
I love it
they should put weird stuff on this TV behind us my own I'm a bit of a prima donna in my own I was like can I get a headset so I can move around if I feel like I need to I don't want to be restrained so hi I'm Grifter hi I have been in Utah for probably I think it's like 21 years now I started out in the community doing stuff with 2600 Salt Lake City back in 2000 right but so I've been around for a while I am a full-time threat hunter for RSA and then by night I run all the technical operations for the Black Hat security briefings and then one of the lead organizers of DEF CON
I'm also on the CFP review board for DEF CON and Black Hat and I do other stuff too but that's enough I think good stuff thank you that means a lot coming from you all right my name is Snow I'm still somewhat new to Utah I've been here about four years now we actually moved here on the flip of a quarter quite literally so it kind of shows my character special but no I love it been here for four years I focus on social engineering and physical security at DEF CON 22 I won a black badge for the Social Engineering Capture the Flag and then at SAINTCON 2017 I was on the winning team with JC and Davis
Chauncey his face but we won the vault which is a physical security challenge and I'm also on the DEF CON CFP Review Board as well and my name is Mike I'm also known as Dark Matter I'm not sure why I'm up here with these two they're freaking awesome but um I created a project called the WiFi Cactus I don't know if you've heard of that I didn't bring it with me but I brought a picture of me with it so I'll pass this around it has some pretty interesting stuff on it and yeah this picture is crazy there's a lot of tissue I've been able to go to a lot of different places I love to travel my
background's computer science I love hacking stuff I've been hacking stuff since I was a little kid I'm from southern Utah so local Utah native been here all my life yeah and just I really really love hacking on stuff so that's about me
so you know really one thing that a lot of people ask is you know what kind of what kind of drives you guys to give back to the community because I feel like all three of you or you know I've done a lot for this industry the community you're well known and what kind of drives you to keep doing that every day who first wants to go first okay so when I first got into this community I reached out to two individuals for advice the first one was an advocate for women in tech so I thought you know she would have some good kind of starters for me and it turns out her career advice was that I
work for her for free as a project manager I'm not joking that it's serious um and then the second one was someone who focused on social engineering and they pretty much said I would have to take a minimum-wage job and the only company that would hire me was their company so that really sucked I did not like that advice I was very lucky to have an amazing mentor JC but as far as giving back to the community I don't want someone to be in that position especially someone who's new who tries to find advice in it's I don't think that's fair actually being here at BSides it's really cool because this is where I gave
my very first presentation in 2015 so I really enjoy doing presentations and trainings I built a Black Hat training that focuses on things that I haven't seen before because it was important to me I wanted to make sure all these aspects were in one training because that's something that I searched for so mentorship and giving back to community is very important to me well the interesting thing about me is like I've gotten a lot from the community so I feel kind of obligated to give back because there's always been people there who have helped me out and in fact the whole concept of the WiFi Cactus started literally because between me and Grifter because there was a
conference called ShmooCon that I didn't realize I was as close as I was and he's like no you get here you get here now you doesn't matter if you have a ticket or whatever and that led to me meeting with Darren Kitchen and so it's like now I want to give back I want to talk I want to you know give my advice and want to help out people with data do data analysis and stuff like that as much as I can I try to be pretty active in there's a Kismet Kismet's a wireless tool that we use and that we have a Discord I like to be active in there as well as come to a bunch of
conferences and so I mean it's like I build like the things that I do on shoulders of giants and so I think that all of us need to have like they'll be willing to give back so I think that's really important I think with my experience as well which is just like I wouldn't have the career that I have today if it wasn't for you know things like you know simple things like going to 2600 meetings started me getting face-to-face meetups with folks and that led going to DEF CON and then being involved in DEF CON and helping out on the staff and like legitimately everything I have in my career is owed to this community and so I think if you
are the type of person who one doesn't recognize that or two recognizes that and then chooses to do nothing about giving back you're a horrible person let's just put that out there right now you know who you are you're squirming in your seat right now you know about the meetings you just choose not to you know participate I think that's that's the thing is it's just like like I legitimately owe my I don't know my entire career and the means for caring for my family to everybody in this room right so it would be selfish not to do something and the opportunities that it affords you to to like like to have a community and have resources like
there's job offers and things that I've gotten that just would have never happened had I not done that these things or giving back or been a part of this community so I think it's really important to the networking aspect and the community part yeah I think it's also important point out that like that is not my default state like to be out in front of kids to do this it's not my default state right I going to a meeting and like walking in the first time and there's a dozen or two dozen people there who all seem to already know each other but I'm new and it's awkward and whatever like that is about as close to
my nightmare scenario as you could possibly put together but you just you do it anyway right you do it because like how else will you make those connections I can count the number of job opportunities and things that have come out of you know 801 Labs or DC 801 just from people knowing each other face-to-face and being like oh yeah we're hiring some folks and they're like oh well I have been in a room with you multiple times and don't hate you you should come work with us you know so that happens a lot sometimes you end up hating each other but you know at least it started out positive now yeah I think that's like get out there and get a
chance to meet the people who are in your field
optionally unless you learn nothing at all I've never failed before breasts I'm gonna take a pass I can share I guess one experience which was speaking of career stuff where I was interviewing at a place to do some Red Team stuff they had known of me brought me in because of my reputation and everything I met with the team I did all this stuff I met with all these different levels and managers multiple interviews all whatever and I got to like the CISO and for whatever reason we just did not click like I could tell like within minutes of like chatting with this guy that I was like yeah I'm not getting this job like it's just not
gonna happen he hates me and I don't not quite sure why right but but that sucked right because I was like oh this would be really cool and it's a cool opportunity I really like the folks who are on the team everything up to that point looked positive and in the end it ended up you know not going the way that I hoped and McGinnis just came down to my personality which is a difficult thing to like absorb right you're like oh he hated me as a person right I have the skill set to do the things that they're asking for but I'm just not likeable enough right so that was that you know that was difficult but the lesson that I
took from that was that like sometimes like it just it doesn't matter like you can think that you check all the boxes or do all the right things and in the end it won't go your way right you can't feel like you're owed that or just because you do check the boxes on the technical aspect of something that that means that you you know you deserve a position or something it's like no my accomplishments in the community or like public speaking stuff authoring books all that kind of stuff did not matter to this dude he just didn't like me right and I was like oh well that's an interesting pill to have to swallow right
so a time that I failed in my career actually landed me in handcuffs not the fuzzy ones either unfortunately so I had a client in the Midwest and I was doing physical security assessments for them and right out of the gate he pretty much took control of the assessment he dictated what my pretext was so who I was pretending to be on site and he wouldn't have any flexibility there I had to pretend to be the same person on every site normally this is not something I would do and I knew in my gut something was wrong and so what happened was I go and I'm starting these assessments I'm on site number five and
site number five kind of gets suspicious calls ahead to site number six saying or calls ahead to other ones saying hey this is kind of funky you might want to check into it when this person gets there so I get there and I was greeted by this manager who ended up calling the cops um so for me that was a huge failure but that was a failure because I knew in my gut something was wrong and I let the client have control of the situation it just really changed things going forward for me I really learned what things I needed to have control of compared to what the client could have control of a lot of information security if you're
consulting is really kind of figuring out what what limits you put in what you're in control of so that was a big lesson for me when I was younger I worked for a company an engineering company and we were building a project for the Korean South Korean government and and we were having a lot of struggles with getting a project done on time and that project ultimately turned into a giant failure and I didn't want it to fail and I kept trying and trying not to fail and trying and putting more effort into it and didn't realize that guess what sometimes the inevitability is failure and it's okay to accept that and like put a you know a stop on it and
move on and so with that let that project taught me was to fail fast so if you are gonna fail learn how to fail fast at something so that way you don't continue working for months and months destroying relationships hurting people and ultimately I left that company on bad terms and that was something that I never wanted to do ever again after that and it's still and like in my mind I think back on it and I'm like this could have been a really cool project cuz it was for a missile targeting system and it's like that's awesome you know building missile type projects and South Korea for South Korea so that that's clear and you know now it's like
what if it would have been successful what if it would have worked you know and how cool would that be instead now I'm talking about it is you know one of my biggest failures but I I like failure actually I mean if you anybody follows me on Twitter like 90 percent I would say is me failing and doing stupid things so but I feel like when you fail that's when you learn the most right because like something bad happens and it's like everything becomes clear right because whatever you're doing is completely garbage and that's usually when I'm learning the best so
grifters yeah we were joking about earlier and they like say it no but I think honestly it's for me at least what what I see is that there are folks who are coming into the industry who are purely monetarily motivated right there like the world has caught on to the fact that that the cybers pays pretty well right and so it's like oh we've got degrees for that we've got certifications for that we've got a two-year tech you know school whatever version of a degree you know and and so you've got people who are coming out of these you know diploma mill type of situations or certification mills who don't feel like we feel right where we
do this because we love it right it's fun and coming to a conference like this and being able to talk to other people just about doing it is an exciting prospect to us that I feel like is it freaks me out a little bit you know I don't want to see things get watered down with folks who are like oh this is a really difficult problem someone else should deal with this where I think the hacker mentality is this is a really difficult problem I'm never going to sleep until I figure out how to solve this right like that that is something that has made you know many of us successful in the careers that we've
chosen because of that mindset you know it may not be the most physically healthy thing but it's incredibly rewarding and I think if you don't have that if that piece is missing that's a dangerous thing to put somebody like that in charge of the keys to your kingdom and say defend our organization you're like well I'll do it from nine to five because that's how much I care but I won't think about it a moment after that I'm gonna go home and turn on the sports ball and I'm gonna watch that until I have to wake up the next day and come back and think about this problem again instead of just being like I'm gonna order pizza who's
with me you know like I think that that freaks me out to add to that I think that you know college graduates are kind of coming out of school with you know thinking that they're gonna get a job right away but a problem with that is academia isn't updating their material as fast as in our industry is changing right think about math and algebra that stuff doesn't change right the college material doesn't change that's because it doesn't change no one's doing groundbreaking research on this but in our industry stuff changes so often so when you have all these grads you know college graduates looking for jobs they're already behind the mark so I think the skillset gap is is a pretty
big problem in our industry I don't I don't have a degree like I don't know that like I mean I tried to go to school and do the my college thing I couldn't do it like I got into like classes maybe like this is how it is and I'd be like that's not correct you know like I do this every day right now and I can tell you right now that that's not how that works you fail like oh wait what hold up no I mean like I'm winning it the actual career shouldn't that mean I passed this course like I was just like I'm not going to get into crippling debt so that you can teach me the stuff that mattered
10 years ago well tell you as someone with student debt sitting and sitting up here and my dog I'm a little bit jealous of you not gonna lie you know I think that these issues they've talked about up here are really important and another one that kind of piggybacks with this that I've seen is like people are learning coding and they're learning how to build things and they're learning how to put things together and they're not learning how to do it in a method that's secure right so we're not taking or taking stuff right now we my bad I think that you know security needs to be a framework that's from the ground up right it's like you don't hack something
together and then ship that like the Facebook model right it's like get it out there and then we'll fix it later because you know we can patch later you know why aren't we doing more in the early stages of development to implement security and I think that like the prevalence of all the breaches and stuff that are happening I mean it's like we've got to look at things like earlier on in the in the in the you know in the development cycle and so that's something I think schools and stuff like that is a huge thing they're missing is you know let's teach secure coding you know let's start out of the gate teaching you you know guess what you're
the buffer overflow exists let's teach you you know how to avoid SQL issues let's teach programmers that PHP is bad just kidding anyway sorry but it's actually it's actually Perl Perl sucks but um you know I mean that this is that sort of thing that I think we the industry needs to start addressing that earlier and earlier in the learning cycle so you bring in a junior developer who starts coding and they'll start making some of those decisions because there's been tons of times when I've been working on projects and it's like it's always like we'll get to security later like we'll add additional authentication we'll add better encryption later right and like nowadays it's you don't have to have it
that way with like Let's Encrypt project and if you're doing web-based projects it's literally a plug-in in most web libraries now to be able to get SSL encryption on your site and so it's just there's just so many more tools that are available and I think that it's really important that we start using those so guess what all of our info doesn't end up in somebody's database I think that's like that's hard though too because then you talk about like oh well you can get you can gain these things and add these things almost like as plugins but then you're reliant on whoever it was who wrote that plug-in I think that's like scary as hell too is true like oh I've
got these you know but it's from the internet you can trust though alright never mind guys we're good can I get a show of hands here for all of the college students okay what about people are new to the industry right that's a lot of you guys I really encourage everyone to go out and get involved because school is not enough right go out and take specialized trainings from people in this industry who are actually doing these things day to day get involved in the community do CTF things like that I think that's really going to be beneficial to your careers especially as you're getting into this industry I encourage you to drop out and spend that money on stuff
to break or or let me let me offer you an another version of this go get a laptop get a wireless card and start just sniffing Wi-Fi and start doing stuff like like Snow is saying like go out and start doing stuff get involved because you're going to get a lot of practical knowledge stay in school kids or don't see this is why we're on opposite side this thing is falling off of my face again Pope I have a weirdly shaped ears or something year after year I can't keep this thing on my face
oh snap look at it he was not JC was literally going like this not even like conscious of he was doing he was down here just like oh yeah this is gonna be a huh man pub like that Jackie in the last row the question go ahead no John I just yell it out Oh him first you have to walk up here ah so I would say don't okay the question was any tips on transitioning from blue team to red so here's the thing so here's my take on the whole blue team red team thing red team super super fun right I get it super fun did it four years still do it like part-time the problem with being
red team is that it is super sexy and everybody wants to be like you know the cool check me out exploit you know like we call can't be Bryce so learn red team stuff and apply that within the blue team so when you're looking for things within your own environment whether that's from a standard analyst standpoint or if you're doing traffic analysis that kind of stuff take the attacks that you want to learn how to do and then do them but then monitor how that affects your log data how that looks on the wire so take pcaps and see what it looks like on the wire so that you not only do you get the
chance to do the the red team portion of it that is fun everybody loves seeing calc when nobody asked for it but also know what those attacks look like on the wire and then you it will make you a better defender I go into a lot of companies and talk frequently where you have blue team folks who are like they're just a blue team and I'm like you should you're doing yourself a disservice go do red team stuff as well but don't jump ship there's no there's no reason to jump it's I said it sounds cool and it's fun to say like I'm a hacker for hire you know that sounds neat the reality is
if somebody asks you what your job is on a plane as you fly off somewhere you're like I'm an accountant because as soon as you say I break stuff and people pay me to do it they're like tell me all about it and you're like I don't want to know you we're not friends so so I would say don't transition from Blue team stay there just do the red team stuff and figure out how that can better you know protect your organization sorry if that's not the answer as a counterpoint I'm someone who that and drop out has it hasn't traditionally worked an official red team type position in a company before but that doesn't mean like if
you're not passionate about it like go do it like go get involved with it like make that a thing cuz like you've got to commit to it and do it so there's a lot of work to it like I've done that with active Wireless assessments and I quit my last job in order to do those types of things so I left I left my job of almost 5 years that was very safe and secure and in semiconductor manufacturing to do my own thing now and so like if you really want to do something like commit yourself to do it and so that's what I would say is that if that's so if you hate blue team then
don't do it because you're gonna be bad at it right but but I'm just saying like a lot of people are like Oh red team's where the cool stuff is that you can do a lot of cool stuff there's a lot of cool stuff you can do on the blue team's side as well but I think too coming from a blue background moving to red makes you so much more valuable rather than someone just coming straight out because you know you've seen what attackers are doing so I think both of the advice is good go out there learn what you can from where you are but as you if you transition I think that makes you more
of a valuable person having that background purple team for life it's not it's not there are no questions by proxy just that's a good question if you could answer that that would be incredible yeah for for me personally it's like what do I already know how to do and then try to tackle those problems and use the skill sets that I know how to do like I tried to do a project with a new like PHP framework a few years ago and it sucked I had to learn new framework and I had to learn a language and I wasn't comfortable so it's like tackle problems with tools you know how to do especially if it's a hard problem
you're not sure how to do so that's what I would say like start going down your wheelhouse and then build out your wheelhouse and expand and add more tools to your wheelhouse yeah I think also for me I like I go to a lot of conferences right so whenever I'm sitting in a talk and someone says something I'm just like you know like I'm just like let me write that down just by a book right so for me it's just like where I see gaps I just go look for you know some information on that I like at least having an inch deep knowledge on on most things and then obviously I have my areas that I
specialize on but I think to your point about like GitHubs and there's awesomeness and awesome that a lot of people are I think afraid to reach out to the folks who are running those projects and things and honestly if you reach out and say hey you or I'd like to help in some way or I'd like to talk to you about this they're like some help that would be amazing you know so don't be afraid to to reach out to the folks who are working on projects and say what can I do to help make this better I think taking things in little bite-sized chunks helps so rather than saying I want to go out and I wanna
learn red teaming right stick with something small like I want to learn Wireless and then from there expand to another area but just kind of taking things as small as you can to expand upon I think it's a good way to break your fun-sized so far back so the question did everyone think they got it okay what you sort of allene so from a hiring manager what would you look at for someone coming straight out of academia I would look at what they're doing besides school so are they involved in projects do they have their own projects do you have a blog do you have a GitHub I look for things like that to see where
you're passionate and where you're spending your time that I think is one of the biggest things again going back to passion and really making or seeing that you're spending time on things that like that yeah I think encouraging that kind of behavior is huge again I think you mentioned just going on doing it just for the practical knowledge aspect of it like there's a difference from reading about it or watching talks on YouTube in some way that's actually trying it out yourself yeah and here's the thing too like when you see people like us presenting something and giving you information like guess what that information may or may not be true right like go try what they're telling you to
do it came from me it's probably not so you know and I so I think that's an important thing and so in the case of you know what am I looking for like who are the people that are doing because doers are the people that are like putting stuff together building projects they have a 3d printer in their basement they're up all night tweaking it so that they can to get it to print you know I mean it's it's that type of people that I'm I'm looking for personally and I think that will truly thrive in the current state of this industry yeah there's also there's a different level of I think it just a completely different level of
ownership and understanding when you do something yourself the like the the first time I ever picked a lock was like one of the best days ever right I remember the sound of that padlock bit more and I was just like right like it was like it was incredible like that rush from it you still get it by the way it doesn't matter how many years you're picking locks when you pick a lock it doesn't matter if it's like a master three like you know that should just fall off when you like breathe on it like you like you still you're like clack and you just look around the room like you heard that right I opened that
that's what that sound was but it gives you a different understanding of physical security for one you know or when RFID stuff was new and like cloning someone's badge and then taking that cloned badge and going beep and the door opens you're like mm-hmm and then it's next level when you have a chip in your hand and you go beep yellow for life in my hand no I would immediately get all something in my brain if I could Johnny Mnemonic things well I'd want to be able to access it Johnny he really just carried it around yeah whatever sorry what were we talking about what was the question do we answer it do we answer that question maybe yes
no thumbs up we got the thumbs up you can see that
so that's a good question so pretty much I will not let the client dictate what pretext I can use that's one of the things I do I go out and I do open source intelligence gathering and I figure out what makes the most sense and I build my pretext from there that's something I'm I don't believe the client should have control over the second they start controlling things it starts reading a pretext is who I'm pretending to be so I might pretend to be an auditor or an internal employee so by my findings online it might make sense that I'm someone very specific because of just different things I find but again giving the client less control over that
is more important because when they start getting more control it kind of feels rigged I mean in that sense it really was I got stopped right away and I could have continued and been a lot more successful real quick if we could get as soon as these guys asked that question if we get someone in the back to ask a question that would be amazing now Bryce you keep coming forward you said real quick and then it's fine he already made it you're got it you killed that time I was gonna kill the time but I got it for you I can relate to them because I've done in here I've done quite a bit of you I yeah
you're not just just an engineer just you know like I've done a lot of UI type stuff and some of the go to tools for me is like Burp Suite even just the Community Edition which is free and then even Postman is another good one for playing around with that I'm sure you're familiar with that and then just using like Chrome and Firefox's built-in inspection tools and then I usually just build my own back and forth between back-end in front I mean your front-end UI so your