Joe Grand – from ‘feral’ child Kingpin through rehabilitation by the L0pht hacker collective to running the Grand Idea Studio.

Joe Grand is the epitome of a hacker. Childhood curiosity followed by mischief-making tipping over into illegal behavior before developing into a responsible good faith hacker – all colored with a sprinkling of neurodiverse issues and ‘superpowers’.

Grand was seven years old when his interest in technology began. His older brother had an Atari 400, and he would watch and learn. When his brother changed course to become a musician, he ‘inherited’ the Atari. “I just fell in love with being able to play video games. That was the first thing. Then I started writing my own games and then connecting to bulletin board systems and talking to other people that were computer fanatics. This seemed normal to me – anybody who liked a computer was normal; but to the outside world, anybody who liked a computer was kind of a freak or a nerd.” 

By age ten he realized he wasn’t alone. There were communities of other fanatics, separated by distance but connected by the telephone system and bulletin boards. The problem was the cost of the phone. He was in Boston, Mass; and he connected to a bulletin board in New York City – and presented his parents with a bill for hundreds of dollars. They were not happy.

His brother wrote down some codes for him. He didn’t know or ask where they came from: an 800 number followed by some six digit codes. These codes allowed him to phone anywhere in the US free of charge. “It seemed completely normal to me. Yes, I had a concept of price and value and right and wrong, but it was still normal.” It may have been wrong, but it wasn’t bad.

“Now I could satisfy my curiosity. My parents didn’t have to pay, and I didn’t have to pay, so it worked out for everybody – except the person getting the bill obviously.” This route into hacking is typical for kids who grew up in the 1980s. It was a rebellious time for youngsters, with skateboarding and punk rock music and mischievous- rather than malicious-hacking subcultures. Sticking it to The Man was an acceptable sport.

“I was involved in a lot as a teenager with credit card fraud, phone phreaking and alliance teleconferences [big group chats via phreaking]. Nothing ever seemed to me like I was attacking someone personally; I never thought I was harming anyone. It was just the phone company, the credit card company, the banks. I was just using these large machines, these large systems, to get what I wanted to feed my own curiosity. Very rarely did I ever consider is this right or wrong. I just didn’t care. Eventually I got arrested.”

Grand grew up in Boston. He has a BSc in computer engineering from Boston university (adjacent to, but not affiliated with, MIT). L0pht also grew up in Boston. It was a good place for the early hacking groups – lots of colleges, lots of young people, and lots of curiosity. L0pht evolved out of these groups. 

“The L0pht formed organically from some of the guys that were living with their significant others in small apartments in Boston but basically needed a place to store their extra computer stuff.” That extra stuff would be purchased at the MIT Flea Market, which continues to this day. Post Flea Market meetups were effectively hacker meetings at the L0pht. The core membership, which became L0pht Heavy Industries, were those who paid the rent on the accommodation – around $50 dollars each per month. At the time, Grand was five or six years younger than this core – he considered them as grown-ups in relation to himself. But the L0pht, sort of, rescued him.

Grand had known and talked with these people since he was 12 or 13. He was involved with a hacker group known as Renegade Legion and was “still doing mischief”. The L0pht knew him, but kept their distance, “because they didn’t want to be involved while I was going through all this kind of troublemaking.”

But when he was arrested and got into trouble, they took him under their wing and asked him if he wanted to be a part of the L0pht core. “I was already hanging out at the L0pht, but not as an official member. They invited me in and asked if I would like to have a space in the L0pht to work on projects. But I’d have to pay the rent.” 

He was still at High School and couldn’t afford it. But after he was arrested, his parents told him he would have to take up sports or get a job. He started running track– and his parents agreed to pay the L0pht rent. He feels the two, physical exercise and hacking, “is a great balance, and actually very good for your mental health and body positivity and confidence, and all of these things that I didn’t really have.” It would be fair to say that separate support from his family and L0pht turned his life around – and he was still only mid-teens.

This was when the L0pht became a more formalized group: centered on Brian Oblivion, Count Zero, Mudge, Weld Pond, Space Rogue, Dildog, and Kingpin (Joe Grand). (Kingpin was a handle from his earlier days. Like most hackers, he cycled through numerous handles, and he thought he had outgrown Kingpin. The L0pht members called him Joey – but Kingpin clung on, and he is still known by that handle today.)

The group moved to a different space. The L0pht was never a physical location; it was more like a gang name. “We tried to be self-sufficient through things like selling T-shirts. We had our bulletin board system and then we had an early website. We sold CDs with hacking tools and collections of things from Brian Oblivion’s bulletin board. And we started to spread the good side of what hackers can do. For me, it was such a pivotal moment, because these guys were all at least six years older. They seemed like grownups because even though I was 15, they were around 21 years old with jobs and stable relationships.”

That’s when he learned the value of sharing rather than hoarding information. “I learned very quickly about the importance of sharing information, sharing what you know, and learning from other people. And building on what somebody else taught you, to learn something new. And then you go back and share that again. That’s when I realized that hacking is less about hoarding information, like I did as a kid to have power and clout, but to distribute that information and trade it with people and learn new things – and then everybody grows together.”

The rest, as they say, is history: L0pht Heavy Industries, L0phtCrack, testifying before the Senate and much more that has become part of hacking folklore.

There is a hacker meme of the solitary person in the basement or bedroom sitting in front of a computer. This meme could also apply to ASD people (ADHD and especially that part of the spectrum formerly known as Aspergers syndrome). These neurologic conditions often involve high intelligence, an ability or preference to work alone, and an immersive concentration that can apply a different way of thinking about a problem over long periods of time. The correlation between hacker and neurodivergent is not imaginary – many hackers are also neurodivergent. Neurodivergence is not a cause of hacking; but it certainly aids the process of hacking. Grand is almost certainly one.

See Harnessing Neurodiversity Within Cybersecurity Teams.

“I loved being alone in my computer room, coming home from school, going straight to the computer, and using the computer until dinnertime; having dinner, and after doing my homework going back to the computer – and then sometimes even in the morning before school. I loved that solitude. But at the same time, I had a community. The community was online, and physically I was in a quiet room. Even today, I love sitting on an airplane with headphones on. They’re not playing any music – I just get a little bit of that white noise of the airplane, and I love being in that world.”

It is possibly the ability of cyber to provide the solitude craved by neurodivergents with the social needs of all humans that fosters an attractive world for hackers. 

Grand accepts that neurodiversity can be a curse or a blessing. “Sometimes it’s completely debilitating, and it’s very hard to escape from – but sometimes, if you’re aware of your struggles, you can maybe use those in a way to turn it into something positive. That ‘something positive’ is very relevant to the electronic world – it’s the ability to apply new thinking at a deep level for an extended period. Neurodivergents know this period as being in the flow, similar to sports people being in the zone.

Grand is a hacker. Hackers are curious. Grand is also curious about how his brain works. “I’m really looking into this as a kind of thought experiment. OK, that’s why I do the things I do, and maybe why I’ve been successful at doing that. But at the same time, maybe there was a sort of deficiency that led me into those early troublemaking ways. I don’t know, and I can’t speak for everybody. But I know for sure there is a cross section of hackers that are neurodiverse to various degrees, and that probably led them to this computer/hacker world – maybe to have control of something because in the outside world you feel you don’t have control. It doesn’t apply to every neurodivergent, and not all hackers are neurodivergent, but I would say there’s probably a greater degree of neurodiversity in the hacker community than other communities. For me, I know it was a part of why I gravitated toward this world.”

With the right support, environment and attitude, the tendency of neurodivergence to foster troublemakers can be diverted into the creation and harnessing of superpowers while in the flow. Is it coincidence that Grand’s partner, Keely, has authored her own book: Troublemakers and Superpowers?

Joining L0pht was instrumental in changing the direction of Grand’s life. He embraced the group’s ethos that hacking can be, and should be, a benefit to society and business – by finding product faults and helping them be fixed before they can cause harm.

It was L0pht that championed the concept of ‘responsible disclosure’: disclose the fault first to the manufacturer and allow reasonable time for it to be fixed or patched. 

Grand isn’t completely happy with the term. “What does it mean?” he asked. “Is it how the hacker responds to the discovery, or how the vendor responds to the disclosure?” This was back in a time when vendors were simply not responsive, few had formal disclosure policies, and the law could be aggressive. 

The law now has an informal ‘safe harbor’ for good faith hacking (research), but the law hasn’t changed, and the hacker can still face legal action. Is this still a problem? “Absolutely,” he said. “And I’m dealing with just such a problem right now.” He has something to disclose, but…

“There’s always a fear of what’s going to happen when this information comes out. It’s not a fear because I did anything wrong – it’s a fear because not every company is prepared to handle somebody disclosing a security problem in their product.” This is not universal since many companies now have a formal disclosure policy. Grand will always adhere to this if one exists. It helps protect the hacker, but still doesn’t guarantee an adequate response from the vendor.

In this instance, the vendor has no formal policy. Grand is faced with telling a manufacturer that has no disclosure policy and no bounty system, ‘Hey, your baby is ugly!” Many companies have these policies that can be followed, and that provides an element of protection. And there are formal bug bounty programs like BugCrowd and HackerOne which also provide a ‘good faith’ umbrella (incidentally, Grand is not a great fan of bug bounties: “The companies great free security research, and then pay a pittance as a ‘thank you’.”)

He said this not to suggest that he wouldn’t disclose what he had found, but to explain the pressure that all hackers face: lack of prosecution is not because of the law, but up to the favor of the prosecutors. He voiced these concerns to his partner. She replied, “Of course you will disclose. You are a hacker.”

That hardware wallet

Perhaps the best known of all Grand’s hardware hacking adventures is his successful hack of a Trezor crypto wallet. There are numerous video accounts of this process – Grand has one on his YouTube channel (How I hacked a hardware crypto wallet) that has been viewed almost 8.5 million times.

It started when he was contacted by a guy who had lost access to his crypto wallet and had therefore lost the digital money it contained: around $2 million in the Theta currency. “I got curious,” said Grand. “Maybe I can do that. There are other motives, but usually it starts from something that triggers curiosity.” He is not a compulsive or obsessive hacker. “But once I start, I can’t let it go.” And that’s to the exclusion of almost everything else. “It goes real deep, real fast. And sometimes the other end is a solution to a problem, or a hack of some sort.”

A successful hack can turn into a conference presentation or video (this hack did both); but that is not his driving motive. “There’s still that element of curiosity and learning for myself and purely for myself, not for anything else.” Having learned, he believes in sharing what he has learned for the benefit of all security. That is what he learned from his time at the L0pht.

The teacher

This raises one last question. How does a natural born hacker earn a living? Bounty hunters get paid by vendors. A few can do this full-time, but mostly it’s primarily pocket money supplementing a proper day job – and Grand thinks that bounties are more favorable to the vendor than the hacker. Others become full-time researchers or red teamers with security firms. A few, of course, find no other route or outlet than crime.

None of these suit Grand’s temperament. Today, he is the proprietor of Grand Idea Studio (founded in 2002), ‘a technology development, licensing, and consulting firm based in Portland, Oregon’. 

“I do a lot of training, going to organizations and teaching them about hardware hacking and how to think like a hacker to solve a problem. All of this seems normal to me. Thinking like a hacker is normal, but it’s not the way most people think. Maybe they don’t have that mischievous or malicious side to their experiences. But it’s fun [and profitable, but notice that money-making has never been an important part of his personality] to be able to share my thought processes with people who don’t generally think in the same way.”

The history of Joe Grand is a journey from childhood mischief-maker through teenage troublemaker to adult teacher – via the iconic hacker group, L0pht Heavy Industries.

Related: Hacker Conversations: Kevin O’Connor, From Childhood Hacker to NSA Operative

Related: Hacker Conversations: HD Moore and the Line Between Black and White

Related: Hacker Conversations: Rob Dyke on Legal Bullying of Good Faith Researchers

Related: Hacker Conversations: Casey Ellis, Hacker and Ringmaster at Bugcrowd