Sunday, September 30, 2012

Ankit Fadia: “To become a hacker, you need to know how to think like a criminal”

Let’s start with this question: who is Ankit Fadia?

I define myself as an ethical hacker.

Why ‘ethical hacker’? Does the word ‘hacker’ on its own have a pejorative connotation?

Traditionally, a hacker was somebody who knew everything about technology and understood how to work the computer, internet etc. in ways s/he wanted to. Over the years, the term hacker has come to have a negative connotation. Whenever some cybercrime happens, they say that somebody has ‘hacked’ into the system. So to separate hackers from cybercriminals, the term ‘ethical hacker’ was devised.


And what exactly are the parameters within which you operate?

An ethical hacker is usually somebody hired by a company and given permission to hack into their network and in the process get to know what the security loopholes are. In the process, they will create a report saying “Hey these are your problems and this is how you can fix them”. So this is what an ethical hacker does. He takes the knowledge of the criminal and uses it against him.

But if you have that knowledge, what prevents you from putting it to any other use?

To be honest it’s a very fine line. Knowledge is powerful but it comes with great responsibility. One has to be very careful.

As an ethical hacker, where would you stand in relation to WikiLeaks, for example?

I personally feel that some information is confidential for a reason. So I don’t agree with the ideology of WikiLeaks, of putting everything up online, especially confidential information.

So you think it’s okay for government officials to be using secret information behind our backs?

It’s difficult to have a strong stand on the issue either way but I still personally lean on the side that some information is confidential for a reason. An ordinary citizen hacking into government military computers and stealing information is not acceptable.

When you talk about ethical hacking, don’t you actually mean legal hacking?

Yes. It also means that you are not going to harm anybody. For example, the most common example of hacking is using the photographs and data of innocent women to set up fake profiles for putting up obscene messages. It’s not just illegal but it also harms somebody and their reputation.

Did WikiLeaks harm anybody or did it free the world of all these secrets which happened behind closed doors?

WikiLeaks actually started out as something quite interesting. What ended up happening was that once it got so big, you had all these people trying to hack into government computers to try to steal information. Also, existing government employees started feeding false information to WikiLeaks, so when they are receiving millions of submissions, it’s very difficult to determine what is genuine and what’s not. Initially they had control over how they got the information. Now they don’t.

You’ve written so many bestselling books about hacking - what makes your books such a big success?

Basically, I grew up in India; we had no books on hacking. When I wrote the first one, the response was fantastic. We sold something like 40 or 50,000 copies before the book was even released. Usually books are first published in the U.S. and the U.K., then local Indian editions are released. With my books, it was the reverse. We had the Indian edition out first and then global editions came out.

Though you wrote 14 other bestsellers translated into several languages, you never managed to beat that record, did you?

No, I think that my first book was raw and I did not think much about the consequences. It was not a controlled logic. I was perhaps a little immature and presented essentially raw information which is what I think made a lot of people like it.

It was more spontaneous, you mean?

Yes, because when you’re 14 you don’t think about the consequences of giving information.

What does one need to become a hacker?

To become a hacker you need four things: You need to know about programming, you need to know networking, the basics of Linux and, most importantly, you need to know how to think like a criminal.

So what’s the percentage of people excluded already?

(Laughs) A lot of people. The first three things can be learned but the fourth thing you have to learn on your own. It’s a talent you have to develop, and I classify thinking like a criminal as a talent which you definitely require if you want to be successful as a hacker.

When you say you have to develop the capability to think like a criminal, how does a criminal actually think?

A criminal is thinking about how to take advantage of the system, how to break it, find a loophole or bypass it for his/her own personal benefit. This could be put to positive as well as negative use. Hacking for me is a concept: it’s being able to use information to do things that most people don’t know.

What did your workshop teach those who could afford you?

Practical demonstrations of hacking into everything from the passwords that you use every day, your cell phone, your ATM machine or any kind of machine that you use. I did live demonstrations on how it can be done.

What’s the point of teaching people how to think like criminals?

Most people don’t realize how vulnerable they are. When you put them in a room and hack into something that’s personal to them, they suddenly realise how vulnerable they, their organisation and their kids really are. Suddenly they start taking cyber protection seriously. So yes I do show them how to hack, but the idea is not to teach them how to be criminals. It’s not like you attend a seminar and come out criminals the next day. What I do on stage is simple and exciting, but hacking is not that easy to learn.

Will you teach me how to hack into a bank for example?

(Outburst of laughter) No.

But you could hack into a bank’s system if you wanted to.

Yes.

If you did not teach our CEOs how to do that, what did you teach them?

I explained to them that the biggest risk in an organisation is its own employees…

Well, thanks!

(Loud chuckles)… Because they are already inside the system, they have access to sensitive data and have plenty of opportunities to steal it. So how do you protect yourself from your own employees? There are certain measures that a company could take. For example, have a firewall, security measures such as disabling USB drivers and forbidding the use of personal emails because documents could be sent to a competitor from a personal email account. Personal email accounts cannot be monitored, only official email accounts are.

Does that mean that all the companies are sitting there reading all the emails that we are sending out from the company account?

Of course. In the U.S., employees have to sign a document authorizing the company to look into their email accounts whenever they wish. I don’t know about Mauritius but in India they don’t make employees sign anything but go through the employees’ emails nevertheless.

What about government? Are the secret services having fun reading our emails too?

Yes, the government has access to everything that is happening online including what emails we are sending, what we are chatting about, what websites we visit. However, they don’t sit and actively read all this data. They only refer to it or look at it when and if they need to. They have the power to spy on everything, though.

So, our CEOs now know how to spy on us properly.

(Laughs) Well, I didn’t teach them that! I only taught them how to better protect their organisations. For example, a laptop is company property, and employees should not be doing certain things. What I recommend to companies is to have a recreational room or something for employees to use computers there for leisure time that is unrestricted. This is a price that companies have to pay.

How much of all this is paranoia?

Most companies think it’s paranoia until something goes wrong. It’s like insurance: one could ask why get fire insurance if the last fire in their building was 100 years ago. But we still need to have it in case one does take place. I’m sure you must have heard about the Sony case, where the credit cards and identity details of customers worldwide were stolen just a month ago. Even BlackBerry was attacked and the Android platform of Google. Just the other day, government officials in the U.S. alleged that Chinese hackers were targeting the emails of top government officials.

How many such hackers do you think there are out there?

Nobody knows. They stay underground. Most don’t even want to be known. Most just want to have fun and have regular lives and jobs which will obviously be IT related.

How much fun can you derive from prying into people’s private details?

Go to any college student and ask them why they’re on Facebook. It’s not like Facebook is the first way to stay in touch with people. You could stay in touch with people on chat. But why Facebook? There are photos and videos. Young people put pictures of nicely dressed people in a party. That’s what people want to see. And many people may not have the confidence to, say, go up to a cute girl and talk to her. Now, sitting in the comfort of their room, they don’t have to dress up, they could be in bed, but they can still see what that cute guy or girl is up to. That is what drives Facebook. So comparing that to computer hacking, sitting in my room, I can see what you are doing in your life and you have no idea about the sense of power and rush that I get. You know, wow, I’m able to do this.

Apart from what I’m doing in my life, what’s the big deal about this whole hacking thing?

The other day, the NASA network was attacked by a kid from Russia who managed to control a spaceship in space. So imagine being able to do something like that! More recently, there’s something called the Stuxnet Worm. Everybody says that the US government created the virus and what the virus did was that it attacked only the Iranian nuclear department computer. So the next world war, if it ever happens, may actually be through the internet. You don’t necessarily need to go with tanks and bombs and airplanes to take over a country anymore.

At what point did you realise that you had this talent of thinking like a criminal?

I first hacked when I was 13. My favourite computer magazine was a magazine called the Chip Magazine, in India. So one Friday afternoon, I hacked the Chip India website and put my photograph in the place of the website. And I got super excited like “Wow, my favourite magazine and I put my photograph on the website.”

And presumably your first book was about giving advice to young people about how to do the same thing?

It was about how to hack and how to protect yourself.

You mean at that age, you were already thinking corporate protection?

Not as much as my more recent books. The first book was more about how to hack and less about how to protect yourself.

If I acquired your book, would I learn how to get into your bank account and sweep it clean?

(Laughs) No!

Do you know how to do that?

It can be done, but in reality what happens is that it’s traceable. The money would have to be transferred to some other account in some other bank. Usually the criminal has to be fast, withdraw the money immediately in cash and then leave the country.

Oh, why leave the country? Can’t you transfer it to an account abroad?

You can, but as long as it is in a bank account, it can be recovered and there can be legal action. Ideally, if you don’t want to get caught, or if you don’t want any litigation happening, you should take the money and leave the country.

Is this the advice you have given our CEOs?

(Laughs) No, I did not talk about this at all!

They didn’t pay enough?

(More laughter) Yes! A smart criminal will not only be able to hack in but also delete the traces he has left behind. In most banks in most countries, you need to show proof of identity to open a bank account but there are countries where you can forge documents or create an account using a false name. If you do that, then there’s no way to get caught again because it’s a fake account and you’ve withdrawn the cash and there is no link between that account and you. For a regular kind of hacking, not talking about banking at all, if I wanted to hack into someone’s network and not leave any trace behind, I would connect to the proxy server in Russia and then hack in. I could be sitting in the same room as the person whose computer I’m hacking but when he investigates the matter, he will see that someone in Russia hacked him and the police here will spend all their time investigating in Russia! But I am here in the same room.

Is hacking a good career?

It is. It’s very exciting. It’s not like having some boring programming job where you do the same thing over and over again for the rest of your life. It’s something new and you get the rush of protecting, of fighting; it’s almost like a game you are playing in real life and you are getting good money to do it.

What’s the hackers’ age group?

The best hackers are young people aged between 12 and 25.

What happens afterwards? Do people get bored with hacking?

I think life interferes between them and their passion. A marriage takes place and suddenly you realise that you need to pay the bills and you need to earn money…

Can’t you pay the bills through hacking?

You can, but not everybody can be that successful. Also technology changes so fast that, if you’re stuck with life, you don’t have time to upgrade your skills.

Do you, then, feel that you are left behind?

Well, yes but, by that time, you are also doing other things. I personally feel that the main reason why the best hackers are young people is that they have a lot of free time and they pick up technology really well. The younger generation will always be better hackers because of the time.

Because of the time not because of the mindset?

Mindset also, because young people are less conscious of the consequences. Someone who creates a virus that brings down the entire internet is likely to be a young person because when you’re older you’re more conscious.

So you would never put your photo up on your favourite magazine today?

Oh no, I would never do that again.

What else would you not do?

When I was at school, there was this cute girl that I liked and I hacked into her email account. I would never do that again.

What did you find out?

(Laughs) Nothing very interesting. But she found out I had done that.

So you weren’t very good then?

No, it’s just that I was the only hacker she knew, and she knew I had a thing for her. Today, I wouldn’t do that because I respect people’s privacy and I think everyone has skeletons in their closet and it’s best to leave them alone. In the last 10-12 years, I have learned that you can make a good living by staying on the right side of the law and even if I’m tempted, I prefer to stay there.

What’s the ideal age to learn how to hack?

Probably fifteen or sixteen because that’s when children know enough about the internet and technology and that’s when they will get that kick and excitement about doing something that someone else cannot.

Aren’t you worried that they might misuse it?

Anything that you know may be misused. Yes, there is going to be a percentage of people who misuse the knowledge. But if anyone wants to commit a crime, there are other ways to do that.
