To commemorate F-Secure’s 30th year of innovation, we’re profiling 30 of our fellows from our more than 25 offices around the globe.
Hackers were the good guys.
Back before the “hacker in a hoodie” became the nearly universal symbol for an online criminal, before WannaCry or Conficker or email worms or even Brain, the first PC virus, experts in the art of hacking were known for their ability to hunt down vulnerabilities and help fix them.
“Hackers are technical experts; skilled, often young, computer programmers, who almost whimsically probe the defenses of a computer system, searching out the limits and the possibilities of the machine,” the New York Times reported in 1981. “Despite their seemingly subversive role, hackers are a recognized asset in the computer industry, often highly prized.”
A world where hackers were known for riding to the rescue or playfully provoking their fellow digital devotees is the world Antti Tuomi, Principal Security Consultant at F-Secure, was born into.
Unfortunately, it was also a world where the barriers were too high for a kid still in elementary school to get access to the BBSes, or bulletin board systems, that had the cool stuff Antti was after.
“Growing up in the 1990’s, I spent a lot of time fiddling with computers, games and programming, and just always wanted to learn more,” he told me. “Back then, information about security wasn’t as readily available – at least to a kid in elementary school – so my understanding was limited to viruses (‘Oh cool, programs can copy themselves, too! Now, I just wish it hadn’t deleted my files!’) and to later hearing someone brag about ‘How you can crash a network port and then run commands on the server.’”
He wanted to know more, but he didn’t know where to look. Luckily, after about a decade of the internet maturing and cyber security information becoming more accessible, fate intervened.
“By coincidence, right after entering university to study computer science, I happened to get acquainted with Joakim – who had founded nSense a while earlier – and finally was able to hear about stuff such as this new web application attack thing called XSS, war-driving for Wi-Fi hotspots, and security in general.”
Working part-time at nSense, which was acquired by F-Secure in 2015, he found “every project was a new, fascinating puzzle to solve.”
He soon gave up his goal of becoming a computer programmer and became a full-time white hat hacker, a specialist who uses his powers to probe, assess and break into networks in order to help make them stronger. As you can guess, a black hat does similar things, but for the money, the lulz or other malicious reasons.
nSense was a pioneer in the field of pentesting and security consulting. Early in the twentieth century, hackers were generally considered black hats and the idea of employing them to “assist” your business seemed problematic. Now, Fortune 500 companies regularly engage ethical hackers for red teaming and other activities that push the limits of their physical and network security.
To be a white hat is to live between two worlds. You have to think and act like a criminal, while (at least somewhat) respecting the law. Few people know what it’s like to get paid to find a loophole in a purchase process that allows you to return products you never bought for thousands of dollars and then baffle the customer service representative, who calls up to find out why you don’t actually want the money.
Antti’s first red teaming assignment was almost an initiation in his new life.
He worked with an experienced colleague to lay the groundwork in a way that would “not burn our faces.” They split the duties, which included swiping key card data, plotting paths into the building and fabricating authentic-looking badges. Despite all these preparations, he wasn’t prepared for the thrill of slipping into a secured business undetected.
“We ended up making it all the way into a restricted server room where even the CISO himself did not have access. Opening the door for him from the inside and saying, ‘Oh, welcome in!’ is a moment I doubt I’ll forget.”
Ten years later, Antti says he still learns something new from every project and every colleague. And though he feels there’s “no one way in” to becoming a white hat or an ethical hacker, he thinks now is a great time to slip into his industry.
“Fortunately, there are a lot more resources available now compared to back when I started. At least the universities in Finland now have pretty comprehensive study programs in security; some of them, such as the Cyber Security Base program from Helsinki University that we are collaborating with, are available completely online as well.”
He also recommends the Web Application Hacker’s Handbook, and certifications such as the Offensive Security Certified Professional (OSCP) that encourage hands-on security and hacking knowledge.
“If I were to start out now, I think I would look up the university courses and try to apply as a trainee at a security company,” he said. And if you’re interested in cyber security but don’t want to focus on it exclusively, there are still plenty of opportunities. “Even if you don’t want to do security testing full-time, a lot of places would love to have developers who are actively interested in security and could help educate others too and keep up the security and quality internally.”
But Antti does remind anyone who loves hacking that you may want to keep your white hat on.
“If you are looking for work in the security field, but do get caught for computer security crime, most companies will not be able to hire you anymore.”
And check out our open positions if you want to join Antti and the hundreds of other great fellows fighting to keep internet users safe from online threats.