Meet the 17-Year-Old Who Hacked the U.S. Air Force

HackerOne Co-founder Jobert Abma (left) with Jack Cable (right) in July.

HackerOne Co-founder Jobert Abma (left) with Jack Cable (right) in July. Photo courtesy of HackerOne

Featured eBooks
The IT Modernization Mission
Read Now

Ransomware Threat

Read Now

What's Next For Government Cloud

Read Now

Federal Agencies Exploring Computing at the Edge

Read Now
Jack Corrigan By Jack Corrigan,
Staff Correspondent

By Jack Corrigan

|

Chicago high school senior Jack Cable moonlights as an ethical hacker.

Jack Cable is 17 years old. With a thin build and large, square glasses, he looks like any unassuming high school senior from the Chicago suburbs. Except he’s a military-grade hacker.

Cable recently finished first in Hack the Air Force, a Pentagon-sponsored bug bounty program that recruited ethical hackers to find security holes within Air Force networks. In total, the service paid out $130,000 for 207 vulnerabilities hackers uncovered in the competition. Cable himself found more than 30 of those, including one faulty admin panel that could have been exploited to upload files and modify content on a military website.

Cable is ranked 73rd overall among members of HackerOne, a worldwide community of thousands of hackers that organizes bug bounties in the public and private sector. His success in Hack the Air Force helped him rise to fifth in the group’s third quarter rankings.

The bug bounty program comes at a time when the government finds itself struggling to attract top talent like Cable to cybersecurity positions. Last week, the General Services Administration announced it will host its first ever tech and cyber recruiting event in November, where federal agencies could offer jobs to qualified candidates on the spot.

Nextgov sat down with Cable to ask him about his beginnings, bug bounties and plans after graduation:

Nextgov: So how did you first get involved with bug bounties?

Jack Cable: I started out hacking about two years ago when I accidentally stumbled across a way to get an infinite amount of money on a financial site. I was able to send negative amounts of money to other users, and that would put their money into my account. I reported it to that company and they ran a bug bounty program, so I got into it from there. It was a Bitcoin site called ChangeTip, I think they since shut down. I eventually found HackerOne and U.S. government bug bounties. I’d been programming for about 5 years [at that point].

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Nextgov: What keeps you coming back to these competitions?

Cable: I really like the challenge that comes with bug bounties. It’s always fun to be able to find something you shouldn’t be able to do — also the acknowledgement from the companies to say that you’ve found vulnerabilities and that had a big impact. I’ve met some really cool people along the way.

Nextgov: Which groups have you participated in bug bounties for?

Cable: I’ve done three of [HackerOne’s] private U.S.-government bug bounties, with the Pentagon, the Army and the Air Force. Outside of that I’ve worked with Uber, Yahoo, Salesforce, and a few others.

Nextgov: Why do you choose to report the vulnerabilities you find instead of taking advantage of them?

Cable: There are a few reasons, I think. First of all, obviously, it’s really risky to try to exploit them. You could go to jail, which is pretty bad. Also it’s just really the ethical way. You can feel good about [hacking]. The company’s glad that you’re doing it and they want you to keep hacking with them. Instead of being punished by them, they want to meet you, they want to help you find as much stuff as you can on their websites.

Nextgov: What is it like to be a military-grade hacker and still be in high school?

Cable: I’d say that it’s not that different. I wouldn’t say that’s anything truly exceptional. It’s just that I’ve participated in programs run by the military and happened to do well in them. I’m taking a normal load of classes [including] two math classes at Northwestern [University]. I’m applying for colleges and I’m interested in going in for math or computer science. I’m looking at Stanford and a lot of East Coast schools like Harvard, MIT and Princeton. Also the University of Chicago.

Nextgov: How do you see yourself and bug bounties fitting into government cybersecurity strategy?

Cable: What the government has recently been doing with bug bounties shows that they’re starting to become much more proactive with their security. By holding these bug bounty programs, they’re able to ensure their sites are much more secure and make sure no hackers can easily get into them. Having hundreds of different people looking at your website allows people to try tons of different ways versus a cybersecurity firm that might only apply a few different methods of trying to find vulnerabilities.

Nextgov: How do you view government cybersecurity after participating in these bug bounties?

Cable: With each program there’s been a significant increase in the security of the websites. Hundreds of the top hackers have tried to get in and they’ve reported everything they’ve found. In that aspect, [the websites are] much more secure. Regardless of how secure a website is, it’s going to have vulnerabilities. That’s why running a bug bounty program is really helpful to weed out vulnerabilities that might not be as easily found.

Nextgov: What are your long term plans after high school and college?

Cable: Right now I’m just sort of exploring different areas. Government could be something interesting. [The Defense Digital Service] might be something interesting to work for temporarily, just to get some experience on a different side of things. It’s only two years so you’re not committing to anything long-term, you’re just working for a set period of time on something cool.

NEXT STORY: Hackers Broke Into SEC Computer Systems and May Have Traded on the Stolen Information

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.