At 17, HD Moore was all baggy jeans and gelled up hair, a hacker so skilled and prolific that he was doing contract work for the U.S. Department of Defense while a student at Austin’s Gonzalo Garza Independence High School.
Sure, he liked mischief. He edited files to cheat at video games and remotely dialed into Austin radio towers with a modem, flickering their lights on and off. Perhaps the dumbest thing he ever did, he says, was once temporarily shut down the entire power system at a K-Mart store in North Austin to prank a friend.
But Moore, at age 34 now considered by some to be one of the world’s foremost cybersecurity experts, was also among the first to use his hacking skills to strengthen networks and protect consumers. He rooted out vulnerabilities in giants, like Yahoo and Microsoft, that left customer data unguarded at a time when companies were doing little to address such threats. A community of like-minded hackers grew up with him, and so has the industry.
The global cybersecurity market, valued at $77 billion last year, is expected to more than double in the next five years, according to industry research firm Gartner Inc. Businesses and government entities are feeling the pressure to secure their systems, racing against criminals who evolve quickly in the ways they pursue money, intellectual property and personal information.
This week, as hundreds of hackers and cybersecurity experts descend upon Austin for the annual SXSW Interactive conference, Moore is making connections and planning to serve as an adviser for a new tech incubator, which is still in the formation stage.
That old hacker label from the 1990s no longer fits him, or most of his associates, when there are fortunes to be made working for corporations and government agencies that need their knowledge.
“It’s a really difficult industry to be in because everyone sells things and no one knows what they are and doesn’t know how effective they are,” Moore said. “A lot of what I am looking at is how do we help companies build products that, one, are useful and work, but two, you can clearly define their value.”
Moore, who was born in Honolulu, lived in 13 different states before his family moved to Austin in the early 1990s. In his younger years, he couldn’t seem to stay out of trouble. He skipped classes, got kicked out of schools and hung out with friends who didn’t give the Internet much thought.
But Moore wanted to learn everything he could. Each day before dawn, he trekked the 2 miles to his elementary school, sneaked into the computer lab through a window and played on the bulky, black-and-white Apples IIs before it was time to drag himself to class.
At neighborhood libraries, he checked out books and manuals to study how computers worked. By the time he reached Gonzalo, an alternative high school in East Austin, he had assembled his own 486-DX computer with parts he dug out of trash bins.
“I couldn’t teach him anything,” remembers Christian Walker, his math and computer teacher through multiple grades. “Most of the time, students were at Gonzalo because they had failed out for bad grades. In HD’s case, it was the opposite. He was too intelligent and not challenged by the other schools.”
Walker soon had Moore helping him run the school’s IT network. Some days, Moore drove out to Kelly Air Force Base in San Antonio, where he did contract work for the Department of Defense. After graduation, he worked hacking small banks and credit unions to strengthen their systems and helped develop Digital Defense Inc. and what would become BreakingPoint Systems.
But it was his side project that would revolutionize hacking. He was weeks from turning 23 when he created Metasploit, an open-source hacking tool that allows anyone working in IT to find, fix and test thousands of security breaches.
“It’s like Legos,” Moore says of Metasploit on a chilly day in February, weeks after stepping down as chief research officer for the cybersecurity company Rapid7. Sitting outside of a North Austin coffee shop in a button-up and blazer, he looks clean cut and talks fast.
The Metasploit framework is made up of modules, bricks of code that help users assemble their own attacks, or exploits, as they seek out and test vulnerabilities in software or hardware.
Network security workers use it to verify that their system controls, such as firewalls, are working. External security testers employ it to break into customers’ systems, another way to test whether their networks are secure.
It started as “a screw-the-man type of project,” Moore said. For years, software vendors “were intentionally hiding security problems, they were taking a long time to fix security problems, and when they were pointed out, they would try to sue you, they would try to put you in jail,” he said.
Metasploit, as one hacker put it, took those problems and brought them into the light, where they were no longer easy for companies and government agencies to ignore.
Some criticized Moore for it, saying he had given people with malicious intent a handbook to start trouble. But hackers working in IT and cybersecurity say the bad guys were already using all those tools and more in the dark web.
The project reached new heights of legitimacy — and profitability — when Rapid7 acquired the rights to the project from Moore in 2009. The company hired Moore and tasked him with developing an Austin office.
By the time he left, the database had more than 2,000 unique modules and more than 300 collaborators. An ecosystem of similar penetration-testing software and research had developed around it.
Through his work at Rapid7, Moore found that anyone could attack natural gas pipelines in Texas from a cell phone, as their flow rates were connected on a public network via modems. He worked with the Texas Railroad Commission to put pipeline operators on alert and fix the issue.
“That’s just the tip of the iceberg,” Moore said. “There are so many things like that, where there is a massive dependency on technology that can endanger lives and privacy. No one really takes them seriously until you identify them, and the people who identify them tend to be on my side of the fence, people doing research that requires actively probing systems.”
Hacking and penetration testing are part of a cybersecurity market that has exploded in recent years, as cyber attacks have become more common and notorious.
With so much of people’s personal information online and the growth of Internet-connected devices, the potential for targets is vast. Meanwhile, the commercialization of ransomware — programs that break into networks and encrypt files until payment is made — and so-called “exploit kits” has raised the potential to make money and made it easier for anyone to launch an attack, from lone agents and overseas syndicates to state-sponsored actors.
Talos, a threat research group in Austin where Moore has close friends, just last year thwarted one small group of international hackers who were using such a kit to target up to 90,000 victims a day, generating more than $30 million annually, researchers said.
“Ransomware has allowed the bad guys to make so much more money than they used to,” said Craig Williams, a threat researcher for Talos, part of the cybersecurity company Cisco Systems. “They are able to literally fund developers. It’s no longer people in their basement writing malware for the heck of it. It’s a $100-million a year industry, if not more.”
Many breaches go unreported. But one study found more than 75 percent of U.S. businesses could be hacked within 15 minutes. Another survey, released by the business adviser Granton Thorton, put the total cost of attacks on businesses in 2015 at $350 billion globally.
State and local government entities are particularly unprepared to deal with the threat.
In Texas, the comptroller’s office made headlines in 2011 when a breach of its data servers exposed the the names addresses and Social Security numbers of millions of state retirees and unemployment beneficiaries. The Department of Aging and Disability Services last year revealed that it had unintentionally made the confidential medical records of more than 6,600 Medicaid patients public for up to 8 years on the Internet.
Yet, the state continues to spend only 1 percent to 2 percent of its budget on IT security. As a rule, big business spends 7 percent to 9 percent; for federal agencies, it’s 15 percent, according to the Texas Business Leadership Council.
At Mr. Tramps in North Austin, at least two dozen members of the Austin Hackers Association get together once a month in a back room shut away from the bar noise and commotion by a thick, sliding wooden panel. Experts from all areas of the cybsercurity industry give presentations projected on the walls that range from hacking and exploits to the newest technology and research.
Anyone trying to peddle a product or company has to buy a round of beers. Almost all of the hackers are white men, clad in jeans and T-shirts, and they’re boisterous. “If you’re not getting heckled, it means nobody is listening,” one member said.
Moore helped conceive these meetings. The idea was to provide a safe space for those in the industry to discuss breaches and vulnerabilities. To hack is to tinker, and one doesn’t learn the skills without pushing the boundaries. Yet hackers, even those seeking to make products and networks safer, are risking arrest or lawsuits.
In Austin, where top international cybersecurity firms like Rapid7, Cisco, Endgame Systems and Praetorian now have a presence, many credit Moore and Metasploit for helping foster a close-knit hacker community. Like him, many in the business started out hacking video games and do not have a college degree.
But they are producing some of the most influential research in the industry.
Now in an advisory role, Moore says he and his business partners want to serve people they know well and who do expert cybsercurity work in town. The incubator is still taking shape, but he said he wants to help get startups get off the ground.
Six weeks after leaving Rapid7, he said he is confident that the need for his skills will only grow. Developers are creating software faster than it can be secured.
“That’s the tradeoff we are making,” he said. “We are saying that to get the economic rate we want, to grow businesses how we want, we are willing to take this much risk to get there — that is going to bite us.”
Unless, of course, they hire some well-versed hackers to watch their backs.
About the Author
