johnk

Hacker Spotlight: Interview with dki

Dawn Isabel, otherwise known as @dki, is an inspiring iOS hacking expert. She happens to be the kind of person who sees puzzles all around her and finds joy in solving them. She says it’s hugely satisfying to experience the puzzle solver’s dopamine hit of seeing a solution shine through the fog after stringing together seemingly unrelated vulnerabilities. When she’s not hacking, @dki likes to knit, sew, sing along to "Hamilton", and play favorite board games with her kids such as Ticket to Ride, Wingspan, or Azul. Read on to find out more about her journey.

How did you come up with your HackerOne username?
I lack imagination in this area so I just used my initials.

How did you discover hacking? 
Back in college I had a favorite departmental email account that was hacked while I was away on vacation. I was quite dismayed because I thought I was doing all the right things to keep my account secure. I decided then that I wanted to learn how my account had been hacked so I could ensure it wouldn't happen again. As I moved into an early career as a developer, I tried to figure out how the things I was building might be attacked. Eventually I became the "security person" by default because at the time (early 2000s) application security wasn't a big focus. When I learned that in the corporate world entire teams focused on offensive security, I knew that was where I wanted to be!

What motivates you to hack and why do you hack for good through bug bounties?
I've always enjoyed solving puzzles and investigative work. Hacking is one big puzzle - you have an idea of what you want to accomplish, but not how to do it. Stringing together seemingly unrelated vulnerabilities to achieve serious impact and accomplish a goal is hugely satisfying! But being able to demonstrate to stakeholders how I exploited something and guide them in how to fix it is probably the most rewarding part. Seeing that light bulb go off and knowing that I helped connect the dots for someone so they can become a stronger defender is a great feeling.

What makes a program an exciting target? 
I get the most excited about programs where I have a stake in the outcome. When I've used an application and have a deep understanding of the functionality and the users' threat models I am better able to exploit it.

What keeps you engaged in a program and what makes you disengage?
I definitely think that active and ongoing engagement from the program makes a big difference. When I feel like I am in a partnership with a program, and we are working together to secure assets, it is more motivating!

How many programs do you focus on at once? Why? 
I try to focus on one at a time, largely because I have a very finite amount of time to spend and I don't want to get overwhelmed. Even within a single program I try to choose a focus area versus going after everything at once.

How do you prioritize which vulnerability types to go after based on the program? 
I usually choose vulnerabilities that I want to learn more about or practice exploiting. That way, even if I don't find anything I am still learning and growing my skill set.

How do you keep up to date on the latest vulnerability trends? 
I rely on Twitter for a lot of my security-related news. Monitoring conference talks is also a good way to find out about bleeding-edge techniques and vulnerabilities.

What do you wish every company knew before starting a bug bounty program? 
That it is definitely not a "set it and forget it" type of initiative! Effective programs will require time and effort, and it is important to realistically estimate that effort and ensure that you have the resources committed to make the most of your program.

How do you see the bug bounty space evolving over the next 5-10 years?  
I think we will see more long-term formal bug bounty team efforts, and with that more tools geared toward supporting distributed bug bounty teams.

How do you see the future of collaboration on hacking platforms evolving?  
As more teams spring up, there will probably be more demand for team-based metrics within hacking platforms. Once metrics are published, I wouldn't be surprised if some programs want to engage teams as a whole for private programs - you would be getting a group of high-quality hackers with a proven track record collaborating with each other on a program, which is very powerful.

Do you have a mentor or someone in the community who has inspired you? 
My biggest champion in the bug bounty space is @randomdeduction - she has been there encouraging and supporting me the entire way. I am regularly inspired by @InsiderPhD, who has created so much great content and supported so many people in a relatively short time! I'm also grateful to my Syndicate teammates @c0rv4x and @ajxchapman - I've learned so much working with them.

What educational hacking resources do you wish existed that don't exist today?
My area of interest is iOS application hacking, and I wish we could lower the barriers to entry for new hackers and researchers. It is still pretty difficult to learn about iOS application security without a physical device and a Mac, and for many folks that is a pretty significant hurdle!

What advice would you give to the next generation of hackers? 
Learn from people who are very different from you. Attacks often exploit our blind spots - the avenues that we don't see; the tricks we would never suspect. Gaining the perspective of others who have very different threat models from yours will make you a better hacker and defender.
