LAS VEGAS — Ask any hacker who’s been around long enough, and there’s a good chance you’ll hear an archetypal story, tinged with regret, about the first time his or her real identity was publicly disclosed.
After enjoying years of online anonymity, the hacker known as Grifter was unmasked by a less-than-scrupulous spouse. “Hey, Neil!” his wife called out at him, absent-mindedly, from across a crowded room, while accompanying him (for the very first time) at a hacking conference. “My beautiful wife, she outed me in front of the entire hacker community,” he said with a laugh.
Dead Addict’s version of the story involves an employer who pushed him to apply for a patent — for which he was required to provide his full legal name. “The people who later doxxed me,” he said, using a term for publishing private information about someone, usually with malicious intent, “pointed to that patent.”
Nico Sell managed to stay “ungoogleable,” she said, until around 2012, when, acting as chief executive of a secure-messaging company, Wickr, she felt she needed to become more of a public figure — if reluctantly. “My co-founders and I, we all drew straws,” she said, “and that was that.”
I met Grifter, whose real name is Neil Wyler; Dead Addict, who, citing privacy concerns, spoke with me on the condition that I not share his real name; Nico Sell, which, while undeniably the name she uses publicly, may or may not be her legal name; and dozens of other self-described hackers in August at Defcon, an annual hacking convention — one of the world’s largest — held in Las Vegas.
A lion’s share of the media attention devoted to hacking is often directed at deeply anonymous (and nefarious) hackers like Guccifer 2.0, a shadowy online avatar — alleged to have been controlled by Russian military intelligence officers — that revealed documents stolen from the Democratic National Committee in 2016. And, to be sure, a number of Defcon attendees, citing various concerns about privacy, still protect their identities. Many conceal their real names, instead using only pseudonyms or hacker aliases. Some wear fake beards, masks or other colorful disguises.
But new pressures, especially for those who attend Defcon, seem to be reshaping the community’s attitudes toward privacy and anonymity. Many longtime hackers, like Ms. Sell and Mr. Wyler, have been drawn into the open by corporate demands, or have traded their anonymity for public roles as high-level cybersecurity experts. Others alluded to the ways in which a widespread professionalization and gamification of the hacking world — as evidenced by so-called bug bounty programs offered by companies like Facebook and Google, which pay (often handsomely) for hackers to hunt for and disclose cybersecurity gaps on their many platforms — have legitimized certain elements of the culture.
“It’s probably fair to say that fewer and fewer people are hiding behind their handles,” said Melanie Ensign, a longtime Defcon attendee who works on security and privacy at Uber. “A lot of hackers who have been around for a while — they have families and mortgages now. At some point, you have to join the real world, and the real world does not run on anonymity.”
“This is a profession for a lot of people now,” she added. “And you can’t fill out a W-9 with your hacker handle.”
Defcon has grown exponentially since its founding in 1993, when Jeff Moss — or, as many of his hacker friends know him, The Dark Tangent, or simply D.T. — gathered about 100 of his hacker friends for a hastily assembled party. By contrast, this year’s convention, the 26th, drew some 27,000 attendees, including students, security researchers, government officials and children as young as 8.
It’s difficult to characterize the conference without being reductive. One could describe all of its 28 constituent “villages” (including the Voting Machine Hacking Village, where attendees deconstructed and scrutinized the vulnerabilities of electronic voting machines, and the Lockpick Village, where visitors could tinker with locks and learn about hardware and physical security), offer a complete list of this year’s presentations (including one by Rob Joyce, a senior cybersecurity official at the National Security Agency), catalog its many contests and events (like the Tin Foil Hat Contest and Hacker Karaoke) and still not get at its essence.
The ethos of Defcon is perhaps best embodied by a gentleman I encountered in a hallway toward the end of the conference. He was wearing an odd contraption on his back, with wires and antennas protruding from its frame and with a blinking black box at its center. An agribusiness giant, he said, had recently heralded the impenetrability of the security systems built into one of its new computing components. He had obtained a version of it — how, he wouldn’t say — and, having now subjected it to the ever-probing Defcon crowds, had disproved the company’s claims. “Turns out it’s not very secure after all,” he said with a grin, before vanishing around a corner.
As with many of his early online friends, Mr. Moss’s foray into aliases was directly tied to his interest in hacking and phone phreaking (the manipulation of telecommunications systems) — “stuff that wasn’t really legal,” he said. Aliases provided cover for such activity. And every once in a while, he explained — if a friend let slip your name, or if you outgrew a juvenile, silly alias — you’d have to burn your identity and come up with a new name.
“In my case, I had a couple previous identities,” he said, “but when I changed to The Dark Tangent, I was making a clear break from my past. I’d learned how to manage identities; I’d learned how the scene worked.”
He also remembers when everything changed. During the dot-com boom, many hackers transitioned to “real jobs,” he said, “and so they had to have real names, too.”
“My address book doubled in size,” he said with a laugh.
“The thing I worry about today,” he added, taking a more serious tone, “is that people don’t get do-overs.” Young people now have to contend with the real-name policy on Facebook, he said, along with the ever-hovering threats of facial-recognition software and aggregated data. “How are you going to learn to navigate in this world if you never get to make a mistake — and if every mistake you do make follows you forever?”
Philippe Harewood, who is 30, represents a relatively new class of hackers. He is currently ranked second on Facebook’s public list of individuals who have responsibly disclosed security vulnerabilities for the site in 2018. And while he maintains an alias on Twitter (phwd), a vast majority of his hacking work is done under his real name — which is publicized on and by Facebook. He also maintains a blog (again, under his real name) where he analyzes and discusses his exploits.
For Mr. Harewood, maintaining his alias is partly about creating a personal brand — a retro nod, in a sense, to the era when using a hacker handle was a more essential element of the trade. But it also has practical advantages. “People want to reach out all the time,” he said. “And I’m still not all that comfortable communicating with people on my Facebook profile, under my real name.”
“In a way,” he said, “it just helps me filter my communications.”
In the wake of the Cambridge Analytica scandal, Facebook expanded its existing bug bounty with a program that specifically targets data abuse. And just this week the company again widened its scope to help address vulnerabilities in third-party apps. Such efforts — coupled with the rise in recent years of companies like Bugcrowd and HackerOne, which mediate between hackers and companies interested in testing their online vulnerabilities — have created a broader marketplace for hackers interested in pursuing legitimate forms of compensation.
Like Mr. Harewood, 11-year-old Emmett Brewer, who garnered national media attention at this year’s Defcon by hacking a mock-up of the Florida state election results website in 10 minutes, also alluded to the marketing appeal of his alias, p0wnyb0y.
“I came up with it a couple years ago, when I first got included in a news article,” he said. “I think an alias helps you get more recognition — sort of like how The Dark Tangent has his.”
“P0wnyb0y is shorter and catchier than my name,” he added. “And it just seems a lot cooler.”
Emmett said his involvement with Defcon — he has attended for several years, accompanied by his father — has left him skeptical about the degree to which his peers share things online. “My friends put everything up on the internet,” he said, “but I’m more mindful.” Still, he said he wasn’t invested in keeping his real name separate from his alias. “I don’t see it as the end of the world” if people can easily link the two, he said. “But some other people take that stuff more seriously.”
(About his hacking the simulated election results: “The goal was to modify with the candidates’ votes — to delete them or add new ones,” he said. “I changed everyone else’s votes to zero, added my name, then gave myself billions of votes.”)
That’s not to say, though, that the younger generations of hackers are all comfortable operating so openly. Ms. Sell’s daughter, who spoke with me on the condition that I refer to her only by her hacking handle, CyFi, was especially guarded about her identity.
“When I was 9, I discovered a class of zero-day vulnerabilities,” said CyFi, who is now 17, referring to software bugs that developers are unaware of. She ultimately disclosed the bugs, she added, “but I didn’t want to risk being sued by all those companies — so hiding my identity was the best way to go.”
As with Emmett, CyFi is wary of her generation’s penchant for oversharing online. “My friends have definitely been frustrated with my lack of social media,” she said. “But the less data there is about you out in the world, the less people can try to mess with you.”
One of the most intriguing aspects of Defcon is the relationship between the hacker community and the attendees from the federal government, the complexities of which have ebbed and flowed over time. For many years, the tension resulted in a cat-and-mouse game called “Spot the Fed.”
“In the early days, if a fed got spotted, it was pretty consequential,” Mr. Moss said. “Later on, they were outing each other,” he said with a laugh — because they wanted the T-shirt granted to both the fed and the person who outed them.
Linton Wells II, a former principal deputy to the assistant secretary of defense for networks and information integration, began attending Defcon around 2003. He now volunteers as a “goon” — the term for the volunteers (roughly 450 this year) who help organize and run the conference.
Mr. Wells said that governmental officials who attend Defcon fall into one of three categories. “One was the people who openly announced they were feds — either speakers who announced their affiliations, or there was a Meet the Fed panel,” he said. “There were others who wouldn’t deny it if you asked them, but who didn’t go out of their way to advertise it. And then there were those who were either officially or unofficially undercover.”
The relationship hasn’t always been contentious, he added, noting that, in 2012, Keith Alexander, who was then director of the N.S.A., “came out here and spoke in a T-shirt and bluejeans.” Less than a year later, though, after the Edward Snowden leak, things soured. “For the next couple years,” Mr. Wells said, “the feds were — well, if not uninvited, then at least tacitly not particularly welcome.”
Joe Grand, who for many years operated under his alias, Kingpin, understands the complexities of the relationship as well as anyone. Twenty years ago, in May 1998, Mr. Grand was one of seven computer hackers who testified before a congressional panel that included Senators John Glenn, Joseph Lieberman and Fred Thompson. The hackers, members of a collective called L0pht (pronounced “loft”), had recently boasted that they could shut down the internet in 30 minutes, and lawmakers had taken notice.
“Due to the sensitivity of the work done at the L0pht,” Senator Thompson explained in his opening remarks — haltingly, as if for effect — “they’ll be using their hacker names of Mudge, Weld, Brian Oblivion, Kingpin, Space Rogue, Tan and Stefan.” Chuckles echoed through the room. Until then, staff members had told the L0pht hackers, the only witnesses to testify while using aliases had been members of the witness protection program. “I hope my grandkids don’t ask me who my witnesses were today,” Senator Thompson added, to another chorus of laughter.
“It probably helped their agenda — by having these kids show up with fake names,” said Mr. Grand, who sat for an interview at Defcon. “It probably made it that much more intriguing.”
“But using our handles,” he added, “was our natural way of communicating. And having that protection, it felt good. We were putting ourselves out there as hackers communicating with the government — which, at the time, was not something you did.”
As with many longtime hackers, Mr. Grand — who became widely known after appearing on a Discovery Channel show called “Prototype This!” — has grown more comfortable operating in the open. But he still appreciates the value of anonymity. “Hiding behind a fake name doesn’t mean you’re doing something malicious, and it doesn’t mean you’re a bad person,” he said. “It means you’re trying to protect your privacy.”
“And, in this day and age, you need to,” he added, “because everywhere you look, your privacy is being stripped away.”
Keren Elazari, a cybersecurity expert whose 2014 TED talk has been viewed millions of times, expressed a similar sentiment — that hackers, by fighting to maintain their anonymity, can help push back against the trends of eroding online privacy. But she also described what she calls a “maturing of the industry and the community.”
“More and more people who started hacking in the nineties are now becoming icons and thought leaders — and, most importantly, role models for the younger generations of hackers,” she said.
To help guide younger generations, elder hackers can often still use nicknames, she added. “But sometimes it makes it more powerful when they can speak up in their own voices.”