With this type of work, the real effort only begins once you have broken into a system. The hard part, which requires a good understanding of your client's needs, comes with the ransom. If you get that part wrong, you are likely to not only have the authorities chasing you, but also wave goodbye to a payday. Get it right, however, and it can be extremely profitable.
In the HBO case, the crims asked for between $6m and $7.5m to return all the documents and files they had grabbed – something they said represented their expected annual income divided into two (because of the six-month project length).
Obviously any studio is likely to baulk at such a high price point, so the team pointed out that HBO spent $12m on market research and $5m on adverts for its signature show – Game of Thrones – alone. "Consider us another budget for your advertisements!" was the pitch.
Of course, as we now know, things didn't work out in this case and HBO refused to hand over the demanded sum – it did, apparently, offer just $250,000 – resulting in the hackers leaking online 3.4GB of stuff including confidential documents, administrator passwords, internal computer network topologies, some Game of Thrones scripts, some episodes of Room 104 and Ballers, TV stars' email addresses and cellphone numbers, and emails from a top executive.
Having tried and failed to pull off a similar big deal with Sony Pictures, the instigators in this case attempted to introduce a tiered business model by releasing only some of the data they had and going back to the client to ask for a smaller sum to prevent the release of more information.
This is an untested business model and doesn't seem to have worked in this case. But it does show the importance of remaining flexible in your billing practices if you wish to succeed in the high-end hacking market.
To our mind, the error in this case was the failure to offer flexibility at the start of contract negotiations. The initial pitch email was titled: "Our demand is clear and Non-Negotiable." It's not clear that such a rigid first approach is the right way to go when you are asking for such a significant investment.
And then, of course, the price may simply have been too high. While in this case, as with Sony, the HBO breakdown in negotiations could serve as a useful case study for future clients, it's always best to get paid whenever you can. The spec game can be a tough one.
Which leads us to standard practices.
Obviously, using pseudonyms is a must. Changing them frequently is also an excellent idea, even though it may entail additional work on your part. Keeping them separate from each other and your real identity is vital.
One critical and often overlooked aspect of business is the bookkeeping. It may be boring, but it is essential to the healthy running of your organization.
There are two schools of thought here: keep everything but lock it away carefully; or get rid of anything that isn't immediately necessary. Keeping good records can help you out of a jam and allow you to analyze your business' progress, but of course it can prove troublesome if discovered by the authorities.
Michael Kadar, for example, allegedly kept all his logs and his activities on a thumb drive that was discovered by Israeli police when they raided his house. That may undermine any chance he had of arguing his way out of his activities, plus it gave the FBI the opportunity to dig further into his business. Agents, for example, were granted permission to raid his Bitcoin accounts. All that work, allegedly, calling and emailing schools and threatening to blow them up, for nothing.
So far the HBO raiders have fared better and appear to be investing more time and resources into ensuring their own security – easy to say, of course, if you have the resources – but still something that even a hacker on a budget needs to account for.
So, to recap, if you are going to ditch that desk job and shoot for your dream job as a freelance hacker, you need to consider:
- Your skill level
- Your expected income in the first year
- Upfront investment in tools and exploits
- The costs of security around your activities
- The market to aim for
Good luck! ®