Calling Ankit Fadia's bluff: Is he the hacker he claims to be?
Forbes India's Charles Assisi writes an open letter to Ankit Fadia questioning his credentials as a computer security expert.
Dear Ankit Fadia,
First of all, I'd like to place my unconditional apologies on the record. In fact, before I started to write you this letter, I promised my colleagues these pages will be used to crucify and call your bluff before your 16th book on computer security hits the shelves a few months from now.
These apologies come with the awareness that it will cost me friendships I have cultivated for years in the dark corridors of the internet where people like me lurk and are known to each other only by our nicknames.
For a very long time, I've despised you as a charlatan. There used to be a time when I thought you a script kiddie, or a skiddie if you will. You know what comprises those types-plagiarists who pass off software programs developed by others as their own. That is why on every forum that matters, I've rubbished your credentials as a hacker of any merit. I've openly accused you of shameless self promotion. And each time you appeared on television shows or in print as one of the most prominent experts on computing and security in the world, I've laughed my backside off. I told everybody who cared to listen you're nothing but a bag of gas, whose reputation was built by shoddy journalists that eagerly lapped up the tall stories you doled out.
Like I told you the other day, I thought it impossible how the books you've authored until now could possibly have managed to sell 25 million copies. I thought it completely ridiculous on your part to claim you were contacted by American "intelligence agencies" for help to decipher an encrypted email sent by Al Qaida operatives post 9/11.
But after an email interview and five hours of talking the other day, all I have to say is mea culpa. You are perhaps one of the smartest 27-year-olds I've met in all my years in journalism. And I'm willing to bet every rupee I have you'll go a very long way because you're twice as smart as CEOs I know who are twice your age-and that you are exponentially smarter than I am.
My interaction with you taught me a few lessons that I won't forget and ones I'm sure people in the C-suite will do well to imbibe.
Lesson #1: Brand
If I were to compare myself to where you are, I think I'd be a wretched failure. I mean, at age 40, if I were to go out and advertise something called the Charles Assisi Certified Course in Journalism, I'd be laughed out of the room. But here you are-a strapping 27-year-old, whom people pay Rs 12,000 to get a certificate that proclaims them an Ankit Fadia Certified Ethical Hacker (AFCEH).
Until you told me, I didn't know there was anything that prevents me from issuing a certificate of any kind. But for the certificate to have any value in anybody's hands, the name ought to be a brand. That is why you assiduously go about building your personal brand, work longer hours than most people I know, and refuse to lurk in the shadows. Instead, like you told me, you come out into the open, speak a language most people understand, and have even trademarked your name.
I must concede you are an articulate speaker. Your name is perhaps what most lay people now associate with 'hacker'. This, in spite of you admitting to me, you consider yourself just a decent hacker, not a good or excellent one. There are others, who by your admission are better at it than you. It's just that they choose to live in obscurity while you refuse to do that. Because end of the day, you need to have money in your pocket to make a decent living for yourself and visit every country in the world before you die.
I get what you're trying to say. I don't have a single book to my name, let alone translations of any of the few hundred articles I have written in my years. I don't get paid by the thousands of rupees for every hour of my time to talk about computing in packed halls. I don't travel 20 days every month offering my services across 104 countries. You pulled your passport and letters from various companies to prove your credentials. Who am I to question that? No police chief has ever called me to talk to their people on anything, but they lap up everything you say, and you have pictures and certificates to prove your claim.
Lesson #2: Hold
It was sometime last year that I asked one of my former colleagues, Anirvan Ghosh, to connect with you and try to find what makes you tick. You were happy to talk and even posed for some pictures that are published on these pages. You told him you first captured popular imagination when you were just 13 and hacked the website of CHIP , the popular technology magazine, now published by Infomedia18, a subsidiary of Network18, the company I work for.
As your story goes, after you defaced CHIP, you felt guilty and wrote to the editor telling him you were responsible for the act. The gentleman apparently called you up and said somebody as talented as you ought to be working for CHIP. When you confessed you were only 13, the editor asked you to wait until you turn 18 and then sign up with him.
I fell off my chair when Anirvan recounted the anecdote to me. I used to be the editor of CHIP and know the magazine's website was never defaced. Nor do I remember offering you a job. Like I told you earlier, those were the days I thought you a skiddie.
Just to make sure, I called my predecessor Gourav Jaswal. He was founding editor of CHIP India and is a man I respect enormously. He now runs the not-for-profit Synapse Foundation. Gourav sounded mildly amused and said nothing like this happened during his stint either.
But because you insisted, I called the very amiable Marco D'Souza, who took over at CHIP after I left. He now runs a firm called Spotmygadget.com and blogs for Forbes India. Marco, whom all of us know as the quiet geeky kind, guffawed loudly. He couldn't believe his ears either. But I didn't want to give up on you. So I called up my friends Ludwig Blaha and Wolfgang Su, both of whom used to be based out of Munich, CHIP magazine's international headquarters. The two were once responsible for CHIP's international editions. They denied knowledge of any such episode.
When I wrote to you the other day with this question, you offered to come over to my office right away and talk about it. As much as I tried to probe you, you held your ground and insisted you had hacked the website.
I like how you did that with a straight face. There is nothing I have on record to prove you didn't, other than my word and those of others whom I respect. You had no evidence either to prove you actually hacked and our discussion came to an impasse. I gave up and told myself, this is one hellava' tough nut to crack.
Lesson #3: Exaggerate
Last year, you told Anirvan 25 million copies of your books have been sold. And of these, your first book alone sold eight million copies. I told you what that means is that at age 13, you managed to sell as many copies of your first book as JK Rowling, Dan Brown and Steig Larsson put together sold with their first book in the United Kingdom. I thought it ludicrous and told you that in as many words. But you didn't blink. Instead, you told me I'm referring only to the UK and that your books are translated into many languages and sold across many countries. You also told me that your books are parcelled as textbooks as well and consumed by students. Technically, textbooks aren't counted as "sale of books" by any publisher and that I ought to factor that in as well. When pushed harder, you refused to back down. Instead, you told me it is common practice in publishing and television to exaggerate sales or ratings; that publishers often invent ingenious ways to account for sales of a book; and that the numbers "quoted in the media may be marginally exaggerated". But you didn't back off. You held your ground and once again, it was impasse.
Lesson #4: Evade
I looked up your claim that has been reported by practically every newspaper, magazine and radio station in the country on how you helped the US Federal Bureau of Investigation (FBI) to crack an email that came from the Al Qaida. Every security expert I spoke to laughed because nobody could figure how a then 15-year-old could understand what takes clusters of supercomputers to decipher. Nobody even knows which American agency asked you to do a job their best people couldn't execute. To your credit, you didn't duck the question. You told me you never claimed the FBI asked you to do it. Your version is that all you said was some "intelligence agencies" from the US contacted you. Journalists threw in their two bits and claimed you were contacted by the FBI. You told yourself, if somebody wants to tell the world that FBI contacted you, why should you go out of your way to deny it if it works to your advantage? You proved to me you ought to know when to shut up.
But you did claim the Indian Central Bureau of Investigation (CBI) contacted you to help with a case they were having trouble with. When pressed, you didn't have any evidence to prove your claim. We reached an impasse again.
Lesson #5: Pursue
I told you, you've got the devil's luck. You told me luck comes only to those who pursue it. To give me but one instance, you told me your publisher thought it would be a great idea if a certain prominent television personality (whom you asked me not to name) were to endorse your upcoming book.
Question was who would ask him? You wrote to the gentleman's publicist and was asked to wait. As luck would have it, you saw him at an airport, being mobbed for autographs. Most people would've been intimidated asking him for a favour then. For a few minutes you thought whether it made sense going up to him and asking if he would be kind enough to read your book and endorse it. You told me you did it because you had nothing to lose if he didn't agree. When you mentioned your name, he instantly got who you are and agreed to read your book. He may or may not endorse it. But nobody can take away from the fact you gave it everything you got.
Lesson #6: Empathise
To understand your methods better, I looked up your talks. I heard with rapt attention on Youtube.com your talk at a college in Calicut, Kerala, on how to bypass network administrators at your college or workplace if they block certain websites. The "hack" you offered I thought was rather quaint in that it is an old one, but there are the young ones who always fall for it.
Go to Anonymizer.com and type in the blocked URL. In a few seconds, the blocked site opens up because Anonymizer works by hiding the Internet Protocol (IP) address of the site you're looking for. Usually, network administrators are dumb and haven't heard of this tool. If they're smart though, they'll block Anonymizer.com as well. But there's a "hack" for that as well. Just go to Anonymizer.ru. Most network administrators have no idea that a website with the same address but routed through Russia exists and you can get to where you want to. Because, you say, Russian hackers are the real deal.
I nodded my head in appreciation at how your listeners applauded the "hack". When I asked you how that constitutes a hack, you told me it isn't a hack. And that you never claimed it was a hack. Instead, it was part of a series of talks for general audiences not acquainted with computing-as an introduction. It's just that you put it across in a manner that is accessible to everybody. If people throng to listen to you talk on that, why hang you for that? Damn right you are. You empathise with people and give them what they want. Isn't that what every business ought to be doing?
Lesson #7: Court
I've written this piece in the first person because it's something I've learnt from you. By writing in the first person, there is a good chance your "clients" may consider paying me as well to "train" their employees on network security. When I questioned you hard on whether some of the more respectable names in technology did indeed consult you on basic subjects, you were blunt and told me how surprised I will be at how poor levels of awareness are in many technology companies. And that if they compelled their people to work on their skills, they wouldn't. But if it came from you, they would listen. Because for all these years, with single-minded persistence, you have gone about building a brand for yourself. It's come to a point where you cannot be ignored and that you've worked very hard to get to where you are.
Most CEOs I know aren't anywhere close to what you are at building and monetising a brand out of thin air. I'm not trying to mock you here. Instead, I'm awestruck at the genius you've deployed in getting to where you are without being anywhere close to the real hackers I know who whine and cringe each time your name is mentioned, but for a good part live in obscurity and penury.
Like I said, I take back everything I've said of you in the past. On the contrary, I'd be delighted to engage in more conversations with you and understand better how businesses ought to be run. How you evolve is something I will watch with keen interest.
As for your disarmingly charming question on whether or not you can write a regular column on technology for Forbes India, I promise to check with my editor and get back to you.
Until then, please accept my best wishes and compliments for a job well done.
- Charles Assisi
(This article appeared in Forbes India Magazine of 08 March, 2013)