The tête-à-tête with 22-year-old Ankit Fadia starts off with his narration of how a gadget-savvy young girl staying in a studio apartment in Mumbai wasn’t aware that all her thingamajigs had been hacked. While she was merrily chatting away with old friends and new over the Internet, her web cam began capturing her activities without arousing her suspicion. She found out about this criminal invasion of her privacy several days later, when at an interview for a job, she was told about her having been featured on a pornographic website.
Meet Ankit, at 22, he seeks and strikes cyber criminals
Shocking but true, asserts Fadia, who himself is a hacker. Only, he claims he hacks with the knowledge of the authorities, who, in fact, use his services to catch other hackers. Set a thief to catch a thief, they say. Fadia claims law enforcement agencies in India and abroad have used what he calls his ‘ethical hacking’ services to decipher an encrypted message from cyber criminals. But isn’t willing to substantiate his claim with documentary evidence. What is for sure, though, is that he has written a number of books on ethical hacking that have been well received and runs government-approved courses in the subject in Malaysia, India and China.
Nishu Kakkar of Livemint.com asked Fadia what exactly ethical hacking was all about and why it held the promise of a lucrative, yet legal career.Edited excerpts:
What does ethical hacking involve? How can it ever be ethical in the first place, and what makes it a good career option?
The job of an ethical hacker is to get into the mind of the computer criminal or cracker, think like him and come up with innovative methods to protect computer systems from him. Within minutes, a single computer intrusion is capable of causing losses to the tune of millions of dollars. You know, even an 11-year-old Russian kid was able to change the path of NASA’s latest spaceship.
Ethical intruder: Ankit Fadia
With a significant rise in cyber crime across the globe, there is a growing demand for skilled ethical hackers who can protect Internet users from cyber criminals. Information Security (IS) services were worth around $8 billion in 2001, and $23.6 billion in 2006. And there is a corresponding increase in the demand for IS professionals. A Nasscom report pegs the current requirement at over 18,000 in India and over 60,000 worldwide. This is estimated to grow to over 77,000 in India and 188,000 worldwide by 2008.
When did you first turn to hacking? What was it that spurred your interest?
I got a computer when I was 10 years old. I must have been only 12 when I got interested in hacking but can’t really remember what the trigger was. I guess the power of forbidden fruit is so attractive, especially to young minds (laughs). You know, I published my first book, An Unofficial Guide to Unethical Hacking, when I was only 14.
I’m quite happy that I have been able to convert my hobby into a profession. In fact I am so passionate about it that I have been spreading awareness about computer security for the past eight years through my books and seminars.
These certified courses that I have started are the latest initiative. I have partnered with Career Launchers to start India’s first certification course, Ankit Fadia’s Certified Hacker Course. I have also tied up with IIMT Ghaziabad to start a one-year diploma in cyber security. And the response to both courses has been quite positive. India is has an edge in the IT space globally and a talent pool of ethical hackers and security experts from this country would complement the existing resource of IT professionals.
Were you ever concerned what you were doing was illegal?
Whenever I talk about hacking, people think of it as a crime. But in reality, I think the computer world has two types of people — the good guys whom I call the ethical hackers, and the bad guys, or the crackers. Ethical hackers are the heroes in a masala Bollywood film. They work with the cops to protect the interest of the people. Crackers are the villains. They steal credit card information, infect systems with viruses and generally create havoc on the Internet. I belong to the first category. The adjective ‘ethical’ seeks to do away with all the negative connotations people attach to the term hacker.
Okay Mr Ethical, tell us what your tribe has achieved so far.
Ever heard of this cyber criminal called Keven Mitnick? He broke into a couple of bank sites and stole thousand of credit cards. The FBI nabbed him a few years later. He was cooling his heels in prison when, one fine day, the FBI approached him and offered to release him if he agreed to work for them. He did, and so, I think that makes him one big hero — someone who crossed the big fact line that distinguishes us ethical guys from the crackers.
Did you also cross that big fat line?
No. I’ve always been on the positive side of hacking and have never even thought about entering negative territory. In fact I’ve written 13 books on the subject that have sold 2.5 million copies worldwide. I have attended more than a thousand seminars and trained over 10,000 students the past few years.
Come on. Surely the devil would have tempted you?
On second thoughts, yes. I have done some bad stuff but I haven’t consciously harmed anyone. I broke into some websites without permission but made it a point to inform the system administrator via email describing the hows and whys of my action, following it with counter measures.
And how did your ‘victims’ respond to your hows and whys?
I got some interesting reactions. I recall one of the largest computer magazines called ‘The Chip India’ offered me a job. When I told them I was only 14, they asked me to come back to them after four or five years. That was my first call for a job.
How do you feel when you hack a website ethically? I’m sure you also do it for fun every once in a while?
Yes, I do like playing with websites. It all started off as a hobby, remember? On a serious note though, I am very clear about my ethics. I respect the rights and wrongs and have never ever harmed a website. I think I have reached a level where I can simply transfer money from somebody else’s account into my own but have never ever done this more for the fear of not being able to see my face in the mirror than fear of the law.
Fine, but what about the people you teach? Not all of them will think the way you do?
Whenever I organize seminars or conduct these courses, I am not afraid people will misuse the knowledge, for two reasons. First, I make things look very, very easy and use this to drive curiosity. Second, I have been doing it now for two years, so I know how to go about it. I can assure you, when people try to do it on their own they won’t know how to crack.
So what’s the big deal? Why spur their interest first and then disappoint them by not giving them all the knowledge?
It isn’t a gimmick. I just want people to know cyber crime is a reality and an efficient, motivated criminal can do it as easily as I can.
But what if out of a 1,000 students, 100 acquire perfection and even 10 turn out to be rotten eggs?
Yes, that’s a possibility I hadn’t discounted. But I think one can’t just sit back and simply not take a risk. In any case, if I basically have a criminal mind, I’d go anywhere to learn how to crack if Ankit Fadia isn’t going to teach me everything. You can’t stop a knife manufacturer from making his product only because a murderer can use it to kill, can you? What about the surgeon who uses the same knife to save a life?
How can anti hacks get better?
I think three or four things should happen to improve security in India or even globally. Firstly, awareness campaigns must be implemented in schools and colleges, and in companies. Secondly, cyber laws in India must be revised to make enforcement more proactive and the government should train cyber cops to apprehend offenders. It is much more difficult to catch cyber criminals than it is to catch other offenders.
Thirdly, there should be some sort of tax incentive for companies, such as banks, airlines and others who rely on the net to boost their top lines to implement security systems. Companies that are lax could be penalized.
How come Russia and Ukraine are known as safe havens for crackers?
These two countries have no cyber laws to speak of. So a large chunk of the cyber crime originates from there. Also, a lot of criminal tools are available at their websites. Many countries where cyber crime is rampant are caught up in political problems, so issues like Internet laws take a back seat.
How vulnerable are we to hacking today?
Today, we are more dependent on technology than we have ever been before. It is difficult to imagine a life without computers, ATMs or cell phones, isn’t it? Techie-crooks know that and will exploit every means to cheat people of their money. If security systems have become more complex, so has tech crime, which is why the need for awareness and constant updates on the latest anti-hacking technology.
Have any of your projects ever been hacked despite your having provided the best security systems?
Oh, plenty. Like I said, computer security is a constantly changing field and you need to update yourself constantly to keep one step ahead of the criminal. But each failure served as a reminder that there is much more to learn, and that I ought to update my knowledge and try again.
How do you update yourself?
That’s the fun part. I’m sort of playing the role of a double agent. I work with police agencies and the corporate world, so this gives me a fair idea about what I should do to protect Internet users. At the same time I also network with the informants in the underworld — the Khabris — so I know what criminals are up to as well. I think ability of being on both sides of law gives me an edge.
You’re still very young. Where do you think you’ll be 10 years down the line?
You’re interviewing me for a job (laughs). Today, I am an entrepreneur engaged in the business of computer security. I have a consultancy in Malaysia and an education company in India. And I am based in China. I write books and conduct seminars/ events on security. I am planning to enter other fields as well. For instance, I am writing on a script for a movie on computer hacking. It’s a thriller — you know, the slick Hollywood kind, not the masala musicals of Mumbai with grown-ups running around trees. I will also be setting up a restaurant in Mumbai and getting into real estate development in a small way.