Updated: August 1, 2021 8:39:24 am
Written by Nikhil Srivastava
In most films about hackers, the first scene shows a man wearing a black hoodie, sitting in a dark room or a garage, furiously typing some secret code on a computer screen. He is aloof, and worse, a threat to society. The recent NSO-Pegasus controversy has made people even more suspicious.
But hacking has many aspects, and the life of an ethical hacker like me, who helps secure the world’s systems from fatal bugs, is very different from the characters in films.
I got interested in hacking in college. Back then, I would find the loopholes on my college website or even government websites and report them. Later, I decided to take up a career in application security. It’s not a 9-5 job and I am the owner of my time.
There are a lot of platforms on the Internet, such as Synack, HackerOne, Bugcrowd, Cobalt, Intigriti, that pay for ethical hacking of their clients’ systems legally, and help them secure them. The amount ranges from $500 to $50k. Then, there are companies that run independent programmes — including Google, Microsoft, Apple, Facebook — and pay for any vulnerability you detect in their infrastructure. While signing up for these, you have to follow some strict rules, the first of which is that you can only disclose the details of the vulnerabilities to the client, no one else.
I enjoy breaking into programmes which have a large number of assets. It increases the possibility of finding a critical bug. First, I start the automated tools to scan all the assets, and then start looking into the results for any interesting stuff. I focus on finding and reporting critical or high-severity issues. The next step is to send a detailed report to the client, whose security team then fixes the vulnerability. Later, I am free to disclose the report while maintaining the anonymity of the client.
Once, I was working on the system of a top European bank. I executed code remotely on one of their assets and got access to the data of all their customers! Due to the high security impact and critical nature of the vulnerability, it was fixed by the client within minutes. The entire process from reporting to triaging to detecting vulnerabilities and fixing them and finally getting paid takes three-four days, going up to a week depending on the client. It can sometimes be a period of great anxiety for both parties.
Being a hacker, you have to be really patient and at the top of your game. At times, it starts to affect your mental health. Given the high competition in the field, burnout is also quite common among hackers these days. Sometimes, you just fail to break into systems, and that causes frustration. In such a situation, collaborating with another hacker helps.
The challenges aside, there are many perks of the job as well. Live Hacking Events (LHE) are my favourite. You get invited to hack into a client’s infrastructure live, along with hackers from across the world, which also gives an insight into their minds. And of course, you get paid for each vulnerability that you report. I have been part of four-five such events hosted by Synack in Las Vegas (2016), Mexico (2017), Bali (2018), Costa Rica (2019) and Tokyo (2020). I have also been part of a Facebook and Google combined Live Hacking Event at Facebook’s HQ in Singapore. I have sometimes returned with interesting merchandise, like a Microsoft Surface Pro 4 with my name engraved on it, an Oculus VR Headset, etc.
While it is as serious a profession as any other, not many people get it, and I often receive funny requests on social media like, “Can you hack my girlfriend’s account? Can you hack my college’s website?” and so on. I mostly block them.
The writer is an ethical hacker who has helped companies such as Google, Microsoft, Tesla, Mozilla, Salesforce and eBay, among others, fix security vulnerabilities.