How to Turn Your Hacking Skills Into a Career
2:52PM Jul 30, 2020
Hello HOPE 2020, I'm Phillip Hallam-Baker. This is a call for volunteers to help build something that could be wonderful. Mathematical Mesh is a threshold key infrastructure. That means it uses advanced cryptography to make computers easier to use by making them more secure, and it offers a new level of cryptographic security. It puts you, the user, in control of your personal digital life. Now it's almost ready for launch. We've almost passed the 300 unit tests that we need to go into alpha release, but I'm going to need your help to complete and deploy it, and you don't need to be an expert in cryptography to help. Obviously, the more crypto geeks willing to work on this, the better. But you don't need to be an expert in cryptography to help. If you want to learn, I've got a free crypto course on YouTube that you can learn from. And you don't need to be a developer, either. Obviously, that's useful again, integrating the Mesh into existing applications so you can wrap security around them. That's going to be powerful, but what we're going to need most of is people willing to try out the alpha release and give us feedback: tell us, is the code working, is it solving a problem for them, and what features could we add that would make it better, make it more useful to solve real problems. You can find out more about the Mesh in my HOPE talk, which is in the archive, and on the Mesh website, mathmesh.com. So thanks for listening to my bump, please stay safe, and have a great remainder of your HOPE conference experience.
Good morning and welcome back to the next talk at HOPE. This talk is actually a panel discussion, and we have with us three gentlemen to talk about their backgrounds in hacking, their backgrounds in cybersecurity, and how they built a career in IT security. With us in the room we have awesome Mosley, Nas Makuta, and Tom Krantz, and I'm going to let each of them give you a quick introduction to themselves. So, without further ado, awesome.
Oh, and yeah, so the first question is really about our background, so I might as well start with that. So, I first started really playing with computers when I was about 12 or 13 years old. I had a desktop PC and Windows XP. And at some point I found out about Linux; it sounded really cool. It was open source, the first time I'd really come across that type of stuff. So I downloaded that, stuck it on a CD, and had it as my main operating system for a few years. And then when I was about 14 or 15, I saved up and I got my laptop. And at that point, again, I downloaded Alan's distress right away. And the sun was off limits and had fun playing with that, because it was one where you download it, you partition your hard drive, you select how much swap space you want, you configure your networking, and you install whatever you want on it, so you kind of installed it from the ground up, and I used to find that really fun. That was a period where I sort of used my computer more as a toy or a plaything, where it didn't really matter if I destroyed my entire operating system or I had to reinstall everything. I just thought of that as the learning process, and I really liked learning the tools and the way things worked. And then when I was about 16 or 17, I first started to get into programming. So I did kind of try that before that; I think I tried C++, and maybe quite from about. I never really got into those, because it was very abstracted for me, and I really wanted to understand how computers worked at a low level. So I thought I'd go all the way back to the 80s and 90s and learn about CPUs back then. So I started learning about the Z80, and I read a brilliant book by Rodnay Zaks on programming the Z80. So I set that up and had that as my environment. And then I got quite interested in malware from Phrack online, and on the evening I got quite interested in malware.
So, another really good book is The Giant Black Book of Computer Viruses, and The Zen of Assembly Language by Michael Abrash; those were kind of two of my favorite books. And at that point I got into writing malware for DOS, so learning about the 286 and then that, and I found that really fun. As well as that, when I was a kid I really loved playing with my Game Boy Advance and my Game Boy, so it was always kind of a dream of mine to write something for the Game Boy or the Game Boy Advance. So I got into assembly and just programmed stuff on my Game Boy Advance; I found that quite fun. And then eventually I needed a job. My parents had a job. So I went for an interview somewhere and explained to them sort of my passion, what I'd been up to. I hadn't gone to uni and stuff. And yet they took me on, and I've been working ever since. I kind of tried my hand at various things like red teaming, pentesting, those sorts of things, and recently I've gone back to the low level stuff, so kernel hacking, that kind of thing. So yeah,
that's it. How about you?
So yeah, I kind of started off around 12 and 13, same as awesome. I was mostly trying to bypass, at school, certain content filtering stuff. So I tried to get some proxies to access gaming websites and flash websites as well. From that I kind of moved on to something like booting distros like Knoppix and BackTrack, if you can remember that, got familiar with it online, started to play around with Unix systems, configuring certain installation environments. We actually got internet quite late on. So I was mostly spending time after school on the internet, with my bypass kind of proxy, looking at certain sites, and I was learning from there. And after we got some internet at the house, I learned about Wi-Fi hacking and how to crack WEP and stuff like that. I had a few kind of tutorials that I was following; I remember looking at videos on YouTube a lot. I think the channel was called Hak5, if I'm not wrong, if I'm not mistaken. And so yeah, I built this weird cantenna thing that I put outside my window, and I was about 14, 15. And yeah, that was pretty awesome; there were loads of wireless networks around the area where I was, the go-to stand.
I've been out of the UK for a number of years, but I'm trying to recall: you had Pringles cans you were using? What kind of cantenna? Yes.
Yes, yes, yes. That
was actually quite hard to come by, to be honest. But when I did, I had convinced my parents to get me a Belkin USB Wi-Fi adapter. So it was small enough I could fit it into the can, if I cut a little hole, and just a wire plugged into my computer. That was quite hilarious. And after that I signed up to a few hacking forums online, learned a bit about web application security, did some stuff on them, botnets, learned how they work. Tried to follow a few more guides, wrote my own tutorials as well. A few months later I started to hack random websites in my spare time, like really late at night, or it would be something that I would see on TV, like an advert, and I'd be thinking, let's just poke around, see what we can find. And one good example was a used mobile phone, kind of cell reselling service, so you just send them your old mobile phone and they'll send you some cash back or something. And this particular one had a search bar, and being me I just typed some random quotes in it, and apparently it was vulnerable to SQL injection, which was quite interesting at the time. And so yeah, I thought that was awesome and just started to learn more, started to test other websites. Fast forward a few more months or years, rather than registering on other hacking forums I created my own hacking forum. I also hosted an instant chat Jabber server, which I thought was quite cool. It was based on Prosody, prosody.im, I think. Although this talk said that we bypassed university, I actually went to university. I just studied computing. Just want to point that out. And maybe in, I think it was my second year, I got arrested by the NCA. And then I got charged a few months later, and I ended up getting sent to prison, which was probably the worst time of my life, to be honest.
I sat down after I was released.
I tried to look for jobs; it was really difficult to find any. Most of them required security clearance, which for me was almost impossible to get, as the spent time was like four to five years anyway. I got really lucky. I landed a job at the company I currently work for now, and the funny thing is, Tom and awesome did my interviews, which is quite awesome. I think that's really great. And some of the stuff I do now involves hardware hacking, so we had this router that we took apart and found a bunch of bugs in there. There's another one, a Chinese brand 4G kind of router or modem or something like that. We also did some building of phishing campaign infrastructure, so creating a phishing simulation, basically, for the red teamers. Did a bit of work on 4G and 5G; I was really curious about IMSI catching and developing your own base station. That was pretty awesome. Did a few conferences, just regular, not very high level, about web application security and the OWASP Top 10. And yeah, that's about me.
So you were all working together, at least at one point, whether or not you still are to some extent. But Tom, why don't you give us a quick update on your background and who you are.
Yeah, sure. Hi everyone. Luckily my webcam's not very good, so you can't see that I'm actually gray, but I'm old. I'm really old. I got started when I was 10 years old, back in 1984. So back in the UK the government had this great idea: they teamed up with the national broadcaster and launched this national campaign for IT literacy. They generated the BBC Micro, hands down the best computer ever in the history of mankind. Every school had a BBC Micro, every student was taught how to program, how to code, and the idea was the UK would become this coding powerhouse that would rule the world. For me, it meant my dad, who was a teacher at the time, came home one day with a BBC Micro, a tape deck, a huge thick manual and a modem, basically slapped them down on the kitchen table and said, oh, apparently you're supposed to learn how to do this. Off you go. So I had to teach myself how to program just to get the thing working, got into breaking copy protection on games, because for a 10 year old the games were outrageously expensive, and I also wanted to make backup copies of my favorite games so my younger brothers and my dad didn't overwrite my saves on them. Got into that a bit more, and then started to explore the features of the modem, found the local BBSes, which is always good for a laugh. And at the time the national telecommunications company BT ran a system called Prestel, which is a bit like AOL for the 80s. They had this cool thing called email, and it cost a fortune: you had to pay for a local phone call to dial up, and pay a fortune for the subscription. And I was desperate to get in on that. The Prime Minister had an email address on Prestel, Prince Charles had an email address on Prestel. I was desperate to get in. So I spent ages trying to brute force passwords, and eventually managed to guess the password used by some of the BT engineers, which gave me full access, and set myself up with a mailbox.
Sent some really great emails to Margaret Thatcher, the Prime Minister at the time, which luckily didn't land me in too much hot water. And then got busted when my dad came home one day and wanted to work out why on earth I was logged into Prestel at five o'clock on a Friday afternoon. So the modem got taken away and I got grounded for a bit. But luckily, where I grew up was right in sort of the tech corridor of Southern England, so we had Silicon Graphics, we had Sun Microsystems, we had ICL, we had IBM, we had Cray, and they were all a local phone call away, which meant cheap late night BBSing. So I spent really the rest of my teenage years breaking into local computer companies and then emailing their sysops and saying, look guys, you've got my password on the app in for your Silicon Graphics cluster, or Cray YMP, which I actually got access to as well; the Cray guys were pretty chill about it. I got some free manuals off the back of that. I managed to land a summer holiday job doing PC and networking support; that got me into Novell NetWare, if any of you are old enough to remember that. And where I was working had a bunch of Unix systems as well. I mentioned that I had experience with Unix, and that got me into Sun Solaris and Silicon Graphics IRIX in a kind of hardcore way, and then I moved into system administration, and all the way through that sort of progression I went from looking after systems to designing systems to building systems. I deployed a bunch of high performance computing supercomputers using Silicon Graphics gear back in the late 90s, early 2000s, but all the way through that I seemed to be the only person in the corporate environment who was trying to break this stuff, who kept on flagging it up and saying there's a security issue here, this wasn't locked down, there was this process running. So it was kind of almost by accident, as I got more seniority looking after Unix systems and then migrating into cloud and building out solution architecture,
I was always the person who was tagged as the security person. So I gradually moved into a security career, moved into doing security architecture, so moving from actually administering machines through to designing machines through to implementing the security and the large scale architecture. And then I basically ended up as a CISO and a director, which is where I am now. The previous company I worked at, as Nas mentioned, that's where I met awesome and Nas, and I can remember seeing Nas's CV come through and his name rang a bell and things. I know him, I've read about him when he got busted, let's get him in for an interview. It was a great interview, really good to chat, and obviously the company hired him and he's still there, which is to their credit, to be honest. Excellent.
Nice to meet you all. And I'm sure our viewers are saying the same thing. So let's explore that a little bit more. But before we dive into sort of four rounds of questions, I just want to come back to the comment stream there, in the background discussion: we've got some folks coming up without university, some folks coming up with a criminal background. But when you look at the market today, what is your point of view as far as whether or not you need to have a degree? We've got people nowadays talking about master's cybersecurity degrees and things like that.
So, I left school after sixth form, which, for those of you in the US, is roughly high school. I spent the majority of my time at school basically breaking into the school system and reducing the grades of the bullies. I got fed up of being pushed around, so there's a whole bunch of people out there, and I doubt very much that you're watching, but if you are, the reason you flunked your GCSEs and A levels is me. I was an indifferent student, so when I left with my A levels I had, quite frankly, mediocre and rubbish grades. And I didn't go to university at all. All the way through my career, I've not really had the training courses; I've taught myself. I've seen things and wanted to find out how they work, and I've learned how to pull them apart, get to the guts of them and then work out what I can do with them. So, now I'm in a sort of senior leadership position, I'm a director of a consulting company, and I absolutely see no value at all, to be honest, in degrees or going to university. I get why people do it, but realistically I'd much rather see someone who's spent four to six years of their life trying to work out for themselves how something works, teaching themselves something because they're interested in it, rather than somebody who sat in a classroom and had this knowledge fed to them because they think it's the right thing to do. And certainly, looking at some of the people I've hired, the best people are the ones who are hackers: they've got into trouble, or they're scattered around the edges, but they've broken into systems, they've tried to work out how stuff works, and that gives them a sense of inquisitiveness, a sense of passion about the subject that really makes them great security people and sets them up for a fantastic career in security.
Super. And I think you may be the only 10 year old I've come across who wanted to email Prince Charles. But so, as we look at folks who are maybe in your shoes from however many years ago, and looking at the environment today, what are the resources available online today to learn about cybersecurity and about hacking, for folks that maybe can't get that from a more traditional academic forum?
Go on, you take that one. Oh,
so yeah, there's plenty of open public web forums out there; some are really good. InfoSec Institute is a really good one. I've learned tons of things from there; they have really great categories that you can choose from, search functionality, so if you see something and you have an interest in it, you're probably going to find it. GitHub is also a really great resource. A lot of the time people post like awesome hacking resources, awesome this, awesome that. There's loads of linking back to other sources of information, which is really nice. Reddit, of course. Ask around people that are in the industry already. Definitely ask somebody; I mean, what's the worst that could happen? They could just reply or not reply. There's also, I remember reading Exploit-DB, so that website is usually for public bugs. They show the most recent bugs and shellcode and stuff, but they also have a category on papers and PDF documents, where people have come up with tutorials and methodologies.
You mentioned earlier you got started with BackTrack, so was the Offensive Security crowd a lot of where you came from with that? Or were there any other particular influences that you had?
Oh yeah, I remember. So there's quite a few. I remember watching a few videos about ethical hacking and Offensive Security guides and stuff like that, and that definitely helped. But I really, really enjoyed reading zines, these text files that show how hackers went about a system, what they did, how they got there, what kind of credentials were exposed, what they did with them, and stuff like that. I thought that was really cool. There's also, if you do want to get into web application testing or security in general, the OWASP website, which is really, really good. They have really great examples; they have intentionally vulnerable applications such as WebGoat, where you can just try out SQL injection, cross site scripting, whatever. There's also VulnHub. They mostly have pre-configured vulnerable servers, and what's nice about it is you can just install Docker and get set up in minutes. So rather than setting up an environment in VirtualBox or something, you can just download the vulnerable Apache version and then start exploiting. I think that's a really good way to learn.
Some other ones:
OverTheWire, Hack The Box. They have great challenges that you can do, as well as crackmes. Oh, the OBS crashed. Give me a second.
And we're back. Apologies for the audio and video problem there, but I believe the streaming session is now back online, and hopefully everyone is reconnecting; I appreciate you trying to reconnect to the stream. So we're going to dive back in, and I think the next thing that we want to talk about: there have been a few questions on the Q&A channel (if you're not in Matrix, go to the Matrix chat and throw your questions into Q&A), a few questions around certifications. So I think the question here boils down to a few things. One is, what certifications are relevant in your parts of the world? I know, obviously, UK background, but I believe Tom you're now in Europe as well, right? So what certifications are relevant there, are certifications important in general, and when you're looking at presenting these different backgrounds from a consulting standpoint, how do you showcase those skills to employers?
So the certification question is an excellent one. There are definitely, when I'm looking at building out teams, which I've done for sort of the last four or five years now, there are certain certifications which are largely worthless, and I'd say all the Certified Ethical Hacker, anything from the EC-Council: you're paying money to be taught how to use tools. You know, if you're interested in the work, you can find that out every weekend playing with the gear; awfully, awfully vanilla, a complete waste of money. Anyone who has gone for a specific certification rather than gone for experience, that shines through the CV and it really shines through in the interview. So, my advice to people would always be: don't pursue certifications as the goal. Go for experience, understand the subject matter, and then get the certification as the extra icing on the cake. I have a shedload of certifications; I've been in the industry now for almost 30 years, that's how old I am. I've got boatloads of stuff. I'm particularly proud of my latest cc ml certification; that's a job open if ever I saw one. But certainly I've always used certifications as a way to break past the HR and the hiring manager doorways and get down to an actual interview, where you can talk to someone who knows what they're talking about and knows what they're doing. I've got the CISSP; I got that off the back of 10 years of security experience, and people were asking for it, and I thought, okay, it's an easy way to get past HR on the CV screening. Certainly when I'm hiring people I'm always looking for, where's the experience first, and then what certifications have they got to underline that they've got that experience, as opposed to someone with no experience who's got a whole raft of certifications.
I'd say if you've got at least five or six years, the CISSP is always a good one to have, because it requires five years of experience, and if you've got the knowledge, why not sit the exam, right? It's easy to pass if you know what you're doing. OSCP is always good if you're doing pen testing; that's a standout one for me. Nas and awesome, you guys are a bit more hands on at the moment, what are your views?
Yeah, so for me, I'd say it largely depends on the culture of the company, and it also depends on what job you're applying for. So for example, if you're applying for a pentesting job, having a CREST certification in webapp hacking or infrastructure hacking is useful for the company, because they can go to a client and say, okay, well, we have a few members and they have this certification. So it's just kind of a baseline. But then sometimes people don't want to take certifications, and there's the OSCP that Tom mentioned; I quite like that one, because it's very practical. So instead of going in and taking multiple choice questions, you actually have to hack stuff, 24 hours, and only if you successfully capture the flags do you pass the exam. So I think that's a good one. And again, it depends what type of job. I'm kind of into reverse engineering and that type of stuff, and for me I don't personally think the certifications are that important in that aspect, because it's more about examples of what you've done. So for example, if you've reverse engineered PatchGuard on Windows, or you've hacked some game or console, and you have that on GitHub, and you have the code and you can explain it, and you've written some blogs, for me that's a lot more interesting than having a certification in reverse engineering.
Oh, okay. Thank you. And so we've got a few folks talking about this in the Q&A chat, and I think there's a very common refrain there, which is that these certifications are used for gatekeeping and to get past HR, and other than that, well, one guy says, other than that it's practically useless. I think what we're hearing from you is: other than that, maybe if you're going into it to learn something for the right reasons, it isn't useless. And Tom, when you go out on your engagements now and you see the legacy Novell NetWare implementations, you know what to do. But there was another question asked about degrees again, and what degree, and I think we've kind of touched on that in general. But by the same token, when you're having conversations with your clients, Tom, how much of an uphill battle is it to convince them of this, or are they very receptive? We've got some of the folks in the Q&A chat saying, we're from a Fortune 100, this is how we're feeling. Are there any segments of the market where you see it being a harder sell?
Good question. So I've done a lot of work with regulated environments: government, financial services, research, R&D, critical national infrastructure as well. And to be honest, the biggest thing I hear from people is that they can't find people with the skills, and it's almost like certifications and degrees kind of take a backseat until they go to the hiring process, and then HR stick their oar in and say, oh, but everyone must have a degree, everyone must have this certification, that certification. So there's a bit of self-defeating gatekeeping going on by a lot of clients there. I definitely say, when talking to clients and wanting to help them hire a team and build a security team, it ends up being a fairly quick conversation about: you can hang around for the next four years and wait for this unicorn to come up who's got a master's in cybersecurity and a CISSP and the OSCP and some SANS GIAC certifications and blah blah blah, and you won't be able to afford them, because they'll be up to the rise in Dev and got that a lot and they'll want a shitload of money to come and work for you; or you can hire people who know what they're doing, and you can build your own team that does the right things for you as a client, as opposed to whatever the analysts in the industry are doing. I've had a huge amount of success with that, building out teams of specialists who grow into their roles but also provide the clients exactly the sort of skills they need. And more often than not, the key thing of that is that kind of hacker mindset: critical thinking, problem solving, inquisitiveness. That's stuff you can't really list on a CV, that your job interview should be pulling out. And there are definitely clients, once they understand this is a way for them to solve what they see as a skills shortage, who'll start hiring the right people as well.
Absolutely. And so, one of the other things that I think comes up time and again is around passion, and we've seen this on the Q&A chat, that word was used there. Talk about what you've done, talk about what your passion is there for the field, rather than talking purely on experience and certifications. So I'm going to ask this as kind of a two-part question. First of all, do you feel like there is in fact any kind of shortage of resources, any kind of shortage of talent, in the information security environment? And when you're looking at talent, how important is passion? Because I think there's been some debate back and forth over whether that's reasonable; equally, back to the gatekeeping thing, right: is it reasonable to require that somebody has passion, or is it fair just to say, you know what, come and do your day job and do your nine to five, or six, whatever it may be?
Good question. So,
I would certainly say that passion is important, because
people think it's a job, it's a nine to five, I'm a chair warmer, I'm looking at alerts. The people who are attacking your organization or your client organizations don't work nine to five. Some of them can be very, very sophisticated; they've got follow-the-sun attacking teams. If any of you have ever tangled with the PRC and the Chinese, and you've unfortunately come under attack from them, you know they've just got thousands of people they can throw at it, and they keep on going and going and going until they cause a breach. If you're responding to a breach or a security incident, it doesn't stop just because it's reached five o'clock and Evan says, oh yeah, I'm going to go home now and have some tea. Some of the worst incidents I've dealt with, when I was in financial services environments, lasted for 30, 40 hours, trying to work out what the root cause was, reach out to law enforcement and external teams, and try and fix that sort of stuff. So having people who are genuinely interested in it is key, because that's the thing that's going to drive them through a real world attack. And the other thing is that some of the paperwork is really tedious, to be honest. I know awesome has done a lot of red teaming and pen testing, and writing up the report afterwards is a complete and utter ball ache. It's so boring, but it's a huge chunk of the work. And if you're not interested in the work, you're not going to push through that: I've got to write a 50 page report on what I've been doing, I just want to get back to the fun stuff. And awesome, as you've experienced that firsthand, what are your views?
Sorry, can you repeat the question?
Something Tom brought up there is actually a fascinating question. So, as of now, where you are in your career right now, what is the fun stuff for you today?
The fun stuff for me today. So for me, kind of the process of learning is some of the fun stuff. So at the moment I've just got into trying to write a rootkit on Windows, for the red team. So,
yeah, what, so,
is it more about, for you, certainly you're saying there's an element of the exploration, the learning,
but is there also an element of it that you are passionate about reducing company exposure, reducing company risk, or are you very much focused on what you want to learn, the tools, and showing them whether that holds up?
Yeah, and I'm probably really bad. For me it's just fun, it's play. So if you can put me on something that I'm really passionate about, like low level stuff or writing rootkits or writing tools for the red team, then I really do
the best job possible.
So I'm going to put it to you, and I'll put it in as, actually, I appreciate your answer, awesome. So, in fact, is the issue with passion not simply, does this guy have passion or not, like it's some kind of gatekeeper thing; is it about making sure that people are applied where their passions lie, and to the extent that their passions lie?
I think you can,
like, if you get set a task that you're not passionate about, and you immediately know that this is not right for me, but if...
I don't know how to describe it.
Maybe can you say it in a different way, maybe?
Sure, absolutely. So I think what I'm asking is, if you take a person that you consider to be a great information security resource. Yep.
Are they going to be equally great in all roles, or what determines which role they're going to shine in?
I'm not sure about that one, to be honest. Do
you have any thoughts on that?
So I think at the end of the day it's a job, right? There's always going to be boring stuff. The question that we all have to ask ourselves is how much of our working day is the boring stuff and how much of it is the interesting stuff. I can put up with a couple of days' worth of tedious meetings and report writing and strategy documents, but if there's not something interesting, exciting, after those two days, I've kind of lost interest. I'm sorry, it's just not fun anymore. And we've all got that boredom threshold, we've all got that judging level thing where we go, okay, I'm being paid this much, that means I've got this much tolerance for some tedious meetings and some boring reports. But you constantly have to look at that, because the job changes over time: you get more skilled, you get more experience, the people that you're working with and for get more experience, they use new technology, and so the nature of it is that it changes over time. And very often, some people, and I know it's happened to me, I've stopped there and thought, actually, is the work boring, or have I just gained enough knowledge and experience that I've outgrown this role and I need to look for something else? So certainly, looking back on my career, there are lots of times where I've left safe, boring, well paid jobs just because I thought I'd outgrown them and I wanted to do something new and interesting and a bit kind of dangerous for me personally. So I think there's always that level of, you need to check in with yourself about why you're showing up on a Monday morning. And yes, Mondays suck, and Tuesdays and Wednesdays probably suck as well, and Friday can't come fast enough, but why is that? Is it because the job's boring, or is it because you've got too skilled for the environment you're working in and you need something new?
It's super. One of the things we're getting a lot of questions about in the channel as well is back on this HR side of things and that gatekeeping, and, you know, you have questions around how do you get past that, as well as, you know, having gotten past that, is the return on investment for all of that credential gathering and degree gathering worth it? So, you know, I'll throw both of those thoughts out there at you and see what you're interested in there.
Yeah, why am I... Sorry, awesome, go for it.
Yeah, so, in terms of getting past HR, I suppose you could do some sort of open source intelligence and work out what the values are of the company. So, if it's a company that values the passion and the work you've done before, rather than the degree, then it'll be a lot easier to get into that company. For example, I was watching a live stream by George Hotz, who has the comma.ai self-driving car company, and he was talking about interviews for his company, and he was saying, you know, he's really into people with passion, and people that have actually done it and coded. And that's what he would be looking for as a hacker. So, I suppose, finding the right companies where you can get through HR, and/or have someone reading the CV that looks past, you know, the certs or the degrees on it, I think that's important.
I mean, you can also, if they do have some sort of bug bounty program, you can try to help them out. Get in contact with the security team if you can, maybe look them up on Twitter, reply to them. I don't know, if you do find something, definitely do it in confidence, not just release it online, like I was doing. And, yeah, maybe that will get your foot in the door. You could also do other bug bounties, depends on if the company's part of them too. That's my opinion.
Yeah, I think increasingly in this day and age there's lots of opportunities with the bug bounty programs too. Even if it doesn't give you the direct foot in the door, it gives you the opportunity to exercise your skills and demonstrate experience that can get you that foot in the door. But, yeah, one of the other things that one of the questions was just commenting on is, you do need to work on social skills when you're looking to get into these companies. I don't see anyone wearing a hoodie right now, but there is a mentality of what a hacker is, and that mental image, right? How important are social skills for the careers you've chosen?
So, I mean, I would say fairly important, but within limits.
I'm on the autistic spectrum, social skills are incredibly hard. But I've still managed to do just enough to get into sort of senior leadership roles. The thing is that when you're interviewing people, or when you want to build out a team, the thing that should be driving it is more about, does this person fit in well with the team and the culture that I'm building out? You know, when I interviewed Naz it was instantly just like, yeah, okay, he's going to get on really well with awesome, and between the two of them we can build a really great team, we could do some really, really good stuff. You know, if you're going to take them down to Buckingham Palace and have a formal banquet, do they know which knives and forks to use, do they know the correct term to address senior leaders? Kind of doesn't matter at some level. I mean, if you're a pen tester, you're going to have to present the report, and that's going to have to go to the C-suite leadership team, you're going to have to have some sort of social skills. I mean, I've literally been with someone who has stood up in front of the board of a Fortune 250 company and said, shit's fucked, you've been hacked. And that was their pen test report, and it's like, dude, you're right, okay, that's great, but you can't say that.
Totally, totally, and honestly, they're just like, thank you very much, that's very informative, there's the door, goodbye. But, you know, certainly for things like interviews, I think it's really important to be yourself. And then, touching back on, you know, getting past HR and getting into the interviews and things, I would always say it's a two-way process, right? If you were yourself in an interview, or you're yourself on your CV, and you don't get the job, that's not you being turned down, that's you dodging a bullet. You've managed to avoid working for a company where you wouldn't feel happy. I've been really blatant about leaving jobs because they hired people and I couldn't work with them, or walking away from interviews because I didn't feel comfortable working for that client. I interviewed with Google many years ago and got to the final offer and turned them down, because the people who interviewed me were absolutely terrible human beings and I just didn't want to work with them at all. It doesn't matter how great your social skills are, you can't hide that level of not fitting into the culture.
So, it sounds like you have a clear code of ethics of your own. But have you ever found that something like a code of ethics has been constraining, or has guided you to do something that you might not otherwise have done?
So, I think there's some, some weirdness in the system of codes of ethics particularly, and it touches over into sort of the history of, you know, Naz, for example. It came up in an interview, you know, the stuff he's done that he got caught for and he had to serve time for, the stuff I've done and didn't get caught for because there were no laws about it, there was stuff that other people in the interview did on behalf of the government and didn't actually get rewarded for. So all of this stuff is all about, you know, perspective. And I think, regardless of formal codes of ethics, or those appalling company statements of culture, company values, do you live up to the Amazon 12-point company values, all that stuff, nonsense, right? Be yourself, be true to yourself, do what you think is right. If that lands you in trouble, then it's a sign that you are not suited to work in that environment or with those people. And there are plenty of other companies out there who will work with you and who will reward you for being you.
Naz, how did you find it?
Um, yeah, obviously, in my interview I was really, really, really nervous. I don't really, to be honest, have any social skills whatsoever. I get asked, like, to come out for drinks and stuff and I just constantly say there's something else, thanks though. But I think I'm really lucky to have this role, that I work in the lab kind of away from everybody else, and it's no, like, consultative consultation or anything like that. I don't really have to talk to clients and stuff. But at the same time, it's good to be thrown in there once in a while, for example like this talk right now. Like, I'm still kind of struggling with the, you know, being in the public eye, but because it's a good experience for us.
We had a question in the channel asking, is it better to be a captain than an admiral?
What does that mean?
Oh, come on, dude, if you don't watch Star Trek... That's a great question.
I'm totally with Kirk on this when he resigned his admiralship to remain the captain, so he could still command the Enterprise.
I would always, personally, and I'd encourage other people as well, walk away from the fancy job titles if it means doing something you don't enjoy. Yeah, I'm lucky that I can do the strategy work during the day, and then I get home and it's time to get my freak on and start hacking on my own kit, because I've got like 30 years' worth of old kit that I've built up and lug around from house to house. But if I was ever faced with a role that meant I could never do any hands-on hacking, I'd walk away from it. I don't care how much money there is involved, it's, it's, life's too short for that sort of stuff. And maybe there are some people out there who would go, you know what, I'll take the really tedious stuff and I'll take the money and I'll keep quiet about it, and fair play to them. Yeah, we're all different, but it gets back, I think, to my saying earlier on about, you know, are you doing what's true to you, are you doing what's right to you? Because if you are, you're always going to have a good career, you're always going to be happy about it.
Yeah, for me it's, are you working to live or living to work? Yeah, for me it's really important that the process of what I'm doing, in terms of, you know, when I wake up in the morning and I go to work, it's relatively enjoyable and it's a fun process, rather than having an end goal where, you know, I want to have a million pounds and I want to be retired, but I have a terrible kind of process. For me it's kind of about enjoying what's happening in the moment, your every day. So yeah, for me it would be just following the passion rather than the money or the job title.
Naz agrees with awesome, just follow your passion, and I love what I do. And it's always interesting, always learning. That's what I really like about this job. It lets me learn what I want, in my own time as well. So if I want to learn something about mobile exploitation, I can do, I can dedicate some time. And if I was somewhere higher up, I wouldn't have the ability to do that, because I'd be managing people or setting direction for the company or something like that. I don't know, I don't think that's worth it for me.
Yeah, I think that's probably what it is. A lot of companies really rush, you know, they want to get to the end product. And, you know, there's three weeks to do it, and the three weeks have been decided by someone that's non-technical, and then you're kind of rushing through things. And then you get to the end product, and then it doesn't work, and then it's hacked, and then, you know, loads of money's wasted. So I think there's definitely value in spending time thinking about stuff and letting people kind of go off-piste with it and explore and, you know, find something that might be useful during their everyday work.
It's been an interesting conversation for me, because I feel like we've gone from talking specifically about security, whether you want to call it information security or cyber security or whatever, and ended up talking about, you know, life, and what a job should be. So thank you for all the ground you've covered, I think that's really great. We've got only a couple of minutes left, and what I'd like to do is just go around each of you and see if there's anything that you wanted to say that you didn't get a chance to say with any of the questions that were posed. So why don't we just take it in reverse order from the last question. Naz, do you have any last comments?
I don't really remember the last question. What was it?
No, no, I'm saying, is there anything else you had to throw in there? Awesome, do you have anything you want to throw in, or come back to Naz maybe?
Yeah, it'd be fun to get on to the chat and ask some people after.
I see the screen's absolutely just started taking off and scrolling past now, so I think there are some folks that want to talk to you afterwards on there, and you can move that to the hallway conversation as well. So thank you for that. Tom, any thoughts?
Just an appeal to anyone who is thinking about working in the security industry within IT: start building your portfolio, start building a list of stuff that you've been doing that is really interesting. It doesn't matter if it works, it doesn't matter if it's complete, even if it's just you attended some conferences like this and you spoke to some people. Put it down somewhere, maybe a separate document to your CV, maybe stick it on the end of your CV, but something that shows, this is what I'm doing, and this is why I'm interested in that. Because that stuff stands out a mile, it's a shining beacon to people like me who are trying to hire good people and give good people good careers. So, you know, there's loads of stuff out there to get stuck into, there's open source projects, there's conferences like this. You don't even need to have a completed body of work. Some of the best talks I've heard at conferences are people who tried to solve something or find out how something worked and didn't, and you get to the end of the talk an hour later and they're kind of like, and I still don't know how this stuff works or how to fix it, but their journey and their exploration of that stuff is hugely, hugely interesting and it's really valuable for the people listening. So, you know, get talking with people, get stuck into projects, do your own thing, join in with others, everyone always needs help, everyone needs new opinions, new points of view. So do that, and then build up your sort of portfolio, because that's a fantastic thing that will really stand you in good stead, getting into and then building a career in the industry.
Awesome, and thank you again to each of you for coming and presenting at HOPE, even if it was virtual. We will very much