
all right welcome to the uh welcome to the offensive security career panel um i think this is like the first panel for uh bsides 2021 thanks everyone for joining uh we have like a really great uh guest feedback we have a really great guest today we'll start off by everyone introducing themselves i'm joined today by beats who has worked in this field for a very long time uh pw crack or uh bob weiss uh if you're telling people your real name today uh also has worked in the field a very long time uh a face well maybe a voice that you might recognize very well uh today uh ippsec uh joined by by nick um and then uh another
another offensive uh guy that's maybe a little bit newer to the field than than some of these guys are arash parsa here uh and my name is kyle feducia i will be uh moderating keeping bob in check today and uh now i'm gonna kick it over to chris to introduce himself and we'll go around yeah chris gates i've been doing this professionally since 2007 so feeling old um currently red team lead at robinhood and my name is bob weiss or pw crack i've been doing this for probably about 14 15 years and currently head of information security for openvpn ippsec i've been doing this since 2006 actually so [Laughter] um i do a lot of work at hack the box
contracting videos etc uh i'm arash i've been doing this since just 2016 and currently i work as a red team threat hunter at cyberark uh so i'm barely on camera um i can't say exactly when i started i'm gonna go back and say officially in the cyber the offensive realm back in probably 2012 um but in the more i.t related stuff um back in i'd say like 2000 something like that 2001 um yes in high school um and i'm currently doing a freelance offensive security work so um one of the first things i want to do is is kind of say you know what does your job look like right now and maybe how you got there and
you know just describe your typical day and if it's important maybe like how you got to the role you're in now and what you like about it that sort of thing chris it's really early to ask such a long multi-part question and open-ended question um what do i do today so i'm uh engineering manager for a red team and so i was what do i do all day i go to meetings all day so what do you what do you like about that what do i like about that okay i like that um it's really on me to plan what's the best thing for the organization and how do we get better from a red team perspective
so i'm very honored and lucky to have you know ciso that's given me a lot of control on deciding priorities and how to actually achieve his goals are you remote right now remote yep i've been remote basically the last 15 years so okay yeah that seems nicer than from some of the jobs we've come from yeah so i recently uh just started as the head of information security for openvpn i think the relevant part for this discussion is sort of the process or how i got from red team and penetration tester to that position i have sort of over time uh elevated or escalated through being a pen tester and trying to be a good pen tester and trying to make sure
that i was technical hands-on keyboard eventually becoming sort of a team lead and managing multiple pen testers and and i decided you know very as part of that process it was like hey i wanted to get to cso at some point in time uh and i had always sort of served the role of being the integration layer between the technical people and senior management going back and forth being that credible voice but also always making sure that i was technical and hands-on keyboard and not just being the manager or whatever and um i so so it's been for me this sort of well are you technical now do you do you see a keyboard in the day yeah so i
i am not that is not my role anymore um so we have we have an entire ops team but this was your your goal when you started or maybe earlier in your careers correct yeah and and i always wanted to make sure that um that i that i wasn't just um you know management track right that i was um you know that my technical skills were still there that i i still you know i'm still reading and still doing hacking sort of uh you know in my basement on the weekends etc but um but i want to make sure that i am that i maintain those technical skills and that i had credibility you know if
i've got one foot in the technical team and one foot in the management team i wanted to make sure that i was credible in both areas um and and that was something that was sort of very well planned and and sort of a a goal of mine so that wasn't an accident it was something that i planned for all along
so what was the question again well i mean for you we kind of know what your days look like these days uh if we watch hack the box um or the the videos you release and hack the box but um you know just describing maybe uh what your current what your current day what your day-to-day looks like for your role and um maybe how you got there if it's relevant um my day-to-day changes a lot um i'm either making machines validating machines creating testing scripts or just in meetings trying to sell the product at really probably five days a week i have six different things i do so it's just a crapshoot what goes
how i got there i'd probably say like a lot of fake it till you make it a lot of the videos i just spent at least at the start like 12 15 hours preparing to do that one hour of videos so it's one thing i really like about your videos you see the mistakes as you go along and have have you like you as the observer can watch someone else like realize okay mistakes are common he has to figure stuff out too i really like that about your videos yeah it's actually an art i think about that part because those mistakes i'll normally make you can't put all of the mistakes in yes i pick and choose which mistakes i want
to make um unfortunately i can't choose the typos i wish i could eliminate those but it's a lot of editing work to get rid of that yeah i've watched some of those i was like i see the typo and i go watch you spend like 10 minutes figuring out what was going wrong like come on man there was a typo find it cool um so right now i'm a threat hunter so what that means is i wake up every morning i look through the news i look through intel feeds and i make hunts for you know new apts basically you know i decide i'm seeing a lot of this tactic in the news lately i'm seeing a lot of apts
doing this lately i'm going to try to see if i can catch them based on some edr hunts you know my favorite being what what time do you wake up to start that process no god no i wish i would wake up at 11. now these days i usually wake up around 8. i like to be thorough i usually go until the afternoon make sure i catch everything i can while people are working through the day at least yeah all right so we're going to jump into rookie mistakes this is a offensive okay this is a that's that's a good plan this is an offensive security panel and you know our audience is really probably
people that are either interested in getting into this field or maybe are just starting out in this field have their first maybe soc job might be in an adjacent field and want to transition so um i'd say rookie mistakes maybe things that you learned early on um and i guess i'm supposed to interview myself here too so maybe i should do my day to day but i'll jump into that um say rookie mistakes that you've made um that other people can learn from and then i'll answer this question rookie mistake this is my first time moderating a panel so here's my my rookie mistake so my day-to-day i freelance so my my day-to-day is sometimes waiting for clients sometimes
waiting uh working with customers to try and set up contracts uh some days it's out breaking my legs kite boarding um while i wait for work to come in and some days it's it's um trying to find contractors to help me on projects and other days it's it's actually just doing the work uh pen testing doing doing the offensive security work um with the clients and i would say that my my most the most enjoyable part of my job is interfacing with the clients that don't really understand what we in the offensive security field do and how we can help them i've got a lot of great customers that we've we've helped a ton uh just open their eyes to how we work
and what value we can deliver improving their security they're really smart engineers i think we've all worked with really smart engineers that just don't know the security ramifications of certain things and when you introduce that to them it's really eye-opening that you know someone would take that mindset on attacking their system and to me that's the most fun is like introducing that concept to these like really smart people and that just kind of click for them and be like okay i just had so many great ideas on how we can protect our systems in the future and that's that's the the fun part for me uh and then i'll do a rookie mistake since i'm supposed to be first
um uh my rookie mistake was probably um thinking i i knew a lot more than i that i do uh and i think every single year or day that i spend in this field especially working with people like um the guys on this panel i learned so much from them working for them from working with them uh interacting with them and going to these conferences that i cannot wait to be live again um just learning so much from these you you realize how much you don't know how much there is to learn and how important the community is um to your your career your growth um so for me i would say probably um the
rookie mistake was not getting engaged in the community earlier arash uh i would say my rookie mistake is just information overload at the beginning there was so much i thought i need to learn it all instead of just you know taking it in and having fun with it as it went once i started to actually enjoy it i started to realize i'm actually learning more i think probably the biggest rookie mistake i had starting out is like lack of documentation and being afraid have you fixed that yeah i have and also like being afraid to like admit when you screwed up something um there's been that's an important one that i think we all have to learn
especially like when you do pen testing a red team there are times you're gonna crash a service and most of the time you can kind of bring it back up but sometimes when you bring it back up you don't bring it back up fully and introduce other things so it's much better just to be kind of up front being like hey we tested this the tool normally doesn't do this i don't know what happened but things went down and i feel like that happens for you a lot yeah probably [Laughter] yeah that's a really good point nick of sort of admitting mistakes right being open about it uh you know so raise your hand and say hey
i screwed up is step one towards being able to fix things right that's a huge thing i hadn't thought about that um so first of all i was like i don't think i've made any mistakes um but i would i would say this um there are two things that i think differentiate what i'm going to call junior pen tester from senior pen tester junior pen tester knows 500 tools but senior pen tester knows that 450 of them do not work right it was like senior pentester has actually run those tools and i think um there's definitely a tool overload in this space yeah yeah and and a lot of times it is the wrong thing and it doesn't work and
there's been abandoned on github yeah exactly and as to say you know it's like if you just kind of look at it you think it was like oh you know like i could just run that tool and i was like yeah we've done that right it doesn't work and and here's why it doesn't work right that's sort of the senior pen tester thing the the second thing i would say that's sort of the um that differentiator between the junior and the the senior um to me is we tell everyone to be tenacious right like never give up you've got to keep going right like never years like do not accept failure and try harder right keep hacking etc right
and and being tenacious and never giving up is part of our culture um and i think in a professional setting uh it's very important to know when to give up right to know when to stop right there's a difference between failing on your way to success and failing on your way to just failing and wasting more time right failing on your way to failure and uh senior pentester sort of knows that difference and knows sort of how to apply their time in an effective way uh so and i think i i have done a little bit of both i have failed on my way to failure and failed on my way to success but uh experience is is sort of knowing
the difference between those two things that was a really good answer i regret not going first um [Laughter] uh what would i say another rookie mistake yeah another don't go after pw crack um from a micro level i would say like not testing payloads and so wasting all the energy to do something and it failed because i didn't test it thoroughly enough um as i've gotten more mature in the process not seeing what my stuff looks like to a defender would be my second like rookie thing is what does it look like on the wire what does it look like in virustotal how quickly can they just undo whatever it is i did on the you know that's that's one thing
that i learned at some point in in working this field is that i liked going back from defensive to offensive to defensive because every time i i would learn a new tool um on the offensive side i'd be like oh man i can't wait to try this tool out never really thinking about exactly what you said which was how do you how would you go and go about detecting this and then you know you you work with someone like arash who is like oh man i would detect it this way this way this way it's like i need to jump over to the to the defensive side again uh to learn those tools totally agree
all my defensive time has made me a much better red teamer understanding how people go after and figure out what i did and then you oh well let me just do it this way because everybody doesn't i took a forensics class uh at one point early in my career and you know i i was i was a script kiddie probably at that point and uh i took this forensics class and and learned about all of the various artifacts you leave behind on your offensive work and it was eye-opening to me i was like man i was so sloppy i was leaving things all over the system and if i were to be you know as you know operating as like
an apt there'd be no chance i'd be caught instantly by a skilled defensive uh operator yeah uh because especially if you're a consultant it's really difficult to get to interact with those internal in defensive tools like you just have no idea what what anyone else sees internal teams you get a lot more flexibility to hopefully you're partnering with that those teams and you can go actually see what they see uh okay i'll just say that's one of my favorite parts about being uh in the freelance space is i get to see a lot of different environments uh from their defensive side uh just learning what they see from my activity and it's when you're in a when you're in a role
that's not like a consulting role you see one environment and i've had the opportunity of seeing a lot of environments in the freelance side um and you get to see that you know you might be at one point working with a very sophisticated uh defensive team and then you move over the next week and you see an absolute train wreck and you really have to change your your tactics but when you don't know what you're going into um you kind of have to assume that they're really good changes the way you operate from a macro level i'd say it was a lack of empathy so i would just assume people didn't do things because they were stupid or lazy
and instead of understanding that's definitely a rookie mistake yeah there was a reason that are things that are that are the way they are in a network you're looking at and giving advice to and you probably don't have the context so the fact that someone was just lazy and didn't do their job is 99 percent of the time not that reason that it is the way that it is it was probably a management decision and they were kicking and screaming saying don't do it that way or it was unintentional like oh well we intend to fix this and then just got busy because they were lazy or intentionally malicious yeah um that's a great a great answer um
so you know it's not so bad going after pw i think i pulled it out yeah so um what are some other jobs you've considered in the past um you know what brought you to this this particular job are you happy where you are maybe not not too introspective though we only have so much time okay um i've also done defensive work um which is when i moved from consulting red team to internal red teams my transition was also being on the detection response team invaluable and i think if anybody can do that they'll be much better off like i mentioned i'm the manager now and so um i always thought i could do a better
job than the other guy or girl and now realize they were had a lot to do and i'm enjoying it because i'm kind of a master of my own destiny and i'm really focusing on playing and exploring as the red team lead and trying to do things and what's the next thing that a red team should be doing because there's not really a book on how to run an internal red team so i think anyone that's doing that is having to write the book as they go are you thinking of writing that book uh we'll see i would like to demonstrate that i can do this without failing first so that's the question of whether someone
will buy the book not whether you're not you should write it um yeah so you still get credit as an author even if it sits on the shelf right so i mean for me you know my uh in my career my trajectory has been sort of well planned out from the beginning you know i i wanted to get into red teaming um not we called it tiger teaming even back then right um that was a thing and um uh you know i i sort of tried to do that all along and years with an eye towards eventually moving into uh management moving up so uh you know for me it's it's that's been sort of that well
carefully planned trajectory i guess um so i started out on the blue team side well sysadmin because back in the early 2000s there wasn't red or blue it was all just defense and defense yeah that's definitely changed in the last last probably decade but um i always played a lot of starcraft and if i had failed oscp in 2014 or 15 i'd probably be in korea as a starcraft commentator so that's kind of why like i continue my videos destined for twitch no matter what well no i was on justin tv and before that um ustream and before that live stream so i was part of like justin tv i was i think the very first
partnered stream within the la like first five or six back my starcraft date this i did not know [Laughter] are you are you happy you you opted or you passed that exam and went for cyber security or would you rather be a gamer at this point it depends on the day although you've kind of found a way to merge the two like the gaming and the offensive security yeah so the the takeaway here is like invent your own job yeah um so i went from blue i got oscp did more of the red team stuff i really didn't like it as much doing it full time because kind of as like chris pointed out like
you always assume lazy or incompetence and i think if you just do red team long enough you become cynical really easy and it's just not great because all your job is to do is point out failure watch other people fail etc it's just not healthy to go straight from a job to oh i'm gonna go to this company let's see how they screwed up today like i think that's pervasive in this industry especially if you're not jumping back and forth from defensive to offensive and gaining the empathy that chris talks about like exactly what you're saying you get cynical and you start thinking everybody is an idiot and everyone's network is a disaster yeah you pop that shell you do a little
shell dance and then realize you just made someone's life hell so it goes both ways uh for me i actually didn't start with a technical background i went to school for advertising i went to college for six years and i never graduated i was very bad at it and right after that i decided one year i love computers i did research on you know some hacking stuff i found oscp and i got it that same year and that's basically how it started for me um so i asked myself the same question which is uh how i ended up there what other jobs i considered um i i definitely did the defensive offensive defensive um back and forth and
you know as we talked about i think it's been really valuable gaining the empathy gaining experience really realizing how bad my offensive opsec was when learning about more defensive analysis capabilities and um i i guess i i i gravitated towards the freelance thing um as a way of having a little bit more of my time back um i i like it i miss i miss some of the aspects of having the uh the nine to five um a little bit more stability but um i definitely value the perspectives into various different teams tool sets methodologies how they work uh one common thing that i do see across most of the networks i've i've taken a look at is
a lack of segmentation that's been a pervasive problem but um otherwise they're they're pretty pretty unique every network i take a look at uh so next question we're gonna we're gonna chat about is advice for people starting out in this field something that maybe you wish you had have um heard something you'd like to pass on to people starting out maybe people that already in the field um that might learn from your mistakes um for me uh i think i already mentioned this so um i'll i'll just rehash it because i think it's important and probably probably the reason that that i'm here uh helping organize and um contributing to the community events like uh bsides nova to me the community is
really important i don't think that i would enjoy this field if it weren't for the people like those joining me today the folks that are attending this conference the people i get to learn from interact with i think the community is what makes this fun so if i would say there's a piece of advice it's get engaged with the community those are the people that you will be spending your life with and i think this uh this community is worthwhile i think it's got a good a good crew so that's that's my maybe it's a little bit too uh a little bit too sunshine and rainbows but but i think that's given me a lot um
both as as a as like a family in the in this world in this career uh but also some people to learn from and um events like this are a big part of that i actually have two so the first one is it's okay to say you don't know in a job interview you know people mentioned this before i i think a little bit but if you go into an interview and somebody says explain to me how kerberos works it's okay to look them dead in the eye and say no one knows yeah exactly so don't be afraid of i don't know the goal is for you to be able to say i can learn
instead that's what i learned the second piece of advice is everybody thinks blue teams will detect everything um and will detect your really crazy unique stuff and that you think we won't detect it at all it's really flipped so it really does pay to learn blue team yeah the one the one thing i find about offensive security is it's a very asynchronous environment and this is something i start out with by saying to all of the clients that i work with and you guys probably have done the same it's um as a red teamer i just have to find one crack in your defenses and as a defender you have to fill all of those cracks you
have to know every single uh part of your attack surface and and fill every hole i just have to find one so it's asynchronous i have an easier job um so don't feel bad i mean you got a hard job um mine probably would be talk to as many people as you can get involved in the community like kyle said and just try to learn everything and apply that to what you have is that possible it's not but i mean as long as you maintain like five percent of the community knowledge you'll be extremely successful so how do you how do you feel i think that's a good you raise a good question um and we are running low on time but um
oh no we got we got plenty half hour left i thought we were on the hour um you raise a good you raise a good point and it's the learn everything and it's something i've struggled with in my career as um you know this web application testing there's there's the whole domain of the windows attack surface after active directory uh now there's there's there's cloud focused um security and you've also got multiple different clouds um there's there's just so many different fields that you can maybe specialize in you can't know everything like what are your thoughts on specialization well i think i guess rephrase a little bit don't avoid a certain topic um like don't avoid blue team i mean my
red teams like my most successful pen testing is always whenever i find the red team organization so there's been a few times where i just run like pec where powershells get injected threads which makes cobalt strike highlight and like oh um on this pen test i found the red team on these three boxes the blue team kind of should go look at it and um but like one of the topics i always avoided trying to learn this field was like binary exploitation things like that things that involve like c plus plus soon as like a low-level programming language involved i just went and tried to do something else and yeah my eyes have glazed over at
some of arash's more in-depth uh reversing talks but if you just spend like a week or two you'll probably be surprised how simple it is after reading like the msdn documentation to see how windows actually works oh i make a call to this and this is what it returns and a lot of the exploits will start making sense after you start looking at those apis and it doesn't require like in-depth knowledge of any programming language it just takes like work where do they learn about some of those things uh if you just go to like ippsec.rocks and [Laughter] i gave everyone a chance to plug something today yeah so i think that the part of this is
right is you should expect to be continuously learning there is no like oh i've learned i learned how to red team and now i'm good enough and i got a job and and we're done that you're never done uh this is not going to end uh you need to be continuously learning and you probably spend most of your day learning practicing etc the amount of time on target is going to be fairly limited so this is going to be probably a a question that might derail us a little bit right but um what are your thoughts on burnout i think i think that that's a real complex issue for i mean nick was just saying learn
everything i mentioned how many different areas of expertise you can have but and you're saying keep learning keep learning keep learning i've always found this this particular career field to be uh it's important that you love to learn like that is one of your you know core interests learning new things all the time but you know what are your thoughts on burnout right so um i know burnout is a real thing in the community and um the only the only poor suggestion i would have is uh do what you love right if you're if you're enjoying what you're doing uh great you're probably not gonna burn out or at least you have a higher tolerance
for it um if you're if you hate web app pen testing and you're doing web app pen testing then you know you're gonna have a bad time uh that's you're not gonna be able to get there um but i i wanted to circle back to your your point about the community look part of what the community gets you um is you're looking if i just tell you to go out and and learn binary of reverse engineering like you're gonna not gonna know where to start like you know and and you're gonna be overwhelmed you know again you sit in on one of arash's talks and it was like it was like what just happens right you're
just so it's just so overwhelming right but you need to you need to do that on a regular basis right here it's like sitting on that talk you're probably not going to understand 100 percent of it but you'll get a little bit and the next time you come back to it you'll have more context and if you participate with the community and follow other people who are doing that type of thing eventually you start to have more context and more availability and now you're getting more out of that talk and eventually obviously your goal is to be able to say hey look let me try to run through that right and it's like don't get frustrated that
first time right meet the people stick with it be in that put yourself in that mindset of continuous learning and and build context and that's going to get you over that hump and then as i say if you're not enjoying it or not having fun you just got to stop right i i love doing some pieces of this and there are other pieces that you know are not as much fun for me i i do the ones that i have enjoy that i have a good time with yeah community um if you're if you feel it back no so cr chris was in the community chris was one of the guys that got me started yeah
i just wanted i want to plug his organization nova hackers because you know i was talking about one of arash's talks arash i can't talk about exactly what he uh presented um i guess you can't okay uh but i want to plug um there's everyone's got something to plug up here um and chris uh kind of started this community effort how many years ago chris too many to count long time ago nova hackers you started 2009. you started nova hackers with uh rob fuller mubix um 2009 you're saying somewhere around then i mean that was that was really the origins of community efforts in this in this uh this space and it's still going it's
still active we're meeting via zoom now but yes it's still it's still a wonderful event we have groundbreaking talks i think uh arash now he he cleared it with with us uh he dropped um a i think it was a one day um a brand new cve um that uh he he he built an exploit for all night spent all night building an exploit for yeah and uh yeah yeah so you get to see leading-edge stuff and um you can interact with these people so i think community so anyway yeah i mean what i would say that was like community because you can't do this alone you and when you talk about burnout you need that circle of
trust you need that circle of safety you need someone psychological safety to be able to say i don't know or have trusted friends to i'm actually really struggling with this go to go to the you know nova hackers or go to your friends you've created so yeah don't lone wolf it like you really do need some friends in the business uh other pieces of advice it's probably not you it's them um so yeah because like you're what was that about empathy you're saying yeah well no it's you mean and why i say that is like that's empathy for yourself because we are we are dealers of challenging assumptions we and a lot of times we've not been
invited by that person to challenge their assumptions or let them know things so can you say that one more time just to make sure we caught that we are dealers of challenging assumptions i think that's what people haven't asked for that so you we we want to make sure that we're encouraging them that they want this kind of stuff and a lot of times we show up kool-aid man into their network and create work for them um so to have empathy is like we weren't invited most of the time or if we're not approaching that from the right perspective we think it's us when in reality they just weren't ready for what we had to bring and you're
challenging their assumptions something that we all i think we all have a little bit of discomfort with uh having our assumptions our closely held beliefs sometimes challenged like that and the last one would be keep remember to play and explore you probably got into this because you're curious and you want to explore play and explore if you got into this field you're not curious you're screwed you're gonna have a rough time yeah and then when it's like when you have like 16 000 million things to pick from to learn whatever is exciting to you and be okay to be like explore something for a bit like i don't like this sometimes we feel like oh i've been this
web app guy i have to be that person forever you you are free to start pivoting and doing other things um just remember that you can yeah i think i think you brought up a good point uh when you're talking about community and kind of brings us back to that burnout question uh for for me when i get kind of overwhelmed i get on new engagements and i've never seen the environment before i don't know anything about their their network their defenses their applications and it's overwhelming it's like a fortune 100 company uh and it's a small team and just having that community can bounce ideas off of um say hey there's this application i've
never heard of i've never seen i know nothing about do you have any ideas that having that community i think alleviates that burnout alleviates your need to know literally everything um and i i think it's an opportunity to build friendships and relationships and and learn more so just having that community accessible and um nurturing those relationships is really important yeah totally agree all right so um we're kind of the end of the the scripted part um so i'm going to open it up to um question that i've i've been kind of interested in and we might we might kind of touch on the same topics but um [Music] has the i know for for me
this has changed my my my life but has has working from home i know it hasn't probably changed for you but have any of the ramifications of you know this last year obviously we're doing b-sides nova in a much different format this year um i've missed all my friends i'm i'm happy to be here and see some of them today but how was your how was your day today how's your life changed and how have you worked to mitigate that and keep keep going uh in this kind of like new environment that hopefully won't be around forever man um can i go last um i've been remote most of the time and can can you tell us like maybe
about some ways you've learned to cope with that and stay focused at home maybe those those those sorts of things i had learned i had gotten a really good plan because my i had the house to myself all day and then all of a sudden for covid i had four other people in the house with me and it completely wrecked everything that i had set up the last couple years um i think we're all kind of struggling with something similar um [Music] well now you can get out a little like to me it's important to go have human interaction uh go have lunches with people or just get outside and take walks the drawback of being fully remote all
the time is you you don't get to make those personal connections and i i've seen in my own career that has stifled me and my growth in companies being was usually one of the few remote people um so being a remote what keeps you in the the dc metro area um california is really expensive we have family here too that they're kind of old so can't really leave yeah so i i think it's been a really interesting time i mean obviously the community and personal interaction is a huge part of my life um it's definitely one of the things that i miss the most um i'm very anxious i'm glad we're here um you know the small group that we have
presenters today i'm looking forward to um to the conferences coming back and the ability to again grab lunch go to meetings things like that in-person nova hackers things like that um so looking forward to all of that um that's it's a big deal to me um but you're living on hope uh yeah living on hope adrenaline fueled but um but there have also been advantages right so um got a lot more uh personal time uh to uh to work on things to learn to be a little bit more focused um a little bit less commuting things like that so uh so there have been there have been takeaways that i think look if you if you not for everyone all the
time but if you look at maybe society as a whole or even our industry as a whole there are going to be some permanent changes right there there are people who are not going back to the office there are offices that are not coming back uh there are there are unproductive things that we were doing um that everyone realized yeah we don't need to do that anymore um so so i think there are going to be a lot of positive takeaways and not everyone's going to have those but i think on the margins they're going to affect a lot of jobs so you know look from my perspective there are a lot of positives that came out of this as well
i got a ton of training time um uh completed uh completed two certifications just during the pandemic uh i had just finished up another one and a new job and the new job yeah uh so a lot a lot of positives and a lot of things that i was able to accomplish but also now looking forward to getting back to some of the things that uh that were sort of taken away from us and uh and that i that i really valued it would probably change a lot for me uh before i wasn't remote so once the pandemic hit i lost like all sense of structure and my days used to be built around like
the nine to five type thing but now my days are based around meeting times which are a lot less than nine to five and it's actually been more of a struggle to get my videos done working at home than it was being out of the house 12 hours a day because i think like i'd be strapped on time and what little time i had was a lot more precious and i'd schedule out like three hours to do a video but now like i have what feels like all the time in the world so i procrastinate i guess yeah for me it's a double-edged sword i was yeah i was already full remote um before covid i got hired to be full remote it was my
first full remote job ever and i loved it until covid hit all of a sudden i'm like oh my god i'm trapped here i used to go out and hang out with people and it becomes hard on you mentally i think for a little bit i even considered paying a little extra and renting out an office monthly just so i could get out the house but you know i think after a while i get used to it i got settled in you know you give your life a little structure and working full remote can oftentimes be more productive in my experience yeah my my his my my day-to-day hadn't changed too much i think what changed significantly is i
look forward to going to these conferences pretty much monthly um in conference season i mean we start out with uh shmoocon one of my favorite cons of the year closely followed usually by b-sides nova and then i usually hit thotcon in chicago maybe pick up another one hushcon sometimes on there um another b-sides dc i think that's october we hit toorcon one year um obviously hacker summer camp in in august and for me it's just that steady stream of information that's pretty much how i regulated my information flow is i would i would basically dedicate the time i was at cons to learning new stuff getting new ideas uh learning from my friends and having a
lot of social interaction and it also you know stayed uh you know it it kept that burnout at bay um because i enjoyed doing those things with my friends uh so i think that's been the biggest um kind of like change to my lifestyle and the way i work and i would say i i've learned a lot less over the last uh 14 16 months since we haven't had all these opportunities and i quite frankly can't i don't know how you you as attendees are doing this right now i quite frankly can't stare at a screen um on the hours that i'm not having to stare at a screen for work um i'd say the one thing that
i am appreciative for that we'll probably stick around even after um things things get back a little bit more to normal is the communities that i've built on um platforms like discord i've got a bunch of hacker friends and discords that you know it's it's a a place to bounce ideas off of it's a you know it's a little bit of a therapy just to chat with other people like-minded um have a conversation when you don't have office you know co-workers around even if it's just sharing jokes and memes so uh i think that's that's been the big change for me um but i'm i'm definitely looking forward to um having those those conference seasons to
kind of regulate that information flow it helps track trends it helps track the pulse of the industry so changing changing topics um the next question we're going to talk about yeah we have three questions in the chat okay okay so we got a question from the audience that we're gonna we're gonna field all right so i'm gonna pass you the mic so we're gonna kind of merge these together first we want to figure out was it nature versus nurtured what did you like cling to this industry
mentor that kind of helped guide you and lastly um would you pick the career track or would you pick the consulting track to learn more if you have done both i know that those are great questions really great questions and i probably will ask you for a revisit to those let's see it was nature versus nurture um [Music] how did you get into the community and then um i really like this one how did i forget it um career career track versus consulting okay um so let's see this is this is definitely um a little bit of both for me that's a cop-out answer i know but um i have always been a curious person
i take apart every single thing i buy i absolutely can't sleep at night until i figured out why something behaved the way it did um and so for me that curiosity was is has been there forever um i definitely think that uh having the right people around you to nurture those things and say it's okay to break stuff it's okay to take that computer that you know speaking my my parents like they buy me a three thousand dollar computer and we didn't have very much uh and i'm tearing it apart my mom's like that's cool my dad's like what are you doing we just bought that he's going to break it so having that permission to break
things has been an important part of that what got me into the community it was actually bob big thanks to bob i think he was he he invited me into the community he made made sure i was introduced to people um he you know just made sure that i knew of events and i think that was um you know he he changed my my career track uh much uh in a big way for the better so thanks thanks bob um and as far as the so it's important to have someone like that i think that's it's always it's important to either be that for someone else or or find that in the community that's
why i do these events really and the last question consulting versus like a traditional career i don't think you can do consulting without having the career first i'm not going to say that i'm an expert in anything anybody that does i would be wary of i spent a number of years doing the much less interesting work um kind of paying my dues and learning uh a large subset of the information is not technical it's interacting with co-workers it's interacting with clients it's interacting with management it's understanding how to navigate the relationships that you have to navigate in every single aspect of the career in order to do consulting it's basically all those roles merged into one you have to
interface with with clients you have to do technical work you have to interface with your team and you have to do that in a way that keeps keeps everyone happy and quite frankly that's that's hard to do sometimes because there are a lot of personalities involved so i don't think that you should aim for one or the other if your goal is consulting i think you have to you have to you know get your feet wet somewhere and probably go the the classic route of learning from other people that's that's uh a good way to start out it's also hard to to make you know get business contracts if you're not constantly involved with other people so that's my
opinion on it and i might be wrong uh so i'd be interested to hear what other people have to say so arash yeah sure you know for me it was definitely nurture when i decided i wanted to get into penetration testing and security and all this stuff i sat down i hacked my router first that was really fun then what i did is i did my first vulnerable box ever i did the walkthrough and when i got my first reverse shell with that little python one-liner that everybody knows and loves it was so exciting that when i did sign up for the oscp i did it 16 hours a day for about four months it was i put more effort into passing
the oscp than i did into all six years of college six years okay correct i didn't even graduate that's right i actually got the oscp that's right yeah you know yeah you know that's another discussion i suppose yeah you know um as far as what brought me to the community uh i did a ctf one day both these guys showed up and then this guy was like hey you should start hosting the b-sides nova ctf and that was awesome you know um it really helped me out i started hosting more ctfs i started meeting more people i have my own ctf team now oh can you plug your podcast too i only have one episode but
we have a podcast we're trying to do some episodes um it's called aj you're overthinking it our first episode is with uh charles f hamilton if you guys don't know who that is that's mr.un1k0d3r he's the guy that made like scshell and all those really fun red team tools that you guys who has donated one of his classes uh to the winner of the coding tournament just as an aside yeah the mr.un1k0d3r offensive coding class it's amazing he'll teach you tricks and techniques that bypass av and edr even actively today you know this isn't just another old here's how to do code but it won't actually work class um as far as career versus consulting goes
i definitely agree with kyle on this one you got to have a career first before most people will trust you to do consulting so so i guess how it got started um probably mainly nature my brother is seven years older than me and he's also into tech but he left when i was 11 when he was 18. so i didn't really have a long mentor in terms of tech because i was just getting into it he did like introduce me into slackware when i was a kid which was awesome but he also introduced me into windows me which was hell [Laughter] and for for the millennials out there what is slackware uh linux distro
yeah so um and then like when i was in high school i ran a blog we just put out a new like blog post monday wednesday friday we followed xkcd because we love the comic um they were mainly tech focused like game hacking some like ddr we had one on how to make ramen which eventually landed on attack of the show which was pretty cool um i didn't go to college i my plan was to go probably in the air force because i was too lazy to apply to college and then i got a job as a sysadmin so i mean that's pretty much my career like i have one big like the big differences
like and who pulled you into the community um i just started attending shmoocon uh my brother attended shmoocon so i was i think shmoocon 6 was my first one another great community event and as an another aside we should have heidi uh coming up later today on the panel uh this afternoon who runs shmoocon by the way and then probably uh as kyle said the career you may think it's important to go consulting where you can like interact with all the companies but if you just go in a career you can do both sides of things and more find what you want to do i think going back to that it's on the career side
you get to you get to see more sides you get to play more roles and consulting it's like you have to do all those at once and i think that's just it's hard to do it once three minutes left all right right yeah so i totally agree with you on the on the career uh versus consulting thing consulting is something you probably do after your career or toward towards the end uh on the nature versus uh nurture question for me it was uh it was more nature i had an entire career doing marketing uh before i touched infosec at all but as soon as i touched infosec i was like oh this is it i'm home i met the community
i was like hey these are my people and it was just sort of a very immediate thing for me i didn't have a lot of people who sort of led me or showed me the way um to me it was just you know like i showed up and i was like oh this is this is the thing it's named a career uh mostly nature i always want to know how things work and how to make things do things they're not supposed to do which is really what we can you build a community yourself did someone else else get you into that i mean it was the it was the austin hackers association that had the nova hacker model uh but really
i just wanted to know everyone in this area when i moved here and when i would go to o auspin um [Music] what was felix thing um there were a few other groups no one talked to anybody they would come listen eat pizza and leave and i wanted to actually know people and i'm shy all right well uh thank you everyone for joining today um i hope you enjoyed this conversation as much as uh i did and coming up next we have some more great panelists but we've got to get out of here so that we can make room for them tune in another five minutes