Sunday, August 20, 2017

The young hacker who schooled PlentyOfFish

As a young hacker with a track record of cracking some of the most well-known websites on the internet, every day brings Chris Russo something new and unexpected.

Within the first month of 2011, Russo found himself wrapped up in the centre of a major publicity storm that pitted him against the founder of the world’s largest free dating website, PlentyOfFish. In the media, Chris was villainized, described as a threat to security who had exposed PlentyOfFish’s 30,000,000 members. It’s not the first time he has stirred controversy with a major website. Just six months earlier, in July 2010, Russo hacked Pirate Bay, making a name for himself with his reported ability to access four million accounts’ worth of user data.

At his home in Buenos Aires, during a Skype interview, Russo paints a picture of the 23 years that led up to his worldwide notoriety. While his youthfulness is frequently mentioned in the media, reports rarely note that Russo already has over a decade of experience. Russo got his own computer when he was only eight and began to teach himself programming by reading forums.

“I [found] I could communicate with computers better than I could with humans,” he said. But his first introduction to the world of hacking came through romance.

“I had a discussion with the girl I was dating, so I got interested in hacking her email account. I guess that was the way I started with security-related topics,” Russo said. After that, he founded and ran several different underground communities before heading off to university, where he studied to become a software engineer at Argentina’s Universidad Argentina de la Empresa.

But as with Bill Gates or Mark Zuckerberg, a university degree wasn’t in the cards. “I was wasting my time… So I just didn’t go back [to university] one day,” said Russo. The years of self-teaching were a big factor. “I already had the technical knowledge in programming that was interesting for me in the career, so I decided to quit and focus directly on my own business.” This led him to create Insilence, an internet penetration-testing business which has grown to employ five researchers.

Today, the word “hacker” has a negative connotation, one that evokes viruses, information theft and fear. Russo is often portrayed as a villain in the media. For example, a February 11 article in the Financial Post said, “Chris Russo must have had some bad online dating experiences. Less than two weeks after the self-described ‘security researcher’ based in Argentina accessed the Vancouver-based online dating website PlentyOfFish, it now appears he has set his sights on eHarmony, a similar web-based romance provider.”

However, Russo explained that he has come under fire because of a stereotype fabricated by Hollywood dramas in the 1990s. He insisted that, unlike the movies, there are distinct types of hackers. “A hacker is basically a person with advanced technical knowledge. This doesn’t mean that everyone who’s into hacking is a criminal.” He added, “You, as a hacker, can provide services to companies seeking … security solutions, release public advisories, create tools in order to expose a certain vulnerability—or sell services to underground communities, develop malware or viruses, sell stolen information or even steal money from others. … This isn’t something related to the profession itself, but the ethics and education of the person. It’s mostly like the difference between a policeman and a thief. The fact that you have skills aiming a gun or analyzing weak points in a structure doesn’t mean that you’ll necessarily use such skills to cause harm.”

So where does Russo stand? Is he a cop or a robber?

While the Pirate Bay hack stirred allegations that Chris profited from selling information about users’ downloads on the site, he publicly denied selling the information.

“The Pirate Bay hack was closely linked to a government, that’s all I can say.” In the case of PlentyOfFish, Russo’s actions take a wildly different plot line, depending on the source of the information. When asked about the incident in person one month later, he said, “I didn’t hack into PlentyOfFish. What we did was reporting a security vulnerability to its owner, just like we regularly do when we find something vulnerable on the web … Many people [think] that hackers like us break into the security of the site, but the reality is that we never broke into it, we just informed about the potential risk of a website running like that.

“If you were a firefighter, and you saw a fire on the street, you would stop to put it out, wouldn’t you?”