Hi Sofya and thank you for your time with Red Hot Cyber. We’d like to have a little talk with you and learn more about your story as a security analyst but also as a Former Electronik Tribulation Army member.

RHC: Someone told us that you are an ideologist when it comes to the hacking subculture: what are your values?

Sofya: Thanks so much for reaching out to me. I got really excited when RHC offered to interview me! And yes, absolutely I’m a hacker ideologist. I’m so glad you asked about this.

So, ideologically the hacker subculture is kinda messy. Hacktivists for example, generally tend to sling popular terms around like “freedom” and “fighting government corruption” alongside popular sayings we’ve all heard by now, such as “We are Anonymous. We are Legion. We are Many. Expect Us.” But what does any of this mean exactly?

While this sounds like really exciting stuff, it’s completely devoid of any ideological substance and doesn’t really express what they believe, or are supposed to believe, embody, or do. The last part is the most important. It doesn’t really matter what you tell people regarding your beliefs, because what you do says it all.

Hackers generally don’t really follow any particular ideology or code if it isn’t something that’s motivated or inspired by some personal inner desire. Hacktivists desire justice by trying to expose injustices. The cybercriminals we all read about online pretty much demonstrate that their motivation is the desire for illicit gains through exploitation. This is no-brainer stuff. But for some reason nobody really wants to broach these subjects at face value.

Those people who are inspired by curiosity as their motivating factor hack to satisfy an inner desire to learn how things work, which is very self-validating and really empowering! Imagine being told all your life that you’re weird or stupid. As a consequence, you grow up feeling like you don’t belong anywhere. That can be a really low blow against your self-esteem, but hacking has a way of healing a broken sense of identity.

Hacking really is like a journey of self-discovery, and acceptance of who you realize you are on a core level. So yeah, its extremely elating and validating to be able to figure out what’s wrong with a system and to be able to be the one to exploit it and gain access, just as it’s an endorphin rush to figure out how to write a patch to fix a vulnerability in order to keep the bad actors out.

In essence, we discover that we are in fact unique because of the way our minds work, regardless of our differences in motives, which is completely counter to the way most of us were raised or taught. It’s anti-conformity at its core.

As far as ideology is concerned, the best place to start is hacktivism, which is supposed to be a composite of activism and hacking. Hacktivism is a weapon designed to fight for those who are oppressed and a means to express what we believe in an rather aggressive way. When the system isn’t listening, we use computers instead of megaphones.

There are instances when the law just has no real invested interest in a matter or an incident is beyond their reach, and by sweeping it under the rug and ignoring the problem, the oppression increases for want of justice that is both satisfying and meaningful to those who are hurting.

When this happens, people become desperate because they feel their voices aren’t being heard, which in turn makes people become more desperate because they see no rectification in sight. That is why hacktivism exists. We become the last line of defense when no-one else will. That’s why I had to turn to the ETA in the first place. Nobody would listen to me. But hackers listened, and that changed my life.

But because I feel most hacktivists have never truly been adversely affected by any real injustice, they don’t know how to actually defend people in their time of need by using their skills to create lasting results that affect real life.

Instead, they end up merely bouncing from country to country, targetting this government and that government, doing database leaks of account information that doesn’t actually have any basis in directly addressing or altering the conclusion of any particular injustice they’re suddenly campaigning against, nor does it leverage governments at the legislative level to create meaningful change.

Passwords might be exposed, but the individuals who are guilty of causing the injustice aren’t ever held accountable. It’s almost as if hackers have ADD or something, or as if they’re “role playing” liberating peoples and States. Thus, it becomes more about egos and “the lulz” and less about the mission or what they claimed to believe in the first place.

How many “governments” can we hack? The more targets, the more believed power they wield. But when it’s all said and done, not a single brick has been thrown down. Everything remains as it always was.

What’s even worse is when hacktivists go “off script” and begin attacking innocent businesses for the lulz, who otherwise have absolutely no stake in anything relating to corporate corruption.

They merely find a vulnerability, and then punish the company for not knowing about it. It’s bullish behavior, and it blurs the line between being heroes to being corrupt themselves. This is why ideology is critical. Without it, there’s nothing substantial to really stand on, and if you’ve got nothing to stand on, what do you really stand for? Whimsical hacking where ever the wind blows? We have to think bigger, which is why hacktivism needs to mature in order for it become effective in a way that affects real life in a meaningful way.

Without activism, where is the hacktivism? In today’s world, you don’t really see or hear about hackers helping activists, you know, actual real people on the ground who are taking all the real risks, while we remain safely hidden in the comfort of our own hackerspaces. Something is seriously wrong here!

Activists aren’t being helped by the hacker community by providing tactical support or assistance when things take a turn for the worst. We haven’t learned to unify with activists, and we haven’t learned to maximize our attack surface by focusing on one area and liberating it before moving on to the next.

The hackers that do fight to protect the defenseless and comfort the oppressed you never hear about in the news. The ones who are fighting for social change and against racism and injustice are plentiful. But the ones capable of actually making results are extremely rare.

But the most important thing I’ve learned about hacking is making sure you’re in the right.

RHC: We talked about your appearance and how this doesn’t help at work, especially when men “act like men”, treating beautiful girls as stupid: we are more interested on how you are inside: what “color” are you?

Sofya: I’m guessing you’re asking me which color hacker hat I am? Apart from my red squishies inside, I really can’t categorize my inner color or motives by a hacker hat color. Let me explain or else this could end up sounding really bad!

It’s assumed that being a white hat means you fight to uphold the law, report incidents, and always do the right thing when operating a computer. But what happens when circumstances compel you to do something “bad” in order to do the right thing?

Check this out. On one occasion the company I work for had a customer whose server was suffering a brutal Denial of Service attack, even though we offer DDoS protection to our customer base. This was a huge client for us, and they already threatened to withdraw from our services and find business elsewhere.

The attacker was slamming the domain our customer was using and not the actual IP of the server hosting our customer’s website, which means packets were being redirected from the domain to the web host, eating up all the bandwidth and crashing the website, sure. But nobody hits a domain name! C’mon! Only a script kiddie would do that.

I took control of the situation, my way. I logged into our customer’s domain controls (don’t ask me how I knew the login) and pulled the IP address used by the attacker from our IDS logs, replaced the IP of the web host with the attacker’s IP address into the domain name, and ended up redirecting the packet attack right back at the attacker.

My boss had me dead to rights! Like, I should have gotten fired or something or worse. But my team just blinked, said not a word. That was my ‘mic drop’ moment. Later my boss called me into his office and told me, “Great work. You saved our asses. But don’t ever do that again. I mean it.” I felt it in my jellies that this was the right thing to do.

RHC: Do you think there are some barriers for women to enter into cybersecurity? We mean, it’s hard to find a voice there? What advice would you give to girls who want to start a career in cybersecurity?

Sofya: It’s not really difficult for women to find careers in cybersecurity, but what does pose a challenge at times is having your contribution to the industry taken seriously.

This isn’t always the case everywhere, because it’s usually an environmental problem, an attitude engendered and allowed by male roles in the workplace as part of the office camaraderie or vibe. Yes, it’s a male-dominated industry.

Yet women in cybersecurity everywhere show that they are equally capable as anybody else and that we don’t need special treatment based on how we look or what we know. That day I proved to my security team that I was as capable as anybody else in the room, they started treating me like I was one of them, which is quite a contrast to the stupid comments I used to get, like, “You’re so beautiful. I didn’t know women can be beautiful AND smart.”

Male colleagues are sometimes really intimidated by a brilliant woman, and society’s patriarchal upbringing is the cause for this. As a feminist, I don’t stand for gender superiority of any kind. I just want equality and for the industry to take women contributors seriously.

RHC:How did you become a member of Electronik Tribulation Army?

Sofya: Oh my gosh, that was so long ago! Back then I went by a different alias, G3nys1s aka Jenna Thesis. So, check this out, I was 17 years old when I got involved. It was 2007 and I was being stalked and cyberbullied really badly, and I literally had no one to turn to. Online trolling has only gotten worse with society’s inalienable attachment to social media validation.

The stalker was trying to get into my email, my instant messenger, and actually managed to guess his way into my email account and gain access to my Myspace account and download all my pictures that I kept private. From there he was able to get into pretty much every account I had used that email to register with. Worse, this freaking sick brain job even installed a backdoor on my computer and had been watching me through my webcam.

I kept getting creepy texts and anonymous calls incessantly. My mother was like, “Sofya, why don’t you just keep away from the internet for a while?” I didn’t tell her about the calls, or else she would have taken my phone away. The internet was my way of escaping real life.

I mean, staying offline wasn’t going to help. I lived on the internet. That’s how I coped with everyday life, and hell no, I wasn’t going to let my abuser/stalker put me in submission to his will like that. Nope. Not gonna happen buddy.

I was in high school. I wasn’t really popular. I was that quiet scary goth girl with safety pins lined up my pant legs and pinned along the hem of my backpack which was full of Pokemon cards and tattoo magazines because I was obsessed with drawing flash art. I didn’t fit in anywhere.

But anyway, I changed my phone number but he managed to get that number too. He had everything, and there was nothing I could do about it. It was so awful. I was paranoid, super depressed, and suffering terrible insomnia. I tried talking about it with a school counselor, and she was like, “Have you considered taking some time away from the internet for a while?” That only made me feel more hopeless because nobody cared.

One day out of the blue I decided to Google “Hacker for hire”. Ghost Exodus was the first thing that popped up. I didn’t have any money, but I talked to him about what I was going through and he went after the guy and figured out who he was and managed to crash the guy’s computer and keep him off the internet.

Basically, Ghost reverse-engineered the malware he found on my computer and traced it back to a command and control server (C2) the guy was using to communicate with the malware on my computer. As it turned out, the stalker was old enough to be my dad. It was really disgusting.

After that, he invited me to hang out with the ETA and taught me how to defend myself online through OPSEC techniques, social engineering, creating honeypots to trap targets, and how to obtain the personal identifiers of a target through OSINT techniques. The learning curve wasn’t too hard, it was just a lot to take in. If it wasn’t for the ETA, there would be no W1nterSec.

The reason for the “1” in W1nterSec and my screen name is that is represents 1 life. I adopted this ideology from a movie, a belief that if you could save 1 life you could save a thousand. Who can know the consequences that may come from saving 1 life? That person’s life you saved could positively affect the lives of countless more. That’s why human lives are immeasurably precious to me. I want to love on people, tell them how beautiful they are, and that their lives have meaning.

RHC: You – as a cyber vigilant – are currently running sting operations against online pedos. Can you tell us more about that?

Sofya: I actually started participating in online sting operations with the ETA in like 2008 or 2009. They had this monthly event called “Catch-a-Pedo Month.” Back then we just hung around on IRC chats luring the targets in with suggestive screen names. Noways, I am the leader of the group, W1nterSec – W1nter Security.

One thing I’d like to say is that sexual predators are not only male. While men seem to be mostly behind these kinds of cases, women are just as culpable but seem more into this really twisted sense of parental and child roleplay. Predatorial behavior is perpetrated by both genders, though it’s often expressed differently.

Our operators use popular chat apps and websites to lure and profile targets. To avoid issues that could constitute “entrapment” we don’t approach users, but rather, they always approach us based on the suggestive themes displayed in our screen names.

As a rule, I always establish that I am underage right away. This way, when the conversations enter the scope of what constitutes sexual solicitation and enticement of a minor, (which is a federal crime that can carry up to ten years in prison), as long as we can solidify actionable evidence that meets the legal criteria it can and will lead to an arrest.

Another fundamental rule is that I forbid the use of any kind of media depicting actual people, underage or not. For one, using someone’s pictures without their consent to lure pedophiles is a disgusting practice, even if the images aren’t nudes. Sadly, this is the method used by law enforcement which makes no freaking sense at all.

Instead, if the situation necessitates escalation, I will sometimes use powerful photo filters to alter my age and render pics of myself as a 14 girl. Many targets I’ve interacted with can be kinda dubious that I am in fact a real person, so I use this alternative as a solution in order to continue tracking my targets and close the case.

Finally, it’s a critical rule in W1nterSec that our operators do not try to obtain incriminating evidence illegally through hacking. We don’t want to jeopardize the success of a conviction, so everything totally has to be done the right way.

An important note, local law enforcement are not the best authorities to report these kinds of cases to, as it is not their jurisdiction. If they receive a criminal complaint and act on it, they will hand it off to the FBI, who specialize with this kind of thing.

RHC:What are the most difficult cases you worked on?

Sofya: The difficult cases are the ones where my targets have really good OPSEC, such as cleverly refraining from revealing who they are, or when they’re using a VPN or some other kind of IP anonymizer.

This usually tells me that either they are tech-savvy to some degree, so the urgency is even greater. Because of this, sometimes targets slip through my fingers. For example, I’ve been hunting for a couple of months what I suspect to be a child sex ring. I’ve spoken to what I believe to be a recruiter for underage girls, but the target is extremely slippery.

But because I always know where to find these same individuals online, trust and believe I try again! I go out there intending to slay! I have obsessive-compulsive tendencies, so it’s hard for me to cut my losses. I will stay up for days sometimes hunting a target. They might talk to me three or four times, supposedly talking to a new girl each time, just so I can try different approaches to unmask who they are.

When a target’s hiding behind a VPN and adamantly refuses to divulge information, it’s the hardest. At the same time, the FBI can’t arrest people based on your belief that they’re pedophiles. You need proof or a judge isn’t going to find probable cause for an arrest warrant, and no self-respecting Agent is going to embarrass themselves requesting a warrant from a judge based on frivolous speculations.

My best bet is to get them to send me pictures. You see, pics oftentimes contain metadata such as geographical location information that can help me get an idea where the pic was taken. Because of this, I will lure the target onto a chat platform that I know doesn’t strip metadata from media files. That way I can extract it, analyze it, and put the location of the picture was taken on the map.

But, you know, this doesn’t always work. So, I will upload the target’s pictures to a facial recognition search engine, which will crunch algorithms to compare and match their facial geometry to other pictures on social media. This is how I managed to catch one really slippery pedo who adamantly insisted on meeting me in the middle of the night. He’s lucky he didn’t. I would have whooped his ass.

RHC:When it comes to online pedophilia, are there things you can advise kids to do, how to protect themselves and above all things not to do absolutely online?

Sofya: The number one thing sexual predators seem focused on the most is wanting to meet underage boys and girls in person. The second thing is wanting videos or pictures. They’re sweet talkers, and use all kinds of gentle manipulation tactics to try and seduce them. They’re suave. They try to be cool. Teachers are among the list of creeps, and they know how to talk to kids because they spend every day in the classroom with them.

They’ll want to take them out to dinner, the movies, offer money, suggest “casually hanging out”, whatever. They’ve asked me for my address, phone number, things about “my parents”, anything to try and get a lock on where you live. Steering clear from adult-themed chat rooms that are sexual in nature should be avoided.

RHC: How to keep children safe online? How to tell them to be careful? Have you performed some code of conduct for them?

Sofya: If I had kids, I’d have a serious sit-down with them and tell them about the reality of the kinds of people that lurk online and why they’re extremely dangerous. Again, stay away from chatrooms like that, and don’t send pictures or videos to people you don’t know, and DO NOT EVER give out your actual phone number. Phone numbers are easily reversed. How else do you think we know where these people live?

RHC:What about cyber bullies and what happens when cyberbullying takes the form of hacking into someone to harass, humiliate or post private information?

Sofya: This is a super touchy subject for me. Yes, fighting pedos is one thing. But now you gotta worry about online trolls, and trolls with hacking skills are the worst because they’re like an STD. They literally can possess the power to destroy your life and everything about you.

Finding pleasure and gratification in inflicting pain on defenseless people is sadistic. That’s why I have a real soft spot for people who are experiencing stalking, bullying, and abuse. I want to hug them and tell them they’re going to be okay while I sharpen my ax. Once I go hunting, I never rest until I’ve broken the power of their abusers.

Hacker fights are brutal. When two cyber superpowers go toe-to-toe, things get radical and scary because we are capable of devastating attacks that are desperately focused on self preservation.

RHC:The Internet is very different from the past: what can you tell us about security nowadays?

Sofya: I’ve been watching cyberattacks become more and more sophisticated over the years, as well as their attack surface increase exponentially. There is certainly no computer system, network, or industry that’s off-limits.

Nation States have their own cyber armies that are committing industrial espionage, and money greedy cybercriminals seem to have multiplied like chickenpox in a race to poison everything that people enjoy. There seems to be no moral compass. It’s dog-eat-dog and every person for themselves.

We had our own share of bad eggs years ago, but statistics from virtually every single cybersecurity company that publishes annual threat analysis reports show we’ve got our work cut out for us. Human nature will always remain the same. The only difference is that financial crimes have become easier to commit since information and access to hacking tools have become more mainstream and easier to find.

RHC: What do you think about the security of social media networks or online videogames?

Sofya: Hey, if it’s connected to the internet, theoretically anything can potentially be vulnerable, right? But nowadays, we should be thinking that hackers aren’t the only threat to the integrity of our personal security. What about the services we use that harvest metadata and use algorithms to predict what we’re about to say, and send us targetted ads? Check this out. If I wanted access to your microphone and your contacts and sell your data to advertisers I’d probably go to jail.