Working as a self-employed security researcher is an “Amazing, Thrilling, Challenging, Impacting, and Self Disciplinary focus coordinated multi-tasking problem tackling monster”, which is what Shritam Bhowmick thinks a 9-5 job never will be!
Here’s our in-depth interview with Shritam Bhowmick, a renowned Cyber Security Expert at Defencely Inc. He shares his personal opinions on how he got into the cyber security space, what motivated him to reach the pinnacle of security research, what keeps him going, and genuine advice for young cyber security enthusiasts!
- What was that one moment when you thought: yes, cyber security, this is my field! How did you pursue that?
Ans. Hi, first and foremost, let me introduce myself to the audience. My name is Shritam Bhowmick, a bold, visionary application security penetration tester cum web application security researcher. My current position is with Defencely Inc., an enterprise application security service platform for the right high-valued applications and enterprise cloud security business portals. Some would claim that the best offensive security people are indistinguishable from hackers, and I would be inclined to agree. An offensive security guy takes the viewpoint of a hacker; he has the same knowledge and skill, the same curiosity and practical approach to things, and very little interest in what is considered common wisdom among the establishment. My past was associated with many other application security companies. I do application penetration tests and vulnerability assessments for clients, giving enterprise businesses the right security posture by letting them know the security holes beforehand which, if left unpatched, might let a malicious attacker harm the business assets of that particular business entity. Apart from this, I have a sheer interest in cutting-edge application security research, which I always pursue within my personal reach. Along with both of these, I have been a trainer, and let others know what I myself learn.
To answer the question, my story goes back to 2008, when I first received my desktop from my dad on my 16th birthday. I was always curious and started first with old-time NFS Hot Pursuit games, until I landed in the Internet world because of an introduction from a company named ‘Dewsoft’. They promised me high hopes for my programming skill (which I never found), but what this did offer was Internet-based education on various programming languages, for which I had to obtain an Internet connection. We all know, the first time, I misused the internet and came across a new world beyond my imagination. I came across several forums, social media like Orkut, etc., and participated in every corner of the live happenings. This alone kept me updated. Curiosity still starved, and I came across several forums wherein I found programming challenges. All these challenges still exist at these live sites, and the challenge is to break the program in a certain way to obtain the ‘Easter egg’.
Now, to cut the long story short: Easter eggs are something intentionally placed by developers to let users of that program find the ‘special egg, a cunning, weird, intentional message or a bug’ which sometimes is left undiscovered by the end users. All of these made me go from hunting Easter eggs to the concept of ‘unethical hacking’. Yes, the first time I was introduced to the WWW, I landed on a forum where ‘Unethical hacking’ activities were at a peak. I learned everything anyway, since any part of the knowledge which I starve for is essentially right for me. I began my quest solving problems, breaking security, moving ahead of the curve; I trained myself and taught myself to code from then on, and here I am at present. There are so many more incidents which happened along the way, which are beyond any book or interview web call. But anyway, I enjoyed the ride, and from the year 2010 I decided to take up ‘application security’ as my prime area of interest. The reason for taking this very decision was the fact that the World Wide Web does not stop at the edge; it builds the edge and works with the flow. An example of the same can be seen in the transition from Web 1.0 to Web 2.0, and now Mobile Applications, Rich Internet Applications (RIA), and many more platforms are available to learn and get a hold on. The thrill never ever stops, and you keep learning something new. This is always what I wanted.
In the end, I belong to a part of the Cyber Security arena; my quest, understanding and interest lie within the premises of ‘Application Security’ rather than the whole of Cyber Security. I am specific to the specialty, which would rather be ‘Application Security’, and nonetheless I feel honored to be among the security scene. And, if I have not already greeted Czar Securities, I would like to take this opportunity to thank them for providing me a platform and a quick interview for the audience. I’d also deliver them my hearty congratulations, with wishes for the live success they have recently been obtaining with Czar Securities, and would always look forward to their success.
- How does it feel not going to a normal 9-5 job and being a self-employed security expert?
Ans. One liner to this: “Amazing, Thrilling, Challenging, Impacting, and Self Disciplinary focus coordinated multi-tasking problem tackling monster”.
If you look at my schedule, I barely get a precise 4 hours a day for my sleep. What else keeps me awake this long? Research, work, self-guidance, and the more obvious day-to-day regular normal life entities like picking up groceries, interacting with people, delivering training and talking to my pet cats. The time I give to this arena is much more beyond the 9-to-5 regular job. Anyway, I do not find them much interesting where you cannot learn and have to look to your CEO to tell you everything. I mean, we are smart enough ourselves to do all the multi-tasking, and 9-to-5 jobs are really for the freshers who have just come out of the ‘Engineering’ colleges knowing basic computers in their entire 4-year curriculum (Most do; others are really into the game, and by my game I mean the Computer Industrial Game, not the video games!).
- Do you think the trade-off between privacy and free services, like what Google provides, works in the best interests of people?
Ans. This is a controversial move, if I had to take any side. It depends on the people whether to use Google Services or not; either way they somehow end up doing that, unknowingly or knowingly. Privacy could be traded off if you let them trade it off, and my honest opinion on this could be that, with the rising need for stable organizations, we can pretty much look at Open Source Projects which are readily available, or ‘Tor Node’ based networks which could deal with the recent privacy problem of the mass population. Google has a name out of an amazing algorithm; if the right way was developed back then in 1998 by Larry Page and Sergey Brin, there could be possibilities that it ends up the right way, doing good for the public. I think, in many ways, the Google Product does good public servicing, without which most other business services could have come to a standstill and never progressed. Keeping logical deduction centered with an essence of privacy, it’s better if we look forward to their services but equally center ourselves on ‘Tor Node’, if anyone is that paranoid. There would be hardware-based routers, which have been coming up with open source hardware to maintain anonymity. The best possible way again would be, if anyone is that paranoid, he/she could take away the computer itself, disconnect it from the entire globe, pack the hardware and dig an 8-foot grave for this giant revolution which ever took place.
- What do you think about Facebook and Twitter? How much should we share on these platforms?
Ans. Addiction and finding the right balance, in addition to ‘doing what your platform/profession is’, are two sides of the same coin. Let me explain how this goes. In regular social interaction, the more interaction one does using the internet, the less ‘actually social’ one becomes. This is not something which I have just announced; this was something which people predicted. People keep randomly predicting a lot of theories, and to let you know, in my personal opinion, this statement is false. Contrary to the statement, I put forward my own statement: ‘find the right balance between the addiction, the good and the bad, the social and the privacy-aware social, and share them that way.’
Sharing a thing or two is absolutely up to the users of Facebook. As far as Twitter is concerned, it’s an amazing platform to keep everyone else updated with one-liners of whereabouts and what you would start your creativity with, given the entire 24-hour clock cycle. This does not really reduce work time, but the shared object could just go viral if the consequences are not already taken care of. It depends on the end users how they’d use the given platform. Bad use, bad consequences; good use, good consequences!
- Are you for or against the “Right to be forgotten on Google/Internet”?
Ans. A wise man would approach a concept called ‘misdirection’, which means you leave the trails making others believe you are following the same steps and the trails they find. Originally this does not happen. This is the hint to a solution.
The ‘Right’, as in Human Rights, technically would never be applied on the Internet. This is technically very much proven; hence an argument won’t change anything. Our cables, packets, and data cross oceans and reach the other end through ISPs, routers, mid-devices and proxies. This technically means that, even if users were given the right to forgive their packet traces, all of the packets traveling through these cables will generally always be trapped. HTTPS doesn’t really help in that context, assuming there are ways (recently the NSA harvested data using Radio Frequency without using any Internet, wired or wireless connections!). The basic concept of the Google search algorithm is to bring search pages based on the country, previously visited web, and the interesting information one keeps looking for. All of these are stored in a ‘cookie’ jar and sent on a session connection. That being said, it just helps Google serve the end users with what is best needed. If total freedom and the ‘forgotten’ concept have to be implemented, the users themselves would complain about bad services provided by Google and raise their concern about why Google has become worse than Yahoo! and why they should now rely on Yahoo! and Rediff (these will be the same people who left Yahoo! and Rediff 6 years back for Google!). That being said, we see a diverse change, and hence this isn’t really a very dynamic idea; it needs technological challenges to be solved first rather than throwing out a random protest. If someone has the right to not get noticed, keep the search limited to DuckDuckGo and similar web search services and not Google, or use a ‘Torified Operating System’ and make sure every time you connect to a node you never touch Google, but that again is a hypothesis; we all know it’d touch at some point.
Considering all the stated technical reasons, my conclusive deduction would be against the decision to make the “Right to be Forgotten” entirely applicable, since this is something which is technically challenging rather than theoretically possible. And the bottom line is that I am a firm believer in ‘what and why could be done’; I rather focus on ‘how things could be done’ after the ‘what’ and ‘why’ have been solved by any 3rd party. Implementation matters.
- You must have had ups and downs in your life till now. What kept you going in your hard times?
Ans. Knowing I have haters, ignorant social pressure, endless jealousy, and sheer comparison makers at my back, I keep my passion at the forefront and keep pushing the envelope of knowledge. Once dedication, passion and a mix of kindness with forgiveness are in your mind and heart, nothing can stop you from success. Success is not an object to achieve; it needs constant effort. You cannot sleep lightly after you have achieved something, and the generosity with which you kept pushing your efforts must again be applied after you reach your dreams. This persisting nature, which has been a part of me, has played an important role during all of the hardships I keep facing, be that social hardship, research hardship or any other form of hardship. The point is to accept it and keep moving forward with the flow of knowledge and devotion. With everything aside, love and kindness are the only elements you would have apart from knowledge, and they have a higher place than any Vedic, scientific, or conscious knowledge, since without these elements the application of knowledge is diverted and incomplete. A one-liner would be ‘To the mind that is still, the whole world surrenders!’
- We hear about new bugs every day, about leaks of personal data on popular platforms like Snapchat, Instagram, etc. What, according to you, is the best way to save our online privacy?
Ans. The best way is to keep your offline social entities apart from the online interactions. But this is highly discouraging, since technology is meant to give human beings comfort and not the opposite. These days, you cannot really trust any application, since all of them are cloud based and are centrally stored in one place. Now, to avoid this situation from happening, one must worry about the shared content. If it really needs to be shared among a closed group, one could use a secure file transfer mode via other options which do not include the cloud or any central storage. One kind of transmission is UDP, which is fast and never acknowledges back to the sender whether the packets were received. The datagrams received through these transfers, using specific technologies between two end-points, could be used. Or one could have a de-centralized FTP or 2-way authorization with private-public key based file transfer which does not really have any centralized place for storage; once a file is transferred, it is received by the other party, who must keep a copy on his/her own machine without copies being stored at the server side, since hackers target the server side assets and look for valuable personal information, be it private photos or financial information.
- What do you do when you are not doing anything related to info-sec?
Ans. I interact with people and like to talk on an intellectual level. I like to spend time playing chess with my dad or playing basketball outdoors. I seldom find that time anyway. I write, I document my research, I maintain my blog, which can be accessed at http://www.pwntoken.wordpress.com, and I love to go out to amazing unexplored places. The latter is also one of my hobbies.
- Microsoft just announced that .NET has gone open source. Do you think Windows should go open source too?
Ans. Windows shouldn’t go open source. That’s the business policy Microsoft has played, since it knows server side technologies are used 70% with Linux based deployments and IIS web-servers are lagging because of the universal Windows Platform dependency which .NET had opted for in the past. Making a Windows component open source doesn’t mean the whole Operating System has to go open source, and this is rarely an initiative Microsoft would be talking about.
- You are a renowned cyber security expert today, and every expert was once a beginner. We have young minds who are in the same position you once were. What is that one piece of advice you would give them to keep on pursuing cyber security as a dream career option?
Ans. Be persistent and a consistent believer in what you love, passionately follow and have a keen interest in. This is regardless of passion for Information Security; this applies to everything else, such as guitar playing, dancing, music, reading and anything else. Persistence, be it in hard situations for you, is the only way to keep yourself motivated, controlled, focused and devoted to a particular task.
Specific to the Information Security domain: research a lot, read a lot, write and document what you have researched, and be curious; the first steps are to learn and think logically about anything that comes across your mind, be that politically or judgmentally. Start with Python, Perl, and PHP, with basic Web HTML, JavaScript and CSS. Start with basic TCP/IP and read the OSI from DARPA journals very deeply. Read anything you find, give it your valuable time, and this won’t be a one-night fortune changer. You would need to invest your own valuable time, sacrificing a lot, and that is how you become someone whom others would love to follow as a mentor. Self-learning is the best way, since random courses won’t ever get everything to you. There will always be people talking insanely, but do understand they require higher logical deduction capabilities to make you out. Hence, forgive the odds, go for your own chances, take risks and learn to live life.
Thank you, Czar Securities, for taking up this brief interview, and I thank the audience for being patient throughout the interview. I hope readers find it motivational, inspiring, and informative. Looking forward to wholehearted communication from my end with anything I could help with. Find my points of contact, since this will be the required information to join me or follow me in your quest to make this world a better place for enterprise security!