
see that someone confirmed they can see my screen let's do the most said sentence of the year all right um so richard and i well we'll do some introductions in a second richard and i've been talking about doing um a podcast for a while and we keep putting it off and putting it off and then we thought hang on a minute we could maybe combine the two cheekily do a talk of b-sides see if this thing works um and then go from there so without further ado let me jump through um as scott very eloquently said this is the the name of the pilot episode um this idea came about from a conversation over a few privileges
recently where um as old people in security um there's still so much we don't know so much we don't know um if anything i feel like i know less after all this time but we've picked up a few little nuggets we wanted to share them and we know there's folks on that maybe just getting started in their infosec careers um some old timers who are long in the tooth jaded and blissa um like maybe we are sometimes and everybody in between so we've got some we've got some thoughts we've got some learnings um we're definitely here to talk about some of our mistakes because that's the best way to learn um but to kick things off um just a
reminder first of all if you do have questions slido is your friend um ben is still faffing around trying to get comments turned off in some of the streams i may or may not be on we're not monitoring them very well at the moment this is the place to go for questions all right we're doing my best subject um i'm sam humphries i work at exabeam i've got two job titles one of them is security strategist and i'm also one of those marketing people that was talked about earlier in the beer farmers talk and i was cringing a little bit although i do know the difference between ai and machine learning um and can be quizzed about such things
at a booth at an infosec conference near you when we're allowed to see people again um doing this too long i love the cloud nephophilia is not illegal um i can dj at your wedding your birthday your def con party your funeral whatever you would like as long as social distancing applies love talking about sanity if anyone wants to have a sanity conversation i am your girl um and i write stuff and say things and i'm on twitter for following and blocking and reporting richard talk to me goose hey well this is it sam we finally did it we've been doing it um and we will reveal the hump and dick background in a minute but um
my goodness yeah so i've been in this game and it is a game as long as sam um but kind of taking a different route uh so i'm i'd actually been with sam so we're both uh you know ripping up the the roadways and leaving trails of fire here um and i do other things so i i've kind of been actively involved in kind of writing articles and educating the industry on overly complex subjects they don't need to be complicated but the industry seems to like to do that and kind of simplify it so that people can understand what earth it's all about um and all that other stuff so i've got a background some of it i don't talk about publicly
because i can't um but which has given me some interesting insights to other sides um that maybe we don't really see on a day-to-day basis but but we know it's there and yes i do uh wax cars and paint fences so um i actually am a real ninja in life i'm a fifth dan black belt doesn't mean anything because i'm now fat and old and i'm losing my hair um but hey you know when i was young i'm nice to get there and i do other stuff as well like working on the ambulance service and and you know trying to spice it up because i'm not busy enough and so yeah that is me in a nutshell
wonderful um and we've talked about us i i know quite a lot about you because we seem to be we present together a lot now we're like married through powerpoint husband i know don't we but i want to introduce you to keir snelling and actually at this point i'm going to drop the slides because um we've got a bit of a thing with the stream going on where we can't see the videos when the slides are up so stop sharing keir snelling without the uh without the code with mars thanks sam i had to prepare the slide if you needed me to uh what am i i'm keir um i'm sam's friend first of all so she's
asked me to pilot this this podcast as a first guest with her but beyond that i've got 22 years security experience i think i've worked in-house i.t being an i.t generalist then being a security specialist within within a larger organization and then i went vendor side i did 10 years at mcafee working in technical support customer success left mcafee went to cylance i did that and now work at zimperium uh doing customer success um mobile space outside of that um if i turn my background off there's a big shelf of whiskey behind me i love love collecting my single malt whiskies um raising my family west ham united football supporter i don't know how well that's going down in
b-sides newcastle sorry for the yeah okay um and various other things along the way um i i think this is a a nice subject for a talk because you know i've seen things from frontline where i worked in an organization and they're as a as an i.t security implementer if you like and then i've worked at the vendor side where i've spoken to gazillions of different people working in security every single day and sometimes you really don't realize what you actually picked up and learned all along the way so quite excited to join the talk excellent thank you all right so i did a bit of um terrible math i think we've been in in technology for
63 years between us which means we should we can retire and thank you for coming to our talk it's been amazing i'm gonna go do something better um 52 of those years have been in security we are old so um i wanted to do a quick kind of going around around the wrapping one first of all um richard how did you get into this crazy world oh my goodness um i i have to be oh god okay um don't get arrested yeah it does involve the police but i can't really go into too much detail um let's just say a long time ago i was involved with an interesting group of teenagers and we did some interesting
things and i kind of like doing that stuff so i thought oh let's let's do this more let's make a career out of it um and a couple of bullets dodged and i managed to um find my way into this industry um and it's kind of what's kind of funny though right is i studied psychology at university right i it was always a thing i played with as a kid um you know from atari st 2600s right up to commodore c64s and blah blah blah and so i always found these things fascinating but i went into this psychology and then people said well why did you do that like that's got nothing to do with
i.t or security and i'm like no you are completely wrong my psychology degree has probably helped me more than my technical skill sets in every vendor and partner and customer i've ever worked in um so i got into it sam through icq chat groups um using compuserve's launch portal back in the 90s um and yeah it's it's kind of the rest is history um i think probably future podcasts will be more into detail about the kind of things i've done are you kevin mitnick can we just get this clear now oh no no no no come on you and i have spoken the head mask off yeah i definitely got that chat no bloody work
can you whistle with dtmf tones do you know what you say that you know you've done that right you know you've tried this i tell them there's people on this on this that have definitely tried that i i know that i can't whistle so i'm screwed um keir how did you get into into security and yeah so why um so first company i worked in in it was actually pizza hut uk um we had a really small team about 20 people there looking after all of their i.t infrastructure i wasn't a security guard so i actually went in there from being a restaurant manager at pizza hut and joined their help desk as somebody who supposedly was competent
at their their electronic point of sale systems just able to support other restaurant managers who who maybe came from a different generation and weren't so computer literate um i was supposed to do that for six months as a secondment as part of like the management training scheme they put me on and then i said no i don't really want to do anything else but i.t now can i stay here please and not go back to the restaurant and so i ended up there for 10 years i moved obviously off of the help desk and picked up various different technical skills i built most of the servers that they they they had in their their their data
center at the time um like one of the last projects i did with them was was implementing all of the infrastructure to enable them to do their first ever taker online ordering and because it was a small team you had to be focused on multiple different areas and i learned security along the way probably badly looking back on it from what i know now and some of the customers i look at when you when i when i work with people now today go oh oh that was a strange decision but it was the decision that worked for those guys and that was all they knew because they didn't have better advice at the time one of the things i picked up was
how to administer lotus domino servers they ran lotus domino and notes as their email infrastructure and i got quite good at doing that and uh when i decided i wanted to move on and broaden my horizons in my career um mcafee were advertising for a lotus domino expert to support their uh new products that did basically anti-spam and anti-malware integration in lotus domino so i thought yeah i'll have a go at that and i applied for that and i got the job and then i did 10 years at mcafee in various different roles so that's how i got into security and suddenly this whole world opened up in front of me and i went yeah i've landed in the right place this
is what i was meant to do awesome my story's a little weirder i think they're going from i.t into security is quite common um i was a travel agent and um i booked travel for network associates that was then mcafee and then they hired me to work on reception um i ended up as a product manager for them and i did incident response as well but there was a bit of a journey in the middle but for me again it was it i did have a technical background from tinkering at home and i think for most of us that end up they're probably like listed on the stream on the on the zooms and various things now you
start one of those computery things at whatever age you got mine was a first one was a spectrum and then a bbc master um you know old school and i've not got them anymore which is a shame because they're beautiful things now you can spend loads of money on buying a what is it spectrum next yeah no no it's too modern now for me um so having some sort of techie background a little bit of sales don't hate me but i ended up doing tech support for my customers um that i'd sold to so the little companies they'd bring me up and say hey we've got the box so i get the cd out the box they pop it
the drive and i'd walk them through the install um and i decided that was more fun than having a quota and i think i was right so everything else along the way has kind of been a lot of it's just been picked up to be honest i know we're going to talk about qualifications in a minute and also it came up on uh the beer farmers talk but um i just i found it fascinating that was my why like those viruses kind of just kind of kicked off in like on a decent level around that time back in the back in the 1990s um melissa had hit remember like that caused absolutely merry hell um and i was like that that seems really
interesting not that i wanted to go and not necessarily write them or get involved with you know richard's friends um but certainly it was interesting that someone could like cause that much havoc um and that was kind of the bit that i caught off and going to work at a company that could help organizations deal with that was was really where i was at so um qualifications um travel qualifications clearly other way forward um richard what are your thoughts yeah do you know what i this is for me i'm a big stickler for like and we talked about this earlier the right qualifications i mean the first qualification i got back in god was in 1997 or eight
it's like very late 90s anyway um was a cisco network uh certified network associate right ccna um and what that gave me was a generally phenomenally good understanding in networking right so the osi land model that sort of stuff and and actually in network security i ended up you know the foundational knowledge you have is really really important um and i know today we kind of get a lot of stuff thrown at us and that we can go left right up down middle and other dimensions get the basics get the basic certifications the ones that teach you the what the why and the hows and then you start to branch out from there and because trying to come in at
the top level and starting to learn a complex coding language or complex security architectures you know that that's all well and good but if you haven't got the basics down and you haven't got those starts you're going to find it really hard to gain traction industry and you're going to you're going to become stuck very quickly um so that's always the thing i've looked for interviewing candidates like do you have the basics and and whether it's in security or whether it's in networking or whatever it is coding you know if you've got that then i know i can build on it and i can build on you if you haven't then it's a tall order so
um that that's my my take on certifications in this short time frame we have so my ba fares and ticketing level two it's not a lot of help no no so also i don't have a degree just going to put that out there right now keir yeah um i listened with to to the beer farmers talking about this just now and i've got somewhat different views i guess i've um i've hired a lot of people in the last 20 years um some with every single certification you could ever imagine um and some with none um and i've always found that the experience trumps the certifications in every single case and i heard that what we said before
where you know you can be okay with experience uh you certifications and experience trumps that um and maybe it does i haven't seen that in my experience um but what i have seen for certain is is i've hired candidates on the basis of what appeared to be worthwhile experience and really good certifications and found that they knew nothing and the thing that i've learned to do when i'm hiring people now is to really focus on probing what their experience is have they actually done what they claim to do and am i able to test against that a lot of people claim a lot of technical skills and and you have to be able to assess them
um i mentioned one of my favorite things is you see a lot of people put a whole raft of different tlas that they're supposedly technical technically proficient at on on their cvs or resumes and i'll always pick on one of them and say well tell me about this then you're claiming you've got that as your skill and you're an expert in it um and a good one i always find is something like dhcp which is a four letter not a three letter but um yeah how many people say oh yeah i've got dhcp i've got 10 years dhcp experience and it's just a nothing it's a throwaway on a cv and then when you ask them and start really drilling into
it you found that they ran the microsoft wizard once and uh and they set up dhcp maybe they did it on their home router and so okay so you've lied about that what else is there that is on your cv that i need to get into now and dig into so i i try and find that but certs along the way how many certs did i get i got some some basic certs like lotus domino as i already mentioned and that gave me a broad broad exposure to all assets of i.t i mean that team i worked in at the time i did firewalls routers switches servers desktops i was in unix i was in in window big big
broad background across a load of different technologies and i probably built my career off of that because it was a wide amount of exposure but i didn't gain that really through getting certificates i just got it through that was on job experience for me and that that's what i've always found the most important when i'm hiring sam just just to add to this i think this is really important right i've hired a lot of people in my career i'm not saying that egotistically you just impart of course as you kind of grow up through the ranks and i have made hiring decisions on passion and alone right so you know if if i'm interviewing somebody
that may not have certifications and to the beer farmers point economics will sometimes dictate and life happens right if if they're a part of external groups if they go to coding kind of meetups um if they you know if they're doing things outside of their kind of day-to-day life that shows they have passion um i'll take passion any day uh over experience to some extent right you have to have a little bit of knowledge but i found some of the best employment decisions i've made i've been people that may not have had the experience when i hired them but oh my god do they have the passion that they do load of stuff extracurricular and they've turned out to be phenomenal
in the security industry so i'm just saying if you're new to this come across passionate and have have show your employer the person that's going to hire you that you love what you're doing and you're going to learn you're going to put your head down because that's what's missing from a lot of people in my in my experience 100 100 i'll tell you i also learned as well that people that get certifications if they don't actually use the skills they learn in that cert they very quickly lose them so if you if you build yourself a little pick list and think i need all these for my career go get them and nev never use those skills
ever again by the time you might find yourself needing them they're already gone they've dropped out your head so pick carefully it's like learning a language right you know if you don't use it it goes very quickly some of it might come back if you expose yourself to it again but you know if you can't get your hands on it and do something but i think one of the big things from like when we were young whippersnappers to now is you know there's there's so much information free and i know there's some of it's crap for sure but you think i mean youtube is a wonderful place there's a load of places to go learn now
that doesn't it doesn't involve needing to shell out a ton of money um with one of the big certification houses to kind of get your knowledge up um and there is a lot of helpful people out there i mean you think across the various social media channels i know i've dissed twitter a few times today but there are some really really amazing people who if you show passion and interest will happily get on and help you um you know if we get back to the the world of being able to meet up again you know it's one of the things i love about b-sides right is you have the workshops you've got um there's the villages going on and you
know get something i know defcon isn't accessible for everybody but just the amount you can get hands on in those types of environments you know makes such a difference and we didn't have that when i was young um i want to move on just a little bit and talk about imposter syndrome because i think this is something that comes up a lot and i hear it from people who've been you know in the in the industry for years and i did especially folks who were kind of maybe dipping the toe in the water for doing talks or going out there to maybe do a workshop or something and they've all of a sudden gone hang on a minute
do i actually know anything am i really supposed to be here um and i can i i deal with it still now um richard i'd like your take on that first how do you handle that well hey i'm with you right so i remember first doing uh you know standing on stage and speaking about a subject and again to go back to the beer farmer's point you know there's a lot that you don't know and there's a lot that you do know and it's it's a reciprocal thing in the industry um i'm very glad that google did what they did because it's been the most phenomenal learning tool that i've been accessing over the 20 years
and i still will um but the thing is syndrome doesn't need to be a psychological detriment right because you are bringing you to the table to the audience and it doesn't matter where you work what you do but you are what people buy into regardless of what you're talking about or trying to to do so remember that that that's what this is about they want to hear your story they want to they want to feel your experiences they want to resonate with what you have to say and more often than not remember this and this is more true in vendor land than it is in customer land is you will probably know a hell of a
lot more about the subject you've been asked to present than the audience will right and that's less true if we talk about b-sides and defcon and things like this because you tend to getting into a mix but and from my side of the fence in vendor security like you know i'm selling products and talking about products that nobody else knows about so i've often found don't get too stressed about what you're saying what you're doing and because hey you should know more about this subject but if you don't be you bring you across let people buy into your experience and passion and because that's what they're going to remember they remember how you discussed the subject and kind of what empathy and
and sort of sort of showcase you brought to it so don't don't ever feel that you're an imposter you are there because you deserved it you earned it and and own the moment and bring you to the table and that will never be a bad thing five minutes guys okay cool thanks dad um i'd love to get your thoughts on this um when i at some point in my career i remember somebody suggesting that i needed to consider what sort of persona i wanted to adopt as a professional persona and i think that was probably the worst piece of advice anybody might have ever given me and what i've learned contrary to that is authenticity
is the most important thing the idea of adopting a persona is basically saying go to work and pretend to be somebody you're not was what was being suggested to me you know portray yourself in a in a specific way and i can't do that um i've really learned i can't do that and this is if if i'm authentic i'm speaking my mind i'm caring about the people i work with um i'm admitting my own fallibility and i'm asking questions sometimes very direct questions but asking questions all the time and that's that's my truth and and and if i live by that and i succeed living by that i don't have to suffer from any kind of
imposter syndrome because i'm just being me and if somebody likes me being me and wants to employ me and keep me employed and then i'm not an imposter i'm in the right place if i'm pretending to do something then it's always a risk someone's going to catch me out so for me my advice for everybody if you're considering whether you're in the right place or whatever be authentic stick with it um be yourself and and let the good things happen i i i'm with you all the way um i i mean i'm not gonna get oh my god i'm a woman in security isn't it terrible it's even worse for me but i definitely feel and i'm sure
for the um the folks on the call who uh use the same bathroom as me or to you know um stop getting into a whole thing about d&i right now because we've only got two minutes uh but there have been times i remember walking to my first meeting with a bunch of customers and there were 20 technical people in the room from a big bank and all of them guys and i bricked it and they're all staring at me we're in this tiny little room and we got talking and all of a sudden it clicked in my head that yeah actually i i was supposed to be there and i did know more than everybody else in that
room because i was coming to meet with them and they had questions for me and it was this like almost glowing feeling inside and it was maybe i was riding some adrenaline from somewhere and i was actually just slightly insane at the time but it helped um for sure but i will say this even now when i do talks on stage i still get the fear every single time before going on stage but i've learned to kind of love it now it's one of those like moments of excitement as opposed to being like i need to run away and hide maybe not do this maybe get a new career maybe go back to travel i was really good at tickets so i think
yeah the having faith in the fact you're supposed to be there is easy to say um but you have to just keep telling yourself um because it's true if someone's asking you to come and do a talk or you know you've put a talk into a conference and it's been selected you've been selected on that merit okay own it make it yours right and if someone starts interrupting you apart from scott saying you've got five minutes um during your talk especially if it's an in-person thing generally they're being a dick right so it's on them they're a dick you should never interrupt someone during the talk um we are nearly at time so i know we
have our three takeaways which i didn't have one slide but i've decided slides are for other people um so this is what we wrote down yesterday and i think this is still true um number one don't on your cv all right because you'll get found out keir will ask you questions about dhcp and it will fall down around you um it's much better to say what you can do um and there are a bunch of folks who can help you with your cvs in this industry as well so don't think that you have to just put i don't know i just like a job um don't think you have to know everything be willing to learn ask
questions and ultimately trust in why you're there because you're supposed to be uh guys thank you for being part of this today uh we are dead on at time i think it's either a break or some opinions coming up scott can you come back on and do some embassies sometimes into my own talk absolutely um that that was really really good it was nice to actually find some counterpoints to some stuff we were talking about and it ties in really nicely to what we spoke about which is disagreement is fine um you know having different opinions is is absolutely fine and that is great um we didn't get in many questions we got one person saying
on experience over certs how would you get through the door and application with desirable field specifying certs etc hr would bin your application um yeah that's how i've bypassed hiring um people for a bunch of friends if i if they're friends or networking people i said my friends people i just know of because i hear you right that first round can be really hard to get through because they're looking for keywords um and you know if they can't see you have had experience of this exact job title before they'd be like oh no they can't do it um yeah and as we know that's not always the case there's so much that's transferable um so that that can really help yeah
use your networks yeah and it's it's almost inexcusable not to be able to network now um i hate to put the pressure on people but there is twitter the vast majority of people are extremely friendly in the industry they will absolutely speak to you and you know what if someone's going to be a dick to you on twitter it's probably not the sort of person you would want to work for or work with like that that's been my advice to students