Episoder
-
This season of Hacker Valley Red wraps up with another interview of an incredible offensive cybersecurity legend. Known first and foremost for his work founding Metasploit and his recent work co-founding Rumble, HD Moore joins the show this week to talk about his journey from spiteful hacker to successful founder. HD walks through the history of Metasploit, the motivation behind their coding decisions, his opinions on open source software, and the excitement of exploration and discovery.
Timecoded Guide:
[04:57] Catching up on HD’s career from his hacking exploits in the ‘90s through his founding of Metasploit to his recent activities with Rumble
[11:41] Getting personal with the feelings and takeaways from a project as successful and impactful on the cyber industry as Metasploit
[18:52] Explaining HD’s personal philosophies around accessible education and the risk of sharing vulnerable information publicly
[25:39] Diving deep into the technical stories of HD’s path of discovery and exploration during his time at Metasploit
[31:14] Giving advice for future founders and hackers looking to make a legendary impact on the cybersecurity community
Sponsor Links:
Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley
What were some of the trials, tribulations, and successes of Metasploit?
Although Metasploit has had a lasting impact on the cyber world, HD Moore is not afraid to admit that part of Metasploit existed out of spite for critics, employers, and gatekeepers in the cybersecurity industry. In terms of trials and tribulations, HD saw a great deal of criticism come from his peers and from professionals ahead of him in the industry, often displaying rudeness towards the quality of the exploits and Metasploit’s audience of young hackers. Later, HD says that a surprising and amusing side effect of his success with the project was watching employers and peers go from criticizing to lifting up his work with Metasploit and attributing success of many hacking professionals to its creation.
“When we started the Metasploit project, we really wanted to open up to everybody. We wanted to make sure that, even if you barely knew how to program, you can still contribute something to Metasploit. So, we did our best to make it really easy for folks to get in touch with us, to submit code.”
Where does your philosophy land today on giving information freely?
HD has heard the same opinions many professionals that teach and give information freely have heard: “You’re making it easier for people to use this information the wrong way.” Instead of considering the worst possible outcomes of making hacking accessible, HD chooses to acknowledge the importance of accessible education and publicly provided information. According to HD, if someone is creating and teaching content to the next generation of red teamers, that content is theirs to use. Whether they’re a physical pen tester teaching lock picking or a hacker disclosing a vulnerability, what they choose to share with others has to be based on personal moral code and what others do with that information is up to them.
“It comes down to: You do the work, you own the result. If you're teaching people how to do stuff, great, they can do what they want. You can decide to do that, you can decide not to do that, but it's your decision to spend your time training people or not training them.”
Is it possible to be a CEO, or a co-founder, and stay technical?
The downside of success in the cybersecurity industry is often stereotyped as losing the opportunity to be a hands-on hacker. However, for HD, his success has allowed him to do the exact opposite and instead prioritize his time to be technical. HD believes strongly in the ability to make this happen through proper delegation of duties, incorporating new leaders and managers in your company or project, and acknowledging when you may need the help to bring what you’re working on to the next level. HD is proud of his success with Metasploit and Rumble, and is happy that he was able to hand off certain duties to other professionals that he knew would do better if they had a chance in the founder’s shoes.
“Don't let the growth of your company change what you enjoy about your work. That's really the big thing there, and there's lots of ways you can get there. You can hire folks to help out, you can promote your co-founder to CEO. You can bring on program managers or project managers to help with all the day to day stuff.”
What advice do you have for people looking to follow a similar cyber career path?
Content is the name of the game, especially when you’re looking to get more eyes on what you do. HD is the first to admit that putting himself out there in a blog post, on a podcast, or at a stage show is not always a walk in the park, taking him out of his comfort zone and often away from the tech that he spends his time on. However, publicly displaying himself and his work has brought attention to Rumble and Metasploit, and HD knows he would not have achieved this level of success without putting his content out into the world, hearing feedback from his peers, and even receiving his fair share of criticism from industry professionals.
“Not all of it is the most fun thing to do all the time, but it is crucially important, not just for growing yourself and getting out there and getting feedback from your peers, but for learning because you learn so much from the feedback you get from that effort.”
-----------
Stay in touch with HD Moore on LinkedIn, Twitter, and his website.
Learn more about Rumble, Inc on LinkedIn and the Rumble website.
Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter.
Follow Ron Eddings on Twitter and LinkedIn
Catch up with Chris Cochran on Twitter and LinkedIn
Continue the conversation by joining our Discord
-
We’re joined again by the hacker’s hacker, Tommy DeVoss, aka dawgyg. Bug bounty hunter and reformed black hat, Tommy dives back into a great conversation with us about his journey in hacking and his advice to future red team offensive hackers. We cover everything we couldn’t get to from part 1 of our interview, including his struggles with burnout, his past hacking foreign countries on a bold quest to stop terrorism, and his future in Twitch streaming to teach you how to be a better bug bounty hunter.
Timecoded Guide:
[02:57] Fixating on hacking because of the endless possibilities and iterations to learn, but understanding that burnout does happen, especially when hacking gets frustrating
[09:54] Giving advice to the next generation of hackers, including patience for success, getting back up after a failure, and dedicating yourself to a hands-on learning experience
[17:17] Contacting Tommy and keeping up with him on Twitter, and asking questions publicly so that others can learn from the answers he gives you
[21:43] Planning a Twitch course to teach hackers about bug bounties using real bugs and real-world examples of how they work
[24:57] Hacking in the early 2000s and understanding the freedom Tommy has to talk about any and all illegal hacking he’s done now that he’s gone to prison
Sponsor Links:
Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley
Do you ever struggle with burnout when it comes to hacking?
Hacking has maintained Tommy’s interest longer than anything else because of the constant changes in technology and the ever-evolving issues in the online world. However, just because hacking is his passion, doesn’t mean that burnout or frustration never happens. Currently, Tommy is taking more of a break with hacking, letting his current day job and his passion for gaming have a front seat. However, he’s still firmly in the industry, passionately developing learning opportunities for future hackers and answering questions from cyber professionals of all backgrounds.
“I do get burned out sometimes…When it comes to bug bounty hunting, I try and make it so it averages out to where I make at least $1,000 an hour for my effort. It doesn't always work. Sometimes I'm more, sometimes I'm less, but I try and get it so it averages out to about that.”
What hacking advice would you give the younger version of yourself?
Although his black hat ways resulted in prison time for Tommy, he doesn’t regret his past and instead seeks to teach others the lessons he’s learned. When we asked Tommy for advice for new hackers, he was clear that success is a longer journey than people assume it is. Tommy’s success was not a fluke, it took years of hands-on learning and patience with failures in order to develop his bug bounty skills. Nothing is actually automatic or easy with hacking, especially as the technology continues to change and evolve. Tommy wants hackers to take every opportunity to try out their skills, even if it's a complete failure.
“Don't expect success overnight. Also, don't let failure discourage you. When it comes to hacking, you're going to fail significantly more than you're going to succeed. And the people that are successful in bug bounties are the ones that don't let those failures discourage them.”
What do you think about the “media obsessed” stereotype many people have about black hat hackers?
Wrapping up today, Tommy tells us that he’d be happy to be back in the Hacker Valley Studio again some time. Although the stereotype of a black hat hacker wanting attention from the media is disproven, Tommy believes that he definitely has craved that media attention for a large majority of his hacking career. Starting in the early 2000s, after 9/11, Tommy had one of his first brushes with fame in an interview with CNN about hacking Middle Eastern companies. Although his hacking and his politics have changed since then, Tommy enjoys having in-depth conversations about hacking and explaining the intricacies of what he does.
“We loved the attention back then, and I still love the attention now, it's nice. The good thing about now is, because I already got in trouble for everything that I've done, I've done my prison time, I don't have anything that I did illegally on the computer anymore that I can't talk about, because I've already paid my debt to society.”
What are the best ways for people to keep up with what you’re doing?
Considering Tommy’s success, it’s understandable that a lot of cyber professionals and amateurs have tons of questions for him. When it comes to getting in contact with Tommy, he recommends tweeting him on Twitter publicly so that he can not only answer your question, but help others with the exact same questions. Education is key, and Tommy is so dedicated to teaching other hackers that he’s currently developing a recurring Twitch stream centered around helping others learn about bug bounty hunting.
“I don't know how successful we're going to be in finding the bugs, but I think it'll be fun to teach people [on Twitch] and do it that way, so that they can actually spend some time learning it. The best way to actually learn this stuff is to actually try and do the hacking.”
-----------
Stay in touch with Thomas DeVoss on LinkedIn and Twitter
Check out the Bug Bounty Hunter website
Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter
Follow Ron Eddings on Twitter and LinkedIn
Catch up with Chris Cochran on Twitter and LinkedIn
Continue the conversation by joining our Discord
-
Manglende episoder?
-
We’re joined by million-dollar hacker and bug bounty hunter, Thomas DeVoss, this week as we continue our season-long discussion of offensive cybersecurity legends. A legend in the making with a success story in bug bounty hunting that has to be heard to be believed, Tommy is an incredibly successful black hat hacker-turned-bug bounty hunter. He represents how misunderstood the hacking community can be and how positively impactful bug bounties can be. Who hacks the hackers? Look no further than Tommy DeVoss.
Timecoded Guide:
[02:59] Becoming interested in hacking for the first time at a young age through internet chat rooms and finding a mentor through those rooms
[08:26] Encountering unfriendly visits with the government and the FBI after his hacking skills progressed and being arrested in the 2000s
[14:20] Seeking his first computer job after a couple visits to prison and finding a new position with someone that knew of his hacking skills
[25:21] Discussing with Yahoo the possibility of working with them due to his successful bug boundaries and understanding the limitation he would be under if he did that
[30:56] Giving honest advice to hackers looking to break into the bug bounty scene and make the amount of money that he’s making
Sponsor Links:
Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley
When did you get into hacking for the first time?
At an early age, Thomas found his passion for hacking in an IRC chat room. Mentored by a man named Lewis and encouraged by fellow friends in the hacking world, popping shells and breaking into US systems using foreign IP addresses. Although Tommy became incredible at his craft from a young age, his early habits became serious black hat issues that ended up getting him in trouble with the US government. Just like the hacker in a big Hollywood blockbuster, the government caught up with Tommy and he faced 2 years in prison in his first sentence.
“Instead of coming back to him and saying, "Hey, I'm done," I came back and I was actually asking him questions like, "Can you explain this?” And he saw that I was like, actually interested in this and I wasn't one of the people that was just expecting it to be handed to me and everything like that.”
After spending time in prison, were there barriers to getting involved in hacking again?
After being in and out of prison a couple times, Tommy found the worst part of coming home to be his ban from touching any sort of device with internet access. Despite it being a part of his probation, his passion for tech continued to bring him back to computers and gaming. After his final stint in prison after being falsely suspected of returning to his black hat ways, the FBI lifted Tommy’s indefinite ban on computer usage and immediately renewed his passion for working in tech.
“They had banned me indefinitely from touching a computer. So, when I came home on probation the first time, they upheld that and I still wasn't allowed to touch computers as part of my probation. For the first month or so, I didn't get on a computer when I came home from prison, but then it didn't take long before I got bored.”
How did your cyber career pivot to bug bounty hunting?
With prison behind him and his ban on computers lifted, Tommy got a job working for a family friend in Richmond, Virginia for a modest salary of $30,000. Although this amount felt like a lot at the time, he quickly realized that there was money to be made in bug bounties. His first few experiments in attempting bug bounty programs had him earning $20,000 or $30,000 for hours of work, a huge increase from the salary he was currently making. Encountering success after success, Thomas quit his job in 2017 to become a full-time bug bounty hunter.
“The first bug bounty program that jumped out at me was Yahoo. I had started hacking Yahoo in the mid 90s, I knew their systems in the 90s and early 2000s better than a lot of their system admins and stuff. And I figured, if there's any company that I should start out with, it should be them.”
What success have you seen since becoming a bug bounty hunter, especially with major corporations like Yahoo?
Thomas has become a huge earner in the cybersecurity community, and has continued to see incredible results from his hacking and bug bounty projects. Most notably, after numerous high earning days, making up to $130K at once, with companies like Yahoo, he’s even been offered positions working with corporations he’s bug bountied for. However, Tommy is quick to point out that his success was definitely not overnight, and warns fellow hackers of getting too confident in their bug bounty abilities without the proper skill sets or amount of experience under their belts.
“I think at this point, I've had days where I've made six-digit income in that single day, at least six or seven times. And it's almost always been from Yahoo.”
-----------
Stay in touch with Thomas DeVoss on LinkedIn and Twitter.
Check out the Bug Bounty Hunter website.
Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter.
Follow Ron Eddings on Twitter and LinkedIn
Catch up with Chris Cochran on Twitter and LinkedIn
Continue the conversation by joining our Discord
-
John Hammond, Senior Security Researcher at Huntress Labs and self-described cybersecurity education enthusiast, joins us as we continue our discussion of red team legends. With a focus on content creation this week, John discusses his success with his YouTube channel, his passion for showcasing authentic and accessible educational materials online, and his advice for creating content safely and spreading awareness with not only a red team or blue team mindset, but with a purple team perspective.
Timecode Guide:
[01:37] Understanding the impact of content creators in the cybersecurity community, especially when it comes to YouTube educational content
[06:58] Becoming a successful YouTube creator through consistently posting hacking content and ignoring the stereotype of “overnight success”
[13:28] Combining his role as a cybersecurity educator with his security research at Huntress to explore exploits and have real life experience with what he teaches
[16:47] Focusing on the blue side of the house as someone with red team experience, and understanding how to use a tool like PlexTrac to create a collaborative purple team
[21:13] Being mindful of the impact he has through sharing this knowledge and understanding the risk of cybersecurity educational materials falling into “the wrong hands”
Sponsor Links:
Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley
What is your origin story for wanting to educate other hackers?
Like many of us, John started his journey Googling how to become a hacker. As he gained more knowledge about the specific skills involved in hacking, John never left the internet behind, always seeking out videos and articles explaining new and emerging content. Inspired by those who created that content in the first place, he started his own YouTube channel, simply titled John Hammond, as has spent years cultivating a consistent hacker audience.
“Along the way, creating content and helping educate others through YouTube is really my main stage platform and has been just a passion project, a labor of love, and something fun along the way.”
What feelings do you get looking back on the YouTube content you’ve created so far?
John prioritizes clarity, transparency, and honesty in what he does, and he’s not afraid to show some humbleness, too. Overall, John is thankful for his YouTube success and the impact it had on the cybersecurity community. No matter what he’s showing in his videos, he prefers to keep things honest, to show where he’s made mistakes, and to accept criticism and advice from other hackers and offensive cybersecurity professionals that see his work.
“I'm showcasing just my computer screen, maybe you get a little face cam and a circle on the bottom right, but it's like you're looking over my shoulder. You're seeing me showcase something raw, live, genuine, and authentic…It’s not all sexy, there’s a lot of failure in hacking.”
Have you ever considered focusing on the blue team or the defensive side of cybersecurity?
The majority of John's YouTube content and the work he does in his role at Huntress Labs heavily involves the red team and offensive side of cyber. However, John is a huge advocate for the blue team and the red team collaborating and communicating better. Through making more concepts in cybersecurity accessible through educational content like John’s own videos, he hopes we can continue to bridge the gap and achieve that perfectly mixed purple team.
“We're all playing in concert. As one team sharpens their skills in the red team pen test, then it's up to the blue team to figure that out. What did they do? How can we better detect it? How can we stop and mitigate that security threat?”
What advice do you have for red team content creators that want to share content and spread awareness safely?
With the impact that he’s had and the content he’s put out onto the internet, John is no stranger to seeing the negative side of cybersecurity knowledge being more accessible than ever before. Still, he wants to make sure content creators understand the value of transparency and honesty in what they do. Instead of fearing what could be, cultivate a community around making this level of knowledge and security available to everyone.
“Share, be transparent, be forthcoming. I know there are a lot of conversations about gatekeeping in cybersecurity, but there shouldn't be that. I understand there's grit and determination and hard work to do all the things that you're doing, but be friendly and be transparent and honest.”
Hacking the Vocabulary:
Cybersecurity Capture the Flag (CTF): Competitions to demonstrate expertise in attacking computer resources. The “flag” is normally a file or code a team recovers and provides as proof of their successful penetration of defenses.
Python Programming Language: A powerful, general-use programming language, often used in web development, data science, and creating software prototypes.
The Onion Router (TOR): A free and open-source software for enabling anonymous communication, with each “onion” network having layers of encryption.
Kaseya VSA Ransomware Incident: A ransomware attack in July of 2021. This paralyzed as many as 1,500 organizations by compromising tech-management software from a company called Kaseya.
Log4j: A Java-based logging utility used by developers to keep track of what happens in their software applications or online services.
Zero-Day Vulnerability: A vulnerability in a system or device that has been disclosed but is not yet patched.
----------
Links:
Check out our guest, John Hammond, on YouTube and LinkedIn.
Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter.
Follow Ron Eddings on Twitter and LinkedIn.
Catch up with Chris Cochran on Twitter and LinkedIn.
Continue the conversation by joining our Discord.
-
We’re joined by sponsor and guest Dan DeCloss, CEO and Founder of PlexTrac, on the podcast today to talk about communication and collaboration between the red and blue side of cybersecurity and why security success depends on those two sides working together. On their mission to build stronger, more productive, and well-rounded security teams, PlexTrac provides incredible and insightful metric and messaging tools that change the game for the cybersecurity industry.
Timecoded Guide:
[05:36] Understanding PlexTrac’s history and mission for cybersecurity teams
[09:58] Lack of empathy and understanding in red team and blue team communication
[18:48] Breaking through the resentment and confusion within a team
[24:45] Envisioning the future of PlexTrac’s community impact
[27:52] Caring about your cybersecurity mission beyond yourself
Sponsor:
Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley
What is the function of PlexTrac that would help you the most as a pen tester?
With prior hands-on experience on the red side, Dan found his journey to creating PlexTrac to be full of moments where he wanted to fix the same problems he encountered over and over with reporting and communicating. One of these problems was solved easily with the addition of a video feature, a simple function that has existed since PlexTrac first began but is instrumental and is a huge time-saver for visual learners.
“As a pen tester, I hated finding that I had 20-odd screenshots if it's a pretty complex exploit. I think the adage for us is like, if a picture's worth 1,000 words, then a video is worth 1,000 pictures, right?”
What do you think are some of the gaps in skills that organizations face when hiring these professionals to perform offensive operations?
Communication is key— not just in life, but in this episode. While we’ve discussed skills gaps previously in cybersecurity, Dan is quick to point out that a consistent gap he sees in all areas of cybersecurity is effective communication. PlexTrac keeps this struggle to communicate in mind and creates easy, simple pathways and functions that encourage communication and facilitate collaborative problem solving.
“If there's one area that I really emphasize with anybody that I'm mentoring or have hired in the past is, as a security person, whether you're red or blue, you really do need to be a good communicator and be able to communicate risk effectively within the right context.”
What would you want to say to those folks that don't see eye-to-eye from the red or the blue side?
We’re fighting the same fight, no matter if we’re on the red side or the blue side of cybersecurity. Dan’s message for our warring red and blue teams throughout the industry is to understand the importance of your mission and to not let relationships between red and blue feel clouded with misunderstanding or resentment. No one’s job is harder than anyone else’s, and each role on offensive and defensive plays a part in our collective victory.
“I'm gonna just be point blank about it…Are you trying to just prove a point about your knowledge and your skills? Or, are you actually trying to make the world a safer place?”
What would you want to say to all those folks out there [in cybersecurity]?
As PlexTrac aims to make a huge impact on our community, Dan and his team acknowledge a need for a unified, focused, and collaborative cybersecurity industry, with hard workers on both the red and blue sides. With PlexTrac’s assistance in making reports, measurable results, and communication that much easier, our team at Hacker Valley is thankful to be a part of PlexTrac’s amazing network and can’t wait to share more tools like this with all of you.
“I think keep fighting the good fight, for both sides, and recognizing that your mission is vital to the safety and security of your organization and the world at large, right? We are all in this battle together.”
Hacking the Vocabulary:
DOD: The United States Department of Defense.
----------
Additional resources to check out:
Spend some time with our guest, Dan DeCloss, on LinkedIn, and the PlexTrac website
Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter.
Follow Ron Eddings on Twitter and LinkedIn
Catch up with Chris Cochran on Twitter and LinkedIn
Continue the conversation by joining our Discord
-
We’re breaking down the concept of difference makers this week and we couldn’t help but call upon Mari Galloway, CEO of the Women’s Society of Cyberjutsu, to be our guest during this conversation. As a black woman in cybersecurity who has dedicated a large portion of her career to helping women and girls become a part of the cyber community on both the technical and non-technical sides, Mari is a stunning example of making a difference and creating a path to expand cybersecurity beyond stereotypes.
Timecoded Guide:
- [01:29] Defining the difference makers and explaining the OODA loop
- [13:52] Introducing Mari and the Women’s Society of Cyberjutsu
- [20:14] Finding her purpose in helping others find their purpose
- [25:06] Explaining the roles and paths available outside of strictly technical
- [30:31] Understanding imposter syndrome and forging a freedom-based career journey
Sponsor:
Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley
What is that like to see people go from taking that original red pill all the way through starting their career in cybersecurity?
When we talk about making a difference, many of us don’t get to see our impact as clearly as the Women’s Society of Cyberjutsu sometimes gets to see. Mari tells us numerous stories of women throughout this episode, including herself, who became a part of this industry because of the instrumental work they do in outreach and education. For Mari, seeing women change their minds and majors to become a part of the tech industry shows how vital this work is.
“These are the moments we're waiting for, whether it's one person or 50 million people. We want you to feel confident enough to get the skills you need, get in the industry, continue to refine those skills, and be super successful.”
What would you equate your purpose to, and how does everything you do fit into it?
Like many of us, Mari isn’t entirely sure what her purpose is, but she knows that she enjoys helping the next generation and making a difference in the landscape of cybersecurity. Working with a nonprofit is not an easy job, even if it is rewarding, and Mari still prioritizes her freedom alongside meeting her purpose. No matter what Mari’s future holds, she knows that this work and this purpose to help others will always find her.
“I think as I get older, as I start to take steps back to just kind of look at what's happened and the impact that I'm having and others around me are having on the next generation of folks coming up, I think my purpose is to help people. It's to help other people see their potential.”
How do you feel like creating that safe environment has affected others?
Helping others find their footing in the cybersecurity industry can be extremely rewarding, especially when Mari found herself in a situation of uncertainty when she first joined the Cyberjutsu Tribe. The community of cybersecurity and the stereotypes around hackers can feel incredibly uninviting from the outside. Offering people, especially women and young girls, an opportunity to step into a safe space where they can ask anything has been huge for Mari.
“We call it our Cyberjutsu Tribe, and we want to make sure that anybody that comes to us feels like they can reach out and touch us and ask us questions and get answers and just have a conversation with us.”
How do we invite more people in and let them know that there are opportunities in cyber outside of technical roles?
Whether you’re hacking, selling, managing, or marketing, there is a space for you in the cybersecurity world. You don’t have to code or to be extremely technical to fit in this industry anymore, and you don’t have to have a certain look. The Women’s Society of Cyberjutsu prioritizes educating people on every role involved in the industry and showing them that they don’t have to be a tech wizard or a computer guru to find a satisfying and profitable position.
“You don't have to look like this to be a hacker. You can look like me…That stereotype, I think, is dying, as we see the number of women coming in and men coming into the space that don't look like that anymore.”
Hacking the Vocabulary:
OODA Loop: Observe, Orient, Decide, Act. A four-step approach to decision-making that focuses on filtering available information, putting it in context and quickly making the most appropriate decision.
CISO: The chief information security officer, a senior-level executive responsible for developing and implementing an information security program
Taking the red pill: The terms "red pill" and "blue pill" refer to a choice between the willingness to learn a potentially unsettling or life-changing truth by “taking the red pill,” or remaining in contented ignorance with the blue pill.
---------
Additional resources to check out:
Spend some time with our guest, Mari Galloway, on LinkedIn, Twitter, her website, and the Women’s Society of Cyberjutsu website.
Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter.
Follow Ron Eddings on Twitter and LinkedIn
Catch up with Chris Cochan on Twitter and LinkedIn
Continue the conversation by joining our Discord
-
Those on the red team may not be household names to the everyday person, but they are absolute legends and icons in the world of cybersecurity and hacking. While we have our personal favorite hackers between the two of us, we also invite our guest, Davin Jackson, to share his favorite cybersecurity legends and the lessons he’s learned from them.
Timecode Guide:
[00:50] The importance of red teaming, especially during this season
[02:17] Ron and Chris’ first experience working in a red team environment
[11:23] Communication and collaboration between blue and red
[16:53] Knowledge gained from Davin Jackson’s humble beginnings in tech
[22:19] Gaining the blue perspective with Hacker Valley Blue
Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
PlexTrac, the proactive cybersecurity management platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley
Legends, Icons, Teachers, and Friends
From Marcus Carey to Johnny Long, we’re excited to share the legends that had an early influence and lasting impact on our careers in cybersecurity. While our two backgrounds in red teaming are different, we can attribute so much of our success and our ability to share our knowledge with all of you to the experts that were willing to invite us to join and learn the best hacking techniques alongside them.
“I think that's the most important thing in red teaming, it’s passing that knowledge on to someone else.” - Chris Cochran
Communication, collaboration, and community instead of red vs blue
It is not two teams with two separate fights when we’re talking about red teams and blue teams. Often, when cybersecurity is too focused on this split between offensive and defensive, we forget to collaborate and fall short of improving on issues we discovered. Communication between red and blue can be a costly struggle, which is why we’re happy to see our sponsor PlexTrac stepping in to develop communication technology for these teams.
“There's this push and pull of collaboration. On one hand, you want the red team to work autonomously…but on the other hand, they do need insight if you’re going to go deeper and deeper.” - Ron Eddings
Legends met, lessons learned, tech loneliness understood
In the latter half of our episode, we’re joined by Hacker Valley Blue host Davin Jackson, also known as DJax Alpha. Davin started his cybersecurity journey with no computer of his own. Working his way up from basic tech jobs at corporations like Circuit City, lessons Davin learned from the legends he looked up to include finding a mentor, focusing on networking (even when it feels like a dead end), and being always willing to share what you’ve learned.
“It’s about consistency, and you have to have self control and discipline…It’s one thing to get it, but it’s another to maintain that success.” - Davin
Hacking the Vocabulary:
Pen test — Pen test, or penetration testing, is a method of identifying and testing vulnerabilities and gaps in an IT security system that could be exploited. This can also be referred to as “ethical hacking”.
Popping a shell — A slang term for when a hacker exploits a security vulnerability to make a program run a hacker code.
Red team — A group within an organization made up of offensive security experts who try to attack an organization’s cybersecurity defenses.
Blue team — A group of defensive security experts within the same organization that defends against and responds to the red team attack.
Additional resources to check out: Marcus J Carey, Johnny Long/Hackers for Charity, United States Cyber Command, Booz Allen Hamilton
----------
Spend some time with our guest, Davin Jackson (DJax Alpha/Alpha Cyber Security) on his website, Twitter, Instagram, Facebook, and on the Hacker Valley Blue podcast.
Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter.
Follow Ron Eddings on Twitter and LinkedIn
Catch up with Chris Cochan on Twitter and LinkedIn
-
In this season of Hacker Valley Red, we focus on cybersecurity legends in offensive operations with a legend in physical pen testing and lockpicking: Deviant Ollam. As a pioneer in our industry and an author of two incredible books about lockpicking, Deviant shares his history from hobbyist to professional and all that he’s learned along the way. He also discusses making the secrets of the hacking world accessible to all.
Timecoded Guide:
[01:28] Defining the pioneers in cybersecurity[08:47] Deviant’s first explorations in lockpicking [16:03] Accessing and democratizing hacking secrets[18:58] Becoming an author to transfer his knowledge[23:12] Seeing the past, present, and future of hackingSponsor Links:Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley
_________
What does it mean to be a pioneer in cybersecurity?
As our season focuses on legends, it’s important that we explain what makes these individuals such a vital part of our community. In the case of this episode, we explain that our guest Deviant is nothing short of a pioneer. Deviant has been willing to take on new challenges and revolutionize the industry throughout his career, influencing hundreds of individuals and leaving a lasting educational impact on the entire industry.
“That ‘zero to one’ part can be the hardest part of any progression in any field, but especially in cybersecurity.” — Chris
When you reflect on changing this whole industry, how does that make you feel?
Despite our guest’s legendary reputation, Deviant is humble about his achievements, caring more about how his work has impacted others than himself. What he focuses most on in his teaching, presentations, and writing is making lockpicking and penetration testing accessible and understandable. Instead of harboring secrets and perpetuating exclusionary policies, Deviant wants anyone to be able to master these skills and understand this knowledge.
“I’m not the first one who ever did this. What I like to think of my contributions is that they have chiefly been making it accessible and democratizing this knowledge.” — Deviant
Do you think it's harder today to stand out than it was a couple of decades ago?
For Deviant, our globalized internet and algorithm-focus social media sites are both a blessing and a curse. While knowledge can be found on every corner of the web and anyone can become familiar with the information that was once borderline inaccessible, Deviant also recognizes that younger hackers and lockpickers will have a very different rise to success than he did years ago, especially due to fragmented audiences and tricky algorithms.
“We have more avenues to put yourself on display, to put yourself out there than ever before, but that means the audience is fragmented and is spread so thin.” — Deviant
What piece of advice would you have for the folks that want to make an impact in security and technology and in our community today?
Although success will look different for newer members of our cybersecurity community, Deviant is confident that the younger innovative minds of the future will be able to solve so many of the long-standing problems within our industry. However, he reminds our younger audience that they need to still respect the tenured members of the cybersecurity world and learn from them without oversimplifying the issues past professionals have faced.
“Start thinking about it in a way that doesn’t use ‘just,’ because every old head in the industry has heard that….We couldn’t ‘just’ do it, or we would’ve ‘just’ done it.” - Deviant
Hacking the Vocabulary:
Physical pen-testing — A simulated real-world threat scenario where a malicious actor attempts to compromise a business’s physical barriers to gain access to infrastructure, buildings, systems, and employees.
CVE— Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information security issues.
Lockpick Village — A physical security demonstration and participation area where participants can learn about the vulnerabilities of various locking devices, techniques used to exploit these vulnerabilities, and practice on locks of various levels of difficulty.
Additional resources to check out: Robert Morris, the Morris worm, TOOOL, the CORE group, Practical Lock Picking: A Physical Penetration Tester’s Training Guide by Deviant Ollam, Keys to the Kingdom by Deviant Ollam, DEF CON
________
Spend some time with our guest, Deviant Ollam, on his website, Twitter, Instagram, and Youtube channel.
Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter.
Follow Ron Eddings on Twitter and LinkedIn
Catch up with Chris Cochran on Twitter and LinkedIn
Purchase a HVS t-shirt at our shop
Continue the conversation by joining our Discord
-
In this special mini series of Hacker Valley Red, hosts Ron and Chris are joined by the Senior Vice President of Intelligence at CrowdStrike, Adam Meyers, to review and highlight elements shared in CrowdStrike’s 2022 Global Threat Report.
In the final episode of this series Ron, Chris and Adam discuss threats to cloud infrastructure and how to better secure the gaps. Adam explores how the adoption of cloud technology has expanded our attack surface, how the digital transformation has placed significant strain on asset management and observability, and why identity protection and zero trust protocols might be your biggest defense against data breaches. He takes a deep dive into the Log4J vulnerability and its massive impact on cybersecurity teams all over the world. Finally, the trio examine the intersection of cloud and supply chain security and its implications on security operations.
Guest Bio:
Adam Meyers is a recognized expert in the security and intelligence communities. With more than 15 years of experience in the security space, Adam has extensive experience building and leading intelligence practices in both the public and private sector. Adam is a founding employee and SVP on the executive team at CrowdStrike Inc., a global provider of security technology and services focused on identifying advanced threats and targeted attacks. A sought-after thought-leader, Adam conducts speaking engagements and training classes around the world on the topics of threat intelligence, reverse engineering, and data breach investigations.
Links:
Stay in touch with Adam Meyers on LinkedIn and TwitterFollow CrowdStrike on LinkedIn and Twitter and learn more about what CrowdStrike has to offer on their websiteHacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | WebsiteSupport Hacker Valley Studio on PatreonContinue the conversation on our DiscordThanks to our friends at CrowdStrike for sponsoring this episode!
-
In this special mini series of Hacker Valley Red, hosts Ron and Chris are joined by the Senior Vice President of Intelligence at CrowdStrike, Adam Meyers, to review and highlight elements shared in CrowdStrike’s 2022 Global Threat Report.
In episode two of this series Ron, Chris and Adam take a deep dive into APTs – how it’s changed over the years and where we stand on the matter today. Adam uncovers the motivations behind nation-state attacks, how APTs are becoming more sophisticated in conducting espionage, and what we need to know about supply chain attacks. Lastly, he explores how APTs are utilizing the cloud and current events to further their operations.
Guest Bio:
Adam Meyers is a recognized expert in the security and intelligence communities. With more than 15 years of experience in the security space, Adam has extensive experience building and leading intelligence practices in both the public and private sector. Adam is a founding employee and SVP on the executive team at CrowdStrike Inc., a global provider of security technology and services focused on identifying advanced threats and targeted attacks. A sought-after thought-leader, Adam conducts speaking engagements and training classes around the world on the topics of threat intelligence, reverse engineering, and data breach investigations.
Links:
Stay in touch with Adam Meyers on LinkedIn and TwitterFollow CrowdStrike on LinkedIn and Twitter and learn more about what CrowdStrike has to offer on their websiteHacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | WebsiteSupport Hacker Valley Studio on PatreonContinue the conversation on our DiscordThanks to our friends at CrowdStrike for sponsoring this episode!
-
In this special mini series of Hacker Valley Red, hosts Ron and Chris are joined by the Senior Vice President of Intelligence at CrowdStrike, Adam Meyers, to review and highlight elements shared in CrowdStrike’s 2022 Global Threat Report.
In episode one of this series Ron, Chris and Adam take a deep dive into understanding the state of ransomware today and how it’s shaping the cybersecurity landscape as we know it. Adam explores the evolution of ransomware from a targeting and technical perspective, how data extortion has impacted day-to-day operations and services in our industry, and the risks cloud/SaaS environments present in today’s threat climate. Adams shares a glimpse into the creation of the Global Threat Report and how CrowdStrike is uniquely poised in providing actionable intel to help safeguard your data and operations. Lastly, he gives his advice on how to properly ingest the information provided in the report.
Guest Bio:
Adam Meyers is a recognized expert in the security and intelligence communities. With more than 15 years of experience in the security space, Adam has extensive experience building and leading intelligence practices in both the public and private sector. Adam is a founding employee and SVP on the executive team at CrowdStrike Inc., a global provider of security technology and services focused on identifying advanced threats and targeted attacks. A sought-after thought-leader, Adam conducts speaking engagements and training classes around the world on the topics of threat intelligence, reverse engineering, and data breach investigations.
Links:
Stay in touch with Adam Meyers on LinkedIn and Twitter
Follow CrowdStrike on LinkedIn and Twitter and learn more about what CrowdStrike has to offer on their website
Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website
Support Hacker Valley Studio on Patreon
Continue the conversation on our Discord
Thanks to our friends at CrowdStrike for sponsoring this episode!
-
Alissa Knight joins Ron and Chris to wrap up this season 2 of Hacker Valley Red. Why? Some big news is why! Stay tuned for that and much more as the trio dive back into the mind of a hacker.
Key Takeaways:
02:57 Big News!
03:20 Alissa's Bio, round 2
05:10 Ron’s takeaway for this season of Hacker Valley Red
06:43 Alissa’s take on Lisa Forte
09:30 “My content is different”
11:38 Hacking an entire industry and doing research with it
18:56 The generational difference – Past vs. Present
21:10 Alissa and the video world
23:49 The dream guest
26:13 Alissa asks the golden question
Links:
Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website
Alissa Knight: YouTube | LinkedIn | Twitter | Website
Support Hacker Valley Studio on Patreon
Join our monthly mastermind group via Patreon
HVR is proudly presented by Axonius
-
This episode is all about the hacked mind and who better to discuss it with than Lisa Forte. Lisa is a partner at Red Goat Cyber Security -- she started her career in counter piracy operations off the coast of Somalia and then worked her way to UK Counter Terrorism Policing. She continued her career in UK Police Cyber Crime Units and co-founded a movement called, “Respect in Security” to try and stamp out harassment and abuse in the infosec industry. This episode is a loaded weapon in the fight against insider threat.
Key Takeaways
2:11 Bio
2:42 Lisa’s favorite part of the job - working with Marines
5:07 What is insider threat?
6:04 An actual employee who got coerced
10:03 Surprising facts about attackers
12:30 Preventing insider threat
15:05 The attackers’ tactics and motivation
22:56 Respect in security - a company after harassment in cyber
26:20 Chris was manipulated on Myspace. What happened?
Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website
Lisa Forte: Twitter | LinkedIn | Blog | Website
Support Hacker Valley Studio on Patreon
Join our monthly mastermind group via Patreon
HVR is proudly presented by Axonius
-
This week on Hacker Valley Red, Chris and Ron are joined by Dan Trauner. Dan is Senior Director of Security at Axonius, and takes pleasure in breaking things to find creative ways to put them back together. The three colleagues discuss more technical specifics of a hacker’s mind, like how we can understand motive and deception, trends among attacks, and much more.
Key Takeaways:
03:09 Bio
04:33 Where to start when you attack a computer – Finding weaknesses
10:20 Surprising Motives
13:00 Trends among security risks
14:34 Bitcoin & Crypto
16:26 The future of attacks
21:00 Reducing attack success
23:10 Understanding deception
27:50 Cohesion between red and blue teams
Links:
Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website
Dan Trauner: LinkedIn | Twitter
Support Hacker Valley Studio on Patreon
Join our monthly mastermind group via Patreon
HVR is proudly presented by Axonius
-
Laurie Pieters-James is an Offender Profiler, Forensic Criminologist, Expert Witness and best-selling author of Shattered Lives: The Story of Advocate Barbie. Chris, Ron and Laurie dive deep into understanding the mind of a hacker, a criminal, and a criminal hacker. Laurie has spent her career learning to profile the most heinous criminals, both in cyber and on the streets. Listen to help yourself understand the enemy from the inside out.
03:20 Bio
04:41 Why did you choose to learn the mind?
06:23 Do criminals think about the punishment when they commit a crime?
09:06 The bridge to cyber security
13:39 Replicating red challenges on the blue side
18:47 Moral disengagement
20:03 Justifying deviant behavior
24:28 More tools for hackers
28:07 Getting into criminology
31:05 Getting started understanding a hacker’s mind
Links:
Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website
Laurie Pieters-James: Twitter | LinkedIn | Book
Support Hacker Valley Studio on Patreon
Join our monthly mastermind group via Patreon
HVR is proudly presented by Axonius
-
Welcome back to Hacker Valley Red season two. This week Chris and Ron are joined by a hacker through and through. Alissa Knight blends influencer marketing, content creation in writing and filmmaking/cinematography, and go-to market strategies for telling brand stories at scale in cybersecurity through the lens of a hacker. She achieves this through ideation to execution of content strategy, storytelling, and execution of influencer marketing strategies that take cybersecurity buyers through your brand’s custom curated journey. But more importantly, she tells us what it takes to hack an entire industry...
Key Takeaways:
03:25 Bio
05:59 Why hacking?
07:32 What is FHIR? Hear how it was to hack it.
10:43 I’m just a hacker who did homework
13:50 Unexpected vulnerability
17:57 Support
20:22 How an API works
24:23 Input validation
29:28 A date worth more than oil
33:23 How to scale efforts
Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website
Alissa Knight: YouTube | LinkedIn | Twitter | Website
Support Hacker Valley Studio on Patreon
Join our monthly mastermind group via Patreon
HVR is proudly presented by Axonius
-
In episode three of Hacker Valley Red, Chris and Ron are joined by Deviant Ollam, a hacker to the bone and one of Chris’ inspirations in security. Deviant is currently a physical penetration specialist with The CORE Group and the Director of Education for Red Team Alliance. He is also a master lock-picker and uses his skill to shape the future of physical security. The three discuss very important topics, such as the hacker’s mindset, what we can do to foster growth in the next generation of cyber professionals and how physical security is changing.
Key Takeaways:
03:32 Bio
05:30 Developing the hacker’s mindset
08:40 Hacking in the past vs. the present
11:05 Bringing creativity and freedom back to kids, ultimately freeing adults
17:00 Impactful tinkering
21:39 The difference in the means to get to the end
25:28 Progress in physical security
27:17 Staying ahead of criminal tactics and mindset
31:35 Advice for people who need to fail up
34:57 Get in touch
Links:
Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website
Deviant Ollam: Website | Youtube | Twitter
Support Hacker Valley Studio on Patreon
Join our monthly mastermind group via Patreon
Hacker Valley Red is proudly presented by Axonius
-
Charity Wright is a Threat Intelligence Analyst with over 20 years of experience in the intelligence community, including the US Army and the National Security Agency, where she translated Mandarin Chinese. Charity now specializes in strategic intelligence, dark web cybercrime, counter-disinformation, and at Recorded Future. Join Ron, Chris and Charity as they discuss all things nation state-level, what we can do to avoid bad habits as a community, and how we understand our enemy.
Key Takeaways:
03:12 Bio
04:16 China’s security threat to the U.S.
07:20 What are hackers’ motives?
12:30 China plays the long game, and it helps them
15:11 In regards to national security, can we learn from any other countries?
17:20 When the line between crime and nations blurs
23:24 Know thy enemy
28:47 Using high-level strategic intelligence
30:54 Get in touch with Charity!
Links:
Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website
Charity Wright: Twitter | LinkedIn | Email
Support Hacker Valley Studio on Patreon
Join our monthly mastermind group via Patreon
Visit our presenting sponsor Axonius to solve your asset management efforts
-
Chris Hadnagy – Show Notes
Christopher Hadnagy is the founder and CEO of Social-Engineer, LLC. He created the world’s first social engineering framework, as well as hosted the first social engineering-based podcast. Chris is an adjunct professor of Social Engineering for an NSA Cyber School of excellence at University of Arizona. Chris is also a well-known author, having written five books on social engineering. Chris’ new book, “Human Hacking: Win Friends, Influence People and Leave Them Better Off for Having Met You”, released January 5, 2021. Join both Chris’ and Ron for an episode of self-analyzation, empathy and understanding.
Key Takeaways
02:52 Bio
06:20 Exploring the title of Chris’ book
08:40 What’s the difference between manipulation and influence?
10:36 A contract in a book. Why?
14:33 What books describe Chris?
21:48 The importance of Empathy
26:48 The science
30:57 Chris’ conference: The Human Behavior Conference
Links:
Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website
Chris Hadnagy: Twitter | Facebook | Book | Conference
Support Hacker Valley Studio on Patreon
Join our monthly mastermind group via Patreon
Visit our presenting sponsor Axonius to solve your asset management efforts
-
This episode of the Hacker Valley Studio podcast concludes the Hacker Valley Red series. In this finale, Ron and Chris interview their friend - and formerly their shared roommate - Marco Figueroa. Marco is a security researcher and cybersecurity speaker, and he is also a bug bounty enthusiast. He and the hosts constant improvement, bug bounty, and more, while also looking back at the conversations thus far in the season.
-The episode features Marco Figueroa, and listeners are introduced to the content ahead.
-What is Marco’s background, and what is he doing now?
-Is there such a thing as an unhackable device?
-The group talks about Marco’s philosophy in his protection work, the place of social engineering, and the value of building relationships.
-What is the hacker mindset, and do you need coding experience to be a good hacker?
-If interested in the red side of the field, what should someone do first?
-Marco shares about what he sees on the horizon.
-The group considers two major season takeaways: the value of mentorship and the need to put yourself out there and take the first shot.
-Where is Marco planning to take his contact creation from here?
Links:
Connect with Marco Figueroa on Twitter
Connect with Marco on LinkedIn
Follow Marco’s Livestream
Learn more about Hacker Valley Studio
Support Hacker Valley Studio on Patreon
Follow Hacker Valley Studio on Twitter
Follow Ronald Eddings on Twitter
Follow Chris Cochran on Twitter
Learn more about the season sponsor, RiskIQ
- Vis mere