An Interview With A Singaporean Hacker

What are your hopes for the cybersecurity landscape in Singapore?

Portrait of Tammy Strobel

"SAMUEL ENG HACKERONE"

What age did you start hacking? Do you have a favourite type of bug or vulnerability to hack?

Samuel: I started learning about hacking in my university years around the age of 23. I love server-side vulnerabilities such as Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI) or code injection bugs.

How do you keep up to date on the latest hacking techniques, tools and vulnerability types?

Samuel: I did take a lot of certifications such as Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) for example, and I read a lot of blogs, including Chinese, South Korean and Russian security blogs (I do not want to miss any information).

Do you remember when you found your first bug? What was the type of bug? How did it feel to find it?

Samuel: My first bounty in HackerOne was from Zomato. It was a SQL injection (SQLi) in a cookie. On Saturdays, I usually spend my time doing physical activities, but on that particular day, I was sick with the flu. Since I am a person that cannot sit still, I decided to start hacking (not advisable!). I decided to try weird stuff and start fuzzing weirdly named cookies. I was shocked that it actually worked. The moral of the story is that if you never try, you will never know!

What motivates you to hack for good?

Samuel: I see hacking as a form of hobby. Plus, the feeling of accomplishment when a company replies with an appreciative message for the work that we do cannot be found elsewhere.

How did your friends and family react when you first told them that you wanted to be an ethical hacker?

Samuel: Actually, all of them think it’s a cool career path. Hacking today is different from the past where hackers have traditionally been portrayed as bad guys who only seek to destroy computer systems and take down everything who stands in their way. Nowadays, ethical hacking is gaining recognition as a viable career choice that is both niche and desirable.

Are there any hackers that you look up to?

Samuel: If there was one, it would be @filedescriptor because his reports always require multiple reads to fully understand the attack chain!

What advice would you give to aspiring hackers?

Samuel: Have an appetite for knowledge or be hungry for more knowledge. Whenever one stumbles across an interesting topic, it is important to also dive deep and do deep work (30 hours) to fully understand the concepts before moving on.

Do you expect bug bounty adoption to increase?

Samuel: Yes. Bug bounties are getting more and more popular in the cyber security industry and they go hand in hand with penetration testing as a form of defense-in-depth solution.

How long (on average) do you spend your time hacking?

Samuel: When I hack, I hack for about two hours a day after work. On weekends, I only hack when I have a challenge on HackerOne. I do have a full-time job as a security engineer.

Any thoughts on how to attract more young professionals to the cybersecurity profession?

Samuel: I think it is important to market ethical hacking not only as a job that pays well but also a hobby that can be fun and meaningful.

What are your hopes for the cybersecurity landscape in Singapore?

Samuel: I think the Singapore Government certainly keeps up to date with the industry as shown by embracing bug bounties together with the usual compliance/penetration test process. I hope more young students will join our industry and show that Singaporeans can do it too!

Do you think hackerpowered security (aka bug bounty programs) is becoming a widely accepted concept in Singapore?

Samuel: Definitely. Many companies in Singapore are actually planning on having a bug bounty program but there are also challenges such as budget, legal and the fear of change.

Do you think the perception of hackers is changing? Globally? And how about in Singapore?

Samuel: There is a positive perception of what it means to be a hacker not only in Singapore but globally as well. As mentioned before, I always receive a positive response when I inform my friends and family that I am hacking as a career. Before bug bounty platforms came about, this was likely to be frowned upon. I think HackerOne has done an amazing job in showing the world that not all hackers are bad.

"THE SINGAPORE GOVERNMENT HAS REALISED THAT THERE IS A SHORTAGE OF SKILLED CYBER SECURITY TALENTS"

PICTURE HACKERONE