The Tech Herald recently had the chance to talk with Johnny Long. If the name rings a bell, then you likely know of him from his books: Google Hacking for Penetration Testers, No Tech Hacking, or various others. Long talks with us about his life, career, and his passion to help people. However, if you still don't know Johnny Long, then the best word to describe him is 'hacker'.
'Hackers are people too'.
This statement, not only the title to an amazing documentary that looks inside the world of hackers from their perspective, is a simple fact. While there are some hackers who are criminals, there are others – the majority – who are just normal, everyday, bold-faced geeks.
Hackers are not just computer enthusiasts. A hacker is someone who loves the idea of discussion, debate, learning, and information of all types. Defcon, the largest hacker convention on the planet, is a prime example. There is far more at Defcon than just computers and the latest security developments. There are people to meet and to talk to. There are coffee wars, because no hacker can really function for three days straight without caffeine. There are parties for more social activity (Black and White Ball), geocaching contests, shooting range trips, lock-picking classes and contests, and even a rather large BBQ the day before the conference.
The hacker you see in the press, the one who steals data, holds information for ransom, and propagates malware and other malicious code, is not a true hacker. The tight circle of friends this hacker associates with – the ones who harvest stolen data, help design new malware, and arrange for it to be hosted and distributed – are far from being true hackers as well.
Each one of them is a criminal. In the eyes of true hackers, they earn very little fame or glory for their actions. They receive no respect, nor are they seen as adding real value to the community. Yet the criminals care little about that; they do what they do for the money and nothing else.
The following e-mail interview has been kept intact in its entirety. What you read here is an insightful look into the life, passions, and thoughts of one of the hacking community’s most noticeable figures, Mr. Johnny Long.
Part One: Meet Johnny Long
The Tech Herald (TTH): How would you describe yourself to a person who doesn’t know you?
Johnny Long (JL): I am a Christian, professional hacker, author, pirate and ninja (in training).
TTH: What is your favorite technology, and why?
JL: As much as I hate to “take sides” I find myself drawn to Apple products more and more. The OS X operating system has really simplified my life, and their products have an amazing aesthetic. I do run Windows and Linux on the machine though and spend quite a bit of time at the command line. Second-favorite technology: shell scripting!
TTH: How old were you when you got into computers?
JL: I got my first computer when I was seven. My dad brought home some old computers from work (a “Rainbow”) and we took it apart. That was the beginning for me.
TTH: What was the first computer you ever owned?
JL: The Texas Instruments TI-99/4A. The Bill Cosby computer. He was cool then.
TTH: When was your first 'hack'? What was it and how did you feel?
JL: I broke into the library’s computer system. It scared the crap out of me, because I just knew the black helicopters were coming and the Fed Special Forces were going to make me disappear.
TTH: What is your favorite technical term?
JL: It’s more like a business term, but “synergize”. Most people that say it want to sound smarter or cooler than they really are.
TTH: What is one phrase or term your friends would say you are famous for?
JL: “Google Hacking.” Seems I made that one up.
TTH: Who are your favorite authors in the INFOSEC or tech publishing world?
JL: Gads. I’ll plead the fifth on that one.
TTH: Recently, you said you were going completely offline after 10 years of activity. You said that your “hand was forced.” Can you explain this in more detail?
JL: I had a server crash, and summarily lost all my data. Yes, I had backups, but because of a series of providential circumstances, I lost all of the backups too.
The truth is, I had lost my way over the past few years, and had become more focused on my accomplishments and myself than I would have liked. My major successes (book sales, speaking gigs, major media experiences and “fame”, my charity work, etc) happened after I stepped away from myself and focused on something bigger.
In the case of my writing career, I had turned my life over to Christ after a really bad experience at DEFCON. At the height of my career, I was invited to speak at DEFCON, which is a culminating moment in this industry. I tried to be mister cool, and really soaked up that moment. I fully expected my life to change after that talk, and I pictured myself as one of the rock stars like FX, Dan Kaminsky and Bruce Potter—guys I really looked up to.
The truth was, it was such a huge let-down that I “quit” the industry. I decided that I would get into shrubbery or something. That was a defining moment for me, because after years of inheriting spirituality, I took a step of faith (the first real step of that kind in my life) and handed over everything to God in a real way. I posted on my website that I was a Christian (in my mind a form of career suicide) and prayed a rather simple prayer. I remember it clearly. I prayed, “God, if you’re up there, I give this all to you. My site, my job, everything. If you want to do something with it, go ahead.”
Interestingly enough, He did. My site went from 500 to 80,000 users. Andrew at Syngress Publishing called me up and asked if I wanted to do a book based on my talk. That book, “Google Hacking for Penetration Testers” went on to be a raging best-seller. Major media organizations started calling me up and I did tons of interviews and became a talking head on CNN for a while. I “found” my stride as a speaker and became an acclaimed and highly sought-after speaker. That experience proved to me that faith is real, and at that moment I decided I’d rather be a set-builder hammering nails behind the scenes of God’s epic production than be the leading man in my own tiny show.
So when I lost my website recently a friend encouraged me to look at why that happened. I realized that I had taken over the wheel again, and the thirst for success had taken me over. After a dozen book projects and a successful run with my charity, I realized it had all become about me trying to succeed. I trashed the site, and began rebuilding from scratch with a new perspective. I even let the maintenance agreement expire on that shiny new web server and moved on to a Christian friend’s donated hardware.
Part Two: Hacking as a profession
TTH: What was it that made you want to go into the security sector of IT?
JL: An accident. I thought I wanted to be a system administrator. I thought that’s what computer jobs were. I got a couple of boring SA jobs, and then CSC picked me up. They had a part-time security team, and as I got to know them I became very interested in the prospect of doing security work full-time.
They pulled me in on a gig they were having trouble with. The client had a decent Internet presence, and had done lots of the right things. But with the end of the assessment looming, they didn’t have much to work with other than a Windows domain Administrator username and password that they couldn’t do a thing with. After surfing the web a bit and checking out the client’s DNS records, I made a call to their help desk posing as the admin whose name was in the DNS records.
I explained that I was stuck in D.C. at a conference and that I had a problem I was trying to work out. I explained that I needed them to turn on dial-up networking on one of the domain machines that had a modem so I could fix the problem. (We knew they [had] Windows servers with modems because of a successful war dial of their phone block). When the technician explained that he didn’t know how to turn on dial-up networking, I walked him through the process step-by-step and had them “confirm” the phone number of the modem, pretexting them with the area code and the first three digits of the local number, which I learned from the DNS records.
After connecting to the system, we were able to pull more than enough information to prove that the client had severe vulnerabilities. Social engineering saved the day on that gig. That experience encouraged me, and a year later, I started the Strike Force inside CSC, which did penetration testing and physical assessments full-time.
TTH: You worked for CSC for just over 12 years, is that correct?
TTH: Tell us about Strike Force? Why did you like it so much?
JL: There was an energy and a passion among all the members. We all loved security and technology so much and we had very compatible personalities. Each and every one of us took it so seriously that the work would creep into our personal lives, and we all geeked out at home trying to learn as much as we could. There was a cool synergy. Ha! I’m smart.
TTH: Of all the jobs you did while working for CSC, which job stands out most?
JL: The physical penetration test with Vince, found in the intro of No-Tech Hacking.
TTH: What was the largest challenge in that part of your career?
JL: Balancing my life, for sure. I put everything on the backburner: my kids, my wife, everything.
TTH: Can you tell us a story about Vince from Strike Force that doesn’t involve coat hangers and multi-million dollar security systems?
JL: Vince taught me a lot about the personal side of this industry. For example, we did a physical assessment once where I infiltrated the building as a phone guy. I used the paging system outside the building to call a security guard to let me in the building to “fix the phones”. After a bit of social engineering (and the right look) the guard let me in. I spent hours inside the building and leisurely strolled around picking up all sorts of secret documents and such. I was on a real high after that gig, but Vince brought me back to earth.
He explained that the guard would almost certainly lose his job as a result of this assessment. I had never thought of that. He was right.
He went on to explain that I should be very careful when I wrote the report, and that I should obfuscate the details of the assessment. I thought it would be a simple task. I would just remove the times and dates from the report so the powers that be couldn’t tell which guard was on duty. In fact, this report became harder than the assessment. I had to fictionalize a great deal of that report so that the client could fix the problem, but the guard wasn’t caught in the crossfire. He taught me that people matter, and that firing a guard would not only have ruined his life, but wouldn’t have fixed the problem.
Part Three: Johnny Long – Hacker, author, speaker, celebrity
TTH: You have spoken to large and small crowds at several conferences, what was the first talk like? Did you get stage fright?
JL: No, I thought I was the man.
TTH: What about now, any stage fright?
JL: Yes. I need to be left alone the hour before I speak. I tend to hide. The first five minutes of every talk, I want to hurl.
[Note: Long's Defcon appearance and the video of it online are how most people know of him. To this day, his No-Tech Hacking talk is famous, having circulated all over the Internet. The next two questions are related to that talk. The video of it can be viewed here.]
TTH: Does your business card really say: “Johnny Long, HACkPwN”? And, if someone was to, say, send you an SASE, would you send them a card?
JL: Ha! No, but I’ve attached my current card.
TTH: Have you earned your black belt in Bujinkan Budo Taijutsu?
JL: No, and we (my wife and I) probably won’t in the foreseeable future. We were scheduled to belt in October 2009, but we’re leaving for Africa on June 15th, and we’ll be there at least a year. So far, we have passed the entire curriculum and are no longer learning new techniques.
As advanced dark brown belts, we are in the review phase of our training, in preparation for our black belts. We will be self-training in Africa, with the intent of passing our curriculum when we return, but that might not fly administratively. Worst case scenario is that we’ll lose the ability to call ourselves “black belts” but the belt is a piece of cloth.
TTH: You’re an author, with an impressive series of books that most people who know you have read. So we can skip over them for the most part. However, you said that writing them was hard, why was that?
JL: I’m not a natural writer. It’s a struggle. I bought lots and lots of writing books, and found lots of great insight in them. Stephen King and Anne Lamott have done amazing work guiding young writers. The truth is that when I got bogged down in rules and regulations, I just locked up. I spent many wasted days trying to eke out pages “by the rules”.
When I just decided to be myself, things flowed, and perhaps the writing suffered, but sales are good. That either means I figured something out or people like buying poorly-written books. The truth is, I’m a technical writer. So I’m not in the “big pond”. That takes a lot of the pressure off. I’m happy being a fun, light-spirited, different tech writer.
TTH: What was it about the Google Hacking books that stood out as a 'wow' moment for you?
JL: Seeing it on the shelf in Barnes and Noble. My wife tried to make an announcement. “Excuse me, everyone,” she said with a bit of hand waving and mock fanfare. “I’d like to let everyone know that the author of this book is right here!”
She keeps me grounded.
Fortunately for me, no one was around. But every time we go into a bookstore she starts waving her hands, ramping up the fanfare. I think she likes watching me try to hide.
The other moment was when Google Hacking hit number five on the Amazon best seller list. Not the technical best seller list, but on the ENTIRE Amazon site. At that point I started watching my numbers. It never [went] even close to that high ever again. I think it was a fluke. I think someone bought two hundred books in that moment and Amazon freaked out or something. But I don’t watch my numbers anymore. It puts me in the wrong mind frame.
TTH: Will you keep giving talks at the various cons?
JL: I’m not pulling out of the community. The community makes this possible. Their show of support has been staggering, and I’m committed to being their cheerleader as long as I can. There’s been a dark cloud hanging over the hacker community for too many years, a certain funk and darkness that’s not warranted. The simple fact is that hackers are responsible for every significant technology in our world. Thomas Edison was the original hacker. A technology MacGyver that changed the world with a bit of wire.
Today, the media [has] vilified the word hacker to the point that it’s synonymous with the word criminal. It’s about time that the world see that hackers aren’t evil. They are curious, brilliant tinkerers that demonstrate indomitable spirit and an unwavering sense of community and openness that is to be admired. Our little hacker movement might just change the world and blast away the swirl of negativity that has surrounded us for far too long.
So, yes, I will be attending conferences and I will continue to speak when I settle on talks that hit the mark.
TTH: Will you keep publishing books?
JL: Possibly. I don’t feel the desire right now. No-Tech was done on my terms. It was my true style, my concepts, my ideas. It felt right. I won’t do another book just to get my name on a book. Book-whore Johnny has left the building. I am entertaining the idea of lending my name and skills (writing, editing, forewords) to projects that will support the charity. I’m toying with the idea of a series of books in which a portion of all the author’s proceeds benefit the charity. As for going it alone, I’ll write another book when I feel passionate about it.
Part Four: Faith, image, and the ability to help others
TTH: How does your faith help you with your work?
JL: It keeps me focused on the right things. Life isn’t about bits and bytes. (Sorry, Neo). Life is about people and relationships and God provided a very strict example for how that looks in the person of Christ. I find that when I am going astray in my work life, it’s because I’ve lost sight of this important fact.
TTH: Does your faith shape your ethics as far as ethical hacking is concerned?
JL: It doesn’t. My ethical standards with regard to my work are very high. If I give my clients any reason to mistrust me, I’m out of a job. I take that very seriously, and I believe I would even if I wasn’t a Christ follower. But, having a higher standard keeps the rest of my life in check, which can reinforce this, especially if I ever find myself out of work. =)
TTH: Did you really worry that introducing your faith would cause some to see you differently?
JL: Absolutely. The reason for this had a lot to do with the “Hackers for Jesus” I ran into at an early DEFCON. Those poor guys were the laughing stock of the conference. They handed out mini-CDs with Linux and Bible software on them. Jeff Moss (the organizer of DEFCON, and my good friend) put them next to the “Devil booth,” a vendor that sold hacker “porn” whose booth was attended by a scantily-clad hacker chick wearing devil horns. He “wanted to see what would happen”. I laughed it off, but that affected me. I remember being stuck between wanting to impress Jeff (who I didn’t know well at the time) and staying true to my (inherited) roots. I wondered why it had to be like this.
This was something I’ve been sensitive to my entire life. Most Christians I knew were nerds, and never fit in. I wondered why they couldn’t be normal, but real. Then I got into the hacker community, and I was surprised to see lots of nerds (I mean that in the best possible way) and outcasts that didn’t really fit into normal society. I felt at home among them. That’s when the thought began to percolate that I could be myself. I worried that I would be perceived as those Linux Bible guys who really weren’t members of the community, but rather more like missionaries in hostile territory.
As a result, I came “out” about my faith, and I try to focus on relationships. I want to be there when my friends in the community have problems. I want to be the guy they call, and I want to be able to tell them honestly that God rescued me, and he can do the same for them. The down side is that I’ve gotten so popular that I can’t possibly build relationships with every single person that emails me, but I do my best. I don’t want to be an ivory tower kind of guy.
TTH: Have you ever had issues with religion from within the hacking community?
JL: No. In fact some of the guys I used to worry about are now good friends. Simple Nomad, Gadi Evron and Tim “Thor” Mullen are great examples. Before I knew them I was terrified of them. Not physically terrified, but emotionally. To me, they seemed like polar opposites of me. One look at Simple Nomad and you’ll know what I’m talking about. His rings and his wild hair and his black outfits suggested that he could very possibly sense my squeaky-clean image and that we would be archrivals.
But they were technically intense and legends in their own rights in the community and I had a ton of respect for their work. So I approached them individually and shared my respect for them, and found them to be deep, emotionally intense, and kind-hearted. I failed a test of sorts, and judged a book by its cover. I swore to never do it again. Today, at least for my part I consider them more than acquaintances. I consider them friends. Thor has transcended friend status. Today I consider him a brother in more ways than one.
TTH: It is partly because of your religion that you give so much back to the community and to others. Are you still working with Invisible Children, which is where the money from your books went, isn't it?
JL: Yes, it is, but no I’m not. I never fully connected with [Invisible Children], but they got the ball rolling for me. I watched their “Rough Cut” video as a part of a homework assignment for my wife’s first mission trip to Uganda. It pushed buttons in me, but left the “tech” side of me wanting.
TTH: Let’s talk about Hackers for Charity. Can you explain what that is?
JL: HFC is an extension of my core beliefs and started as a result of my trip to Uganda with my wife in May 2007. During that trip, I used my computer skills in a unique way. The organization we worked with (AOET) had some donated computers they were using to collect profiles of vulnerable children that needed help. These computer-generated profiles would be used to attract (mostly US-based) donors that could assist them.
The AOET staff struggled because their computers were stand-alone machines. They couldn’t do their work fast enough, and our team decided to install a wireless network that would allow them to share printers, scanners, files and would allow each machine to share the (dial-up speed) Internet connection.
This simple work, far from the high-tech edge I was used to, was powerful. I felt alive doing that work. I could see the immediate benefit to the staff, and this feedback was something I lacked back home. As we prepared to leave Uganda, the country director threw a party for us. He explained that our collective work was quite literally saving children’s lives. It was giving hope to orphans and widows left in the wake of malaria and HIV/AIDS. It EMPOWERED them.
Months after my trip, my heart was still in Africa. And my wife shared that feeling. She had touched on a life-long dream to work in Africa, and for the first time, I shared her dream.
I started HFC to connect the amazing positive skills of the hacker community with organizations like AOET that need those skills and to empower people that have lost hope. This empowerment extends beyond the world’s vulnerable citizens. We also seek to empower hackers (technologists) by giving them a positive outlet and to help them get referrals to help them land a job they are passionate about.
TTH: Who is it that you help, and how have you helped them?
JL: Our focus is in East Africa. To date, we have built two computer classrooms for AOET in Webuye, Kenya and one near Jinja, Uganda. These classrooms provide skills to children and adults to help them land jobs. A single computer job in this part of the world can literally support four or five families.
We’re also working to feed children. While organizations like AOET are doing an amazing job taking care of children, many are simply waiting for sponsors. In those cases, some children are wasting away from hunger or are dying because the medication the organization provides isn’t taking hold because the children don’t have enough food. I began a food for work program in Kenya that was funded through 100% proceed donation of sales of my No-Tech Hacking book.
So far we have fed hundreds of children through this program which provides food for month and materials for a vegetable garden which will provide sustenance for years. This costs $9 per child per month, but the funds from book sales won’t last forever. Our goal is to continue this program through the “Informer” subscription program.
TTH: What is Informer?
JL: For $54 a year, subscribers will not only feed six children for six months, but they will get back-stage access to exclusive content from some of the biggest names in the INFOSEC world. They will get access to blogs, whitepapers, tools, exploits and more before the rest of the world. Subscribers will also get early access to chapters and e-books from the industry’s biggest publishers. Of course we need content providers, and we’re seeking talent from the industry who would be willing to leak content to us for the purpose of standing in the gap for the world’s most vulnerable citizens.
TTH: What has the response been from the hacker community for this?
JL: Overwhelmingly positive, I can’t keep up. It’s my goal to run the charity full-time.
TTH: What has the response been from the corporate space?
JL: Very positive. Software vendors like Core and Acunetix have donated software to our volunteers. Companies like Praxis and Proteus donated twenty brand-new Dell Laptops to our school in Uganda in exchange for a presentation of my No-Tech Hacking talk, which served as a great security awareness talk for the company.
Paraben raised enough money for an entire classroom through a silent auction they threw at their Forensics security conference. Companies like Mile2 have donated training materials and equipment to our cause. The folks at The Training Co have donated financially to our cause as well. The list is quite long, and the work we’ve done is quite significant. I look forward to taking this beyond a part-time endeavor.
TTH: You make mention that hackers who help get serious resume credits. Can you explain this in more detail?
JL: Sure. If someone does work for us, they’ll get recommendations from the charity they support. If they do more than one project, we will connect them with an “A-Lister” that will give them a recommendation in that field. I will vouch for our leading volunteers. Having a recognized icon in the industry (such as a big name, best-selling muckety-muck) can make a significant difference during a job search.
[Note: To date, over 700 hackers have joined up to help. In addition, Long said that six projects have been completed, and that hundreds have gotten “engaged in lifting a vulnerable person out of their circumstances.”]
TTH: You have pictures and video of you in Africa because of charity work. How many times have you been there now? In 2007, you mentioned a trip that hackers paid for, have they covered them all with donations?
JL: I’ve been three times. My family has been once, and my wife has been four times in the past two years.
Our May 2007 trip was fully funded by donations from companies and hackers in the INFOSEC world. That was a staggering show of support, and encouraged me to take their donation to the next level.
TTH: Can you explain how being 'Johnny Long' has helped any of the charities, if it indeed has?
JL: “Johnny Long” is a brand, as funny as that may seem. I don’t understand it, but a certain percentage of our success has come about simply because people are interested in me and my work. I appreciate that support, but I’m all about using that effectively.
TTH: You wrote: “For some reason I have been granted a small bit of celebrity, and although I do not have delusions that I am Bono, much of what he says resounds with me lately, especially that ‘celebrity is currency, so I [want] to use mine effectively’.” Do you think you have achieved this goal?
JL: Not yet. There’s a lot more to do.