Dark Reading is part of the Informa Tech Division of Informa PLC


6/8/2017
02:30 PM
Tad Whitaker
Commentary

From Reporter to Private Investigator to Security Engineer

How I fell in love with coding and traded in a camera-rigged Prius for a MacBook and a GitHub account.



"You’ll receive an email with a first name, last name and a ticker symbol," the hedge fund manager told me. "I don’t care how many hours you bill. Just understand that I will trade money on whatever you turn up."

Never in a million years did I think I’d be a private investigator. Or a security engineer in Silicon Valley. I studied journalism in college with the goal of working on the investigative team at one of the major dailies: New York Times, Washington Post or the Wall Street Journal.

I started at the main daily paper in Marin where I developed a reputation for writing the long, drawn-out, data-driven pieces published above-the-fold on the front page of Sunday papers.

That’s how the hedge fund manager got to know me.

After doing a couple projects for him, he invited me to an intimate batting practice party. He rented out AT&T Park in its entirety. It was the same extravagant party that opened Season 2 of Silicon Valley: A dugout full of catered food, an open bar, and networking. One attendee told me he was a private investigator. A few weeks later, after some finessing, the state designated me PI #26458.

For the next eight years I conducted surveillances, worked undercover on a corporate jury-tampering trial, hired people in South America to take photographs of American products being sold inside a mall reportedly owned by Hezbollah, hunted car thieves for Enterprise Rent-A-Car, set up a team of former newspaper reporters to search for assets owned by every single person who was a net winner in the Bernie Madoff Ponzi scheme, and conducted background checks for the NBA. I bought the plainest car possible — blue, base model Toyota Prius — and rigged up a stop-motion HD video camera in the roof rack so I could park and leave it in front of places where a person sitting in a car for an entire day wouldn’t draw suspicion.

Lawyers, hedge fund managers, politicians, businesses, venture capitalists, and even big international detective agencies turned to me when they hit the end of the line of their own abilities. More often than not, I had never done exactly what I was proposing and everyone knew I’d have to figure it out as I went along. That turned out to be a great skill later on.

Three key things happened within a short span of time around 2014:

  • I read Ghost In The Wires, an autobiography by notorious hacker Kevin Mitnick
  • The ocean of data available via public APIs landed on my radar
  • Software bootcamps became a thing

As a P.I., I had always spent money liberally to learn any new skill that would help me become a better, more creative problem solver. Reading Mitnick’s book opened my eyes to how much soft skills and raw persistence drove technical hacking. The same week a software developer quoted me $20,000 to build a custom business development tool, I saw an ad for one of the first bootcamps and it was half the cost of the bid. On a whim, I enrolled and started a week later with the assumption that I could learn enough to build my tool and return to my practice.

A funny thing happened though: I fell in love with software.

The Python-focused curriculum was a mess and only two of the 20 or so students landed full-time gigs. That was okay, though. Everyone was incredibly supportive and I was hooked on something new. After returning to client work, I found myself spending most of my day tinkering with code tutorials and pushing the paid investigative work late in the afternoon. When a colleague initiated merger talks shortly thereafter, closing up shop was an easy decision. My brain had moved on.

It felt strange considering another bootcamp, but I wanted to get proficient as fast as possible and earn a living working on software. Hack Reactor looked like the fastest way there.

Once I got accepted, it really was as brutal as everything I’d heard. They took for granted that I could code and drilled us on things like algorithm design, time complexity of different search methods, and test coverage. And even though the program focuses exclusively on JavaScript, the goal is to produce engineers who can learn any language quickly and solve problems with it.

A tracking program on my laptop showed that I coded 88 out of 90 days, averaging 12 hours each day.

While searching for an engineering job, I attended security meetups, took a class about using the Burp Suite exploitation tool, wrote blog posts for the Wall of Sheep group from the Defcon security conference and, with a friend, set up a Chromebook with the Kali Linux penetration testing tools. I also spent two months teaching front-end web development to a dozen low-income girls of color through an amazing program called Mission Bit. Once again, I found myself in a profession that wasn’t part of the plan. Me, teaching coding.

When a friend of mine heard about my volunteer work, he encouraged me to apply for a job at his company: CircleCI. I solved their timed code challenge, passed the interviews and got hired. Just like Hack Reactor predicted, I landed a gig where no native JavaScript is written. And not only that, we use Clojure, which is a Lisp dialect and not even an object-oriented language. I started as a support engineer helping customers learn to use our platform. During slow periods and holidays, I holed up in the office and taught myself Clojure.

While the company began recruiting a security engineer, I picked up the slack out of raw curiosity about how our system worked through the lens of security. It started with answering security questionnaires from customers and quickly morphed into using my journalism skills to document the security processes already in place. When I volunteered at the BsidesSF security conference this winter, everyone told me the company should promote within and hire me. Which is exactly what happened. These days, I’m doing a lot of what I did with my P.I. agency: hiring vendors, managing subcontractors’ projects, creating budgets, and figuring out creative ideas to solve problems. But I also jump into the code to solve problems when needed and that’s my favorite part.

One of the most exciting things I’m looking forward to this year will be hosting security workshops for engineers. The goal is to not just explain things like SQL injection to our engineers, but to turn them loose on a deliberately vulnerable application and give them time to break it. I want them to think like hackers so they can design better systems.

My newfound security engineering focus is a stakeout of a different kind. I’ve traded my Prius for a MacBook and a GitHub account. But I’m still looking in the shadows, searching for flaws and vulnerabilities. 


Tad Whitaker is a security engineer at CircleCI. He spent 8 years as a private investigator, worked as a reporter in California, and is a graduate of Hack Reactor.
Comments
RetiredUser,
6/9/2017 | 3:28:33 PM
Kudos and Condolences and Kudos
I identify with your story - I remember my evolution from no-tech to low-tech to high-tech some twenty years ago.  It was painful, blissful and startling.  Kudos on getting where you are, and on even finding your toolkit included un-honed security skills.

Condolences, though, on your role as an investigator.  It seems it must be hard being an investigator in software security if you are not the one defining who you take down.  Like law enforcement, the judicial system, and financial industries, there are countless gray areas in InfoSec.  How do you know who to arrest, who to prosecute, and who is better to let go in favor of bigger fish.

Cyber criminals come in all shapes and sizes, too.  Some can be tracked and taken down with little resistance while others are part of a larger "army" who can be unforgiving once they know you have them in your sights. 

But kudos again for giving back, and digging under the casing.  With a focus on code, perhaps you'll be in better shape than as an investigator.  Don't get me wrong, boy do we need InfoSec investigative work.  But I don't envy those who do it.

Nice to see a personal story once in a while here on DR. 

 

 

 