To commemorate F-Secure’s 30th year of innovation, we’re profiling 30 of our fellows from our more than 25 offices around the globe.
Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services, remembers what you might call his first “hack.”
It happened while he was playing a little game of electronic roulette.
“When you’re twelve, your toolbox is somewhat limited and you work what you’ve got,” he says. “The attack was to power off the machine and power it back on. Then you insert four Finnish Marks and get forty back because the first hit would always end up being number 7.”
He knew this early success meant that he had a “funny way” of seeing the world. But his instincts didn’t quite catch up to his knowledge for a couple of decades.
To F-Secure and back again
“It took me about 20 years to understand why the hack worked but now I know,” he says. “I also learned about phreaking pretty early on and was a heavy user of bulletin board systems. So, when my friends’ FreeBSD box got popped back in the early 90s, I was sold and decided I would like to work on securing things.”
This path would lead him to F-Secure—twice.
His first stint began during the last millennium and his second began when F-Secure acquired nSense, the company he moved on to, in 2015.
“When I joined Data Fellows [F-Secure’s original name] back in 1998 we were less than 40 people,” he says. “Now, we are 1600 Fellows and obviously that changes the dynamics quite a lot. I’d like to think we are a bit more professional than we were back then.”
Now his goal is the same as it was his first time around.
“I really wanted — and still want — to make F-Secure the best player in the market by offering the best infosec related services money can buy.”
Finding the ‘Ghost in the Locks’
The service Tomi most often provides is breaking into things, like companies’ networks. And it’s also his hobby.
Along with Timo Hirvonen, F-Secure Senior Security Consultant, he spent over a decade investigating a mystery that began with a stolen laptop at a hacker conference. The result was a hacked key that could be used to open hotel rooms almost everywhere — a sensational story that made headlines around the world.
This sounds cinematic and thrilling, but the truth is it was “boring as hell,” Tomi says. “It’s like watching paint dry, and there’s nothing sexy in it.”
Why did it take so long? Tomi says the duo made every possible mistake they could make until they ran out of mistakes.
“If you’re not smart, you have to be persistent,” he says.
Hackers have to train themselves to exploit others’ vulnerabilities, so it makes sense that he would be self-effacing about his own flaws. And this modesty helps him recognize that the most effective tool in a hacker’s arsenal can be collaboration.
“The things I’ve managed to accomplish have always been in cooperation with some brilliant people.”
Extreme persistence and cooperation are skills that aren’t likely to come naturally to you when you’re twelve. But he still gets to indulge the same urge that had him hacking that roulette game as a kid.
Seeing the world the way a hacker does
“To me the hacker mindset is not something you turn off,” he says. “With the risk of sounding super cheesy, I see it more like a way of looking at life rather than something else.”
While he doesn’t walk around thinking about which electronic lock to pick next – he plans on sticking to picking physical locks from now on – he does look at the world and see lots of things that need hardening.
“I think that the process-related and logical vulnerabilities are very often the worst kind and do not get the attention they deserve.”
For Tomi, the thrill of his work doesn’t come from exploiting vulnerabilities or breaking into things, but from the experience of finding the unexpected—no matter how long it takes.
“To me hacking is more about the intellectual challenge, understanding how something works and then trying to come up with — hopefully creative — ways to bend the rules.”
Check out our open positions if you want to join Tomi and the hundreds of other great fellows fighting to keep internet users safe from online threats.