Life behind the firewall: What it’s like to be an ethical hacker today
From having friends ask if they can hack into an ex’s account, to trending on Twitter for their work when they really want to stay anonymous, it can be strange standing in the shoes of an ethical hacker today.
“Most people don’t really understand what we do”, says Sai Krishna Kothapalli, 23, from Hyderabad, who runs a cyber security startup, Hackrew. At least today, there is some sense that ethical hackers are part of the larger framework required to protect all the personal digital data out there — whether on social networking sites or delivery apps or even in the databases of hospitals, schools and government institutions.
But when Kothapalli first became addicted to cracking code, as a college student, in 2015, his parents didn’t understand it, his friends couldn’t tell the difference between the white hats (ethical hackers) and black hats (criminal hackers), and there were very few in his circle who shared his interest.
With a large community has come greater competition. Over just one year, for instance, the number of hackers registered with HackerOne, the largest global interface between companies and ethical hackers, almost doubled, going from 166,000 in 2017 to 300,000 in 2018. At the same time, there are a lot more bugs to find now, and more apps to help secure.
The biggest frustration, Kothapalli says, is when you work tirelessly for hours on a vulnerability only to miss the mark by a whisker, and see it reported by some other researcher.
On the upside, more ethical hackers means better resources. Over the past three years, Kothapalli says, the resources available to a young hacker have boomed, from blogs, conferences and meetups to courses and white hat clubs at institutes like IIT-Roorkee and IIT-Delhi.
Networks have grown stronger online, and there is a sense of community that is helpful in a profession where one generally flies entirely solo. “On Twitter, hackers as young as 15 reach out to me. Initially, we discuss bugs and blogs about hacking but eventually also what is going on in our lives,” says Karan Saini, 20, a product support engineer and ethical hacker from Bengaluru. “I have seen hackers’ social lives being affected because of merely the number of hours the work takes up. It is important to have a support network comprising people in the same field who have encountered similar problems.”
Always on the hunt
One of the things about being an ethical hacker, says Saini, is that, like a doctor, you can never turn it off. Every symptom jumps out at you; you’re always assessing for vulnerabilities.
“Take the current Information Technology Act. Technically, as it now stands, we could be prosecuted for helping companies identify bugs in their systems.” Typically, ethical hackers do this by gaining access to the source code of an app or website (often at the company’s invitation). They then seek out weakness and vulnerabilities in firewalls, security encryption, etc. If done without prior permission, even if the results are then handed over to the company for rectification, this can land you in jail in India.
Of course there are grey areas. He studied some of those grey areas in his year with the thinktank, Centre for Internet and Society. “But this kind of thing, to me, is scary,” he says. “It’s scary that our laws are so out of touch with our digital worlds.”
That’s why some prefer to stay completely anonymous. The 30-year-old who was recently in the news for creating bots that helped report other bots that were influencing what trended on Twitter, would not give us a first name or even initial.
You can reach him online, as numerous publications did in January, but he won’t share a phone number.
“It’s hard enough as it is,” he says. “I get death threats and obscene messages every day. My relationships with people have been changed by the work that I do. The trust network you build up through your whole life, suddenly gets called into question. You don’t know who you can rely on. At times you don’t trust even your parents with all the information, because you don’t know how much they may share with other family members — and you also don’t want them burdened.”
He made the news for creating bots that helped take down over 2 lakh other bots, over a period of about four months. The other bots had been programmed to tweet a certain kind of content in such large volumes that they could affect what trended locally on Twitter.
“I wanted to do this so that people had a clearer picture of how things stand,” he says. “I am glad I did it. The role of the ethical hacker is a political one. Some sacrifice has to be made. The only fear I really feel is that anyone can file an FIR. And it is a realistic fear, I feel.”
Gurgaon based Avinash Jain, 27, is one of those white hats who hunts down bugs like he’s living in a video game. He won about 80 bug bounties in 2018 alone — including $2,500 (about Rs 1.78 lakh) for finding a bug in Go-Jek, a multiservice platform. The first bug bounty he won was with Zomato, and the prize was just some merchandise, but the thrill has had him hooked ever since.
“The one downside is that the pursuit of a bug is so unpredictable,” he says. “Sometimes, you spend days without finding a single bug in the target domain. You’re racing, and thinking out of the box; but nothing. The key tool, you soon learn, is patience.”
During the day, Jain works as a securities engineer at a startup, so time is a constraint too. “I come back from work, go for a workout, freshen up and start my hacking work of the day. It can be tiring on some days but the joy of solving problems keeps me going.”
One of the bugs he’s proudest of identifying is a loophole in an online registration system for hospital appointments and admissions that could compromise the details of those who registered online. He didn’t win anything for it, but the problem was acknowledged by the hospital, and fixed.
Typically, though, the ethical hackers say that government departments are slow to respond. Kothapalli was still an engineering student at IIT-Guwahati, when he tried to report a vulnerability on the BSNL intranet website.
It could enable a hacker to access the entire BSNL intranet database, which contained a lot of confidential data on existing and retired employees of the company.
He reported it but never got a response. Two years later, when an anonymous French hacker handle pointed out the same issue, the organisation acted to rectify the gaps. The French hacker, who calls himself Elliot Alderson, acknowledged that the issue had already pointed out by Kothapalli, in a tweet, so at least he got credit indirectly, he says, laughing.
A larger mission
Government agencies are slowly warming up to the work done by ethical hackers. Kothapalli’s Hackrew, set up in 2018, organised its first live hacking event with the Telangana government last June. Ranchi-based hacker Vineet Kumar’s Cyber Peace Foundation (CPF) has collaborated with government agencies like the National Council of Educational Research and Training (NCERT), to conduct cyber awareness contests, and with the National Crime Records Bureau (NCRB) to host a hackathon — an event in which hackers compete to spot loopholes and suggest fixes for an app or website within a stipulated time.
Kumar believes the responsibility of an ethical hacker goes beyond finding bugs and threats. “Given the reach of smartphones, it is important to educate and protect at the grassroots level,” he says.
His organisation has been working to educate rural users about the many kinds of cybercrime and about their rights. “Sometimes it’s simple things like teaching people that if you file a complaint in a case of financial fraud within 72 hours, you must — barring any malfeasance on your part — get your money back. Or teaching people that even downloading a child sexual abuse video is a crime. Or that sharing pictures and videos of children without parental consent is illegal,” he says.
Over the past two years, the CPF has worked with the police to conduct cybersecurity awareness workshops in states ranging from Assam and Jharkhand to Andhra Pradesh, Uttar Pradesh, Haryana and West Bengal. “We have a group of master trainers who work closely with the police to help in investigations too,” Kumar says.
“Digital literacy is crucial given how fast digital access has spread, and continues to spread, in India. The alternative is simply disaster.”