The only education that mattered

In 2006, while working as a Wells Fargo technology manager in Walnut Creek, California, 38-year-old Rowdy Van Cleave learned that a nearby recycling facility was selling Xbox DVD drives cheap. When he went to inspect the merchandise, the facility’s owners mentioned they received regular deliveries of surplus Microsoft hardware. Van Cleave, who’d been part of a revered Xbox-hacking crew called Team Avalaunch, volunteered to poke around the recyclers’ warehouse and point out any Xbox junk that might have resale value.

After sifting through mountains of Xbox flotsam and jetsam, Van Cleave talked the recyclers into letting him take home five motherboards. When he jacked one of them into his Xbox 360 and booted it up, the screen gave him the option to activate debugging mode. “Holy shit,” Van Cleave thought, “this is a frickin’ dev motherboard!”

Aware that he had stumbled on the Xbox scene’s equivalent of King Tut’s tomb, Van Cleave cut a deal with the recyclers that let him buy whatever discarded Xbox hardware came their way. Some of these treasures he kept for his own sizable collection or handed out to friends; he once gave another Team Avalaunch member a dev kit as a wedding present. But Van Cleave was always on the lookout for paying customers he could trust to be discreet.

The 16-year-old Pokora became one of those customers in 2008, shortly after meeting Van Cleave through an online friend and impressing him with his technical prowess. In addition to buying kits for himself, Pokora acted as a salesman for Van Cleave, peddling hardware at significant markup to other Halo hackers; he charged around $1,000 per kit, though desperate souls sometimes ponied up as much as $3,000. (Van Cleave denies that Pokora sold kits on his behalf.) He befriended several of his customers, including a guy named Justin May who lived in Wilmington, Delaware.

Now flush with dev kits, Pokora was able to start modifying the recently released Halo 3. He kept vampire hours as he hacked, coding in a trancelike state that he termed “hyperfocus” until he dropped from exhaustion at around 3 or 4 am. He was often late for school, but he shrugged off his slumping grades; he considered programming on his dev kit to be the only education that mattered.

Pokora posted snippets of his Halo 3 work on forums like Halomods.com, which is how he came to the attention of a hacker in Whittier, California, named Anthony Clark. The 18-year-old Clark had experience disassembling Xbox games – reverse-engineering their code from machine language into a programming language. He reached out to Pokora and proposed that they join forces on some projects.

Clark and Pokora grew close, talking nearly every day about programming as well as music, cars, and other adolescent fixations. Pokora sold Clark a dev kit so they could hack Halo 3 in tandem; Clark, in turn, gave Pokora tips on the art of the disassembly. They cowrote a Halo 3 tool that let them endow the protagonist, Master Chief, with special skills – like the ability to jump into the clouds or fire weird projectiles. And they logged countless hours playing their hacked creations on PartnerNet, a sandbox version of Xbox Live available only to dev kit owners.

As they released bits and pieces of their software online, Pokora and Clark began to hear from engineers at Microsoft and Bungie, the developer behind the Halo series. The professional programmers offered nothing but praise, despite knowing that Pokora and Clark were using ill-gotten dev kits. Cool, you did a good job of reverse-engineering this, they’d tell Pokora. The encouraging feedback convinced him that he was on an unorthodox path to a career in game development—perhaps the only path available to a construction worker’s son from Mississauga who was no classroom star.

But Pokora and Clark occasionally flirted with darker hijinks. By 2009 the pair was using PartnerNet not only to play their modded versions of Halo 3 but also to swipe unreleased software that was still being tested. There was one Halo 3 map that Pokora snapped a picture of and then shared too liberally with friends; the screenshot wound up getting passed around among Halo fans. When Pokora and Clark next returned to PartnerNet to play Halo 3, they encountered a message on the game’s main screen that Bungie engineers had expressly left for them: “Winners Don’t Break Into PartnerNet.”

The two hackers laughed off the warning. They considered their mischief all in good fun—they’d steal a beta here and there, but only because they loved the Xbox so much, not to enrich themselves. They saw no reason to stop playing cat and mouse with the Xbox pros, whom they hoped to call coworkers some day.

I Mean, It’s Just Videogames

The Xbox 360 remained largely invulnerable until late 2009, when security researchers finally identified a weakness: By affixing a modchip to an arcane set of motherboard pins used for quality-assurance testing, they managed to nullify the 360’s defenses. The hack came to be known as the JTAG, after the Joint Test Action Group, the industry body that had recommended adding the pins to all printed circuit boards in the mid-1980s.

When news of the vulnerability broke, Xbox 360 owners rushed to get their consoles JTAGed by services that materialized overnight. With 23 million subscribers now on Xbox Live, multiplayer gaming had become vastly more competitive, and a throng of gamers whom Pokora dubbed “spoiled kids with their parents’ credit cards” were willing to go to extraordinary lengths to humiliate their rivals.

For Pokora and Clark, it was an opportunity to cash in. They hacked the Call of Duty series of military-themed shooters to create so-called modded lobbies – places on Xbox Live where Call of Duty players could join games governed by reality-bending rules. For fees that ranged up to $100 per half-hour, players with JTAGed consoles could participate in death matches while wielding superpowers: They could fly, walk through walls, sprint with Flash-like speed, or shoot bullets that never missed their targets.

For an extra $50 to $150, Pokora and Clark also offered “infections” – powers that players’ characters would retain when they joined nonhacked games. Pokora was initially reluctant to sell infections: He knew his turbocharged clients would slaughter their hapless opponents, a situation that struck him as contrary to the spirit of gaming. But then the money started rolling in – as much as $8,000 on busy days.

There were so many customers that he and Clark had to hire employees to deal with the madness. Swept up in the excitement of becoming an entrepreneur, Pokora forgot all about his commitment to fairness. It was one more step down a ladder he barely noticed he was descending.

Microsoft tried to squelch breaches like the Call of Duty cheats by launching an automated system that could detect JTAGed consoles and ban them. But Pokora reverse-engineered the system and devised a way to beat it: He wrote a program that hijacked Xbox Live’s security queries to an area of the console where they could be filled with false data, and thus be duped into certifying a hacked console.

Pokora reveled in the perks of his success. He still lived with his parents, but he paid his tuition as he entered the University of Toronto in the fall of 2010. He and his girlfriend dined at upscale restaurants every night and stayed at $400-a-night hotels as they traveled around Canada for metal shows. But he wasn’t really in it for the money or even the adulation of his peers; what he most coveted was the sense of glee and power he derived from making $60 million games behave however he wished.

Pokora knew there was a whiff of the illegal about his Call of Duty business, which violated numerous copyrights. But he interpreted the lack of meaningful pushback from either Microsoft or Activision, Call of Duty’s developer, as a sign that the companies would tolerate his enterprise, much as Bungie had put up with his Halo 3 shenanigans. Activision did send a series of cease-and-desist letters, but the company never followed through on its threats.

“I mean, it’s just videogames,” Pokora told himself whenever another Activision letter arrived. “It’s not like we’re hacking into a server or stealing anyone’s information.” That would come soon enough.

Tunnels

Dylan Wheeler, a hacker in Perth, Australia, whose alias was SuperDaE, knew that something juicy had fallen into his lap. An American friend of his who went by the name Gamerfreak had slipped him a password list for the public forums operated by Epic Games, a Cary, North Carolina, game developer known for its Unreal and Gears of War series. In 2010 Wheeler started poking around the forums’ accounts to see if any of them belonged to Epic employees. He eventually identified a member of the company’s IT department whose employee email address and password appeared on Gamerfreak’s list; rummaging through the man’s personal emails, Wheeler found a password for an internal EpicGames.com account.

Once he had a toehold at Epic, Wheeler wanted a talented partner to help him sally deeper into the network. “Who is big enough to be interested in something like this?” he wondered. Xenomega – David Pokora – whom he’d long admired from afar and was eager to befriend, was the first name that popped to mind. Wheeler cold-messaged the Canadian and offered him the chance to get inside one of the world’s preeminent game developers; he didn’t mention that he was only 14, fearing that his age would be a deal breaker.

What Wheeler was proposing was substantially shadier than anything Pokora had attempted before: It was one thing to download Halo maps from the semipublic PartnerNet and quite another to break into a fortified private network where a company stores its most sensitive data. But Pokora was overwhelmed by curiosity about what software he might unearth on Epic’s servers and titillated by the prospect of reverse-engineering a trove of top-secret games. And so he rationalized what he was about to do by setting ground rules – he wouldn’t take any credit card numbers, for example, nor peek at personal information about Epic’s customers.

Pokora and Wheeler combed through Epic’s network by masquerading as the IT worker whose login credentials Wheeler had compromised. They located a plugged-in USB drive that held all of the company’s passwords, including one that gave them root access to the entire network. Then they pried into the computers of Epic bigwigs such as design director Cliff “CliffyB” Bleszinski; the pair chortled when they opened a music folder that Bleszinski had made for his Lamborghini and saw that it contained lots of Katy Perry and Miley Cyrus tunes. (Bleszinski, who left Epic in 2012, confirms the hackers’ account, adding that he’s “always been public and forthright about my taste for bubblegum pop.”)

To exfiltrate Epic’s data, Wheeler enlisted the help of Sanadodeh “Sonic” Nesheiwat, a New Jersey gamer who possessed a hacked cable modem that could obfuscate its location. In June 2011 Nesheiwat downloaded a prerelease copy of Gears of War 3 from Epic, along with hundreds of gigabytes of other software. He burned Epic’s source code onto eight Blu-ray discs that he shipped to Pokora in a package marked wedding videos. Pokora shared the game with several friends, including his dev kit customer Justin May; within days a copy showed up on the Pirate Bay, a notorious BitTorrent site.

The Gears of War 3 leak triggered a federal investigation, and Epic began working with the FBI to determine how its security had been breached. Pokora and Wheeler found out about the nascent probe while reading Epic’s emails; they freaked out when one of those emails described a meeting between the company’s brain trust and FBI agents. “I need your help – I’m going to get arrested,” a panicked Pokora wrote to May that July. “I need to encrypt some hard drives.”

But the email chatter between Epic and the FBI quickly died down, and the company made no apparent effort to block the hackers’ root access to the network – a sign that it couldn’t pinpoint their means of entry. Having survived their first brush with the law, the hackers felt emboldened – the brazen Wheeler most of all. He kept trespassing on sensitive areas of Epic’s network, making few efforts to conceal his IP address as he spied on high-level corporate meetings through webcams he’d commandeered. “He knowingly logs into Epic knowing that the feds chill there,” Nesheiwat told Pokora about their Australian partner. “They were emailing FBI people, but he still manages to not care.”

Owning Epic’s network gave the hackers entrée to a slew of other organizations. Pokora and Wheeler came across login credentials for Scaleform, a so-called middleware company that provided technology for the engine at the heart of Epic’s games. Once they’d broken into Scaleform, they discovered that the company’s network was full of credentials for Silicon Valley titans, Hollywood entertainment conglomerates, and Zombie Studios, the developer of the Spec Ops series of games. On Zombie’s network they uncovered remote-access “tunnels” to its clients, including branches of the American military. Wriggling through those poorly secured tunnels was no great challenge, though Pokora was wary of leaving behind too many digital tracks. “If they notice any of this,” he told the group, “they’re going to come looking for me.”

As the scale of their enterprise increased, the hackers discussed what they should do if the FBI came knocking. High off the feeling of omnipotence that came from burrowing into supposedly impregnable networks, Pokora proposed releasing all of Epic’s proprietary data as an act of revenge: “If we ever go disappearing, just, you know, upload it to the internet and say fuck you Epic.”

The group also cracked jokes about what they should call their prison gang. Everyone dug Wheeler’s tongue-in-cheek suggestion that they could strike fear into other inmates’ hearts by dubbing themselves the Xbox Underground.

To be continued

Wired
