Sometimes cybercrime is the work of organised gangs. Or it can just be a teen in a bedroom
For his tenth birthday, Charles “Charlton” Floate received a PC. “My mum and dad knew I was very into computers and they could see I was good at it,” he says. “They were encouraging, certainly early on because they realised how important computer skills were going to be.”
With the approval of his parents — his mother is a chartered accountant and his father is an energy certifier — Floate began to learn coding, but gradually they grew concerned about how much time he was spending on his computer.
“My mother tried to put a computer lock on,” he says, “but I’d continually reset the router until I was able to be on it as much as I liked. She simply didn’t understand what was going on. She’d sometimes come into my room and look at what I was doing, but it’s impossible to know what’s happening if there’s a load of code on the screen.”
Having gained control of his family’s network, Floate started looking farther afield. He learnt how to hack into other people’s computers and at the age of just 18, while his parents were downstairs watching TV at their home in Solihull in the West Midlands, he brought down the FBI’s website.
“I’d built a botnet, a network of a few hundred infected computers which I could control, and I used them to hack into the FBI,” he says. “I exploited the vulnerability of the software the FBI used to run their site, basically. I can still recall sitting there with a big smile on my face when I pulled it off. I didn’t do it for notoriety, I did it to impress the people in the hacking community, to show them I had the skills to pull it off.”
It’s been the decade of the hack. A series of high-profile attacks and the trials of the people responsible have regularly hit the headlines. In August this year there was the Ashley Madison incident, which resulted in the account details of 32 million site users being posted online. Then last week, there was the cyberattack on the phone and broadband provider TalkTalk, which may have led to the disclosure of thousands of customer details. Cybercrime implies organised gangs working online but some of the biggest hacks are the work of a few people, in fact, often a single young man sitting at a keyboard in his bedroom.
Floate’s big moment was just one in a cycle that has been turning since computers began to reach our homes in the mid-Eighties. In 1985 Robert Schifreen broke into BT’s Prestel Viewdata site and accessed the Duke of Edinburgh’s website (password 1234) and posted a message saying: “good afternoon HRH”.
Schifreen was one of the first two people to be charged under section 1 of the Forgery and Counterfeiting Act. He later won his case on appeal but it led to the first laws against hacking being introduced in the UK. At the time Schifreen was regarded with awe by computer gamers, and for some people the sense of mystique surrounding the lawless genius computer whizz has never gone away.
For Floate the transition from keen young programmer to hacker came when he started investigating gamer forums. “There would be sections on them where people would discuss hacking accounts and borrowing people’s usernames. I found it fascinating. By the time I was 14 I had started looking into hacking seriously and ways you could do it.”
He began to make connections through chatting online. One of those was Topiary, who was later revealed to be Jake Davis, a founder of the notorious hacking group, LulzSec (see panel, right). “I learnt most of my serious hacking skills from them,” Floate says. “They gave me a lot of help. I was even advised how to market myself. I wanted to prove myself to them. That was my main motivation.”
Articles that appeared about Floate around his trial presented him as a quiet loner, but he maintains that he wasn’t. “Yes, I’d spend ten hours a day on the computer but the idea I was some overweight kid with no friends isn’t true. I’m actually quite health-conscious. I wouldn’t eat junk food all day. In fact I’m quite a good sprinter and I still go running. I’d take a break from the computer and go out with my friends. I’m still good friends with many of them.”
However, there were problems at school, as Floate admits. “I was totally bored. I opted to do IT at GCSE but was kicked out within weeks. The teachers didn’t have a clue. They were showing us how to make a website in Powerpoint and I was pointing out you didn’t do it like that. It didn’t go down well. One of those teachers subsequently gave evidence against me at my trial. I began to get an image. My friends used to refer to me as ‘hacker boy’. Some of the teachers thought I was going to break into their bank accounts.
“I didn’t know this myself at the time but I was later diagnosed by a psychologist with having ‘severe depressive episodes’. Essentially that means I find it hard to create serotonin in my brain without getting outside validation for myself somehow. I was hating school and getting alienated and probably getting support from the wrong people online at the same time.”
The FBI hack was the culmination of just three months between November 2012 and January 2013 during which Floate says he crossed the line from messing around to criminal activity. He maintains that he then pulled away from hacking in the wake of proving himself. “I realised it was wrong and it could end badly. I was getting the recognition I needed elsewhere so I stopped.”
He’d moved to Canada with his girlfriend at the time, but an incident came back to haunt him. He’d attended a protest with friends at the Church of Scientology in January 2013, been arrested and had his phone taken by the police. It was encrypted and their interest was heightened. However, it took more than a year for them to decrypt it whereupon they discovered his activities. Without that he maintains he would never have been caught.
On his return from Canada, when his plane landed Floate was arrested by anti-terrorist police. Unfortunately it was the day of the attack on the Canadian Houses of Parliament. “There was a dozen of them with guns and Tasers,” he recalls. “One of them had his gun on me and I could see the laser sight on my chest. It was petrifying.”
He was eventually charged with three counts under the Computer Misuse Act and this month, at Birmingham Crown Court, he was given an eight-month jail sentence, suspended for 18 months, and ordered to do 250 hours’ unpaid work. None of which has done anything to dispel the serious sense of cool that surrounds hacking.
“You explain how you do these things to people and they are seriously impressed,” he laughs. “Even my probation officers wanted to know about it. Cyberwarfare is exciting. It’s glamorised in movies.”
Floate is now focusing his skills on his own computer marketing company. Unsurprisingly, it’s going well. “When people find out that I’m the kid who hacked the FBI they assume you’re a whizzkid.”
What advice would he give to parents of children who are clearly very talented at computing but spending too long in their rooms looking at a screenful of code? “In the old days your dad probably took you out into the garden and played some football. These days it’s probably better to sit down with them and play computer games and try and get into their heads and figure out what they’re like.
“If they’re into chatrooms maybe you’d have to consider stopping them. If you have serious concerns you need to try to find out but spying is going to break down trust pretty quickly. It’s not easy. Children who are talented like that need to be shown a better way to use their talents.”
THE BIGGEST TEEN HACKS
James Kosta
Aged 14, he was recruited into a hacking collective targeting business and military sites. Convicted of 45 counts of technical burglary, he was sentenced to 45 years, but after a year in juvenile detention was given another chance. He joined the Navy, then the CIA. Now 40 and a multimillionaire games maker, he mentors troubled youths.
Jake Davis and Ryan Cleary
As part of the notorious LulzSec hacking gang, Jake Davis, 19, and Ryan Cleary, 20, admitted launching a string of cyberattacks in 2011 on major institutions including the NHS, News International, Sony, Nintendo, Arizona state police and 20th Century Fox. Cleary was jailed for 32 months, Davis for two years.
nsplitter
In 2011, police arrested a Greek teenager working under this alias for hacking into the websites of the Pentagon and Interpol. After a two-year chase, a raid of his house revealed 130 fake credit cards. It was reported that the tattoo on his right arm, written in Hebrew, read: “Capitalism is an opportunity and the opportunity — freedom.”
The Microsoft hacker
A 14-year-old Irish hacker broke into the servers of Call of Duty: Modern Warfare 2 to start a phishing scam that tried to get other players to divulge personal information. He was caught but not taken to court. Instead, Microsoft said they planned to work with the Dublin teenager to develop his talent for legitimate purposes.
DJ Stolen
An 18-year-old hacker who called himself DJ Stolen was arrested for stealing unreleased tracks from Lady Gaga, Justin Timberlake, Leona Lewis, Ke$ha and Mariah Carey and selling them online between 2009 and 2010. He was sentenced to 18 months in detention in Germany and therapy for internet addiction.