Interview with one of the world's best competitive bug hunters

Meet Amat Cama, winner of three consecutive Pwn2Own competitions.
Written by Catalin Cimpanu, Contributor
Fluoroacetate team

Team Fluoroacetate: Amat Cama (left), Richard Zhu (right)

Image: Trend Micro Zero-Day Initiative

In the world of IT security, there is no other more prestigious computer hacking contest than Pwn2Own.

Founded in 2007 and organized by Trend Micro's Zero-Day Initiative (ZDI), the competition built its reputation across the years by attracting the world's top infosec talent and paying out some of the industry's biggest cash prizes.

With a 12-year history behind it, Pwn2Own is the place to be if you want to make a name for yourself and impress your fellow infosec practitioners with your hacking skills.

Past winners are some of today's most important figures in the infosec field, working in the security teams of some of the world's biggest corporations.

In its current format, Pwn2Own takes place twice a year. The first is the spring edition that takes place in Vancouver, where security researchers are free to hack desktop and server apps and operating systems. The second takes place each fall in Tokyo, and this edition focuses on mobile phones and smart devices.

For the past year, one team has dominated the Pwn2Own contests, winning three in a row.

Team Fluoroacetate -- comprised of Amat Cama and Richard Zhu -- have won the Pwn2Own 2018 fall edition, the Pwn2Own 2019 spring edition, and the recently-concluded Pwn2Own 2019 fall edition.

Since the contest concluded last month, ZDNet sat down and interviewed one of the team's members on what it takes to reach the pinnacle of his profession and the jitters Pwn2Own contests feel while they're on stage.

ZDNet: Can you introduce yourself to our readers?

Amat Cama: My name is Amat Cama. I am an independent security researcher from Senegal and I started doing research in 2016. My real start in security was through CTFs [Capture The Flag tournaments], which were introduced to me in 2012. Outside of security research, I enjoy boxing, surfing, aviation, rock climbing and video games.

ZDNet: Does winning Pwn2Own three times in a row count as the pinnacle of your career as a security researcher, or do you have other bigger goals that you're aiming for?

Amat Cama: Winning Pwn2Own three times in a row is definitely something that I am proud of. At one point in time, I viewed even getting a single entry in the contest as an unattainable goal, so it is pretty satisfying to have won the competition three times in a row. However, I wouldn't call it as the pinnacle of my career as a security researcher. In this field, there is always something more, something else or something better you can do.

ZDNet: Which is harder? The Pwn2Own spring edition that focuses on desktops and VMs, or the fall edition that focuses on IoT and mobile?

Amat Cama: In my opinion, the spring edition is more challenging because the targets there are more popular in the security community and therefore have received more scrutiny from other researchers.

ZDNet: How does it feel when you're on the Pwn2Own stage, just before running your exploit code? Is it nerve-wracking, or by that point, you know the exploit code should run as you want in 100% of cases and it's just routine?

Amat Cama: It usually depends. Most of the time, we've already done enough tests to where we feel that it's likely that the exploit will work on the first try. However, due to the nature of the bug  and the mitigations in place, it is sometimes hard to guarantee a high success rate for the exploit. This is when things can feel nerve-wracking.

ZDNet: Following your last three victories, do people in the infosec community now recognize you more often? Have the wins changed anything in your infosec life? How about your daily, normal life?

Amat Cama: Pwn2Own victories certainly "put you on the map," and the enhanced recognition opens up more opportunities. It's also been nice to see that these victories inspire other researchers and hackers to continue pushing themselves in their work and improving their skills. In that respect, it has definitely changed my infosec life. As to my daily life, I don't think the victories have changed anything.

ZDNet: Is there any pressure now to win the fourth competition? Or you never looked at Pwn2Own as a goal but more of a hobby?

Amat Cama: Winning is always nice, but I wouldn't say there is any pressure to win a 4th competition. For me, Pwn2Own experiences have always been about having a well-defined challenge that I could push myself to achieve.

ZDNet: Many security researchers are now looking up to you. Do you get any questions from fellow researchers and pen-testers? What's the most common?

Amat Cama: Yes. The most common question that seems to always interest people is: "How long did it take you ?"

ZDNet: Vendor representatives are often at the Pwn2Own hacking contest, how do they react when you hack their apps/devices?

Amat Cama: They generally react pretty well but sometimes there are some that don't take it so well or don't cooperate. However, ZDI is always there to handle those things.

ZDNet: Is there any device/system you'd want to see on Pwn2Own's targets list in the future?

Amat Cama: An airplane — just because I want to take a shot at hacking it. That would be pretty cool!

ZDNet: Would you fear hackers with your skills?

Amat Cama: I already fear them because there are many hackers out there with more skill than I have. I don't believe perfect security can be achieved because machines will always run code in some way or another. Moreover, humans will be the ones making, programming and operating these machines and we already know what that means: imperfections in the process can occur.

ZDNet: Now that you have the accolades to impress any recruiter, what would be your dream infosec job? Or what's the project/organization you'd like to work on/for?

Amat Cama: There are a number of teams out there that it would be an honor to be a part of, but I think that ultimately I'd like to have my own organization and work for myself.

10 worst hacks and data breaches of 2019 (in pictures)

Editorial standards