Careers & People
6/8/2017
02:30 PM
Tad Whitaker
Commentary

From Reporter to Private Investigator to Security Engineer

How I fell in love with coding and traded in a camera-rigged Prius for a MacBook and a GitHub account.

"You’ll receive an email with a first name, last name and a ticker symbol,” the hedge fund manager told me. "I don’t care how many hours you bill. Just understand that I will trade money on whatever you turn up."

Never in a million years did I think I’d be a private investigator. Or a security engineer in Silicon Valley. I studied journalism in college with the goal of working on the investigative team at one of the major dailies: New York Times, Washington Post or the Wall Street Journal.

I started at the main daily paper in Marin where I developed a reputation for writing the long, drawn-out, data-driven pieces published above-the-fold on the front page of Sunday papers.

That’s how the hedge fund manager got to know me.

After doing a couple projects for him, he invited me to an intimate batting practice party. He rented out AT&T Park in its entirety. It was the same extravagant party that opened Season 2 of Silicon Valley: A dugout full of catered food, an open bar, and networking. One attendee told me he was a private investigator. A few weeks later, after some finessing, the state designated me PI #26458.

For the next eight years I conducted surveillances, worked undercover on a corporate jury-tampering trial, hired people in South America to take photographs of American products being sold inside a mall reportedly owned by Hezbollah, hunted car thieves for Enterprise Rent-A-Car, set up a team of former newspaper reporters to search for assets owned by every single person who was a net winner in the Bernie Madoff Ponzi scheme, and conducted background checks for the NBA. I bought the plainest car possible — blue, base model Toyota Prius — and rigged up a stop-motion HD video camera in the roof rack so I could park and leave it in front of places where a person sitting in a car for an entire day wouldn’t draw suspicion.

Lawyers, hedge fund managers, politicians, businesses, venture capitalists, and even big international detective agencies turned to me when they hit the end of the line of their own abilities. More often than not, I had never done exactly what I was proposing and everyone knew I’d have to figure it out as I went along. That turned out to be a great skill later on.

Three key things happened within a short span of time around 2014:

  • I read Ghost In The Wires, an autobiography by notorious hacker Kevin Mitnick
  • The ocean of data available via public APIs landed on my radar
  • Software bootcamps became a thing

As a P.I., I had always spent money liberally to learn any new skill that would help me become a better, more creative problem solver. Reading Mitnick’s book opened my eyes to how much soft skills and raw persistence drove technical hacking. The same week a software developer quoted me $20,000 to build a custom business development tool, I saw an ad for one of the first bootcamps and it was half the cost of the bid. On a whim, I enrolled and started a week later with the assumption that I could learn enough to build my tool and return to my practice.

A funny thing happened though: I fell in love with software.

The Python-focused curriculum was a mess and only two of the 20 or so students landed full-time gigs. That was okay, though. Everyone was incredibly supportive and I was hooked on something new. After returning to client work, I found myself spending most of my day tinkering with code tutorials and pushing the paid investigative work late in the afternoon. When a colleague initiated merger talks shortly thereafter, closing up shop was an easy decision. My brain had moved on.

It felt strange considering another bootcamp, but I wanted to get proficient as fast as possible and earn a living working on software. Hack Reactor looked like the fastest way there.

Once I got accepted, it really was as brutal as everything I’d heard. They took for granted that I could code and drilled us on things like algorithm design, time complexity of different search methods, and test coverage. And even though the program focuses exclusively on JavaScript, the goal is to produce engineers who can learn any language quickly and solve problems with it.

A tracking program on my laptop showed that I coded 88 out of 90 days, averaging 12 hours each day.

While searching for an engineering job, I attended security meetups, took a class about using the Burp Suite exploitation tool, wrote blog posts for the Wall of Sheep group from the Defcon security conference and, with a friend, set up a Chromebook with the Kali Linux penetration testing tools. I also spent two months teaching front-end web development to a dozen low-income girls of color through an amazing program called Mission Bit. Once again, I found myself in a profession that wasn’t part of the plan. Me, teaching coding.

When a friend of mine heard about my volunteer work, he encouraged me to apply for a job at his company: CircleCI. I solved their timed code challenge, passed the interviews and got hired. Just like Hack Reactor predicted, I landed a gig where no native JavaScript is written. And not only that, we use Clojure, which is a Lisp dialect and not even an object-oriented language. I started as a support engineer helping customers learn to use our platform. During slow periods and holidays, I holed up in the office and taught myself Clojure.

While the company began recruiting a security engineer, I picked up the slack out of raw curiosity about how our system worked through the lens of security. It started with answering security questionnaires from customers and quickly morphed into using my journalism skills to document the security processes already in place. When I volunteered at the BSidesSF security conference this winter, everyone told me the company should promote within and hire me. Which is exactly what happened. These days, I’m doing a lot of what I did with my P.I. agency: hiring vendors, managing subcontractors’ projects, creating budgets, and figuring out creative ideas to solve problems. But I also jump into the code to solve problems when needed and that’s my favorite part.

One of the most exciting things I’m looking forward to this year will be hosting security workshops for engineers. The goal is to not just explain things like SQL injection to our engineers, but to turn them loose on a deliberately vulnerable application and give them time to break it. I want them to think like hackers so they can design better systems.

My newfound security engineering focus is a stakeout of a different kind. I’ve traded my Prius for a MacBook and a GitHub account. But I’m still looking in the shadows, searching for flaws and vulnerabilities. 


Tad Whitaker is a security engineer at CircleCI. He spent 8 years as a private investigator, worked as a reporter in California, and is a graduate of Hack Reactor.
Comments
Christian Bryant,
User Rank: Ninja
6/9/2017 | 3:28:33 PM
Kudos and Condolences and Kudos
I identify with your story - I remember my evolution from no-tech to low-tech to high-tech some twenty years ago.  It was painful, blissful and startling.  Kudos on getting where you are, and on even finding your toolkit included un-honed security skills.

Condolences, though, on your role as an investigator.  It seems it must be hard being an investigator in software security if you are not the one defining who you take down.  Like law enforcement, the judicial system, and financial industries, there are countless gray areas in InfoSec.  How do you know who to arrest, who to prosecute, and who is better to let go in favor of bigger fish?

Cyber criminals come in all shapes and sizes, too.  Some can be tracked and taken down with little resistance while others are part of a larger "army" who can be unforgiving once they know you have them in your sights. 

But kudos again for giving back, and digging under the casing.  With a focus on code, perhaps you'll be in better shape than as an investigator.  Don't get me wrong, boy do we need InfoSec investigative work.  But I don't envy those who do it.

Nice to see a personal story once in a while here on DR. 

 

 

 