Meet The Young Hacker Who Breached The Comelec Website
20-year-old Paul Biteng hacked the Comelec website. They said he could face up to 20 years in prison. Jail—or could it just be a huge waste of young brain?

Six months ago, the NBI arrested 20-year-old Paul Biteng for hacking the Comelec website, said to be the biggest government data security breach in history. They said he could face up to 20 years in prison. Jail—or could it just be a huge waste of young brain?

"You have dialed a highly classified top secret phone number. We are now tracking your location. You cannot run. You cannot hide. There is no escape. In two minutes a special commando team will swoop down on you and will arrest you with whatever means necessary. Do not—repeat—do not even think of escaping. You have illegally tapped into the secret government communications network. You have just dialed yourself into being one of the most wanted terrorists in the world. So—

—Just stay right there, okay?! Don't hang up! He'll answer the phone eventually!"

That is Paul Biteng’s ringback tone. The kid is alright, but he’s got a sick sense of humor. For a while there, we thought it was real. The kid having done what he did, we’d have believed every word of the stupid ringback.

In April, Paul Biteng, 20, was on national news when he was arrested for hacking the Comelec website. Hacked government websites are not new, but Paul’s timing was impeccable: he did it with a little more than a month to go before the 2016 presidential elections, just as the Comelec was at a critical juncture preparing for the automated polls. The government agency said their system was secure; not long after, data on 55 million voters—including passport details and fingerprints—was leaked on the web. Some news reports claimed it was the “biggest government-related data breach in history.”

A 20-year-old did that, and that was our story.

After almost a month of looking, FHM tracked down Paul, now out on bail, through a fellow hacker. Following a series of text messages and a few phone calls (with the first one pranking us good), he agreed to meet in a mall somewhere in Manila.

At the meet-up point, it felt like a Ludlum thriller. We were to rendezvous with PhantomHacker Khalifa, responsible for the biggest government security data breach in history. Fifteen minutes of standing around in the mall, three security guards had placed themselves at strategic points with direct lines of sight to us, them communicating on their radios. Our photographer was carrying a backpack; we figured they thought we looked suspicious. Maybe we were.

Then Paul arrived.

He was sipping on Starbucks and had on a V for Vendetta t-shirt. His hair was wiry and he had plugs for earrings. He was lanky, about 5’5”, and he had this silly grin on his face. He didn’t look like he had graduated from high school yet. He was with a girl—not his girlfriend, he said—who looked even younger.

“Have you been here long? I was just keeping her company, she had to buy something,” Paul said apologetically.

We agreed to do the interview at a bar two streets down from the mall. We asked him if he was allowed in the place; the girl knew the place and said he could go in, besides he had his ID with him.

Suddenly, it didn’t feel like Ludlum anymore. It felt like we were going to play DotA. 

Tech crunch

“I was detained at the NBI for twelve days. It was just my mom and dad doing the legwork [so I could post bail]. I was able to post bail with the help of family, friends, and fellow hackers,” Paul says.

He recalls he was outside their house, smoking a cigarette, when the NBI picked him up. It had only been a couple of weeks since he graduated from Perpetual Help College in Manila.

By his account, Paul wasn’t what you would consider a “master” in the hacking community, as the reports made him out to be.

“That came from school. It’s not that I’m hardworking… well, yes, hardworking at reading code. As long as it’s programming, I’m interested. So I finished the activities quickly, which is why my classmates called me ‘master.’ But in the [hacker community] they don’t call me that.”

It has been determined that although Paul hacked the Comelec website, he didn’t leak the information on the web—two other hackers who got his codes in their community forum did that. “They [Comelec] kept saying it was secured, so I tested whether a hole could be poked in it—that’s our term for it there, ‘butasin,’ to poke a hole so you can get in. I found something, so I reported it [to Comelec]. But they didn’t reply,” Paul says.

Here is how Paul may have done it, from a geek perspective, according to two IT experts—Pierre Tito Galla, a consulting ICT expert for various government institutions like the Senate and Congress, the National Telecommunications Commission, and the Philippine National Police; and Marie Ricana, who has held IT admin and director positions at various government and private companies:

“Biteng may have exploited an existing vulnerability/set of vulnerabilities in the website. Likely, the vulnerabilities existed because the patching and security updates of the website were not done faithfully, in a timely manner, and with a sense of urgency,” Galla explains.

Ricana speculates Biteng did an SQL injection via Voter's Registration Status Verification/Precinct Finder. “The reason why I thought [he did it] through the Precinct finder is because, 1) Using an open text box form is an easy and careless way of doing searches, especially if you don’t take the necessary precautions; 2) [The Precinct finder] has a direct access to [Comelec’s] voters’ database (which is the database that was actually stolen); and 3) Of all the services in the Comelec website, it was the first to be removed from the site.”

This was a pretty easy job to do, too, say Ricana and Galla. “On a scale of 1 to 5 [on the difficulty scale], it’s probably a 1,” says Galla. “Scripts that do these things can be copy-pasted from so many places, and they aren't all in the dark web.” Ricana agrees: “If indeed the hacking was done via SQL injection, then that means what [Comelec] did was lacking in terms of coding. With someone who has the tech knowledge and malicious intent, it would have been easy to do it.”
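The coding gap Ricana describes can be shown on a small scale. This is an added example, not code from the Comelec site or from the article's sources: a hypothetical precinct lookup over a constructed SQLite table, written once with string concatenation and once with an allow-list, a bound parameter and a restricted view. The table, view and function names are assumptions made for illustration.

```python
import re
import sqlite3

def build_db():
    """Constructed in-memory stand-in for a voter database (all rows are made up)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE voters (id INTEGER PRIMARY KEY, surname TEXT,
                             precinct TEXT, passport_no TEXT);
        INSERT INTO voters (surname, precinct, passport_no) VALUES
            ('DELA CRUZ', '0123A', 'SAMPLE-0001'),
            ('SANTOS',    '0456B', 'SAMPLE-0002'),
            ('REYES',     '0789C', 'SAMPLE-0003'),
            ('O''BRIEN',  '0999D', 'SAMPLE-0004');
        -- Expose only what a precinct lookup needs. On a server database the
        -- web account would be granted SELECT on this view and nothing else.
        CREATE VIEW precinct_lookup AS SELECT surname, precinct FROM voters;
    """)
    return db

def find_precinct_vulnerable(db, surname):
    # Text-box input is pasted into the SQL string, so it can change the
    # structure of the query instead of only supplying a value.
    sql = "SELECT surname, precinct FROM voters WHERE surname = '" + surname + "'"
    return db.execute(sql).fetchall()

# Allow-list for names; the apostrophe stays legal because real surnames use it.
NAME_RE = re.compile(r"[A-Za-zÑñ .'-]{1,60}")

def find_precinct_hardened(db, surname):
    surname = surname.strip()
    if not NAME_RE.fullmatch(surname):
        raise ValueError("surname contains characters a name cannot have")
    # Bound parameter: the driver passes the text as data, never as SQL.
    return db.execute(
        "SELECT surname, precinct FROM precinct_lookup WHERE surname = ?",
        (surname.upper(),),
    ).fetchall()

# Constructed test string: the textbook always-true condition.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print(len(find_precinct_vulnerable(db, TAUTOLOGY)), "rows from the vulnerable lookup")
    print(find_precinct_hardened(db, "o'brien"))
```

The concatenated version also fails on an ordinary surname containing an apostrophe, which is often the first sign in error logs that a query is being built from raw input.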

So apparently, it doesn’t take much to hack Comelec’s website—it could have been done by a local hacker who had just graduated from school. Ricana enumerates the necessary skills to hack: “The hackers need competencies in the most common programming languages, especially those that are used to program websites and web apps (e.g. PHP, MySQL, JavaScript, Visual Basic). Competencies in navigating web servers (which are more often than not, run in Linux).” Galla is more succinct: “They need the ability to search for reading material on vulnerabilities, search for scripts, and replicate them. In other words, Google and cut and paste.”

FHM to Paul: “Where did you learn to hack?”

Paul: “By reading how-to-hack websites on Google. There are plenty of those there.”

He spent all of one summer after high school in 2012 learning to hack. 

Bounty hunter

Paul Z. Biteng: underachiever, row 4 student, too lazy to study.

At least if it wasn’t about computers and coding and, eventually, hacking, that is how Paul thinks his entire life has been thus far.

The Balic-Balic, Sampaloc boy spent his grade school years at Legarda Elementary School in Sampaloc, Manila. He admits he didn’t excel in any subject, but he did play some sports. “Soccer.” He had a couple friends. That is all that Paul can recall.

High school was at Ramon Magsaysay. “There, nothing either! I was just really lazy about studying. And there were no more sports either, it was always just school and home. I played DotA too, but only at the shop near our place.”

When he was in second year high school, his family bought a computer set for cheap. Soon after, they had an internet connection.

“At first, it was just Facebook and games. Until I started working part-time developing Ragnarok.” First he played the game, then learned it well enough to know how to customize the settings of the game on private servers for which some players were willing to pay to be able to play. It sounds like a technological leap for a kid, but Paul says he had been into computers since he was three. For him it was easy, and he showed his aptitude for coding when he began college as an IT student.

It was also in college that he found hacking to be a cool thing. “I wanted to imitate The Matrix,” Paul says.

Just as fast as he learned how to hack and had met fellow hackers on social media, he had begun to earn money spotting weaknesses in websites in what is called a Bug Bounty Program.

“This is where, when you find a bug, you report it to the site, and then they pay you. The one at Facebook, they paid me $1500 (or about P69,450 at the exchange rate as we write this). Minus $450 in tax, so I got $1150. I was able to pay my tuition and buy a motorcycle. My parents know what I do, I do tell them,” Paul says.

“Are you famous in the hacking community?”

“I’m not really famous, I’m just known for being good at finding holes. Your website has a hole.”

“You poked a hole in it?”

“Yes. But I didn’t get in. It just has a hole, I could extract data—usernames, passwords. Those are the things that should be protected. But I didn’t do it because that’s as far as my limit goes, that’s all I can do.”

“You didn’t take the data. But could you?”

“Maybe if I had worked at it, because I just sort of passed through.”

“So you were there, you were bored, so you hacked our website.”

“Yes.” (laughs)

He swears he didn’t steal pictures. 

Jail

Should we send him to prison?

De La Salle University law professor and litigation lawyer Andre de Jesus, founding partner at Esguerra Dy de Jesus Chico Law, says Paul broke two similar laws: the E-Commerce Law or Republic Act 8792 (which regulates computer interaction in the country) and the controversial Cybercrime Prevention Act (which criminalizes several online activities such as cybersquatting, libel, and access to data without right).

“[Biteng] can be prosecuted for different counts based on different provisions of each law,” says Atty. de Jesus. “He can be prosecuted for hacking, for the fact that he accessed the Comelec website without right. He can also be prosecuted separately for computer-related identity theft. This last one means you intentionally acquire, use, misuse, transfer, possess, alter, or delete the identifying information of another without right. I think these are the offenses that were committed by Paul Biteng.”

For all these violations, Biteng may be slapped with fines and imprisonment. The E-Commerce Act imposes “a minimum fine of P100,000 to a maximum amount commensurate to the damage incurred,” says de Jesus. “There is also imprisonment from a minimum of six months to a maximum of three years. For violating the Cybercrime Prevention Act, Biteng may be imprisoned for at least six years and imposed with a fine of at least P200,000.”

There’s more.

Biteng could also be charged with illegal access against a critical infrastructure. De Jesus explains: “Critical infrastructure [refers to] computer systems, programs, traffic data so vital to our country that the interference with, the destruction of, or the tampering of these data or assets will have a debilitating effect on national or economic security, national public health and safety or a combination of all those.”

If prosecutors can prove that the Comelec website is critical infrastructure, Biteng could be imprisoned for 12 to 20 years and/or slapped with a minimum fine of P500,000.

“Maybe some sort of reduction of his prison sentence (which does not exist yet) could be extended to him,” says de Jesus. “But I think we should send a message that crime must be punished. Otherwise, we’d be incentivizing the wrong actions in our government. Simply put, Biteng committed a crime and he must be held responsible for it, whether or not his punishment is reduced.” 

Hire

“On behalf of over a billion users, we would like to thank the following people for making a responsible disclosure to us,” says Facebook on its White Hat page, last updated on May 14, 2016. It cited Biteng among a handful of other “white hat” hackers for helping them by reporting weaknesses in their system in 2014.

Microsoft, on its website, also gave Biteng recognition as one of its June 2014 Security Researchers. “The Microsoft Security Response Center (MSRC) is pleased to recognize the security researchers who have helped make Microsoft online services safer by finding and reporting security vulnerabilities,” the company said. “Each name listed represents an individual or company who has privately disclosed one or more security vulnerabilities in our online services and worked with us to remediate the issue.”

Leo Nocom, a senior web developer at a multinational IT firm based in Makati, agrees that the government should not let Biteng’s talents go to waste. “He can work initially as a Quality Assurance officer, or a white hacker,” he says. “His skills would be useful in finding and exposing vulnerabilities in systems before hackers do. He’d then be the one to report them to web developers and help them find a fix.”

According to salary survey site Payscale, a certified ethical hacker (CEH) could earn anywhere between $49,330 and $133,869 annually, or about P189,098 to P513,165 monthly.

If Paul is acquitted and taken in by an IT or tech firm, he will join the likes of Nicholas Allegra, who Apple got as an intern after he created a website that allowed users to jailbreak their devices and run unauthorized software; and Jeff Moss, who once ran an underground online community for hackers and is now a consultant for the US Homeland Security Advisory Council.

There’s another option. “The most effective whistle blowers, in general, are those who are not on the periphery but come from within the anomalies that are being exposed,” says de Jesus. “If the rumors are true that Biteng is, in fact, a member of Anonymous Philippines, [hiring Biteng] might not just be able to improve the cyber security system of the Philippines but also somehow temper the propensity of Anonymous to just deface [websites] without any real purpose.”

Clifford Trigo (hackerone.com/cliffordtrigo), a security researcher and second in HackerOne’s overall hacker list, has been an online friend of Paul Biteng’s for three years now—but they have met only once in person. He was instrumental in helping Paul raise funds for his bail.

“Yes, he’s a good friend. #freepaulbiteng.info was initiated because we don’t want to see an always happy and talented young friend go to jail,” says Clifford. “He has a legit skill talking with databases using SQL injection attack. He also has ‘fast hands’ as we always play League of Legends during our free time. Paul is only 20. He might have crossed the [line] but I strongly believe his skill is a big use to the government; an asset for a better and secure Philippine cyberspace.”

He'll call you

“I don’t like it when they’re the ones who come to get me,” says Paul of the reason he rejected an offer from two companies.

“You’re so full of yourself!” we chide him.

“No!” he laughs. “It’s like this—their expectations seem so high. What if I can’t do what they ask me to do?”

Paul Loui Z. Biteng, 20. Hacker. Responsible for what they say is the biggest government data security breach in history. Not quite sure of his own capabilities because, really, he just learned hacking on Google, in his free time. IT graduate. Bug Bounty Hunter. Likes reggae, R and B, and hip-hop. Drinks. Smokes. Gets scolded by his parents because he stays out till late hanging at friends’ houses. Doesn’t watch TV because who among his age still watches TV? Has an easy grin and probably should have a girlfriend.

Just a kid.

© Cecile Jusi-Baltasar, Ed Geronia, Allan P. Hernandez and Alex Paita - FHM.COM.PH
