In this episode of The Pivot podcast, we welcome Zaid Sabih!
Zaid Sabih is an ethical hacker, a computer scientist, and the founder and CEO of zSecurity. He has tremendous experience in the field of ethical hacking. In 2013, he started teaching his first network hacking course, which led him to publish a number of online ethical hacking courses. Now, Zaid has more than 800,000 students worldwide.
In this episode, Zaid sits down with Maltego to recall what led him into cybersecurity and infosec and, later, to establishing his own company, zSecurity. He also shares his thoughts on “hacking” and CTFs, and provides three tips for becoming a successful bug bounty hunter at the end.
The Pivot: Your New OSINT and Infosec Podcast
Brought to you by Maltego, The Pivot is your OSINT and infosec podcast that dives deep into topics pivoting from information security to the criminal underground. Through The Pivot episodes, we aim to share insightful information for beginners and seasoned investigators alike, shedding light on all things OSINT and infosec from an insider’s perspective.
Each episode features one or two of Maltego’s own Subject Matter Experts as the host and an external expert, researcher, or industry leader invited to share their projects, stories, experiences, and advice.
Where to Listen to The Pivot?
The Pivot podcast is available on Spotify, Apple Podcasts, Google Podcasts, and the Maltego YouTube channel. Each episode is 45 to 60 minutes long and is released on the 15th of every month. Stay tuned with us for more updates!
Tell us a bit about yourself and zSecurity!
Zaid: My name is Zaid, the CEO of a cybersecurity company called zSecurity. We’re based in Dublin, Ireland, and we provide lots of cybersecurity services such as pentesting, consulting, training, code reviews, and more. We also have our own VPN company and have recently launched our own bug bounty program. Everything we do is related to cybersecurity, and we’re always trying to keep up with the updates and everything that’s coming up.
Another thing is spreading education. Getting people to be more educated about their cyber world or their lives, as everything now is online or on the cloud. Everybody uses computers and most of the time, people don’t ask questions. They don’t think about what they’re clicking and doing before realizing that somebody has access to all of their data, pictures, and everything. Thus, I think it is essential to educate yourself about that in the time that we live in right now, even for people that aren’t even interested in learning ethical hacking.
What got you into infosec, cybersecurity, or let’s say hacking?
Zaid: I think I was 11 or 12 years old. It was back in the Yahoo Messenger days, so you’d have a lot of friends in your Messenger. There were exploits where you could just get someone to sign out or get their Yahoo Messenger to crash. We had a challenge of hacking someone else’s Yahoo. I could get people out of their accounts, but they could log back in. What’s the next step? Hack into their accounts. The challenge that we had was to see who’s going to hack into the other accounts first.
At the time, you feel like you’re bending the rules. Obviously, you’re not supposed to be able to access someone else’s account. I felt like I bent the rules and managed to do something that I’m not supposed to do, or something that is really difficult to do, and I really liked the feeling of achievement. From there, I started learning more about ethical hacking and hacking. Later, I learned that there are actually jobs to work legally and make a living as a pentester or ethical hacker.
After that, I started contributing to ethical hacking communities and eventually met up with a few friends, becoming one of the early people within an Arabic hacking community. I also then began teaching live classes. At that time, I was in college and decided to study Computer Science because I knew that I wanted to work as an ethical hacker.
Back then, we didn’t have cybersecurity or ethical hacking courses like we do now. By the time I graduated, I turned down an offer and founded my own company, zSecurity, with the thought in mind that it would be harder to make the move later in my life. It was a tough decision, but fortunately, everything went well and I’m really happy with that.
What is it like to teach in full scale?
Zaid: I actually never thought of teaching ethical hacking and pentesting. I’ve always thought of working as a pentester and didn’t really think I would enjoy teaching it. But once I did it, I ended up loving it.
First of all, I get to do the pentesting anyway when I’m not teaching, and before I can teach something, I have to get really good at it or even better. Sometimes, I know how to do something, but I don’t fully understand why it works that way. To go ahead and teach it, I have to understand every single aspect of it and every single possibility of how it happens, which widened my knowledge in a topic that I love, and that’s a big perk.
Another thing is the feeling you have when receiving feedback from your students. It takes a bit of time to start getting these nice messages and all that. Nevertheless, every now and then, I get a message from someone saying they used to be in a very bad situation. Either my course put them on a path, got them to a level to obtain their dream jobs, or helped them fix personal issues. It genuinely feels good as you feel like you’re giving back and you’re doing something good. It’s just really nice energy you get back from them.
Tell me about the bug bounty platform from zSecurity!
Zaid: The goal is to have a bug bounty platform where companies can submit whatever platform they have, be it a website, an app, an API, or whatever they want ethical hackers to check. It gets put on our platform, and ethical hackers around the world can test it. If they discover any bugs, it comes to us first and we’ll verify it. If it is valid and meets all criteria, we contact the platform owner, informing them that somebody discovered a bug in their platform. The owner decides whether they want to give points or pay a monetary reward or bounty for the discovery. The idea is obviously not novel, as bug bounties have existed for a while, but the cool thing about it is that it solves two problems.
The first solution, for the platform owner, is that you only pay when a bug or weakness is discovered. Even if you’ve done a pentest, the pentest will only cover you for a limited period of time. For example, if you get Maltego pentested today, I’m going to give you a report of all the bugs that I discover today, but you probably are going to release an update tomorrow, in a week, or in a month. Besides, libraries that Maltego uses might actually become vulnerable and release updates in the future. Updates introduce new code, and new code could introduce new bugs, which is the idea of a bug bounty. You can have your system always tested by a number of ethical hackers.
The other solution, for the ethical hackers or the bug hunters, is that it gives people a pledge to practice their skills legally without breaking any laws while making a difference. At the end of the day, they are discovering bugs and protecting other users who use the platform. Not only do they get to practice and earn rewards, but they also get to do something good.
Some people do it as full-time because it gets them a lot of money, some use it to practice, and others use it to make a name for themselves. Our platform solves two pieces of the equation, bringing the ethical hackers and the company owners together.
What are your thoughts on how people learn to do ethical hacking or bug bounty with CTF platforms nowadays?
Zaid: I think they’re great for entertainment, and some of them are actually really good for learning actual skills, while some of them focus too much on gamification.
If you want to practice properly, bug bounty programs are better. People often ask me how to start with bug bounty. Just go ahead, sign up, and start testing. It’s not that hard to start with bug bounty. You’re testing against real websites, and there are numerous platforms out there.
What is your opinion on the alternative wordings for hacking, such as red teaming, blue teaming, and purple teaming?
Zaid: I don’t see anything wrong with using the word “hacking.” The word describes hacking very well, so I don’t see the need to come up with different words to describe the same thing.
It’s annoying that we have to come up with substitutes. If you’re a hacker, you should be able to say that you’re a hacker, knowing hacking does not make you a criminal. You’re a criminal if you commit a crime, and there are a lot of other crimes that you can commit other than hacking. So, the word “hacking” shouldn’t mean crime.
I see why alternative terms are used as a lot of bots like Google are scared of the word “hacking.” Upload a video on YouTube with the word “hack” in it. It’ll probably get flagged if not removed. I had that experience. The video was related to hacking, but once it got reviewed by a human, they were like, “Okay, the video is fine. It’s educational and it was allowed.” Still, I have to go through this process several times, and that becomes annoying.
If you go on our website, I still say ethical hacking and stuff related to hacking. I don’t say “blue team” or try to dance around saying “hacking.” Instead of trying to avoid the words and replacing them with other terms, I think we should use it and educate the people considering it to be a crime to know that it’s not a crime.
What are the three things you would like to share with the readers on how they could make a successful life as a bug bounty hunter?
Zaid: I would say the first thing is don’t buy a dream. I know I sell courses, and that’s part of what I do, but I actually never sell a dream. I never say: “Take my courses and you become a millionaire.” You can earn a fortune from bug bounty and as a cybersecurity expert and get paid very well. Likewise, you can also get paid very well doing other jobs.
Do what you love. If you are passionate about bug hunting or being a pentester, it’s going to take a significant amount of practice, time, and patience. The guys whom you see making handsome money now, they spent hours and hours staring at code with their head over problems. One vulnerability can take them so long and once they submit it, they also have to wait for so long until it gets approved. You have to account for that.
Finally, spend a lot of time learning and don’t get frustrated. That goes back to the second point. If you’re doing what you love, then you’ll be able to stay patient and persistent. This principle applies to everything, not just bug bounty.
There’s More! Listen to Our Full Interview with Zaid!
If you find the snippets of the interview interesting, don’t miss the full interview!
Listen to our full interview with Zaid to learn more about:
- How Zaid explains the word “hacking” to people with zero background in ethical hacking
- What topics he is interested in exploring besides hacking
- His whole journey in ethical hacking and bug bounty
And much more!