He could have conquered the world with his superhuman powers, but Clark Kent chose to be on the good side, beckoning his Superman alter ego to defend the weak.
The so-called “white hat” hackers of the IT world, like the Metropolis Man of Steel, could also have turned bad and joined the havoc-wreaking dominion of IT’s dark side; instead, they use their technical flair to help companies strengthen their defenses against malicious attacks.
Twenty-three-year-old Paul Haas’s job title is “security engineer” but simply put, he is a hacker by profession. He hacks into corporate systems and seeks out vulnerabilities that can be exploited. But he does it as a service and with the knowledge and permission of the subject company.
“Using the knowledge I gained through research and vulnerability gathering, I prepare a report that itemizes the risks of each of those vulnerabilities and the priorities in terms of what should be fixed first,” explains Haas, who works at Redspin, a security consulting firm in Carpinteria, Calif.
Haas has been with Redspin for less than a year, but he’s no stranger to IT security. During his undergraduate studies at the University of California Santa Barbara (UCSB), Haas worked at the university’s computer security research lab alongside various post-graduate researchers.
At 22, he was one of the youngest and the only undergraduate among a team of IT researchers that won at last year’s Def Con Capture the Flag contest.
Capture the Flag is a hacking competition in which each team is given a set of computer systems with built-in security. The object is to break into as many of these computers as possible within a prescribed time period.
Haas says winning Def Con was one of the best things that happened to him. “Once you compete with a really good team, you can actually say that in an instant…that’s the highlight of my career.”
Shortly after winning Def Con, Haas earned his Bachelor’s Degree in Computer Science and went to work for Redspin. His accomplishment at the hacking event may have helped put Haas on the radar of potential employers like Redspin, but it was his research background that added trustworthiness to his credentials, says Redspin’s president John Abraham.
Abraham admits Def Con is not typically the place where his company would look for candidates, but when he heard about Haas’s work at the university research lab he knew Haas was working on the good side.
“The whole hacker community isn’t always the community that can structure itself in a way that could benefit the clients. We had to vet out [Haas] because we needed to make sure that he came out of the research (community) and not out of the hacker community,” Abraham says.
Haas also gives Def Con credit for the opportunities it opened up for him, especially the “credibility” it added to his Bachelor’s Degree credentials. “I know what vulnerabilities look like, I know how to exploit and research them as the need arises,” says Haas, whose interest in computers started in his teens, the day he got his first PC.
Emphasizing the distinction between two types of hackers — the research-oriented and the malicious ones — Haas makes a point of keeping his work from being associated with the latter. He may employ the same methods of vulnerability probing as the most malicious hackers, but his fulfillment stems from what he does with the information he gathers.
“Not only can I find vulnerabilities, but I can make sure that [companies] address those [problems] and learn from the process,” he says.
Although he enjoys the work that he does, Haas says it is not without challenge. And to him, the most challenging part is getting the non-technical executives to understand the technical issues of vulnerability reports.
“Some of the exploits that I discover have a real technical side, and when the (audit) result is being presented to a CIO for example, they may not necessarily have the technical background, but making sure they understand the risk is very important,” Haas says.
Haas’s passion may be computers, but he considers himself a “well-rounded” guy who enjoys life outside the corporate walls: he works out at the gym, hikes and surfs in the pleasant Santa Barbara climate and, according to his boss, “eats nothing but healthy food.”
Looking to the future, Haas says that five years down the road he still sees himself in the same profession, but with a lot more knowledge and experience to offer the industry and his colleagues.