Hey, I am Nilabha Saha, a soul in the millions gracing this planet, and this article is a whirlwind tour through some of the ways digital security has played a part in my academic and “professional” life. I will try to go step-by-step through each of my years so far at IIT Bombay and provide some insights into some of the many ways cyber security has entered my life. I will try to sprinkle in some anecdotes to keep the reading light, but in fear of crafting an article too long for a reasonable read, I’d have to leave out some details.
Enter my first year at IIT Bombay – right amidst the COVID-19 pandemic! This was barely a year; the “first year” during my time was compressed to being just 4-5 months long, with nearly three-fourth of the “first year” being online. I was in the Engineering Physics Department back then, trying to pursue my interests in Mathematical Physics. Life was a lot more complicated than it may seem back then for a variety of reasons, but I digress.
Let me add a little bit of background to my story to set the stage for my first cyber security influence on campus. CTFs, which stand for Capture The Flag competitions, is a style of competitive gaming used in many shooter games, both First Person Shooters (FPS) and Third Person Shooters (TPS). While my interest in FPS’ and TPS’ is something I could elucidate upon, let me turn the steering wheel to the other (more relevant to this article) interpretation of CTFs – cyber security competitions where you “hack” into systems (and a lot more) and submit a sequence of characters (called a “flag”) to the portal as “proof of hack”. The flag can be recovered only after you’ve successfully “hacked” the system, and this is how the name “Capture The Flag” originated for these competitions.
I was first introduced to CTFs in 10th grade via the competition In CTF Jr. conducted for high-school students by the CTF team bi0s (the top CTF team in India back then, and even now at the time of writing). This competition started my foray into the realm of cyber security, and that’s when I started learning and exploring cyber security at a serious level. I managed to make it to the finals and secure the runner-up in the same, but the best part of the experience was less the destination and more the journey of getting there. I could not focus on it much during the next years of high school thanks to JEE, but this helped me realise one of my key fields of interest – Cryptography.
There’s an International Cryptography Olympiad conducted every year, which has separate rounds for individual high school students and for individual university students. I had participated in the individual high school category and had secured International Rank 1 in the same. And with that, we wrap up the background you need for now.
At the beginning of my first year, I enquired about the existence of any cyber security related community in the institute, and I got introduced to the Cyber Security Club (CSeC) of IITB. Surprisingly, most of them already knew my name! Turns out this stemmed from my performance in CTF Jr. and in the International Cryptography Olympiad, which brings me to the first impact the field can have in your life: you do things well enough, people hear of you! The cyber security communities across most colleges are not always as massive as certain other communities, and people hear often of others in the field as we all want to encourage and promote digital security and its unquestionable importance in society.
CSeC has introduced me to some of the most wonderful seniors I have met who are also responsible for significant impacts in my life. If you ever were to dig into the “annals of CSeC” from this year, you’d find about a mysterious AI hacker with the moniker HAXXOR who made it into one of our GMeets.
Back then, CSeC was part of the CSEA Council under the CSE department. There were certain issues with this setup as it made it difficult for CSeC to conduct events for students who were outside the CSE department.
On the professional front, this initiated a move of CSeC outside the CSEA council to accommodate students from across all departments in the institute. On the personal front, I realised that the Engineering Physics department was not too focussed on mathematical physics (which was my primary interest), and that began my exodus out of the EP department into the CSE department (back then, the notion of “branch change” was still in effect in IIT Bombay).
New to the CSE Department, with a new Position of Responsibility (PoR) upon me – that of a CSeC Convener. There were other PoRs too, but this is not an autobiography for me to enlist every little detail, or even every major detail, of my life. I took up this PoR with the aim and vision of spreading the culture of cyber security farther to the institute masses. We also needed funding for our activities now that we were out of the CSEA council and we looked towards Institute Technical Council (ITC) for that. This was a significant political distraction during my convener tenure as we struggled to survive in a limbo between being part of ITC while not being part of it (confusing enough? Imagine our situation). Furthermore, there was a significant question mark for whether CSeC stood for “Cyber Security Club” (our original name) or whether it stood for “Cyber Security Community” (which is what ITC wanted us to call ourselves). This is an ambiguity we had to suffer throughout the tenure and there would be no settlement on this till the next year.
Let’s deal with CSeC and my personal life on two separate tracks. Let’s start with CSeC. We managed to conduct a lot more events than in the past years and our presence became more widely known and acknowledged throughout the institute. We performed many demonstrations of actual attacks, conducted an institute-wide CTF (called TyroCTF) aimed at freshers, and a lot more. We found people who were interested in the field of cyber security, and some of them even looked forward to a career in it! And they tell us it was our events which brought cyber security into their attention and inspired them to pursue this field: what more could we want? We were all proud to have actually made significant differences in people’s lives!
Amidst the whole vichyssoise of events and “politics” we had to deal with during the tenure, we noticed the emergence of a body which called themselves “IITB Trust Lab” within the institute. They claimed their aim would be to spread awareness and opportunities on digital security throughout the nation. This looked great to us, especially given how it aligned with our own interests as a club/community, albeit at a much larger scale. However, we had seen many such proposals come and go with time, so we were a little skeptical about whether IITB Trust Lab would actually deliver on its promises or whether it would just be another ephemeral trial at stressing the importance of digital security. Only time would tell.
Now we come to the personal aspects of relevance. In this year, I took a course on Advanced Network Security and Cryptography under Prof. Bernard Menezes where my final project was on Pairing Based Cryptography and its implementations (for anyone interested: you can find my project report here). Furthermore, I also took a seminar course under Prof. Manoj Prabkaharan on Zero-Knowledge proofs, with my final presentation being on the Hyper-PLONK PIOP (for anyone interested: you can find my presentation slides here). I also took a course on Principles of Systems Security under Prof. Virendra Singh with my final project being on studying dynamic allocator misuse (also known as heap exploitation). Add to that my performance in the International Cryptography Olympiad (individual university student category) where I once again managed to secure International Rank 1. Armed with these, I applied to EPFL, Switzerland for a university research internship during the summer with the Laboratory of Security and Cryptography (LASEC). The results took a while to arrive, but fortunately, I was selected as one of the four students who were selected for the internship from all across the world. This brings me to the second point: your activities in life, your achievements in life, and your work in life, do mean a lot to the right people when presented to them.
My plan during my B.Tech. life was to experience a university research internship in one year and a corporate internship in another year to get a flavour of both kinds of experiences. This was me on the first leg – a research internship. To put a nail on the technical jargon, my work during this internship was on attacking symmetric key cryptosytems, in particular, those cryptosystems which were even probably secure against linear and differential cryptanalysis (for anyone interested: you can find my presentation slides HERE). With that out of the way now, I can actually describe the research internship experience. My internship largely involved reading through papers, coding some of the attacks up to test their utility, giving presentations on what I had covered so far, suggesting improvements and changes to certain attacks; pretty much exactly what one might expect from a research internship. It was a great learning experience and showed me what real research looks like, offering me an excellent perspective into the life of a researcher in this field.
The internship also had several other advantages: the major one being the ability to travel Europe. Switzerland is a breathtaking tapestry of alpine landscapes, where snow-capped peaks kiss the sky and crystal-clear lakes reflect the beauty of nature. It is also quite centrally placed, making several other European cities well within ease of reach via train – a convenience I exploited liberally during my weekends. I visited quite a few cities during my time there, including Paris, Venice, Rome, Brussels, Amsterdam, Berlin, and many more (anything more than this, and this article would start getting close to being a travel blog instead). Once there, you truly realise how European history is a rich tapestry woven with centuries of art, innovation, and pivotal moments that have shaped the world. You observe how its architecture stands as a testament to human ingenuity, with awe-inspiring cathedrals, castles, and cities that echo the grandeur of past eras, while its diverse cultures continue to celebrate a legacy of creativity, philosophy, and tradition.
Enter third year, and my position of responsibility evolves. CSeC was under ITC now as a “community”, which necessitated altering the names of “Conveners” and “Managers” to “Core Team Members” and “Team Leads” instead (only for it to be reverted back again the very next year). I was one of the two team leads of CSeC this year, and my goal was to continue our ongoing events and intra-institute outreach while also aiming at technical development within our core team and greater participation in national and international CTFs.
This was difficult work: carrying out events within the institute to expose instizens to cyber security, while also working on self-improvement on the technical knowledge to perform better in international CTFs, and taking out time to actually participate in various national and international CTFs. This was a lot of work for each individual in the team, but they all took up to the challenge and we saw an immense amount of growth, both with CSeC as a community and with the active members of CSeC. We also witnessed an increased interest in cyber security across the institute and an increased participation in CTFs by instizens.
Remember I mentioned IITB Trust Lab a while back? They aided immensely in helping us conduct our events smoothly and supporting us through our activities! We needed space to discuss and participate in CTFs, and IITB Trust Lab made it very easy for us to request for such space – without that, we wouldn’t have had the several excellent positions we had in CTFs over the last year! In addition to supporting us, IITB Trust Lab itself was working tirelessly to bring the importance of digital security into the view of masses across the nation. They provided practical opportunities and internships to students across the nation to expose them to the realm of digital security. They conducted events such as FoSSX and Summer of Code to encourage students to explore the field of cyber security. They funded and conducted multiple CTFs throughout the year across the nation to spread the enthusiasm of cyber security and identify the brilliant minds hiding across the country in this domain. For an account of my experience with making many of the challenges for these CTFs, you can read the article here. A body which just started out less than a year back had already started making massive impact across the nation at large and IITB Trust Lab’s speed, effectiveness, and generosity has been a true hallmark of excellent standards and execution. They have formed a strong name in cyber security in the nation, all within very little time, and have helped spread the culture of cyber security to the nation at unprecedented rates. I would never have imagined the year before that an organisation could have so much impact on the digital security landscape across India, but IITB Trust Lab exceeded expectations by a large margin!
Returning to CSeC, we tried being a little ambitious this year. The official CTF team of CSeC is called IITBreachers, and this team decided to try and conduct an international CTF named “breachCTF”. This would be the first time we did it and IITB Trust Lab supported us on the same, including agreeing to fund us for the large sum of money that would have gone into sponsoring such a large-scale event. Unfortunately, our ambitious idea popped into existence too late for us to have actually conducted an international CTF, however we learnt a lot about many of the issues to be taken care of while attempting to conduct one and this would offer us a springboard to efficiently conduct an international CTF successfully in the coming years.
Let’s now switch perspectives and look at a course titled Introduction to Cryptography and Network Security which was taken by Prof. Manoj Prabhakran this year. He had the idea to create a lab component in this course which would involve solving CTF-style challenges based on the content they learnt each fortnight. I was in charge of designing the challenges for this course (as an IITB Trust Lab TA), and I heard a lot of feedback about how these labs made the course a lot more enjoyable and fun, allowing students to interact with the theory they had studied and understand its implications in real life. Inculcating CTF-style labs in a course like this was a brilliant and impactful idea, and I hope we get to see more security courses across the world adopt methods like this – helping bridge the gap between theory and practice (where cyber security has an immense impact).
As we proceed to the next section of this article, I would like to remind you of my idea of taking up a research internship one year and a corporate internship the next. With a research internship already under my belt, this was my time to look into a corporate internship, and I did have one – a summer internship with the North Moore team of Tower Research Capital!
I was placed with the North Moore team of Tower Research Capital in their London office during the summer. I had a quant developer and a quant researcher role. London is a beautiful historic city sprinkled with marvelous architecture, theatre plays (I loved them), concerts, social activities, and much more. I have written quite a bit about the London experience and my corporate internship with TRC in general for the Insight blog post, which you can read HERE. In the remainder of this section, I want to focus on how my experience with digital security helped me in the internship.
The internship itself had nothing to do with cyber security. My dev project was very distant from anything related to cyber security. However, my background did help! My experience with network security and binary exploitation helped me look at the code from a different viewpoint, helping me figure out inefficiencies and points of vulnerabilities. It took some time to give me full permission to run some executables, however my experience with static analysis in reverse engineering CTF challenges helped me to statically analyse the code without running it. I figured out certain vulnerabilities in the system by thinking from a red teamer’s perspective, something CTF challenges taught me. Most importantly, I performed experiments to test out inefficiencies and vulnerabilities, and my spirit to do so derived from the persistence CTFs provided me in messing around with code and executables. And each of these were instrumental in the work I did during the dev project.
Aah, the final year of my time at IITB… actually not! I have an integrated dual degree program with the Mathematics department so I actually have two more years to go here! At the time of writing, this is where I am, and only time can tell what happens in the future.
IITB Trust Lab is growing further. With the mathematics I aim to grasp during my time here, I hope to understand post quantum cryptosystems (including isogeny and lattice based cryptosystems) better. And most importantly, I am curious to see how digital security continues to be a part of my life.