Hacking since age six

Chris Sienko: Hello and welcome to this week's episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cyber security trends, how those trends are affecting the work of infosec professionals, offering tips for those trying to break in or move up the ladder in the cyber security industry. When today's guest contacted me with this personal biographical fragment, I don't think I need to explain why I absolutely had to have him on this show. So I'll quote it in full. I went into hacking when I was six years old compelled by the world of possibilities that came into our rural home with my first computer. It took the police at my door for me to realize that my skills could actually be a force for good. They gave me a second chance and I took it with both hands coding. At age nine, I started my own company penetrating communications network for risk management purposes using my deep knowledge of security breaches and unknown threats. From my parent's home, I hacked into banks, insurance companies, ISPs, defense organizations and numerous businesses, all with the sole purpose of exposing vulnerabilities and helping their cyber security teams excel. At age 10, I began attending Israel's highest tech institution, Technion, and continued dabbling with hacking into a variety of organizations. So I think that any of us in the cyber security world are going to want to hear about the security journey of a person with such a rarefied background. However, since most of us aren't security prodigies, I know I'm not, I'm looking forward to hearing and talking with our guest, Nir Gaist of the company Nyotron about some of the techniques or strategies that can help us work in our job and career as if we actually were a cyber security genius from childhood. Nir Gaist, Founder and CTO of Nyotron is a recognized Information Security Expert and Ethical Hacker. He started programming at age six and began his studies at the Israeli Technion University at age 10. Nir has worked with some of the largest Israeli organizations such as the Israeli Police, the Israeli Parliament and Microsoft's Israeli headquarters. He also worked cyber security curriculum for the Israel Ministry of Education. Nir holds patents for the creation of a programming language called behavior pattern mapping or BPM that enables monitoring of the integrity of the operation system behavior to deliver threat agnostic protection. Nir, thank you so much for joining us today.

Nir Gaist: Thank you, that was indeed long.

Chris: Comprehensive info here. So I guess there's nowhere to start but the very beginning. So you said you got into hacking when you were six years old compelled by the world of possibilities that came into your rural home with your first computer. So tell me about the before and after of getting your first computer. What changed, what did the world look, how did it look different after you got it?

Nir: Well, the world was different somehow but to be very practical, I think after I drew the first smiley in MS Paint, I went straight to try and do stuff myself. I don't think I was ever a gamer or into games. So I think I was very an explorer, if you want, in my nature so I was what happened after is I went straight into living in front of my computer. I think my parents would say that they saw me less and less. And yeah, I was always there in front of the computer that in my entire social life for the good and the bad of it was there.

Chris: Right, what year would this have been?

Nir: Can you repeat the question, sorry?

Chris  What year was this? When did you get this computer--

Nir: Oh, I think it was the early '90s.

Chris: Early '90s, okay. All right, for the nerds among us, what kind of computer was it?

Nir: 486.

Chris: Okay, nice. So you mentioned the MS Paint and then you immediately went into the guts of the machine. But what were some of the first things you did with your new machine? You said you lost all social contact and parents and so forth, but what were you doing immediately those first couple of weeks? What were you digging around in?

Nir: So I remember I first really played with the very basic stuff of a computer. I had no previous skill set and my parents had really no knowledge of the area. So it was just me and the computer. So I played with everything that was on it. I think I wasn't even aware I can download games. I had internet connectivity and I asked my dad why do we need it. So at first we even just disconnected from the internet 'cause I had no idea with that. And I think I start playing with whatever was already on the disk which was the operating system. I remember that Boot.ini file, I started to change stuff and see what's going on. And sooner or later, I saw I think it was IRC on a computer of a friend. That was really the door for me to everything. Once I connected to some IRC network, I think it was AFNnet eventually, that's where I really realized I could do a lot of stuff and that to meet a lot of other people like me and yeah that was the beginning of everything.

Chris: So are you pretty open about talking to people at IRC and asking questions and collaborating in that way?

Nir: Yeah, back then it was really all about building stuff together. It was very, very professional back then. And yeah, that's where I got to know some people that I know even today, some that I really work with since the very, very early days. And that's where I really get most of the knowledge and everything.

Chris: Were you pretty open about the fact that you were six years old or seven years old and how did people react to that?

Nir: Well, that's really what's was so powerful and beautiful about those days. No one really cared about anything. It was all about what you knew, what they could learn from you, what you could learn from them and that's why I still love these prodigal and mIRC specifically really forever.

Chris: Yeah, so at that point there was a high enough bar to get on the internet at that point that I feel like anyone who was on the internet was like, sure, why not a seven-year-old? We're all here together in this special place so we might as well share our information.

Nir: Well, they didn't necessarily knew what ages. We didn't know about it. We sometimes we didn't even know where you're from.

Chris: Yeah, user names, right.

Nir: It was all anonymous.

Chris: Yeah, so you mentioned the police were at your door around this time. So apart from just the sheer fear of the situation and the desire not to be punished, walk me through your mindset of going from hacking everything in sight to realizing either through change of mind or fear of punishment that there was a choice between being a force for good and a force for evil in the computer world.

Nir: Well, there wasn't a point where I thought, oh, I have this knowledge that should I be good or bad. I don't think there was never such an intersection. For my point of view, I was always good.

Chris: Right, you were just learning.

Nir: Yeah, exactly and really I don't think I ever got in any bad things. So it's get to where I should have been for the first place and what maybe not everyone understands is that when you are in your bedroom and you have this computer and keyboard and everything, and everything is virtual, you don't really understand that you are doing something illegal or anything like that until--

Chris: Or that you're even doing something in the real world.

Nir: Yeah, exactly and I think that situation really helped me to understand the first I really know something that not everybody knows and you can actually do something with that. So the choice between good and bad there was very, very natural for me.

Chris: So yeah, that's interesting because you're basically you're not doing it with a particular intent. You're just doing it to see if you can do the next thing. So it's like I got into this, can I get into this, can I get into this.

Nir: It's a game and it's challenging and you sometimes play with your friends even. So I think at that point, really it was a point that was life changing for me, but again there was never a choice between good and bad. It was always very clear.

Chris: So when you were given the stern talking to, you took the advice to heart.

Nir: Yeah, absolutely.

Chris: Yeah, so clearly based on your next business plan, you were doing penetration testing at age nine. You obviously are on the white side of the white hats but again it just sounds like you were just excited about doing this thing and learning this thing. So how did that business go at the outset? Were companies leery of letting a nine year-old, albeit a prodigy, handle this process?

Nir: Yeah, I think that back in again the age wasn't a problem especially with how I started. Obviously, my first customer was the one that had first called the police. Yeah, pretty quickly we settled this down and I helped them. It was a big ISP in Israel. I helped them fix the problems and from there, it was about their contacts and they made introduction and Israel is a very small country, so people can check references pretty easily. So yeah, the age was never a problem.

Chris: Okay, and what did you learn from working with large corporations like this at that age?

Nir: I think I learned a lot. I think that's a great question because for many people looking at banks and ISPs and some different organizations even, you tend to think that those organizations know everything and they have everything and it looks so big to you and I think what I learned was very important. I realized that although they are very big and very experienced, I do have some room at the gate. I do have something to contribute. It helped me a lot to shape myself as a professional. And that's what I tell people all the time. You probably know at least 30, 40% than what you think you know. And you do have a lot to do out there and these organizations do need you.

Chris: Yeah, that's also very interesting, yeah. I feel like you probably were able to shake off any sort of, well, I don't know if I should be here or not just by the sheer fact that of you have all this knowledge and you like doing it, so it's just why wouldn't I do it for these people.

Nir: Exactly.

Chris: How many clients did you have around that time?

Nir: Not too many, but enough.

Chris: A couple, yeah.

Nir: At very early age, yeah, I have I'd say about a dozen. In the financial world, especially in Israel, organizations are actually regulated to hire someone, third party to do apprentice once a year. And what really sets me apart is that I wasn't there just to go over their ability assessment, I was hired to actually prove them I can make a real damage by hacking your ATMs and all that stuff. So it was all that. This is the mid '90s, right, so this wasn't, penetrating testing wasn't that much of a thing yet. You were really at the front edge of people understanding this need to have one.

Chris: Blue ocean, not a lot of competition. Yeah, yeah, yeah. So by age 10, you were studying at Technion, Israel's highest tech institution. Could you tell me a little bit about that experience? I mean, you had a lot of self taught experience, but were you able to still learn new things in an educational context here?

Nir:  Yeah, absolutely, although again, I do believe in being self taught. I think some of the best professionals I've hired did not necessarily have an academic degree. I really don't think it's a mandatory thing necessarily but definitely go and study in a different institution gives you some different perspective. Not necessarily in the university but in everywhere you go study something differently would help you see things in a different way. So lots of the theory I think I got there.

Chris: And also just the difference of learning process and how you acquire information, things like that.

Nir: Mm-hm, yeah.

Chris: So before, we talked about careers and the state of the industry and so forth. I still wanna probe a little more into the notion of being a child prodigy or a genius or something like this at an early age. Apart from just knowing that you're an incredibly intelligent person and a quick learner, can you tell me a bit about your learning methods? When you were six and you got the computer, what's the first thing you did with it and then the second and the third and so forth? I mean, I know you're very close to that but can you break apart how you learn a new thing?

Nir: Yeah, first of all, I'm not a big fan of the terminology of genius and all that stuff. I think that I tend to look at myself as a person with a lot of ambition. I just as I told you, I look at things and I don't think, oh, I can never do that or I think that everything you see around you, someone built it so you can definitely do something if you just wanted. And in terms of methods of learning, it's not that I have a very special formula, but I can tell you that if something is of a high interest to me, if I really find it interesting and I can understand what's the use of it, it helps me a lot. If I don't find any interest in something, I will be pretty sad. And I have a proof for that as well. But I really think when I understand why I need something and what will be the use of it, it helps me a lot to study. So don't go and study assembly or any specific programming language without trying to build something. That's what was really I feel I really liked that in the academy because to really learn stuff theoretically without understanding the use of it, it's really hard.

Chris: Yeah, so build a thing before you learn to take it apart.

Nir: Yeah, I definitely started this way. When I got my computer, I wanted to do these things. I saw something, I tried to change it. I tried to play with it and really know what's the purpose of it.

Chris: So how has the business of pen testing changed since you started, whether procedurally or technique wise?

Nir: Pen test specifically, cyber security in general I think many things changed. I think that this industry is I look at it as a kind of a gold rush. Its hype is just too big. I think there is too many that are sheeple. They go after it because it's lucrative, because it seems to be lucrative and not because they really love it and not because they really wanna do it. And I think when you do things from that place, it's really bad for the industry as a whole. When I started and I started this company, Nyotron, and we started to build what we built, it was really just about let's detect and prevent things without signatures. It sounds so basic today because there are hundreds maybe thousands of companies who says that, but at the end of the day, many, many basic problems are not really solved with all these companies and all these investments. So there is a problem still.

Chris: So for those of us who are coming into cyber security even those of us for whom this practice doesn't come naturally and might have the ambition but not necessarily the intuition of it, what are some learning tips or techniques you can impart that have helped you to achieve a level of mastery?

Nir: So I think really the biggest advice I can give people was be focused and don't be a sheeple. Really focus on understand what you are really good at, what you really like, which probably the higher the chance you're gonna be good at it if you really like it. And don't just go do things because they seem to be lucrative. Don't be a sheeple.

Chris: Right, so as someone who's the founder of his own company and no doubt hires his own staff I would imagine, what are some of the characteristics and skill sets that you are looking for in a candidate to work for Nyotron?

Nir: So we do have a pretty cool testing process. It's a test where we really try to distinguish between your skills and your way of thinking. And that's really one way of looking at with people. Of course, we do need some skill set, but we really want to understand when you solve something not just what was your skills but really how you got to that solution. What did you think? Even if the solution was wrong, really it's not a cliche, if your way of thinking was good, was unique, we would hire you. I don't think we are big fans of an academic degree or this certification or that certification because as I said, it's not about your skills, it's about your way of thinking and about your passion. I think what I wanna see in people is someone who really loves to do what he does, he's really good at it because that's his passion. So that's what I get set.

Chris: Do you have any theories or suggestions or even any thoughts in general on the so-called cyber security skills gap in which there are more high level security job roles to be filled than there are professionals to fill them? Is it? We had a previous guest from Israel who said that she thought there might be a little less of that over there because of the military conscription, there was a lot of opportunities to learn cyber security and that there were a lot more experts in the field. But do you have any... Is the skills gap a thing in Israel? Is it different from the US?

Nir: So in Israel, there is a lot of talent. I think in Israel, there might be even more talent than positions. But I think that in general in the cyber security industry where clearly it's clearly an inflection point that the industry is clearly going through some change. So if I try to predict, if I try to look ahead, I'd say that this situation even if there are more positions than the talents out there, it's very temporary. So I wouldn't count on it. I wouldn't start a career based on the current situation.

Chris: Interesting, how would you as a pen tester trying to get into the industry, how would you suggest making yourself stand out when everyone and their uncle is trying to be a professional pen tester? What kind of experiences or what would make your resume shine in the pile?

Nir: So I'll repeat my previous answers here, but I think if you're really good at what you do, trying to find your differentiation, define your differentiation, your uniqueness is quite easier. So it all starts with the reason you are doing what you're doing. But in general, I can talk about myself. I think that what sets me apart is the fact that I didn't just came up with recommendations saying update this or update that and you're exposed here and there. I was really focused on showing you how your business is going to maybe even shut down if you don't do this or that. So I literally wired money between bank accounts for my clients to show them how these experts can be leveraged.

Chris: Wow, so you had already mentioned before, but I'll bring it up again, you said that obviously experiences and self teaching is preferable but what are your thoughts on education and cert training? Are there any certs that you consider worthwhile these days or any particular angles of that sort of thing that you think worth mentioning?

Nir:  Yeah, absolutely, there is a room for these. I think that there are people who wants to know more, they want to sharpen their skills and as long as you look at these certifications as a way to help you sharpen your skills and not build a career, I think there is a room for them. In my company, we do provide some people with these certifications, so I definitely believe in that. But again, it's about how you view them and how I view them as a way to help you get more and again get more skills.

Chris: Right, they're more of a tool than a collector's item.

Nir:  Exactly.

Chris: So tell me a bit about Nyotron, Nyotron, is it?

Nir:  Yeah, Nyotron is the right way.

Chris: Okay, so tell me about what Nyotron does for its clients and I'm very curious about this what you called a threat agnostic approach to protecting laptops, desktops and servers, the Paranoid System. How does that work?

Nir: Basically, we're doing the complete opposite of most cyber security companies. Our focus is as you mentioned to protect the end points, which is desktops and servers. But as I mentioned, we are not just doing it in a different way, we're actually doing the opposite of most security solutions out there. And by saying the opposite, I don't mean that we infect your machine rather than not protecting it obviously. But the approach is very different. So while the entire industry for more than 30 years is focused on trying to enumerate all badness in the world, we are basically realizing bad is infinite and good is finite. So that's our biggest differentiation. We realize that you can actually map all the finite good in the operating system. So it might be the way you delete files, the way you create files, the way you create communications. All these activities that might be dangerous, we literally map all the right ways to do these things.

Chris: Could you explain that further? So you're saying basically that Paranoid looks at the way the individual person is doing their day-to-day work and maps it and says that if something falls outside of the acceptable range, then it means that something's going on?

Nir: Even powerful than this, we say that there is no difference between you and me. The way the operating system will work is actually finite. So we've mapped all the right ways to delete files for example at the UOS level which is the same for you and for me.

Chris: I see.

Nir: And we do it by analyzing every system call in real-time with the code.

Chris: So how would Paranoid protect against for example a BEC attack by a compromised email?

Nir: So we analyze again every system call and everything results in a system call sent to the operating system. It cannot be to email client or the browser or anything else. And basically we look at the order of system calls. So if you compare the final system call sent by a malware or a legitimate application, it would be the same. But the path of system call send from the email client will actually be different if it's done legitimately. So that's why we analyze.

Chris: That's interesting. So I noticed SC Magazine gave Paranoid five stars, but noted that it was mostly used for very high level enterprises with large budgets. Are there specific security issues that these high level organizations are requiring that only Paranoid can provide?

Nir: I think we are really helpful in term of EDR or application widely seen or application control solutions, we can actually replace some of them. The way I look at Paranoid is a next level EDR. So we call it EPR because D stands for detection. Our main advantage is prevention.

Chris: Prevention.

Nir: So basically we do provide you a full blown EDR solution that can at the same time stops threats and not just overwhelm with data.

Chris: Interesting, so from your vantage point, what are gonna be the big security issues and threats in 2020 and beyond that are being properly addressed right now?

Nir: I think if you look at last year with speculated meltdown, I would expect that something big will happen again and again. I think we are really good still with all this new technologies and that's partly of course because our focus is really detecting the unknown. But I don't think enough companies are really doing that. So I think that big things such as spectacular meltdown will keep happening.

Chris: Okay, to wrap things up today here, if you had one piece of advice for young people who are considering cyber security as a career or a course of study, what would it be and what are some pitfalls to avoid? And some opportunities sought out?

Nir: So I think again being focused, understand what you're really good at, what you really like, which will usually be the same. And don't be a sheeple. Don't just do things because it seems to be lucrative. That's really the single most advice that I will give people rather than what certification to take or not. I think that it all starts with why you do something and not just follow their heart.

Chris: Right, chase the passion and not the money.

Nir: Exactly.

Chris: All right, Nir Gaist, thank you once again for sharing your fascinating story with us today. We really appreciate it.

Nir: I appreciate your time, thank you.

Chris: And thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to YouTube and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts including this one. Just search Cyber Work with InfoSec in your favorite podcast catcher. To see the current promotional offers available to listeners of this podcast, go to Infosecinstitute.com/podcast or check the link in the description. Once again, use our free election security training resources as well to education poll workers and volunteers on the cyber security threats that they will face during the upcoming election season. For more information about how to download your training packet, please visit Infosecinstitute.com/IQ/election-security-training or click the link in the description. Thanks once again to Nir Gaist and thank you all for watching and listening. We'll talk to you next week.