“Since we have nothing to hide, we’re publishing all our e-mails, files, and source code,” read a Tweet published on late Sunday, July 5, 2015.
The tweet was accompanied by a link to a torrent file of around 400 gigabytes, practically everything Hacking Team had on its corporate servers: internal emails, confidential documents, and even the company’s source code. Hacking Team, which at that point was already notorious for selling its wares to repressive regimes and governments such as Ethiopia, Morocco, and others, had just gotten hacked.
Hours later, the hacker who breached the company’s computers, and used its own official Twitter account to spread the hacked data and embarrass it, revealed himself to be the same one who the year prior had carried out a similar attack against another company that sells spyware to governments, FinFisher.
”I just read the Citizen Lab reports on FinFisher and Hacking Team and thought 'that’s fucked up.'”
Since then, the hacker, who goes by the moniker Phineas Fisher, has kept mostly quiet, except for some tweets on his own Twitter account, and a writeup on how he broke into Hacking Team, which also served as a manifesto of his “hack back” hacking political movement.
Before all this, though, just a few weeks after his hack, I asked him if he wanted to do an interview with some colleagues from VICE Canada, who were working on a documentary on the growing market of cyber mercenaries, companies that sell hacking and spying tools to police and intelligence agencies all over the world.
After some back and forth, Phineas Fisher agreed—with one strange condition.
“I'll do a video interview if you get kermit the frog (or a homemade non-trademark violating puppet) and a voice actor to read lines I type in chat,” Phineas Fisher told me.
And so, our friends in Canada got a homemade puppet and chatted with Phineas Fisher in his first-ever extended interview. You can watch most parts of the interview in the video below, or read the full transcript (lightly edited for clarity) also below.
BEN MAKUCH: So why did you hack Hacking Team?
PHINEAS FISHER: I just read the Citizen Lab reports on FinFisher and Hacking Team and thought “that’s fucked up,” and I hacked them.
That easy? How did you do it?
Gamma group I wrote how [I did it], Hacking Team I’ll write eventually. [Note: This interview was conducted months before Phineas Fisher published a detailed explanation of how he did it.]
What was the goal in leaking all of the Hacking Team data? Were you trying to stop them?
For the lulz. I don't really expect leaking data to stop a company. But hopefully it can at least set them back a bit and give some breathing room to the people being targeted with their software.
Speaking of which, we spoke to Ethiopian journalists who were targeted by their government using Hacking Team software. They wanted to thank you.
Cool. Kinda weird seeing my hacking addiction/hobby actually affecting people in the real world in a positive way.
For a hobby you're pretty good at it. So is this at all about anti-surveillance for you?
Of course or I wouldn't be hacking surveillance companies.
What do you think of surveillance companies? And Hacking Team specifically?
I would say they are people with no morals going where the money is, but that's maybe not entirely true. I imagine I'm not all that different from Hacking Team employees, I got the same addiction to that electronic pulse and the beauty of the baud [a reference to the famous Hacker’s manifesto]. I just had way different experiences growing up. ACAB [All Cops Are Bastards] is written on the walls, I imagine if you come from a background where you see police as largely a force for good then writing hacking tools for them makes some sense, but then Citizen Lab provides clear evidence it's being used mostly for comic-book villain level of evil. Things like spying on journalists, dissidents, political opposition etc, and they just kind of ignore that and keep on working. So yeah, I guess no morals, but most people in their situation would do the same. It's easy to rationalize things when it makes lots of money and your social circle, supporting your family etc depends on it.
”I don't really expect leaking data to stop a company.”
Well it's interesting because they say what they do is legal and what you do is illegal.
Well yea that's true. Legal versus illegal is almost inversely proportional to right and wrong though.
They said to us, that what they were doing was totally above board. True. What do you think the public thinks about Hacking Team now?
Probably the public still hasn't heard about Hacking Team. Hopefully enough in the programming/hacking world have to make it harder for them to hire new talent. People probably go in relatively normal and the contradictions and rationalizations they have to make to stay sane working their make them progressively more unhinged like [Hacking Team CEO David] Vincenzetti.
Do you think other surveillance companies are afraid of you now? You're two for two.
I don't think of myself as scary. But probably, you can see in the Hacking Team emails they got a pentest to check their security after the Gamma Group [FinFisher] hack. And it's not just surveillance companies. It made a lot of the infosec industry uneasy. Like they call themselves "ethical hackers" and Hacking Team was making tools used mostly for obviously unethical hacking, So a lot of individuals in infosec were cheering after the hack. But it also made a lot uneasy, because they recognize people like them securing banks and defense contractors and the people like Hacking Team providing offensives tools to law enforcement and military are essentially on the same side, and it brings back bad memories for them of ~el8, zf0, phc etc.
Do you think the software that Hacking Team sold, was it any good? How would you rate them?
I mean it works well enough for what it's used for. Considering the number of technical employees working on it as their full time job it's a little underwhelming. But the software's not really the important part, there's better RATs [Remote Access Tools]. What they provide is packaging it all in some point-and-click way and providing all the technical support. So shitty dictators that can barely turn on a computer can hack and spy on their opposition.
Yeah, that's basically how Citizen Lab saw the software. The Ethiopian intelligence agency INSA was shit at hiding themselves and their tracks.
Yea reading some customer support emails it's pretty amazing how bad with computers the people operating the software are. Like seriously INSA, just pay for one of your employees to get a computer science degree or something.
Good advice! What was the funniest thing you found?
[A tweet that reads "Meanwhile in the London Embassy" in Spanish. The tweet is a joke about the presumably awkward situation at Ecuador's Embassy in London, which was hosting Julian Assange at the same time as WikiLeaks was publishing the leaked Hacking Team emails. The emails showed that Ecuador's intelligence agency purchased the Italian-made spyware and used it to spy on political opponents.]
So if these surveillance companies keep selling to shitty dictators, (even after being hacked), is there anything the law can do to stop them from basically selling weapons abroad?
I'm a little confused by the question. I'm not sure why people writing laws would want to try to stop a company whose job it is to help them enforce them.
Maybe you mean along the Citizen Lab line where there's "good" governments and "bad" governments, and the "good" countries have legitimate uses for the tools but need to stop them from falling into the hands of the "bad" countries?
I guess I mean between "authoritarian regimes" and "democratic" governments.
The essential function of law enforcement is the same. In all the FinFisher and Hacking Team customers where targets of the spying have been identified in Bahrain, Ecuador, Mexico, Ethiopia etc, it's all investigative journalists, dissidents, political opposition etc being targeted, never "standard" crime. The vast majority of law enforcement resources everywhere are dedicated to monitoring threats to those in power, in one of the rare glimpses to how police spend their resources in a "democratic" government. Back before everything was on hard drives and you could hack them in your pajamas, it was in filing cabinets and you had to physically break in. But when the citizens commision to investigate the FBI broke into their office they find: according to its analysis of the documents in this FBI office, 1 percent were devoted to organized crime, mostly gambling; 30 percent were "manuals, routine forms, and similar procedural matter"; 40 percent were devoted to political surveillance and the like, including two cases involving right-wing groups, ten concerning immigrants, and over 200 on left or liberal groups. Another 14 percent of the documents concerned draft resistance and "leaving the military without government permission." The remainder concerned bank robberies, murder, rape, and interstate theft. Draft Resistance and leaving the military I'll include under not "real" crime but threats to those in power. So like 70 percent political, 30 percent real crime. The difference between authoritarian regimes and "democratic" ones is that Hacking Team customers jail, torture and kill, where the "democratic" ones have gentler ways of managing dissent.
”The difference between authoritarian regimes and 'democratic' ones is that Hacking Team customers jail, torture and kill, where the 'democratic' ones have gentler ways of managing dissent.”
I guess if you take the Snowden leaks and the Hacking Team list of customers, governments are basically doing the same things. Money and technology is all that separates them.
Well yeah, the natural tendency of everyone in power is to want more power and control, and they need surveillance for that.
I'm wondering, what would you say to Eric Rabe? He's Hacking Team's media guy.
Well he's certainly good at putting the best light on a situation. Well worth the money if you find yourself exposed for contributing to human rights abuses and need a PR man.
Ice cold. I’m wondering what Lockheed Martin's PR guy is like.
Lockheed Martin just makes the drones that someone else uses to kill people on a list someone else writes. Hacking Team was only one step removed. Being two steps removed absolves you from any PR problems right?
I'm sure that's what they tell themselves at night. One last thing before you go, if you don't mind. How do I know you're Phineas Fisher?
You don't, we're all Phineas Fisher. That's a dumb name though, just the first play on FinFisher I could think of and I haven't hacked them in a while. I should try out a new name.
Yeah you should. Go with something fierce. Like "Laser Tiger."
Needs more cyber.
"Hacking Team Hacked Again By Infamous Laser Tig3r". OK, well thanks very much for taking the time to chat with me. Much appreciated. And the puppet worked hard tonight too. You'll like it.
Vice Cyber Investigative Journalist Squad
I like it.
But seriously in the Motherboard article on Variety Jones it keeps saying "a source independently gained access to," where "a source independently gained access to" is probably a euphemism for illegal hacking. How can I get paid for some of these special "investigative journalism" jobs?
I imagine you'd charge a lot in Bitcoin. Do you accept Dogecoin or Kanyecoin?
Bitcoin, Dogecoin, Faircoin. Also fun fact you should include in the interview: I got my start in the hacking scene writing visual basic malware thanks to my church group when my mom signed me up for "Summer VBS."
Wow, so we can thank the Church? And thanks for that. Very fun fact.
No problem. After I get out of jail for hacking instead of going the reformed whitehat route I'm gonna try stand up comedy, think I got a shot?
Follow your heart Phineas.