IT Security Consultant & Security Researcher – ZeroDayLab Ltd. London, United Kingdom
Mr. Osanda Malith Jayathissa is an IT Security Consultant at ZeroDayLab Ltd. as well as an independent Security Researcher. Having completed his secondary education at Vidura College, Colombo, he attended a private university and is currently based in London, United Kingdom. With an avid interest in the field of Computer Security from a very young age, his curiosity in the world of hacking has taken him to great heights, and he is well known for his insightful blog osandamalith.com that portrays his work. Here he joins Exposition Issue 16 to share with us his journey, and his views on the field of Cybersecurity, and more.
What was your educational background starting from your school days?
Back in 2013, when I should have been doing A/Ls I made that difficult choice to defy the traditional path even though no one was happy with my decision. Instead of doing Advanced Level, I decided to do foundation courses and then move into a private university. You need your backbone to be very straightforward and speak up for yourself to do such a thing. When I was 17 years old, I solved an online cryptographic challenge conducted by IFS and then they invited me for an interview. I missed that opportunity as I refused the invitation saying that I am not even 18. Nevertheless, it was an achievement to be selected.
I was learning Computer Science courses from MIT and EdX courses which gave me a good solid understanding. Then I entered APIIT and did Networks and Security. In my first year, I realized that they were teaching the CISCO syllabus (CCNA) which made me change my entire degree to software engineering. I had good networking knowledge and was a good student when I was doing software. Yet, I could not find what I was looking for in either networking or software. When I was 20 years old, I gave up my degree because my actual passion was for cybersecurity.
I have been into my research since I was 12 years old. That is why I started a blog named osandamalith.com where I published all the different things I was doing. This blog led me to where I am today. I did research about the LinkedIn platform and found many bugs. This brought me a lot of international offers from New Zealand, Australia, Dubai, and the UK. I decided to accept the UK offer and started my first job in the UK. After that, I got into the University of London.
What was your greatest inspiration in life, and what inspired you to pursue this field?
It was back in 2008 when I was only 12 years old that I got into hacking. If I relate my background, we had a computer in our house from my very young days and I have experienced even Windows 98. Naturally, as a young boy, I was very much into games even to the point of addiction. This caused me to get in some mischief as well but nevertheless, it was a very fun childhood. With gaming, I also came across cracked software which got me curious about how they work. In grade 5, I began experimenting with batch programming and many were amazed by the things I was doing. I was a kid who wanted to do something magical with these things. By around 16 years of age, I started learning languages like C and Python. This is my technical background.
Then, when it comes to hacking, at the age of 12, I got curious about how to hack Facebook accounts. That was the start of my search into hacking. The first technique of hacking I learnt was phishing. Back then, there was practically no security. Therefore, it was easy and I was hacking 5-10 people a day. However, my biggest intention was to learn how things work behind the scenes. I was curious about how computers work and such basics. I even dove into some of the more complex older systems to get an idea. This phase grew my interest towards reverse engineering.
From what companies have you been acknowledged for your work so far?
I started reporting bugs officially at the age of 17. Since then I have been acknowledged by so many companies that I cannot even keep track anymore. Microsoft, Apple, Facebook, Oracle, Twitter, the government of the Netherlands, Sony, Red Hat, Samsung, Nokia, GitHub, Apache, Huawei, eBay, MongoDB, and MySQL are just some of them.
In addition, I received an offer from Facebook to work as a Security Engineer, which I turned down as I was new to the British industry and wished to gain more experience first. I was also offered a contract from Google for their Android pentesting team but I had to deny this as mobile development was not my focus area. At the same time, I do not think too much about denying those offers as I have maintained a good profile. This is because I believe one must consider freedom in life as well.
You mentioned two very distinct fields, cybersecurity, and reverse engineering. What is the interconnection you see between these two fields?
What a software engineer does for four years of his lifetime in the university is learning to develop things or forward engineering. We also know how long it takes to develop software. Still, when you release software, within weeks someone may find a critical vulnerability and if an attacker comes into the picture, it will take them only seconds to make all your hard work pointless. This is the relationship between development and security.
Though you mentioned them to be separate fields, reverse engineering is like a branch of cybersecurity. It is used by attackers to find bugs or security issues in systems and to exploit them. At the same time, it is used by penetration testers/ethical hackers to test software or bypass protections. If we consider malware, we must first analyze it and understand how it works through reverse engineering to prevent it. Simply, cybersecurity is about prevention and we need to use reverse engineering for this purpose. That is how all these fields are interconnected. Reverse engineering can be used for different goals; both good and bad. It is very useful for understanding how things work and can be used for fixing bugs and micropatching. When it comes to penetration testing, this knowledge is crucial to bypass antivirus software. Performing forensic investigations on systems and binaries is all about reverse engineering as well. On top of these, I must stress that it must be used only for ethical purposes as it is otherwise considered a crime depending on the end-user license agreements.
We got to know that “bug hunting” has only been an interest of yours. How did your career evolve through it?
Back in 2008 when I started hacking, there was no such thing as ‘bug hunting’. Then Google came up with bug hunting programs, which was probably the first of its kind. They would pay from $500 to even $100,000 for finding bugs. Other major companies followed, and I did bug hunting in my free time.
Bug hunting is a good chance to experiment legally and get some experience. Still, you must be cautious when choosing a website, as people often get misled about bug hunting. You cannot simply scan any site you see for bugs. Some websites have a page called “Responsible Security Disclosure” where they have mentioned their terms, what you can attack, what you cannot attack, the scope, and how much they pay. However, you must be very careful because you are attacking live websites and it can disrupt businesses and cause financial losses. I would say bug hunting is somewhat like finding a gem. You need some luck as well because if someone reports the bug before you, there will be no benefits. Therefore, it is good as a hobby but never as a career or a source of passive income.
I am currently working as a penetration tester which involves testing net infrastructure. I believe bug hunting was a good experience and was a value addition just like my research, research papers, and exploits I have written. I tend to explore many areas and would not recommend doing just one thing. That is mainly because being an infosec consultant is difficult and requires you to be an all-rounder. The thing I love about this field is that you learn something new every day, and you become very confident with technology.
Going on that topic, do you believe that technologies like quantum computing or blockchain will make fields such as cybersecurity and pentesting irrelevant in the future?
I believe quite the opposite. Whatever we develop has both a security aspect and a forensic side to it. However, user-friendliness and security tend to work in opposite ways. Nowadays, the world is moving towards increasing user-friendliness.
Quantum Computing will bring the ability to process things much faster. As an example, a quantum computer would give me the ability to break private keys within seconds and hack almost anything since quantum computing power could be utilized in finding the prime factors P and Q of the public modulus N using a polynomial-time quantum algorithm such as Shor’s algorithm. Technologies like quantum computing will make the cybersecurity field more challenging. It could cause huge concerns related to the interception of data and would create the need for much more powerful algorithms or much larger private keys, in order to secure systems.
Blockchain on the other hand is a totally different topic. The data is practically impossible to manipulate as it is stored in all the computers, and everything is validated through proof of work. Even though the blockchain technology is safe, accessing the blockchain is done through a private key where the security concerns still remain if the private keys get stolen. There are also many emerging topics in these areas. Blockchain technology can bring economic advantages and solve many issues such as corruption. Hence, it can be used for actions like land registration which is a significant problem in developing countries such as Sri Lanka. On the other hand, it can be used for undesirable purposes like drugs and crime as it is difficult to track. Therefore, as a country, we must carefully analyze our resources and capabilities when dealing with such technologies. As a big fan of blockchain, I have ideas to implement this in Sri Lanka as it is the future.
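The answer above rests on one fact: whoever can factor the public modulus N into its primes P and Q can rebuild the RSA private key, and Shor's algorithm is what makes that factoring cheap on a quantum computer. The following added example (written for this page, not code from the interviewee or from Exposition) makes the dependency concrete with textbook RSA on constructed toy-sized primes: a classical trial-division factoring step recovers the private exponent from the public key alone. The primes, message and helper names are all assumptions chosen for the demonstration; real keys use 2048-bit or larger moduli precisely so that the classical factoring step below becomes infeasible, which is the assumption a large quantum computer would remove.

```python
# Added example: why recovering P and Q from the RSA modulus N yields the private key.
# Textbook RSA only (no padding); toy primes so classical trial division finishes instantly.
from math import gcd


def make_keypair(p, q, e=65537):
    """Build a textbook RSA keypair from primes p and q. Returns ((n, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (n, e), d


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(n, d, c):
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Classical factoring of an odd semiprime. Practical only for tiny n; returns (p, q)."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no non-trivial factor found")


def private_exponent_from_factors(p, q, e):
    """Knowing P and Q is equivalent to knowing the private key: rebuild d from them.
    This is exactly what a polynomial-time factoring algorithm such as Shor's would
    hand to whoever runs it, regardless of how the legitimate owner guards d."""
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    """End-to-end check: factor the public modulus, rebuild d, decrypt a ciphertext."""
    p, q = 1000003, 1000033  # constructed small primes (assumption for the demo)
    pub, d = make_keypair(p, q)
    n, e = pub
    m = 123456789  # constructed plaintext
    c = encrypt(pub, m)
    assert decrypt(n, d, c) == m

    # The "attacker" view: only (n, e) is known. Factoring n is the whole attack.
    rp, rq = factor_by_trial_division(n)
    d_recovered = private_exponent_from_factors(rp, rq, e)
    return d_recovered == d and decrypt(n, d_recovered, c) == m


if __name__ == "__main__":
    print("private key recovered from public modulus:", demo())
```

The defensive takeaway is the one the interview states: security of this scheme is entirely the cost of the factoring step, so the only classical lever is a larger modulus, and the long-term answer to a quantum factoring algorithm is a different algorithm family rather than a bigger key.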
In your most recent visit to Sri Lanka, you did a workshop in collaboration with the undergraduates of Sri Lankan universities. What do you think about the interests and knowledge of the Sri Lankan community, in terms of your field?
People are very much interested in hacking and yet they do not have proper guidance. Most of the private universities have cybersecurity for their BSc level. In the workshop I did, there were two girls’ teams from the University of Moratuwa who were not doing any cybersecurity at the university. However, they were researching, reading articles, and performed very well in the Hacking Challenge. This is what I expected. The students that were learning cybersecurity at the other universities did not even attempt to do the given tasks.
Most of the Sri Lankans expect to be spoon-fed. If the lecturer does not teach them or it is not in the syllabus they try to put the blame on someone else and do not take the responsibility to spend time learning things that they do not know. That is not how things work. You need to learn yourself. Do not do something for the sake of passing or to take a certificate. You should have the enthusiasm to learn something new. People should learn how to learn. You must be passionate about the field rather than thinking about how much you are going to earn. If you are born talented to sing, do you need a certificate to prove to society that you are good at singing?
I think people are hiding behind a certificate or a degree because they are very insecure about themselves. First of all, have a proper plan, a proper target, and spend time in a useful way to achieve it. The truly talented people are pretty much silent in the field. In my life, I have never thought about how much money I would make, neither did I want to be the greatest hacker in the world. You need to be just good at what you are doing and things will come naturally.
How would you describe the relationship between Management and Cyber Security?
Cybersecurity is a part of the business, as it is used to protect the business. There is a field called Information Security Management, where you need not be super technical. You may come from a different educational background. It is more like the same things you do as a manager, and how to manage that event.
How important is receiving certifications and courses apart from the university?
Academics are purely theoretical. It is a theoretical degree. When it comes to higher-ranking universities, they have only computer science. The low-ranking universities divide it into subcategories like software engineering, network engineering, and cybersecurity, since they cannot compete with the higher-ranking universities.
Things like Java development and mobile app development are the skills that are required for a job. Some people are straight away going for a job without having a degree because they have the skills that a certain job requires. However, if you want to do some advanced research in AI or data science, you need to know mathematical concepts and that requires a degree. For example, I would not spend money on doing a Cybersecurity Master’s at all, because I know there is no point. I will rather spend that money on doing a Master’s in Mathematics, because I know I can get that knowledge only from a university.
On a final note, what is your message to undergraduates in Sri Lanka who wish to pursue a career in cybersecurity?
I think I said most of the good facts for the university students in the entire discussion. My message would be for you to think out of the box and be creative. When it comes to cybersecurity there are so many areas. Be an all-rounder. You do not need to be a great developer, but you need to know how to read the language and how to find bugs. Organization is very important. You need to keep notes because no one can keep everything in their minds. Get the maximum out of the internet. Internet speed may become higher in the future, but it does not solve your problems. It will not make you a genius unless you spend time and you are ready to focus. If you want to enter this competitive field, do not go with the flow. Think out of the box, practice, and do not keep complaining about the things that you do not have. Utilize what you have, and you will do your best.