A Journey to Mastery

we have our great keynote for the conference Louie neeger the journey to Mastery Louie is a season security engineer and the founder of pentester lab a platform dedicated to teaching web penetration testing with over a decade of experience in cyber security Louis is focused on pentesting architecture analysis and code reviews he recently launched a YouTube channel AB School further extending his passion for education in application security we are very privileged to have Louie so let's welcome him to the

stage can everyone hear me okay yep perfect we okay that's starting the bullying okay I see so greeting hackers it's an honor to be speaking in front of you uh when Sy Kylie and Sylvio because Kylie is the one actually doing the work asked me to do the keynote because they needed an Australian speaker and as you can tell by my accent I'm the Australian speaker sorry let me rephrase that I'm the oie speaker mate so they asked me to do the keynote and I was like oh that's great I'm going to do keynote first keynote and then I realized like what am I going to talk about like I'm not MD Stone I'm not mad

I'm not Mike Burgas I'm just like Louie from pentest lab and so I had to think about like okay what I'm going to talk to like all these people for like nearly an hour and what can I show them what can I like teach them like what is valuable and what is something they can't just Google in five minutes or ask chat GPT and so iord iord I and I did this introspection and so I found it so as uh syia said I'm the founder and C CEO of pentes I train people for a living and and uh since pentab is rather still very small and maybe because I hate myself a little I do customer

support now it's actually a great way to learn how people learn and what mistake they make and create better content and since uh yeah recently I started doing something even worse than customer support I do office hours so basically anyone on the internet can contact me and talk about if applic security startup or their career and most people talk about their career and that gives me a lot of information and I think a pulse on what people are struggling with in security and I'm also very lucky to have a lot of friends who are pretty good at computers uh some of them are here some of them talk during the conference some of them talk at bit conferences uh yeah

I had a lot of fun with a mid journey to create like friends hackers uh you can tell it's CB because like she got like a apple like no one ha with a Mac and no but most seriously so let's get back to customer support so when I do customer support it's for people who are beginner and people who are more intermediate as well so think of people who can already find z w top 10 easily so they're not like complete beginner in computers and I get the same issue again and again and even people who can find bugs in bug bound CE or play CTF even with those people I get the same issue again and again and can

you gu what the issue is anyone in the room like most people when I tell them they can't believe me I will give you a int rfc1918 people the issue I come across the most is people don't know the difference between a public and a private IP address yeah that surprises a lot of people especially like if you're old school it's very very surprising and first time I was like okay this is because you're using a public IP address that's not going to work on the internet second time I was like and I keep having that pattern again and again and I'm talking about like very often over like six years or something like that so I as myself like

what's going on and so I did again more introspection for leadership so I thought about like oh how did I learn about this and I remember like back in the day playing like Lan with my friends and we had that like private IP address and we were playing computers and it was fun and then we start going on the Internet to play and we have we had this like modem that we nickname the blue stingray if you like screen you can maybe see it and it was great USB modem because at the time every computer with a USB modem had a public IP address so imagine people running Windows 98 Windows 2000 be on the internet like

people nowadays complain about oh you have ldp on the internet but back on those day you could like I heard SMB Mount shares of other people on the internet just by using their public IP address and sometime you have to put a password alleged allegedly so that's what and that was great because you had a public IP address so you could run like your DNS server your mail server back in the day people were running their own DNS server and mail server and HTTP server and you could share like Linux isos with your friend really easily and then we move to something a bit more modern and like people start having more than one device one computer

so they move to like a a modem with Nat which was really great for security because you didn't have your Windows system directly naked on the internet the bad part is that it was a lot harder to run your DNS server your mail server and you had to learn learn about like port forwarding why it wasn't working what a public IP address is what a private IP address is and all those stuff and this is basically how back in those days you were learning um computer hacking so first you were doing like a bit of operating system because you needed your computer to work you needed to install your pirated version of Windows 98 Alle

allegedly uh then you needed to do a bit of programming sometime because it was fun and you like we're learning that on the side for fun like when I'm saying programming is HTML and finally you were learning a bit of networking and as part of learning networking you were learning about public and private IP addresses but nowadays things have changed like you don't have necessarily the same needs like you don't it's a lot easier to do things like email DNS or even sharing files with your friends so you don't need that and when people so but and then on you had done all these things sorry you were jumping to hacking so most of the people had like this good

foundation across the board and then they were moving to hacking nowadays and for multiple reasons people learn hacking they directly jump to hacking without necessarily having all this knowledge about programming uh networking operating system and as part of learning hacking when they come to me or when their reverse Chell doesn't work they learn about Network a bit more and they learn about public and I public and P private IP addresses and that's what I call Just in Time learning nowadays people are learning when they need it and there are a few reasons for that like um first uh the amount of knowledge is growing all the time so back I think in 1900 like the amount of

knowledge was doubling every Century but now it's I think according to IBM so it's probably true um the amount of knowledge is doubling every 24 hours or something like that so not only knowledge is increasing the quantity of knowledge is increasing but the velocity at which knowledge is increasing is increasing so we have more and more and more stuff so you don't necessarily have the time to start learning programming networking operating system you just need to jump into hacking because hacking is growing so fast that if you start doing those things you don't necessarily have the time to jump to hacking because those things are growing too fast and hacking is still going at the same

time another thing that is interesting um back in those days is this thing is not great um back in those day knowledge was really hard to get by so basically when you wanted to learn hacking first you needed to be able to connect to the internet which wasn't that easy at the time it was a lot less Plug and Play that it's now but also knowledge around hacking was a lot harder to find you had to go like on dodgy websites where like a third of the content was about uh hacking a third of the content was about carding like making fake credit card and a third of the content was about how to make

bombs so if you're lucky you can learn how to hack and keep all your fingers now but so and it was really hard to get by this knowledge and now uh what we are really lucky is for long time more and more knowledge was available freely and publicly on the internet but what we can see now again is the other way around is that knowledge is now disappearing it's growing but part of it is disappearing first due to private research uh when you're selling an iOS zero day for or an iOS chain for 20 millions or as M said like a lot less but still people are tend to keep their secrets secret and that makes sense so

it's people are sharing less than they used to do probably like since for the past five 10 years and yeah another thing is uh we forget uh it's really hard if you want to uh do research on Old bugs which is one of my hobbies to um get old stuff like get Old Source Code get old application working it's really really hard and also we forget we have this wheels of knowledge that seems to like okay something is really like on the spotlight right now in security and then we forget about it we forget about it we forget about and then it comes back and it's again in the spotlight and if you look at uh research for example done by

Stoke at uh presented at black hat it's something that people used to do like 20 years ago and then we forgot about it and then we have back into it and yeah and the last thing is um artificial intelligence uh since people are not are no longer writing down things or asking question publicly they're asking chat GPT all this knowledge is disappearing so the knowledge we use to train AI uh is slowly disappearing or no new knowledge at least is created for most people so people who run the AI still have that knowledge because they have the question and the response but we are not we don't have access to that knowledge um so I'm going to mostly talk about uh

my experience as people training redish team but I think it applies to Blue teams as well uh after all it's like two faces of the same coin in my opinion but we can discuss that some people disagree they're wrong but so I did this like all this research around learning and I start uh looking up things and I came across this uh Japanese is thing named Shu Hari and it's the steps of learning so uh Sho is the first step you're beginner you start learning things you start the basic you start understanding how things works then you get a bit bit better and you start learning patterns and you you have a deeper understanding and then finally

you add the re and like you're like master of hacking or whatever it is and you got you gain a deep understanding and also something really interesting is that you break Z rules and the patterns you learned before and if we look at security research a lot of people are doing research on breaking the rules if you look for example at Jes Kettle all these research around like HTTP header injection and things like that all the time it's like you shouldn't have these two headers in a request that's a rule of HTTP but he breaking that rule slightly and that's how we find cool bugs one thing that is fascinating about Shari is that soou is very

uh beginner and H is really Advanced is the complexity of the Kenji is increasing over time and I find that fascinating there's probably a German word for that as well but I don't know it um another thing is the UNC unconscious incompetence and like it's a pyramid and the wrong intution is really good I think you probably came across it in security pretty often like you have people saying like very stupid stuff uh like oh you should UNC that information shat two because that way we can't decrypt we only need the key for decrypt it now you can't encrypt with shat and this kind of thing so that happens a lot in security but what I find even more

fascinating is the right intuition when you talk to people who are pretty good at computers and you see them like looking at source code for example or attacking a web app they know there is something there they can feel it like their spidey sense it's tangling and they can't explain to you why but they got this tion that there is a bug and most of the time they are right they they have this way of spotting that something wrong they can't put their finger on it but they know that something is wrong and I think if when you get good you got this intution at least that's what people are telling me um another one is like the drif model

of skill acquisition created by uh two brothers in the 1980 and you go from novice to expert so to explain it a bit in a simpler way this thing is a nightmare uh so oh I got a lock it's probably secure that's a novice that's also the wrong intuition I guess um then you keep learning oh so this is something it's called TLS there is an encrypted tunnel and a trust relationship then you keep learning and it's like oh the server the key of the server is used to sign data and then you have the certificate authorities blah blah blah you keep learning and then you move to like oh actually def man that doesn't work like

necessarily like that then um we have Sni like seven name indication as well and you have all this layer of like more and more knowledge about TLS and finally the fun one is when you start reading and writing source code of TLS libraries and um I think that 3D is illustrate that knowledge is like an onion like you can keep peeling peeling peeling and you're going to find like more layers to learn and I think TLS is a great uh view like great demonstration of that because not only there has all this layer you're going to peel peel peel in TS but also you're going to cry with every layer thank you true

story another thing we don't have with uh hacking or Security in general is is we don't have ratings you know if you play chess you have ELO rating so you can say like oh I'm 2400 you 1,200 I'm going to destroy you uh we don't have that in hacking uh in the same way we don't have uh Olympic Games or world champion of hacking uh and if you think about like oh things like uh bugbounty payout or uh like being the best has like C all the ctfs worldwide and top 1% of one on one platform it's like you're missing I think the point and you're missing a big part of the industry who doesn't do CTF

in the weekend who doesn't do bug Bounty who doesn't do like who doesn't train the same way as more a lot of people train and unfortunately we can't tell like oh this person is a world champion of hacking we don't have that we can't even tell like this person is better than this person I have a friend with really really really really good at web stuff and way better than me and most people people can tell the difference between the two of us because it's really hard to tell like who is the best I know that he's way better than me he is polite so it doesn't say it but and I think you have this thing that it's

really hard until unless you really deep down into like one some something very specific to know like who of two person is the best because we don't have all these ratings you are not like grandm of hacking like we have it in chess but to keep it simple we're going to cut things in like three categories beginner intermediate and advance and don't get too cut off of like what you should do to be an advance it's more like to illustrate the points uh like if you're beginner you start understanding things like common vulnerability and exploits then uh intermediate to have deeper U deepend your understanding you understand patterns and then Advance you do your own research but don't get

caught up because like everyone is different everyone works differently and it's not because you don't have all these point that you're not Advanced or whatever and no one cares if you're Advanced or intermediate anyway and in the same way uh you can't be like master of hacking anymore like you have to be specialized nowadays like when I started in security we were like security consultant and we were doing everything nowadays you're like you're not even a pentester you're web pentester or like architecture like infrastructure pentester so people get more and more specialized and that's for for example like someone with pretty good at Windows let's say and you can split knowledge in like this arbitary um uh categories but

again it's more like to illustrate the point than uh to really like that's the best way to do it there is no best way and another thing is like you may think when you start hacking that it's going to look something like that you're going to be beginner then intermediate V Advent and it's going to be leonaire and it's going to be amazing and what you realize quickly is that uh the reality is a bit harder so when you start it's amazing you're like drinking ho drinking water from the hose it's like you're learning so much it's so great and then you like start going to the intermediate level and it's get a lot harder and it

takes a lot more time uh to get better and better and better and most of the time and that's something I see when I do like office hours is people tend to Plateau so they at these stages where they feel like they're not progressing and I've been there like uh if you're working somewhere and you're doing like the same web app all the time you you tend to not progress so you need to like find a way to break out of that plateau and that's usually when people like start changing job or find try to find a new role and yeah so and now to illustrate that I'm going to talk about mistake you can make

and I'm not judging because I made those mistakes I'm still making them every day uh like do as I say not as I do and I hope this will help you and maybe you're going to recognize yourself and say like okay but I'm totally doing that doing that I should probably change my Strat strategy so early on what a lot of people do is they think hacking is cool they watched a TV show and they can't wait to find like oh I'm going to hack with this person and we're going to be together in the keboard and it's going to be super cool the reality is like hacking in for cyber it's a lot of

grinding you have like really good moment but it's a lot of grinding and like that never happens like I've been doing security for a long time that never happens like if you knew like not not happening not today not tomorrow never or maybe I'm not good enough yet but yeah so like people like the idea of being a hacker but they don't like hacking because hacking is a lot of grinding and sometime you got success um another thing is um people don't have Direction people don't know like I got a lot of like people who want to get in cyber and they like I want to get in cyber and they don't have direction or goal goals they don't know

like okay I want to be uh I want to work in GC I want to be a pentester I want to work in the blue team they just don't know where to start because it's so big but if you want to make progress you really really really need to have a direction you need to know what you want to do and it's not doesn't have to be like forever it has to be like maybe for the next two years or three years or even to start just have something have a goal say like okay now I want to be a GSC person and I think that's what a lot of big are struggling with another thing I see is people who

um I don't made I didn't make that mistake hey um so people uh picking money or a nice job title early on if you can afford it and not everyone can I'm well aware of that try to pick the job where you're going to learn the most your most uh your first position is going to be really really important and two things especially the team you're going to be working on and uh working with and the work you're going to be working on that's critical to like you saw like this uh like line between reality and expectation I made like that's really going to decide what the end go of the first line is and it's also going to

help you like make connection with good people and things like that it's really really key so if you can afford it make sure you pick a job where you're going to learn a lot over aob where you're going to get money because trust me if you learn a lot at the beginning you're going to make the money down the road it's going to happen um another one so um I think that's from the movie Star [Music] Trek um so uh when you run a training platform people come to you and like they come with a sub story like oh my guine pig is sick and I really need to need to learn pen testing can I get a

free V and I'm a sucker for a sub story so some time I say like okay yeah I'm give you one vouer like let me let let me know how you go and also like since I'm super admin on the platform I can see who is doing what and some people get the voucher and they kill it the majority of people don't do anything with it which is very interesting and I again like why is that and some people think they need to have the training access to the training to start learning and once they get access to the training they kind of run out of excuses they're like oh now I need to do it

computers are boring and and I think that's really interesting and um not a lot of people realize that um when you sell training like I do as I do I don't sell like knowledge the knowledge is out there you can get it um if someone is selling you like secret knowledge most of the time uh that's BS like it's snake oil there's no not real like secret knowledge some knowledge is harder to find than others but there's no real secret knowledge when you buy training you're paying someone to like create knowledge organize it in a nice way make stupid videos and stuff like that like that's what you're paying for the knowledge is out there the knowledge is free you're

just paying someone to create for you like what people in chemistry call like a cataly catalyst basically a catalyst in chemistry does not change the reaction it just speed it up so the reaction is still going to happen the chemical reaction but with a catalyst it's going to be faster and that's exactly how you need to look at training training is just a cataly just a way to learn faster it's not some magic uh ingredient that's going to make you good just going to help you get better another issue um and the last one for beginners is the impact of AI and I'm not not going to talk about Singularity or stuff like that it's more

like uh AI makes people struggle less and that makes people not as good as finding information debugging things like I don't know if you looked at someone like working with AI with ch GPT when they like hacking or doing programming just like get an err message copy paste in chat GPT change the thing that chat GPT tell them to do like when you're doing that you're not really learning you're solving problem but you're not learning and I think that's one of the biggest danger when you're a beginner is that if you do that you're not um really getting better and at the end of the day you may have solved some challenges you may have

found bugs but you're barely better than you wear in the morning and I think that's one of the biggest danger because once you want to get better you don't have those like big strong foundations to to get better sorry intermediate oh so uh until like what people usually do is they learn like all the thing at the beginner level and they all beginner in everything and then they start learning at an intern intermediate level and it's like just to demonstrate a point more like what reality is like we're looking at pattern not the reality like when I show the moon don't look at my finger and they keep learning like that and then they do a bit more Linux they do PI

more Linux and now they like intermediat Linux and what most people do when they at this point and that's what I think one of the biggest mistake is they jump to windows at and try to like fill all of them to intermediate because that's what they did for when they were a beginner and that's I think a big mistake because um you're doing things that are easy and comfortable what you should be doing instead is we go back here and now you start grinding on Linux and get to advance at Linux things and not all Linux things try to find something tiny something you really like like sorry for me when I was doing web stuff

it was Tomcat I got obsessed with Tomcat I don't know why tomat Java um and try to get better better and better at this one thing instead of spreading th because if you really want to go to advance and like do good things good do research and stuff like that you need to be really good at one thing and then you keep doing it more and more and more until like you run out of IDs because um this keep being like intimidate is really comfortable you're doing the same thing you're just like buying another training buying another certification uh you're just doing more of the same thing we're going to advance is you need to change everything and

that's where it's going to be uncomfortable it's going to suck you're going to hate it but that's where you're going to

learn and it's also sorry and I think being and also I'm using manager between codes it's like manager being like no someone who is like doing something that is Technical and other things that are less technical on the side it's not like dising people um yet no no no but like if you want to like be a practitioner be someone who does security at very technical security and at a high level you need to like try to be really good at something and it's especially important when you think of it as a Team Dynamics let's say you have like 10 pent testers or 10 blue team you want each of them to be really good at something so

in total you have like a team that is really good at everything where if everyone is average at everything you got a team that sucks no fans but like so yeah and then you can learn from each other and there's even more important than that is that um I got something oh sorry yeah so some of the mistake people do is uh moving to manager role and I'm saying manager is like uh for example doing content creation starting a business and it makes it really hard to stay at the top of your game because you have other things like my aim today is not to be a expert an expert at hacking it's to be an expert at teaching

hacking that's how it works and if you want to be a manager you should aim to be an expert at managing hackers not an expert at hacking anymore because that's no longer what you're doing but again it's on average some people are really good manager and amazing hackers so um another thing is not keeping notes mistake like people do I was really lucky when I was young I had like really like amazing memory so I I didn't take any notes like ah I'm going to remember that and turns out like when you look at stuff like 10 years later surprisingly you forgot so get good at keeping notes as early as you can and like keep them over

time like you use like text file mind map whatever works for you but keep notes and because you don't keep notes for you in a year a month two years you're keeping notes for you in 10 years because sometimes especially with Enterprise um it going so well you run on system where like you act 10 years ago and still there so it's important um God damn it um another thing to start doing when your intermediate is working on your resilience and doing exploratory work I manag to say it correctly basically um work where uh so exploratory work where work where you don't have guidance for it work where you trying to find new things that haven't been done before

work where the answer can't be found by Googling something and you need to do that because that's what you're going to do later on and um for example some people have a really hard time moving away from moving from CTF to uh vulnerability research not because um vulnerability research is harder but because vulnerability research is less comfortable when you play CTF you know that there is a bug hopefully uh you know that there is an exploit that can be made this thing can be exploited and you know that it's time bound you know when you to cut your loss where when you do vulnerability research a big part of it is like being resilient enough to know like there may be

something there may be something and until you find it you don't know and that's really hard if you don't start building it up early on uh I love this illustration like oh you are so close and I think like that's what a lot of people when they do like security research and things like that some of the time you realize like H I was so close and I didn't find it because I just like stopped too early and that's why you need to work on resilience exploratory work so you get use uh of to this um another mistake so that's a bit long but basically uh when when I was younger I looked at people doing talks

and oh that's amazing they doing talks they're so cool uh and I thought like oh they were doing like all the research just to do the talk and the reality like if you talk to like people who do like research and stuff like let's for example team we did a talk like two days ago on like uh deep fake and uh identification you may think like oh he did that research to do the talk but he actually te does this kind of shenanigans all the time it's exhausting now but like you see my point is like people some people are doing that like rock stars rock stars are not Rockstar because they like to be

Rockstar in front of 20 200 people they're Rockstar because they're like practicing shitty instrument every day and that's the same for hacking and the final point is when you're like finishing this intermate you may think that what got you here nice transition uh we'll get you to the top but it's not true like famously Tiger Woods had to unlearn how to swing like tigerwood golf for people like me who don't know much about golf um to unlearn how to swing uh to get better and it's the same thing with hacking you have to unlearn some of the stuff you're doing every day if you want to go to that advanced level because uh at that advanced level you don't have

like Google giving you answer you don't have like chat GPT telling you this is where the zero day is Louie and no that doesn't work like that so you need to change uh the way you learn you need to change uh how you work um and the good thing is that the lesson you learn here are the hardest but they're also the most valuable oh my God this things is uh also the most valuable because once you learn things at this advanced level you can easily replicate it to something else and I'm not going to tell you like oh exploiting stuff on Linux is the same thing as exploiting stuff on Windows I'm talking about the meta things you're

going to learn uh things around uh Cod review like advanc cod review being able to like take a big piece of shitty software and like read that code uh debugging not like print but just like really like looking at stuff in depth and see what is happening not what you think is happening what is actually happening uh everything around methodology is like um trying to find the shortest um feedback loop when you're debugging an issue or trying to exploit something those are hard things to learn autonomy as well um knowing that oh you can't rely on Google search you can't rely on chat GPT you can't rely on other people research you need to think on your own and I think that's

what a lot of people have trouble with and finally complex patterns trying to like having a more advanced understanding of security issues um yeah another thing like so when you at Advance what is really hard it's staying up to date especially when you start aging you have kids and stuff like that you become a manager or whatever um another thing is to find the right difficulty to work on um because you don't want to be climbing the stairs on the right basically you need to find stairs with steps that are the good size for you and with size with size is that increases all the time you don't want like big stairs where you like in front

of them like oh man I can't do it and you're just like uh not progressing because it's just too big you can't climb them how like it's like trying I'm going to start code review let's open chromium source codeo and like that's not going to work you need to find something that is easy enough but not too hard like you need to find something which is above your comfort zone and under your failure Zone just in that uncomfortable space and you don't want even to find something that is too comfortable that's the stairs on the right because like you're going to jump the stair up but you didn't learn anything so you need to really find like those perfect stairs

for you another one is be lucky and if you work hard enough trust me you're going to be lucky that's how it works like in security there is a lot of luck involved to finding bugs but surprisingly people who spend hours and hours looking at the same source code get lucky no idea why but that's how it works so yeah you need to be lucky but I think if you work hard enough you can be very lucky very quick um another one is really important for everything is that's basically the job of security is challenging people's assumption including your own and um I got a good example for that um if this clicker works so um that was last year a

research from uh someone named Felix who used to work at Google and you find this bug in uh passport saml which is the not GS implementation of saml and this bug is nothing short of amazing so basically you can bypass authentication if the application is using uh pass uh passport not node passport and what V issue relies on is basically what you learn uh like the first rule of XML Club is um when you have an XML document you only have one root uh element only one but the first R rule of XML Club this bug relies on the fact that the underlying uh XML passers accept two Roots element and yeah so I think it's really

good to like ch assumtion is like okay what when I'm looking at something being blue team or red team what are the Assumption I'm making to think this thing is secure or insecure and question that all the time because that's how you're going to find cool things another one is failure um it's really important at conferences we only talk about like successes uh but failures is a big part of uh having successes and like people tell you like when you start learning to SK like if you're not failing you're not learning and I think that's really true for like computers or riding as well um but yeah and like since everyone is talking about success I'm going to share

one of my failure and it's on Twitter as well because I'm that stupid so I was like looking at this cve and I'm like um in Apache James which is a basically a mailbox so you have like your email somewhere and there was this cve and I was looking at the patch to see like how they were preventing the directory traversal so the issue was like something like that vas pool mail do do Etc passwd classic directory traversal and I looked at it and have a tweet about it because I thought like the way we're fixing the bug were pretty clever and a bit later there was another CV on the same stuff like ah what did I

miss so stupid and I tweeted about it and now I told you about it and and turns out director TR veral are a subpart a sub family of big or a bigger family named path manipulation and the do do/ magic wouldn't work anymore I tested that but what could happen is that the user route one to three you could access the emails from the user route because I didn't check there was a slash at the end and yeah so that's why one of my failure I'm sure you have failure to share as well hopefully so I don't feel as lonely right now and it's okay to fail because that's how you learn now if we move to my favorite

subject certifications that's a deep uh part of how we assess knowledge and a certification is a picture to know where you at on this uh scale of all this knowledge are you like good enough at Windows to get the certification or not good enough it's basically people checking like where you at if we look at the over diagram it's basically a line saying like oh you're actually here what uh the certification doesn't tell you is what's going to happen after that are we going to go up or are we going to like I don't know start doing some stupid stuff or stop doing computers at all or like I don't know and stop learning and

what we do as people or at least what I do is I project my trajectory to other people and like oh if at that level they're going to keep progressing like I did and that's not necessarily true because they may get way better or way worse and I think as an industry we suck at being able to assess someone else knowledge in an hour or two hours interviews but we suck even more if that's possible at judging how someone will progress over time and that's actually what we should be uh what's that's what we want to know I don't care if you don't know what a JWT token is in in if in like a year or two

you can find OD days in every like JWT stack I give you like fun like yeah and I think that's really something we really bad at like when we interview people is judging not only where they at but judging where they're going to go and like impossible to judge in my opinion so you may ask that's a lot of talking Louie how do I get better at learning um so I think it's good that you're asking yourself this question that's the first step what you need to do is hack the way you learn because if you get 1% better at learning it's going to compound over time and you're going to learn more and more and more and more

so spend time trying to think of how you learn um I don't know if anyone know this nerd no offense we all nerds um so this guy is named Joshua whin and uh he won the US junior Championship in chess and they made a movie of him big deal nerd and then what he did he world the champion uh world champion in t Push Hands I think he wor his title in taian uh Taiwan which is like super martial arts super hard to win blah blah blah blah blah and why how did he manage to do that so that's very impressive impressive in my opinion like managing to be like to work on two things very

different and be at the top level in both things what Joshua does is he hacks the way he learns and he has different techniques and some of them are from me from him some of them are from other people and don't like he has even have a book around like the art of learning don't blindly follow it but just try to find the thing that works for you what makes you a better learner what allows you to learn faster I think that's really important especially if you're early on in your career because that's going to compound and compound and compound over time and you may need to change it over time as well and we can actually learn a

lot from chess because uh chess has been around for ages and ages like way before computer ping trust me and it's I'm going to it's way harder to be like world champion in chess than in computer hiking first there is no watch in computer hiking so but yeah and um it's really interesting inter because chess has book around learning chess but they also have book on the best way to learn chess like how to optimize the way you are actually learning chess and we don't have that in computer hacking yet and also like a lot of other things like chess is a lot about uh patents recognition they also have like uh how you call that a damn it opening

middle game and end game which can be like probably like what you can compare to compare like with exploitation like you like you find a way in then you try to get a bigger fingerprint and then you can to you try to stay here like a lot to learn from chess another thing is learning from content and by content I means YouTube blog post advisories all these security content we got like bombarded with over time um what most people do when they read an article or watch a video is what the impact of this hate it or like it we like to think like Risk Managers and we read that article and like oh what's the impact of this am I

impact it should I care about it should I not care about it what you should start asking yourself is how can I learn from this so that's the first stage what can I learn from that article are they doing things uh what did they find how they find it now you go one level up what patterns can I apply to something else I learned about this attack maybe this attack on JWT works with Sam all or maybe this attack on Linux will work with Windows it won't be the same but the same pattern and that's really important you need to think in patterns like people do in chess they don't learn exact position they learn

patterns and then why I didn't find it and you think like oh silly I didn't look there and yeah no what I mean is like if you look at a bug and you wonder like okay we if I had looked there will have I find it and another f failure from Louie uh CV 2022 21449 uh so basically it's uh a vulnerability in Java 15 16 17 when you're using ecdsa so when you do signature verification with ecdsa you got two big number s two numbers S and R and the issue with that is that if S and R are both zero you can bypass the signature verification which for me is an amazing bug because I love saml I love which can

use ecdsa I love JWT that uses ecdsa uh as well and I was like okay will have I find this bug and the answer is no because I wouldn't I would have blindly trust Java to do the right thing and I would have audited all the library in Java uh using ecdsa but stopped at the fact that I trusted the underlying Java uh software to do this properly which is rather silly because this information is even available on Wikipedia s andr should be between one and N minus one otherwise the signature is invalid so if I had look a bit if I have not trusted Java and if I were to spend more time reading reading Wikipedia I

will find better bugs and I think that's the kind of lesson that you can learn by inspecting things like really bit being critical about your skill set and like okay will have I find it and I think you canar learn a lot from doing that introspection work um you can also look at other people and ask yourself like how they learn and what they do differently from you and try to emulating this um disclaimer the way someone who is for example really good at computer does something right now may not be the way they learn to do it so what they are doing right now may not be the best way for you to do it because they like you

want kind of to look at what they did where they when they were at your level not what they are doing right now but it's a great way like look at someone else research and it's like oh that's so cool I wish I would do that but look at what they're doing like look at when you read read the blog post read it twice once what's the impact of this blah blah blah and twice like what are they doing differently what are they doing that I'm not doing um uh another slide addiction uh uh not great like and I'm not talking about not not great for your Learning Journey but I'm not talking just about like drugs alcohol but also

like social media Tik toks like um everything that take your attention away um back in the day like if you look at people doing like professional surfing or skateboarding these people were getting hammered before a competition hammered the day before and then they were doing the competition and winning and blah blah blah now what they like athletes they just like Don't drink don't smoke nothing like push-ups the morning and like I think it's going to be more and more the case in security that uh you're going to if you want to like go at that top level is you're going to be need to be careful about what you do and what impacts your um the

way you think the way you work so to wrapping wrapping it up I don't know I'm doing in time um so first one is act the way you learn really really important if you can take just one thing from today's hacks the way you learn really important because it's going to compound over time enjoy failing because it's when you're learning if you're not failing you're just in your comfort zone doing cool stuff doing training doing certification but not really learning you need to fail regularly and you need to fail bigger and bigger and bigger every time you need to do hard things as well push yourself try to do things that uh you didn't know how to do if something feels

hard try to do it uh like when I have like people coming to pentest some of them have like zero background in it and I'm like uh I can't tell you if you're going to be successful or not like everyone is different some people hate failing some people hate being uncomfortable some people love it and so I I'm like yeah I can't tell you like try it and we'll see how it goes um and finally happy I King and hopefully you get some good know L from this talk or at least I made you think or made you laugh and Final little quote from todor roselt nothing in the world is worth having or worth doing unless it means

effort pain and difficulty thanks for your time [Applause] everyone thank you Louie for that great talk do we have any questions to Louie uh in the audience there's one um just in the middle

uh hi Louie thank you so much for talk uh it was great resemblance to chess I just would love to ask you one question as you were talking a lot about Chess and you seem very passionate about it so in your opinion uh what will be your queen queen tool in pentesting you know like which tool you would consider as your queen where you know it's your most valuable skill or asset on From pentesting perspective oh that's a good question so first thing in the addiction I forgot to mention chess not laugh um I think that's a great question I think first I wouldn't I think I wouldn't say the queen is a tool or something I think a

queen would probably be um a pattern like a skill set like curiosity or something like that or pushing a bit harder I think it's like yeah I think probably the best thing the most important thing is like stay curious and yeah keep learning I say that all the time but just stand stupid but like I think and I think what is also really important is the queen would be different from everyone else for every for every single person like what will work for me may not be the same thing for you like I think it's really like a journey people need to get on to find like what works for them and also like the queen is pretty good but you can

still win game if you lose your queen in the first two or three move which would be really bad if you play chess but yeah you can still like it's not because you don't have your queen but you can't be very successful yeah I'll just take one last question at the front hi Louie great talk um do you have any advice for people when they're as opposed to picking the area to be an expert in choosing which areas not to invest time into I think you need to find something that you really like and um I like to talk to people about what their superpower is and like what they are really interested in what they have or

what they enjoy doing but people like other people may not enjoy doing and I think look at that and like try to find something that you really enjoy doing because at the end of the day like when you're grinding uh you really need to enjoy it it's like the same when you start a business if you start a business you better do a business in something you really enjoy doing because sometime it's going to be very hard and you need to enjoy that as well we have a speaker gift for you before you leave but let's thank Louie one more [Applause] time