Duo Hackculture Profile: Tyler Shields
Here at Duo, we’re well aware that security is a process more than any one particular product and that anyone who tells you otherwise is probably selling silver bullets and magic beans. Understanding the fascinating historical context behind modern hackers can help contribute to a strong security culture. By interviewing community members and charting their past (mis)deeds, we can glean insight on current challenges facing the world of security. This practice goes way back to the earliest days of the scene. So it is with pleasure that I introduce the first Duo Hackculture Profile, featuring Tyler Shields.
A veteran of the early days of the hacking and phreaking scene, Tyler Shields is a Security Analyst specializing in mobile and app security. Tyler has made his way around the speakers’ circuit, presenting at Black Hat, ShmooCon, and SOURCE Boston. He has a bachelor's degree in information technology from RIT, a master's degree in computer science from James Madison University, and an MBA from the Kenan-Flagler Business School at the University of North Carolina.
Can you describe how you first got into computers?
TS: I was one of the guys who was starting BBS Boards around 1988 with a Commodore 64 and a 300 baud modem. I started dialing into the local BBS systems and connecting with the local hacking scene and phreaking scene and warezing scene. I remember many a times yelling at my mother to hang up the phone.
I started getting on the internet and IRC around 89-90’. This was back when you could get on IRC through EFNet and there would be all of 80 people total on EFNEt. I started there and never really looked back; I’ve always been involved with cracking or hacking software and playing with code in some way, shape, or form.
When you first started hitting the boards, what were you looking for? Information? Cracking video games?
TS: Yeah, for me it was more about trading software and then I quickly learned to crack software. I spent a lot of time in that scene early on when I was 13-15 years old. I spent a lot of time trading software, trading games, cracking games. I kind of fell into hacking and phreaking as means into expediting my trades in software. Back then it wasn’t like you could just dump software somewhere everyone would know to grab it. It was more like you had to trade FTP sites, you had to trade codes on PBX sites to get at places to dump warez or to get PBX numbers to get into different areas to download software that wasn’t in your area.
Have you seen a change in the role geography has played over time [in the underground scene]? Has it ever been a factor?
TS: I think it’s absolutely been a factor. I was a 315 guy in Syracuse New York. There were a couple of notable guys up there. There was a pretty healthy scene around 315 from a geography perspective. I think that ended up distributing out as the internet came into vogue.
Then after a while there was a big pullback to more physical relationships. You started to see things like the l0pht pull together. You could actually go to hacking locations and spend time with people as opposed to doing it virtually. It started out physically close in the BBS days, it distributed out when the internet first came out, and then it eventually pulled back together. I think right now a lot of the expertise has distributed again thanks to internationalization.
How have you seen, over the past 15, 20 years, the roles [nation] states play, starting in the underground and coming into the mainstream?
TS: Back when I started, there wasn’t really, wasn’t period, any kind of nation state involvement. It was a non-existent scenario. If it was there, it was so far removed from the rest of the world that we didn’t even know it existed. Obviously that’s changed now.
There’s a number of state-sponsored hacking groups, certainly coming out of China and other countries, that can’t necessarily be directly tied to a particular nation, but certainly hacking on behalf of [a nation]. Internationalization really brought about a “We’re hacking for our country” mentality. That certainly was not something I grew up with at all. The closest we got was hacking for our area code [laughs].
Some block pride?
TS: Exactly.
Do you think some of the earlier internet regulation contributed to the comfort of being physically close to the people you were collaborating with?
TS: I think, for me anyways, part of it was about getting your hands on the systems, operating systems, hardware, whatever, to play with. Back then, that was hard to do.
People like the l0pht had access to a lot of hardware coming out of MIT, coming out of a lot of the universities in the greater Boston area. They were able to really centralize hardware, and you really didn’t have to do the illegal things anymore; you just had access to things. As a group, you really pooled your resources together, and I think that’s the part that really brought the teams and hacking groups together.
Seeing the change over time of “Let’s use this to learn for free” to today’s monetization, were the changes due to groups like the Secret Service and Congress cracking down or was it the community laying out acceptable standards?
TS: What I think happened is the commoditization of hardware so we could have everything in our homes really killed the need to do [anything illegal]. Once we had a relatively inexpensive computer running a Slackware distro, we didn’t need to hack Unix boxes anymore. I think that was the primary change. So that took [most of] the people doing illegal hacks and pushed them to the legal side because they could just [hack] themselves and not run the risks. What that left was the people who were willing to do things illegally, either for monetary gain or for personal adrenaline rush. When the good guys were pulled out of [hacking illegally], it just left the ones who were willing to do the nefarious things. They quickly realized they could monetize it and said “Hey if we can monetize it, let’s do it”. They already had the moral code of not caring.
Looking at this first wave [of hackers] move into these business roles, there seems to be a change in some fundamental values. It seems like some of the early work on the scene came from just being rebellious teenagers and angsty high-schoolers. Now they’re moving to make money because they have 401K’s and families. Do you see that value shift?
TS: I think you’re absolutely right. We grew up, we figured out the risk wasn’t worth the reward, and we found better ways to use our time than doing stupid stuff. For me it was always a learning activity. Once I felt I had learned what I could learn in that arena, I switched over to the business world. I’m still a technical guy at heart, but I went and I got my MBA. For me, it’s always been about learning. As I’ve gotten older, it’s about [learning] in a way that’s not going to be dangerous or harmful. I think you’re spot on with that comment.
Here at [The University of] Michigan, a lot of people who might have been part of the underground are moving into the entrepreneurial scene because of the promise of money. Do you see that as a trend?
TS: You bring up an excellent point. I would equate the entrepreneur scene of today with the hacking scene of 20 years ago.
I definitely think that’s the closest analogy for the old days: people getting together and banging out some code for a common cause. Back then the common cause was simply learning these new systems that were cutting edge. Now the common cause is creating intellectual property, creating things people can use, being entrepreneurial. It’s interesting because I used to be the hacker and spent years on the hacking scene. Now, I’ve positioned and transitioned to an entrepreneurial role. That’s what excites me; I went back to business school to focus specifically on entrepreneurship. That’s building technology, building products, building companies. So in many ways that analogy really hits home for me because I still feel like a part of that young and upcoming culture, building something like you guys are doing.
TS: I think the coolest thing is looking back at these guys I just used to randomly hack stuff with, used to phreak with. You look at some of these guys and they’re selling billion dollar companies or hooked into executive roles at startups, starting up companies on their own, doing very well. A lot has changed, but those friendships I’ve made over 20 years on the scene are still there. We’re all pushing 40 now [laughs].
What do you miss most about the early days of the scene?
TS: I would say it’s the speed of knowledge acquisition. That hasn’t completely changed because I’ve kept up my speed of acquisition by switching focus areas, not allowing myself to top out anywhere. Back then, you’re hopping on a system for the first time and you get hit with a prompt. You said “What’s this? This isn’t a Unix box.” Then it’s “Oh crap, it’s a VAX, I haven’t played on a VAX yet”. It was the constant speed of knowledge accumulation that I loved. That hasn’t quite changed for me, but I’ve had to do a lot of things to keep it that fresh.
Well that’s all she wrote folks. A very sincere thank you to Tyler for his time and insights. We’re just getting started on our Hackculture posts, but we’d love to hear your input on this project. Have any follow-up questions? Any great ideas for a Hackculture post? Do you want to be featured in a profile? Feel free to leave any thoughts in the comment section and to email me at domenic@duosecurity.com.