Shomiron Das Gupta wears braces and rides a large Bullet. He is what the Matrix would call "an anomaly". He's a hacker whom people pay to break into their own systems. He never went to college, but at 23 receives offers worth over Rs 6 lakh a year from an industry that usually loves degree abbreviations. He's an "ethical hacker". Another anomaly, especially to a large group of underground programmers who don't believe there's such a thing as a virtuous hacker. But Shomiron exists. He's among a growing number of lock-pickers whom corporates and even the government are employing to find out how secure their networks are. In the battle between the good and the evil, one is hiring from the other. According to general opinion, all ethical hackers have been illegal to varying degrees in their past lives.
Shomiron quit ICICI's security consultancy wing a few days ago because he was tired of "writing recommendations instead of doing real hacking work". Constructive break-in is also called "penetration test", an expression the industry uses to abolish the much-feared word 'hacking'. Such a test can go on for days, with the hacker clocking over 20 hours every day. Shomiron plans to start his own intrusion analysis firm that will monitor the networks of clients, detect hack attempts and offer baits called "honey pots".
Twenty-five-year-old Karthik Shinde too rides a Bullet, but he doesn't wear braces. He works for a security consultancy company that does a lot more than just penetration tests. Once when his boss wanted to prove to a client that its confidential documents are easily available in the public domain, Karthik had to fish in five garbage bins in Bandra where the client usually disposed of its waste. He loves the "broad nature" of his job, even if it deviates from conventional hacking. One of his primary ambitions, though, is to take part in the Capture The Flag contest, an annual hacking grand slam held in a Las Vegas casino. One of the low points in "the art of hacking", according to Karthik, is that there are virtually no girls. "Womanz", as an underground hacker would later longingly describe the gender.
It's the paucity of brilliant hackers and greater scarcity of virtuous brilliant hackers that makes Rajiv Wadhwa, who runs a network security firm, refuse to name the four White Hats he has employed. "If I reveal their names, they will be stolen from me." Wadhwa feels the future is bright for all those boys who didn't go to college but grew up looking at a seemingly meaningless screen for hours. Indian penetration tests will be outsourced in large numbers by American and British companies. "Even today we offer remote testing services to some British firms. We get a written consent from them saying that within a few parameters we can test how secure their systems are."
Even the Government of India has found hackers highly useful. "It's true that they have been employed by the IB to protect sensitive material and for other strategic purposes," says Subimal Bhattacharjee, a security consultant. A 24-year-old who broke into 16 sites but was eventually caught by Mumbai's cyber crime department today works for the same agency that nabbed him. "Good deeds in exchange for getting my life back, that was the deal," he says.
But not all hackers who want to become good citizens get employment. They face resistance even if they come with the prefix 'ethical'. So, popular internet trainer Vijay Mukhi is trying to promote the concept: "RBI itself has mentioned in its guidelines that banking institutions should use ethical hacking to secure their systems but not many have actually followed the recommendation."
Some hackers are using an old trick to get jobs. They break into a system and go tell the boss about it. They then offer to guard his gates. Mostly, it works.
Virtuosity
Some from the www underground are born again, as they realise the constructive potential of hacking