SecurityWeek

Hacker Conversations

Hacker Conversations: Kunal Agarwal and the DNA of a Hacker

For Agarwal, being a hacker is not what you do, but who you are; that is, someone who always questions the status quo and questions how it could be different.

Kunal Agarwal’s cybersecurity journey takes him from the edge of Juvenile Hall to the founder and CEO of dope.security. 

Dope.security provides a secure web gateway. It is designed to stop hackers making hay from websites. But its founder was, is, and will always be, a hacker.

Early days

“I was born and raised in California, but I started as a bit of a child hacker,” he says. He was around nine years old, more than 20 years ago, and was at the age where he wanted to do things he shouldn’t do or couldn’t afford to do.

“It was a time of, hey, how do I watch this movie that I’m not allowed to go in and watch, and I can’t go in and watch at home. So, I entered this world of wondering how to download a movie or a game for free.”

This basic curiosity caused him to learn how emulators and ROMs work so that, if he could pirate a Nintendo game, he would be able to play it on a PC. It was the start of understanding technology. 

It is worth interjecting that this behavior is just a hop, skip and a jump from social engineering – a term that we usually limit to serious bad guys, but is really something everyone does in all aspects of daily living. Notice that the Agarwal child wanted to find ways to see movies and play games that he couldn’t. 

Kunal Agarwal, founder and CEO of Dope.Security.
Everyone faces this problem and finds different solutions. A technical person will find a technical solution. Less technical people may resort to social engineering. What 19-year-old youth has never attempted to persuade a liquor store proprietor that he is really 21? It is worth considering this connection between the social engineer and the hacker as we explore the cause and activity of hacking.

Needless to say, Agarwal’s approach progressed as he became more technically adept. “When I was in school, I almost went to jail for hacking the school grading system.” The motivation was curiosity rather than any form of personal gain – he personally had good grades, but was curious to see how the system worked.

The potential of the hack was, however, serious. “Once you get in, you could modify and change anything, across any school in any district in the California area.” He was caught; and what happened next probably changed his life.

There wasn’t so much codified law in place at that time, and much was dependent on the recommendation of the DA. “So, I was put in front of the DA for San Jose, and I had the opportunity to convince him – socially engineer him, if you like – to take my preferred route. I said, you have the option of putting me in Juvey where I’ll become an inmate; or you could let me do something else and be productive. We ended up taking the second route, which led to probation rather than jail time.”

Agarwal stayed out of jail but doesn’t pretend it was an easy time. “It was a very scary time, but a good learning experience. It was nice that somebody had that decision-making power and that there actually existed a program to direct someone down a different path, rather than just sending them to Juvenile Hall.”

It would be wrong to suggest that this experience changed him, but it did help redirect him. He was, and is, and believes he will always be, a hacker. For Agarwal, being a hacker is not what you do, but who you are; that is, someone who always questions the status quo and questions how it could be different. That questioning is not something you can turn on or off. In his own words, “It’s in my DNA.” The scary nature of his district attorney experience made his DNA-driven curiosity focus on the more productive area of cybersecurity – but it didn’t and couldn’t stop him being a hacker.

Nature versus nurture in the making of a hacker

This series seeks to understand why some people with hacking skills become black hats while others become white hats. Most hackers agree that they are born hackers – it’s in their nature. They start with childhood and adolescent pranks – often for kudos rather than gain. There is no malicious intent – yet some go on to become malicious while others do not. The question is, Why?

“I’ve always been a rule breaker,” says Agarwal. “That is my basic nature. But then there’s a learned aspect of what is acceptable – what rules you can break and what rules you should not. I absolutely credit the people around me, rather than myself, for my direction. I would say there’s an influence in nurture that ends up pushing your nature in a certain direction. Obviously, if you’re surrounded by people that are nefarious and doing bad things every single day, that pushes you in one direction. I wasn’t.”

It may be that the first influence came from the DA who decided to give him a second chance. But Agarwal himself credits his subsequent stint at Symantec as an important factor.

After several brief employments, including internships, he became a researcher at the University of California, Berkeley. In 2013 he became a software engineer with Symantec, moving into product management in information protection in 2014. Three years later he became Symantec’s general manager for the internet of things. He was at Symantec for more than six years. He often says, “I did my undergrad at UC Berkeley, but I did my Master’s at UC Symantec.”

It was at Symantec that he learned how to treat people. He rose through the ranks into product management rather rapidly with the help of people who mentored and pushed him. 

At the age of 22, “I was working with people twice my age and way smarter than me. These folks weren’t hackers and had a very different approach to things, and they really instilled their mindset into me. Every time I have a customer conversation, it is drilled into my mind that you never lie to a customer, and that you never force customers to do something they really shouldn’t do.” 

So, by the age of 22, Agarwal was a hacker by nature, and a people person by training.

When he left Symantec in 2020, it was for a stint as senior director of product management at Forcepoint, but when he left Forcepoint in 2021, it was to found his own company, dope.security. 

Dope provides a cloud native secure web gateway, and his role as CEO marries many of the important aspects of his personal history. He understands technology (starting by teaching himself about emulators and ROMs before his age was in double figures); he understands the web (hacking it nearly landed him in jail while he was at school); and he understands the difference between right and wrong behavior (triggered by the DA who didn’t send him to jail and fomented by older and wiser colleagues at Symantec). 

But he is still a hacker because it is in his DNA. And being a hacker and understanding hacking is important in developing a secure web gateway.

“I was on the black hat side for a very long time before moving over and thinking about things. But you never really lose that mentality of, How do I exploit something? or How do I find a vulnerability in something and achieve some sort of a benefit out of that? It’s wired into my personal DNA. So, I can look at someone and wonder, What is their password? And I automatically think, OK, I know the name is Jones, so the password is quite likely a variation on that: Jon_es, or joneS1, or JoneSone. That’s just me – it’s the way I’ve always operated in life.”

As a kid, although never maliciously, the value of this way of thinking was to exploit the password owner. Now that he’s grown up and matured with his own company, the purpose is to protect the owner of the password. But the thinking process of exploiting and protecting is very similar.

“Being a hacker is a mindset. It means you’re always looking for the vulnerability in things. It is a blessing and a curse, because it helps a lot with a job, but it also gets you into a lot of trouble. You end up doing things, or even thinking about things, about, well, this website works. Literally just yesterday, I was thinking, I wonder what’s happening under the hood of this website. Oh, so that’s what’s happening, and this is how it works, and these are the risks associated with that, this is the information disclosure that’s happening. It’s not something I do every day, but it’s a very, very important part of, not just my job, but also the fun part of my life as well.”

What this says about hackers and hacking

Hackers interviewed by SecurityWeek often describe their impulse to hack as a compelling curiosity that cannot be suppressed – a deep desire to understand how something works. This is common (although Agarwal suggests that this compulsion may be integral to the very DNA of the hacker – which would explain why it cannot be denied).

The area that separates hackers into different categories is what they do with the understanding after they have acquired it. Some become black hats, using the knowledge to extort money, or disrupt systems, or steal victims’ information for financial gain. Some are governed by patriotism. We could classify NSA, GCHQ and Mossad hackers this way; but that would also require us to include Russia’s FSB, GRU and SVR hackers and, for example, the Strategic Support Force of China’s PLA – including Units 61398 and 61486 – as patriotic hackers. Others seek to understand systems so that they can be improved, or secured, for the benefit of the users. Agarwal belongs to the last category.

If we assume that he is right, and that hacking is part of the hacker’s DNA, then we can assume that the origin of hacking is an inescapable part of the hacker’s nature. But that alone does not explain why we have different categories of hacker: black, white, grey, ethical, and nation-state. This comes from the hacker’s environmental pressures pointing them in a specific direction. It implies a description of the hacker as a person driven by nature but shaped by nurture.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
