Dark Reading is part of the Informa Tech Division of Informa PLC


6/8/2017
02:30 PM
Tad Whitaker
Commentary

From Reporter to Private Investigator to Security Engineer

How I fell in love with coding and traded in a camera-rigged Prius for a MacBook and a GitHub account.

"You’ll receive an email with a first name, last name and a ticker symbol," the hedge fund manager told me. "I don’t care how many hours you bill. Just understand that I will trade money on whatever you turn up."

Never in a million years did I think I’d be a private investigator. Or a security engineer in Silicon Valley. I studied journalism in college with the goal of working on the investigative team at one of the major dailies: New York Times, Washington Post or the Wall Street Journal.

I started at the main daily paper in Marin where I developed a reputation for writing the long, drawn-out, data-driven pieces published above-the-fold on the front page of Sunday papers.

That’s how the hedge fund manager got to know me.

After doing a couple projects for him, he invited me to an intimate batting practice party. He rented out AT&T Park in its entirety. It was the same extravagant party that opened Season 2 of Silicon Valley: A dugout full of catered food, an open bar, and networking. One attendee told me he was a private investigator. A few weeks later, after some finessing, the state designated me PI #26458.

For the next eight years I conducted surveillances, worked undercover on a corporate jury-tampering trial, hired people in South America to take photographs of American products being sold inside a mall reportedly owned by Hezbollah, hunted car thieves for Enterprise Rent-A-Car, set up a team of former newspaper reporters to search for assets owned by every single person who was a net winner in the Bernie Madoff Ponzi scheme, and conducted background checks for the NBA. I bought the plainest car possible — blue, base model Toyota Prius — and rigged up a stop-motion HD video camera in the roof rack so I could park and leave it in front of places where a person sitting in a car for an entire day wouldn’t draw suspicion.

Lawyers, hedge fund managers, politicians, businesses, venture capitalists, and even big international detective agencies turned to me when they hit the end of the line of their own abilities. More often than not, I had never done exactly what I was proposing and everyone knew I’d have to figure it out as I went along. That turned out to be a great skill later on.

Three key things happened within a short span of time around 2014:

  • I read Ghost in the Wires, an autobiography by notorious hacker Kevin Mitnick
  • The ocean of data available via public APIs landed on my radar
  • Software bootcamps became a thing

As a P.I., I had always spent money liberally to learn any new skill that would help me become a better, more creative problem solver. Reading Mitnick’s book opened my eyes to how much soft skills and raw persistence drove technical hacking. The same week a software developer quoted me $20,000 to build a custom business development tool, I saw an ad for one of the first bootcamps and it was half the cost of the bid. On a whim, I enrolled and started a week later with the assumption that I could learn enough to build my tool and return to my practice.

A funny thing happened though: I fell in love with software.

The Python-focused curriculum was a mess and only two of the 20 or so students landed full-time gigs. That was okay, though. Everyone was incredibly supportive and I was hooked on something new. After returning to client work, I found myself spending most of my day tinkering with code tutorials and pushing the paid investigative work late in the afternoon. When a colleague initiated merger talks shortly thereafter, closing up shop was an easy decision. My brain had moved on.

It felt strange considering another bootcamp, but I wanted to get proficient as fast as possible and earn a living working on software. Hack Reactor looked like the fastest way there.

Once I got accepted, it really was as brutal as everything I’d heard. They took for granted that I could code and drilled us on things like algorithm design, time complexity of different search methods, and test coverage. And even though the program focuses exclusively on JavaScript, the goal is to produce engineers who can learn any language quickly and solve problems with it.

A tracking program on my laptop showed that I coded 88 out of 90 days, averaging 12 hours each day.

While searching for an engineering job, I attended security meetups, took a class about using the Burp Suite exploitation tool, wrote blog posts for the Wall of Sheep group from the DEF CON security conference and, with a friend, set up a Chromebook with the Kali Linux penetration testing tools. I also spent two months teaching front-end web development to a dozen low-income girls of color through an amazing program called Mission Bit. Once again, I found myself in a profession that wasn’t part of the plan. Me, teaching coding.

When a friend of mine heard about my volunteer work, he encouraged me to apply for a job at his company: CircleCI. I solved their timed code challenge, passed the interviews and got hired. Just like Hack Reactor predicted, I landed a gig where no native JavaScript is written. And not only that, we use Clojure, which is a Lisp dialect and not even an object-oriented language. I started as a support engineer helping customers learn to use our platform. During slow periods and holidays, I holed up in the office and taught myself Clojure.

While the company began recruiting a security engineer, I picked up the slack out of raw curiosity about how our system worked through the lens of security. It started with answering security questionnaires from customers and quickly morphed into using my journalism skills to document the security processes already in place. When I volunteered at the BSidesSF security conference this winter, everyone told me the company should promote within and hire me. Which is exactly what happened. These days, I’m doing a lot of what I did with my P.I. agency: hiring vendors, managing subcontractors’ projects, creating budgets, and figuring out creative ideas to solve problems. But I also jump into the code to solve problems when needed and that’s my favorite part.

One of the most exciting things I’m looking forward to this year will be hosting security workshops for engineers. The goal is to not just explain things like SQL injection to our engineers, but to turn them loose on a deliberately vulnerable application and give them time to break it. I want them to think like hackers so they can design better systems.

My newfound security engineering focus is a stakeout of a different kind. I’ve traded my Prius for a MacBook and a GitHub account. But I’m still looking in the shadows, searching for flaws and vulnerabilities. 


Tad Whitaker is a security engineer at CircleCI. He spent 8 years as a private investigator, worked as a reporter in California, and is a graduate of Hack Reactor.

Comments
RetiredUser,
User Rank: Ninja
6/9/2017 | 3:28:33 PM
Kudos and Condolences and Kudos
I identify with your story - I remember my evolution from no-tech to low-tech to high-tech some twenty years ago.  It was painful, blissful and startling.  Kudos on getting where you are, and on even finding your toolkit included un-honed security skills.

Condolences, though, on your role as an investigator.  It seems it must be hard being an investigator in software security if you are not the one defining who you take down.  Like law enforcement, the judicial system, and financial industries, there are countless gray areas in InfoSec.  How do you know who to arrest, who to prosecute, and who is better to let go in favor of bigger fish?

Cyber criminals come in all shapes and sizes, too.  Some can be tracked and taken down with little resistance while others are part of a larger "army" who can be unforgiving once they know you have them in your sights. 

But kudos again for giving back, and digging under the casing.  With a focus on code, perhaps you'll be in better shape than as an investigator.  Don't get me wrong, boy do we need InfoSec investigative work.  But I don't envy those who do it.

Nice to see a personal story once in a while here on DR.