Mustafa Al-Bassam was a 16-year-old schoolboy when he was arrested for his role in cybercrimes committed by LulzSec, a gang of hackers.
In 2011, it targeted the websites of the CIA in the US, the Serious Organised Crime Agency in the UK, Fox and Sony.
The group’s actions caused serious financial damage. But it also shone a light in some dark corners of world politics and exposed the virtual weaknesses of big organisations.
Last autumn, a play at the Royal Court Theatre in London called Teh Internet Is Serious Business told their story.
Mustafa – from South London and previously known online as tFlow – was handed a 20-month suspended sentence at the age of 18, shortly before taking his A-levels, and ordered to carry out 300 hours of unpaid community work.
He is now 20 and studying computer science at King’s College London.
After he gave a hacking demonstration at a recent conference on financial crime, The Mail on Sunday tracked him down so he could give his inside – and sometimes alarming – view of online security and provide advice on how we can protect our identity and finances.
Q. How did you gain your skills on the internet at such a young age?
A. I spent a lot of time on my computer as a child and taught myself how to program when I was about nine, using freely available online resources.
This might seem extraordinary, but it is a common story. Many people learn to program as a child, and it is going to become more common now that the UK is pushing for programming to be taught in secondary and primary schools.
Q. In your past life working on the other side of the law, did you consider yourself a ‘black hat’ hacker, someone whose prime intent was to breach internet security? And would you describe yourself now as a white hat wearer?
A. I think the white hat versus black hat label is an unhelpful oversimplification of an activity that covers the entire range of human motivation. The ethics of hacking are not black or white, but more 256 shades of grey, just like any other activity in life.
[256 is the number of shades of grey that can be detected on a computer screen.]
White hats may be recruited to carry out activities normally described as black hat if it was performed by a citizen, such as hacking into computer systems to steal information.
So to that extent I simply prefer the term ‘hacker’.
Challenge: Security professionals who build cutting-edge security tools probably enjoy seeing their work being used in practice to change the world we live in
Question . Putting aside the moral issue for a moment, was it more interesting on the other side of the law?
A. Not necessarily. I think computer security is an interesting issue today that has wide-reaching social implications regardless of your role.
Security professionals who build cutting-edge security tools – such as the end-to-end encryption in the WhatsApp messaging service – probably enjoy seeing their work being used in practice to change the world we live in.
[End-to-end encryption ensures messages can only be read by the sender and recipient, and cannot be understood if intercepted. It can also be used for security in online payments.]
Q. What was your favourite activity with LulzSec, in terms of what you were able to demonstrate to the world?
A. The most interesting was defacing the website of Westboro Baptist Church – a controversial homophobic hate speech group in the US – during a live radio show.
Or my involvement with the Arab Spring in helping activists to secure themselves against surveillance from malicious servers set up by their government’s oppressive regimes.
[The Tunisian government was spying on citizens’ use of social media to identify protesters.]
Attack: Mustafa enjoyed defacing the website of Westboro Baptist Church (pictured) during a live radio show
Q. What is your single best tip for people banking or shopping online?
A. Use a credit card or a separate bank account when shopping online.
With a credit card, you are not liable if an unauthorised charge is made on your card. So if your card information is stolen, the damage is limited.
Q. Are banks behind the times when it comes to cyber security?
A. The majority of UK banks don’t even implement HTTPS encryption properly on their website, and show a poor understanding of how it is implemented in practice when I have tried to probe them about it.
THE WORLD ACCORDING TO 'TFLOW'
They certainly seem to be lagging behind in terms of modern standard security practices.
Furthermore, I think the entire credit/debit card system is fundamentally flawed.
If we were to rebuild the way we make online payments today, it seems outrageous that we would have a system where you have to give every website that you use full access to your bank account to withdraw whatever they want, whenever they want.
That is what you are technically doing when you give a website your card information.
[Banks say that although they don’t have the HTTPS layer of security on their homepage, they do whenever a customer logs into online banking. A spokesman for the British Bankers Association says: ‘Banks have strict security processes in place to prevent criminals stealing customers’ money. Secure servers – or HTTPS – are standard across the industry when it comes to logging in to use online banking.’]
Q. What do the banks need to do to improve?
A. There are some things that banks are doing right, such as forcing two-factor authentication for online banking. [Where a customer must complete two actions to prove identity.]
But there are many modern standard security practices that are still not being followed by traditional institutions, but which start-ups are doing a much better job at implementing – such as having a procedure for security researchers to submit security flaws.
stage fright: Teh Internet Is Serious Business play at the Royal Court last Autumn
Q. How can we better educate ourselves about hacking and online vulnerability?
A. I think educating people about safe computing is a similar problem to educating people about safe sex. It requires a cultural shift where it becomes a norm for people to have basic knowledge on what happens to their data.
There are many campaigns that aim to educate people on basic data security hygiene, such as Cyber Streetwise [a Government campaign to help consumers – visit cyberstreetwise.com].
Q. What is the future of cyber threats in the UK if we continue to be lazy about security?
A. I think we only have to look at the headlines to see the warnings.
With the rise of the Internet of Things and more devices being connected to the internet such as cars, planes and even guns, the consequences of bad security will become more drastic and life-threatening.
Q. Household bill providers want us to sign up and pay online, but can they then protect us?
A. Probably not considering the number of major customer record data breaches we are seeing every year. But whether or not you sign up online, your data will be stored in computerised form.
Trapped: With the rise of devices being connected to the internet such as cars, planes and even guns, the consequences of bad security will become more drastic and life-threatening
Q. How do you look after your own finances? Do you pay with credit cards and use anti-virus software on your computer?
A. I use a separate bank account for online payments but I do not use anti-virus software at all. In my view the effectiveness of anti-virus software is over-rated.
First, it is extremely trivial to create a virus that evades anti-virus software and secondly, only two per cent of company data breaches are caused by viruses. Furthermore, because it requires a high level of access to the system in order to work, anti-virus software has been shown to introduce new security vulnerabilities.
The most important thing a typical user can do to protect the security of their system is to update their software and operating