
Hi, uh, Eric, it was really nice meeting you, and thanks so much for taking the time out of your schedule to talk to me.

No problem, nice to meet you. Thank you.

First things first: you're here at BSides NYC. There are a lot of security conferences that are happening, and I heard that you have gone to a lot of conferences, so what's so unique or different about BSides NYC that made you want to come here?

So, uh, you know, as you mentioned, there's lots of conferences, hundreds if not thousands, uh, and then New York's even got their own conferences. Uh, I, I like the mix in BSides NYC. There's, uh, there's a good bit of hacking, but also, um, other
security talks here. So, um, I feel like a lot of, uh, conferences that are already in New York, uh, may be just a little too offensive or, or pentesting oriented. Um, this one is a little bit more well-rounded. Um, and also there's just a larger community here, so, um, larger venue means more people that you can interact with, with and learn from, and, uh, yeah, those are some of the reasons.

Yeah, absolutely. I've noticed it firsthand myself, right? There are more than 900 registrations and about 800 people showed up, so that's amazing. That's a great turnout, for sure. Yeah. And the other thing that I wanted to talk to you about is your work in this
industry. Talk us through your journey, what it is that you do, and what keeps you motivated.

Sure. So I run a company called Include Security, and we do, uh, hacking of applications, everything from low-level kernel all the way to high-level web apps, uh, mostly for US tech companies. And, you know, my, my path to this is over 25 years, uh, of, of just, like, kind of starting with underground hacking and, and, uh, hacking contests like CTFs, and, uh, now I'm, I'm doing what I'm doing now. But what keeps me motivated, uh, in the past, uh, like in my early career, was just this constant desire to learn, and what's the next thing, and what's the next thing, and
every time I, I feel like, uh, you know, okay, I've learned Linux command line, like, now let's learn about Linux networking, and now let's learn about this. And so there was always just this ongoing, never-ending desire to learn. Um, it slowed down now in my, like, you might call it mid-career, um, and now what keeps me entertained is instilling that, like, drive for creativity and new topics with the people that I work with. So, um, I like to say that if I'm ever giving you the same type of app twice in a row, that I'm not doing my job. Like, giving a, my team a variety of apps, a variety of different tech challenges, uh, is kind of, uh, what I
strive to do and what I currently do, so I try and give them that.

Wonderful. So it looks like you like setting the challenges and moving the target further and further away so that people are more challenged.

Yeah, you know, um, that, you'll hear a lot of security people just say, like, "Oh, I'm not challenged in my job, like, I, you know, I'm doing the same thing day in, day out," and, uh, I, I want to create environments, uh, where no one's saying that.

Absolutely. That's, that's, that's wonderful. And you said your background is in doing a lot of offense and security, and you started off doing CTFs. I also heard that you've been
participating in DEF CON. You participated prior years and you've had a lot of success there. What are your biggest takeaways, and why should people do CTFs?

Sure. Um, CTFs have been around going on 20 years now, and I was lucky enough to win DEF CON CTF with my team back in 2003. And I find that, and now there's, to the point where there's so many, there's, there's CTFs every weekend, and I find that, uh, there's now very, very high-level CTFs where it's just the best hackers in the entire world, like DEF CON CTF, and then there's more beginner-oriented CTFs, and, uh, they're more friendly, and they're just a way to get into learning new things and make it to kind of like a
gamified, competitive way of learning. So it's not just "what's the next dry thing in a textbook I read," it's "oh, well, how can I get this flag from the challenge, and, like, what do I need to learn to do that?" And gamification makes learning more fun, and CTFs in security are the ultimate fun, in my opinion.

Wonderful. One thing that I'm noticing in all your answers is your love for learning, and this definitely comes with a mindset. So what really keeps you going, and what are some of the things that you've learned today?

Um, so, you know, these days the things that keep me going are, are very different from the, the things that kind
of got me into the industry. And they get, what got me into the industry were technical challenges, and nowadays, where I am in my career, is more business challenges and management challenges are the things that are interesting to me. And you can frame them all the same way, way, like, uh, you know, getting onto a server with a remote exploit is no different than selling into a business. It's just how you frame it and how you think about it.

I love that.

You're doing, you're doing reconnaissance, you're, like, you know, you're trying to figure out the same general information. Sometimes you're using social engineering. Is very much the same from the business side to the technical side. These problems can
all be kind of aligned. Um, I think that was the first part of your question. What was the second one?

What did you learn today?

Oh, what did I learn today? Um, so, yeah, I think today I learned the most about Terraform, uh, which is a kind of like a, a server configuration, uh, language, uh, made by HashiCorp, um, that's very commonly used in the cloud. And for me personally, uh, you know, that was kind of an area that I had not learned a lot about, so it was good to see some, uh, hands-on time to, uh, play around with that and see what some of the security problems and the ways of solving those
things were.

Were there other talks that you were very excited about for today?

Yeah, I think, uh, the serverless, uh, hacking talk, maybe the IoT hacking talk. Those, those were ones I was pretty excited to see.

Wonderful. And for those coming to BSides NYC, what's your suggestion to make the best use of this community here?

Sure. So my, this is my general recommendation for any, any conference, is, uh, pick your, pick your favorite talks and have them be no more than half the talks for the day, okay? So if there's eight talks presenting the day, pick your four favorite and make sure you go to those four, okay? Um, but allow yourself flexibility to engage with people and have
conversations outside of your, like, go-to talks.

So I think that's a wonderful tip, because I wish I had known that my first conference, which was Black Hat, and I was so overwhelmed with multiple tracks going around, and I wanted to attend everything. "Oh, this was interesting, that was interesting." Everything was a shiny object. But then I realized that, okay, that's not sustainable. I definitely need to just focus on a few things and then network, because that's what I'm here for. In the end, that community will pay forward.

And it's a weird thing to think about, but you're going to learn more from the people that you meet there than you will from one, any, any single talk.
Yes, right.

So these are going to be your future mentors, your future colleagues, uh, your future peers, and, and all sorts of sense of those words. Um, so yeah, I think, uh, just the, the interaction on the professional level and then social level. Like, there's, where BSides NYC, a ton of people here are local, so, like, even if you don't work with these people, like, you make new friends.

Absolutely. Thank you so much for sharing your insights. It was really wonderful having you here. I'll finally close with this question, and this question is: I heard that you have done a lot of consulting for TV shows, so this is like a Vogue-like episode or a wiik episode where they ask
what are the real things and what's not so real about it. So give us your hot take.

Sure. I, I mean, I'm not sure it's a hot take. I can tell you how it really happens. Uh, like, here's, here's how a TV, so when you're a consultant for a TV show, um, so I did consulting work for Sony Pictures Entertainment and MGM on some of the TV shows that they had, and, uh, I, I was specifically talking about security and technology and helping them out with that. So in Hollywood, when you're making a show or a movie, uh, you have your script, and then the script gets notes. Everybody gets notes. The wardrobe department gets notes, the sound
design team gets notes, the director gets notes, the director's cousin gets notes, like, everyone gets notes. Um, so my, my input is just another set of notes, okay? And, um, after each set of notes there's another revision of the script. So what I needed to do is, uh, you work with the, the, the production staff, so the director and the lead writer and the writing team, those types of folks, and what you need to do to them is set this understanding of reality and what, like, was the most real.

Sure.

And then what fits the narrative, like, what fits your story.

Got it.

So I would always give them three options: here's what's absolutely real,
here's the really true way to do this, and then here's one that's kind of real but more fits your narrative.

Possible.

Yeah, possible. And then here's one that, like, it fits your narrative perfectly, but it's not real. And so I would just give them those options for every, every time there's technology presented in the, in the script, the show or the movie. Um, and then they like that flexibility, because they sometimes would go all real, sometimes they would go all narrative, and sometimes they choose the middle. And they, the writing team together with the lead writer, would decide, okay, this is what we're going to do, a little bit more of this, a little bit less of that. And, um,
yeah, I think they really appreciated that kind of way of doing it, because, uh, if they did everything real, then it would be way too challenging for the writers and it might not look good on screen. If they did everything fake, then everyone would laugh at them, and everyone, you know, be two people typing on one keyboard.

We've, we've seen that, yes, yes. Wonderful. Thanks for sharing your journey there and walking us through what it actually is like. You know, that's a perspective that I have not heard from anybody else before, so thank you so much. It was wonderful chatting with you, and have a wonderful after party.

You too, thank you. Take care.

pretty