In this article I get to interview a former black hat hacker Daniel Kelley who is mostly known for the Talk Talk hack of 2015 which allegedly was a £77 million hack.
What first got me was having spoken to Daniel is that he is NOTHING like what you think he is going to be like after reading the news articles, mainstream media manipulating and mythmaking a story to their own means, who would have thought huh?
But quotes like “A cruel and calculating cybercriminal”, “cruel and calculating”, “prolific, skilled and cynical cyber-criminal” who was willing to “bully, intimidate, and then ruin his chosen victims from a perceived position of anonymity and safety behind the screen of a computer” seem a bit mad.
Yes, it wasn’t the best thing in the world BUT he was young, angry and he is on the Autism spectrum.
He has been and wants to reinvent his life and I for one am rooting for him, we all make mistakes and especially when young so hopefully he can come through this, get a career.
It is a fascinating story and was really interesting to speak to him, hope you enjoy it as much as I enjoyed speaking to him.
How did you get into hacking, although the TalkTalk hack happened when you were a teenager you must have been doing stuff before this?
I didn’t intend to pursue a life in cybersecurity or computer hacking, I used to play this game for 14 hours every day when I was younger, there was a PVP system, and I spent so much time playing this game that my team placed in the top 20 teams in the world.
One evening, we were waiting for a match to start, and my internet goes out just before the game begins, causing us to lose, this is something that keeps happening to against this specific team.
After a few weeks of searching the internet, I discovered a forum with a variety of topics covered, including programming, website creation, operating systems, and computer hacking.
Eventually, I made an unintentional transition where I stopped playing this game and replaced my commitment to it with other areas of cybersecurity and as a result, I began to explore programming, website development, and other related activities.
This carried on for a year and a half and that’s essentially how I got started.
Did you know what you were going to do with the talk talk hack or was it a wing it type hack, I mean did you target them or just found a vulnerability so ran with it?
TalkTalk was just one of my offences, Initially, I was charged with something like 30 different offences which was reduced to 11 upon legal negotiation.
With TalkTalk, I use to be a moderator on an invitation-only forum which was like a semi-private community.
I was responsible for approving applications, approving threads to be published and maintenance tasks., one evening, a user made a thread, and it contained the SQLi that was located on one of TalkTalk’s subdomains along with some data.
I took the data and attempted to blackmail the CEO of TalkTalk with that data.
It was in HMP Prison Belmarsh that you spent your time locked up, that’s a brutal prison it’s like a who’s who if known murderers in the UK. Did they explain why for a nonviolent crime they put you here as it just seems so harsh?
HMP Belmarsh is the highest security prison in Britain.
It houses category A prisoners, high-profile prisoners, terrorists, murders, serial killers, and everything that you can think of.
I was sent to this prison because I was sentenced in the Central Criminal Court (CCC) / the Old Bailey.
From there, you can only go to HMP Belmarsh.
Technically, you can go to other prisons but that’s specific to your case, by default, if you are sentenced in the Old Bailey, you will go to HMP Belmarsh.
On the canteen sheets, you could see the total number of inmates in the facility; at the time I was there, they were housing around 700 inmates, with 200-300 serving life sentences.
Did you get a single cell or have to share and if share what was the cell mate like?
When I was sentenced, my case was relatively high-profile, If you watched the news that week, you would have seen my face.
I was also in national newspapers, I was treated slightly differently from your average prisoner because I was severely ill with depression, and because of the high-profile nature of my case.
I arrived at HMP Belmarsh, was fast-tracked to the healthcare unit, spent a few weeks there and eventually, an agreement was reached by the head of healthcare and security where they decided it would be in everyone’s best interest if I was in a single cell because there were potential safeguarding issues (I was 105lbs and I have Asperger’s which is a form of ASD).
Also, my typical cellmate would have most likely been someone doing a life sentence, which just didn’t sound like a good idea.
How were you treated in prison, how do the inmates and guards treat a hacker in comparison to other crimes?
I was treated really well in prison and got on with most prisoners, I think that was because my offence didn`t pose a risk to anyone and everyone just saw me as a fairly young guy that a lot of people could relate to.
I was just a kid that had been put into this high-security prison, and I think a lot of people recognized that I shouldn’t have been there from the beginning.
A lot of prisoners were interested in my offence and a lot of the time I couldn’t explain to them what I had done because there were guys in the system for decades and hadn’t seen a computer in that long, I had to tell some prisoners that I was in for fraud because that’s the only thing that really made sense to them.
You are now reformed though, what type of work are you looking at getting into?
While I was on bail for 4 years, I did a lot of responsible disclosure, bug bounty work, and freelance work.
This is something that I’d very much like to continue doing. However, I’m currently in a situation where I have two sets of restrictions on me.
I have restrictions from probation, and I have a Serious Crime Prevention Order (SCPO) on me which is active for 5 years.
The authorities responsible for managing me are completely fine with me seeking legitimate employment in cybersecurity but it’s an obstacle because I’m banned from a lot of basic technology like virtual private networks, virtualization, proxies, etc, every device that I access must be registered with the authorities, so some roles are completely out of the question.
If you take a system administrator role, for example, it would be totally unfeasible.
So, I’m looking for a role in cybersecurity that is compatible with my current situation.
Are you being monitored in any way and is that affecting you in learning more about hacking, malware etc and in essence improving your career?
I am being monitored by 4 agencies – the National Security Divison of Probation (NPS), the Serious Organised Crime Unit (SOCU), my local police department, and a police agency called the Lifetime Offender Management Unit (LOMU) which typically manages offenders that pose a risk to national security (terrorists, etc).
They’re entitled to show up at my house up to 4 times a year, or more if security intelligence supports it and remove my devices for inspection.
I’m not inherently banned from computer hacking or cybersecurity, I’m allowed to very much engage in those types of things, however, there are just many obstacles in place which make it a bit more difficult to actually go ahead with.
You’ve also got the other aspect of potential misunderstanding which gets me recalled back to prison, If I was to go ahead and engage in responsible disclosure or bug bounties, there would be a lot of tools and material on my devices that would be used to find vulnerabilities, and obviously, there’s a potential risk there.
In the past, I’ve had SOCU visit me in prison and not inherently grasp the concept of what a bug bounty program is, so it’s not a risk that I want to play with, but obviously, a point is going to come in the future where this situation will presumably take place.
When you were In prison did you have a plan of what to do when you came out, were you allowed access to any computers, to read any cyber security books or take any courses etc or was all that just in hold until you got out?
So, when I went to prison, I had a plan of starting my own business and doing a lot of work in a freelance capacity, but this never really happened because I was oblivious to the obstruction that the restrictions on me would actually cause.
I thought probation restrictions would have been relatively trivial but it’s a lot more involved than that, I also have to get authorization from probation to do any work so I can’t just acquire a client and do the work overnight, there’s a whole risk management process that has to be followed which makes it infeasible.
Perhaps next year it will be different when I’m no longer on probation.
In prison, I read a lot of books – well over 100, I use to spend 8-10 hours a day just reading books and I actually read a lot of cybersecurity books.
I was banned from attending education because a lot of the rooms that facilitated the educational courses had computers in them, a lot of the security departments in the prisons that I visited decided that I wasn’t going to be allowed in these rooms because I was too much of a risk.
You must have had loads of people in touch about articles, writing a book, TV/Movie and stuff?
Surprisingly, I don’t really get that many people asking to do media stuff because my case is relatively old, and not a lot of people remember it.
It’s only when they make the association with me and my offence, that they begin to remember the significance of it, I’m always open to entertaining these types of things.
More than often it’s me reaching out to entities in an attempt to establish a more positive online identity, so if you’re interested, feel free to reach out!
What have you got planned for the rest of the year?
I don’t really do much, I just spend most of my days reading material on the internet, reading blog posts, and having informal discussions with people that reach out to me for assistance in their cybersecurity journey, etc.
I spend time with my family and of course, I keep looking for a role in cybersecurity.
Next year I’ll be off probation and hopefully, I’ll be able to do a lot more so things can only get better really.
Thank you all as always for reading and please feel free to follow and look him up at.
Daniel Twitter = https://twitter.com/danielmakelley
Daniel Website = https://danielmakelley.com/
Regards
Alex