His first hack may have been his most fortuitous: Rohit Dhamankar and his classmates in India had to hack into and use their engineering professors' email so they could apply to graduate schools in the U.S. "We didn't have email back then," he says of he and the other students at the Indian Institute of Technology in Kanpur who switched their names onto the accounts. "So we got into our professors' email accounts so we could send email. Some of them had never used email before, so they weren't checking it regularly."
This is the same guy who today is responsible for choosing and ranking the world's top security vulnerabilities each week (as well as yearly) for the SANS Institute, and whose day job is senior manager of security research at TippingPoint. His desperate email crack back home in India landed him at the University of Texas at Austin, where he eventually switched from physics to electrical engineering. He got his first job in 1999 with Cisco Systems, where he worked as a software developer on intrusion detection and scanner products.
Dhamankar, 32, admits the SANS vulnerability list he compiles doesn't change drastically from week to week. About every six months, however, he witnesses a shift in the types of attacks underway. He's watched bug trends go from pervasive worms to phishing and spyware, and to client-side vulnerabilities in applications like Microsoft Office, he says.
Being the final word on vulnerability rankings isn't always a popular job, like the time in 2005 when he decided to put the MacOS on the SANS Top 20 list, a gutsy move that ticked off some rabid Mac users who cursed him and SANS publicly for calling out their beloved OS. But Dhamankar still stands by his then-controversial choice because he says he felt it was time MacOS users became aware of the bugs in the OS.
He thinks SANS' ranking system works, although it ultimately comes down to him to make the final call. Dhamankar sends out his strawman list to a panel of experts from enterprises, universities, security consultants, and vendors, who all put their heads together. "We seek out other users and ask if the list is useful to them," he says. "Nobody says 'you guys suck.'"
There is some overlap with his work at TippingPoint. Dhamankar basically manages the security research team responsible for TippingPoint's intrusion prevention systems. They analyze new vulnerabilities and attacks, and write signatures for the company's IPS products.
When he's not analyzing and ranking bugs, Dhamankar sings. He takes classical South Indian music vocal lessons and, from time to time, performs around Austin, where he's stayed since leaving India for UT. "I help promote the Indian classical music scene," he says. He also works with a battered women's organization. "These are women from ethnic backgrounds that come to the U.S. and are not treated well by their husbands."
Vulnerability is a theme with Dhamankar, for sure: He's also an animal lover, who wears a PETA t-shirt to work with a picture of a pig and "I Don't Have ANY Spare Ribs" emblazoned on it. Why People for the Ethical Treatment of Animals (PETA)? "There's the same problem with pigs and cows" and other animals being mistreated as there are with dogs and cats, he says. "Growing up in India, there were places where cows were in the cowshed, and they were very loving and intelligent, too." He witnessed cows who would only allow people they were familiar with to milk them, for instance.
Animal rights and security work sometimes mix, sometimes not, he says. "There are some people in the security industry that are like me, PETA supporters," he says. "And there are lot [who are not], with dark t-shirts, colored hair, and eating a lot of meat," he adds with a laugh.
Kelly Jackson Higgins, Senior Editor, Dark Reading