Large corporations and government agencies pay professional white-hat hackers thousands of dollars an hour to try to hack their servers, in the hopes that they’ll find holes and vulnerabilities that can be patched before a malicious hacker gets hold of them.
I’m not a Fortune 500 company, but I still wanted to subject myself to a personal penetration test to see how my security measured up.
Startled, I checked my browser tabs and my list of open applications to see if anything had been making noise. I hadn’t been watching any YouTube videos, browsing any pages with autoplay ads, or listening to any podcasts when the voice appeared. It was the same hacker who, for the prior two weeks, had been making my life a nightmare hellscape — breaking into my email accounts, stealing my bank and credit card information, gaining access to my home security camera, spying on my Slack chats with co-workers, and—the coup de grâce—installing a piece of malware on my laptop that hijacked my webcam and used it to take photos of me every two minutes, then uploaded those photos to a server owned by the hacker. From his computer on the other side of the country, the hacker spied on me through my webcam, saw that I was unenthused, and used my laptop’s text-to-speech function to tell me “you look bored.” I had to admit, it was a pretty good troll.
And I couldn’t even be mad, because I’d asked for it.
Last year, after reporting on the hacks of Sony Pictures, JPMorgan Chase, Ashley Madison, and other major companies, I got curious about what it felt like to be on the victim’s side of a data breach, in a time when so much of our lives is contained in these giant, fragile online containers.
So I decided to stage an experiment that, in hindsight, sounds like a terrible idea: I invited two of the world’s most elite hackers (neither of whom I’d ever met) to spend two weeks hacking me as deeply and thoroughly as they could, using all of the tools at their disposal.
My only conditions were that the hackers had to promise not to steal money or any other assets from me, reveal any of my private information, or do any harm to me, my data, or anyone else.
And then, at the end of the hack, I wanted them to tell me what they found, delete any copies they’d made, and help me fix any security flaws or vulnerabilities I had.
Fortune 500 companies do this kind of thing all the time. It’s called “penetration testing,” or “pentesting,” and it’s a staple of the modern corporate security arsenal.
If I had to give myself an overall digital security grade, I’d give myself an A-. But as it turned out, it didn’t matter how good my defenses were. Against a pair of world-class hackers, my feeble protections were about as useful as cardboard shields trying to stop a rocket launcher. They bypassed every defense I’d set up, broke into the most sensitive and private information I have, and turned my digital life inside out.