Mar 18, 2014 People
From schoolboy dropout to world-famous hacker, Auckland-born Barnaby Jack lived hard and died young. On the way, he changed the technological world.
First published in Metro, March 2014.
The Jägermeister shot glasses are piling up along with the stories in the outside bar of Galbraith’s in Mt Eden Rd. It’s a stormswept Sunday in January, the six-month anniversary of the death of Barnaby Jack. A dozen of his friends are here to remember him in a pub he loved.
Tonight, to them, he’s “Barnes”, their mate, not Barnaby Jack, the man the world knew as the elite hacker who could make ATM machines spew money, insulin pumps inject a lethal dose and heart pacemakers explode at a single command from a laptop — all stunts he pulled not to make trouble, or money, but to make the technology safer and more secure. In the infamously geeky community of computer hackers, Barnaby Jack was a rock star. The man who could party all night and brush his teeth in the carpark on the way to a flawless presentation at 9am.
It’s the first time they’ve gathered since the publication of an American medical examiner’s report on January 4 put months of bullshit internet conspiracy theories to rest. How the mad stories flourished in that charged atmosphere after the suicide just months before of activist and fellow hacker Aaron Swartz, and the car-crash death of investigative journalist Michael Hastings.
But, no, Barnaby Jack wasn’t murdered to derail the presentation of his latest research. And no, government officials hadn’t spirited him away to work on secret projects. The truth was ineffably sadder. On a Thursday afternoon, alone in bed in his comfortable top-floor apartment, opposite The Ritz in San Francisco’s Nob Hill, Barnes died of an accidental overdose of heroin, cocaine and prescription medicines.
There are no judgments here among his friends who gather under a fug of cigarette smoke on the old wooden bench seats outside Galbraith’s, where Barnes used to sit. The stories about him are warm and funny, to be told with a drink, about a guy who loved a drink. Many drinks. A guy who, when asked if he wanted another, would reply, “We’re not here to fuck spiders.”
At his funeral in Auckland, the service sheet says the same thing more eloquently: “The flame that burns twice as bright fades out twice as fast.”
Think hackers and most of us imagine a shady world of extortion and cyber crime practised by preternaturally smart but socially inept nerds bent on exposing state secrets, ripping off companies or crippling the internet. They are known as black-hat hackers. Barnaby Jack was a white-hat hacker, one of the good guys. One of the best of the good guys.
He became world famous in 2010 when, at the annual Black Hat convention on computer security at Caesar’s Palace in Las Vegas — despite its name, it’s where the white hats gather — he showed, with all the flair of a Vegas magician, how he could remotely hack into an ATM. Bank notes flew all over the stage, his peers cheered, and Barnes stood at the podium and nearly pissed himself laughing.
A couple of speakers at his funeral said he could have told them the secret before he told the world. But Barnaby Jack wasn’t that sort of hacker. He told the makers of the ATM machines what their problem was, and got them to fix it. Likewise, when sister Amberleigh jokingly suggested he might eradicate evidence of her student loan, he reckoned it could be done — but he’d have to erase thousands of them or he’d be fingered.
To look at the show he put on in Las Vegas — versions of it have had nearly four million views on YouTube — is to get the sense that this is somehow easy, a matter of tapping a few lines of code into a laptop and bingo! That ignores the feat of engineering and computer genius the work involved, from the moment he bought two ATMs on the internet and moved them into the bedroom of his San Jose apartment in 2008, explaining to the bemused FedEx delivery man he just didn’t like bank transaction fees.
“He took them apart, bit by bit,” his then-girlfriend Dea Hartz says. She came home the day he cracked the hack in 2009, to find champagne glasses out and bubbly on ice. “I got it,” he said. “He put me in the apartment with a glass of champagne and said, ‘Wait and see what the machine does.’ Then he went across the road and the machine started spitting out money.”
But it was the beginning of months of frustration, as Jack’s then-employers pulled his planned presentation from that year’s Black Hat convention after ATM makers made legal threats against them. Their cold feet was one of the reasons Jack left the company soon after.
The ethical dilemma reveals how carefully computer security firms weigh the risk of being seen as the bad guys in the hacking world and, for potential clients, the fine line between being held to account and held to ransom.
“Having one’s ATM so publicly attacked can never look good,” ATM company rep Henry Schwarz blogged after Jack’s demo.
Lawyers were called to discuss options, Schwarz wrote, “my favourite of which was to have a US attorney frog-march Barnaby out of his workplace in handcuffs”. But he said that while they started as adversaries, they ended as friends. “And Barnaby got his 15 megabytes of fame…”
And more. Jack’s hack — Jackpotting, as it became known — was featured on news channels around the world. Overnight he became hacker royalty. “I’m on the good side of the fence,” he told interviewers. “I couldn’t really bring myself into a criminal life. Besides, my mum wouldn’t like it if I was in jail.”
Sammi Jack remembers her son’s fifth-form maths teacher pointing to his desk in the classroom at Auckland Grammar during a 1993 parent-teacher interview. “That’s where your son sits, physically,” he said. “Where his mind is, I have no idea, because it’s not in this classroom.”
Unrecognised genius is a label desired by many but visited on few. Months later, Barnes was expelled for repeated truancy. He spent the last of his school days at Selwyn College, where his mind was still, determinedly, not in the classroom but in the makeshift lab in his bedroom. Here he drank Coke, ate two-minute noodle sandwiches and took computers apart to see how they worked.
“He could see vulnerabilities in lines of computer code the way other people see spelling mistakes in words,” says Selwyn school friend and long-time mate Will Stow. He bought a lock-picking kit off the internet (ticking the box that swore he was a registered locksmith) for no other reason than he liked the challenge. He became expert, but friends say they never saw him pick a lock attached to a door.
And all the while, Sammi and Barnaby’s dad, former Radio Hauraki pirate DJ Mike Jack, despaired their son would ever make anything of his life. He went on the dole and taught himself about computers from books he ordered from a fledgling Amazon. “I thought he was wasting his life on computer games,” says Sammi, who offered him $50 if he’d get a job. He got one at VideoEzy and sold computing codes to businesses on the side.
But it was in online hacker chatrooms, using the moniker Dark Spyrit, that Jack came to the notice of American computer wunderkind Marc Maiffret, in the late 1990s. Maiffret would ultimately hire him and lure him to the US to work at the security research company he founded.
Maiffret, who achieved celebrity status testifying before Congress and being named one of People magazine’s 30 People Under 30, had hacked into government and corporate servers as a 16-year-old runaway. After waking up to an FBI agent pointing a gun at his head, he changed sides.
While Maiffret is famous for being the man who found the first vulnerabilities in Microsoft Windows systems, he says he couldn’t have done it without Barnaby Jack.
“We discovered a way to basically break into any server that was running Microsoft software,” Maiffret told Metro. He also tells us exactly what help Jack provided, something the computer world calls a “buffer overflow exploit”. You’ll have to Google it.
Maiffret says while Jack became famous in the mainstream through his ATM exploits, he was highly regarded in the industry from a decade before, after writing one of the most widely known papers on how to leverage Windows security issues — how to exploit the vulnerabilities to do things other than simply crash the system.
“He was one of the absolute pioneers of Microsoft security research and he’s a large reason that Microsoft as a company has completely changed and takes security more seriously. And yet, while he’s changed companies like Microsoft for the better, it’s old news and people don’t even remember it.”
Like Jack, Maiffret dropped out of school at 16. He says it’s common for security researchers to be “self-educated”.
“You have to be curious and a bit rebellious. But it’s one thing to be curious and another thing to be curious to the point of ‘how do I manipulate something to work in a way it’s not intended?’” He says at the time of his FBI arrest, there was no clear career path for hackers. “We learned by breaking into other systems because that was your only outlet.” His security research firm, eEye, was one of the first started by a hacker.
Maiffret was keen to have Jack join him at eEye in the early 2000s, but Jack’s father had been diagnosed with prostate cancer in 1997 and Jack refused to leave New Zealand. Mike Jack died in 2003, aged 59, with Barnaby and Amberleigh lying next to him in bed, his favourite song, “Me and Bobby McGee”, playing in the background.
Mike and Sammi had separated before Mike died, but the family remained close and Barnaby’s friends think he never got over the loss of his dad. Sammi says he phoned her, sobbing, from San Francisco, after he heard “Bobby McGee” on the car radio as the Golden Gate Bridge, one of his father’s favourite landmarks, came into view.
They suspect his legendary penchant for partying was partly driven by that grief, and his separation from the family he loved so much. Amberleigh puts it a bit differently: “Barnes lived for adventure of every kind.”
Hartz recalls, “He constantly missed his family, but socially he was the happy guy, everyone’s drinking buddy. He told me one of the things that attracted him to me was that I was so close to my family. He needed that feeling of comfort, from not being able to see his own all the time.”
In a poignant February 2012 email to Amberleigh, Jack admitted that “no matter what I have, even if it’s good money, friends (have fuck all out here tho, tbh) and even a girlfriend, I’m like never SUPER happy. I mean I have my moments. But that’s usually after I present something and everyone digs it — maybe I’m just a glutton for validation. No one’s life is perfect or even mostly awesome.”
Jack was so modest about his own abilities, Amberleigh says, “he never believed he was so special he could do something no one else could.” She thinks he never learned to drive “in case he sucked at driving”.
In his email, he describes himself as simply getting lucky. “I honestly didn’t care about money… if anything, it just put more pressure on you to be good at shit. Basically just threw myself into it and lucked out a couple times but only to try to get the respect of people in my industry and validate my work. Which now, I have. I’m OK at shit but… you’re a lot brighter than me lol. I just picked a field that hadn’t been touched at the time, and got in early. Turned out to pay well. Was never even my intention… I was just fucking round on the computer on the dole. These days I feel better about my work but there’s so much pressure on me coz of the reputation I’ve built (def not a bad thing) to come up with the next big thing…”
Jack was not simply “OK at shit”, says Maiffret. “He touched everybody. He was universally loved. It wasn’t just because he did some of the greatest research anyone has done in our community, but that he did it in a way that had no ego and no agenda, just a passionate love for it. He was the hackers’ hacker.”
Sometimes, that brainpower kilowattage comes with a cost. “When you have someone who is literally a genius like he was,” says Maiffret, “it’s hard because so many aspects of life and the world weigh on somebody like that a lot more than your average person. It’s like the gift and the curse.”
That’s also true for the strange and driven isolation of the hackers’ work, which can see them go days without sleep. Says Hartz: “You get an idea and you don’t stop working on it until it’s done and that means not sleeping. I think that’s what drove him to take stuff to keep him awake… and ultimately, once you start that…” Once you start that, the cycle begins. Taking a pill to stay awake and another to put you to sleep.
“When you’re chasing the problem or chasing that hack, it’s hard to turn your brain off and walk away from it at 5 o’clock,” Jack’s former manager Steve Manzuik explains. “As you get closer and closer to finding what you’re looking for, finding that bug, you get more and more motivated to keep looking, more excited about it.”
The partying — which he says they all did to excess — was as much about forcing the brain to stop thinking about the problem as it was about having a good time.
Maiffret remembers collapsing in a bar in Amsterdam and badly gashing his head after speaking at a Black Hat conference. “Everyone was wasted. Barnes and the guys got me back to my room and we were wondering if I should go and get stitches. Barnes rang his mum and she said, ‘Go to the hospital.’ But our brilliant plan was to hold a washcloth to my head and if it was still bleeding in the morning, then we’d go. It was the complete opposite of all the brilliance we’d been showing from a professional perspective.”
While some of the stories sound like plot lines from The Hangover movies, Jack’s antics were always good humoured. “There’d be times in a pub where I’d be positive there’d be a guy getting ready to punch Barnaby in the face and I’ll turn around and next thing the guy’s buying him a drink like they’re best friends,” says Manzuik.
“The bar would be closing and Barnaby would say, ‘We’ll go to another one and keep the party going.’ He never wanted it to end. Most people hit that wall, like, ‘Wow, no more beers for me, I’ve had too much.’ Barnaby didn’t have that wall. He didn’t have a limit. There was no line for him, and at some point, alcohol’s not going to do it for you anymore.”
Working from home in San Francisco, 1300km away from his Seattle-based employers, would have given Barnaby Jack plenty of opportunity to slack off. But he never did. After the ATMs, he pushed himself to find the next “big thing” — hacking into heart pacemakers and insulin pumps. As he did with the ATMs, he first bought the devices and took them apart to see how they worked, and talked to patients about how they used them.
Australian hacker Mark Dowd says Jack’s work was not only cutting edge, it required hundreds of hours of effort. “I could look at his stuff and go, ‘Wow, I don’t even know where to start.’
“When you look at very specifically designed embedded systems such as medical devices, often the companies that design them have gone out of their way to make sure it’s quite difficult to work out how they work.
“There are some things that can be pretty show-pony stuff — stunt hacking, we call it — but his weren’t just some easy system he picked that no one happened to bother looking at. It was the opposite. He picked things that were quite challenging, and predominantly security focused. It was very technically impressive work.”
Colleagues say Jack was always motivated to find the vulnerabilities before the bad guys did. A Washington Post blog called him “the hacker who wanted to save your life”.
Often the possibility of the bugs he found had been explored only on television or in movies. The first series of Homeland , for example, featured scenes in which a terrorist remotely hacked into the pacemaker of the Vice-President of the United States, after accessing its serial number. Doctors quoted after the show pooh-poohed the idea as “not possible in the real world”.
Jack showed it was possible. And in a blog in February last year, he wrote: “TV is so ridiculous! You don’t need a serial number!” He said the goal of his research was not for people to lose faith in the devices, but to improve them.
While Jack had already presented his research on hacking pacemakers, he was said to have new discoveries to reveal to the Black Hat convention at which he was scheduled to speak just a few days after he died.
His boss at IOActive, Jennifer Steffens, told Metro it was too early to say whether Jack’s demonstration would be presented this year by another researcher. But she says he worked with others, so his knowledge would not be lost.
Much of Jack’s work was never going to make big money because he gave away the “fixes” for free: anything more could be construed as extortion.
But his reputation was valuable and Jack would have been a popular target for industry poachers. His $US200,000-plus salary wasn’t high for someone of his status, but at IOActive he was allowed to spend around 85 per cent of his time on his own research, because the company knew how important it was, and it knew the worth of the resulting publicity.
“He was a brilliant mind and he was fearless in terms of how to extend his technical abilities and how to apply them,” says Steffens. “He wasn’t scared to tackle something new. Losing that as an industry overall is heartbreaking.”
How important a hacker was Barnaby Jack? “He was an absolute fricken rock star from Mars,” says Australian journalist and podcaster Patrick Gray, who specialises in information security.
“Number one, I would say. It came down to combining world-class research with showmanship. A lot of people in that industry are not rock stars. He had risen through a group of people who are not known for being socially brilliant and he was just Mr Cool. But he was cool for everyone — just insanely popular.”
Jack was found dead in his bed by his girlfriend Layne Cross in the early evening of July 25, 2013. While his friends told the medical examiner he would use opiates and the sedative Xanax, his prescription medicines showed no evidence of abuse. No alcohol was detected in his body. An accident, a simple and fatal miscalculation.
Barnaby Jack was 35 years old.