Congratulations on being one of the top 3 hackers on the most recent GovTech Bug Bounty Program. How do you plan to spend the bug bounty money?
Thanks! I am probably going to use a bit to treat myself with a nice meal as a small reward, and save the rest of it.
What age did you start hacking? Do you have a favourite type of bug or a bug that you were most proud of?
I started at the age of 25, as a security consultant. When I first started, I did lots of self-learning via books, blogs and online videos. Back then I was also fortunate enough to be able to learn from my awesome teammates at work.
I gravitate towards interesting exploits more than specific types of bugs. One of the interesting bugs I found to date was a side-channel timing attack, which is pretty rare since computing power is increasing rapidly (Moore’s Law).
How did your friends and family react when you first told them that you wanted to be an ethical hacker?
“Please don’t hack me in the future” was probably the most common response I had. Fortunately, no one has locked me out of their home Wi-Fi… yet.
Are there any hackers that you look up to?
There are many brilliant minds who I respect for their contributions to and expertise in this field. For instance, one of the first few inspirational figures that I first got exposed to hacking were Kevin Mitnick.
What advice would you give to aspiring hackers?
Online resources are plentiful, so absorb them like a sponge then start getting your hands dirty! And do join a hacking/bug bounty hunting community, be it online or your local community if you want to know more like-minded people 🙂
I also recommend checking out https://hackerone.com/hacktivity for newly disclosed reports and scrolling through Twitter for security-related information and news.
Any thoughts on how to attract more young professionals to the cybersecurity profession?
As a technical profession, I think some of the concerns that people can have is “am I cut out for this?” or “will it be too hard for me?“. Perhaps one way is to promote people to have a go at entry-level Capture-the-Flag (CTF) exercises. A good example is Hacker101: https://www.hacker101.com/ . In this way, they can gain some confidence and also determine if they are keen to continue further.
Do you expect bug bounty adoption to increase? Why or why not?
Yes. It is a win-win situation for both hackers and businesses. Hackers get to earn bounty rewards while businesses are able to tap into this huge pool of hackers to reduce security uncertainties of their systems. Technology is constantly seen as a business enabler which also means there will only be more and more applications and systems from now on.
What are your hopes for the cybersecurity landscape in Singapore?
As a country, I think we have been working towards becoming a digital economy, which implies adoption of more emerging technologies and increasing the volume of digital flow of information which will contain sensitive data as well as digital goods. Hence, I hope we can maintain the high overall cybersecurity maturity level and continue to explore ways to further enhance our security posture to better safeguard the interests of both businesses and individuals in Singapore.
Do you think hacker-powered security (aka bug bounty programs) is becoming a more widely accepted concept? Why or why not?
I believe more and more companies are becoming aware of the possibility of hacker-powered security. Maybe in the near future, they will start their own bug bounty programs with HackerOne?