
Hello Ryan, thank you so much for chatting with me today.

Oh, hello. Nice to be here.

And nice to have you at BSides NYC.

Yeah, that's great. This is my first year being here. I'm looking forward to coming back next year.

Great, wonderful, that's exactly what we want to hear. So can you tell us a little bit about why you chose to come to BSides NYC? Because there are a lot of conferences happening at this point. There's RSA, BSides SF. Why BSides NYC?

Uh, so for me, I think, uh, New York's always been a place that I'd like to kind of get to know the community. Like, I love going to conferences to find, like, the sampling, if
you will, the culture of the hackers in that area. Um, been to Chicago, been to Vegas, been, um, to DC and whatnot, and I've always really wanted to come to New York, and it's just been one of those things where finding the right conference... Um, I love the BSides, just general, like, mission and overall, so finding a BSides here... this hasn't been in New York for a while. Okay. Um, and so when I found it, I was, the first thing, I jumped on it and was like... because again, wanted to experience the New York culture here. I love meeting the people here. Great sampling of students and professionals and just, just generally great people. So
great. That's been my favorite part of it.

That's very nice. Uh, I think I have done a little bit of, you know, like, going around different conferences, but I don't think I've ever approached it from the sense of, oh, let me try to find the right kind of, uh, cultural fit for me, the conference cultural fit. But I think that's a great thing. I might start doing that from now.

It's, it's the thing that keeps the, the culture alive, in my opinion. Like, if you find the, find your right people, find, find your, it... was it "find your tribe"? I guess is possibly a, a way to kind of trivialize it, but it's like, you know, finding the people who get
you and kind of exude that outward projection of, of the things you like. I think that's really important, especially for the hacker culture.

Great, thank you so much for offering that. And for our audience here, what would you say you do at Synack, and what has your journey been so far?

Oh my gosh. Uh, so I would call myself a cat herder at Synack. So, um, so my title is the Senior Director of Community at Synack, so I run the Synack Red Team. Um, so my job is literally to go out into the, in the world, find the world's best hackers, and find a way to bring talents to our platform and ultimately provide their skills to our
customers to make them more secure. So, um, again, I have a great job of just being able to work with some amazing hacking talent, um, find a way to get to know them, find out what makes them tick, how to connect them with other people that can create positive synergies of engagement with them, and ultimately just, you know, I'm a, I'm a networker of people. Nice. And so again, I just love getting to meet really cool people that have sometimes social peccadilloes, like, random things and quirks and odds that match my own. And then ultimately I would say that also just finding people who do just some amazing research that you would never believe, was like,
how did you get there? And then finding out, like, how their mind works. It's, it's very inspiring and it's also just, like, also humbling at the same time.

Yeah, yeah, I can see that. And I guess that's the reason you hire them, right?

Yeah, so that's, again, that's what we look for. We look for people to jump off the page.

Wonderful. You touched upon two things that really piqued my interest there. The first thing is how to hire the people with the right mindset. I think it's taken for granted, but I don't think it's that easy or that simple. So you must have definitely cracked the code with that, you know, hiring people with the right
mindset.

It's, it's interesting. Um, and so again, it's one of those things where you have to have an, an ultimate goal in mind. Like, if you come at it as, like, every researcher is just another cog in the wheel, then it's just, you're going to get exactly what you put into it. Okay. Um, the way all of our programs are set up at Synack is that, you know, we, we have a minimum bar that you need to get in. Obviously there's, everyone has a minimum level, and how you establish that is, you know, is, varies from company to company. But what I look for is ultimately, in the long term, is finding those people who
fit and understand the principle that as a single individual you can only do so much. It's how you work together as a team, how you're willing to help others and, and kind of both give and get that help from a community, is, that's what I'm looking for. So when I find those type of people, or I see that, that property being exuded out in social media, whatnot, those are the type of people that I look to try to recruit, because I know that if they're doing it unprompted and unmotivated, unincentivized, they're doing it for the love of it, that when they come into our community, that they'll, they'll be incentivized to do it even more, and it'll kind of take... I get
goosebumps talking about stuff like, about this. Like, I love when I can find a person, um, find it when I can find a person that actually, like, will thrive in that environment, and seeing the product of that, and which reason why I love building communities.

Nice. And I think this sounds like this is something that you do unprompted, right? Building communities.

It's something I do. It's, it's, uh, one of the things I always joke about. I had a manager, I'll, I'll name-drop her because she's awesome, Ria. Um, as an individual I was off the charts. I was, you know, ego pat on the back a little bit, but, like, from an IT developer and systems developer and
integration specialist, I was, like, hitting every single bar and whatnot. And at the end of the day, towards the end of my tenure with her, she's like, "All I need you to do is replicate yourself." And it kind of gave me this goal, like, well, I can't... I'm not going to do DNA splicing, I'm not going to do any kind of cloning things, but, um, how can I, you know, impact others and provide my skills or my passions and get others excited about them? So I really got into, uh, communities and ultimately becoming a person that spearheads a community around passions or interest of myself. Um, I've been in and around technology and hacking since
I was eight, and building communities, building computers, communities, computers, um, long-term earlier, and just have been around it for so long that it's just, finding a place to actually marry technology, community, hacking, all that in one job is just been, like, it's a perfect synergy for me.

Wonderful. Thanks for sharing your insights on what it is that keeps you motivated, right? That building community aspect. So that's great. You also mentioned something, you started at 8. Yes. I know a lot of people would be raising an eyebrow at that, and I think a lot of people would be interested in starting early. So what are some, what's some pro tips that you would give them?

I
mean, at this point I would say that there's, there's really nothing holding anyone back if you really are interested in, in doing, uh, cyber security or hacking. Um, the amount of tools and, uh, training that's out there, that's for free even, to get you started, determine whether or not you want to continue that interest, it's amazing how much you can get done. Um, the one that I, I throw out there all the time, like, there's a... for people who are just interested in the space, they've never done anything before, uh, PortSwigger Academy is one of my go-to, um, places that I send people. And again, the reason why: the content is really good, it's easy to understand, um, they
give you great resources and links out to other things and topics that are more deep, like database management or the underlying elements of what success is. Um, you can go off and research. Again, those are rabbit holes that you can go down, but again, sometimes you don't need to know those. You may just innately understand the concept and be able to execute it. Obviously the more you know, the better you will be over long term. Uh, but ability to, you know, get at that content is, is pretty much ever-present. There's YouTube videos, there's people, you... modules you can buy on Udemy and other, you know, individual platforms. So if you're really, really interested, there's a lot of ways to OU into it. And then I
think what you end up realizing is that after about, I would say, maybe three months, if you give yourself three months and you're like, you realize that you can't put the keyboard down, you can't stop looking at, at targets, you can't stop, like, reading and researching, you find it just endlessly fascinating, then you'll find a great career, because there's almost no unemployment in cyber security out there. There's tons of opportunity, and it's just all about how do you prepare for that job that you want. I'm a big believer in the whole, the notion of, like, if you do what you love for a living, you'll never work a day in your life.

I couldn't agree more. I completely agree
with that. And the other point that you mentioned was that there are tons of resources, but there could also be this confusion of, oh, I have too many resources, I don't know which one to look at. There could be overwhelm. So how would you say one approach this, uh, be focused and still get the most value? I know you mentioned a couple of resources, but are there certain other things? Like, for example, a common question that I've heard from people who are looking to enter into the industry is, should I pursue X certificate or Y certificate? Uh, is this better than the other? Uh, should I do projects? It's always these kinds of questions. These
are about 90% of the questions that hit me. Um, what is your approach or answer to this?

So my approach to this, it's also kind of twofold. One, I'm, I'm not a big fan of certs. Um, I've never been a big fan of certs. I've always thumbed my nose at certs my entire career, and now I'm in this position now where, as a, as a hacking practitioner, like, I have, you know, I would put my, myself, like I said, as a B, B+ person. Like, I, I don't on a daily basis have to hack, it's not something I do, but I understand all the concepts and technicals and I'm learning all the tools and whatnot. But at the
same point, so at this point in time I'm like, oh, do I want... I'm asking that same question: do I want to go get a cert, or do I just want to be okay with my, with the skill set that I've got? Um, the one thing I always tell people is the notion of, like, cyber security, the, the best and worst problem of cyber security is that it covers everything. The modern age, technology powering everything. So your sampling of whatever you want to do is endless, and so the ability to say, well, I've got to know about this and this and this and this and this in order to be successful is actually a detriment, because you can't cover the gamut of
everything. And so for me, what I always tell people is to start somewhere, um, specific. Like, if you come from a developer background, or if you have QA experience, um, or something like that, then offensive security is a really great opportunity for you, because you actually can actually have ideas and, and insights as to what the application might be doing on the back end, and you're basically geared towards poking holes and fixing problems. So you can take that knowledge and apply it in that regard. Um, so web app penetration testing might be kind of like your jam. Specialize in that. Like, take that one discipline and go deep on it, whether it's PortSwigger or whether it's
whatever other application you do, but figure out how to do that. And as you're going down there, like, figure out: is this the passion? Do I have the drive to keep going? Because this is an endless puzzle. It's always going to happen. It's always going to have another layer. Yes. So go down there, and if you're like, I've hit the road, I have no interest in going down this anymore, you've established a base from which you can step from. Step, you can go laterally, go to API testing, probably do a hop, skip and a jump to mobile, or you can slide back into network testing or go into whatever other specialty you want. But that's
where the biggest problem that I see is. When I've talked to... I've talked to kids in high school, I've talked to kids in college, I've talked to professionals that are looking to do career jumping, and they just see all the world's their oyster and they just want to do so many things. And the number one thing I tell them is, like, look, give yourself... be okay with saying, look, I'm not going to know this stuff, but I'm going to focus here. And almost any professional that I've worked with, as long as you know what you say you know, and say what you don't know, and own that up front, they're not going to expect you to know stuff. But if
you're the mindset of "I will know that if you tell me I need to know it," you know, the, the, was it the open mindset or the growth mindset? The growth mindset, that was it. If you have that, people can buy into that, because a hacker is a, basically, person just finds an obstacle, I find a way around it. In this case it's, I just need to learn that. And that, in my opinion, is what the world should be looking for when they're hiring people. Like, you look for a cert, great, that's nice, but I want the person that's going to find the wall, figure out how to scale it, walk around it, or punch a hole through
it and get me to the next one. That's the person I want to hire. That's the person I want in my community.

I think that's a great point. Uh, I'm also not a big fan of, um, certifications. I don't have any. I got my first job mostly because I had some relevant experience, which I gained through projects. But that doesn't mean you shouldn't get a certification. It just means everybody has a different path to entry, and just choose your path, but don't get, like, too pigeonholed into just doing, like, one certification and being extra focused on that, that you actually lose sight of the opportunity ahead of you. I think that's something that I
typically tell people. And you touched upon another important thing, which is having growth mindset and going deep and relying on other people. I, and I think that's where the community piece comes in, right? So that's exactly where you lean in on the community that you've built.

Yeah, and I, and I think that's the piece that I've, I think I've come to... and again, I don't want to say I over-fantasize the hacker culture, but, like, growing up in the '90s, like, you know, this, you know, there's a lot of... there's a whole thing I can go on on this, but long story is, is that before the internet, you know, the only way that you could
transmit information about hacking or about technology was, you know, magazines and other, you know, various publications, and it was very hard to get it. I grew up in a very small town in Texas, did not have any of that. Okay. Um, and so when it came time to actually getting our town online, it was, like, rand... I was interested, I knew a lot of technology, and I just randomly got, got as part of an inner circle of young kids who are, like, put in this position to be BBS sysops. That turned into, you know, an ISP. That turned into a great opportunity of a high school job to work in high-tech without, you know, with keys
to the kingdom type thing. So fun. Those are like... but that mindset, I would have never gotten there if it wasn't for IRC, if it wasn't for my ability to jump out and find rooms that were, hey, I've got, I need to figure out how to configure this thing, where do I go? Well, you can go ask people, and that was the way you did that. People shared that knowledge because they understood how important it was for people to understand it. And so that's, as my opinion, is old-school hacker mindset, is the ability to, like, Les yes, I need to, you know, I need to hold on to my skills, I need to make sure that I'm kind of
unique, and I'm ultimately, you know, I don't share all my IP, but when it's something that's mediocre and simple and, and it's people asking, you can tell that they've done the work and that they've tried to do their best, and that you can tell that they're, they're focusing, and pointing them in the right direction and not just giving them the answer, that is kind of imbued in this, in this community. And so for me, that's what I love about it, is, like, the ability for, you know, if you put in the hustle, if you put in the work, that there's a community out there that can recognize that and help you along. And then finding ways to tap into
that is, like, just amazing.

Wonderful. I heard you also, uh, utilize your hacker mindset in a unique way, uh, by writing a book. Oh yeah. So can you tell us about that?

Sure, yeah. So, no, um, I guess a long time ago I had this checklist of things I wanted to accomplish in my life, and one of the ones was an author of a book. And when I wrote this list I was, uh, 16, and O'Reilly books were very popular, and so I was like, I want to write an O'Reilly book. Um, and so when I wrote that, that goal, I was like, okay, that's what I'm going to write. And, um, I can read manuals left and right on... I've
actually read more tech manuals than actual books, sadly, and so, which is kind of weird. Uh, it's not, I can say iPhone on the same, so, so, um, and so from my perspective, uh, I started kind of realizing... I did theater work as well, and so I wanted to find a way to get creative expression. And so I started, like, well, you know, I read a book, I actually read Ready Player One, um, by Ernest Cline, and I love the tone. I was like, you can write like this, and this is actually, you sell a lot of money, or make a lot of money, whatever. And then, uh, I was like, I think I could
do this, I could write a book. And so I was like, what would I write about? Um, well, I ended up writing about, um, it's a, it's a tribute to the '90s, of, like, the power that was given, in my case, to kids that were untrained, but say, we need someone to help, you know, grandmas and grandpas and adults get online and figure out how to, like, you know, turn their computer into something that was interconnected, you know. And it's this whole, uh, Empire Records meets Halt and Catch Fire meets High Fidelity, but the, the kind of, like, the protagonists are all ISP support people, and it's, like, the shenanigans that go on behind the scenes
in the '90s at ISPs and all the craziness. So it's kind of like an homage to, to that world. And, and, uh, but yeah, but I had, I had this idea of a story and I was like, I think I'm going to write it. And then, but I was like, I had to figure out, like, how do you write a story? How do you carry something on for 300-plus pages? How do you, whatever. So I went through this process of, like, okay, well, let me go skim a bunch of books, let me figure out how many word counts I need, you... and so I basically deconstructed books into this abstract, like, okay, this is my formula of what
bestselling books look like, so I'm going to try to fill in and work this through. And then again, just, it became a, an exercise in learning a new skill, figuring out a way to do it that fit my lifestyle. I had two, you know, two kids that were, you know, under, like, I think they were six or seven at the time, and so it's like fitting that into a lifestyle that, that supported that. So it was, it was a fun exercise.

So nice. And have you had anybody solicit movie rights or Netflix web series rights for your book?

Not yet. I haven't pitched it. I actually started it, um, Netflix was doing open call for screenplays, and so
originally started as a screenplay, and then I realized that I didn't like writing dialogue as much, so, so I pivoted it to a book. But, um, my goal is to write three of them as a series and then, and solicit them at some time. But we'll, we'll get there one day.

Fun, fun, fun. Thank you so much for sharing that. And this is perhaps, um, a curveball. Okay. So, well, not necessarily, but I asked you to put a prompt into ChatGPT, oh, uh, about your expertise, uh, in your area of expertise, and I believe you asked a question about, um, how do we teach, or how do you explain, web, uh, application, uh, penetration testing, and ChatGPT came up with
a lot of answers. So what did you like about it? What did you not like about it? Or what did you think was, oh, that's interesting?

Yeah, I mean, if I look at it, can see that real quick... yeah, but it gave back, like, a diatribe of various stuff. So, um, overall, I mean, again, it, it went straight down the process. Like, if you look at the recon, like, whoa, the steps... sorry about that, the audio. Uh, but the, the steps, when I'm looking through it, I mean, it goes, you, right through the attack chain, uh, the kill chain rather, going through down to the end. But again, the thing where I thought was really
interesting is that it went light on the actual penetration testing. It actually went straight into the model, like, how do you manage it and go. So goes into reporting and remediation as, as a strong piece. Um, but again, it goes off and talks about, you know, becoming a critical component of security program testing, which, I mean, can't get that wrong, don't need AI to, to tell that point. So, um, but no, again, I think it's a great tool. Um, I think what's really interesting, you know, the thing that I love about, uh, ChatGPT or just other AI models that are in that space, is that, you know, people are running in fear from it, right? And it's,
it's not something to be feared as much as something, a way to harness. And I think so too. It's a great augment of tool. Exactly. And I think that there's a lot of repetitive work that we would rather not do. Um, and I, finding ways to work that into your life cycle, whatever you're doing, whether, you know, you're writing a book or whether you're doing security testing or, you know, writing reports or automating something, like, finding a way to sanity-check your knowledge and potentially grow it, and or out, outsource the remediation of, of simple, outsource the, the mediocre tasks, if you will. Um, I think it's a great, it's a great era to be alive. I think that's
one thing I love most about the, the people that are coming up in, in the industry right now, is that the tools have never been more prevalent. If anything, we have an abundance of tools, an abundance of knowledge, an abundance of things, and the notion that you can have, like, as a sidekick, an AI tool that will help you produce quality work, um, and still, you know, and still be learning at the same time, and kind of, like, learn in line with the AI, I think that's a really novel thing. Like, your buddy can be, you know, learning the same way you are.

So, seriously, I couldn't have put it better. In fact, a lot of, um, academia, in
academia, they're doing a lot of research on, um, human-plus-AI combination systems and the benefits of that. So, um, I think it'll be interesting to hear, uh, and see what the results of those research would be.

Yeah, I think one of my favorite, I'll throw this out there because this is one I thought was most interesting, is I've seen, um, so, lawyers doing pro bono work, hisor, have you seen this or not? Where lawyers are using ChatGPT to write briefs for them for pro bono work, to reduce the amount of work that they have to do, to, in essence, to allow them to have more pro bono work or pool money. So for me, that's awesome. If, you know, for services
that are historically, like, you know, if it's, if it's trivial, like, you know, why not have someone help you get it done faster, and then you could do more of that philanthropy or good stuff? So for me, I think that's where I love to see it go, because I think at the end of the day, like, having these artificial gates of, um, required skill, required certifications or something like that, just so you can get access to an output that you could technically reverse engineer... Correct. Why would you not do that? And so I think that's where, again, the meritocracy element of the hacker culture, I think AI is, like, a natural player in that field.

Wonderful. Thank you so much for your time. It was a great chat. I really appreciate the time that you spent here, and I'm so glad you're enjoying BSides NYC and coming back again next year. That's what we're looking forward to. Great. Thank you so much for your time.

No worries, thank you. Bye.