Nipun gupta (batch of 2020), a.k.a fsociety can safely be considered to be amongst the best student hackers in India. He first discovered his love for understanding and breaking down systems shortly after coming to Roorkee. Fast forward countless national and international CTF (cybersecurity competitions) wins as part of team InfoSecIITR and a smashing research intern, he’s now working as a cybersecurity researcher at Payatu. Here’s an excerpt from our conversation with the elusive haxxor.

Watch Out! - In an environment where programming, and by extension tech, is almost synonymous to competitive programming and software development, cybersecurity seems to be the road less taken. What was it that nudged you towards a career in this surprisingly niche field?

Nipun - When I first started playing CTFs ( specifically https://backdoor.sdslabs.co), I never thought of cybersecurity as a career, but rather as a hobby which later turned into a profession. During my initial 1-1.5 years, I was playing CTFs just because they were fun and I was learning a lot about hacking and how computers work in general. Around this time ( my 2nd - 3rd year in college ), we were playing lots of CTFs, both online and on-site, that’s when I realized that there are a lot of opportunities, and I got involved with a few of these.

Watch Out! - Setting aside the leet haxor ‘fsociety’ for a minute, what is it that Nipun Gupta gets up to in his free time? Any crazy exploits (pun intended) you would like to share from your college life?

Nipun - In my free time, I usually read blogs or waste my time on twitter, youtube or netflix. When I am not on the internet, I usually play snooker or travel with my friends. One crazy “exploit” that I would like to share is how I “pwned” the swimming pool with my friends. This happened when we were in our first year and one of my friends came up with the idea of jumping over the fence of the swimming pool at night for a quick swimming session. At around 8 pm we went to count the number of guards around that area and to find out the possible entry point. After figuring that out, we came back at 12:30 and jumped over the fence. At that moment, one of us went ahead to look if there were any more guards nearby, but it took him a few minutes and we thought that he ran away. As we were already scared, we started running from there too. One of my friend was already swimming by that time, and as soon as he found out, he jumped over the fence with just one hand (his other hand was fractured at that time) and ran to grab his cycle which was in front of the main building stairs. He was so scared that he forgot to wear his clothes, and was half-naked in front of the main building stairs. This is probably the funniest and craziest thing we have ever done in college. I dare you too try that something (without the naked running of course)

Watch Out! - You came to Roorkee in 2016, the same year that InfosecIITR was founded and have been an integral part of it ever since. How did it help you in your endeavours and what is your most memorable experience with the group?

Nipun - Just a correction here, I joined InfoSecIITR in 2017. Without any doubt, InfoSecIITR played a huge role in helping me get an internship and a job in cybersecurity. As I told earlier, we used to play a lot of CTFs during that time and most of the skills I have are because of those weekend CTF sessions when we used to play them overnight. I certainly learned a huge amount of things from my other teammates ( mostly when I used to act as a rubber ducky to help them solve the challenge they were stuck at). It is hard selecting just one memorable experience with the group because we traveled a lot for on-site CTFs and every trip was somehow memorable. But one that tops the list was CSAW-2018. It was my first on-site CTF and we (Paras, Faizal, Aditya, and me ) went there with very little hope that we would be in the top 3 ranks, but to our surprise, we stood 1st in the Indian region. There was also a moment during that CTF when we were 1st in the world on the leaderboard when Paras and Faizal solved two challenges. We were so excited that we ran to the CTF arena to click some pictures of InfoSecIITR being top on the leaderboard in the world. The whole CTF was a really good experience. In addition to this experience, we had some really fun time in Gujarat , Bangalore, Goa , InterIIT and many other places.

Watch Out! - You interned in cybersecurity at SEFCOM Labs at Arizona State University. How was your experience?

Nipun - I had a really amazing experience working at SEFCOM. To be honest, before that internship, my experience in security mostly revolved around CTFs and exploitation, but during that period of 2-2.5 months I learned a ton about real world security and vulnerability research, which further helped me gain a larger understanding of the current state of security research. The professors and my team there was amazing, and I thoroughly enjoyed my work. Apart from the professional experience, my personal experience was amazing too as I engaged myself in travelling to a few amazing cities, going on hikes, experiencing their culture and food etc.

Watch Out! - What are the differences in opportunities present for a student to pursue cybersecurity as a career in India and abroad? Being from a non circuital branch with a less than mind-blowing CGPA, did it affect your options in any way?

Nipun - Currently the opportunities in security are increasing at a very fast pace. The job opportunities are increasing with not many people to fill that gap, that’s why we can see a sudden increase in CTFs in India organized by DSCI or a few companies to hire people in security. When I applied for the job and the internship, my branch and CGPA were not considered during the interview round, so I think it didn’t affect my options in any way. But if I would have considered for masters or Phd, then these things would have mattered.

Watch Out! - According to you, how is the environment at IIT Roorkee for a student interested in cybersecurity with respect to the opportunities available? Are there any specific changes, administrational or otherwise, that you would like to see take place in the future?

Nipun - I can confidently say that IIT Roorkee has the best security culture among all the IITs and NITs. I sincerely thank the seniors who started the group. But in terms of opportunities I think we can do a bit better. There are a lot of opportunities for security but when it comes to looking for a job or internship students here are mostly on their own. Last year we organized a CTF during InterIIT Tech meet, which was a really good initiative. After that Tech-meet a few other IITs started their own security group. I would really appreciate it if the placement team could reach out to the few places that are hiring people in cyber security, that would really give some students a sigh of relief.

Watch Out! - As opposed to typical coding contests, a CTF can last anywhere from 12-48 hours at a stretch and requires consistent effort from the entire team; throughout the duration to come out on top. What keeps you going through the sleepless nights and painful glaring contests with your computer screen?

Nipun - I can surely say that it is not easy OR healthy to stare at your computer screen for 12-48 hours. But when we used to play as a team, I had some equally dedicated hackers along my side ready to stay up for the whole night just to reverse-engineer a shitty Virtual Machine written in assembly or to read a file from a computer system just using compiler flags ( shaddy :P ) just to get some Internet Points, that’s what kept me going through those nights. Those points were a dopamine hit for us.

Watch Out! - Now that you have graduated, what is the one thing that you’re going to miss the most about Roorkee? Having lost almost a complete semester to a certain global pandemic, is there anything you wish you could’ve done before graduation but didn’t get a chance to?

Nipun - There are a lot of things that I am going to miss about this place but the one thing that I will miss the most is the campus life. Apart from that I will miss the friends that I made here, the internet, my room, college fests, easy trips to rishikesh, InfoSecIITR meetings, etc. As a part of our group we always discussed that the group InfoSecIITR had a curse which disallowed us from travelling abroad for any CTF finals, even after we qualified in the first round. In our third year it was mostly because the CTF organizers were not able to sponsor our travel and stay. But in our final year we finally qualified to 3 events abroad ( Singapore, Vietnam and Russia ) and the organizers were sponsoring travel and stay, but due to this pandemic everything was cancelled. We all were really looking forward to these trips, but were unlucky. I hope InfoSecIITR makes some international presence sometime soon.

Watch Out! - Can you share some details about your present work, future goals and so on?

Nipun - I am currently working at Payatu, as a Security Researcher. My area of interest is exploitation, so my current research is inclined towards browser exploits and VM escapes. We are currently trying to find bugs in related open source applications by fuzzing various components of these applications. I don’t have any solid future plans for myself right now, but I want to increase my knowledge and experience in fuzzing and exploitation. For those of you having trouble understanding, I am trying to hack some apps.

Watch Out! - Customary question: What do you think of Watch Out!

Nipun - I have been following a few categories - tech, summer diaries and memoirs. I personally love reading memoirs, but other articles are equally amazing as well. I think you guys are doing an amazing job and I hope to see the same in the future.