The notorious one yet, sincerest of all


Fyodor Bom is famous for his exploits which are written in variety of languages. However, he claims to have been comfortable with Perl, Albeit, most of his works are in PHP and Java, he is really not a huge fan of them. Fyodor is an ethical hacker who has more focus towards real life hacking which includes carding (credit cards hacking). He spoke to our Editor-In-Chief Vaidehi Taman about his thoughts on hacktivist or revolutionaries, the hypo in India around the word ‘hacking’ and how he loves to work with people of different skills.

How do you define your journey from Pizza to Python (we read it on your Facebook profile)?
Ok, I worked in bakery when I was a student. The pizza thing is a joke about my previous company. We make fun of it, because their slogan was similar to pizza delivery. So it wasn’t really pizza but, IT services. I joined Relay Group in Thailand after school which basically was a good starting point. But programming was fun even before that.

What was your first find? Define your experience please.

I am not really a research guy.

Who introduced you to tahis domain and why you entered it?
Relay Group was technically the first infosec. But, I think the most fun is to work as a system administrator in a big company — lots of machines to play, you script boring tasks and play with fun things.

Many of you rexploits/

research papers have codes written in Java, Python and few in PHP, which is your favourite and why?

I hate PHP. Java is too massive for simple scripts. Python is ok. I used to use Perl a lot.

What is your take on increasing number of Carding exhibits?
Carding fraud? Well, there is inequality in this world. Carding fraud balances it. Banking systems are penetration tested, most of the times, yet it is just a matter of time before something is proven.

Do you think it is lack of prudence by security companies?
No. But Pentest isn’t sufficient for an organisation to be secure. IMHO “protection in depth” is probably the most useful paradigm. Pentest is more a survey. Plus a service that is self-killing. If your Pentest is good, some people at customer hate you, because it shows that they did bad job. If your pentesting is bad, you are not getting paid.

Do you mentor people or are you professional towards ‘teachings’?
I think the best mentoring is to work with people of different skills on projects. I am not good enough to mentor.

Wannabes who enter this domain are clinged towards ‘black-hat’ activities, do you agree or did you also find people who were ‘constructive’ in this domain?

I don’t care really. Each chooses their own. Plus, the situation where each stands may be very different. For some people selling credit cards may only be the only way to survive. We can’t judge them unless, we wear their shoes.

What is your take on Lulz, Anonymous, AntiSec, etc. type of ‘hacktivist / revolutionaries’? Do you think revolution is possible by these activities?
They hit some big targets, but when you piss critical mass of people, there will be enough resources to get you in trouble, especially, where money is involved. Anonymous – there is a bunch of stuff around this thing. Some is useful. Some is not. The “occupy” movement was a total failure, but some things were fun.

AntiSec – things like this have been around for a while. Some people do Infosec as means of living (and making $$). Some people get upset about this. Anti-disclosure was around for a while — #ZF0, pHC etc.

Revolution is impossible without revolutionary situation (per Lenin). And revolutionary situation expects part of the society, which has nothing to lose. I think internet as medium is helpful to coordinate activities of various groups that made things change in countries. But I don’t think named groups are very relevant. Things like Wikileaks (and like-wise activities of anon) might be probably more relevant in this case.

A quick message for our readers, please.

There is too much hypo in India around the word ‘hacking’; and actually world-wide. I find it a bit sad. There is even an MTV show with some clowns leading it. I think this creates wrong impression of IT professions and hobbies related to Infosec. Plus, in a competitive society with too many people, it might be hard to take a slower pace spending time with technical details, and I think this is the most enjoyable part of the thing — play with the stuff in detail. The bad side of this is that it creates clowns and clown companies, such people who make use of hype to sell snake oil. At a few points of time I had experienced first-hand interaction with entities of this group myself. ICSALabs, E2labs, Armorize Technologies. I truly hoped that I could help these companies to realise a way of building technologies and contributing to tech community, but at the end, I just realised that these companies are so much full of them, and are in security just because this is a “hot” thing that brings cash. If there was no “security”, they’d be probably just making pizzas, if that was more profitable. Thus, the “pizza” joke in my profile you saw. I truly hope these companies will fade away as they create an extremely unhealthy environment, being completely useless, not being interested in any innovative technologies, they plainly use and abuse public domain works without contributing a dime back. Plus, some of these companies (won’t put names) were identified in openly plagiarising other sources. This is truly sad. I hope the Infosec hype will go away leaving the space for folks, who really enjoy the field.