...make it more difficult for the government to track me. They claimed all my hacking into those companies was a huge elaborate fraud and that I caused $300m [£185m] of damage.
They said the value of property I copied, the R&D development cost, was $300m. The government tried to use the old [definition of] loss for tangible property. If I copied that code and they no longer had use of it, it would be a $300m loss or whatever.
They told my attorney that if I didn't cooperate and plead out, not only would they take me to trial in Los Angeles, but they would put me in a revolving door of trials and put me on a bus and take me from federal jurisdiction to federal jurisdiction.
So I signed the deal and admitted causing between a $5m and $10m loss [£3m to £6m]. I signed it not believing it. I signed it to get out. I really don't believe to this day that my actions caused that amount of loss, because none of the victim companies lost use of their code, they never claimed any losses due to my activities.
Sure there were losses, maybe in the thousands of dollars, for their time to investigate who hacked into their systems and to secure them. Those are the real losses. But I was the example for the federal government, so they needed to put me away for a long time.
That's why I was very angry and bitter against the government at the time, because I wasn't being punished for what I did. I was being punished for what I represented at the time. I have no qualms about being punished for what I did. The punishment should fit the crime.
So, if someone were to ask you what lessons you've learned, what would you say?
Don't break the law. Don't intrude on other peoples' property. It's just the wrong thing to do. It's unethical and immoral. And now of course it's illegal.
It's trespassing. You're violating somebody's property rights. And they have the right to control and keep their property confidential. What I attribute my change of heart to is growing up. Back then I was young and immature, and never damaged anything intentionally.
Do you feel that your hacking has led to positive change in some way?
Yes. It led to my career. Today I speak around world, I do penetration testing all the time — and deep penetration testing, where I go after the most sensitive credentials at a company to see if I can get to the crown jewels.
I see what I can do as an ethical hacker. I really enjoy this work because when is it that you can take a criminal activity, legitimise it, and get paid for it? Ethical hacking. It's not like you can be a drug dealer and go work for [chemists] Walgreens.
A lot of penetration testers today have done unethical things in their past during their learning process, especially the older ones because there was no opportunity to learn about security. Back in the seventies and eighties, it was all self-taught. So a lot of the old-school hackers really learned on other people's systems.
And at the time, I couldn't even afford my own computer. A dumb terminal was like $2,000 [£1,200]. A 1,200-baud modem was like $1,200 [£740]. The cost of this technology was out of my range as a high school student so I used to go to local universities and use their system, albeit without their knowledge, to learn.
Read this
Why scammers find rich pickings on Facebook
People shed their normal caution on social-networking sites, leaving the scammers and worm-writers to rub their hands with glee...
Any advice for young hackers?
Don't follow in my footsteps. There are definitely other roads or other opportunities and ways that people can learn and educate themselves about hacking, security, and penetration testing. Today it's a huge market. It's become a huge issue within the federal government with critical infrastructure.
Some people say companies shouldn't hire former black-hat hackers. What are your thoughts on that?
I'm hired all the time. So far it has not really been an impediment. You have to evaluate the person's skillset, their maturity, and what they did before as a hacker. Were they getting credit-card numbers and buying merchandise on the internet? Or were they hacking systems for their own intellectual curiosity?
You can't just lump black-hat hackers into one category. You have to look at what they did in the past, what they've done since then, and what credentials they have to get the job done. People who have operated on the other side of the law, like Frank Abagnale, he is a prime example.
He reformed himself and now is the leading authority on counterfeit money and checks. Look at Steve Wozniak. He even started out as a phone phreak. But he took a whole different direction. He's done a lot of good for the community. That's another factor — what good has that person done for the community and industry since the transgression?
What are you doing now?
Consulting, author, public speaker. I go around the world speaking. That's my primary activity — ethical hacking, penetration testing, system hardening, training, education. And I'm working on my autobiography. It's due out in spring 2010.
