Adam Fondren, Deseret News
Brady Bloxham works on a piece of cyber security software called "Slingshot" that he and employee, Nick Landers, wrote for the company he started called Silent Break Security in Lehi on Tuesday, May 1, 2018.

SALT LAKE CITY — He believed a teenager was being abused, and having been an abused child himself, he decided to help, using the computer skills he'd been honing since he attended a New England prep school with a guy named Mark Zuckerberg.

Zuckerberg would graduate from Phillips Exeter Academy, attend Harvard and eventually become the founder of Facebook. Martin Gottesfeld would become a hacker — in his view, an ethical one.

It's a view not shared by federal prosecutors in Massachusetts.

There, Gottesfeld has been jailed for two years, awaiting trial on multiple charges stemming from a 2014 cyberattack on the website of Boston Children's Hospital, a hack he's admitted in public statements to orchestrating.

Photo courtesy of Dana Gottesfeld
Dana and Martin Gottesfeld at their wedding ceremony.

The federal indictment also contains details of a cyberattack a year earlier on Logan River Academy in northern Utah, Gottesfeld's first foray into "hacktivism," which is the practice of infiltrating a computer network or disabling a network through distributed denial of service attacks to achieve a social or political goal.

The Gottesfeld case is a made-for-the-big-screen saga involving telegenic newlyweds, a rescue at sea by a Disney cruise ship and a U.S. Senate campaign launched from Gottesfeld's cell in Plymouth, Massachusetts.

It's also a test of the boundaries of what is known as ethical or "white-hat" hacking — the invasion of a computer network for the purposes of doing good.

Federal law does not distinguish between "good" and "bad" hacking; anyone who "intentionally accesses a computer without authorization" can be prosecuted, and many states have similarly strict laws.

Outside the courtroom, what constitutes ethical hacking differs widely among people who do it: from Gottesfeld's "end justifies the means" philosophy, to rigid adherence to existing law. Most people who work in the field hack with permission: Companies hire them to infiltrate their systems so they can identify vulnerabilities before criminals do, hence the job title "penetration tester," sometimes shortened to pentester.

But Molly Sauter, author of “The Coming Swarm: DDoS Actions, Hacktivism, and Civil Disobedience on the Internet,” said it isn’t permission alone that distinguishes ethical hacking from unethical.


“Ethical hacking is something you have to look at in the context of the technology and also the person doing the hacking ... what the intended consequence is, and what the actual consequence is," Sauter said. "All of that together gives you a framework from which to judge whether or not something is an ethical action or an unethical action."

As Gottesfeld awaits an answer on his April 20 motion to have the case dismissed, the number of ethical hackers is growing, even as some states are enacting tough laws governing their actions and a controversial federal statute remains murky. The ethical hackers use the same tactics as those who hack for criminal purposes, but their motives are good, and some are even willing to share their security tips.

White and black hats

To most people who work in computing, an ethical hacker is someone who is hired, either as an employee or a consultant, to hunt for flaws in a computer system so they can be fixed before a criminal finds his way in.

Brady Bloxham, owner of Silent Break Security, headquartered in Lehi, Utah, said that an astonishing number of companies are lax with their network security, and he and his employees can often get into a system “and get access to everything within a couple of hours.”


Outside the orderly world of corporate hacking, however, operates a cadre of young and passionate hackers who use their knowledge to hack for the chance to win bounties, or to access systems illegally for what they consider the public good.

The group that hacked into the Ashley Madison online dating service website in 2015, for example, cited moral grounds, as well as anger that the company charged customers to erase data and then didn’t delete it.

And Aaron Swartz, the Reddit co-founder who hanged himself at age 26 after being charged with hacking an academic database, is thought to have been motivated by his belief that information in scientific journals should be available to everyone for free.

Hackers can be "white hat," "gray hat" or "black hat," depending on their motivation and methods, Bloxham said. But specialized knowledge and the unbridled passion of youth (most hackers are 34 or younger, according to one recent survey) form a combination that is sending some of them to jail.

'Free Marty G'

Gottesfeld has lived in Massachusetts for most of his life, but strangely enough, he arrived in jail by way of Utah.

He was working as a senior systems engineer when he began dating the Brandeis University student who would become his wife. Dana Barach had a younger brother who had recently been admitted to Logan River Academy, a residential treatment facility for teens.

Dana visited her brother in 2013 and was upset by what she saw and learned about teens being kept in seclusion, which she and her husband thought amounted to abuse.

Gottesfeld had been physically abused by his grandfather, a fact confirmed by a Rolling Stone magazine reporter last year. A sensitive young man who has said he cried when Swartz committed suicide, Gottesfeld wanted to shut the academy down. With the help of other people associated with Anonymous, a loosely organized coalition of hacktivists, he launched an online attack on the facility's website that lasted for more than a week and attracted national attention.

A spokesperson for the Utah Department of Human Services said its Office of Licensing investigated the allegations in 2013 but found no violations, and the controversy quickly blew over.

But when Gottesfeld learned about a Connecticut family that accused Boston Children's Hospital of "medical kidnapping" he decided to employ the same strategy to help Justina Pelletier.

Adam Fondren, Deseret News
Brady Bloxham launches a piece of cyber security software called "Slingshot" that he wrote for the company he started called Silent Break Security in Lehi on Tuesday, May 1, 2018.

Pelletier, then 14, suffered from mitochondrial disease, and the state of Massachusetts took permanent custody of her after her parents took her to Boston Children's for complications from the flu. She spent more than a year in a psychiatric ward before she was released to her parents after public outcry, which included Gottesfeld's cyberattack on the hospital during its annual fundraising drive.

Gottesfeld's role in Pelletier's return home, however, was widely condemned, even by others in the hacking community. During the attack, one person associated with Anonymous posted online "IT IS A HOSPITAL. STOP IT."

In court filings, Boston Children's Hospital has said that it lost more than $600,000 because of Gottesfeld's actions and that the attack disrupted research and basic operations. Gottesfeld has countered that no one was injured by his actions, and that one person — Pelletier — was demonstrably helped.

Gottesfeld and his wife have publicly campaigned for the dismissal of charges with a campaign called Free Marty G, and last week, his attorney filed a motion asking the court to dismiss the charges, saying that his lengthy detainment has violated guarantees of the Speedy Trial Act.

But many people who work in computer security, including Justin Searle of Salt Lake City, insist that hackers can't operate outside the law, regardless of how well meaning they are.

The world of pentesters

Searle, director of ICS security for InGuardians, a security consulting firm, teaches ethical hacking all over the world, although he dislikes the word "hacker," which he believes has been turned into a negative term by the media.

Searle believes that Gottesfeld and other rogue hackers should go to jail, regardless of their motivation. He likens their actions to a protestor who sets police cars on fire or throws barricades through windows.

"I don't see them as ethical hackers; I see them as criminals that deserve to be arrested and incarcerated," Searle said.

Gottesfeld, however, argues that the penalties for that sort of civil disobedience are not as draconian as some of the penalties that hackers face under current federal law.

“We as a society have to choose what types of behavior we want to incentivize and deincentivize,” he said, answering questions from The Deseret News that were conveyed through his wife. “The behaviors we want to deincentivize should not be selfless behaviors that are meant to further the greater good, protect children from abuse, protect whistleblowers, etc."

In the Swartz case, officials with the JSTOR database declined to press charges, but federal prosecutors went after Swartz anyway, with U.S. Attorney Carmen Ortiz famously saying "Stealing is stealing whether you use a computer command or a crowbar."

Wikimedia Commons
Aaron Swartz, pictured here in 2006, was a renowned computer programmer who committed suicide while facing a federal trial for hacking into MIT's network to download millions of academic articles.

Critics of a law recently passed by Georgia legislators, however, point out that some laws make computer specialists criminals even if they accidentally infiltrate a system.

The Georgia bill, which has not yet been signed by the governor, was written in response to an unintentional breach of voter information by a security researcher who wrote an automated script, went to lunch, and returned to find 15 gigabytes of sensitive data on his computer, according to Andrew Green, who teaches information security and assurance at Kennesaw State University, in Kennesaw, Georgia, where the data was housed.

The resulting outcry and the drafting of what Green believes to be an overreaching bill is taking place at a time in which the boundaries of penetration testing are still being established.

“Information security as a discipline is so young that it’s the equivalent of a 6-month-old baby,” he said, adding that people working in the field don’t even agree on what constitutes a data breach.

In the case of Georgia’s voter records, “Data was taken, but it was inadvertent. I don’t consider it a breach; I consider it an incident,” he said.

Green is among those who believe that the federal law governing hacking contains ambiguities that can lead to overzealous prosecution. But he also says that the newness of the security industry has contributed to the problems of defining and regulating hacking — as have the demands of the public.

“At the end of the day, people want to be able to pay their water bill at 3 in the morning wearing their pajama pants at home. They don’t want to think about what it takes to secure that,” Green said.

“The moral of that story is, when we have to choose between usability and security, currently usability wins every time.”

How to become an ethical hacker

According to a recent survey by the company HackerOne, the majority of people working as ethical hackers are self-taught, and more are motivated by the desire to learn and to improve their skills than to make money. But "to help others," "to do good" and "to protect and defend" came after profit.

HackerOne is a platform that hackers can join for free, and then try to win money by finding vulnerabilities in the computer systems of corporate subscribers. The company's clients have included the U.S. Department of Defense, General Motors, Twitter, Nintendo, Starbucks and Spotify, said co-founder Michiel Prins.

Aaron Thorup, HackerOne, The 2018 Hacker Report

The company surveyed more than 1,700 penetration testers who registered with HackerOne. Of them, 1 in 4 had donated their proceeds to charity, 58 percent were self-taught and 44 percent were IT professionals.

Jason Tsang, who designed and teaches an ethical-hacking certification program at the University of Washington, also works for Microsoft, which, like Google, has a bounty program for "bug hunters." Such programs pay hundreds or thousands of dollars to people who discover vulnerabilities within a system and report them. But hackers generally abide by an unwritten code of ethics that restricts them to accessing their own data in a system, not that of others.

For example, the Ashley Madison hack would have met ethical guidelines only if the hacker had accessed his own data, not that of 32 million other users, Tsang said.

True ethical hackers also give a hacked company an opportunity to repair the vulnerability before making the flaw public, generally a window of at least a month, Tsang said.

“The goal of regular hackers is just to steal stuff. The goal of the ethical hacker is to educate the business, to help them become better in general.”

Ethical hacking is also taught at the University of California at Berkeley and North Dakota State University, among others. It's not just a casual term: people obtain official certification as a CEH — certified ethical hacker.

Advice for families

Ethical hackers learn and employ the same techniques that criminal hackers used when taking over Atlanta's government network and demanding $50,000 in bitcoin as a ransom. (The March cyberattack there crippled everything from police warrants to online bill payment for a week.)

Their knowledge and skills go far beyond that of the ordinary computer user, but their advice is surprisingly simple and uniform when it comes to defending your own computers and devices.

Asked for advice for families, each ethical hacker that spoke with The Deseret News offered the same recommendations: change passwords frequently, use a different password for each account, and use a password manager to keep track of them all.

Green, at Kennesaw State University, also recommended that families avail themselves of Haveibeenpwned.com, a free service developed as a public service by Troy Hunt, a Microsoft director; the site now partners with password-management company 1Password.

On Hunt's website, people can type in their email addresses to learn if they have been part of a hack, and if they have, the details are given.
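Hunt's site also exposes the same breach data as a password-checking service, and the way it does so is worth seeing because it is the pattern a defender wants: the checker never sends the password, or even its full hash, off the machine. The example below is added here and is not code from the Deseret News or from Troy Hunt's project. It assumes the real Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password's upper-case SHA-1, answering with lines of "remaining-35-hex-chars:count"); the sample response it checks against is constructed, not real breach data.

```python
import hashlib
import urllib.request

# Real Pwned Passwords k-anonymity endpoint (assumption: URL and format as documented by the service).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of a password into its 5-char prefix and 35-char suffix.

    Only the prefix is ever sent to the service; the suffix is compared locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(password: str, range_body: str) -> int:
    """Return how many times the password appears in the range response for its prefix (0 if absent).

    range_body is the text the service returns: one "SUFFIX:COUNT" line per known hash
    sharing the prefix. Comparison is against the 35-char suffix, so the password never leaves.
    """
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a 5-character prefix (network call; not used by the offline check)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def build_sample_range(pwned_password: str, count: int) -> str:
    """Constructed stand-in for a service response, so the check can be exercised offline.

    It contains two dummy suffixes plus the suffix of pwned_password with the given count.
    This is fabricated sample data, not anything the real service returned.
    """
    _, suffix = sha1_prefix_suffix(pwned_password)
    filler = [("A" * 35, 3), ("0123456789ABCDEF0123456789ABCDEF012", 1)]
    lines = [f"{s}:{c}" for s, c in filler] + [f"{suffix}:{count}"]
    return "\r\n".join(lines) + "\r\n"


def is_pwned(password: str, range_fetcher=fetch_range) -> int:
    """Full check: derive the prefix, fetch its range, compare the suffix locally.

    range_fetcher is injectable so the logic can run against build_sample_range() offline.
    """
    prefix, _ = sha1_prefix_suffix(password)
    return count_in_range(password, range_fetcher(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed response (no network traffic).
    leaked = "correct horse battery staple"
    sample = build_sample_range(leaked, 42)
    print("seen in breaches:", is_pwned(leaked, lambda p: sample))
    print("seen in breaches:", is_pwned("an unrelated passphrase", lambda p: sample))
```

The design point is the split: a five-character prefix covers hundreds of hashes, so the service learns almost nothing about which password was checked, while the client still gets an exact answer. A password manager that flags reused or breached passwords does the same lookup behind the scenes.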


The ethical hackers also advise people to use two-step verification for all their devices, when available.

Correction: Hacktivism is the practice of infiltrating a computer network or disabling a network through distributed denial of service attacks to achieve a social or political goal. An earlier version of the story defined hacktivism as only infiltrating a computer network. Martin Gottesfeld said he was a senior systems engineer prior to his arrest. An earlier version of the story stated he was a programmer and systems analyst.