Programming Throwdown - 130: Ethical Hacking with Ted Harrington

Episode Date: March 28, 2022

"Hacking" is a word that evokes awe from the public, laughter from developers, and pure fear from technology leaders. But what really is hacking? What does trust really mean and how do we... acquire and keep trust on the Internet? It turns out that, while hacking is associated with computers, the methods behind it have been around since the dawn of time. Today we have Ted Harrington from ISE to dive deep into hacking, all the way from the medieval times to today.

00:00:15 Intro
00:01:25 Introducing Ted Harrington
00:07:10 Ethical Hackers, Non-Ethical Hackers, and Productivity
00:11:58 Starting out in Ethical Hacking/Security
00:14:40 Imposter Syndrome
00:19:34 What is Hacking?
00:30:48 Is Hacking like magic?
00:38:14 Defense in Depth
00:42:04 Earning trust and The Departed movie (Spoiler alert)
00:59:52 DEF CON® Hacking Conference
01:02:46 Tips on how not to get hacked
01:10:08 ISE.io culture and opportunities
01:24:13 Farewells

Resources mentioned in this episode:

Companies:
  ISE (Independent Security Evaluators)
    Website: https://www.ise.io/
    LinkedIn: https://www.linkedin.com/company/independent-security-evaluators
    Twitter: https://twitter.com/ISEsecurity
    Facebook: https://facebook.com/ISE.infosec

People:
  Ted Harrington
    Website: https://www.tedharrington.com/
    LinkedIn: https://www.linkedin.com/in/securityted/
    Twitter: https://twitter.com/SecurityTed
    Book: https://www.amazon.com/Hackable-How-Application-Security-Right/dp/154451767X

Sponsor:
  MParticle
    Website: https://www.mparticle.com/

If you've enjoyed this episode, you can listen to more on Programming Throwdown's website: https://www.programmingthrowdown.com/
Reach out to us via email: programmingthrowdown@gmail.com
You can also follow Programming Throwdown on Facebook | Apple Podcasts | Spotify | Player.FM
Join the discussion on our Discord
Help support Programming Throwdown through our Patreon

Transcript
Starting point is 00:00:00 Programming Throwdown, Episode 130: Ethical Hacking with Ted Harrington. Take it away, Jason. Hey, everybody. So this is a super, super exciting episode. I think I remember, and I'm totally drawing a blank, but there was, I remember some movies from the 90s, you know, about hacking. And, you know, when I got into computing, you know, when I was in high school and middle school, there weren't a lot of folks who are into it, you know, at least in my neighborhood, in my area. And everyone thought that that was hacking, like, oh, you know how to program. Does that mean you can just, you know, plug into this ATM and take all the money? And sadly, I've never been able to do that. But it would be pretty awesome if you could just get money that
Starting point is 00:01:06 easily. But I've always had a fascination with it. I think that it's an intersection of so many different disciplines, sociology, psychology, computing, networking, so many different areas. And we've wanted to do this episode for a really long time. I'm so excited that we have Ted Harrington, who's number one bestselling author and a partner at ISE, who's going to explain all about hacking and ethical hacking and what that all means. So thank you so much for coming out to the show, Ted. Yeah, thanks for having me, guys. Cool. So let's maybe just start with a bio on you. So how did you get into this industry, and what was the path that led you to ISE, where you're at right now? It's funny you mention hacking ATMs, because there was this funny thing that happened in college.
Starting point is 00:02:00 This is a little bit tangential, but it will color the picture a little bit. I went to school in Washington, DC and it doesn't matter that it was DC. I went to college and ATM on campus. And I remember there was this thing that happened one time where there was a bug in the software where whatever the denomination was that you typed in, the ATM actually spit out four times that. So like people were putting in, you know, $100 that they want to take out and they were getting 400. And so of course, you know, once the word spread about this, like the whole student body went and like emptied this ATM. It happened in like an hour. And I remember that time, it sort of struck me, but it was one of these seeds of a thought that stayed in the back of my mind. I didn't really do anything with it at the time, but was, wow, software really runs everything.
Starting point is 00:02:52 And when the software bugs out, really bad things can happen. And it's kind of interesting to think that that was how I rolled. I was in college, I don't know, 20 or something. And fast forward to many years later, that is my profession now is not specifically necessarily robbing ATMs, but helping companies who are building things using software to make sure that stuff like that doesn't happen. And I first got into it about 10 years ago when I met a guy who has become my business partner now. And at the time, we were just talking about some of the things he was doing with his business. And I was talking about things I wanted to do with my life and some of my principles and philosophies. And it was like
Starting point is 00:03:36 the perfect marriage. I'm driven to do difficult things that matter in the service of others. I want to get better every day. Those are are kind of some of my defining principles. And those are the principles that are required to succeed in security. And so once I sort of found that, it was like, this is what I got to do. And I've since dedicated my entire life to it. And now I'm in the position that I get to lead some of the smartest group of ethical hackers ever anywhere. And that's what we do all day is
Starting point is 00:04:06 help companies build better and more secure systems. Wow. Super, super cool. So I have a similar story. It's not my story, but I'll share it anyways. And Patrick, you also took this. We both took VxWorks training, probably at different times, definitely different times. But Patrick probably just breezed through it. I was having trouble. I hadn't done any embedded stuff. And so I was working my way through it. But I remember the instructor saying that he noticed the gas dispenser at a gas station was running VxWorks. And he noticed it because it had a certain JTAG kind of connector and he just connected in and got a VxWorks terminal. And he found that the price of gas was literally just called price of gas. And it was a global variable in the program. So he just,
Starting point is 00:04:56 he just changed it to zero, uh, pumped his gas for free. And then, and then went back and like, you know, reported it to whatever, you know, uh, multinational was running that gas station. But yeah, it does sound like the early days of computing was sort of this wild west. And then through a lot of work done by people like you, the security has just become a lot tighter now. And there's a lot more on the line now than there used to be back then when things weren't so tightly connected as they are now. Yeah, I would actually maybe even challenge the
Starting point is 00:05:31 assumption that things are tighter now because this is going to sound contradictory. They are and they aren't. So what's really good that we see happening all over the place is that where the efforts of the security community, the security research community, the ethical hackers, like where those of us that are really driving and pushing for this type of improvement in security, where we focus our efforts, it is changing. Like things are getting better. But the problem is that the world, I mean, we're talking about the entire planet is so relentlessly adopting software to replace previous processes or systems, sometimes ones that were often done manually or by human action and are now being done by computers. And new ways of applying computational approaches are constantly being innovated. And that itself introduces two problems. One is change. Any type of change fundamentally adjusts the security model. But two, the second part of the problem is that oftentimes people will think, oh, well, this is completely new. This is like the new age, state of the art, whatever, fill in the blank. We don't have to worry about those security
Starting point is 00:06:49 challenges the same way anymore. It's like, actually, you have to worry about them more because it's now a different thing. So that mindset really becomes quite a problem. So I'm not necessarily disagreeing with you fully, but I'm just modifying the way you stated it. Some things are getting tighter, but some things are actually getting worse. And actually both are happening at the same time. Ah, interesting. Yeah, that makes sense. Yeah, it's a real arms race. It's an arms race between the ethical
Starting point is 00:07:14 and the non-ethical hackers. And it's also an arms race between the ethical hackers and productivity. The developers who want to just get this beta version of this code out really quickly, and who cares if it has some security issue, we just need to get this result really quick. And so it seems like there's a sort of triangle there. So there's a lot of truth in what you just said. The conflict actually is less that developers don't care about security. I think any developer listening to this right now would probably dispute that because they're being told like either they already care about it or they're being told by their boss or their, you know, any member of the leadership in the company.
Starting point is 00:07:57 Like you have to care about this. The problem isn't whether they care or not. The problem is how are they going to do that? Because building and breaking are two fundamentally different things. So here's a way to think about it. I'm a big believer in using metaphors to try to explain what can be sometimes really complicated ideas. This one, I don't think is that complicated, but this idea that you think about building a skyscraper, right? There is a person, a type of general contractor who that's what they specialize in. They build high rises.
Starting point is 00:08:29 If you went to that contractor and you said, okay, now we need you to be the demolition expert. Can you demo a skyscraper? They'd be like, maybe. Yeah. I mean, I guess I know where the weakness is. I could probably, yeah. Yeah.
Starting point is 00:08:44 Okay. Let's do that. But would they know what they're doing relative to the person who spends every waking minute demoing buildings? Right. It's like, it's an impossible ask to think that just because they're related, that someone can be the expert in both. And that's really, that's what businesses are asking of developers. They're like, you have to build it and you also have to be the expert in how to break it. And that's just unreasonable. And that's impractical. And when push comes to shove and when the boss says to the developer, you have to build it. It has to be done by this time. It has to meet this quality standard. Oh, and it has to be secure.
Starting point is 00:09:30 When push comes to shove, what's going to get axed? The security part, because it's also not within the developer's area of expertise. So that sucks for a developer, right? Because that's really bad for a developer because they're being pushed into this difficult box of so much empathy for that situation that they're in. Once we realize that is the business problem that it is, then we can start to figure out how do we address it. Yeah, that totally makes sense. Yeah, I think, yeah, to continue your analogy, I think there's a whole bunch of really interesting bits there on how people demo buildings in real life and how they make it so the building implodes, it doesn't like fall on another building and kill a bunch of people or something.
Starting point is 00:10:07 And so people who build buildings wouldn't know anything about that. And yeah, and speaking from experience, I've built a lot of software and we had an issue, this is about a year ago, where we had a external facing website for a team. My team was working on an open source system that was published in the open source
Starting point is 00:10:34 really for brand awareness and advertising of our work and to contribute back to the research community. And we had an internal version. And to kind of cut the story short, one of the engineers accidentally allowed anybody to, um, to take over, to hijack our website. And, uh, um, and there was a team internally that actually is just focused on hijacking company websites. And so within, I want to say within maybe even less than an hour, I mean, it must've been automated. Basically they instantly hijacked our website and then,
Starting point is 00:11:12 and then they set up a meeting on our calendar where we could talk about how we totally got owned. And they explained a whole bunch of stuff to us that us researchers had never known before. But, um, but yeah, I mean, that team totally saved our bacon because, uh, we didn't, I would have been terrible if we had been hijacked by somebody else. Totally. Yeah. Well, I'm glad they reached out to you. They went through, it sounds like they went through responsible disclosure. Uh, there's maybe some questionable parts of what exactly they did. Um, but yeah, you're right. You want the good guy to find it, not the bad guy to find it.
Starting point is 00:11:45 Yeah, totally. So this is really interesting. So you're in DC and you're in college, right? And so you met this gentleman while you were in college and the two of you, yeah, can you bridge the gap from that to go to ISE? Did you start ISE right then and there or is there what's in the middle
Starting point is 00:12:06 there? No, there was actually a pretty significant gap there. And one of the things that I would highlight out of this is for anybody who's right now thinking about security as a career, but thinks, well, I don't know as much as all these other people, or I don't have enough, you know, the ship has already sailed. I'm already down whatever this engineering path is that I'm down. It's not too late. I didn't enter security until I was, I would have probably been at that point. I should know this, but I would have been probably my late twenties. So, you know, I'd been in, I'd had 10 ish years of a career already. And, uh, so I knew nothing by my late twenties. And the time in between, I was essentially, I wasn't even in tech. I was chasing my entrepreneurial dreams, which was, I was looking for some mentorship. So I worked at a company for a little while that I was able to work directly under the CEO of this one company. And then I became the CEO myself of a tech company that was focused around water.
Starting point is 00:13:27 And then I met the guy who would become my business partner almost by chance. We knew a guy in common. I knew this guy from the NSA who went to the PhD program with my business partner. And this guy in common was like, you guys are in such different worlds, but you should meet. And so we did. And so in a sense, it was being open to whatever opportunities might present themselves. Because on paper, like, we shouldn't even have met each other. We were just like in such different worlds. And we knew pretty much right away because philosophically, we were very aligned. Um, and in a way, all those years, not in security at all, have helped me be able to be a better communicator about security. Because I came in to this profession so much later than most people. I mean, I'm surrounded by people who are like, Oh, yeah, I like ripped open a video game console when I was five. And I'm like, I didn't, what? I didn't even know what the principles of security were until I was like 29.
Starting point is 00:14:36 You know, like there's a huge difference between that. But because I was able to come from this other perspective that was like, explain that to me. I don't understand that. All of the assumptions that I should know anything, I was not troubled by them. And that's one of the things I think holds a lot of people back. They're like, oh, I have a degree in computer science. I should probably know this thing. So I'm not going to ask a question that might make it seem like I don't know what I'm talking about. I'm like, hey, guys, Ted here. Don't know what I'm talking about.
Starting point is 00:15:01 Quick question. And because of that, I was able to sort of like build this foundation of knowledge over a long period of time. And that was something I hope everyone listening to this can realize like, no one knows anything about anything. So just ask questions. No one's going to judge you. Like we all have imposter syndrome. We all think we're not smart enough. Just keep pushing and asking questions and you'll figure it out. Yeah, that's really, really good advice. Yeah, definitely. I think, you know, every job that I've ever had, I went through the imposter syndrome phase where basically I said, you know, I, you know, I kind of, you know, I got lucky in this interview or, you know, I interviewed at four places and I picked one job that's because, you know, I got lucky that one time. And, you know, or, you know,
Starting point is 00:15:50 I really oversold myself in the interview and now I don't know what I'm doing. This is completely common. You know, everybody goes through imposter syndrome every single time. Um, and, and so, you know, I think that, uh, um, the, the, the thing that, that, you know, over time I've learned is to, is it's, it's kind of like, uh, uh, I'm trying to remember what, what there's a program, but like the first step of, uh, I think it's like a alcoholics anonymous or something, but, but the first step of like a lot of these programs is like recognize, uh, you know, be able to see yourself from the outside as an outsider. And so, so I've learned that, you know, this, this, uh, you know, this imposter syndrome, uh, I've, I can kind of see it from the outside. And now when I start something new,
Starting point is 00:16:39 a new team or a new job or new, whatever I say, look, I'm going to go into this, you know, the dumbest person in the room on this subject, and I'm going to know I'm the dumbest person in the room, and everyone else is going to know that. And that's okay. That's totally fine. Because the company is not hiring you, or that person is not hiring you, you know, if you're a freelance developer, for what you can do in the first five minutes. You know, they're hiring you to do a task that's going to take months, maybe even years. And especially if you're doing things that require, you know, NSA clearance and these things. I mean, they have to have multiple year
Starting point is 00:17:16 horizon when they evaluate somebody. And so I think, you know, that you're always going to have that imposter syndrome, but recognizing it for what it is helps tremendously. Totally. I mean, I even think if for anyone who feels the imposter syndrome, which maybe we should define that real quick for anyone who isn't familiar with this, the idea is people who feel like I'm not smart enough. I shouldn't be in this room. I shouldn't be in this job. There's other people smarter than me. That's called the imposter syndrome. And I think anyone who feels that way actually is probably one of the smarter people in the room because you recognize there's more to learn. There's always someone who's more of the expert at something. And the fact that someone's more of an expert than you doesn't make you stupid. It makes you on the path to becoming an expert yourself, or it makes you smart to realize that let me get the expertise of this
Starting point is 00:18:10 other person to help me solve this problem. And maybe I don't even ever want to become that expert. I don't want to become an expert on how to fix plumbing in my house. I don't want to do it. I am always going to have an expert plumber. I'm not going to watch YouTube videos to figure out how to replumb any part of my house. I'm going to hire somebody. And I think that's, there's strength in that and realizing like, okay, well, I'm going to choose my brainpower to focus on something else. Right. Yep.
Starting point is 00:18:37 Yep. Yeah, totally agree. So, um, so, you know, when, when a lot of people think about hacking, so we'll, we'll talk about hacking and then we'll talk about ethical hacking. When people think about hacking, I think there's two extremes. I think on one extreme, people think it's like, you know, CSI, you know, that, that meme where the person's like, I'm going to write a visual basic script to trace the hacker did to do, do, do done. You know, and now we know everything about them. And then there's the other extreme and where they feel like there really is no such thing as technical hacking.
Starting point is 00:19:14 It's all just phishing and sort of social engineering. Right. And so, you know, kind of where are things? How has that spectrum kind of changed over time? And what really is hacking at the end of the day? That's the question that we should answer first is what is hacking? Or another way we could ask it is what is a hacker? And here's how we have to think about that, is that most people actually think that a hacker is a malicious person, somehow associated with wrongdoing, evildoing, whatever. And that's actually not entirely true.
Starting point is 00:19:54 A hacker is a problem solver. A hacker is somebody who sees the way a system works and says, can it behave differently than it was intended to? That's not good or bad. That's just a way of thinking. That's a predisposition, I guess. The fork in the road comes when we think about motivation. So someone who wants to take a system and repurpose it or make it behave in ways that it wasn't intended to behave, and they want to do that to obtain some sort of personal benefit at someone else's expense. They want to harm an organization or some other malicious outcome. That's what would be an attacker, a malicious hacker. But the other side of the fork of the road
Starting point is 00:20:38 is people who come from my corner of the world, which are ethical hackers. And those are people who still want to find those same flaws in the way that the system works, but they want to do that so that they can advise on how to fix it. And both are professions. I mean, there is a very mature marketplace for malicious attackers out there, and there is a mature marketplace for ethical hackers. And so that's really what hacking is. And all the examples that you described, those all are hacking, you know, social engineering, where you try to trick somebody, or attacking via a technical method where you're actually manipulating a software system. Maybe the idea of trying to have some sort of like attribution or, you know, chain of custody of who is a person that did a thing, like that's a slightly different thing that might not be hacking. That's more post incident. But
Starting point is 00:21:30 these are all types of hacking because essentially they're like, how do I take a system, make it behave differently? A person is a system. I can give you a social engineering example that is a system, right? Like one time I wanted to get into a bar and there was a long line and there was a cover charge to get into the bar and I didn't want to do either of those. And so I recognized for what it was, right? It was a system. There was a system that says, you know, you're a patron, you go through this line, at the end of the line, you pay a cover and you go into the bar. That's how the system worked. But I also noticed there's another feature to this system, which is if you're a VIP, you can go in the VIP line, there's no wait, and you don't pay
Starting point is 00:22:09 cover. And so what did I do? I did what any hacker minded person would do. And they said, well, how do I make the system behave differently? I'm not VIP, but how can I make it so the system thinks that I am? And so I went through a whole series of sort of leading questions and specially crafted inputs, the way that I said things to the VIP hostess to get her to reveal to me through the way I asked questions, who was a group on the VIP list. And then I could just say, I'm with that group. And sure enough, that's exactly what I did. She was able to let me in the bar, didn't wait in line, didn't pay cover. I have a similar story to that.
Starting point is 00:22:50 That's amazing. I have a story where I was, yeah, I always fly coach pretty much. I mean, I've flown first class a few times because I had enough points. One time I flew business class for work, but I'm generally flying coach. There was a massive line at the check-in area. And this is before, I mean, now you would just check in on your phone. It's no big deal. This was before that.
Starting point is 00:23:14 And so there was no line for first class. And so my idea was that I would get in the first class line and I would upgrade to first class and just pay whatever it is because it was worth it. Otherwise, I was going to miss my flight. And that extra value made first class worth it. And so I did that. I got the first class line. I upgraded. It cost me out of me 200 bucks or something. And because of that, I didn't miss my flight. And a couple of people heard what was happening because when I passed, you know, hundreds of people in the regular line, obviously that drew a lot of attention and a couple of people were
Starting point is 00:23:49 listening and they saw what I did and they got really upset. And, uh, um, you know, I think maybe that's, that's part of hacking is, is, is when you do, when you abuse a system, you instantly sort of draw the ire of everyone around you. But, was, I think, though, one of the few times I could think of my life where, yeah, I kind of purposely kind of took advantage of a bit of a gray area. I wasn't first class yet, but I was about to be. And so that got me on the flight. And so, yeah, those moments are a little bit magical. Like it's, it is kind of, you know, a weird feeling, but, you know, when you kind of use a system in a different way, there's a certain, you know, feeling that you get, I can't really, you know, you'd probably describe it way better than I do, but there's a certain feeling you get like, like, yeah, like I managed to pull this off, you know?
Starting point is 00:24:36 Absolutely. There's, there's such an interesting element to, I love that story, by the way. Um, I would probably do that all the time. Like if you knew that, like, Hey, just go in this line, pay a little bit more, and then your life is, yes. Transfer money for time anywhere that you can. I'm all about that. But there's a really interesting element to the story that you just described. And it is the reaction of, I don't mean this in a diminutive way, but the reaction of the regular people.
Starting point is 00:25:06 Because we're talking about what's the definition of hacking. Well, there's people who, most people, when they see a system, they say, how does the system work? And I'm going to comply with the rules of the system. And then there are hackers and hackers say, how does the system work? And I am going to either modify the system or abuse the system within the rules or change the rules. And the reaction that you saw was the inherently human feeling we have about fairness of those people who are like, hey, I followed the rules, and I didn't get the benefit. But most people are in that mode. Most people are, let's follow the rules. And that's why hackers, both of the good variety and the bad variety, are good at what they do and are necessary in, we're talking about social engineering right now, but in all aspects of building anything, because the average person
Starting point is 00:26:03 doesn't look at things that way. Those people who got mad at you for doing what you did, why were they mad? Because they didn't get the benefit. But what did they not do? They did not look at that system and say, how do I make it behave differently? It's a special kind of mindset that's required to do that. And that's why people like us have a profession actually, you know, get hired by companies to help them solve problems like these. And it's a really, really, really important distinction. Yeah, that makes sense. So, so would you say the majority of, let's say breaches, for lack of a better word, are from social engineering nowadays? Or, you know, what's that mixture like? I wouldn't be able to answer that definitively. I'm
Starting point is 00:26:48 sure there's endless statistics out there that could answer that question without a shadow of a doubt in their mind in any direction, um, because the truth is that at some point we don't actually know everything about every attack. In fact, we probably know very little about most attacks. But I do believe, not even believe, this is a fundamental truth, is that there is a human element to any attack. Now, I spend my energy, our entire organization, our company, we spend our energy really focused on how do we prevent software systems from being breached? That's really the main thrust. And then by extension, networks, computer networks and things like that. We don't focus as much on social engineering, but even I, as a person who focuses on software, recognize that the human is actually at the heart of all of these problems. So even if it's
Starting point is 00:27:46 not that someone called up engineer Jane and said, Hey, engineer Jane, I'm gonna send you something. Will you click it? Even if that's not what happened, engineer Jane might've built something and let's not make it Jane's fault. Engineer Joe, Engineer Joe and Jane together. But they're humans and they didn't realize that an attacker might abuse functionality that they were building in a certain way. And that is why that particular software system got breached. So anyone who's out there saying that, you know, 85% of breaches are the result of social engineering. It's like, maybe. I mean, sure, there's data that might show that, but I don't know if that data sets complete. Yeah, that totally makes sense. I mean, this is such a, or maybe just the circles I run, this is such a cliche, but other people,
Starting point is 00:28:35 people out there might have not heard this. Patrick, I'm sure you've heard this. The World War II story about the planes that came back with bullet holes. So, uh, I'll just recap this for people who've never heard this story. Um, you know, the, in World War II, they're sending out planes. Some of the planes were getting shot down. Some of them were getting, uh, uh, I guess, wounded or, or damaged and then come back. And then some of them were coming back, you know, totally undamaged. And so they were looking at the damaged ones and saying, Oh, you know, they're getting shot a lot in this spot and that spot, let's put some more armor so that they don't come back with a big hole in them in this spot. And, uh, it actually didn't help at all,
Starting point is 00:29:13 um, or very little. It definitely didn't improve the kill rate. And the reason is because the ones that were downed were not coming back. So it's like if your plane is coming back, that's actually a good thing. And so maybe those spots are actually fine and you want to reinforce all the spots that you don't have any bullet holes in. And so it's similar here where it could be such that the breaches that occur from social engineering just end up being more public. And so you're just not seeing the distribution accurately. And so to your point, it could really be anything. But I guess the high level bit we can take away from this is that they're both still used extensively. So there's still a lot of social engineering. I actually just got a text message saying, hey, I need some information, blah, blah, blah, signed. And it's the CEO of my company. And my first reaction is
Starting point is 00:30:13 like, who signs a text message? And my second reaction is like, why does the CEO, you know, like, like, they're like, why would he ever text me? And then sure enough, this is like, this got sent to like tons of people. So that's definitely happening all the time. But to your point, you know, the software side, I'm sure is happening just as often or is happening in large numbers. And it's something that folks should definitely be aware of. Absolutely.
Starting point is 00:30:43 Yeah. Yeah. So, um, is, is, is hacking kind of like magic where, you know, kind of once you tell someone the secret, it's not useful anymore? Like, like, what are the parallels there? Wow. First of all, I love the phrasing of that question. Uh, a lot of people do think it's like magic. They think we have this magic wand. We get contacted almost every day by someone who's like, oh, can you? So what I do is what we do, we help companies like who are building software and there's like big projects, but I get contacted all the time by individuals who are like, my ex hacked my phone and is looking at my email. And I'm like, what am I going to do with that? They're like, well, you have a magic wand, right? So people always think that ethical hackers, we have this magic wand. So I love the way you phrased the question. And the nuance to your question is that once someone knows how a magic trick works, it loses, it's not as enchanting. And that is in fact, not the case
Starting point is 00:31:47 with ethical hacking. It's not like, well, once we reveal the method, all of a sudden, somehow it's no longer effective. In fact, the methods have been long established for a very, very long time. And that was one of the things that I was thinking about a lot when I was writing my book is if you're going to write a book that has to do with technology and it's going to take, you know, I wrote my book actually very fast for writing a book. It was about 17 months from when I started it until it was published. That's like crazy fast. Most people take like 10 years to write a book or five. But even in my case, where it's like as fast as it can be, the question is, well, how will that be useful to people in
Starting point is 00:32:31 three, five, 10, 20 years? Will it be useful? And when technology changes that fast, that's a valid, valid question. And so for that reason, I really focused on, well, what are some of the things that are either timeless or are going to be highly resistant to change in time? And that's the principles of security. These principles that we have to think about today are pretty much the same principles as they were 10, 20, 30 years ago in tech. And you can even see these same principles in ancient books about war. Like, for example, Sun Tzu wrote The Art of War, and many of the principles in The Art of War, many of the principles in Machiavelli's The Prince, these books are crazy old, and these principles apply to how we defend software systems today. You have to think about it differently, obviously, than an emperor ruling a kingdom. And it's a slightly different application of the ideas, but the ideas are the same.
Starting point is 00:33:29 So when you read a book like the one that I wrote, which it's called Hackable, when you read a book like this and you see it lays out exactly like, here's how an ethical hacker goes through the process. Here's what you're looking for. Here's why it matters. Here's why most companies are stumbling
Starting point is 00:33:44 when they like skip this part. I point it all out, the whole thing. It's not going to change the way the attackers attack. They're still going to attack. They're going to evolve and adapt. But now that it's completely open kimono, and I'm not the first person to have described the ideas, it's not like the magic trick where now it's like, oh well, the magic trick doesn't work anymore. It still works because these principles are pretty timeless, or at least time resistant. That makes sense. I remember, um, I somehow, oh, when I was taking systems engineering, um, that gentleman, the professor, he also taught this cyber forensics course, which I didn't take that course, but it was interesting. He would tell stories about it.
Starting point is 00:34:35 And the one story that really resonated with me was he said, so at some point, people were kind of challenging him and saying, well, I could do this and I could use this VPN and I can use, and I'm going to say a bunch of things I don't know a lot about, but I can use like this onion router and I can use that. And at some point he kind of stopped and he said, here's the thing, you could do all of these things, but it's just another sort of dimension, right? It's like, it's like if you commit a crime, you know, now you, you know, have to deal with making sure that there's no evidence in the physical world and you have to deal with making sure there's no evidence in the digital world and you have to be experts on both of those and, and, um, um, you know, and, and, and all the different dimensions that, that, you know,
Starting point is 00:35:20 that you can, you can think of within those two universes. He's like, and so this is an area where someone might slip up. They might have really good, uh, way to, some evil person might have really good way to cover their tracks, um, but not digitally. And so that, that kind of really resonated with me. It's like, it's like, um, um, you know, there's so many different vectors here. And, um, and so even if you might learn kind of, uh, kind of like one magic trick, it doesn't mean you know every magic trick, right? Doesn't mean that you know every, and, and people are constantly coming up with new, uh, there's that Penn and Teller show on, on, uh, um, I don't know on like where it's syndicated, but you can see it on YouTube, where people kind of invent new tricks and share it with Penn and Teller. And so to your point, what really stays constant is the philosophy and the principles.
Starting point is 00:36:13 But then beyond that, there's, there's always more to learn and there's always sort of this adaptive, this complex adaptive system that's, that's being played out. And so, and so just knowing if you were to, even if you were to become an expert on all the different, um, you know, uh, um, like exploits, it doesn't mean that it doesn't put you, uh, um, Ted out of a job. Right. Yep. Things will continue to evolve and adapt. And, uh, I mean, let's be honest. If, if I could put myself out of a job, that would be a life's achievement. But I just don't think that it would ever be ever be possible. Yeah, you know, it actually fascinates me and it's something I just haven't ever taken the time to study.
Starting point is 00:36:59 But just how things like trust, you know, really worked, especially in the past. Yeah, I was, I was, my, my son is now getting older. And so I'm starting to show him the, the amazing glory of video games. And so I was showing him, I don't remember which game it was. But anyway, so I walked up to the king and he gave me a quest and, you know, showing this to my son. And it just kind of crossed my mind that like, you know, I'm carrying this sword and I could decapitate all these different things and the king just lets me walk right up to him, you know? And so it made me think like, I wonder in the medieval world how that actually worked.
Starting point is 00:37:35 You know, like how did people with weapons get close to the king and there's sort of a trust there and how do you watch the watchmen and all of that. And so to your point, I mean, these are just timeless parts of human nature that will just never go away. And, you know, if we take the politics out of it, which unfortunately is, in this day and age, is pretty hard to do now, but if we just look at, like, purely the idea of the scientific control of, uh, you know, a pandemic, and you think about, like, why, why did we have masks and social distancing and minimizing, um, you know, gatherings and closed businesses. And like, why did we do all of these things?
Starting point is 00:38:27 Because these were all exercises in defense in depth. Like defense in depth is a security principle that essentially says, let's add layers of things to make it so that the bad outcome we wanna make sure we avoid is less likely to happen. And so that's why you do masks and social distancing and washing hands and like all these things. Because none of them, no single approach is wholly effective. And that's the same with, you know, building a system, the security mechanisms
Starting point is 00:38:59 in a system. So kings, medieval times, wonderful metaphor. When we think about the king, actually, I talk about castles a lot as a security metaphor. And you look at something like the Tower of London, you know, and that used to protect the crown jewels. It doesn't anymore, but that literally used to protect the crown jewels. And if you wanted to get to the crown jewels, you had to get across the moat with the alligators in it. You had to somehow, like, now scale the walls that had the guys pouring the hot oil down on you and the archers up on the turrets. And once you get over the wall, then you have to deal with the king's guard, and you're now fighting them in hand-to-hand combat. And then you have to get
Starting point is 00:39:39 through all these, you know, perimeter, uh, concentric perimeter walls in the castle. And if you can eventually get through all that, then maybe you can get to the king. And then what? Now you have to get out. You have to, like, do the whole thing in reverse. Yeah, that's such a good metaphor for this really important principle, defense in depth. And so you were obviously talking about a video game. They simplified it for, like, yeah, you could walk up to the king holding a sword because it's a video game. Absolutely not. An average person would not walk up to the king with a sword in medieval times, right? Yeah, unless they, uh, unless they got in through all those circles of trust, right? So that, that, that sort of closes the whole loop on the social engineering part, right? Like somebody's
Starting point is 00:40:20 next to the king with a sword. And so, and so there's the sort of physical layers, you know, of getting to the crown jewels, but then there's also all of these social layers. And if you could, I mean, if this person was willing to spend the time and energy and they, they had that evil in their heart or whatever, like they, they could eventually get to the point where they're right next to the king with the sword. Um, um, and, and so that's, that's a whole another, uh, aspect of it. So someone, um, um, someone said something interesting a while back about basically, uh, the, you know, that, that the people who are sort of most really interested and obsessed and focused on something, um, that, that on average more of them are good people. Or I, I'm trying to, like, you know, mincing words here, but, but, uh, but yeah, it's this
Starting point is 00:41:14 idea that like you know so many people who will go through all that training to be the king's right hand person the king's protectorate or something, that at some point the odds of that person being evil just becomes so incredibly low that it passes some bar. You say, okay, now this person gets to be right next to the king with the sword, or this person gets to be in the secret service to make it more modern. And so that's the social engineering moat and alligators and boiling cauldron and all of that. And, and so I think, uh, uh, you know, building that trust over time is, is, is equally important. Yeah. I think a great metaphor for how do you, how do you deal with that? Right. It's not even a metaphor. It's just real life is you look at something like the movie The Departed.
Starting point is 00:42:07 I'm originally from the Boston area, so I'm very partial to all things set in or about Boston, including gangster movies, for whatever reason. Nice. But so this movie, I'm going to maybe include some spoilers, but it's like 20 years old. So if you haven't seen it yet- You can spoil it, go for it. Yeah, that's kind of on you.
Starting point is 00:42:23 But you've got one of the main characters is an FBI agent and he goes to go undercover to try to get close to the kingpin, this guy, Whitey Bulger. And it really chronicles what it was like for that guy trying to do this, right? Because how do you earn the trust of a gangster? You have to do stuff that's directly opposed to your profession as an investigative police officer. Like, literally, you have to kill people. You have to rob people. You have to beat people up. And if you don't do those things, you fail the test and you'll probably die because the gangster is like, oh, this guy's not trustworthy according to gangster code. And then it talks about how it like, you know, as you watch the movie, how it
Starting point is 00:43:06 morphs this individual. And it's like, is he maybe starting to become bad himself now? And you don't necessarily know. And it's, I guess it's supporting your point that it's like, at some point, we have to trust people, we have to trust systems. And so we have to have a criteria by which we assign trust. And it shouldn't, we, we assign trust. And we should assume hostility. We should be like that gangster who's like, hey, I need to test everyone who's around me just so they can be around me. Otherwise, how do I know? And then eventually they go through enough tests that you can trust them or you cannot trust them. And unfortunately, we do have to cross that barrier at some point, being able to trust. And this idea of trust is one of the big things that I actually argue about
Starting point is 00:43:49 in my book, which is that security isn't actually just about securing something. It's about being able to earn trust, right? You need to be able to secure a system and you need to be able to prove it. And those are two different things. And one of the big failures that exists across industries, across geographic locations, across maturity of both individuals and security programs is that we oftentimes think that we can just tell somebody that something's secure. We think that we can prove it without actually securing it. And that doesn't work. That's like the person who's, I don't know, the Olympics are going on right now, right? It's like the person who's like, I'm the fastest speed skater. I should be on the team. And they're like, okay, well go in this race. And if you win the
Starting point is 00:44:40 race, you'll qualify for the team. And they're like, no, no, no, no. I'm the fastest. Just trust me. Yeah, right. That's the way a lot of people talk about security. They'll say things all the time. Pick a website, right? They'll go to it and they'll be like, fast, reliable, and secure. And you're like, I can determine if it's fast. I can determine if it's reliable.
Starting point is 00:45:01 But only someone with security expertise can determine if this is actually secure. Yeah, that makes sense. Yeah, that's really interesting. The analogy with the movie, you know, I feel like, you know, because one could argue that it's hopeless, right? That there's no way of guaranteeing, and I'll go back to the medieval times because I feel like, uh, talking about modern times is, uh, it makes me nervous. But, but, but there's nobody who can guarantee that the king's, you know, right hand person isn't going to kill. You can't guarantee. But to your point, like, maybe that king's right hand person has to do so many things, you, you know, in service of the king that, and get so intimate with the king and his family and the whole thing that at that point, even if he came in with the intention of, you know, killing the king, he would have been like brainwashed with all of these experiences
Starting point is 00:46:00 that would have eventually defined his life and then he wouldn't do it. So I think, I think, yeah, maybe you could make the claim that it is then possible to create, you know, such a comprehensive set of hoops that even the most like untrustworthy or mal like intended person goes through that trial and comes out the other end trustworthy. That's kind of an interesting thing to think about. Yeah. I mean, I guess there's two ways that you'd get that insider. This is what we're talking about right now, right? The insider threat. One would be, yeah, someone joins the organization with the express intent to earn trust in order to harm the organization. But in other ways, they could be recruited. And so in the case of someone who's close to a high ranking head of state or whatever, how do you kill a king? Maybe there's a weakness
Starting point is 00:46:53 of that person who's in the guard, or maybe they, I don't know what their weakness is, but whatever the weakness is, an enemy can take advantage of that. And whatever the situation is, these are the things that, this is why every organization, irrespective of time, we're talking about medieval times, let's talk about modern times, like everywhere in between. This is why we really need someone, or not even someone like a team who is constantly thinking those more malicious thoughts, but for good. I mean, that's, again, this is why my whole profession exists is because most people don't think this way. It's a very uncomfortable way to see the world. It's like, I forget in The Matrix, which pill it is that you take that all of a sudden you unplug from the matrix,
Starting point is 00:47:37 but it's like taking that pill. Yeah. The red pill, you unplug. The blue pill, you stay in the matrix, I think. Yeah. So it's like you take the red pill, you're unplugged. And now you're like, well, this is way worse than being in the matrix was. Like now I see it's so uncomfortable. I see the ugliness of the world. But just like the main characters in that movie, we need people to see the ugliness in the world in order to improve the world.
Starting point is 00:48:02 And like those of us who come from the ethical hacking world, it's like, we see everything this way. Like I told the story about the bar or whatever, but it's like literally every situation in my life, I look at it in that more malicious, like, well, how would you defeat this? And that's not for everybody to think that way. That's, that's probably not healthy. In fact, for everybody to think that way. But that's why we have to have someone or someone's, plural, thinking that way. Because going back to the medieval king metaphor, if someone's not analyzing who's close to the king and what are the weaknesses that person might have, a bad apple might get close. Yeah, totally. So when a company approaches you and says, Ted, we want you and ISE to help us out, let's say they haven't had a breach yet because that's probably a totally different situation. But let's say they just want you to come in and help to secure their company. What do you do? What is day one like? How does that go down?
Starting point is 00:49:07 Well, it depends on the scope of the project and what they're trying to do. But let's say someone who's building a software system and their motivations may be several. They might themselves realize, hey, we know we need this to be secure. Or we may realize we're building something that is going to be very, very valuable to attackers. So we should get out ahead of this. But most likely, the reason that they want to do this, or they're being asked to do it is a customer of theirs is asking them to do it. Or a regulator in an industry they are building the system for is saying, hey, you got to prove it in some way. And so usually what happens is that we get
Starting point is 00:49:46 to the heart of what do they want to achieve? Why do they want to achieve that? Usually what they're asking for winds up being a little bit different than what they actually need. Most people think of security as a box to check or a cost to minimize. How do we do this the least expensive way that will satisfy my customer? That's the way a lot of people think about it. But the smart companies are the ones who say, well, if one customer is asking for this, I bet a bunch of my others are too.
Starting point is 00:50:14 So why don't I not do the minimum? Why don't I capture the competitive advantage that this is and do it the right way and be able to differentiate from everyone else who's going to see what's the lowest bar that I can do right now. That's huge. It's kind of like, yeah, the analogy is kind of like, you know, the robber in the neighborhood will try and rob the easiest target. Most people don't rob every house in the neighborhood or even half the houses. They're going to find like the one or two houses that they can rob.
Starting point is 00:50:43 And so you just need to be better than them. Or I guess the other analogy is like, you know, if there's a lion chasing you, you just have to be the second slowest runner, you know? Well, here's maybe, okay. I like the combination of homes and lions. Let's, let's use a metaphor of homes in South Africa. Okay. So the home security, South Africa is significant because there's, you know, home robberies are like a really big problem there. And so really what we're talking about is the person who sells homes in South Africa, what they want to be able to do is say to their rich clientele, look at how good this security system is. Look, here's the cameras, the guards, the,
Starting point is 00:51:22 uh, the walls, the doors, whatever. Whereas most people are like, yeah, this is a secure house. That's a really, really big difference. Someone who's like, I put some locks on the thing versus someone who's like, let me walk you through the many ways we thought about security, built it into the design and then executed on it and then improved upon it throughout the build process. That's really the key. And so to your original question, how do we get started? Once we define the goal, we help reshape what's the best way to achieve the goal. Then we define what the scope of the project is. Are we talking about, let's say it's a web app, are you talking about just the front
Starting point is 00:52:00 end? Are you talking about the back end? Are you talking about both? Are you talking about any integrations with other third-party systems? Then we go about actually looking at items within scope and trying to determine, well, how would someone break this? And where there's areas that might be of concern, we'll dig a little bit deeper to actually determine, can you exploit it? And anywhere that the answer is yes, now we actually will build a proof of concept, like how would it work? Not build it, like actually go run and execute it, but we would show here in the code is where the issue lies. And then we tell them, here's how you fix it. They go and fix it. And then we come back and verify, did that fix actually work? So that they can now turn around and turn to their
Starting point is 00:52:46 customers and say, not only did we do some security testing that you asked for, Mr. or Mrs. customer, but look at how deep we went. Look at all the issues we found. Look how we resolved them. Here are the ones we didn't resolve yet. And here's why we're not going to resolve them. It's a much more powerful position to talk to your customer when you've actually done it right than when you're trying to be really hand wavy and smoke signals and, you know, hope they stop asking questions, because if there's one thing that makes people ask more questions, it's when they feel like that the person they're asking questions of is being evasive. Sponsor for today's show is MParticle. At the end of the day, your customer has to be at the center of everything you do. This starts with the right customer data strategy, as well as the
Starting point is 00:53:34 right foundation to solve the challenges that typically inhibit success, such as data quality, data governance, and connectivity. MParticle is your real-time customer data infrastructure that helps accelerate your data strategy by cleansing, visualizing, and integrating your customer data from anywhere to anywhere. Ultimately, better data leads to better decisions, better customer experiences, and better outcomes. Some of the best brands in retail, financial services, hospitality, media, travel, gaming,
Starting point is 00:54:09 and many other industries have chosen MParticle. Learn more by visiting www.mparticle.com. Better data, better decisions, better outcomes. Visit MParticle.com to learn how teams at Postmates, NBC Universal, Spotify, and Airbnb use MParticle's customer data infrastructure to accelerate their customer data strategies. I worked on, well, I built this thing called Eternal Terminal, which is like an SSH replacement. That's my one foray into doing like C++ and kind of low-level Unix stuff. And, um, and an ethical hacker reached out to me with an exploit. Uh, it ended up not being that big a deal. Basically, uh, it lets you masquerade
Starting point is 00:54:55 as another user, but not root, maybe. Or no, even that is more than what it did. Anyways, it was not, oh no, here's what it was. You could basically crash the equivalent of, like, the SSH server, and that would kick everyone else off. That's basically what it, so, so at any point in time you could run this and everyone would get kicked out of the server. They'd all have to log back in. So effectively, like, a denial of service in a sense, or at least make service painful. Exactly. It's exactly a denial of service. And the person, they're super professional about it. They actually reached out to me in an email. They didn't make an issue on GitHub, which would have just told everybody. And they gave me literally a Python script. And I didn't even know some of
Starting point is 00:55:38 these things you could even do them in Python. They're pretty low level networking stuff. But they actually gave me this Python script and I could run it. And sure enough, like it kicked me out of the terminal. And it's just clear as day. And I could, you know, I put in a patch and then I ran with the patch and, you know, the Python script didn't do anything. But it was just, it was just, it was beautiful. Like kind of the way it worked, it was repeatable. It wasn't like a suggestion or, oh, this happened when, or I was able to do this to your point, like with the Olympic skater,
Starting point is 00:56:09 it's like, here's a program and I can run this script and sure enough, it'll do this every single time. And that was really powerful to see. Yeah. It sounds like you're describing what's called responsible disclosure, which is where a security researcher, an ethical hacker will perform research on an organization. When they find an issue, they'll then submit it to that afflicted organization in order to help them fix it. And then once it's fixed, then they can turn around and write a white paper about it or speak about it at a security conference like DEF CON or something like that. And that is the way that security research is supposed to be done, as opposed to just publishing the issue. But one of the problems that comes up a lot, it sounds like you were very engaged with this researcher who was trying to help you. Yeah, he did tell me that after 60 days, he would publish it externally, which was fixed long before then, but it kind of did
Starting point is 00:57:10 encourage people to upgrade to the latest version when they did find it. Yeah, you have to put the shot clock in there because otherwise you'd be surprised how many companies, despite receiving these known issues, won't do anything. And that hamstrings the researcher a little bit, because first of all, the issue is not getting fixed, which is the real problem. But then researchers are essentially compensated in one of two ways, financially or through recognition. And so financially would be where that's the business, right? So I've talked before about how companies hire us. That's the business. Someone will pay us to do a project for them. But the condition is, of course, this is private to them.
Starting point is 00:57:54 There is non-disclosures. We don't talk about this to anybody. Occasionally, we'll talk about broad strokes of a story, but no one's identified. No technology is identified. So that's one way you're compensating. Someone pays you to do it, but it's kept private. The other way is you don't get paid for it, but you can talk about it. And talking about it does a lot of things. It helps advance the state of the industry. It helps educate other researchers. It takes a researcher's profile and elevates that profile so that they can maybe get a better job or start their own company or just be more prestigious or write a book or whatever they want to do. But the problem becomes when they're not getting paid and they're not allowed to talk about it.
Starting point is 00:58:36 And so that's why responsible disclosure has to have a shot clock on it, because otherwise the companies could just not do anything. And now both sides kind of lose because the company doesn't do anything. The researcher's like, when is appropriate for me to talk about this if the company doesn't know? Now at least the company's been notified. And when they go talk about it, they won't disclose the actual attack script if the company hasn't fixed it, because that would just be irresponsible. Yeah, totally makes sense. Totally makes sense. I think some things might be somewhat nebulous too. Like in this case,
Starting point is 00:59:15 it was a pretty deterministic thing. You could just run it and boom. But in some cases, it might not work every time. Like it might be something that's based on some context that's difficult to reproduce. And so the company might not know they fixed it 100%. They might not know if they fixed 90% of the cases or 100%. And so they might have this, the company is going to have a strong incentive for that reason, at least for that reason, not to disclose it. But as you said, that then you have this problem of we can't really tell who's out there doing great work in the security space. So I've heard a lot about DEF CON. I've had friends who go every year and they're super into it.
Starting point is 00:59:54 Can you explain DEF CON? I've never been. So can you explain DEF CON or not to like put your phone in airplane mode because everyone gets hacked. Like, are these, how much of these are fantasy? How much of these are real? There's, well, there's a combination of the two. They are very real. That stuff happens at DEF CON.
Starting point is 01:00:24 But it's, I wouldn't say it's fantasy. It's not like you walk into the convention center and you're hacked immediately, but it is definitely the place you want to proceed with extreme caution in terms of your technical life or your technology life. Yeah. So DEF CON is, it's a security research conference. So it's for researchers. And that's an important distinction because I think when most of us think about security conferences, we think about things that are more commercialized, like an RSA or something like that. Maybe if there are students listening who haven't been to conferences at all, maybe you aren't more about the business of security, DEF CON is really all about the security research itself. It's where new research is published. It's extremely technical.
Starting point is 01:01:16 So if you don't have interest in learning the technical side, you might have a difficult time there. But it's all about breaking things. And it truly is a community. I mean, like any community, there are people who are jerks and, you know, arrogant and stuff like that. But for the most part, I find that the DEF CON community is people who are very supportive of each other. They're all there to learn. They feel comfortable amongst each other. I mean, it really does. Community is the right word, I think, for what is a very, very large conference. And, uh, yeah, hot new research gets dropped all the time.
Starting point is 01:01:51 Like here's the newest way to attack a solar array or a satellite or, you know, cars or stuff like that. Um, we organized part of it. They have this concept at DEF CON it's called, it's a, they call it the villages and there's the villages are kind of like a conference within a conference where it's focused on a particular area. And we run one that's focused on Internet of Things and all the software that surrounds the Internet of Things. And yeah, it's just a cool place to learn and to meet people and hack stuff and meet other hackers.
Starting point is 01:02:24 And it's just, it's, it's a cool vibe. Very cool. So I definitely want to dive into, um, ISE and, uh, you know, the company and, and how, um, you know, uh, you know, what positions you have available and all that. But before we jump into that, what are some kind of, uh, like a, like, you know, piece of advice you could give to people who don't want to get hacked? You know, so this could be, you know, professional, you know, people who are developers, but it could also be just people out there who have a cell phone and they're worried about getting hacked or they hear about their friends getting hacked. What is sort of like some advice you would give to people like that? So the question is advice for individuals as opposed to advice for companies or software
Starting point is 01:03:16 development teams and things like that. Right. So this would be, you know, if it could be someone writing software on their side, let's say a college student or something like that, but this would be a sort of non-enterprise folks out there. What would be advice to them if they are worried a lot about this stuff? Yeah. So a lot of the common advice that you'll hear around this question is things like, first of all, just be aware, right? That that's first and foremost, you want to be aware. So that means things like, uh, being cautious of clicking links or downloading attachments that come your way. Uh, I re you, you mentioned at one point that you received a text message and I assume it had like a link in it or something,
Starting point is 01:04:04 some sort of request from a person with authority. Yeah, so like anytime something like that, just delete those things or better yet report if you are at a company that has any sort of IT or ideally security team, send that to them so they can hunt it down. But so many of these attacks originate
Starting point is 01:04:23 from things like text messages or emails that have attachments or links. So being aware of that kind of stuff, being aware of how authorization is typically given. So for example, I still think it's pretty funny the way that doctor's offices operate right now. They call you and they're like, Hey, is this, you know, is this Ted? And I say, yeah. And they're like, all right, well, we just, we just need to verify that you are who you say you are. So can you give me your social security number? And I'm like, no, you verify yourself. You just called me. Yeah. Right. And so even though that one, that is actually the way most doctor's offices operate, which is ridiculous, still push it back on them. They have to prove that they are, in fact, your doctor before you give them any information.
Starting point is 01:05:08 So just being aware that we live in kind of a hostile world and being aware of, yeah, attacks are coming, whether that's clicking links and downloading attachments are the biggest things, and forwarding that information to someone who can, uh, help with it. If you don't have someone to forward it to, at least just delete it. Don't, don't do anything with it. If it's something that matters, you'll find out about it. Like it won't, it won't be the end of the world if you deleted a link that was like, oh, I was supposed to have that, because that person will probably call you and be like, hey, I sent the thing, did you... we got to sign this contract for this thing or whatever, you know, you're trying to sign a mortgage. Like it would, you'll figure it out. Yeah. Really good advice. Yeah. I mean, I know my wife and I constantly get calls from
Starting point is 01:05:54 the quote unquote IRS, you know, and they're like, you, uh, you owe us a bunch of money and, uh, they're totally fake. I mean, that's a, a, that's, I think the IRS scam is now probably one of the most common, um, um, you know, we, we looked it up once and there's just website after website after website telling you all about the scam and how it works and everything. Um, but, uh, other scams that, you know, if we're talking about maybe college students or younger audience, there's two others to be aware of that are really, really effective. And you can pick them out pretty easily, but they're still really effective. So one is similar to the IRS scam that says, hey, you owe back taxes or whatever. It's about student loan
Starting point is 01:06:39 debt. And so I fortunately don't have student loans anymore. I paid them off already. So that's how I know these are scams. They're like, oh, your, your loans are in default or whatever. And so every time I get them, I'm always looking at them and I'm like, how, you know, how does this work? What's what psychological tools are they trying to use? I mean, I probably get one or two of those calls a day. And so that's a big one. Be aware of like, if you're getting calls, especially if they seem really urgent and scary about your student loans, just go to whoever you have your loans with and call them directly and ask. Don't respond to someone who's contacted you. The second one that's really, really effective right now is these housing scams on Craigslist, especially if you live in a hot market. So if you're listening to a podcast like this and you're trying to get a job in tech, you're probably going to wind up in like San Francisco or New York or Los Angeles, Austin, these places that rent is really high, places are gone before they even hit the market. And so it can be really tempting when you find a place on Craigslist and it's like, wow, that's in
Starting point is 01:07:43 my budget. It's even a little nicer than my budget. Oh, wow. Look at that. They replied to me. Oh, wow. They didn't need a background check. All I need to do is send my first month's deposit, security deposit, first month's rent, and this is mine. They'll mail me the keys.
Starting point is 01:07:58 Oh, yeah. Yeah, don't do that. People who rent you places, even if they'll send in the scams really effective because they'll send you what looks like a really legitimate contract, a lease contract. Yeah. And you're like, well,
Starting point is 01:08:11 how am I going to get housing? If I don't, it might even be a place that's, that's being rented. Cause you could just go on Zillow and find a place for rent and say, yeah, this is me. Right.
Starting point is 01:08:21 Totally. Totally. Yeah. They'll always, there'll always be a story like, Oh, I can't show it to you because I'm deployed overseas or I had to go take care of a sick family member,
Starting point is 01:08:31 but don't worry. I have the keys. I'm going to mail them to you. Just go look at the place from the outside, but I can't let you in. You got to be able to see it. You got to know that this person can let you in. So those are two that I would definitely keep an eye out for that are targeted specifically at a student demographic. Cool. That makes a ton of sense. I saw one that was coming at it from a totally different angle, but it's still hacking based off the way we were talking about it earlier where somebody, someone found a place that had included utilities. So utilities were free. We were included in the rent and they proceeded to set up a Bitcoin mining farm and a laundromat. And so the owner got a $300 electrical bill and $250 water bill the first month. Now, fortunately, you know, they're in the contract. It says you
Starting point is 01:09:25 can't run businesses, you know, it's meant for living. And so I'm pretty sure that they're, the owner is able to, to, to take care of that. But that's, that's, that's also an example of, of, of hacking where you kind of, you know, the, the included utilities, you know, was, was kind of not meant to include you like running your own laundromat. Well, that's definitely an example, yeah, of someone who said, well, how can I, you know, make the intended use of this system be different? And so, yeah, they found that there was contract language, it sounds like, that prevented that. But I even applaud that person. They're like, whoa, utilities are included, hold on a second. Yeah, that's pretty clever. So cool. So let's jump into ISE. So ISE.io is the website.
Starting point is 01:10:15 And it's a, I guess it's a group of folks who assist other companies with security issues. Is that correct? Yeah. Yeah. So we're a company of maybe about 50 people or so today and growing. And yeah, essentially companies hire us when they're trying to understand what their security flaws might be in a given system and how can they improve them? And so basically we hack stuff all day and it's really rewarding in fact, to see, you know, when people find out about our company who like, that's what they want to do with their free time on the weekend or whatever. And they're like, this exists as a job or like, yeah, you got to do bad guy stuff and don't go to jail. So it's great. Very cool. So for folks who are super into this space and would love to kind of work with you,
Starting point is 01:11:16 what sort of positions you have? Do you do internships? Is it full-time? Where are these positions located if they're not remote? And yeah, what are some of the details there? Yeah, we have a lot of jobs that we're hiring for right now, ranging from security analysts to we have some, I believe we have some project manager type positions. We have some software developer positions that we're looking for. And there's probably some operational or administrative type jobs as well. We're headquartered in Baltimore. We actually came out of the PhD program at Johns Hopkins.
Starting point is 01:11:58 And our West Coast office is in San Diego. But we already had a pretty liberal remote work sort of situation before the pandemic. And then as we've been polling our people as pandemic seems to be winding down, who knows if it is or not. But I think the general consensus is everybody wants to have a hybrid work environment. And some people want to be fully remote. And so whether people want to be fully in the office, fully remote, or hybrid, we support all of that, um, within the United States.
Starting point is 01:12:31 Uh, there's all kinds of visa issues with people outside the United States that we still haven't quite crossed that, um, barrier yet, but within the United States we're good with all those. And yeah, I mean, that's kind of the culture is community. I mentioned that about DEF CON, but that's one of the defining words of what our culture is about is it's definitely a community. It's like the first word in our mission statement is to build a community. And so for that reason, I think a lot of people do like to come into the office. I personally much prefer it to being remote because I want to interact with people, but we're amenable to whatever situations people want.
Starting point is 01:13:09 Cool. That makes sense. And so are there sort of internships or co-ops or is it mostly full-time at the moment? Oh, yeah. I knew that. I was like, there's one more aspect of the question I can answer. Yeah, our internship program is one of our best. I don't know if it's one of our best.
Starting point is 01:13:25 There's so many great parts coming. But our internship program is very robust. At any given time, we have one or a handful of interns. I mean, obviously, they kind of follow internship cycles, like typically summer. But what winds up happening with our interns pretty frequently is once they start an internship with us, they usually wind up – like they don't go back to, I mean, they go back to school, but they stay work,
Starting point is 01:13:48 you know, their availability shrinks. But they wind up doing, you know, maybe a project during the semester and then they'll ramp back up again for the winter and then do a project in the spring and then do summer. So it's really great. So they get, you know,
Starting point is 01:13:59 the people who come for our internships generally don't have any security background. Some of course do, but really it's just computer science is the big thing that we're looking for. Depending on the job, if there's other jobs that we don't need computer science background for. But yes, we have internships and also obviously full-time positions. There's a few part-time positions and occasionally once in a while we'll hire a contractor, but it's primarily full-time and interns. Very cool. Yeah, that makes sense. So what is something that makes working at ISE unique? What is something like, it could be the
Starting point is 01:14:38 desk layout. It could be, maybe you have a, once a month you have a competition to see who can break into Ted's iPhone. You know, I mean, what is something that makes working at ISE different than working somewhere else? Yeah. I mean, besides that, we pay people to hack companies. Yeah, totally. What's the unique thing about the culture? Yeah, we're not the only ones who do that. So one of the things I love about our culture is it's just like it's just fun shenanigans and we, that we kind of grapple with how do you communicate that to people outside the
Starting point is 01:15:13 company, right? That this, this is a fun place to work. Like people like working with each other and this is not your corporate toxic culture that people are like stepping on each other and backstabbing. It's not. It's like, it's, it's a community. I mean, that word is, that's, that is intentional. And some of the ways that that manifests is, I don't know, we do like a lot of the stuff that I think interesting tech companies do, like pay for a lot of meals, pay for a lot of like social events out. But we also have like awards to reward people for both the serious contributions they make, as well as like the goofy and silly contributions that they make. There's like one guy at the company right now who his ability to create memes about what our culture is. It's like, how do you, it's so spot on.
Starting point is 01:16:01 And we're like always disseminating those to people. And we have a, it's changed a little bit with offices being closed during the pandemic, but we have what we call the inter office travel budget. So like each person has an amount of money every year earmarked so that whether they're based in Baltimore or they're based in San Diego, they can go travel to visit the other office and like build relationships, but then also like, hey, if you want to make a trip around that, it's cool. Um, we have unlimited vacations so people can, like, one of my big things when we were building this culture is, I was earlier in my career, I, uh, before I went out on my own, um, I worked for a company that their vacation policy allowed two weeks of vacation. And I told them when I signed the thing, I was like, just so you know, I'm going to take more than two weeks.
Starting point is 01:16:49 Like if you have to not pay me, like so be it. But it's just not going to work for me. And I remember distinctly having this feeling, you know, that was my early 20s. All my friends are getting married. I was one of the few that lived in California. Everyone was sprinkled all over the country. And I remember being made to feel guilty when I had to fly on like a Wednesday so I could arrive in time for the events on Thursday and Friday for the wedding on a Saturday. And I was like, when it's time for me to build my company,
Starting point is 01:17:18 I will never allow anyone to feel that way. And so our culture is just like, you got to live your life, like ISE and your life have to be integrated. You have to do work that matters. You have to be around people who are smart and make you better. Um, and, and that's, I think the culture that we've built and that I think is very unusual. Yeah. I had a similar situation where I joined a company and I was, I was, um, just finishing my PhD. So I still had a commitment to go to a conference. And so I had to go to, um, um, I had to go to the conference, you know, after being at the company for like two weeks. And so I ended up having to go into like
Starting point is 01:17:55 negative vacation. So I found out negative vacation was a thing. So, so I'd like negative, like one and a half weeks of vacation. And it just just kind of like seeing Mickey Mouse backstage, you know, like the person takes the mask off and you realize it's just a person running around with a Mickey Mouse costume. It's like, sorry to spoil it for people out there, Disney fans, but sort of like when you have to go negative vacation, you realize that it's just like another system to be hacked, you know? And, and so it's like, it's, it's nice to just say, look, like let's, we're all adults here. You know, when you need to recharge and all of that. Yeah. I think the bigger problem that we
Starting point is 01:18:37 have is actually making sure that people will take vacation, take enough vacation, actually take the time off. Like I'm always berating my, within my reporting berating is maybe the wrong word, but like within my reporting structure, I'm always telling people like, Hey, you're taking the, you're taking next week off or two weeks or the next three weeks, whatever it is. Like I better not hear from you. You better not check in on your email and responding to, you know, messenger and all that stuff. And I think now people are like starting to get it because you have to really set that tone from the top.
Starting point is 01:19:10 Right. And most companies do the opposite from the top, right? The leadership is so engaged in what's happening that they're willing to work on their vacation. That signals to everybody else, like, oh, vacation isn't really vacation. I'm supposed to be checking email, even though I'm like, you know, in Aruba with my girlfriend or whatever, boyfriend, like, no, that you have to clearly communicate that. And I think I think we're doing a good job with it. Very cool. Yeah, I found that as an engineer, I could code on vacation. But as a leader, I make absolutely terrible decisions. And, you know, at first I thought maybe it's because I'm just frustrated that people are reaching out to me on vacation. But then I realized it was much more fundamental than that. When you're on vacation, you only get emergencies. And so your view, you know, I've taken, it's been a few times where
Starting point is 01:20:04 I've taken like, you know, one, two month long vacations, you know, because I'll kind of batch it up that way. And so I'll notice that, yeah, while I'm gone, it's just all I see are emergencies. And so, and it's kind of a compressed timeline because you're not, you know, working a full 40 hours or anything. And so it just feels like everything is on fire and you just get really upset. And then only in hindsight was I able to figure that out. And so, yeah, I totally want to echo what you're saying. When you're on vacation, definitely take your vacation, check out,
Starting point is 01:20:37 put that person who's going to backfill you, let them take that role and run with it and shine and just be totally off the grid. Totally. I'm, yeah, I so strongly agree with that. And the, well, we have to also realize, and I get that what I'm about to suggest probably feels like a leap for somebody who maybe is still like figuring out their career, maybe they're earlier in their career or whatever, but is that you actually have to let the organization figure out how to do your job or how to get the job done that you're there for without you. And that most people, when they hear that idea, they're like, well, then the company might
Starting point is 01:21:21 realize they don't need me and they might fire me. So I have to show them that I'm important. And it's actually kind of the opposite. Like you need to allow, you need to prepare your team. I mean, that's one of the, to be able to have an unlimited vacation policy like we have, it is a requirement that, you know, people have to notify as in as much advanced notice as they can, their team, their manager, it's everybody. They have to come up with a plan for like, okay, what's going to happen before I leave, while I'm gone, and then right afterwards, who do I have to prepare? What information do I have to give them?
Starting point is 01:21:53 That's why a lot of people wind up checking in when they're on vacation, because they don't do that, right? They're like, oh, no one can do this thing, because I'm the only one who can do it, I'm the only one who has access. And that's really, really bad planning. And what we have to do instead is we have to be able to equip the people around us to be able to survive for like a couple of weeks without us. And that, no matter your level in an organization from entry level to the CEO, that makes you a better team player. It makes you understand the processes better. It makes the systems run smoother because you understand them well enough to communicate them. You can find like, why do we do it that way? We don't need that. Let's get rid of that. Yep. And that can be scary for people to say like, I'm going to actively do something so that they can live without me. Like what? But trust me, it makes everyone's lives so much better once you can do it.
Starting point is 01:22:51 Yeah, totally, totally agree. Yeah. I mean, it's, it's, it's, I mean, I think especially in leadership, like for you to build the next layer of leadership, you have to replace yourself. So in that case, it's, it's crystal clear, but then, you know, even as a tech leader or as a, as a technologist, the same is still true. For you to build the next system, someone has to take over the current system. And so it holds true for that as well. Thank you, Ted, so much. This was awesome. I know some folks out there are saying, oh, why didn't we go over SQL injection?
Starting point is 01:23:20 I mean, you can read all of that stuff on the internet. There is, you know, and, and, and as, as Ted said, you know, if we covered that a year from now, there'd be something totally different. And we get people who listen to our episodes from 2011 and still today. So, so, you know, what we said here, in my humble opinion, we said here is, is timeless. It's always going to be true. It's, it's facets of human nature. And we, uh, uh, you know, Ted, you did a great job of kind of explaining, you know, what security is, why it's important and how it breaks down and what you do when you join, uh, you know, an organization to help them out. And so I really appreciate your time. Fascinating stuff. Um, definitely, you know, check out Ted's book, number one bestselling author on ethical
Starting point is 01:24:12 hacking. So definitely check out the book. Do you want to kind of give us a rundown of what is your book, your site? Like how can people read more about this? How can people catch you? Yeah, the simplest thing to do would be to go to tedharrington.com. There you'll find anything you could possibly need based on what we covered today. So there's information about my book. It's called Hackable. You can find where to follow me on social media. You can contact me directly. If you need advice on security testing, if you want to apply to work
Starting point is 01:24:45 at our company, anything you could need, just go to tedharrington.com. Very cool. Thanks again for coming on the show. Super, super interesting. I really appreciate it. My pleasure. Thanks for having me. Music by Eric Barno. Programming Throwdown is distributed under a Creative Commons Attribution-ShareAlike 2.0 license. You're free to share, copy, distribute, transmit the work, to remix, adapt the work, but you must provide an attribution to Patrick and me and share alike in kind.