘U’ [ungraded] at A Level, the worst possible result. Now 47, Litchfield is enjoying a lifestyle that then would have seemed unimaginable, having made more than £1.4million – as a professional computer hacker. But he hasn’t generated that ever-growing fortune by infiltrating major companies to steal valuable data, the kind of cyber-theft that terrifies chief executives and their customers.

Instead he’s an ‘ethical hacker’ – worming his way into websites and apps owned by global firms to demonstrate to them the weaknesses and bugs in their web security, before claiming cash rewards.

The companies’ own in-house teams cannot keep up with the huge volume of defects that could be exploited by criminal hackers if they were left undetected, so depend on a network of freelance experts to find and report them.

Litchfield has recently become Britain’s first ethical hacking millionaire, according to HackerOne, an organisation which acts as a middleman for large businesses, such as Yahoo! and Google, distributing the rewards or ‘bounties’ to bug-finders.

He is candid about his reasons for getting into the business: ‘I’m in it for the money – it’s my time, my skills and I should be fairly paid. I don’t care about making the internet safer.’

He is also keen to stress he’s no Bill Gates, and that anyone can turn their hand to hacking, which he says pays better and provides a steadier income than criminal hacking – and doesn’t carry the risk of a jail term.

The father of three said: ‘You literally need no computing skill or knowledge, anyone can do it. If you have a computer lying around, not doing much, watch a YouTube tutorial on how to find bugs and you will definitely find them – and start earning some cash.

‘I can’t even code [create computer programs] but you don’t need to be able to code to hack.’

HackerOne pays bug bounties to the hackers who, hunched over computers, pore over data looking for ‘vulnerabilities’, helping companies avoid PR calamities when their customers’ data is stolen by unethical hackers, exposing them to fraud.

These firms increasingly rely on a worldwide battalion of well paid helpers to pinpoint flaws that, in the wrong hands, could lead to disaster.

Last year it emerged that HackerOne had awarded more than £19million in bug bounties to its network of researchers – hunting bugs in the US Department of Defence, Dropbox, Starbucks and Twitter.

Facebook received 12,000 submissions from bug-hunters in 2017, paying £730,276, and by last year had paid £5.2million to hackers since it started its programme in 2011.

High-profile hacks involving credit rating firm Equifax, which suffered a huge data breach that exposed 400,000 Britons’ personal details and millions more around the world, mean bug bounties amount to little more than small change for big businesses – not so much an expense as an investment.

Litchfield is self-taught. He didn’t have a computer growing up and finds games boring – while playing them he can’t stop thinking about how much money he could be making by bug-hunting.

After leaving school he had a ‘nightmare time’ – a ‘job here and a job there’ – but knew he wanted to be his own boss, so won a grant to set up a computer shop.

He said: ‘I found I was losing money. People didn’t know how to use their computers. It was always “user errors”, and I realised the real money was on the technical side.’

He sold up and bought a manual on Microsoft servers, reading and rereading it for two weeks, and later secured a ‘system administrator’ job with Cable and Wireless in London.

It was similarly uninspiring work – resetting passwords and other pedestrian tasks – so with his brother David, 45, who now works for Apple, he set up a company which tested software for bugs.

This was later bought up by a bigger company, in the year 2000, and the brothers set up another firm, which was also later acquired by a competitor. Litchfield then moved to the US and discovered a possible future lay ahead as a freelance bug-hunter, after finding a flaw on the Yahoo! site in 2014, allowing him access to passwords.

All ethical hackers operate in a legal grey area, and in the early days some risked falling foul of the law simply by telling companies about their hacking bids – but Litchfield saw an opportunity for profit.

He said: ‘I submitted information about the bug and waited six to eight weeks but didn’t hear back, then I got an email from HackerOne telling me I’d get a bug bounty of £2,230.

‘I had just wanted to test the water but I realised that I could make a living by finding bugs. You don’t have the same support as you would get by being part of a company, and it can be solitary, but the rewards can be great.

‘I kept bug-hunting and found it was relatively easy to make money.’

Litchfield moved to Nevada in 2012 and now lives with former Playboy model CarleyLynn, 32, in a 6,200 square-foot home next to Lake Las Vegas, not far from the city.

He says the couple enjoyed several ‘awesome’ parties at the late Hugh Hefner’s Playboy Mansion in Los Angeles. Now Litchfield works for Verizon Media and is in charge of the organisation’s bug bounty initiative, but continues to work as an ethical hacker.

He failed his A Level in computing, but makes a fortune hunting bugs on the internet. How did an Arbroath schoolboy become one of the world’s richest ‘ethical hackers’ – with a glitzy Las Vegas lifestyle to match?

He isn’t a keen gambler but has made money from gaming giants in other ways: one job saw him help a casino chain detect bugs in its online operation.

Most of us are probably more familiar with less than ethical hacking, picturing either criminals trying to steal sensitive information or computer geeks at work in their bedrooms.

The 1983 movie WarGames featured a high school student, played by Matthew Broderick, hacking into his school’s IT system to change his grades before hacking a military supercomputer, almost triggering nuclear war.

In real life, Gary McKinnon, originally from Glasgow, was arrested by British police in 2002 after the US Justice Department accused him of hacking into Nasa and military computers. He then faced a decade-long legal fight against being sent for trial in America. Seven years ago, after successive Labour home secretaries ruled he could be extradited, Theresa May blocked the US authorities’ bid to prosecute McKinnon there.

Police Scotland has warned of the rise of ‘ransomware’ attacks, where malicious software takes over computing systems, blocking access to data or threatening to publish it unless a ransom is paid.

In 2017, desperate NHS staff across the UK pleaded with patients to stay away from A&E after a ransomware attack, while ambulances were diverted away from hospitals struggling to cope with the crisis. The virus attack originated in North Korea and led to almost 7,000 appointments being cancelled across the UK.

A small piece of malicious code infected a computer that had not installed software updates, then sought out other computers.

In 2016, a computer virus stopped public access to details of births, deaths, marriages and Census archives at the National Records of Scotland.

Bug-hunting has only become widespread over the past three years, but back in 1983 Volkswagen offered a reward to hackers who were able to breach the operating systems of the company’s Beetles. Modern-day ethical hackers all have one trait in common – ‘endless curiosity’, according to Mårten Mickos, chief executive of HackerOne. He said: ‘We don’t find them. They find us. They read, they study vulnerabilities and then they report them.’

Big firms have their own bug-finders but, according to Mickos, ‘even if you have a really smart person in-house, it’s difficult [for them] to find their own typos’.

In one case in the US, ethical hacker Sean Melia was scanning the Starbucks app and ordering a coffee when he realised that by changing his order number on the checkout screen he could modify other people’s orders.

This would allow him to send coffees to other people’s houses – or have their orders sent to his house – at no cost. Melia reported the bug for a reward of several thousand dollars.

‘I’d rather have a £3,000 to £5,000 bounty than a chance of stealing a free coffee,’ he said.

In 2013 an unusual post appeared on the Facebook page of the social network site’s billionaire founder from a user called Khalil Shreateh. ‘Dear Mark Zuckerberg,’ Shreateh wrote, ‘Sorry for breaking your privacy, I had no other choice to make after all the reports I sent to Facebook.’

Shreateh, a security researcher from Palestine, had discovered a bug in Facebook’s software that allowed anyone to post directly on to any user’s wall. After he was ignored by the company’s security team, he took the direct approach to demonstrating the bug – hacking Zuckerberg’s own page.

One of the youngest ethical hackers in the world is Ibram Masouk, who bought his parents a house aged just 15 with money made finding bugs.

The teenager, who was born in Lebanon but moved with his family to the US, made a small fortune discovering security vulnerabilities in Yahoo! and

Big bounty hunter: Mark Litchfield, inset, and, right, with his ex-Playboy model wife CarleyLynn
