June 24, 2022

From Black Hat to Bug Bounties [Pt. 2] with Thomas DeVoss

by Hacker Valley Red

Show Notes

We’re joined again by the hacker’s hacker, Tommy DeVoss, aka dawgyg. Bug bounty hunter and reformed black hat, Tommy dives back into a great conversation with us about his journey in hacking and his advice to future red team offensive hackers. We cover everything we couldn’t get to from part 1 of our interview, including his struggles with burnout, his past hacking foreign countries on a bold quest to stop terrorism, and his future in Twitch streaming to teach you how to be a better bug bounty hunter.


Timecoded Guide:

[02:57] Fixating on hacking because of the endless possibilities and iterations to learn, but understanding that burnout does happen, especially when hacking gets frustrating

[09:54] Giving advice to the next generation of hackers, including patience for success, getting back up after a failure, and dedicating yourself to a hands-on learning experience

[17:17] Contacting Tommy and keeping up with him on Twitter, and asking questions publicly so that others can learn from the answers he gives you

[21:43] Planning a Twitch course to teach hackers about bug bounties using real bugs and real-world examples of how they work

[24:57] Hacking in the early 2000s and understanding the freedom Tommy has to talk about any and all illegal hacking he’s done now that he’s gone to prison 


Sponsor Links:

Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!

Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone

PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley


Do you ever struggle with burnout when it comes to hacking?

Hacking has maintained Tommy’s interest longer than anything else because of the constant changes in technology and the ever-evolving issues in the online world. However, just because hacking is his passion doesn’t mean that burnout or frustration never happens. Currently, Tommy is taking more of a break from hacking, letting his current day job and his passion for gaming have the front seat. However, he’s still firmly in the industry, passionately developing learning opportunities for future hackers and answering questions from cyber professionals of all backgrounds.

“I do get burned out sometimes…When it comes to bug bounty hunting, I try and make it so it averages out to where I make at least $1,000 an hour for my effort. It doesn't always work. Sometimes I'm more, sometimes I'm less, but I try and get it so it averages out to about that.”


What hacking advice would you give the younger version of yourself? 

Although his black hat ways resulted in prison time for Tommy, he doesn’t regret his past and instead seeks to teach others the lessons he’s learned. When we asked Tommy for advice for new hackers, he was clear that success is a longer journey than people assume it is. Tommy’s success was not a fluke; it took years of hands-on learning and patience with failures to develop his bug bounty skills. Nothing is actually automatic or easy with hacking, especially as the technology continues to change and evolve. Tommy wants hackers to take every opportunity to try out their skills, even if it's a complete failure.

“Don't expect success overnight. Also, don't let failure discourage you. When it comes to hacking, you're going to fail significantly more than you're going to succeed. And the people that are successful in bug bounties are the ones that don't let those failures discourage them.”


What do you think about the “media obsessed” stereotype many people have about black hat hackers?

Wrapping up today, Tommy tells us that he’d be happy to be back in the Hacker Valley Studio again some time. Although the stereotype of a black hat hacker craving attention from the media doesn’t hold for everyone, Tommy admits that he definitely has craved that media attention for a large majority of his hacking career. Starting in the early 2000s, after 9/11, Tommy had one of his first brushes with fame in an interview with CNN about hacking Middle Eastern companies. Although his hacking and his politics have changed since then, Tommy enjoys having in-depth conversations about hacking and explaining the intricacies of what he does.

“We loved the attention back then, and I still love the attention now, it's nice. The good thing about now is, because I already got in trouble for everything that I've done, I've done my prison time, I don't have anything that I did illegally on the computer anymore that I can't talk about, because I've already paid my debt to society.”


What are the best ways for people to keep up with what you’re doing?

Considering Tommy’s success, it’s understandable that a lot of cyber professionals and amateurs have tons of questions for him. When it comes to getting in contact with Tommy, he recommends tweeting him on Twitter publicly so that he can not only answer your question, but help others with the exact same questions. Education is key, and Tommy is so dedicated to teaching other hackers that he’s currently developing a recurring Twitch stream centered around helping others learn about bug bounty hunting.

“I don't know how successful we're going to be in finding the bugs, but I think it'll be fun to teach people [on Twitch] and do it that way, so that they can actually spend some time learning it. The best way to actually learn this stuff is to actually try and do the hacking.”


Stay in touch with Thomas DeVoss on LinkedIn and Twitter

Check out the Bug Bounty Hunter website

Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter

Follow Ron Eddings on Twitter and LinkedIn

Catch up with Chris Cochran on Twitter and LinkedIn

Continue the conversation by joining our Discord



Axonius Ad 00:21
Hey, everyone. It's me, Simone Biles. You might be wondering why you're hearing my voice on a cybersecurity podcast ad. Well, it's because I'm partnering with Axonius. Whether you're a gymnast like me, or an IT, or a security pro, complexity is inevitable, and I've learned that the key to success is focusing on what you can control. Go check out my video at Axonius.com/Simone.
Chris 00:54
Welcome back to Hacker Valley Red, where we're exploring the nexus of offensive cybersecurity and humanity with a hacker's mindset. Again, I'm one of your hosts, I'm Chris Cochran.
Ron 01:05
And I'm Ron Eddings. And let's go ahead and continue this journey of understanding and getting to know who hacks the hackers, the cyber security legends.
Chris 01:14
100%. We had to continue this conversation with Tommy. We talked a little bit about the sponsor for this season. One of the sponsors is PlexTrac, where they are looking to unite the red and the blue side of the house. Ron, I know you've had experience on both sides of that coin, what is the most important aspect of having a medium in which to bring those two sides together?
Ron 01:38
Well, like we heard in the previous episode with Tommy, the struggle of hacking organizations, them getting hacked, and really not having a line of defense. And then, we saw things like HackerOne come into play. And this was connecting the bug bounty hunters with the teams and organizations themselves, but what about when the teams and organizations have their own red team, they have their own blue team? How do they work together? I hope that they're not using HackerOne and trying to bring external parties and internal parties in, but they have another solution that they can use to unite all of the internal parties needed. And I've seen that over and over again, working as an offensive operator, working as a threat hunter, no mechanism to ensure that the open ends are being closed out. And that's exactly what PlexTrac does, it brings the reporting and brings the actionable items to both sides of the house and makes sure that these open ends get closed out.
Chris 02:35
100%. If that is interesting to you, bringing those two sides together, be sure to check out PlexTrac.com/HackerValley, and they'll take care of you. We gotta jump back into this conversation with Tommy, he has so much advice to give, so many more stories to tell. So, with that, let's jump right back in.
Tommy 02:57
One of the things that I love about hacking is the fact that I'm ADHD. When I find something that I like, I hyper obsess over it until I finish it. Like, when it comes to games, when I start playing a game, I have to be the best at it. I have to reach that number one spot. And then, as soon as I do, I lose interest in it because I see it as, "Okay, I'm done. There's not much more I can do in it." But when it comes to hacking, you can never finish. You can never learn everything there is about security, you can never learn everything there is about programming, you can never learn everything there is about anything, vulnerabilities and stuff like that. And because of the nature of technologies evolving, even if you did learn everything there was about hacking IoT devices or something, well, tomorrow, a new IoT device is out there, so you're right back to square one with at least that device. And so, it's constantly evolving, there's constantly new stuff to learn. So, it's one of the few things.
Tommy 03:59
Now I do get burnt out at times. Like, right now, I haven't done much hacking in the last like, six or seven months. I've done some here and there, but I'm not spending anywhere near as much time hacking right now as I was, say, 18 months, two years ago. Now, a lot of that has to do with the fact that I've got a real job now, just because I sit here for work all day and the last thing I really want to be doing is sitting there and hacking for the 2 to 8 hours after I've sat there and worked. Now, don't get me wrong, I still sit on my computer and stuff when I get done working, but I'm playing games, I'm reading the news, I'm reading things on Wikipedia. Like, I've got a bad habit of seeing something or hearing something and then Googling it. I'll open up the Wikipedia page, and as I'm reading through this page, I'll get to something else that looks interesting. So, I'll open it up in a new tab and like, right now on my hacking machine behind me, I've got 17 tabs open from Wikipedia, because I started reading about King Edward II of England and the 12, 13, 1400s and stuff. And it's like, I end up in these dark holes of learning stuff and everything.
Tommy 05:15
So, it's hard for me to get back into the hacking and it really sucks, because today's Thursday. Earlier this week, on Monday night, I got an email with— I guess it was technically Tuesday morning, I got an email at 12:30 in the morning, on Tuesday morning about one of my private programs, they had just added a new website to their scope. And I happened to be sitting there, I wasn't doing anything on my game, so I was like, "You know what? I'm gonna take a look at this," because they had also just doubled their bounty payouts across the board for this program. So, I was like, "Alright, I'm gonna take a look at this." The email came in at 12:30, I started looking at the program at about 1:30 or so in the morning, with the plan of spending 30 minutes to an hour looking at it, just to get a feel of whether I was going to want to spend enough time on it to find some bugs, right? Over the course of that hour, I ended up finding a reflected XSS, a stored XSS, and an IDOR, and the IDOR is pretty impactful. Well, the downside is all of these bugs I found within like, a couple minutes of each other. And they were not directly related, but they were all around the same functionality. So, I didn't write up any of the reports yet and it got to the point where I was like, "Alright, I'm kind of done looking at this area. So, I'm gonna go and start writing up the bugs and stuff." So, I opened up the program's page, I clicked on submit report, and at the top, it's got the list of the assets for the company. And they want you to select which asset the vulnerability that you're reporting on is, and I start scrolling through it. And it's like, this asset's not listed in there and I get all the way to the bottom of it, and it's grayed out and it says "out of scope." Now, I was like, "Wait, what? Maybe I forgot to refresh the page or something?" So, I go back and I do a hard refresh, and then I scroll to the bottom, and it's still saying it's out of scope. So, I was like, "What the hell?" I went and checked my email, I hadn't gotten any notification that they had updated the scope or anything. So, then, I go back to their page on HackerOne, and I scroll down to the bottom, and it's got a message down at the bottom that says, "Due to unforeseen problems," or something like that, "we're having to take this back out of scope."
Tommy 07:26
Essentially, when they brought it into scope, so many people started hammering it with automated tools and stuff like that, they were taking the website offline, it was extremely slow, and all kinds of stuff. Like, they were hitting it so bad, that I'm pretty sure somebody was doing some HTTP request smuggling while testing on this application. Because, at one point, while I was on there testing, I refreshed the page and you know, most websites, when you're logged in, in the top right-hand corner, you'll see like, either your picture or your account's image, or whatever. And I happened to look up at it, I was logged into somebody else's account that wasn't even mine. So, somebody on there was able to successfully do an HTTP request smuggling attack, and caused me to get a request from somebody else's account. But then, when I refreshed the page, I was back into my account. My plan was to go back and see if I can figure out how to duplicate that, but the asset was removed from scope. So, now, I'm sitting here with some vulnerabilities and I'm like, "Alright, I'm really hoping that they bring this back into scope, and I'm really hoping that these bugs weren't reported by somebody else in the two-hour long window that they had it open," and it kind of sucks. So, I'm not very optimistic about it right now because HackerOne, on each one of their programs, they've got a little bit of stats about that program. And initially, it had said that there had been 12 vulnerabilities submitted in the last 90 days, but when it updated later on that day, or the next day, it was now up to over 30 some vulnerabilities had been submitted in the last day. So, it's like, I'm really hoping that they didn't submit the bugs that I found. Like, I'm thinking that the reflected XSS, that one, I'm pretty sure somebody else found that pretty quickly and reported it. So I'm not counting on that bug still being available for me to report, or if I do report it, I'm pretty sure it's going to be a duplicate. But I'm really hoping that for the stored XSS and the IDOR, when they bring this back into scope, I'm hoping nobody's reported those so I can at least make something. When it comes to bug bounty hunting, I try and make it so that it averages out to where I make at least $1,000 an hour for my effort. It doesn't always work. Sometimes I'm more, sometimes I'm less, but I try and get it so it averages out to about that.
Ron 09:54
That's what a lot of people don't see is like, all of the details that you're describing. Like, going into from way back in the 90s and learning it from mentors, learning it the hard way, learning how to let go, learning how to readjust and take it back in, you know, take back in hacking and computer security. But looking at your past and also looking at your future, if you were to speak to a young version of yourself, maybe like some of our listeners that are on this track of wanting to grow their offensive operations skills, or red teaming skills, or pen testing skills, what piece of advice would you give the younger version of you, while you were walking down this path of learning about the things that you were kind of hyper obsessed over?
Tommy 10:36
The first advice that I would give is, don't expect success overnight. Also, don't let failures discourage you. Just because, when it comes to hacking, as I said earlier on, you're going to fail significantly more than you're going to succeed. And the people that are successful in bug bounties are the ones that don't let those failures discourage them, and they're willing to sit there and take those failures as exactly what they are: learning experiences. And it's like, just because you failed hacking this one target, or this exploit didn't work on this one target, doesn't mean it's not going to work on the next one, or the one after that. The biggest thing, when it comes to this and to be successful in this, is you have to be willing to put in the effort. Don't expect people to do the work for you, don't expect people to just give you some magic payload that's going to start giving you critical bugs and things like that. I tell people all the time when they ask me like: What is your advice to get started? And I tell them, go to HackerOne, read every single disclosed report that has ever been disclosed on HackerOne, because that serves a couple purposes. First, it shows you what companies pay for certain types of bugs. And second, it shows you not every disclosed report is a valid bug. You've got a lot of programs that, when they get spam, or really bad submissions that are completely irrelevant, they'll disclose those too because they have policies of disclosing every bug that comes to their program. So, it lets people see things like that as kind of what not to do, or how not to engage with programs and stuff like that. And it also gives you examples of real bugs.
Tommy 12:31
Most people want to spend all of their time, when they're first starting out, doing CTFs, or Hack The Box, or things like that. And I've got nothing against those platforms, I think they're amazing. I wish we would have had something like that when I was a kid, but we didn't, of course. So, if you wanted to learn that stuff when I was a kid, instead of doing it in labs, you had to actually hack computers. That's why I was a black hat, but definitely make use of things like that. At the same time, most of the Hack The Box stuff, those aren't the types of bugs you're gonna find in real programs, most of the time. Now, you will find those types of bugs occasionally in real programs, but the best way to learn the bug bounty stuff is just go out there and do it. Practice by hacking real programs, go to the DoD. It is a vulnerability disclosure program, so they don't pay bounties for the main public program, but they have the largest scope of any other program. Like, their scope is bigger than Google's, it's bigger than Yahoo's and all of them, just because, for the DoD scope, it is every single military system that is on the internet. So, they use every possible technology stack you can think of. So, you've got a huge pool of things that you can attack to learn from. You might want to go after Windows and IIS servers, you're gonna find plenty of them on the DoD. You might want to go after Tomcat servers, they're there. You want to attack Nginx and Apache servers, they're there. You want to do PHP websites, ASP, JSP, all of it. They're all in use at the DoD, and it's really cool to hack the US military and government and not go to prison for it, you know?
Tommy 14:20
But the biggest thing is just go out there and start trying to hack. Yes, you are going to fail, but every time you fail, you learn something. And if you're not learning something every time you fail, then this might not be the right field for you. Hacking is not for everybody. I'm a firm believer that, to be a successful hacker, you've got to have a certain mindset and a certain way of thinking, and it's: How can I break this? Or, how can I make this do something that it's not supposed to do? I do believe that you can teach just about anybody to do this kind of stuff, but for them to be super successful at doing this, I feel that they're gonna have to have that mindset. And not every aspect of that mindset can be taught to other people, you know? You've got to be willing to put in the effort, it's not gonna be handed to you, it's not gonna just fall in your lap, and it's gonna take a lot of effort and reading, like I was saying, reading every disclosed report on HackerOne. Read every disclosed report that you can off of Bugcrowd, read every blog post you can about bug bounty write-ups and stuff like that, even if they're not bug bounty related, go and read the write-ups from Tavis Ormandy, or the other people that are on Google Project Zero and stuff like that. Just because you never know when you are going to read a blog post that has some little tip or trick in it that is going to mean the difference between you successfully exploiting a bug, and not being able to get that bug working at some point.
Tommy 16:02
And always keep revisiting stuff, there is nothing wrong with having to refer to a cheat sheet for XSS or SSRF bypasses and stuff like that, and then, build out your own methodology. The way that I approach targets is not going to work for most other people. The beauty of bug bounties and why it's so successful is because each one of the three of us, we can all be given the exact same target, the exact same level of permissions and stuff like that, and each one of us is going to approach that target differently. And we might find some of the same bugs, but odds are, we're going to find different bugs because of the differences in how we approach the target, the differences in how we think and the payloads we think about using, and things like that. So, don't try and mimic somebody else with the goal of mimicking their success, because odds are, you're just going to be disappointed. Build your own methodology, and it's okay to take parts of mine and take parts of Jason Haddix's, and combine it together until you find your own flow of what works for you.
Chris 17:17
Yeah, you got me fired up. I know you got a lot of folks fired up out there wanting to get into this game. It's an honor to chat with you, hear your story, and hear your advice. For the folks out there that want to stay up to date with you and everything you have going on in this crazy world of offensive cybersecurity, what are the best ways that people can do that?
Tommy 17:35
So, the best way to stay up-to-date with what I'm doing is mainly Twitter. I try and keep my social media accounts separated. Like, my Facebook is for friends and family and stuff like that. My Instagram is for my cars, mainly. Occasionally, I'll share pictures related to hacking and stuff on there, mainly because I've been trying to get my follower count up there, so that way I can start getting sponsors for my Skylines and stuff. But Twitter is where I do my security-related stuff, so it's where I post the tips and tricks. It's where I will interact with people and answer their questions and everything. A major pet peeve of mine is people sending me DMs, though. If you try and DM me, first off, if I don't follow you, your DM is going straight into the "people you may know" folder and stuff like that, so it doesn't even come to my inbox. Now, occasionally, I do go in there and I'll look at the DMs that didn't make it into my inbox and make sure that nobody has DMed me that I'm actually friends with, or make sure there's not people in there that are trying to go about it the proper way and are asking pointed questions asking for help in a very specific thing instead of saying, "Teach me to find criticals like you," and things like that.
Tommy 18:59
And the marriage proposals, dude, I get so many marriage proposals of people offering me goats and pigs and cows. Between that and people asking to borrow money. I guess, in certain parts of the world, it's culturally acceptable to ask people that you've never met a day in your life for money, but here in the US, it's not. I've had people that I was actually friends with that sat there and last year, matter of fact, he sent me a message and he was wanting me to loan him like, $100,000. And I was like, "I'm sorry, but I don't loan any money to people," you know? Loaning money to people just opens up too many problems, whether they're friends or not, I don't even like to loan family money. I will if they need it, or I'll give it to them or whatever, but I don't even like to do that. But this guy, we were kind of friends, and I had taken him to some of the live events as my plus one, trying to help him get into the bug bounty stuff and everything. He ended up going absolutely ballistic, because I refused to loan him money, and went as far as trying to go to my job and was emailing hundreds of people at my job trying to get me fired from my job because I wouldn't loan money and stuff. And it's like, well, he burned that bridge, we're no longer friends, I will no longer help him and everything.
Tommy 20:26
But my biggest ask when it comes to people wanting to get information from me, is post it publicly on Twitter, because odds are, you are not the only person that has that same question. And if you post it publicly, I can answer it publicly, and now, other people are going to be able to learn from that answer as well. It reaches a lot more people when I publicly answer it, versus responding to all of these DMs, and I do my best that if you post a question to me, or ask me a question on Twitter, I do my best to answer every single one of them. The only ones that I don't answer are the ones of people saying, "Can you please check my DM?" and things like that. I'm not going to, and if you start commenting on everything that I post, saying, "Sir, please check your DM. It's important," things like that, I never will respond. I might check it, but I'm not going to respond to it. I make it very clear on Twitter, at least every couple of months, I share something that says more or less, "Please do not DM me, unless we're talking in a tweet and I say, hey, send me a DM, so we can work on this together, or something like that." Don't DM me. Ask me the questions publicly.
Tommy 21:43
But between that, and then Twitch, I'm trying to get into streaming more now. I don't remember if I mentioned this before we started recording or not, but my plan is to start doing some classes and things. So, when it comes to Twitch, people can either follow you or they can subscribe to you, where they pay like, $2, $3, $4 a month, something like that, I don't know how much it is, to actually follow people. My plan is that for all of my paid followers and stuff on Twitch, I want to start teaching these classes where, around the 15th of each month, I will host a stream and it'll be open to anybody that is a paying subscriber. And we will pick one bug class, say XSS, or SQL injection, SSRF, something like that, and we will spend 2 to 3 hours going over what the bug is, how to find it, some examples of where it's been found, some ways to bypass the common protections for that bug class, and just things like that. We will go over it for two or three hours, and then, at the end of each month, like the 30th or 31st, I will want to have the second class related to that. And the first 30 minutes of that, we would spend rehashing everything we learned in the previous class about that bug type, and then, we are actually going to spend the time, for the next hour and a half to two and a half hours, looking for that bug type on bug bounty programs. And then, we can actually try and put in the information that we are learning together on this. We're going to try to actually make use of it and try to find these bugs. Now, I don't know how successful we're going to be in finding the bugs, but I think it'll be fun to teach people and do it that way, so that they can actually spend some time learning it. And then, as I said, the best way to actually learn this stuff is to actually try and do the hacking and stuff. So, hopefully, we'll get lucky and find some bugs.
Tommy 23:52
When it comes to those things, I do plan to record when I have these classes, but because I'm going to try and target them at my paid subscribers, I'll record it but then, I'll wait about 6 months or so before I actually post the recording on YouTube and stuff like that. If I was going to record it, as soon as I do it, and then post it the following week or something, then people don't really have much of a reason to want to be the paid subscribers and stuff. So, I want to try and do some things like that. Those would probably be the 2 best ways to stay up-to-date with what I'm doing, but Twitter is by far the best way, as of right now, to either contact me and ask me questions, or to just see what it is that I'm working on at that particular time.
Ron 24:44
Awesome. Well, we will be sure to drop your Twitter into the description for everybody to stay up to date with you, Tommy, and all the great work that you're doing, and you've got to come back whenever you start the Twitch stream, just so we could remind everybody to join and check it out.
Tommy 24:57
I am dying to come back, anytime you guys want to have me back. I love doing podcasts and stuff like this, they're so much fun. Yeah, and I'm not gonna lie, I really like the attention that I get from them. That goes all the way back to the 90s when I started out as a black hat, because we were what a lot of the other hackers of the time would call media whores. So, when I ran that hacking group, me and my main co-defendant that I was always hacking with was Rafael Nunez Infante. He is a Venezuelan national, and me and him spent just about every waking moment together, hacking or just talking, and stuff like that. And me and him, every time we would break into a high-profile company, the Fortune 500 companies, or NASA computers, or the Supreme Court, military computers, and things like that, we would, of course, go and get— At the time, the mirror was still attrition.org a little bit, but there was a different one called alldas.de, and they ended up changing their name from that to Zone-H. Zone-H is actually still around. When we would go to their website and report the hack to get them to mirror it, or when we would run our script that would automatically submit it for them to review it and post it on there, we would also email reporters and news agencies and stuff like that, like, "Hey, look what we just did." Because we liked to get ourselves in the news and stuff.
Tommy 26:32
You know, like, we were actually interviewed by CNN, like, live on the air for CNN in September of 2001. So, September 11, 2001, we had the terrorist attacks here in the US, right? Me and a bunch of hackers from all over the world, we did what we thought was patriotic, and we formed a group called The Dispatchers. And our goal was essentially to disrupt the communications of al-Qaeda and any other terrorist organization. CNN and all of them were talking in the days and weeks after that, they were always talking about the fact that these terrorist organizations, since they had the internet, they were able to greatly increase their numbers and their influence, because they could now reach many more people than they could just 5 to 10 years before. So, they kept talking about them using bulletin boards and websites and stuff to recruit new members, to pass out their pamphlets that were inciting these people to become terrorists and radical and things like that. So, we started targeting— In hindsight, this was bad, but we would target every Middle Eastern computer system, like, our goal was to take any of them off the internet completely. We didn't differentiate.
Tommy 27:55
At the time, in 2001, when September 11th happened, I was 17. I was still kind of a kid, but just about to be an adult and everything like that. And I didn't rationalize and didn't differentiate the fact that, just like any other profession or group of people, there were good Muslims and there were bad Muslims, and you can't count all Muslims as being terrorists and stuff like that. And I knew that back then, but at the same time, we were super upset about what had happened, and the attacks on America, and the number of lives lost and everything. So our goal was to just disrupt the internet. The way we looked at it, if we took the internet down in Afghanistan, or Iraq, or something like that, then the internet's down for the entire country, then the terrorists could use it to communicate. And we didn't think about the collateral damage, that the vast majority of the people that we were impacting had nothing to do with terrorism and stuff.
Tommy 28:55
So, in hindsight, it might not have been the best course of action, but we definitely could have done it a little bit more targeted and everything like that. But me and one of the other founders of the dispatchers, his name was Hoffa Jash, he was the leader of a hacking group called Hack Wiser. They interviewed both him and me, just our voices and stuff like that, because we didn't want to give up any information about us and everything, but it was really cool to hear our distorted voices on and everything. And they even wrote a book about us, hackers in general, in 2002. An author named Dan Burton, he used to be a writer for Government Technologies Magazine, and he ended up writing a book called A Hacker's Diary: Confessions of Teenage Hackers. Chapter five of that book was titled World of Hell and was just about our hacking group and everything like that. So, we loved the attention back then, and I still love the attention now, and it's nice. The good thing about now is that, because I've already gotten in trouble for everything that I've done, I've done my prison time, and I don't have anything that I did illegally on the computer anymore that I can't talk about, because I've already paid my debt to society and everything.
Tommy 30:17
I think that's one of the big reasons that I've been able to make myself semi-famous in the hacking world is because I'm able to openly talk about everything. And it's crazy, because tons of the hackers that are around my age, that are in bug bounties, had a similar start, but they didn't get arrested. So, they can't talk about their malicious hacks, or what got them started, and stuff like that. So, I'm thankful that I have all of that behind me and I'm allowed to talk about it and everything like that. And I have people ask me all the time: If you could go back in time, would you change anything? And it's like, "Would I not have hacked the bank in Colorado that ended up getting me sent to prison and stuff like that?" And I always tell people that there's not a single thing that I would change from that because what I went through back then, impacted who I am now, and the people that are in my life now would not have been in my life had I gone a different route. I wouldn't have been a black hat and I would have stayed on the good side and would not have been expelled from school, would have gone off to college and things like that. I would have just had a completely different trajectory for my life and stuff. And I wouldn't change any of it, I'm content with being where I am today.
Ron 31:41
We're gonna definitely get you back on because, I mean, there's still so much that we got to unpack and I feel one hour, even five hours won't be enough. So, we'll break it up over many podcasts, but I wanted to say thank you again, Tommy, it's been a pleasure. Thank you for not banishing me when I sent you a DM, but I really hope we get to do it again. And with that, we'll see everyone next time.
Tommy 32:06
Thank you guys very much.
Ron 32:09
Oh, man, I mean, we could have gone on forever with this episode. And we will, I mean, we're gonna have Tommy DeVoss, aka dawgyg, back on. By the way, if you have any questions that we can push to Tommy for you, on your behalf, we would love to ask him next time on our podcast. You can reach out to us at podcasts@hackervalley.com, or join our Discord by visiting HackerValley.com/Discord. Because speaking to Tommy is a breath of fresh air. To hear the story that someone in the bug bounty industry has gone through, from early in their life all the way to becoming a million-dollar hacker, you don't really get that type of insight and those stories unless you really focus on highlighting the human, like we're trying to do with Hacker Valley Red.
Chris 32:54
100%. Just listening to everything that he was saying, it was truly inspiring, because I mean, taking someone that is that passionate about technology and security, and not only making it entertaining, but also making it super impactful and valuable for everyone that's out there today. Lots of really good tips about being persistent, going through failure, because it's not going to come overnight. Nothing great is done quickly. It takes time. So, one of the things that I absolutely took away from both of these episodes was his story. We're definitely going to have him back on to answer the questions that you send to us through email, because there's so much more to unpack there with somebody like Tommy.
Ron 33:33
With that said, I cannot wait for the next episode, but to also speak to Tommy again. We have more episodes to come on Hacker Valley Red and a full catalogue of podcasts in general. We would love to share them with you and your network. The reviews, comments, conversations about Hacker Valley mean the world to us. So, thank you for joining us. And with that, we'll see everyone next time.