During the bug bounty hackathon called Hacken Cup, HackenProof has invited some of the most talented cybersecurity experts from around the world to Ukraine in order to participate in the event. During the hackathon, we interviewed hackers about the event, their future plans, their insights about bug bounties, and many other topics.
Can you tell us a little bit about yourself? How did you start hacking?
Sam Eizad: My name is Sam Eizad. I am 21 years old. I started hacking when I was around 12-13 years old. It all started with me accidentally downloading a malicious file. I ran the binary and of course, I got infected. During that time I played a lot of games and my gaming account got stolen. I got very sad. I started looking around by googling to find out the reason behind this and found a good thread on how to hack the hacker. I started to look at the communication the binary had and during that time No-IP dynamic DNS was popular. I found the DNS and reported it and from there it all just continued with more malware analysis. When I was 15 years old I started programming websites and that was also when I first got interested in web applications and when I turned 18 I got my first bug bounty from Google.
What’s the most appealing thing about hacking to you, personally?
Sam Eizad: The adrenaline you get. There’s no greater feeling in the world that can be compared to when you find a vulnerability. You just want to report it and make the internet safer. Nothing can beat that. It is the best feeling in the world. Your body gets warm and you feel the adrenaline while being happy at the same time. So it’s basically the best feeling in the world.
Do you have any hacker mentors? Are there any guys you follow and read their posts?
Sam Eizad: When I first started with hacking, there were not many write-ups. You had to Google around on your own to hopefully find the answer to your question. A lot of the things were written in different languages but the title was usually in English so with the help of google translate you could translate the information to extract the useful things from it. So, I have never had anyone who actually taught me anything directly. Write-ups is a pretty “new” thing and it’s really appreciated by the community since it gives bug hunters a new way of looking at bugs. I don’t have a mentor. However, there are very good people in the community. I do read a lot of Frans Rosen’s posts. He has very interesting and detailed write-ups. The same is with Mathias from Sweden. There are some other people as well but I can’t come up with the names right now.
Is this your first time in Ukraine? How do you like the country so far?
Sam Eizad: I was here last year as well, at Hacken Cup. It’s perfect, as always. I love this country, it’s very beautiful and especially with the old buildings. The weather is the same as in Sweden where I live. There is not a big difference for me, except the time, of course. Very beautiful city.
Can you describe the event? How it has been going so far?
Sam Eizad: It’s been going very good for me and Abdullah. I don’t know if something has happened until now, but we’re third right now and we are currently holding the highest bounty payout so hopefully, we’ll win that. Everything has been nice. Drinks, food, and environment are all great. The big screen with the live leaderboards is awesome. The triage team is on spot, so it’s really nice that you can communicate with them directly and same with the companies that are here today.
Can you tell us a little bit about targets? Do you like them, what’s the scope?
Sam Eizad: I like the targets. I like that they added the web application for Uklon later on and not before, so people didn’t have time to do pre-recon since I didn’t have time to do that. However, there were some problems with language barriers. Some things are written in Ukrainian so I didn’t really understand everything that was written on the site. Fortunately, the web pretty much looks the same so the API’s were readable so it didn’t stop me from hacking.
What you like and don’t like about bug bounties? Are there any improvements needed?
Sam Eizad: I think bug bounties is really good for people who want to get started with hacking. Before people who did bug bounty were professionals, the people who had been doing it for years but with a “grey hat” got the opportunity to do it in a white hat way. However, nowadays, anyone can do it. Just read the guidelines and get going. There are tutorials everywhere that will help you get started. Me personally, I don’t do bug bounty that much anymore. I have a full-time job as a security consultant, so I don’t have time for it, unfortunately. But, I think there are great platforms, especially for new people who want to get into hacking. There are good places to read write-ups on and you can learn a lot from them.
What do you do when you’re not hacking? How do you relax?
Sam Eizad: I like going for long walks and think about different non-hacking related stuff. I have my family that I talk a lot with, especially my father. We can sit together for hours and talk about different topics. But, mostly, I’m just hacking like everyone else. You come home from work and hack. If I don’t hack I’m probably at work or sleeping. People think that I’m kidding when I’m saying this but that ’s actually how it is right now and I love it.
Why have you chosen a white hat path? Why is white hat hacking better?
Sam Eizad: Because nowadays there are legal ways to do hacking. A good part of it is that you can also get paid by doing it so it’s not worth doing anything related to black hat activity. First of all, it’s illegal and your life is probably ruined if you get caught. You can also talk about vulnerabilities that you have found in different websites publicly in your own name which you won’t be able to do if you do it the illegal way. You can also talk about your work with other people. The white hat community is mostly public which also makes it much easier to ask questions and cooperate on different vulnerabilities with other people.
What do you think, is the role of bug bounty platforms in converting black hats into white hats?
Sam Eizad: If we walk back 10 years before the bug bounty platforms and look at the hackers, most of them were black hats because there was no other option for them. Either they worked at a company with security-related stuff or they would do it on random targets without consent and that is illegal. When bug bounty platforms were introduced it opened a whole new world for hackers. It gave them the opportunity to actually gain money in a legal way while at the same time gain the adrenaline and have fun. So I think the bug bounty platforms have done a lot when it comes to converting black hat people into the white hat.
What is your ultimate goal? What do you want to accomplish with your career?
Sam Eizad: I’m pretty young, I’m 21 years old, so it’s too early for me to think about what I want to do. Right now I really love my job. I’m working as a security consultant and do a lot of pen tests and research. I really love my job right now, it’s fun and that’s what I want to focus on and be good at.
What is the most interesting bug you’ve found so far?
Sam Eizad: It was a remote code execution with a number of different vulnerabilities combined. I’ve never been so happy in my life. I was almost crying. I was really happy because I had been working on a vulnerability for a long time and then I chained it with a few other vulnerabilities. Multiple vulnerabilities into one critical, pure happiness.
What would be your advice to the guys that are just starting out?
Sam Eizad: Just keep trying. Don’t stop. I know how hard it is to sit with something for hours and not find anything. Usually, people give up there. Go to sleep, take a walk, go eat something, go talk with someone and then come back and try again. That has happened to me a lot of times. You look for something, you don’t find anything and get mad because you think you’ve wasted a lot of time on it. But you haven’t wasted any time, you’ve learned a lot. And you can always try harder to hopefully exploit it. So, just keep trying. Even if you don’t find anything, just keep trying until you find something else because trust me the feeling is great. Don’t forget to not only do it for the bounty and by that, I mean that you shouldn’t only do bug hunting for the money, do it because you want the world more secure and by doing that knowledge and bounties will come.
What do you think can be done in order to improve an overall bug hunting community?
Sam Eizad: It’s a hard question. All we see is our nicknames online and usually, we don’t see each other that often in real life. Live hacking events like Hacken Cup is a great thing since we all get to meet each other in real life and hang out. Maybe meetups during different conventions would be awesome as well because I know that most of us attend these. Other than that everything is great, shout out to the bug hunting community.