Hindustan Times (Amritsar)

LIFE BEHIND THE FIREWALL

They’re the foot soldiers who work with companies and governments to keep digital data as safe as possible. They deal with death threats, confused relatives, and a tough fight to stay anonymous. A look at life as an ethical hacker today

- Dipanjan Sinha ■ dipanjan.sinha@hindustantimes.com

From having friends ask if you can hack into an ex’s account, to trending on Twitter when all you really want to do is stay anonymous, it can be a strange life in the shoes of an ethical hacker today.

“Most people don’t really understand what we do,” says Sai Krishna Kothapalli, 23, from Hyderabad, who runs a cyber security startup, Hackrew. At least today, there is some sense that ethical hackers are part of a larger framework to protect all the personal digital data out there – whether on social networking sites or delivery apps or even in the databases of hospitals, schools and government institutions.

But when Kothapalli first became addicted to cracking code, as a college student in 2015, his parents didn’t understand it, his friends couldn’t tell the difference between the white hats (ethical hackers) and black hats (criminal hackers), and there were very few in his circle who shared his interest.

With a larger community has come greater competition. Over just one year, for instance, the number of hackers registered with HackerOne, the largest global interface for ethical hackers, almost doubled, going from 166,000 in 2017 to 300,000 in 2018.

The biggest frustration, Kothapalli says, is when you work for hours on a vulnerability only to see it reported by someone else. On the upside, more ethical hackers means better resources.

Over the past three years, Kothapalli says, the resources available to a young hacker have boomed, from blogs, conferences and meetups to courses and white hat clubs at institutes like IIT-Delhi.

Networks have grown stronger online, and there is a sense of community that is helpful. “On Twitter, hackers as young as 15 reach out to me. Initially, we discuss bugs and blogs about hacking but eventually also what is going on in our lives,” says Karan Saini, 20, a product support engineer and ethical hacker from Bengaluru.

ALWAYS ON THE HUNT

One of the things about being an ethical hacker, says Saini, is that you can never turn it off. You’re always assessing for vulnerabilities, online and offline.

“Take the current Information Technology Act. Technically, we could be prosecuted under it, for helping companies identify bugs in their systems.”

Ethical hackers do this by gaining access to the source code of an app or website (often at the company’s invitation). They then seek out weaknesses and vulnerabilities in firewalls, security encryption, etc. If done without prior permission, even if the results are then shared with the company for rectification, this can land you in jail in India.

“This kind of thing, to me, is scary,” Saini says. “It’s scary that our laws are so out of touch with our digital worlds.”

That’s why some prefer to stay completely anonymous. The 30-year-old who was recently in the news for creating bots that helped report other bots that were influencing Twitter trends would not give us a first name or even initials.

You can reach him online, as numerous publications did in January, but he won’t share a phone number.

“It’s hard enough as it is,” he says. “I get death threats and obscene messages every day. My relationships with people have changed. I don’t know who I can rely on. At times I don’t trust even my parents with all the information, because I don’t know how much they may share with other family members.”

He made the news for creating bots that helped take down over two lakh other bots, over a period of about four months. The other bots had been programmed to tweet a certain kind of content in such large volumes that it affected what trended locally on Twitter.

“I wanted to do this so that people had a clearer picture of how things stand,” he says. “I am glad I did it. The role of the ethical hacker is a political one. Some sacrifice has to be made.”

LEVEL ONE

Gurgaon-based Avinash Jain, 27, is one of those white hats who hunts down bugs like he’s living in a video game. He won about 80 bug bounties in 2018 alone – including $2,500 (about ₹1.78 lakh) for finding a bug in Go-Jek, a multiservice platform. The first bug bounty he won was with Zomato, and the prize was just some merchandise, but the thrill has had him hooked ever since.

“The one downside is that the pursuit of a bug is so unpredictable,” he says. “The key tool, you learn, is patience.”

One of the bugs Jain is proudest of identifying is a loophole in an online registration system for hospital appointments and admissions that could compromise the details of those who registered online. He didn’t win anything, but the problem was acknowledged by the hospital, and fixed.

Typically, the ethical hackers say, government departments are slow to respond, though they are now warming up to the work done by ethical hackers. Kothapalli’s Hackrew, set up in 2018, organised its first live hacking event with the Telangana government last year. Vineet Kumar’s Cyber Peace Foundation (CPF), based in Ranchi, has collaborated with government agencies like the National Council of Educational Research and Training (NCERT), to conduct cyber awareness contests, and with the National Crime Records Bureau (NCRB) to host a hackathon — an event in which hackers compete to spot loopholes and suggest fixes for an app or website within a stipulated time.

A LARGER MISSION

Kumar believes the responsibility of an ethical hacker goes beyond finding bugs and threats. “Given the reach of smartphones, it is important to educate and protect at the grassroots level,” he says.

His organisation has been working to educate rural users about the kinds of cybercrime, and about their rights.

“Sometimes it’s simple things like teaching people that if you file a complaint in a case of financial fraud within 72 hours, you must – barring any malfeasance on your part – get your money back. Or teaching people that even downloading a child sexual abuse video is a crime. Or that sharing pictures and videos of children without parental consent is illegal,” he says.

Over the past two years, the CPF has worked with the police to conduct cybersecurity awareness workshops in states ranging from Assam and Jharkhand to Andhra Pradesh, Uttar Pradesh, Haryana and West Bengal. “We have a group of master trainers who work closely with the police to help in investigations too,” Kumar says.

“Digital literacy is crucial given how fast digital access has spread, and continues to spread, in India. The alternative is simply disaster.”

DIWAKAR PRASAD / HT PHOTO; SURAJIT SHARMA / HT PHOTO
■ Vineet Kumar runs the Cyber Peace Foundation, which works with government agencies to spread awareness about cyber crime and cyber safety.
■ Sai Krishna Kothapalli, 23, from Hyderabad, says there are so many people in the race now, that you have to work even faster, or watch as ‘your bug’ is reported by someone else.
KASHIF MASOOD / HT PHOTO
■ Karan Saini, 20, from Bengaluru, says online communities have brought ethical hackers closer. Finally, white hats can connect with others who understand what they do, and why they do it.
