This article first appeared in The Alt on February 21, 2017.
Leet Systems: Tyler Wrightson stands behind (l-r) Joe Cohen, Chris Mazzei and Jonathan Gaines
Photos by Leif Zurmuhlen
The guy who owns your favorite Albany cafes spends his days and nights infiltrating servers, hacking email, accessing sensitive documents and thwarting physical security systems.
Tyler Wrightson, owner of both locations of Albany’s Stacks Espresso Bar, didn’t get his start with coffee beans. In fact, he makes it clear that the credit for the success of those shops belongs elsewhere. Getting involved in the coffee business was an afterthought; he didn’t want his favorite coffee shop on Lark Street to close, so he bought it.
Wrightson’s real passion lies in cyber security and hacking.They’re avocations he grew up with. And now at Leet Systems he has a team of like-minded technophiles, all of whom have a certain set of skills: they’re good at subverting, defeating, undermining and exposing corporate and government cyber-security systems.
These aren’t the guys you call if you want a firewall installed. They aren’t the guys you call if you’ve got a virus. These are the experts you call if you want to find out just how good your cyber security is. Chances are they can infiltrate it, and if they can, so can the folks who are going to exploit the flaws in your security systems for nefarious purposes.
Wrightson, slender, tall and polite, has a demeanor that mixes debonair with Midwestern matter-of-factness. He recalls feeling out of place and a bit lonely growing up focused on computers and hacking. He admits he got up to some no good, testing his abilities in ways that maybe he shouldn’t have.
“It really started as a hobby, when I was a teenager,” says Wrightson. “It was a passion of mine growing up in Kinderhook. I guess I was always mischievous, and in some ways hacking seemed like magic. So it started kind of naturally. I did some pretty stupid things as a kid and was lucky I didn’t get into any real trouble.”
He’d travel regularly to a local Barnes and Noble and leave notes in 2600: The Hacker Quarterly, setting times and dates for public meetups with those with similar interests. “I know it sounds a little weird,” says Wrightson, “but it made sense at the time. There just weren’t that many people following this.”
Things have changed drastically since then. Wrightson has turned his passion into a career in a growing and essential field. He’s authored two books on cyber security: 2014’s Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization and 2012’s Wireless Network Security A Beginner’s Guide. Tech meetups have become a regular occurrence. Hackers regularly get together at area bars for “Cybeer” meetups. And soon Wrightson will be hosting the Any Con: Albany New York Hacking, Infosec & Cyber Security Conference at The Albany Capital Center on June 16 to 18. He expects it will attract visitors from across the country. The conference will have four tracks: Offense, Defensive, Education and Grab Bag. There will also be a hackathon and a ping-pong tournament.
It’s hard to escape the threat hacking poses these days. From allegations that Russian agents hacked the Democratic National Committee and otherwise influenced the election, to reports that malicious code has made its way into a Vermont power utility computer, news about hacking is everywhere.
“Everyone has tech at all times now,” says Wrightson as he sits in the boardroom of Leet Systems headquarters in downtown Albany. “Now pair that with the non-stop barrage of breaches people see in the news. People are more aware than ever.” Asked if he thinks people should be more concerned about malicious hacking, he says, “Hell, yes! This is just the tip of the iceberg. People have no idea. A politically motivated group broke into somebody’s email account and disseminated sensitive information. There is nothing revolutionary about that. We break into thousands of email accounts all the time to point out the vulnerabilities. That incident is just an indicator of what’s to come; that’s the only tip of iceberg. We will see far far more impactful data leaks. We’ll see physically efficacious and impactful events that stem fully from cyber breaches.”
Does Wrightson think the government and corporate America are doing enough to protect against these sorts of breaches? In a word, “No.”
“I don’t want to come across as a typical fear-mongering cyber guy, but not enough is being done to prevent these things,” says Wrightson. “We break into very secure systems all the time, and we don’t have the budget of nation-states. If we can do it as four guys in a room, imagine what they can do with a warehouse full of hackers and millions of dollars. It’s far easier and more economical for them to do it.”
Plenty of companies provide cyber security. They install firewalls and monitoring software, they install password protections and other means of user authentication to ward off malicious infiltrators. And those companies often also provide hacking services to test the security systems they’ve set up. Yet Wrightson says he believes that approach is lacking. “We only focus on offensive security hacking, mimicking attackers. It’s where we see the greatest need.”
Joe Cohen sits across from Wrightson at the conference-room table. He listens, nodding. He’s dressed in blue jeans and skater shoes. Asked about what he likes about his job, he replies, “It’s exhilarating!” A wide smile crosses his previously stoic face. Wrightson leans over the table to high-five him. “It’s a fricking high, and it’s what we get paid to do. I can’t tell you how much I love to do it,” says Cohen.
So what is it that delivers that high? The thrill of beating the system, the risk of being caught, the knowledge that you are operating on a different level from your tech-savvy peers.
Cohen describes doing a “physical penetration” for a client. “I was just physically walking through areas by means of social engineering. Getting access to places I shouldn’t have. Not wanting to get caught. And in the end I was high as a kite on adrenaline. I would ask people to give me access to this room or that room, and they we’re more than happy to because they don’t want to offend.”
Wrightson notes that he made his way through this corporate setting dressed as he is now, in-a baseball cap, blue jeans and skater shoes.
“You wouldn’t believe where a clipboard can get you,” says Cohen. “Hospitals are the easiest places.”
Wrightson says that many of these tests of physical security systems occur in typical office settings. However, some are less mundane-appearing At one point, they were tasked with infiltrating a power-monitoring company. “We used a whole different pretext–showed up as FedEx and simulated a bomb threat,” says Cohen. Their security tests simulate various scenarios, from break-ins by common criminals to terrorist attacks.
Leet Systems HQ is sparsely populated these days. The team only moved in in the last few weeks. Their desks have multiple monitors setup. There’s a ping-pong table and an Xbox. Wrightson notes that his team doesn’t necessarily do the typical nine-to-five grind. Cohen says he can go days without sleep while working on a project. Wrightson adds that Cohen is like a “dog with a bone”
Asked about the stereotype of the hacker sitting in front of a screen, eyes red, surrounded by cans of Red Bull, Cohen replies, ”Replace the Red Bull with a beer.”
While most of Leet’s employees have some sort of education, none of them have an education specifically in hacking or cyber security. Cohen says he simply grew up with computers, like Wrightson. “Tech is just an extension of my reality.”
Jonathan Gaines, dressed in a blue flannel shirt and snow beanie, is relatively quiet. He’s the youngest member of the team. He’s currently going to community college to study cyber security, but he found quickly that he already had the skills to do the work before he earned his degree. “I’ve been interested in the field since I was 11,” says Gaines. “I would be on line in video games tricking people into giving me stuff,” he says with a playful sense of regret. “Once I matured enough to get moral standards, I got into cyber security. It was my passion. But at the time there was no name for it.”
Now, Gaines said, he’s taken classes in cyber security where he’s actually demonstrated the value of offensive hacking as a means of testing a system’s defenses
Wrightston says the lack of formal education in cyber security and offensive hacking is a challenge facing the field, given that there is a very great need for skilled workers.The Any Con web page touts their education track as designed to help remedy that problem. “There is a huge discrepancy in the number of open cyber-security positions and the available candidates to fill these positions, and it looks like it’s only getting worse. We want to inspire the next generation of hackers. Encourage individuals to pursue education in cyber security and obtain a rewarding career in the field. Individual talks geared towards K-12 students, higher education and workforce development.”
Wrightson says he expects to have the discussion about what kind of education is useful to educate hackers. “Should we have hacker bootcamps, is there something we can do in traditional schools? Do you need traditional schooling at all?”
Chris Mazzei has known Wrightson for years. He’s a founder of the local 2600 group. They meet at the Starbucks across from the University at Albany on the first Friday of every month. Mazzei estimates they’ve had about 60 people come in and out of the group over the years. Occasionally they get visits from students from college campuses hours away, because Albany serves as a hub for the tech community.
Asked if there is any other company in the area that does the kind of offensive hacking Leet Systems does, Wrightson smiles coyly. “I don’t want to come off like a jerk, but honestly, no, there is no competition in the area. There are other places that will say, ‘Sure, we can do a penetration test because we set these things up.’ We don’t deploy firewalls and then tell you they work. We find out if we can get in. And because of that we have more focus than they do.”
When it’s asked whether any of the Leet team has a specialty, they laugh. “We’re all pretty much jacks of all trades,” Mazzei says. “I’m the infiltrator!” jokes Cohen. “They call me The Magician,” laughs Gaines. “We need to get some subtitles in here to flash in front of us,” Wrightson says. “We’re gonna need a montage,”adds Cohen.
What about video games like Watch Dogs? Games in which lead characters break into power systems with their cell phones and cause havoc in major cities. Do they portray hacking accurately? The team smiles, letting the question hang.
Later, Gaines admits that he’s played Watch Dogs. “You know, what we do is like that,” says Gaines. “Everything I do from my computer I can do on my cellphone. The only difference is that Albany’s power grid isn’t entirely interconnected. But one day it will be, and it will be vulnerable. That is the future we’re facing,” says Gaines.
It seems a certainty that Wrightson and his team will be growing soon. And if Wrightson and Gaines are right an increasing number of people will know why what they do is so critical.