By the age of 16, Ankit Fadia was the author of several best selling books and a popular website on his pet subject: ethical hacking. Following the terrorist attacks of September 11, 2001, the US Government hired him to decrypt a critical email intercepted from Al Qaeda. It was, as they say, a good career move.
Interview by Ryan Trainor
When did you start hacking?
I got a computer at home when I was ten. The first couple of years I was just playing around, playing games, surfing the internet. At the age of 12 I suddenly got interested in hacking. I think the forbidden fruit always attracts, and hacking is something forbidden. You're not allowed to break into systems and access other people's files - that's why I got into it.
At the age of thirteen I performed my first hack and defaced the Indian government website. I put up my own website instead of the VAW homepage. And, at the age of 14 I wrote my first book, the unofficial guide to ethical hacking, which became an instant best seller the world over. At the age of 16, after the September 11 attacks, the US Government intercepted an encrypted email and I was invited to decrypt it. That was a big milestone in my career. After that I got a lot of government work.
I have written seven books on computer hacking and one on mobile phone hacking. And I have started a consulting and training company in Malaysia. I'm also studying my Bachelors in Management Science and Engineering at Stanford University.
After September 11, how did the US Government get in touch you?
At the time, my books were widely available and I was running an extremely popular website, which is probably why they got in touch with me. I am not supposed to talk too much about it. But, the good thing and the bad thing about working with the intelligence or police agencies is that they never tell you whether what you did was really useful or not. So even to date, I have no idea if what I did was actually useful. But, since I have received a lot for projects since then, I guess that what I did was at least a bit useful.
How big a problem is hacking in the world at the moment?
I think that it's a big issue of concern because these days everybody relies on the internet. Just imagine your life where the internet stops working for a day. You'd be totally paralysed.
The problem is, most corporates don't take security seriously enough - until something goes wrong. On most occasions, that's too late.
How many hackers are actually out there?
I wouldn't know the exact figure, but every school kid has, at least once, been fascinated by the term hacking and hackers. There are thousand of people who carry out hacking as a hobby, and very few of them actually take it up as a career. I would really like to see more people who start hacking as a hobby actually make it their career as well, because there is a huge market. Ethical hackers, or computer security experts, are in great demand worldwide.
Can you explain the term "ethical hacking"?
Traditionally in computer security there are two types of people: Hackers and Crackers. Hackers are actually the good guys who work with the police agencies to catch the criminals and secure the internet. Crackers are the bad guys who engage in cyber crime. But over the years, due largely to media coverage, even the hackers have come to be looked upon as bad guys. So now there are "white-hat" hackers and "black-hat" hackers. Ethical hacking is a new name for consultants who are hired by companies and given permission to break into the company network to expose the loop-holes and devise counter measures.
What are a cracker's primary motivations - fame, thirst for knowledge, money?
I think 60 to 70 percent of Crackers are in it for kicks. Being able to do things that others can't really gets them going. To a certain extent it's also about fame, because the hacker community is a very jealous community. If someone is able to break into a website, he becomes an instant hero to his hacking colleagues. And there is a very small percentage of people who do it for money; who are paid by, say, a competitor trying to break into somebody else's secret data or stealing IP or corporate espionage or spying on other people.
When you were 14 you wrote a book - that's quite an amazing feat. What was your inspiration at that stage?
I started my own website and started posting tutorials. In less that a year, around 60,000 members registered worldwide. And these people used to come back to the website on a daily basis. It was an entire community; an entire online revolution. The response was so good that a lot of people emailed me saying, "Why don't you write a book?" I realised that, at that point of time, at least in India, there were no books on hacking. So I decided to convert my website into a book. Even today, my books are the only books on hacking in India. Usually, books from Europe and the US come to India, but it worked in the reverse order. They are available the world over and have been translated into seven or eight languages.
You're making a good living out of this now. What was the flame that got you going on the entrepreneurial side?
I really don't know... I can't really pinpoint one such incident that really got me going. But I guess it's just been in me, that fire has been there to want to do new things, want to explore new avenues and try to build up a career - an entire business - out of ethical hacking.
I realised that awareness is very poor, across all sectors, so there is huge demand for somebody who is able to create awareness and manage security for companies. It's a huge market that is not really occupied by many players. At the top end you have players like Ernst & Young and PricewaterhouseCoopers, who charge an exorbitant amount of money and not their specialty. They do other sorts of consulting, and as an extra freebie they do security consulting as well. At the other end, you have a few small companies here and there, who don't give the quality and the efficiency that's actually required in the industry. So between these two types of companies there is a huge gap, which I am trying to fill.
There are always rumours around that some of the big software companies could be behind various viruses. Do you think there's any legitimacy to that?
I actually did a small research stint at Symantec, in California. I posed this question to the head of the Information Security Management Group there. He just laughed and refused to answer the question. I personally feel that it's definitely possible. It's a great marketing strategy - where you release a few viruses, infect a few million systems and then come up with a counter measure for it. In fact, when I was setting up my business, a couple of guys said to me, "Why don't you hack into your prospective clients' website, deface the website, and then a couple of weeks later, walk into their office and offer them the solution?" But that's unethical.
Being the young entrepreneur, do people take you seriously? You're a 21-year-old going to multi-billion dollar corporates. How do you win their trust?
I've done close to 100 training sessions now. I've done consulting work for many small agencies, and I guess the big break was when I decrypted the message that was intercepted by the US Government. When I talk to a particular company, they go through my profile and it completely changes the way they look at me.
What are your goals over the next 5-10 years?
I finish my education in a year's time, so I'll finally have a Stanford University degree. But I definitely want to pursue computer security as a full time career - consulting and training will always continue. But recently I've also branched into new fields. I've invested a lot into real estate in India, which is really booming in the cities. Another thing I plan to do is set up a chain of restaurants in India. The idea is to perfect the model and then to franchise it out. In India, going out to dinner or lunch is like an event - everybody dresses up. So I think there is a huge market for different cuisines and different kinds of restaurants.
Most Australians remain oblivious to computer criminals. What are some of the real threats local companies face?
In the last six months there have been around 20 to 25 major viruses that have infected thousands of mobile phones across 20 to 30 different countries across the world. So mobile phone security is the next big thing.
But within computer security, I think SPAM has always been a big issue of concern. Even today, most companies are struggling to come up with good, fool-proof counter measures against SPAM. Phishing attacks are always there. I think its just that more appliances are being connected to the internet. We are talking about digital homes, where refrigerators, televisions, all different electrical appliances are connected to the internet. The time where it's possible for an attacker to hack into a refrigerator is not to far away. The more we depend on technology, the more concerns we will have over invasion of privacy.
Identity theft seems to be quite a big problem at the moment.
It's known as social engineering, where in you can just call up a bank or company call centre and pretend to be someone else in order to find out sensitive data about that person, which then can be misused against them.
You receive a monthly mobile phone bill, right? What do most people do? They make the payment and simply throw it away. But there is a technique called dumpster diving, where people go through the victim's trash for bills, which contain all of the information you need to call up that person's mobile phone operator and change any sort of information about that particular account.
A lot of smaller businesses don't have big budgets to protect themselves from some of the issues that you've raised.
They can send me an email. Say, for example, you own a mid-size company. If you were to do security on your own or you wanted to hire a systems administrator, what would you pay?
Ten grand a month?
About US$8,000? What if I told you that I manage your security, and you could pay me only US$299 a month?
It sounds like a relatively good option.
Exactly. The end vision that I have is for people being able to go to a website, fill out a form, describe the network, describe the number of systems, platform and the kind of software they are running. They should be able to install a patch and then remotely, my people sitting in India, who are being paid Indian salaries, in India currency, are then able to provide affordable, quality security solutions, management and security monitoring services to clients the world over.
So would you call yourself an entrepreneur or hacker?
Hacker turned entrepreneur. Or, I would say, hacker turned author turned entrepreneur.
A large potion of criminal activity seems to be coming out of Eastern Europe and Asia. Do you think that the struggling economies of these countries turn them into breeding grounds for crackers?
I don't think so. I think the quality of computer hackers or criminals is spread quite equally the world over. You have viruses coming out of pretty much every country. I wouldn't really rate one country above another as far as the quality of criminals or quality of anti-criminals coming out of the country.
What made you go down the track of using your skills and knowledge to assist businesses rather than potentially going the other way and tearing them down?
I think that both hackers and crackers require pretty much the same knowledge, the same expertise, the same experience. The only difference lies in how they utilise the knowledge. I guess at that point in time I was too young to realise what I was doing. Fortunately for me, I chose the right path. And now I realise that if you use your computer security skills in a positive manner, you can end up making more money, making a better name for yourself, and will probably end surviving longer as well. Because, at the end of the day, if you choose to be a criminal, sooner or later you will get caught.
Given your position in the hacking community, do you feel that you're obliged to use your status to point other young hackers in the right direction?
My books are being used as text books in computer security courses across South-East Asia. And I offer lectures, reading and exam material for students. That's my way of giving back to society, or giving back to the hacker community.
I've also started a course in India. We're using the latest e-learning techniques and people from across 110 different cities in India registered for the course simultaneously.
For a small or even medium sized business reading this publication, would there be one key tip that you would give them in terms of internet security, apart from unplugging their computer?
I think they should just install a basic firewall - there are a lot of freeware firewalls. Just download one and start using it. Patch your systems regularly. Run windows update regularly. Have a good anti-virus and update the virus definition files. And choose a good password!
The biggest problem or the most dangerous type of attack that I have seen is something known as a distributed DOS attack, or distributed denial of services attacks. They actually change the source IP address, or source computers, that are being used to send out the attack.
Say, for example, an attack initiates from Australia. So I lock out seven IP ranges in Australia, but very soon they moved the range, so then I have to block out Japan. Soon we end up blocking out two or three continents - completely. It means none of a client's customers or employees can access their services. It can take us a couple of weeks to fix.
What kind of advice do you have for someone who is young, seen the allure of hacking and has probably even touched the dark side a little bit?
First of all, learn at least one programming language. Read as many networking books as possible, because at the end of the day, computer security is about nothing more than combining networking and programming. And learn Unix for sure. And learn how to think like a hacker. Learn how to think like a criminal; adopt a crooked mind, or a cracking attitude, so that every time you see a service or piece of software you need to think of ways in which you can break it. Only then can you become a good security expert.
Can you explain the real risk of cyber terrorism?
Cyber terrorism is indeed a big issue, but I have never really seen terrorism taking place purely on the internet. Most of the stuff that happens on the internet is more of something known as Hactivism - that is, hacking for a social or political cause.
Take, for example, the India-Pakistan cyber war. They break into the opposition's government's websites and deface them by posting social or political messages. Its more of people who are trying to spread a political or social cause, create awareness, who like to deface popular websites. Most of the investigation I have done reveals some direct or indirect government involvement.
You're 21 and travelling the world doing what you love. Do you sometimes have to pinch yourself to check that it's real?
Ah, yes. There are times where I ask myself whether I can actually handle the various activities that I'm doing. But another day I just believe in my abilities and I am very passionate about what I do, and I really enjoy it. And I love travelling. I love exploring new business opportunities. I am always looking out for an opportunity to do something new, something better, something bigger.