This is the third blog in a series titled WhiteHat, chronicling the most pressing questions about what it really means to be a hacker, the moral dilemma that white hat hackers face, and what a profession in cybersecurity is really all about. Read more stories from the hackers at Fortinet here.
I recently sat down with Kushal Shah, a security researcher in Fortinet’s FortiGuard Labs research division. Kushal sheds light on his interest in cybersecurity and how he became a white hat hacker by trade.
When I was little, my father’s office was located just near our house, a place I was strictly not allowed to enter. But, like every kid, being told not to do something only ensured that I would try my hardest to get in. I didn’t know it was called security then, but not being allowed into that office helped me foster a fascination with it and breaking into things. Since then, I have always tried to find new ways to gain unsupervised access to things. Because of my curiosity, my father naturally assumed that I was the cause when things were broken. As a result, I had to learn to fix things too, taking responsibility even when it wasn’t me who broke things.
I certainly enjoyed the fixing part better, since I was not scolded.
In elementary school I was naturally drawn to programming from the experiences in my father’s office. I took a course on Java before most people my age. This set me ahead especially as I entered high school in Mumbai. A lot of the available study materials were reprints of old programming books, and the outdated theory didn't get me very far. I was much better in practice, even solving problems before the professor. I was always of the mind that a computer program should have a purpose. I didn’t want to just write programs to calculate equations I could do in my head. I wanted to make something useful. I actually developed a clever web-filtering bypass while in school.
Even though security was an emerging field, it was not something you could study directly. I knew I was interested in computer science and so that is what I studied as an undergrad. However, I always pushed my team members on group projects to choose security related topics. After my undergrad program I got a job at Accenture where I was actually first exposed to Fortinet devices.
I was a part of NullCon & ClubHack since early 2011 during my last year of undergrad wherein I met fellow Indian hackers & security experts. I was in the minority as a compliance professional. Everyone else was working on new technologies and methods. I figured I should get into the same while I was still young and motivated to learn these rapidly changing technologies. Close to the end of my time at Accenture, I applied for a computer security degree at Rochester Institute of Technology, Rochester NY and was accepted. At RIT, I got something that I always wanted, practical knowledge of all areas of Information Security (Network, Web Application, System, Scada, Digital Forensics, Malware, etc) from some of the leading experts in the field. My final project was on memory forensics, a field that is still very new. I joined Fortinet after my graduation, primarily due to the Security Researcher role so that I can continuously learn and thereafter contribute back to the community
A hacker is someone who breaks into things. This definition has both a positive and negative side, however. Even before most people really knew the term there was media about hackers that acted as a kind of baseline. I remember the 1995 film Hackers, as well as the Robert Redford movie Sneakers. Back then, both sides were depicted pretty evenly. Now it is different.
People naturally like to see people breaking the system, but the line between what is good and what is bad is not always very clear. Take Mark Zuckerberg as an example. He broke into all kind of systems at Harvard and was penalized for those actions. Of course, he has now created something great that benefits a lot of people. I think the media portrayal of hackers now is a problem. But, it is not their fault.
The issue is what the media publishes as soon as something wrong happens. There is no media about the real hackers and security experts that are breaking things for good, through penetration testing, red team exercises, etc. These activities are protected under NDA and so are never written about. It becomes really hard to understand the full picture of a profession in this field when all you see in the media is the negative side of hacking. It is not so easy to see how these skills can be used for good. There is actually a separate word for people using these skills for bad, “crackers,” but it is mostly unknown.
Yes. Someone who tries to find different ways to solve an issue, someone who likes to break into stuff, is a hacker. Security and hacking is something you can never learn unless you get your hands a little dirty. You just need to know where to draw the line. I met Reginaldo Silva recently at a conference. He gained notoriety for pulling passwords directly off of Facebook servers. Once he discovered how to do this, he could have very easily explored the Facebook servers and found much more. However, he did not. He reported the issue as soon as he found it and went no further. He was responsible about his discovery.
Thankfully, our laws are not so stringent that you can’t do that. There are plenty of legal ways to break into systems for practice. There are great bug bounty programs like those at Facebook, and websites built specifically to test against. Like I said, you can’t be a hacker without getting your hands dirty. That means learning through practice. Being a hacker means failing more than you succeed. I was recently at a conference where I was constantly referred to as a security expert. I had to ask people to stop regarding me as an expert. I consider myself a life-long learner. The day I become an expert is the day I stop learning.
We are so fortunate to have technologies like cloud computing today. It is so simple to set up an environment with very little resources and start practicing, doing penetration testing, and more.
Kushal sent me a list of great practice resources after our conversation: