A gang of teen hackers snatched the keys to Microsoft’s videogame empire. Then they went too far.
Pokora’s reckless Xbox episodes
The trip to Delaware was only supposed to last a day. David Pokora, a bespectacled University of Toronto senior with scraggly blond hair down to his shoulders, needed to travel south to fetch a bumper that he’d bought for his souped-up Volkswagen Golf R.
The American seller had balked at shipping to Canada, so Pokora arranged to have the part sent to a buddy, Justin May, who lived in Wilmington. The young men, both ardent gamers, shared a fascination with the inner workings of the Xbox; though they’d been chatting and collaborating for years, they’d never met in person. Pokora planned to make the eight-hour drive on a Friday, grab a leisurely dinner with May, then haul the metallic-blue bumper back home to Mississauga, Ontario, that night or early the next morning. His father offered to tag along so they could take turns behind the wheel of the family’s Jetta.
An hour into their journey on March 28, 2014, the Pokoras crossed the Lewiston–Queenston Bridge and hit the border checkpoint on the eastern side of the Niagara Gorge. An American customs agent gently quizzed them about their itinerary as he scanned their passports in his booth. He seemed ready to wave the Jetta through when something on his monitor caught his eye.
“What’s… Xenon?” the agent asked, stumbling over the pronunciation of the word.
David, who was in the passenger seat, was startled by the question. Xenon was one of his online aliases, a pseudonym he often used – along with Xenomega and DeToX – when playing Halo or discussing his Xbox hacking projects with fellow programmers. Why would that nickname, familiar to only a handful of gaming fanatics, pop up when his passport was checked?
Pokora’s puzzlement lasted a few moments before he remembered that he’d named his one-man corporation Xenon Development Studios; the business processed payments for the Xbox service he operated that gave monthly subscribers the ability to unlock achievements or skip levels in more than 100 different games. He mentioned the company to the customs agent, making sure to emphasize that it was legally registered. The agent instructed the Pokoras to sit tight for just a minute longer.
As he and his father waited for permission to enter western New York, David detected a flutter of motion behind the idling Jetta. He glanced back and saw two men in dark uniforms approaching the car, one on either side. “Something’s wrong,” his father said, an instant before a figure appeared outside the passenger-side window. As a voice barked at him to step out of the vehicle, Pokora realized he’d walked into a trap.
In the detention area of the adjoining US Customs and Border Protection building, an antiseptic room with a lone metal bench, Pokora pondered all the foolish risks he’d taken while in thrall to his Xbox obsession. When he’d started picking apart the console’s software a decade earlier, it had seemed like harmless fun – a way for him and his friends to match wits with the corporate engineers whose ranks they yearned to join. But the Xbox hacking scene had turned sordid over time, its ethical norms corroded by the allure of money, thrills, and status. And Pokora had gradually become enmeshed in a series of schemes that would have alarmed his younger self: infiltrating game developers’ networks, counterfeiting an Xbox prototype, even abetting a burglary on Microsoft’s main campus.
Pokora had long been aware that his misdeeds had angered some powerful interests, and not just within the gaming industry; in the course of seeking out all things Xbox, he and his associates had wormed into American military networks too. But in those early hours after his arrest, Pokora had no clue just how much legal wrath he’d brought upon his head: For eight months he’d been under sealed indictment for conspiring to steal as much as $1 billion worth of intellectual property, and federal prosecutors were intent on making him the first foreign hacker to be convicted for the theft of American trade secrets. Several of his friends and colleagues would end up being pulled into the vortex of trouble he’d helped create; one would become an informant, one would become a fugitive, and one would end up dead.
Pokora could see his father sitting in a room outside the holding cell, on the other side of a thick glass partition. He watched as a federal agent leaned down to inform the elder Pokora, a Polish-born construction worker, that his only son wouldn’t be returning to Canada for a very long time; his father responded by burying his head in his calloused hands.
Gutted to have caused the usually stoic man such anguish, David wished he could offer some words of comfort. “It’s going to be OK, Dad,” he said in a soft voice, gesturing to get his attention. “It’s going to be OK.” But his father couldn’t hear him through the glass.
Kindergarten Security Mistakes
Well before he could read or write, David Pokora mastered the intricacies of first-person shooters. There is a grainy video of him playing Blake Stone: Aliens of Gold in 1995, his 3-year-old fingers nimbly dancing around the keyboard of his parents’ off-brand PC. What captivated him about the game was not its violence but rather the seeming magic of its controls; he wondered how a boxy beige machine could convert his physical actions into onscreen motion. The kid was a born programmer.
Pokora dabbled in coding throughout elementary school, building tools like basic web browsers. But he became wholly enamored with the craft as a preteen on a family trip to Poland. He had lugged his bulky laptop to the sleepy town where his parents’ relatives lived. There was little else to do, so as chickens roamed the yards he passed the time by teaching himself the Visual Basic .NET programming language. The house where he stayed had no internet access, so Pokora couldn’t Google for help when his programs spit out errors. But he kept chipping away at his code until it was immaculate, a labor-intensive process that filled him with unexpected joy. By the time he got back home, he was hooked on the psychological rewards of bending machines to his will.
As Pokora began to immerse himself in programming, his family bought its first Xbox. With its ability to connect to multiplayer sessions on the Xbox Live service and its familiar Windows-derived architecture, the machine made Pokora’s Super Nintendo seem like a relic. Whenever he wasn’t splattering aliens in Halo, Pokora scoured the internet for technical information about his new favorite plaything. His wanderings brought him into contact with a community of hackers who were redefining what the Xbox could do.
To divine its secrets, these hackers had cracked open the console’s case and eavesdropped on the data that zipped between the motherboard’s various components – the CPU, the RAM, the Flash chip. This led to the discovery of what the cryptography expert Bruce Schneier termed “lots of kindergarten security mistakes.” For example, Microsoft had left the decryption key for the machine’s boot code lying around in an accessible area of the machine’s memory. When an MIT graduate student named Bunnie Huang located that key in 2002, he gave his hacker compatriots the power to trick the Xbox into booting up homebrew programs that could stream music, run Linux, or emulate Segas and Nintendos. All they had to do first was tweak their consoles’ firmware, either by soldering a so-called modchip onto the motherboard or loading a hacked game-save file from a USB drive.
Once Pokora hacked his family’s Xbox, he got heavy into tinkering with his cherished Halo. He haunted IRC channels and web forums where the best Halo programmers hung out, poring over tutorials on how to alter the physics of the game. He was soon making a name for himself by writing Halo 2 utilities that allowed players to fill any of the game’s landscapes with digitized water or change blue skies into rain.
The hacking free-for-all ended with the release of the second-generation Xbox, the Xbox 360, in November 2005. The 360 had none of the glaring security flaws of its predecessor, to the chagrin of programmers like the 13-year-old Pokora who could no longer run code that hadn’t been approved by Microsoft. There was one potential workaround for frustrated hackers, but it required a rare piece of hardware: an Xbox 360 development kit.
Dev kits are the machines that Microsoft-approved developers use to write Xbox content. To the untrained eye they look like ordinary consoles, but the units contain most of the software integral to the game development process, including tools for line-by-line debugging. A hacker with a dev kit can manipulate Xbox software just like an authorized programmer.
Microsoft sends dev kits only to rigorously screened game-development companies. In the mid-2000s a few kits would occasionally become available when a bankrupt developer dumped its assets in haste, but for the most part the hardware was seldom spotted in the wild. There was one hacker, however, who lucked into a mother lode of 360 dev kits and whose eagerness to profit off his good fortune would help Pokora ascend to the top of the Xbox scene.
To be continued