YATTA, West Bank – “You’ve no idea what I’ve done,” Khalil Shreateh said, bursting into the kitchen of his family’s stone-and-concrete house in the South Hebron Hills. The stocky 30-year-old Palestinian ran a hand through his already haphazard hair. “I just posted on Mark Zuckerberg’s wall.”
“You’re kidding,” said his sister, 22-year-old Nibal. She’d just tried sending her brother a message over Facebook, and was surprised to find his account mysteriously deactivated. Now she could guess why. “Stay away from big people, brother!”
“I’m going to take a nap,” Shreateh shrugged. “Hopefully they’ll give me back my page when I wake up.”
Facebook CEO Mark Zuckerberg. Photo: Carlos Serrao
It was August 14, and Shreateh had just reached halfway around the world to pull off a prank that would make him the most famous hacker in the Israeli-occupied West Bank. He’ddiscovered a Facebook bug that would allow him to post to another user’s wall even if he wasn’t on the user’s friends list. Demonstrating the bug on Zuckerberg was a last resort: He first reported the vulnerability to Facebook’s bug bounty program, which usually pays $500 for discoveries like his. But Facebook dismissed his report out of hand, and to this day refuses to pay the bounty for the security hole, which it has now fixed.
Where Facebook failed, though, techies from across the world stepped in to fix, crowdfunding a $13,000 reward for Shreateh. Now that money, and Shreateh’s notoriety, is about to launch the former construction worker into a new life. He’s using the funds to buy a new laptop and launch a cybersecurity service where websites will be able to request “ethical hacking” to identify their vulnerabilities. And he’s started a six-month contract with a nearby university to find bugs as part of their information security unit. He hacks and reports flaws on other universities’ sites in his free time.
“If they offer money I do not reject them, but I did not ask for money,” Shreateh says. “I don’t seek much money, only a job and a good life.”
Shreateh’s life so far hasn’t been easy. Born in Jerusalem and raised here in Yatta, an agricultural town known for its grapes and olives, he has never stepped foot outside the West Bank. Shreateh’s mother died of a heart attack when he was 13. His father, who worked as a manual laborer for an Israeli agricultural company, died of a similar heart problem three years later, leaving Shreateh orphaned along with Nibal and two other siblings.
That was 1999, the same year computers came to the Hebron area. Shreateh was 16, and he began taking shared taxis to Hebron to visit the city’s only Internet café, paying 10 shekels for the round-trip and 3 shekels for an hour online. Then in 2002, Shreateh discovered the world of hacking. “I got hacked by a Kuwait kid because I was talking to his cousin. I think he was in love with her,” Shreateh says. “Then I found hack forums. I started learning how to hack PCs and personal accounts.”
Shreateh began a degree in information systems at Al-Quds Open University — eight 15-hour semesters at about $320 per semester, which took Shreateh 10 years to finish. He worked a construction job from 7 a.m. to 7 p.m., so he rarely attended class, instead studying and completing assignments at night. “At exam times I quit my work to study,” Shreateh says. “I had to delay some semesters because I didn’t always have money.”
In the meantime he learned programming online. “You can learn anything from the Internet,” Shreateh says. “It just takes time. Months, you know, maybe years. Even my English, I learned it from chatting.”
Shreateh eventually got his own computer (“It was Intel, I think, a big one”), and then Yatta’s local Internet café hired him as a troubleshooter. He was able to give up construction for a while, taking odd website design and e-commerce jobs with companies in Ramallah. But by 2011 he was unemployed again. Most Yatta residents work lower-level jobs in Israel. Finding a job with the big companies usually requires wasta, personal connections that Shreateh doesn’t have.
In August, with funds running low, Shreateh decided to go back into manual labor. “I was hopeless,” he says. He called a construction company, which said they would call him back in four days. “While I was waiting, I hacked Mark,” Shreateh says with a smile.
Shreateh discovered the bug during one of his favorite hobbies, checking potential vulnerabilities based on hacker gossip (his other favorite pastime is the game Counterstrike). He first emailed Facebook’s white hat team, expecting to qualify for the company’s two-year-old bug bounty program, which has paid $1 million to some 300 white-hat hackers in 51 countries. To demonstrate the bug, he posted an Enrique Iglesias video to the profile of Sarah Goodin, one of Zuckerberg’s college friends.
Goodin’s privacy settings prevented non-friends from seeing her Timeline, so Facebook’s security team couldn’t see Shreateh’s post. Shreateh exchanged three emails with them, explaining why their access was blocked and attaching screenshots of the exploit.
Facebook’s reply was terse: “I am sorry this is not a bug. Thanks.”
That’s when Shreateh went to Facebook’s founder himself. He posted the bug report on Mark Zuckerberg’s wall, accompanied by a message:
Dear Mark Zuckerberg,
First sorry for breaking your privacy and post to your wall , i has no other choice to make after all the reports I sent to Facebook team .
My name is KHALIL, from Palestine…
Minutes later, Shreateh’s account had been disabled. Facebook engineers contacted him for details. They fixed the bug and reactivated his account but refused to pay any bounty, saying that Shreateh had violated the conditions of its bug bounty program by testing the vulnerability on a real user’s account. Facebook’s Chief Security Officer Joe Sullivan later released a statement acknowledging they’d been “too hasty and dismissive in this case,” but also blaming an “absence of detail” in Shreateh’s report. Facebook still refused to pay the reward.
The story went viral. Outraged at Facebook’s snubbing of a fellow ethical hacker, California security expert Marc Maiffret launched an appeal to the tech community. A former teen hacker who made his name by finding security flaws in Microsoft products, Maiffret is now CTO of BeyondTrust. He contributed the first $3,000 to a GoFundMe campaign to crowdfund a bounty for Shreateh’s Facebook exploit.
Within a day, donors had given more than $10,000. The final amount raised was $13,125 from 303 people across the world, mostly donated in sums of $5 or $10, many with notes congratulating Shreateh and deriding Facebook.
The West Bank town of Yatta, where Khalil Shreateh hacked Facebook’s CEO. Photo: Alice Su
The West Bank is no easy place to be a hacker, or to do anything in the technology sphere. The occupied region depends on Israel for electricity, water and telecommunications, including the sluggish Internet that crawls into the South Hebron Hills. Shreateh has a well and three water tanks on his roof because Yatta only receives several days of running water every few months. Blackouts are common, and the town often goes without electricity for whole days in the winter.
Partly to blame is a complex system established by the Oslo accords that splits the West Bank into three zones under different combinations of Palestinian and Israeli control. “It’s like Swiss cheese,” says George Khadder, a tech entrepreneur who worked in Silicon Valley for 13 years. He sketches how Zones A, B and C weave in, out and around each other, with chunks of Israeli settlement territory in between. “The West Bank is like an archipelago, in terms of contiguity and services. This is absolutely a problem.”
This access gap is clear on the drive from Jerusalem to Yatta, which requires passing through a military checkpoint that bars Shreateh from entering Israel. The road to Yatta passes several Israeli settlements, sprawling over hilltops with their separate telecom systems, brightly lit streets and green, well-watered lawns. “The dogs in Israel drink more water than Palestinians,” the taxi driver laughs.
Shreateh now lives in Ramallah, where the situation is a little better. He comes home on weekends, as does Nibal, who is studying dentistry in Abu Dis. “He’s the only one who does this computer stuff,” she says. “Our family geek.”
Their nieces are rambunctious, dancing to an Arabic music channel blaring from the television and yelling about the Eid al-Adha crowds in Hebron. They parade around the kitchen table, showing off the new clothes they’ve just bought for the Muslim holiday – matching turtlenecks with faux fur vests – while Shreateh’s sisters laugh and croon that yes, the girls look very pretty.
Only Shreateh is oblivious to the family buzz. He sits at a small table next to the refrigerator, wholly engrossed in his laptop screen, flicking back and forth between Hacker News, exploit forums and his own security projects. He typically stays up until 2 a.m., clacking away on the keyboard as the rest of Yatta sleeps.
“He’s listening to Linkin Park,” Nibal says, adding that she finds it funny how “geeks everywhere like the same music.”
Shreateh has his own website and 44,156 followers on Facebook, many of whom spam him with questions about hacking into their boyfriends’ profiles or raising their exam grades online. Shreateh ignores them. “I am an ethical hacker,” he says. “I don’t damage or destroy.”
That makes him different from some other Palestinian hackers. The same month as Shreateh’s Facebook prank, hacktivists hijacked Google’s Palestine domain, redirecting it to a page with a Rihanna background song and written message: “uncle google we say hi from palestine to remember you that the country in google map not called israel. its called Palestine”
This month, another group called KDMS hacked the websites of security companies AVG and Avira, among other companies, redirecting to a site displaying the Palestinian flag, a graphic of Palestinian land loss, and a similar message: “we want to tell you that there is a land called Palestine on the earth,” it read in part. “this land has been stolen by Zionist.’
Shreateh dismisses these attacks as counterproductive. “They hacked to put a message about Palestine,” he says. “But some will say ‘Look, Palestinians are mindless. They hack everything, that’s bad.’ … Some people break the law to send a message, but I will send a message with my own name, not with a nickname. I can send a message without damaging a website.”
He shrugs off KDMS’s invective about good Palestinians versus bad Israelis, but bubbles over when the conversation turns to good hackers versus bad hackers. He’s a citizen of the Internet, disconnected from the Israeli-Palestinian situation, wrapped in the superhero role of upholding a hacker’s ethical code in a virtual, non-occupied world.
“There is no security today. No one is secure,” Shreateh says. That’s why people need ethical hackers to protect systems against the nonstop threat of security vulnerabilities and the black-hat hackers who exploit others for fame and money. There’s a moment of truth when you decide to take the white hat path, Shreateh says, a fork in the road when any hacker discovers a bug and decides to publicize it or get it closed instead of exploiting it for personal gain.
“I think, if someone hacks and takes my money, how do I feel?” Shreateh asks. “You treat people how you want them to treat you.”
As for Israeli hackers, he sees them as inferior, babied by the privilege of living without occupation. “Israeli hackers all come from university classes. They have companies and courses to teach them,” Shreateh scoffs. “Palestinian hackers come from Google search and YouTube videos. We all learned on our own.”
Shreateh smiles, kicks off his rubber slippers and opens his laptop to check his Facebook page, which has been receiving a steady flow of messages all afternoon. He scrolls through the flood of bug reports, Metasploit gossip, requests for hacking advice and fan mail in Arabic and broken English. He chuckles at some comments and Likes others, then opens khalil-shreateh.com, pausing on the still-incomplete website for a moment. “I am the only ethical hacker in Palestine,” Shreateh says, puffing out his chest. “But for sure, there will be more like me in the future.”