
Hacker Conversations: Frank Trezza – From Phreaker to Pentester – Source: www.securityweek.com


Source: www.securityweek.com – Author: Kevin Townsend

The history of Frank Trezza is not unusual among hackers – from a young prankster through growing exploration of potential attacking powers to a mature defender of security. In this edition of Hacker Conversations, we follow his path.

SecurityWeek’s Hacker Conversations series discusses the mind and motivations of hackers. Many, like Trezza, have become important figures in today’s cybersecurity defense. To defend computers, it is useful to know how to attack them – and that’s where being a hacker becomes valuable.

What is a hacker

The fundamental characteristic of being a hacker is common to all hackers: it is based on a drive to understand how things work. If we consider the term ‘hacker’ as a genus, a computer hacker is a species of the genus hacker. Other hackers could belong to other species such as lifehackers, locksmiths, music hackers, and mind hackers (psychologists for the theory and psychiatrists for the function). The list is effectively limitless.

Here we are solely interested in the computer hacker species. There are numerous sub-species that are usually classified by motivation and choice using additional epithets: such as ‘blackhat’, ‘whitehat’, ‘ethical’, and ‘pentester’. In this series we apply no moral score to the motivations that create the sub-species, but we do sometimes seek to understand individual choices – which can include moral virtue or turpitude, financial or social background, and geopolitical influence. 

To complicate this scenario, one hacker can belong to several sub-species simultaneously – like the frustrated ethical hacker whose discovered vulnerabilities are ignored by the vendor and consequently decides to distribute, or even sell, those vulnerabilities on the dark web. 

A further complication is that being a hacker does not require knowledge that you are a hacker (although that usually becomes self-evident as years go by). Frank Trezza, today’s subject, is an example of this. He started hacking when he was about nine years old, but he didn’t realize he was a hacker for another five years. All he knew at age nine was that you could do fun additional things with this new stuff called technology. And he learned this from an older brother and their mutual love of the new computer games.

Early video gaming was the entrée into hacking for many youngsters thirty years ago. The games were so expensive, not all friends had a copy, and they didn’t necessarily do what you wanted them to do. And as gaming and playing and chatting with multiple friends migrated onto the nascent internet, everything became way too expensive with the additional telephone costs.

Knowing you’re a hacker

“Let’s say I wanted to play Wolfenstein with a friend, and he didn’t have a copy,” explained Trezza. “I learned how to take the game that I bought and compress it onto a small disc so that I could share it with him, and he could play it with me.” He was still only around ten years old.


Technically, this may have been ‘hacking’, but Trezza wasn’t aware of this. He had an ability that enabled him to share his own opportunities with others, and he did this. This desire to share the benefits he enjoyed with others perhaps less fortunate is a latent and innate influence within his persona.

“I wouldn’t have considered myself an actual hacker until I was maybe 14 or 15 years old. I had a desire to get on the internet, but not the money to do so. I had to figure out alternative ways of getting online. That was probably the first actual hacking, where I was intentionally bypassing security mechanisms put in place so that I could get access to the internet. At that time, dial-up was very expensive, which led me to learn about phreaking.”

Phreaking (freaking the phone) is a common factor in the evolution of almost all first generation hackers. Natural hackers with the innate desire to share need to talk to other hackers. Technology provided this opportunity through the early internet and bulletin boards (BBs); but priced it beyond their reach. Hacking the phone system was largely considered an acceptable way of achieving desired ends without (usually) harming anyone other than the big comms companies.

Trezza described one method he used: “As a kid of 14, I realized AOL had an 800 number you could call, and they charged you a lot of money to use that 800 number – but you didn’t get a separate phone bill for its use. I also realized that when you signed up, they didn’t check the credit card you used until a month later, provided it conformed to the expected algorithm [the Luhn algorithmic verification of the card’s check digit]. So, I could generate a credit card, give it to them and have free use of that 800 number for a month. My parents weren’t going to get a bill, and I wasn’t going to get in trouble for it. Okay, AOL would get stiffed on those hours, but they were a major corporation, and, aged 14, ethically I didn’t see anything wrong with that.”

With access to bulletin boards, his access to learning increased. He also began going to local meetups in New York City and the 2600 crew. “I hung out with people like Emmanuel Goldstein and Rob T Firefly,” he continued. Emmanuel Goldstein, a character from the dystopian novel 1984, is / was the handle of Eric Corley; while Rob T Firefly, from the sci-fi Firefly television series, is / was the name used by Rob Vincent. Both are still active with 2600 and the HOPE (Hackers on Planet Earth) conference.

Pranks and law enforcement

The process of growing up is invariably one of testing limits (usually personal) and pushing boundaries (usually societal). Young hackers have unusual abilities with unusual consequences; and the evolutionary process for them is equally unusual. It generally starts with technological pranks and evolves into something more complex and sometimes more serious. Frank Trezza was no different.

One example of an early prank involved phones. “Me and my friends would change the level of service of somebody’s phone, so that when their parents would pick up the phone to make a phone call from their house, it would say, ‘Please insert 25 cents or 50 cents’ to make this call – because as far as the phone company was concerned, that phone was now a pay phone. Nobody could make any outbound phone calls. It was a prank, but it was a difficult thing to get resolved because the phone company could rarely figure out how that happened.”

As skills evolve and young hackers get older, those pranks might also become something less likely to be funny. “Yeah, I did a few stupid things,” he said. “I never ended up in jail, but I did have a few visits from the police. Luckily, they didn’t really have the knowledge or understanding to prosecute that type of crime back then – but I did some stupid things. I have a sealed record as a result, and I’m not too proud of some of the stupid things I did. But really, there are not too many of us that are proud of all the things we did when we were kids. I got in trouble a few times.”

As he matured, the common amoral attitude of the youngster began to change. Such jokes can have real and unwelcome consequences. He gave an example. It may not have been an epiphanous moment, but it does demonstrate his increasing awareness of the potential harm of hacking for fun.

“When I was young, I worked for a big retail firm. They hired me and I worked for about three months before I found out they would be laying off me and the others hired at the same time. It seemed that they did this to avoid having to provide health insurance. Then they’d hire another batch of kids for three months. This didn’t sit well with me,” he explained.

“I understood their elementary computer and payment system; and I had a very low opinion of the manager who was about to fire me. So, I bought a router and set its priority to be the primary router that would provide the IP addresses and DHCP information to all the other devices. I took the label printer and put the manager’s name on it, and then put the router in a network closet. I knew that over time, after I got laid off, it would cause chaos. All the computers on the network would begin to connect to this router to get their information, and they wouldn’t be able to connect to the system they were designed to talk to. When they did work out what was wrong, the manager who unjustly fired me would get the blame.”

It was done in a fit of righteous justification. But Trezza soon had regrets. “I’m not very proud of having done that,” he continued. “I think it was a very impulsive thing I did as a kid, and that guy ended up losing his job because of it. I felt like I was justified at the time. I was working with the mindset of a child and seeing things in a very black and white way, missing the nuances involved. That guy could have had a wife and a family, and he might have just been doing what he was told to do from the top, you know, following orders.”

This is part of the process of growing up – from seeing things in black and white as a child, to beginning to understand the wider implications of actions. Through this process, Trezza began to focus on using his skills to protect rather than manipulate. It is a process that is common to many hackers.

Neurodiversity and moral compass

There’s an interesting conjecture around this type of moral evolution. He, like most other hackers in this series, is neurodiverse – or more specifically, ADHD and / or Aspergers. The well-known ASD capacity for long periods of hyperfocus coupled with a tendency to ‘think outside the box’ is an obvious boon (but not necessarily a requirement) for hacking. 

Trezza believes his neurodiversity has helped his hacker career while simultaneously introducing some difficulties. “I believe it brings a heightened attention to detail, pattern recognition, and logical thinking – key assets in cybersecurity. However, it also comes with challenges, particularly in social interactions and communication, which are important in client-facing roles or collaborative environments. For example, I’ve had to work consciously on refining my interpersonal communication, whether when explaining technical issues to clients or navigating team dynamics. It’s not always intuitive, but understanding these challenges has helped me develop coping strategies and maintain strong working relationships.”

He takes inspiration from Christopher Hitchens: “The essence of the independent mind lies not in what it thinks, but in how it thinks;” and “Human decency is not derived from religion. It precedes it.” Entirely separately, research published in May 2024 (Moral foundations in autistic people and people with systemizing minds) finds a statistically relevant “preference by autistic people for Fairness over Care, and their attraction to libertarian politics”.

Now relate this last statement to Trezza’s own evolution. His early childhood hacking exploits were distinctly ‘amoral’ or lacking in ‘care’. But there was always an element of fairness (for example in wishing to share his gaming opportunities with childhood friends who had no such opportunities).

Fast forward to the episode with the router and being ‘unfairly’ dismissed. His immediate reaction lacked care – but was later colored by the idea that perhaps he had also been ‘unfair’ to the manager who fired him. It is tempting to think that Trezza’s moral compass has been affected by the growing dominance of ‘fairness’ over ‘lack of care’ as he matured. 

Whether this has anything to do with neurodiversity is unproven – but the process is probably accurate. It even includes libertarian attitudes. Among other employment, Trezza is currently CISO at Atheists for Liberty. “This reflects my dedication to promoting open dialogue and standing up for principles related to freedom, individual rights, and rational thought – values that align with my ethical stance on hacking,” he said. 

And now…

Frank Trezza is fairly typical of most hackers. Early pranks sometimes leading to something more serious – the things he’s not proud of – but ultimately evolving into a strong ethical position on using skills to protect rather than harm security. Apart from being CISO at Atheists for Liberty, he now has his own independent pentesting firm, and also has a day job with a Fortune 500 company where, he says, “I do a little bit of penetration testing, but primarily I’m more focused on securing the external attack surface than I am actually penetrating their systems.”


Original Post URL: https://www.securityweek.com/hacker-conversations-frank-trezza-from-phreaker-to-pentester/
