“I’ve never met a company I couldn't hack”

Who are you?

I’m Ivan Bütler, the founder and one of the managing directors of Compass Security. We look for weak spots in operators’ websites, in e-banking, trading systems, voting systems, remote access, Android, Mac and iPhone. We are, if you will, the good-guy hackers.

I set up the company with my colleague Walter Sprenger. We started out small and were able to expand very quickly; in the meantime we have offices in Bern, Zurich, Berlin and, since last December, in Toronto. 

Why do people hack in the first place?

There are various motives for hackers and then different sub-categories. I personally like the following breakdown into four groups the best.

• The script kiddies. They upload their propaganda and other content onto third-party websites. This is irritating in particular for Swiss SMEs.
• The economic criminals – again, they can be broken down into, let's say, the “Stupid” and the “Smart”. The stupid ones use their knowledge to access an e-banking user and to transfer money to another account. This is stupid because usually not much money is involved and secondly because it's easy to trace. The smart ones, on the other hand, acquire stock market information from global players and use it for insider trading before the rest of the world notices.
• The anonymous ones – these are people who access websites for ethical or moral reasons to spread their message. One example is PostFinance, whose website was paralysed as revenge, because they had deactivated the account of Julian Assange from Wikileaks.
• The fourth group engages in espionage and this affects secret services. As Julian Assange showed with his disclosures, the USA has a global network and can monitor everyone. This is the threat we are least able to protect ourselves against – we are really helpless against state players.

If you see all of this, do you still trust the Internet?

Can I answer the question with a question? Do you drive a car? And you know that it has safety belts and airbags and so on, because an accident might happen? But you carry on driving anyway? So that's what it’s like for me and the Internet. I’m aware of the risks and that you’re never safe despite taking every precaution. But I still use it because of the many advantages it offers.

Have you ever failed with a mandate?

I’d really rather not say, but so far there has been virtually no company we couldn’t hack. The problem is always people: If just one out of a hundred doesn’t pay attention, you can get in to the system. Even if the employees are warned and are careful. 

For example, we had a case where we were supposed to hack a company and one person volunteered to be the test person. We then Googled this person and found out that she is registered on a website where you can find former classmates. We set up a g-mail account in the name of a former classmate and wrote to her: “Hello, I’m organizing a class reunion; I’ve already put the addresses I knew in the attached Excel file. Could you complete the list?” As soon as she opened the attachment, the Trojan was already on her computer.