Interview: Cthulhusec

Not many can claim to have been labelled a terrorist by the Turkish government. Thomas White can. He earned the title when he published a 17.9 gigabyte database full of the personal information of Turkish police officers on his website. The database had been handed to him by a hacker who claimed to be eager to expose the abuses of the Turkish state. His website was promptly blocked by the Turkish government and White refused its requests to take the database down. After all, this is what he does.

As a security researcher, White became known for publishing major leaks in what he describes as a way of disciplining companies who don't protect their data well enough, or injuring organisations that play a role in harming human rights.

White is 22 and lives somewhere in the Liverpool area. In his day job he's a sysadmin, and he does security work.

That's about all the acutely identifying information he wants to offer. He assures us that this is his real name.

He's taken careful steps to remove images of himself from the internet, although there may be a couple floating around, he's not sure.

In his 'work', he goes by the name CthulhuSec, named for the winged octopus god of H.P. Lovecraft. It's that particular name that's become famous as the middleman for the publication of a series of high profile breaches: Hacking Team, The Fraternal Order of Police, The Turkish government, Patreon and most recently, Dropbox.

Most of the work is done in private, between himself and the leaking organisations that he deals with. He says if they don't protect customers' data and come clean about their breaches, he will.

It's a controversial practice. There might be sympathy for this kind of behaviour within the industry but this, argues Graham Mann, MD of Encode Group UK, “has to be the responsibility of the authorities and shouldn't be down to an individual, no matter how well-meaning.”

That said, “what this does demonstrate, however, is that there is a vacuum, which people like Thomas are filling. The ‘authorities' must recognise that the security of customer and employee data simply cannot be entrusted to organisations without a comprehensive legal framework to protect it.”

White's first large ‘political' curation was Hacking Team. When the Milan-based IT company was breached in 2015, he was happy to publish its internal details. After all, Hacking Team's problem wasn't that it wasn't protecting its customers, but rather who those customers were.

“I've never been a real fan of those sort of companies to begin with”, says White. The dump that White helped to publish showed Hacking Team to be helping some of the most repressive governments in the world surveil and oppress their own citizens.

If you are, like Hacking Team, selling to the Sudanese government, it's not good enough to say you're only selling the software: “It's like selling a handgun to someone when you know they're going to go kill someone with it.”

The tranche of data stolen from Hacking Team was large and difficult to get at. White put it up in a manner accessible enough for the average journalist, researcher or member of the public to understand.

As he sees it, his job is not to take a position on the data, rather to get it to people who might be able to do that. When the Fraternal Order of Police were hacked in January 2016, amid a series of incidents involving police officers shooting unarmed African American men, White hosted that leak too.

White promptly published that breach, leaking hundreds of documents which included agreements between US cities and local Order branches. The information, in and of itself, wasn't particularly interesting but, says White, “there were little details that may become relevant later on”.

Those little details, he adds, could be relevant from a legal perspective later on down the line.  White tries to remain neutral about the nature of the data but he can verify it and make it available for those that can.

He shies away from any clear political identification. The kind of political hyperbole that is so popular among hacktivists doesn't come naturally to White. In fact, he doesn't consider himself so much a vigilante as a public servant.

“I've tried to avoid the politics of it”, says White. Wikileaks, for example, “do tamper with an awful lot of data. And I'm guessing they're pretty happy to scrub something out that looks bad for Assange”.

“I don't tamper with the data in any way so I either publish as is or I don't. Just preventing accusations that I've fiddled with the data or manipulated to fit in with something that I believe”.

Isn't choosing what to publish an editorial act?  Well, admits White, yes it is.  There are apparently no strict criteria on which White chooses to publish or withhold but he does discriminate.

He says that the good the publication of private information might do, and the public interest that it might serve, has to be weighed against the realistic damage it might cause.  

The water that White swims in, however, is different to a journalist, bug bounty hunter or orthodox security researcher. What he publishes might be the first time the public has seen it, but it's certainly not the first time the underground has.

White wouldn't call them friends so much as associates but he knows plenty of people with worse intentions than him: “I couldn't even count them all, people that I know who are involved full time in things such as fraud or identity theft.” He says that they get these leaks whether he publishes them or not.

If a tranche of data is already making its way around a series of groups with intentions far less public-minded than White's, then the argument is that publication won't do that much damage: “the ones you have to worry about already have it”, he says.

He says that what he does “is about informing people what data has gone missing and how secure the company tried to make it.” In his view, if a company is storing passwords as MD5 hashes, a fast, collision-broken hash long known to be unfit for password storage, rather than a purpose-built password hashing function such as bcrypt, someone's not doing their job.

This isn't just benign data on a computer system, after all, “this is actual people's data”.  

It should be said, White publishes personal data too. Although, White says, there is a larger point to him in proving that the people who were trusted with that data weren't to be trusted at all.

Most of this though, never makes it into the public eye. When he gets a leak and verifies it, he'll approach the leaky company, with the leaker's permission, and tell them what he's got. If they aren't upfront about it, or don't fix the problem, then they've got a problem.

He gives credit to Patreon, whose 2015 breach exposed 15 gigabytes worth of data, much of it personally identifiable, for being upfront with their customers: “Yeah they messed up. But they also were quick to fix it. They let everyone know the scale of the breach and so on”.

Some organisations don't. By making it public, White says he can hold those companies to account or rather people can look at the data for themselves and hold companies to account themselves.

There are more of those than you might think, and White claims to know several large UK companies that store their passwords unhashed and in plain text.
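The two points White keeps returning to, that a leak reveals "how secure the company tried to make it" and that some companies still store passwords in plain text, can be checked directly against a credential dump. The following is an added example, not code from the article or from White: it takes a constructed, hypothetical "email:hash" dump (the addresses are invented and the hashes were generated from the small wordlist in the same file), classifies each stored value by scheme (plain text, unsalted MD5/SHA-1/SHA-256, or bcrypt with its cost factor), and then runs the unsalted entries through the wordlist. Because a fast unsalted hash is the same for every user who chose the same password, one pass over the wordlist cracks every matching account at once; bcrypt entries are only recognised, not attacked, since the per-user salt and cost factor are exactly what make that mass lookup impossible. The function and variable names are the example's own.

```python
import hashlib
import re
from collections import Counter

# Constructed sample dump (hypothetical users, not from any real breach).
# Formats: MD5 hex, bcrypt ($2b$, cost 12), SHA-1 hex and one plain-text entry.
LEAK = """\
alice@example.org:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.org:e10adc3949ba59abbe56e057f20f883e
carol@example.org:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
dave@example.org:7c4a8d09ca3762af61e59520943dc26494f8941b
erin@example.org:letmein
"""

# Tiny constructed wordlist; a real run would use a multi-million-entry list.
WORDLIST = ["123456", "password", "qwerty", "letmein"]

# Hex digest length -> unsalted scheme it most likely is.
HEX_SCHEMES = {32: "md5", 40: "sha1", 64: "sha256"}

# Modular-crypt bcrypt string: $2a|2b|2x|2y$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def classify(stored):
    """Guess the storage scheme from the stored string alone.

    Returns (scheme, cost): cost is the bcrypt work factor (2**cost rounds)
    or None for everything else.
    """
    m = BCRYPT_RE.match(stored)
    if m:
        return "bcrypt", int(m.group(1))
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in HEX_SCHEMES:
        return HEX_SCHEMES[len(stored)], None
    return "plaintext_or_unknown", None


def parse_dump(dump):
    """Split 'email:stored' lines; the stored value may itself contain '$'."""
    rows = []
    for line in dump.splitlines():
        if not line.strip():
            continue
        email, stored = line.split(":", 1)
        rows.append((email, stored))
    return rows


def triage(dump):
    """Count how many accounts fall under each storage scheme."""
    return Counter(classify(stored)[0] for _, stored in parse_dump(dump))


def crack_unsalted(dump, wordlist):
    """Recover passwords for unsalted fast-hash entries via wordlist lookup.

    Each candidate word is hashed once per algorithm, then every account is a
    dictionary lookup: the per-user cost is effectively zero. bcrypt entries
    and plain-text entries are not touched.
    """
    lookup = {}
    for word in wordlist:
        for algo in HEX_SCHEMES.values():
            lookup[hashlib.new(algo, word.encode()).hexdigest()] = word
    found = {}
    for email, stored in parse_dump(dump):
        scheme, _ = classify(stored)
        if scheme in HEX_SCHEMES.values():
            word = lookup.get(stored.lower())
            if word is not None:
                found[email] = word
    return found


if __name__ == "__main__":
    print("storage schemes:", dict(triage(LEAK)))
    print("cracked unsalted entries:", crack_unsalted(LEAK, WORDLIST))
```

Run as a script it reports two MD5, one SHA-1, one bcrypt and one plain-text entry, and recovers all three unsalted passwords from a four-word list; the bcrypt entry survives not because its password is stronger but because each guess would cost 2^12 Blowfish key setups per user.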

“I can't even remember how many times I've been arrested”, says White, but “I've never been charged”. He insists he doesn't have a criminal record but that doesn't stop the legal threats or law enforcement calling him up for a friendly ‘chat'. He thinks the FBI might still have an open investigation against him, but he's not sure. That said, he doesn't seem to mind too much.

It might hobble him somewhat, but White says he knows around 15 similarly minded people; if a particularly pressing breach fell into his hands, he could get it out even under threat from a nation state.

It's just as well too, as he's decided to close shop. Dropbox was his last, for the moment at least: “It seemed the criminal groups had it, and the journalists and legitimate researchers didn't, so I poked my sources and finally had permission to release publicly.”

More and more, people come to him with leaks they want published as proof of their ability. He doesn't want that any more. Even the blackhats and cyber-criminals he knows, he says, have some kind of backbone, but increasingly, he says, crackpots and hackforum dwellers who don't even have a reliable criminal interest in the breaches pile his inbox high. White says he doesn't want to have to deal with this kind of thing any longer.

“I'm not there to use as some kind of certificated body of how good somebody is. I do it for the public interest. If they're going out just to break into these companies that is not cool.”

Most recently he reports that some kid came to him with data looted and then wiped from a children's charity, hoping White would publish, thus spreading the word of this young hopeful's talent. The tranche included operations, home addresses, even pictures; information that should be sacrosanct. The organisation itself was apparently pretty secure, and publishing that information wouldn't do any good: “I found it pretty abhorrent”. White says he quickly found out who the sender was, trashed his opsec and gave the boy a prompt verbal kicking. He says this isn't what he got into this to do.

He says he is playing around with a couple of ideas about what to do next. He might start working on a couple of things around Tor Hidden Services or Bitcoin, he's not sure yet.

Patreon, DropBox, Hacking Team, The Fraternal Order of Police and Ruby Corp, the parent company of Ashley Madison declined to comment.