- [Sparc] I'm trying to
convey a thought pattern. It's not about the vulnerability itself, it's about the insight that got the hacker to witness or discover or
exploit that vulnerability. There are other skills that make you more valuable on the market. And these skills are like about software design, software architecture. So, I couldn't put that in the book, because everybody would just like, yeah, like you said, "Oh, that's, nobody would do that." Well, actually. (light contemporary music) - Hey everyone, David Bombal
back with a very special guest. He's the author of a whole bunch of books. Here's one of them, Hack Like a God. Here's another, Hack Like a Pornstar. Very, very cool names. Hack Like a Ghost. And a very new one. Well, here's another one, actually, Ultimate Guide for Being Anonymous. And here's a very new one. I don't have the physical copy, but when you watch this, it should be available
for order from No Starch, How To Hack Like A Legend. Sparc Flow, welcome. - [Sparc] Thank you, thank
you for having me. Hello. - It's great to have you here. So, I was going to, let's start with this. So I think these are the two latest books that you've got, right? - Yeah. - So, Hack like a Ghost. And then Hack like a Legend. I mean, maybe you can
just give us a rundown of like a quick overview
of, what's the difference between all of these books? Because I can't say I've read everything, but I really have enjoyed what I've read in each of these books. I don't know if you want to start with perhaps the newest book. Because this is the one... - Yeah. - That's just come out,
Hack Like a Legend. - Yeah. Of course. Well basically, the
idea of all these books is to take the reader
through what it's like to actually hack a company. So it's not a list of vulnerabilities, it's not a list of, a
to-do list, if you will. It's rather, let's get in
the mind of the hacker, shadow the hacker, and see what are the frustrations that they meet, what are the technical challenges, what typical insight they
gain or they can come up with, during certain situations. The idea is to simulate a
real corporate environment. And so each of these books kind of targets a different type of company,
a different type of context. So How To Hack Like a Pornstar
was really the first one, kind of like an experiment. - Cool name. But I will show you this, because actually, and sorry to interrupt, I just wanted to show this
because, I've read a few. No, I think it's the other one, Hack Like a God, sorry to
just go off on a tangent. I just wanted to show this
while I've interrupted you. You've got like the NSA, busy
opening up Cisco routers in, but that's in Hack Like a God. So sorry. Apologies. Back to Hack Like a Pornstar. - Yeah. Exactly. I took that one from the
files leaked by Snowden. So the first one basically, How to Hack Like a Pornstar, really takes you through
any old big company, really. Fortune 500 company. They have Windows all over the place. They have legacy systems,
they have mainframes, they have all this kind of stuff. And it's just about like hacking them. And that was really
what my pentesting days looked like. Literally. I mean it's a mega scenario composed of many small scenarios. You don't need to go
through the whole thing to hack a company, actually. Just subset of it will
do most of the time. But yeah. And then I said, okay, because when you do a scenario, you don't get to explore
every variation of every vulnerability and every mistake. And so that overflow of ideas that kept staying in my head, I dumped
it in the second book and that's how it went really. - So your second book,
which one is that one? - How To Hack Like A God. Yeah. - Great. - And so when I did finish
those two books, really I kind of explored all the
basic vulnerabilities that we found in every company
that we pentested. And then I set myself
a different challenge. I was like, you know
what, all these books, we take this assumption that the company that we're trying, that we're targeting, is really bad at security. Let's for fun, imagine that
actually they're pretty good. They're actually very good. Like they have detection
and they have monitoring, they don't have legacy stuff. So yeah, how would that work? And so that's basically
the scenario behind How To Hack Like A Legend. And it's really about a hacker, I don't want to give away too much, but basically hacker gets inside using all the traditional methods and then suddenly they get
booted out of the network. And how do they get back inside? How do they manage this
time to not get kicked out, and so on. And it's really about like you are facing an adversarial context. Like there's machine
learning, there's detection, there's monitoring. That's the idea of that book. - I love it because on YouTube videos, I always get this complaint. David, what you're showing is, is stupidly simple and unrealistic. But we all know that some
companies have great security, some have very bad security. And I think it's great that you're taking a modern day example where
they've spent the money and they've got good systems and how do you get around that. - Yeah. And I want to come back to that interesting remark about simple
or stupid vulnerabilities. We saw some stuff in the
field that is actually, that I couldn't put in the book because people would not believe it. Oh, come on. - I'm glad you said that. - Nobody would do that. Well, I'll give you an actual
vulnerability for instance. I remember like in a pentest
one day they asked me like, "Oh, can you look at this
Citrix isolation kind of thing?" And I'm like, "Okay, let me see." They told me that it's very secure and it's very hard and et cetera. And I'm just like, "Okay,
I will try my best." I don't know. And I listed the users because anybody connected to the system and Windows Active Directory, can list the users. And in the attributes of the
users so publicly available to anybody connected to the environment were the actual passwords of the users. So I mean I couldn't put that in the book because everybody would
just, like you said, like, nobody would do that. Oh, actually. And I think that's what's interesting about these books, honestly. I mean, it's totally biased opinion, but a lot of the time you
don't need a buffer overflow to get inside a company. And I think that was the
realization that I got when I started doing this pentesting work. And I contrasted that observation with what I've read before. And I'm like, well that's not
what happens in the real life. You know what, let me take a stab at it. So yeah. - So I want to ask some
questions about your books. So there's something that
I think is really important that you highlight that a
lot of other books don't. But what about Hack Like A Ghost? Because this changes the
scenario quite a bit, doesn't it? - Oh my God. That that
one was a pain to write. That one. Well basically, here's
how it went through. I'd written all these books about Windows. Then I got a call to change jobs. I got a call about an opportunity. And the call went something like this. So we're looking for somebody
to build our security system, et cetera. That would mean me changing literally the type of jobs that I would be doing. I'm like, "Okay, that sounds interesting." And they're like, "Well, do you know AWS? Do you know Kubernetes? Do you know anything
about Cassandra? Kafka?" I'm like, "What are you talking about?" And it was interesting
because I discovered this whole ecosystem of cloud
environments, et cetera. I mean, that was back in 2017. And I realized that all the tools, all the tricks that worked
in a Windows environment simply did not work on this company. And I'm like, there is
so much stuff to unpack. So I spent the next years
actually leveling up on this. And I thought, hey, that would make for an interesting scenario. Because all these tech companies, I mean, nobody sets up
a new infrastructure. No. They just go to the cloud. All these startups, these scale ups. And I didn't find something
that was really good or really addressing these in
the way that I imagined it. So I just wrote about it. - I mean, so you've covered, this is like cloud, so
breaching the cloud. And like you said, that's so important because a lot of companies
are going that route. And then here you're back to Windows, right? - Yeah, that was Windows. Yeah. - A modern version of Windows
modern systems. Sorry, go on. - Yeah, sorry. I mean, the thing with
technical books is that the minute you release
them, they become obsolete. (melancholic music) And what I want to do, what I
try to do in that latest book, How To Hack Like A Legend, and maybe in any of those books, is that I'm trying to
convey a thought pattern. It's not about the vulnerability itself, it's about the insight that
got the hacker to witness or discover or exploit that vulnerability. So I hope that's what
readers get from these books. I mean, even the modern one, like how to evade the
endpoint detection and response where all the machine learning and stuff. I specifically say, this technique I found while researching the book, or I copied or it worked
when I was doing the book. But basically this is the
steps that I followed. Don't hesitate to follow the same steps, and maybe you could
have a different result. So that was in How To Hack Like A Legend. I think that that summarizes the spirit of the book. - I'm trying to see which book it's in, but in one of your books you talk about how frustrating it is. You love and you hate this industry. - That's the intro of How To
Hack Like A Ghost I believe. - Yeah. So in Hack Like
a Ghost, you said this, the security industry is tricky. I maintain a love-hate
relationship with this field, due in no small part to its
fickle and fleeting nature. You can spend months or
years honing your skills in a particularly area of security, say privilege escalation
and lateral movement using PowerShell. And then only to feel completely useless when you find yourself in a full Linux or macOS environment or in a cloud environment I assume. So that kind of highlights
what you're saying, right? - That was exactly my feeling when I got into that new company in 2017. Exactly. Yeah. That was day one. - So what would your
advice be to young people? Is it just don't give
up hope, just go for it? Because it's changing, but you
have to keep learning, right? - You have to keep learning. Honestly, we can go
different directions here, but for people basically new to the field, they feel so overwhelmed by just the sheer
enormity of all the fields and you have to dig deep in web application network
and system, et cetera. And my advice is usually just
pick one and dive into it. That's it. Pick one, dive into it until you don't like it anymore, or you just feel like your
attention is being captured by something else, and then switch and so on and so forth. And after a couple of years,
you'll get the hang of it. And the effort to level up will no longer be as tremendous and as big because you already have that
thick base going on for you. And yeah, I mean the people that I find are thriving in this industry are people who are hungry to learn. So right now I'm managing a team, security team on the blue team side. And for recruitment purposes, that's the one requirement that I have. I don't care about what
language do you know. I don't care if you know how to program. I don't care if you know
how to write legal policies. I don't care about that. What I do care about is, are you hungry enough to learn? And if you see a problem, will you learn any necessary skill to get that problem solved? If you have those two
skills going for you, it doesn't matter. I mean, you don't know Python? I'm sure you'll pick it
up in two weeks. Let's go. So, yeah. - And it's exactly right. I mean, you can't teach someone to have that fire or that
desire to want to learn. They've got to have it. - Yeah. And that's so important. And that's one of the things, that's one of the traits that I highlight in the book as well. Because as a hacker, you can't possibly cover all technologies. And so, come in front of Kubernetes, you don't know what Kubernetes is. Well, you know what, download it, install it, play with it. See what assumptions people made that you can disprove for instance, or that are not totally
right all the time. And then there you have
it, that's a vulnerability. - I love what you said. I mean you were doing
a lot of Windows stuff, and then suddenly you were
thrown into the cloud. And I'm sure it was
painful in the beginning, like that quote says, but you picked it up and now it's just another skill you have. - Yeah. Like people took
a chance on me honestly. So when I remember that
interview as that guy, he asked me all these questions about all these technologies
that I didn't know. And I said, "Well, look. I don't know. But here are the principles of security that I followed in these other contexts. I didn't know this in that
technology, SAP or whatever. But I leveled up on it. So if you give me a chance, I'll do the same for AWS
and other technologies." And it worked out pretty fine. And somebody's got to give
you a chance, for sure. I was lucky to have that. - But I love what you said there. Because I think the
mistake some people make is when they don't know the answer, they pretend or they
bluff as if they know it. And that's a big mistake. If you don't know, you don't know. You can't know everything. - Yeah. That's something that I probe
for in interviews actually, when I hire people. I would just ask them
questions that, I mean, it's okay if they don't know. And I ask them like,
"How does Docker work?" And then they say, "It's
like virtualization." Really? How does virtualization work? And I'll just probe deeper,
deeper until they give up. And what I'm looking for really is just that, I don't know. Give me five minutes and I'll level up or two weeks or whatever. That's what I'm looking for. And people just start making up stuff. But it's okay to not know. I mean, the interview
game is such a silly game. I just got to ask the difficult question because I got the chance to go first. Like the roles were
reversed, you could ask me a difficult question and I
would be like, "I don't know." So yeah. - Yeah. I really think
it's important to highlight that you can't know everything. And I mean, I'm older and perhaps a lot of people half my age. And as soon as I remember
the old days of learning, just showing my age here, learning Windows NT or Windows
3.11 or whatever, and it's like, as soon
as you know that stuff, then it's replaced. So you can't know everything. - Yeah. And it's okay. It's okay to not know everything. - Now there's something in
your book I want to highlight, and I mean this might be a good place to have a good conversation, is in all your, well not all of them, but a lot of the books you talk about the difference between a pentester and a hacker. Like a pentester or a red teamer, if they get caught, it's like, okay, tomorrow's another
day. Well done blue team. But with a hacker it's not like that. - Yeah. That's a big difference indeed. And so we felt it a lot when
we did penetration testing, is that you don't pay too much
attention to your footprint, you don't pay too much
attention to anything else except the purpose of the mission. So if the assignment
is about replaying this or testing for this and
that threat scenario, like for instance hacking, getting into the CEO's
email box, let's say, we really don't care about anything else, like hiding your IP addresses
using stealthy tool, et cetera, et cetera. Now I say generally we don't care. Some people, some teams
take it to an extreme, and say, "I don't want to be detected. I'm going to replay the whole thing. I'm going to do my own infrastructure." Some people do that, and good on them. But it's not a necessary
requirement to get the job done. That's what I'm saying. And you don't have the luxury of time. I mean a hacker has
unlimited, not unlimited time, but virtually unlimited I would say. And so they can spend so
much time on something. And they're not constrained by a scope. Because usually even
in red team operations, theoretically there's no scope. But the reality is,
usually there's a scope. You should not go beyond that scope. And so all these exercises
make it a very different, all these constraints, sorry,
make it a very different, yeah, it's a different type of exercise. And it's necessary to be
aware of these differences. Especially when you're doing assessments, when you're doing your recommendations, when you're talking with a
client about all this stuff, what do they get from that audit? You must ensure that they are aware that, you didn't find any
vulnerability in these two weeks that you penetrated that
you tested the thing, or that something similar to that. - Yeah. Because you say here a lot of people make the mistake because they, you say
in Hack Like A Legend, you may be a capture-the-flag wizard or you may be the best
ARM reverse engineer. But if you don't take care
of setting up a safe harbor, you may not be busted today, but they're going to maybe
come after you two months or the countdown starts. And you have a big emphasis, I noticed it in all the books, about setting up an infrastructure. So I want to talk about like you mentioned going to
McDonald's or wardriving, you mentioned certain versions of Linux. I want to talk around that. Because I think a lot of people, from what I've read you say here, make the mistake of assuming, "Okay, I'm going to attack
this guy like a red teamer," but then they forget that
they could also be exposed. - Yeah. I just say that
basically in red team, you don't have to sit in a McDonald's just to hide your identity. It's just like, okay, you
may set up an infrastructure with like on AWS or Namecheap et cetera. But you pay for it with your own credit card
or company's credit card. You don't care that much. A hacker basically, or
hacktivist if you will, a journalist or whatever, they have to think about this stuff, and it could get very perilous for them. And so they have to think about what footprint they leave on the internet. But also physically. Because usually what happens is like you follow all these guides and they say, "Connect to Tor. Connect to
like this version of Linux," et cetera and it's good. But if you do it from your
home or your university or something like that, I mean no, you're being vulnerable, you're being exposed. You're one IP address
away from being busted. So there's the physical aspect of it that you should also take care of. And obviously the money. I don't go too much into the money when I talk about in the books purposely. I didn't want to go in
that talk about Zcash and stuff like that because that would be too much. But yeah. There's all these aspects that
people need to be aware of. And I try to cover them in the
most exhaustive way possible in the books, just as a prelude, just to set the context again. And this is what basically it means for a hacker to do their soft business. - So let's talk through that because I mean I think this is going to be a great appetizer for people who are
interested in the books. One of the things you say, and I mean you mentioned right now is you have to be careful
about your physical trail. You want to be truly anonymous. So you mentioned like wardriving. Can you explain what you mean by that? And then let's talk about McDonald's and some of the other options. - Oh yeah. Okay. So it's a very old concept, like maybe from the '90s. You take your car, you go around town
looking for open WiFis. You connect to them and
you do your business. That's basically wardriving. It has evolved to maybe cracking passwords of
weakly protected WiFis. Like if they use some weak encryption like WEP or something like that, or an easily guessable WPA2 password. But that's roughly the scheme of it. - And then you've also
mentioned like WiFi map, right? - Yeah. There are some tools, websites that allow you to just locate
these open WiFi networks. So you don't have to just drive with your antenna
connected to your computer, looking for some public WiFis. You just like, "I'm going to target this one that is in this street, in this city." But then again, you got to be careful of your human nature of going to the same place all the time. Because that creates a pattern. What I would usually
recommend is basically just traveling around, going around cities, going
around different places. You have places with cameras,
places without cameras. You have places with a little
bit of like some cameras, but there are too many people. So it's okay to blend in there. You have to pay attention to this stuff. And sometimes it gets
cold in train stations. - I think this is a great topic because a large part of the audience are interested in hacking
and things about hacking, but a large part of the audience
also interested in privacy. Like you mentioned like journalists or people that want to
hide what they're doing or, I mean there's many
reasons why people do this. So like you would say, go to McDonald's, like go to a train station. But like you mentioned right now, and you mentioned in your book, be careful about the human nature of going to the same place. And also don't go in your
own city type thing, right? - Yeah. I mean when I did
some basically activities that required privacy, I would say, I would go from one place to another. I would have different computer, different sets of logins, be very rigorous about my activity when I was on business
really. That's the thing. Like you can't get sloppy. - And that's why you don't
do it at home. Sorry. Go on. - Yeah. And that means,
you don't do it at home. It also means that if you book three, four
hours to do your business, then you can't go around
checking your personal emails or "I'm curious if that person
responded on Facebook." You can't do that. You need to be rigorous. You need to be like very
methodological and very rigorous. Yeah. So that's important. - Okay. So physically you
are going to do wardriving or go to McDonald's or go somewhere. And then you've mentioned also in your Ultimate Guide For Being Anonymous, and I see there's some
correlation between these, like people make the mistake
that they're just going to use, and I won't mention names,
but XYZ VPN, and I'll be safe. - Yeah. Oh my god. There's a lot of debate about
VPNs on Twitter, all the time. Basically VPNs have been touted
as the most anonymous thing. And they're like, "If you want
to be anonymous, use a VPN." People got tired of that, I would say. And then they started to say the opposite, "VPNs are worthless, are useless." And unfortunately, like
all extreme positions, neither are really true. You need to reason
about your threat model. Who are you protecting against? These are the two most important... There are two important
questions in security. Who are you protecting against?
What are you protecting? If you try to answer who
you're protecting against. Like let's say I'm a journalist,
I don't care about, like, let's say I might care about ad trackers because ad trackers get
ultimately affiliated exploited by governmental
agencies, and stuff like that. And so I would go to certain extremes. So a VPN is not good enough. I would go to certain extremes
like physical security, I would go like a VPN, I would go to a rebound
server after that VPN, another rebound server after that. So I would chain multiple layers, that way even if one gives up, it's okay, it's not dramatic. But as a personal, let's say citizen that I just don't want to be tracked by ad trackers or something. I would just use... - Google. Yeah. - ... Google or Facebook or whatever. I would just use a VPN in combination with Brave, for instance. That would be enough. Because a lot of these ad
trackers, they just base, some of them are very
advanced like Facebook, but a lot of them are just a
combination of the user agent in the IP address. So if I get these two
different every time, I'm good. And that's the setup that I use at home. I'm always connected to a
VPN. I always have Brave. I have some extensions
that personal extensions, private extensions that randomize some attributes of the browser, and I have some add-ons. That's it. - So just for everyone who's watching, we are not getting an affiliate fee. This is just our opinions
or Sparc Flow's opinion. Sparc Flow, in your book you
mentioned AirVPN and Proton VPN. I've seen those two, AirVPN specifically, in a few of your books. Is that still your
personal recommendation? Let's say I want to stop
ads, or is it Proton VPN? Do you have any sort
of recommendations or? Because there's a thousand out there. There's millions of dollars
are spent on marketing. So what's your advice? - Honestly, I personally like Proton VPN. It's good. It's okay. It works well. It works across platforms. And so for my personal needs, for my threat model, and my threat model doesn't
include the NSA going after me. - Yes. - Right? So my threat model is simply like ad trackers that annoy the hell out of me. For this kind of threat, it's okay to use Proton VPN plus uBlock Origin, Privacy Badger, and honestly Brave, and that keeps me going. Yeah. I'm just saying if the threat changes, I'll consider something else. But for now it's okay. - Yeah. I think it's important
what you've mentioned because like what's the threat. If it's just ads from like Google, Facebook tracking you, whatever, then these tools that
you've mentioned are fine. So if someone just is at the level of, okay, I just want to stop
Google, I'm at a home, I'm not going to go sit in a cold train station somewhere and try and like hide my identity then Brave, Proton VPN, and these others, which I'll list below, are great. Go on. - Yeah. They're great. But then again, if you still use Gmail because
no other email provider is good enough, I mean that's why it's
hard to draw the line. I mean I'm not afraid of let's say, because look, I've experimented with other search engines, I've experimented with a lot of emails. And I tried to get away from Google. But honestly, Google search is still good. Gmail is still the best. And I've tried to pay for other services, and I couldn't find something
that I really, really liked. And my default is DuckDuckGo, and when I can't find
the answer that I want, I switch to Google. So yeah. - Yeah. It's interesting because I mean Brave have their browser, their search engine now. But I'm in the same boat as you. There's controversy about DuckDuckGo or being a bit of controversy. And like Brave's okay, but it's like frustrating, because Google knows me so well and knows what I'm looking for. - Yeah. There's some power to customization. And of course, yeah. - Okay. So let's take
it to the next level. Okay. So I want to like hide. And in your book you talk about this fact that it's different, hacking totally different to red teaming because the person that you're up against might come after you. So then you go, that's when you go wardriving
or you go McDonald's, whatever. Then you mention Linux. And I believe you got two
flavors of Linux that you like. - Yeah, I like Tails. I mentioned UX as well. But Tails is good. And the idea is, you have
to operate in layers. So you have your physical
layer that is probably set up different from where you
are, from where you work, et cetera. So it can tie that back to you. And then you have the system protection, you have the network protection. So the system protection is indeed like which operating system do you use? Does it store data on the hard drive? Like if they capture that hard drive, are you in trouble? And basically, it's
always the same question. If a layer gives up, are you in trouble and how
much trouble are you in? And it's funny because
it's the same approach we use in defense, same thing. You stack protection, detection. If this gives up, am I in
trouble? And so on and so forth. So it's really the same thing. And yeah, like Tails, I mean get a USB key, put it on the computer, and then it boots everything from memory and it keeps everything from memory. And so if something comes up, you just remove the USB key and that's it. - So for people who
don't know about Tails, the idea is it's all in RAM or memory. If something goes wrong, the
power is lost, it's all gone. Right? - Exactly. So in the operating
system, a Linux flavor, you just put it preloaded on the USB key, and then you just plug it in, and you connect to this like ephemeral environment I would say. And then from that ephemeral environment, you connect to your actual
bouncing server, I would say. So that gateway that will
allow you to access different other servers where your tools reside because you need some
persistence of tools, you need some persistence of
your data that you collect. And so from that ephemeral environment, that machine, you connect to a bouncing server, and from those bouncing servers, you rebound across the
planet to other servers where you can store information. - And I want to talk
about the infrastructures. I just want to cover the basis
of like, what am I doing? Because I think a lot of people watching will be really interested in this. So laptop, you take a laptop with you, you go somewhere that's not at home, then you use Tails because it's ephemeral. As soon as the power's lost, it's gone. You mentioned Tor in the book, and I forgot to ask about that. So the VPN that you'd be
using, would it be Tor, would it be like one of
these other VPNs on Tails or is there something else that you do? - Either a VPN or Tor. I don't have a strong opinion, because either way, if you're up against a federal agency in the US, I would say, I don't think either of them
would really protect you. Here you have to rely on not
pissing off federal agencies, or if you do, to not be in the US. Because and this anonymity thing is also about decreasing the likelihood of raising your value
in their eyes as well. Because if you hack bank A, B, C, D and you get like 800 million in total, I mean you're a big target. They can justify spending
time chasing you, and money chasing you. But if you can somehow mislead them and decorrelate the attacks, you are suddenly much less valuable. Like the person that hacked Uber, I don't know if it's the same
person that hacked GTA 6. I would advise against that because so then suddenly you're this person that actually
hacked two big companies. So yeah. - I don't have it right with me now, but I remember in one of the books, you said something along the lines, you don't want to let an analyst try and like work out who you are and leave trail of who you are. Because then they might
want to come after you and give you like a fancy name,
like Fancy Bear or something. Is that right? - Yeah. Something like that. Because I was a digital
forensic investigator. It's actually my first professional job. And when we were like researching, investigating these incidents, I mean if you get a lead
that matches another lead, oh my god, it's ecstatic. It's like all those hours
are suddenly justified and you have this boost of energy that justifies going even further. I mean, it's so cathartic that yeah, we should avoid giving
people that kind of feeling. - And that's why you've got Tails, and you go from different places so you're not leaving like
sort of falling into that trap of doing things the same
way over and over. Right? - Yeah, exactly. That's why you need to rechange, change your environment every time, and make sure that it's very different. You don't work on this, like you don't use the same
tricks or the same Tails, I would say, Tails. No. Was it? You don't use the same... - Tricks to play? - Physical or tricks. Yeah. You don't use the same tricks
on the multiple targets. Yeah. - And I mean I believe you've got some controversial opinions. So please feel free to go for it. But like you mentioned Chromebooks. On Chromebooks, good? - No. Nothing that... No. I mean, again, it depends. What's your threat level? Who
are you protecting against? Because in a company, I would say, if you're protection
against outside attackers, that is not Google, I mean, it's okay. Chromebooks are excellent. But if you're going to, I want to be like protected against tracking and stuff like that. No, I mean obviously not. It's not good. So, again, it really boils down to who you're protecting against,
what are you protecting. - Okay. So I've got a laptop, I've decided to go to McDonald's. I'm using Tails, I've got a VPN let's say or TOR. And you mentioned this
concept of a bouncing server. Can you explain what that is, and then explain a bit about the infrastructure that you would spin up? - Yeah. So all this is, here's the thing. The whole thing about the
infrastructure came up on this specific book, How To Hack Like A Ghost, is so detailed because I
wanted to let the reader experience what these
infrastructure administrators go through when they set
up their own systems. Because there's some interesting concepts that you can borrow and use
them in the security field. For instance, there's this concepts of immutable infrastructure
in the sense that, if you spawn a server,
you don't change it, you don't change its configuration. It stays there until it dies. And if you want to change something, like upgrade it or do something else, you spawn another server. You need to automate that. And so I use that in
the concept of security by saying, if it's easy to automate the creation and instruction of servers, then you can have the luxury of having dedicated servers per target. Because it's so easy
to manage 100 servers, it's so easy to spawn 100 servers. That's why I went into
so much details about the automation, terraform,
and all these other tools, containers and all these other tools. And now the idea is, you're on your computer. So you access these first
layer of servers, I would say. And then from these servers, you go to different servers according to which type
of operation you're doing. Are you doing phishing, are
you doing reverse shell, are you doing Nmap scan
or something like that? Are you doing it on target A,
are you doing it on target B? And so that's the idea, to have this kind of
infrastructure for attack that is easily configurable. - In the Hack Like A Legend, you kind of bold in this it seems, and correct me if I'm wrong, but like you've got the target, and then you've got a frontline server, and that's attacking the
actual target, right? - Yeah. - And can you just like give us an overview of how they work? So I've got a target, and then I've got server that's, you've done something within the cloud that's attacking, right? And then behind that
you've got something else. Is that right? - Yeah. Exactly. But basically you don't
want to attack your target from TOR or from the VPN. Because then, the IP
address of TOR and the VPN, would get leaked in the
logs of that company. And so then suddenly the
network layer is down. Like there's one layer of
protection that you use that is suddenly worthless. And so if you can imagine that they would hack it or crack it or legally challenge something like that, they can get back to you. And so the idea is to
add another layer simply, and that other layer would be a server. So instead of you attacking from TOR, you connect through TOR or a VPN, to a server X frontline server. And that frontline server actually interacts with the target. And so if the IP of the frontline server is on the logs of the company,
that's the rough idea. And the idea is basically, you want to have a server per function. So for instance, if you start
scanning from that server and that server gets down and in parallel you're
doing a phishing campaign, well then you want to
have two servers separate. Because if your scanning gets detected and they block that IP, you don't want that to impact
your phishing campaign. And so that's the idea of
modularity and resilience, that you must have also
on the attacker side. - And you also have your
command and control servers in the cloud as well, right? And they're controlling all these devices. - They're controlling the
devices that get pwned inside the company. And the idea is, Again, I just give the blueprint
and the thought pattern, but you can extend it. Like you can say for instance, I did phishing campaign, and I hacked a couple of workstations. So I'm going to make
them report to server A, they're going to contact that server A. And then I can execute
commands to that server A. But then I spent some time
hacking other servers, and it was difficult. I secured these servers, I
hacked them, I got inside. Should I make them report
to that server A as well? Well, it was so difficult
to get into them. Now if an analyst just busts one of the workstations that you hacked, suddenly you lose this privileged access that you got on the
server. So that's not good. So I will make the report to a server B independent of server A. And that way you can keep some resiliency. Even if you lose one way into the company, you have other ways. So that's the idea,
that's general concept. - So I mean you've also got redirects that sits between the phishing attack
server command and control and the target, right? - Yeah. Again, it's just
the same concept applied ad nauseum, I would say. Basically when the company, when you set up that command and control, so it's a Meta's ploy tool or Empire or Covenant, or what have you. So it's a tool that controls all these zombie machines, I would say. Do you want to configure
that tool 36 times? Probably not. So either you automate the configuration of that tool 36 times. I mean you can do that. Or what you can do is configure it once and then place in front
of it multiple servers, and that way, and you would
do these kind of redirections. So target A will go
through the redirection A and go into that framework. Target B will go through that. And then you have one console
to manage all these machines. But they the company, the different targets have the impression that they're communicating
with different machines. And they are. But behind the back
it's really one console. So that's... Yeah. - I love that because I think, I'm not sure if you mention in your book or it's just me and my team discussing it, the problem with a lot of other books is they just go straight into the hacking, but they don't show you any of this stuff. And you make a big emphasis right in the beginning of your books, like cover your tracks. - Again, like a lot of the other books are simply a list of vulnerabilities and simply a list of stuff like techniques that are very good. I mean, you need that. You need to absorb those facts. But those facts are not
rooted in a context. And so the idea of these books is really to give you the full context. I mean this is what goes
in the mind of a hacker, the fear, the frustration, the joy, the anticipation, apprehension. So you actually feel it and you can understand some
more like how they operate. And it demystifies the
whole thing, I believe. - I love it. I mean it's brilliant how you've explained it. And I love the way that you shared a bit of your
frustration like learning. Because I think a lot of
people who are beginning will feel that frustration. Like, it's impossible
to learn all this stuff. And it's only guys like
you who know everything. But I'm glad that you shared, you went for that frustration
of going from say, Windows to a cloud environment. But it's important to do this. I mean, I think it's good
from a privacy point of view because a lot of people
interested in privacy, like I said. And the difference between
red teaming and hacking, I'm glad you've highlighted that. And let's get something
else controversial. In your Hack Like A Ghost, you've got here something about CTFs or I'm using puzzles. Want to talk about that? - Oh my God. Yeah. You want to go... - We've got to have something
controversial. Come on. So what's the difference between
CTFs and like real world? - Oh my God. So I wrote a
book, an article about this. So I did a lot of CTFs. I loved them. And I did them on the side, I did them before actually doing my job. But the thing is a CTF, if
it's really, really good, it depends on the goal of the CTF. If the goal of the CTF
is to emulate real life, it will not look like it
looks right now really. A lot of them are based on guessing, A lot of them are based on
exaggerated flaws or mistakes that are made by people. And so that's what I don't like. But maybe I just encountered
like really bad CTFs, that being said. But I've seen some videos
of IppSec, for instance. He has a YouTube channel, and he does all these hack the box, solves them. Those are great. I love those. Those are great. I mean, you don't have to guess, there's not that much guessing going on. Like it's really about
piecing the puzzles. But it's a lot of CTFs, they're just lazy. They just like, you have to guess that this thing is like that. And there's no basis of getting or justification for
getting to that guess. So that's what I dislike about it. But that's it really. And yeah, in nature it's not the same. I mean it's like you're solving a puzzle, whereas there, you get in the mind of the person who designed it. And they designed it, not to annoy you. They designed it because they had real constraints in the real world. I mean, managing systems
is tough, is really tough. And so you got to make
sacrifices, you got to make... Things not work out exactly like you thought they would. And bam, you have a vulnerability. And so getting there is not
simply a matter of guessing, it's actually getting into the
shoes of the person designing that system, and then finding what wrong
assumptions they made. That's the main difference. And that's why I ranted about it. - No. I mean, it's good. What I really like
about what you said now, is that you said, okay, this is the problem with them. But then you mentioned IppSec, as a good YouTuber to go and look at. Any other, like CTF... Again, a lot of people watching might be new to the industry, and then they get swept up
and like, where do I go? So I'll put these links below. Those are good ones to watch. Right? Any other like sort of YouTube channels or like places like articles? Like you said you wrote about some stuff. Is there any places that you can recommend people would go to if
they want to do CTFs? Or how do you get hands on experience? That's a problem? - Oh yeah. Okay. Well, I can tell, I can share the story of how I did it. - That'd be great. Yeah. - Yeah. That might be
suitable for everybody. But so basically I got out of school after years of advanced math and physics, and I wanted this university that was doing cybersecurity. So that was long time ago, dozen a year ago or something like that. But then I came to this university. And at the end, like, no, cyber
security is only six months, at the end of those three years. I'm like, "Shit." So I skipped 60% of school. And I just got books and
read them, articles, blogs. And I started by learning
about the systems. So web server, SQL, programming languages,
C, C++, PHP, Python. All this kind. So basically I viewed security as a layer that is put on top of these systems. So you need to understand the
systems, the network first. So that's what I did. So I spent nine months doing just that. And for the hands-on
experience, is simple. Like, I would read something about, I remember I read book about
the Linux Kernel structure, literally like you had structures
for five pages going on. It's crazy, crazy book. And then I was just like, "Hey,
let look at the source code. Let me download an old
version. Let me set up this, let me set up that. Oh,
I'm reading about SQL. Let me set up a my SQL
server and play with it. Let's see." And then after those nine months, I started taking books about securities. So Contract Hack Reloaded,
Art Of Intrusion, I started reading flac articles. I started watching Def Con
conferences, Black hat. And every time I would see something, I would just take it, download it, and try to play it in a
safe environment, in my box. And that's literally how it went. And then I started doing some CTFs. I liked it in the beginning. But at some point after I started working, I was like, "Oh man,
this does not look like what I've seen in that CTF." And so that's the journey that I took. - The best way to learn this
stuff is to understand it. And I think that's why people
who have lots of experience, it's not a stretch to learn
something else like you did because you've just got all
that foundational knowledge. - Yeah. And the idea is that
afterwards, like for instance, I see a new Explorer
or something like that, I don't start from scratch, because I already have this space. And it just like takes me 10 minutes to... I just like scroll and, "Oh,
I see what he did there, let's move on." So keeping up does not require that big of an investment in time. - So I'm an old guy, but it's amazing. The world just keeps reinventing stuff. So if you've learned technology, just building and building, it makes it so much easier
to learn newer stuff. - Okay. So the best example is Kubernetes. I mean, it looks like a really scary technological component. But at the end, at the root of it, when you really dig into it, it's just a combination
of containers, capability, Linux capabilities, and IP tables. So yeah. - So let me jump on that. If I'm new or I'm starting
out end of 2022 or 2023, what advice would you give, say your younger self or someone
like me, if I was starting. I wish it was me, but let's say it was someone young. What should I focus on? Do you have any sort of recommendations from your experience? I mean, you've given us
like the journey you took. But like if you were starting over, try not make the same mistakes, what would you advise me to do? - Don't be intimidated by stuff. I mean, yeah, it looks like
everything is unreachable. It looks like everything
will require a lot of work. But there's really
something unique about time and the exponential nature of it. Like it compounds. Knowledge that you gather, compounds. And what happens is
basically as a young person, you fail to account for that. You just do a linear
progression of your skills. But the truth is, it's
an exponential thing. And so it's very hard for humans to grasp the power of like compounding. You got to bet on that. And so, yeah, read an article today. Read an article the next day. And then continue. And consistency is key, in
anything really, in any skill. Just make it a habit to read
something about security, or do something about security every day, like 10 minutes, 15 minutes, 30 minutes. And if you enjoy it,
increase it to 45 minutes and keep going. But any technology that
seems daunting, give it a go. If it's too daunting, dial it down and focus on a subset of it. So I'm going to take Kubernetes. So if you take Kubernetes, the documentation is horrible. It does not explain what it does. It starts with, at the time when I read it,
it was like about mechanical, like analogies with mechanicals. And I'm like, what are you talking about? Like, just explain to me
what do you do simply. But no. There were like
all these metaphors about how they came up with their idea and how great they are now. So anyway. And so I had really a
lot of trouble with it. I'm like, okay, well Kubernetes is what? Container orchestration, apparently. I see this stuff coming up a lot. So you know what, I'm going
to focus on a container. Okay. What's a container? Oh, you have LXC, you have
container of the year. I'm going to choose one. What's the most famous one? Docker. Okay, let's go. What do I need? A Linux machine? Okay, let's start. Docker. Google, YouTube. There's a great talk about, I think I link to it in the Hack, like it goes that deconstructs stalker. And yeah, that gives you the foundation. And let's say you deconstruct Docker, and like the guy starts talking or the person starts
talking about capabilities, Linux and stuff. I don't know Linux. You know what, let me take a book on about
Linux or something like that, or see a conference, get enough. And it's okay if I still don't know
anything about Kubernetes. I will in time, but at least I know something about Linux and containers now. That's the idea. - I love that. And I
think it's human nature, especially perhaps when you're younger that you want everything, I want it now. But it doesn't always work that way. I love the what you said
with the exponential. You build. And I find just like you said, the longer you spend on something, the quicker you're learning that thing, and the more you can learn. - Yeah. Because anyway, the
learning does when you sleep. I was reading these books about sleeping and why it is important to sleep. And the neural pathways
really form and get cleaned up when you sleep. And so you're not going
to get it now anyway because anyway, it needs to move from the hippocampus area to
the long term memories. So you need sleep anyway. So that helps. Yeah. - Any hot technologies that
you think I should look at? Like, is there any way that I can, ride is the kind of term I like to use? Or if you were starting like today, what would you focus on? - Like How To Hack Like A Ghost, I wrote it in part because I've seen
everybody focus on Windows for such a long time. And it's because these
consultancy companies, they get hired by big corporations, Fortune 500 that don't
have the skills internally. And these folks have Windows, right? And so a lot of the talks,
a lot of the like Def Con, black hat, all these good conferences, they focus on Windows. And unfortunately I don't see so much stuff going on in the cloud. I don't see so much stuff going on on AWS. Like AWS, like the new Gartner was out. And it's again the leader in the market. And Microsoft tries to do
something in the cloud, but it's not as good, it's not as secure, and it's not as professional, I would say. Like right now, if I was speaking to somebody who was just starting security, I was like, "Your resume looks good. But I want to see more cloud. If you want to work with us, like scale up kind of thing,
I want to see more cloud, I want to see more containers,
I want to see more." That's really what I would advise people. But if you want to work for a
big company that has Windows and you want to work in that environment, of course, like go Asia, go Windows, go... But just determine what gets you off. And oh, if you want to go with mainframes, please go ahead. I mean, there's enough room for
you and enough pay for that. I mean it's a fantastic world. - Yeah. I think you hit
it on the head there. It's in life, you've got
to do what you enjoy, as much as you can. And if you prefer Windows, then do that. If you prefer mainframes, then do that. Find what excites you. Because your career isn't six months. - Yeah, exactly. And I mean the frustration thing with like young people starting out, they're like, "Oh, I don't
know what I want to do. I don't know what my passion
is." Well, try something. Here's a thought. I mean, try something. If you don't like it, you don't like it, but at least give it a try. I tried doing sailing. I didn't like it. It was just too much trouble. But then I tried other
hobbies, and I got into it. I tried doing hardware hacking. I'm so bad at hardware hacking by the way. It was not for me. I was like, that's it. And I'm okay with that.
At least I tried it. I have my own opinions. And
I moved on to something else. Yeah. - Yeah. I love that. I mean, it's so vast. You can become an expert,
just like you were saying, you were expert in say Windows, and then you had to like
relearn for the cloud. You could do the same with hardware. There's so many areas, and the field is so vast
and so many opportunities. Did you want to talk more about that? I'm going to talk a
little bit about email, and then we'll wrap it up. - I want to talk about an
important skill to have. A lot of people, they focus
on the cybersecurity thing and they go all the way down like hacking, security reverse, et cetera. But the thing is, there are other skills
that make you more valuable on the market. And these skills are like
about software design, software architecture,
distributor computing, all this kind of stuff. And it's very good. Go... It's like a T, you can imagine like you go
deep down on another subject. But if you have a thick T on the sides, you can be very, very valuable. And not enough security people talk about this peripheral
thing that you can go into. There was one guy, I think Halvar Flake that went from security to optimization. I was like, that's a very good move. You have this guy that's
very expert in security, and now that's very expert in performance and optimization. And it also makes your
recommendations more valuable as a pentester. So it's easy to say, oh just
do that. Just patch systems. No, it's not easy. - Yeah. Exactly. - Shut up. No, it's not easy. Patching breaks stuff,
because vendors are lazy because there's no accountability, because they just ship stuff. Like versioning is not a thing that is... I've upgraded once a system from a minor version of a system that should be 100 percent compatible. It broke the whole production. And so what is more really critical, this risk of unavailability
from a broken patch, or the risk of that
excess S being exploited? That's a real trade off
that has to be done. And you need to be kind of an expert knowing how to do patch and knowing how to do stuff. So yeah, it gives you more
credibility in the field if you actually know all this other stuff related to the computer science world. Yeah. That's the tangent I would say. - No. I think let's talk about that. Are there any specific skill sets or any like areas you think or any certs? Or how do I get that knowledge? Like you said, it's important. What do I do? - So I've seen a lot of security people are very good at scripting. They don't take the time to
be really good developers or really good software
architects, people or designers or something like that. And these are interesting skills. Or just get into the
production environment. I mean, try to run machines, try to ensure their availability. Solving these simple
questions is not easy. Patching, firewall rules, et
cetera, it's not that easy. That's what I was thinking mostly about. - So would you say they need to spend time on the blue team or at
least just before you... Don't just be like red team slash hacking. You need to spend some time like learning what actually happens day to day. - Yeah. In the production environment. I mean you don't need to, but it makes you valuable
in the market, I would say. There's an interesting book called Designing Data Intensive Applications that gives you, for instance, all these databases and how they work and how indexes work and how you reach consensus
through some protocols like craft protocol, et cetera. And incidentally, that's
been used by Kubernetes like ETCD database that's
been used by Kubernetes, et cetera. And it makes you more credible again when you talk about this stuff. Like when you say, "I don't
know, let's take that one. I want to filter outgoing traffic from all my applications." I mean that's a recommendation
that is often made by a lot of security experts. Why don't you just filter all
the traffic that is going out of your servers? That's easy. A server does not make a connection. It usually receives one.
Why don't you filter? Well, it's not that simple. You have like plethora of
providers that you need to handle. How do you handle change
management in that time? Like, I'm a developer, I
want to introduce a feature. Now I need to wait for you
to whitelist that stuff. And how can I test it and understand that the error that I
get is really related to a filtering rule that I forgot
and something like that? So there's really that whole ecosystem of how can you properly
put security in place? And for that to work, you need to understand all these facets of the computer security world, computer world, sorry,
outside of computer security. And that's why a lot of
security filtering companies, really security stays
in their corner. Yeah. - Yeah. I think it's valid. Because, I mean, it's easy
to say just do this, do that. But if you don't
understand the consequences of what you're actually asking. I interviewed Tanya who she acts purple. And she was complaining
about redteamers or hackers coming in and like a obliterating
the code of developers and then saying, "Oh you need to fix it." And it's like, do you understand what you're asking that developer to do? - It's so 100 percent right. In my team, we have a philosophy is, you cannot point a vulnerability if you're not part of the
team that is fixing it. I don't care. You say, but you need to learn how skill? Yeah, go two weeks. There you go. You need to learn how to test
an application? I don't care. Make it happen. But yeah, she's 100 percent right. Indeed. It's so easy to write a
one-line doc recommendation that says implement this
kind of countermeasure. It's very hard to actually
implement it, test it, do the quality assurance test, understand the business impacts of it all. And the productivity loss
that may happen from employees having to do that extra
step in order to comply with that security requirement. So is it really worth it? I don't know, but you
need to figure that out. - But if I understand you correctly, and you may correct me if I'm wrong, if I take the time to understand that, I suddenly become much
more valuable to a company. Because just to point out a problem doesn't really help me as a company. I need to know how to fix it, and impact the business, right? - Exactly. That's why a lot of security fails. It's because it's, they're
in this audit mode. I'm going to audit stuff,
I'm going to hack stuff. Because security is really
rooted in that hacking mindset. So I'm going to point stuff,
I'm going to do my job, and I'm going to point
all the vulnerabilities that plague the company. Yeah. That has zero value. Sorry to say. You need to fix stuff. You need to help fix stuff. Otherwise, you're just a guy
shouting from the sidelines, and that's not good. - So do you see in the coming years that it changes from like becoming purple rather than like red and blue? Do you think it's going that way, or is that something that needs to happen? - So I'm currently
writing a book about it. - Good. Yeah. I saw you on Twitter,
you wrote about a book. Can you tell us more about what's coming? - Oh my god. It's the
first time I talk about it. Basically it's the story
of a security engineer that joins a company. And it's about destroying all these myths in the security world, that you need user awareness, that somehow user awareness is effective. I'm saying this in the user
cybersecurity awareness month. So take that. So the idea that user
awareness is the magical bullet that everybody's been waiting for. No, it's not. It's useless. Let's move on. The idea that it's easy to do this kind of patching this kind of stuff. The idea that TLS vulnerabilities are such an important thing. No, it's not. As a company, it's not. I don't care. So all this kind of stuff. And I just put it all in context, and I blurt out all these
controversial takes. And I mean, the ISO 27 K, don't
bother me with these norms. I don't care. So all this kind of stuff. And it's made in contrary
to the other books. Like the other books were just like the reader and the hacker. Here is the reader, the security engineer, and the ecosystem of a company. So you have the compliance
officer, you have the CTO, you have the unfriendly developer who doesn't want to touch their code, you have the friendly guy. So yeah, it was challenging to write. It took me a year and a
half or something like that. But yeah. - It's important that
you're highlighting this. And I think what I really liked, one of the things, I
mean there's many things, but one of the things I really liked about the books that I've got here, is you make this point
that it's fine to hack, but then they could come after you. You've got a bold this stuff. And a lot of other books
don't talk about it. And I think you're highlighting again, another problem that
needs to be addressed. - Yeah. In the security enterprise world. Yeah. I have a lot of build up frustration about a lot of stuff that I see and read. And I mean, as I started
writing this sub stack just to shout and just to like let it out. So yeah, we'll see. - We're looking forward to that book. Any sort of ETA of when it'll be released? - Probably by end of the year.
- Oh, so it's not that long. So end of 2022, right? - Yeah. - Sparc Flow, I really want to thank you for sharing your knowledge and experience, especially with people who
are new to the industry, and encouraging people who
are new not to give up, and giving them some ideas
and things to think about. Before we wrap up, is there anything else you want to share or talk about? - No. I think we covered it, pretty much. Thank you very much for
the insightful questions. Yeah. Really loved it. Thank you. - No. Thanks so much for taking the time. And hopefully we can get you back. Maybe when your next book gets released, you can come and rant. I love rants. So come and rant about it, and why it's so important that everyone read it. Sparc Flow, thanks so much. - Thank you very much. (light contemporary music)