This week we talked to Robin Lunde, Security Engineer at LINE. We wanted to learn more about Robin's journey into cybersecurity as well as get his take on current issues in the industry. LINE is one of the most popular messaging apps in Asia Pacific.
The app allows users to exchange images, texts, and videos, conduct VoIP conversations, and more. Back in 2016, LINE launched its own public bug bounty program to boost its security and has paid out US$300,000 in bounties to hackers around the world. More recently, LINE has decided to team up with the respected bug bounty platform HackerOne. Let's see what Robin had to say.
NANCY: Hey Robin
ROBIN: Hello! Thank you for this opportunity. Since the questions are aimed at me personally, I have responded as such. Please understand that these are my opinions and may not reflect the stance of LINE as a whole.
NANCY: Understood! For our Stories From Cybersecurity series (SFCS), we want to capture the experiences, journeys, and opinions of individuals who work in the industry for a couple of reasons. Firstly, we think it's valuable to aspiring hackers and other IT professionals who may be confused about what a typical journey into the industry looks like. Secondly, the world as a whole is experiencing some significant cybersecurity challenges, so we like hearing different opinions on how to tackle these issues. Let's get started.
NANCY: How did you find yourself working in cybersecurity? What was your journey?
ROBIN: Since I was young, I have always loved electronics, but growing up I somehow never found the time to completely understand how they worked. After getting older and spending two years in the army doing work related to intelligence and security, I realized how important cybersecurity was to our everyday lives, and I decided to combine my two fields of interest, technology and security, and try to make a career out of it.
I began studying computer science at the University of Oslo, Norway, and did my Bachelor's degree in programming and networks with a focus on security. I felt like I still had a lot to learn, and decided that a more international environment may be beneficial, so I did my Master's degree in cybersecurity at Keio University in Japan. During my time as a student, I was continuously doing security challenges, working on my own research projects and trying to understand new technology.
Many people told me that I did not need to study at universities to get a career in cybersecurity, but I have found that it gave me a good platform to build upon. Doing security-related challenges in my spare time, like CTFs or wargames, also helped me improve my skills. After graduating from college, I joined LINE as a security engineer where I am currently in charge of running our bug bounty program.
NANCY: Bug bounty programs are a relatively new way of tackling cybersecurity issues. Are you happy with how the industry has adopted them so far? Do you think more needs to be done to encourage bug bounty programs?
ROBIN: I think the IT security industry has adopted the use of bug bounty programs fairly well. I believe most people have experienced being a reporter or receiving a report, so it is my impression that they can relate to one another easily. I find it is harder to get people from unrelated fields to understand the concept and value of bug bounty programs. They are often skeptical and somewhat afraid that "hackers" are allowed to freely test the products that they care about.
My experience is that hackers will test your product no matter what you do. The advantage of having a bug bounty program is that they will share the information with you, giving you the chance to fix the issue. I think this is difficult to understand for people outside the cybersecurity field because it is hard for them to understand the motivation of hackers.
I do not think we need to do more to encourage bug bounty programs, but I think we need to make sure that we continue working towards better transparency. I believe this will naturally increase engagement, understanding, and trust in both company security and bug bounty programs.
I wish there was more public awareness regarding this issue and that this, combined with pressure from experts, could help push policymakers and leaders towards more transparency in regards to cybersecurity issues. Let us learn from each other and tell the end-users which security flaws might have impacted them, how we resolved them and what we did to avoid similar issues in the future.
I believe in disclosure by default and redactions or non-disclosure only when releasing the information may cause further issues. My opinion is that many people, both in the cybersecurity industry and outside it, have this "non-disclosure by default" way of thinking.
The main reasoning for not disclosing information regarding security incidents seems to be based on the assumption that doing so makes your product appear less secure. I believe the opposite is true. Sharing details builds trust between the users and the company, as the users are made aware of the continuous measures taken to provide them with secure services.
Of course, the average user may not understand or care to check all the details, but just being able to do so shows that a company is confident in the security of their services.
NANCY: What do you think is the biggest cybersecurity threat we are facing today?
ROBIN: I believe the biggest threat today is in the form of insecure third-party code and libraries. I think that since these libraries and tools are publicly available, they are often regarded as inherently safe. Even more so if they are included in some sort of central repository or toolkit. This is not necessarily the case and, therefore, one should examine them before use.
However, this is not a realistic goal and is likely not doable for all the dependencies in every project nor for all the tools in every toolkit. For corporations, the security team may have time to whitelist each library and tool as it is checked, but this is not the case for small companies or private projects, due to time constraints. As such, they can be vulnerable by default by just including a library.
I believe we need a better ecosystem for evaluating the security of third-party code and I hope that bug bounty programs can be one way to help with that. I believe the Node.js third-party module program on HackerOne is a very good initiative and a step in the right direction here. Hopefully, we will see more similar initiatives in the future.
NANCY: Do you have any advice for people wanting to become bug bounty hunters or start a career in cybersecurity?
ROBIN: I think this is a question that gets asked a lot and often has the same answers, but let me give you my take on it. First of all, a basic knowledge of programming is required. I believe most people interested already have this part down, but if not, start with basic courses on programming.
Afterward, follow the commonly recommended path of doing CTFs (www.ctftime.org) / wargames (www.wechall.net/), watch YouTube videos for explanations (IppSec / LiveOverflow) and, most importantly, keep trying.
The biggest thing I can recommend though is this: Find a community that can help you! There are some subreddits dedicated to learning security and also some CTF teams that welcome everyone. For example, I can recommend "https://www.reddit.com/r/netsecstudents/" and "https://opentoallctf.github.io/". These are good places to ask questions and find help. Twitter is also a good platform to ask questions and people may help you figure out what the problem is or give you a nudge in the right direction.
If none of the above work, you can also reach out to me through Twitter (@pwn_panda) and I will do my best to help. With that said, the best advice I can give is: do research, don't give up and keep trying! It takes time to learn.