Technology permeates society. This is true not just in the United States but also across the globe. With it comes the opportunity to level the playing field amongst vastly different cultures around the world. But the one thing that remains is the constantly evolving virtual battlefield and its effects on the real world. And if one shows an uncanny ability to navigate this arena, it matters not from where they came. One such individual is Sid Siddharth of NotSoSecure.
Sid’s story is one of success. But it’s not from luck or privilege. Sid’s success comes from the simple concept of hard work. Each step along the way, Sid gave it his all and it was noticed. Even when there was no such thing as a professional ‘ethical’ hacker, Sid continued with his passion and that simple tool in hand… hard work. Because of that, doors opened for him in India, the UK, the US and beyond. Now he has his own company and travels the world as a speaker, instructor and penetration tester. In this interview, Sid shares his thoughts with the EH-Netters around the world looking to follow in his footsteps.
Thanks for taking the time out of your hectic schedule to join us on The Ethical Hacker Network. Although we’ve known each other for several years, many of our readers may not. So a good start would be for you to introduce yourself.
Hello everyone, my name is Sid, the founder Director of NotSoSecure along with Dan Haagman. My core skills are technical and I always pride myself in these skills which are application security, database security and infrastructure security.
As I often do in interviews, I like to go back to the original spark. Can you share your very first memory of seeing or touching a computer and what was it in that moment that ‘got’ you?
So I graduated from India’s top University called IIT which is also a big name in America. One of the things the University had was one of the very quickest computer networks out there – that was back in 2001. From the early days I picked up networking and hacking was the natural transition.
I remember my first hack which was in my University days where I found a way to read /etc/shadow on the University network and I was fined 1,000 rupees. Back then 1,000 rupees felt like a lot and when I turned up at the disciplinary hearing I asked if I could negotiate the rate down which did not go down very well.
When did you make the leap from a curiosity of computers into the deep end of hacking and security?
My first job was with IBM. When I graduated from University I got head hunted into IBM and back then they put you into training for 2 months; but all we did for 2 months was just hack around some PCs and eventually realized this was serious and we had to do something about this job we had. It was difficult back then convincing my parents that I wanted to take up hacking because hacking was not really a profession back then. Now there is so much awareness that these subjects are taught in Universities – back then it was difficult. It was the only thing I could do really.
When did you know that this would be your career path?
I never actually sat down with a plan; things just started to fall into place and eventually things worked out well I guess. I realized I could do this thing for a living and I was put into research, wrote some papers, spoke at conferences and eventually one thing lead to another.
You attended the prestigious Indian Institute of Technology, Kanpur. How did that experience shape you as a thinker, an entrepreneur, a man?
Oh wow. I did a major in iron and steal metallurgy and will struggle to differentiate aluminum and brass now so I don’t think my University professor will be too proud of that. But I think it’s not the subject that matters, it’s the ethics that you take away with you from university which really helped in my case. Some of the disciplines of when you have to meet a deadline, you have to work your ass off and there is no other way of going about doing it. I think that helped me in shaping the individual I am today.
What was your first “real” job in a computer-related field? How did that lead to more specific jobs in InfoSec and eventually penetration testing?
My first job was for an Indian based company and back then in India a couple of companies did something to do with IT Security, I so was really grateful for one of these firms to have me there. Since then, I moved over to the UK, did some more research, wrote further whitepapers and after that I realized it was starting to get very serious.
NotSoSecure was founded in 2013 and Dan Haagman joined me earlier this year to expand the business. The problem I felt was that there was a real lack of boutique companies in the market. All the good boutique companies in IT security were either acquired, or getting acquired – so there was a demand for a niche company to undertaken core pen testing and some specialized advanced training. So far the reception for our services and training has been superb and this is better than I thought it would ever be 2 years ago.
You’ve been doing in-person, instructor-led training for quite some time, and the course offerings and attendance keeps growing. Other than cloning yourself, the next obvious way to reach a wider audience is through online training. Can you tell us what the future holds in this regard?
Oh yeah definitely – the core of what we do is innovation and we are very proud of what we do. Some of the courses we have designed are very specialist; they are based on our real life pen testing experience. It is this experience that makes our classes so much more niche and they are all taught by hands-on pen testers that have been doing this for many years. If we find a really good hack in our day-to-day pen testing jobs, we will translate this into our courses so this is why it has been so popular. One of the things we have also done is to take a different approach towards training. In normal conventional training, you attend the class and you may have access to some sort of a lab but that is just for the duration of the class. What we have done is posted all our labs online. We host the class for 30 days afterwards and anyone who has attended gets access to this lab. The training is not actually over when the physical training is over. In our view, the training starts when we are done with the personal training because then the attendees can go back to the lab where they can get extra time to practice things. This is successful because some of these concepts are based on months and years of our experience so you cant really teach them thoroughly in 4 days.
Running courses is quite a complicated endeavor. Tell us something about the development of them. Is it as straightforward as some people think?
Not really – for a good class you are covering complex topics; obviously you need to have the expertise to teach the people, you need to stay current with the latest hacks but also the labs take a lot of time. You need to worry about things like how many VMs you need to spin, how you are going to grant access, how can someone spoil someone else’s fun, how to make the level of difficulty gradually increase. So you need to structure it accordingly.
We expect to meet some really clever people at Black Hat and some people who will do things differently and teach us a thing or two. That’s the joy of teaching at such great conferences.
Now you are off out to Las Vegas and this interview is being done at 35,000 feet. Currently NotSoSecure is doing its Advance Infrastructure Hacking course at Black Hat 2015 and is arguably one of the biggest and most popular courses this year (being sold out); why do you think that is? Is it relevant, what’s so special about Advanced Infrastructure Hacking?
First of all this is something we have been working on for months now; I think 5 months to be precise. It’s something we have invested a lot of time and effort into and we are really happy to see the results come out and it being as popular as it turns out to be. We are hosting a class of 100 people in Las Vegas and have built an extensive lab. I think infrastructure hacking generally is really a topic everyone wants to get familiar with but more importantly, some of the topics we teach are not common in other training courses; things like VLAN hacking, VoIP and other core niche topics like privilege escalation etc., are something you do not often find in course syllabus because a. it requires a rigorous lab to be built, and b. you can get away with out teaching those topics and still teach an infrastructure class.
That sounds a bit “old hat” and not the normal ninja skills one might expect at “Black Hat” training?
Well it is but if you think about it … Hacking is constantly evolving but the principles remain the same so there is no way you can teach an advanced hacking course and not touch on the core principles.
What we do is try to build from the base up so in a 4 day class, we start with the very basics but gradually build up on the most cutting-edge vulnerabilities and exploits. In our training class we are really pleased with talking about vulnerabilities as latest as last month; some of them like MS 15-077 which was patched by Microsoft just 3 weeks ago. This is something we cover in the class and similarly there are other exploits that we talk about that people really need to know about.
You have a new partner/employee/collaborator that is actually an old boss of yours. Life is a series of ups and downs, twists and turns, and no one ever knows when paths may cross again. Can you tell us a little bit about your journey in this industry with Dan Haagman?
I am really chuffed to have Dan Haagman alongside me to guide me and to take this business to a new level. Dan obviously comes with decades of experience having started a Security business, sold the business; he knows what works and what does not work so it is really good to feed off this experience. Only time will tell how far we go but so far the future looks really bright for us.
What do you both bring to the table; how have you divided it up and who does what?
I think one of the things is we try not to cross wires; Dan is purely business and I am purely technical and I think for what I could see in the foreseeable future, I would like it to stay as it is.
Being a success also has its tradeoffs. How do you handle the work-life balance or is that even possible at this point in the life-cycle of your new company.
Family life is very important and this is key to me; to spend time with family and friends really matters.
And the future for NotSoSecure… what are your plans together?
Well, I think the plan is to grow and the plan is to still remain niche and the plan is to do good work with like-minded clients. Hopefully everything else will fall into place.
To wrap up the interview, here’s another common question I ask. Based on a life in technology, what is the one piece of advice that you would give to someone just starting their career?
Work hard, try to stay current with the technology…
Many thanks to both Sid and Dan and best of luck at Black Hat 2015. We wish them all the best in their future endeavors and keep the door open for them here at EH-Net for any advice, tutorials or life-lessons they’d like to share.
Donald C. Donzal
The Ethical Hacker Network Online Magazine