Dan Miessler Talks About Recon/Automation, Seclists, Certifications, Mental Health & More!

Captions
[Music]

Yo, what's going on, chat? We have another guest today. I think this has been one of the most requested, most anticipated, and also one of the most exciting interviews, for me at least, uh, given the fact that we talked about, um, SecLists a lot. But before I get started, let me know in the chat if you can hear me. Um, again, I'm using a new setup. I'm not really used to this, uh, new setup that I have, so let me know if you can hear me in the chat. Let me know if you can hear me, they can see me properly, and let me know if you're excited about this guest. If you're not familiar, Dan is the man. He has an awesome GitHub repo that a lot of you may already be familiar with. If you're not familiar with SecLists, I highly recommend going to GitHub, looking for SecLists. Um, SecLists is probably the biggest word list you can come across. So if you're not familiar with it, Dan has put this together years and years ago. I'm not gonna, you know, talk about it too much, but I'll let him explain it. Um, but Dan has put this together years and years ago, and the point of this repo is that he, uh, pretty much collected a lot of data on different stacks, um, different software, different, uh, anything you can think of, he has some data on it. But we'll talk about it a little bit when I bring him on.

Um, quick few announcements. If you're new to this stream, I'm here every Sunday. I'm going to be going back to my regular streaming schedule here in a few days. I'm taking it day by day. I want to, I don't want to jump into it and get burnt out again. But if you're not familiar with my streams, I'm on here every Sunday. I have a guest that comes on. I either interview him, like today, uh, with Dan, which I'll bring him on in the next few minutes, or I do some live recon myself, or I bring a friend of mine who can help me with live recon. So if you haven't seen the previous ones, you can go on YouTube. All of the, uh, interviews go on YouTube. The live recon doesn't, because if we find something sensitive, I don't want it to go on YouTube. We
haven't done it yet, but it's just to be a little cautious. If you are new to bug bounty hunting or new to the stream, kick back, relax, and, if someone said they want to do bottomless mimosas, grab your drink of choice, grab some snacks. This is just an interview. I try to do the interviews in a way that everybody, whether you're new or you are a bug bounty vet, veteran, you can also enjoy the show.

Um, what else? As of last week, I also mentioned that top donors and top, um, subscribers, will be subscribers, bits, and donors, will receive a one-on-one session with me for 30 minutes. So if you are one of the people that's regularly gifting stuff, I appreciate you. Um, you're going to get it when I want to share with me, uh, egg, ryan f, delete, and I think somebody else, I don't see your name anymore, but thank you so much for those subs. I really, really appreciate it. Um, last but not least, make sure you're on Discord. If you want to come hang out with the homies, we are all on Discord, so go on there, um, join us. All right, enough talking about me. Let's get this chat hyped up, and I am going to bring on Dan here in just a few seconds, but I need you guys to get loud, spam some emotes, uh, hype up the chat, and then we'll bring on our guest. "What about channel points for one on one?" I'm working on it. It's kind of complicated, as zero kill is also saying it, but I promise I'm working on something. I'll make it work eventually. All right, should we bring on, bring him on? You guys ready? All right, let's add him to the stream. There you go, you're on, my friend. How you doing?

Hey, how's it going?

I'm doing good. Chat, let me know if you can hear Dan. Um, I'm not going to do an introduction for you because I feel like I wouldn't do it justice. Um, tell me, man, who are you? People that don't know you for some reason, who are you, what do you do, and how long have you been in infosec?

Um, so I've been in infosec for about, uh, 20 years, actually, I guess 21, 22, something like that, but started right at the very, very end of the 90s and, um, started
off as like a general infosec practitioner, like IDS, firewalls, all that kind of stuff, and then went right into offensive security right after that, first on the network side, um, and then into the application side, and then transitioned pretty quickly into a lot of advisory and consulting stuff. And I've basically always kept this OSINT recon stuff going the whole time. Uh, it's been like a constant thread through the career, I feel like.

Um, so for people that are watching this and aren't familiar with you, I think you don't do bug bounties, right?

No, no, not usually.

But you have done a lot of work that's being used in bug bounties and, um, like the offensive security area, right?

Yeah, so I, excuse me, I essentially do the same exact stuff as bug bounties, because I'm using it for other processes, usually either in like a red team capacity or in a blue team capacity. So I'm basically trying to... the thing I'm absolutely obsessed with is not being surprised. So I love the idea of, of, um, essentially, when you're looking at a site, if you have a site that you really cared about, whether it's yours and you're trying to defend it, or you have someone, a friend's site or something, and you just want to make sure that they're somewhat safe, like, I just want to put in all the things that I want to know about that site and have them run continuously. I want to have them run continuously so that, um, if they pop up, I'm notified immediately and I can go check it out before someone else does, right? And of course that's the same exact methodology as, like, you know, uh, bounty. In that case, you're trying to get there before someone else gets the bug. But to me it's really the same. It's like, how many ways can you interrogate a different, a given site and, uh, get the answers back continuously?

You said something about, um, red team and blue team. Um, what's your experience like as far as like red teaming and blue teaming goes?

Um, so I'm pretty much always kind of in both camps, doing that for, for companies, um, essentially building
programs, so like building programs, red team programs, or building blue team programs. Um, but mostly it's just running automation, honestly, that just keeps going. And this is mostly on the web side, not on the, uh, netsec side. I haven't really done too much netsec stuff in a while because I've been really focused on, uh, basically recon and OSINT.

So someone that's new to OSINT, what's your, uh, what's your biggest advice? Where do I start?

So my biggest advice is to be very clear about the questions that you wish you had answers to about a given, a given, um, target, and don't think at all about tech when you first start. When you start thinking about a target, just make a giant list of everything you want to know. And, um, so, uh, a friend of mine, Jason, Jason Haddix, we think very similarly along these lines. It's like methodology first, right, yeah, and for me that's questions first. It's like, what are all the things that I want to know? And you basically whiteboard that out, things you basically whiteboard that out, and make sure that's solid. And then what I do is I go and just find the best tools of the time to match to that. If nothing exists, so you write your own tool. Um, and then, importantly, you can swap those things in and out based on the performance that you're getting, right? Like, I've seen several tools, um, like Amass is one for me, where I was heavy into it, yeah, I would get a, I would get away from it for months, and then they come out with a new release, I would be back into it for months, and it would just sort of oscillate, right? So it's really important to me that you have the set of questions, which makes up the methodology, and then you just move tools in and out of that system to have the best performance or the best results. And oftentimes what I'll do is run multiple and concatenate them all together, or I'll, I'll find the best one and just, uh, just use that one.

So we'll, we'll come back. So I think, I think there's a lot here to unpack and talk about. Uh, we'll come back to it in
just a bit. Um, I want to kind of understand about your background a little bit, uh, before we jump into, before we jump into the, uh, technical aspects of hacking and that kind of stuff. Um, how did you get into hacking? What, you said you've been in infosec for 20 to 21 year, uh, 20 to 21 years. What, how did you get into it 20 years ago? How did you hear about infosec? What got you to go, "Oh, hacking, like, I want to do that"? How did that start?

There was that, it was actually in a university. Um, it was during like Code Red and all kinds of crazy worms. Um, and the university network in Georgia where I happened to be, I'm from, from the Bay Area in California, but I was in Georgia because the military, when I got out I went to college in Georgia, and the, uh, the way the university was set up was just giant flat network. It's one six eight one eight, actually, I know the whole IP address range, but I don't, I won't say the whole range, but it's one six eight one eight, is like the class B that it was on. And it was literally, you're just like one hop away from every other IP address on the entire university network, and the whole network was being absolutely destroyed. Like, every Windows box was just falling over. And I had a friend, two, two mentors early on, a guy named Jason Orms and a guy named Ken Swain, uh, basically taught me like what a server was and what Linux was, like very quickly after I learned like what a computer was. So I just like dove immediately in, and Jason Orms was managing the entire network for this, this part of the, the campus, and he took a job at Fermilab, um, and left, yeah, and, and he basically gave the whole thing to me. So I was running around the campus installing Linux and, uh, replacing boxes as they were falling over and just trying to keep this network alive. Um, and it was basically just defending the network from real attacks. I, I was gonna do pre-med. I, I was, I was working in the computer lab getting ready to do a completely different education, and then someone's like, oh yeah, this and that
and server and this and that, and watch out for hackers or whatever, and I'm like, what are you talking about? And it just, it just, uh, it captured me 100%. And within a few weeks I was defending the network and installing Linux and learning what Linux was and then installing Linux. So it all happened within the course of like six months. Just, I went from, um, not knowing anything to having like my own office and everything. I was in charge of defending the whole campus network. I was, yeah, and I was coordinating with other campuses, uh, within the state to try to help them as well. Um, and then my first job out of college, what I actually started on, like, night shift, just monitoring like IDS, you know, like blue team type stuff. And I started writing articles. Um, I started writing articles. Uh, the first one was the tcpdump article, and, um, that was like, yeah, super late 90s or early 2000s. And, um, and basically I was writing it because I was explaining it to myself. So I put it on my own website. I would just explain the technology in my own words, and then I would put it on my own site, and then I started getting a lot of traffic, so I just started writing more and more, and it just accelerated.

So I'm trying to understand it, because this is, this is really cool. Your first exposure was to hear about Linux and just getting involved with it, and then your security, so that was technology, pretty much. But with security, you did mostly, your start was like blue teaming kind of thing, it was like on the defensive side of things.

Yes, yes, it was, it was, it was definitely blue team, which at the time it wasn't even that, because it wasn't even in security. It was more like, how, I want to use this computer. They're like, oh, that one's destroyed, you can't use that one, it's turned off. I'm like, okay, I'll use this one. They're like, oh, now that one's destroyed too. I'm like, what's going on? So I'm just like thrust into this thing going on because, uh, because of worms flying around the internet. Uh, so yeah, I was kind of like pushed
into this blue team scenario, and then of course the admin leaves and gives the whole thing to me after they gave me like a 10 minute primer on, on computers. So I'm just kind of like thrust into it. Uh, and then my first job was, I guess that was general infosec. It was, uh, appsec, uh, netsec, all of it, yeah. And then I immediately started studying offensive, uh, on night shift, and then, uh, I left there within like a year and a half, two years, to go right into a pen testing job.

That's brilliant. What made you want to do offensive instead of the defense side of things? Like, what made you want to, what got you intrigued in the offense side of things, do you want to go pursue it?

I, I, I think it was just that I just, I don't know, I just, I just saw how effective it was and that we were getting destroyed by it, and I was like, this is, I have to learn this. Like, how is this happening? How is this possible? And, uh, yeah, I just, I just wanted to learn how to do what they were doing.

Very fascinating. Before we go to the next question, I just gotta give a huge shout out to, I see Jason in the, in the chat, gifting a lot of, uh, subs, bitcode ash and, uh, energy brew. So thank you, so guys, thank you so much, guys, for the subs and also all the gifts.

What's up, Jason? I, I don't actually see the chat, I only see you, so what's up, Jason.

Um, yeah, so I'm gonna read the stuff that comes into the chat, but I know a lot of people here are excited about having you on here, and I want to keep talking about your, um, your experience a little bit more. So you mentioned you were in a university, so is it safe to say you have a college degree in computer science of some sort?

Yeah, I actually left before I finished. Um, I got about, okay, I got like 11 hours left or something, but I left before I finished because, um, because I got offered a job to go do the thing that I was, at the time, I mean, at the time I just thought it was worthless, because the whole point of the university was to get offers and offered a job, yeah, and, and I, um, I did, I got the
offer of the job based on, uh, knowing somebody who worked there, and, um, they knew I was into the scene or whatever, and, uh, I got offered the job, so I took it. But yeah, I did, I did a pretty traditional computer information systems, so a, slash, basically half computer science and half business.

Do you think that, um, is it required to go, in today's age especially, do you think it's a requirement to go to college? What's your take on, you know, school and degrees?

Oh yeah, um, this could be many podcasts. Um, I, uh, no, definitely not required, definitely not required. The way I think of credentials now is, um, get as many as you can, because you don't know who will value them, right, yeah. So, so if someone is like, you know, uh, what was that? If you're hiring manager, you mean, like as a hiring manager? Or you just don't know what, um, social element you're about to be in, in your, in the future, that might, that might respect a given credential. So you might live with a bunch of hacker friends, yeah, and they, even, they look down on degrees, so you never think you want to get one, right? And then you move to London and you're hanging out with a whole new group of friends, and you go out drinking with them, all of them have degrees, and they're like, hey, what's up, so what'd you get your degree in? And you're like, uh, well, no, I, I don't, I don't value that, my friends don't value that. Well, your new friends do, and also the people who hire over in London, maybe they do as well. So it's like, you never know what's going to be valued. Like, maybe, uh, what, the ethical hacker, um, credential, which mostly universally is not super respected, but maybe someday in the future you live in a universe in which that is valued. So if it's easy to get these credentials and, and queue them up, I mean, don't string them after your name and list them everywhere you walk around, that's ridiculous, but, I mean, don't pretend that they're your identity, but it'd be nice if you could enter different social circles or different career circles and someone is like, oh, by
the way, do you have a CISSP, by the way, do you have a master's, by the way, do you have this, and you're like, oh yeah, I think so, let me dig through here, oh yeah, here's one, you know, and just have it if they ask. But it doesn't define you, it doesn't define your skill set. So one reason I left without finishing was because my Unix teacher didn't know what SSH was.

Oh, rough.

They were teaching telnet, and I'm like, okay, this is clear text, let me show you in tcpdump, I can see all the traffic. And they looked at me, they were like, yeah, we don't cover that in this class, right? So they didn't know it was unencrypted, they didn't know what SSH was. It's just, and I was like, I have no time for traditional education when I could be teaching myself, right? Um, and I kind of view certificates and certifications and, and traditional education the same, in the sense that you can learn more yourself, self-learned, yeah, but it's two different value systems. Like, if people value Bitcoin, then it has value. If people value a four-year degree, then it has value. So you might as well just have it, but don't think that it represents your real security education or your real ability to find vulnerabilities or defend against vulnerabilities, because they're not the same.

Yeah, I think, uh, I've never thought of it in the, like, your social circle kind of thing, right? Like getting a degree because you don't know who you're gonna come across. I've always thought about, my whole thing with school was I finished my degree because I didn't know who the hiring manager is going to be, the kind of person that are an academic and, like, they're really big on school, or is it somebody, you know, a lot of tech companies nowadays, I don't care about, you know, at school, they care about more experience, if you're a good learner, you know, you go get a, go-getter, or whatever that is, right? But I finished it because, uh, this is something that my family always tell me, is like, you never know who you're gonna go against in that job process. It may be both equally as
good, but this other person may have a, not even like a master's, he could have a bachelor's degree of computer science and you have no degree. They're going to go, he's more educated, he's more about learning than you are, even though that may not be the case. But on paper you're kind of screwed, right? Because they're proving on paper that they have done more than you have.

No, that's, that's exactly right. And so I've, I've still got friends, like most of my friends are like in the tech scene and they're in like the bounty scene or they're in some sort of, uh, technical scene, right? And so, so they respect me, they respect my peers, even if they have a degree, even if they don't. I've got some friends who I've been friends with for a very long time, and, uh, they kind of just still treat me like a child because I haven't finished those 11 credits, as if for some reason, if I were to finish those 11 credits, I would suddenly learn so much, right? And it's like, I'm sitting over here, I read like three to five books a month and I'm like constantly gathering knowledge, right? And it's like, they don't really read and they don't keep their kind of education current, but because they did this 20 years ago, this, this degree, they just kind of look down on people who don't have it. And to the point of, like, what you were taught, you want to be defended against those types as well. You don't want to give them an arrow to be able to shoot at you, so you might as well get the coverage. I, I would say if you can get a bachelor's, I would do it. I'm definitely gonna finish mine because I'm, I'm thinking about other stuff, like master's and maybe your PhD, so obviously you need the earlier, uh, credential. So, um, I'm gonna go after it for a different reason. Uh, but as far as hacking, as far as technical stuff, hell no. Especially now, even like the last three to five years, the, the quality of content on YouTube, you could do a curated course on YouTube, yeah, and learn way more than like a high quality education. Um, especially when a
lot of the best quality education, it's all in like MOOCs, it's, it's online anyway. So the only thing you're really getting is like the self-discipline of, like, making sure you're in the chair and you're listening, right, and driving you to complete the class. But as far as the content, absolutely not.

Um, it's funny you say that. I actually passed off my calculus courses because of YouTube.

Really?

I couldn't understand, I don't, so there was a teacher that I understood really well. I did pre-calc with him, and then he didn't teach calc one, I think, so I took calc one twice, failed it twice, and he started teaching calc one again, took it with him, I passed. And then calc 2 and calc 3, I just couldn't understand the teachers, man. I just didn't get their style of teaching, it was just too much for me. I stopped going to class. I would show up on Fridays, take the quizzes, but Monday through Thursday, excuse me, but Monday through Thursday I would go to the library, whatever he was gonna teach, I was looking on YouTube, and I ended up getting a B, B minus maybe, to pass. But if it wasn't for YouTube, man, like a lot of the stuff that, even like a lot of the Java courses that you have to take in college, I don't like colleges because they teach you like Java and stuff, teaching so that I want to learn this, art school was like that, yeah. Um, but you're, you're nailing it on the head, like with how much content is on there. I don't care what you're learning, like, there is any topic you want, you just have to put in the umbrella topic into YouTube and there is tons of people talking about it, and that includes bug bounties, that includes, you know, programming, that includes science, chemistry, physics, uh, anything you can think of is on YouTube, and it's mind-blowing that you can learn it all on your own.

Yeah, it's funny, I'm actually diving into a whole bunch of math. I'm doing a little bit of machine learning stuff, and so I'm learning a bunch of advanced math, but I'm learning it through 3Blue1Brown, uh, this guy named,
uh, I can't remember his, oh, Grant Sanderson, maybe it's his name. Amazing YouTube channel. He just explains all this math. Uh, it's funny you mentioned, uh, calculus. I only passed calculus because I was able to store algebra formulas inside of my TI-92 calculator. I'm so bad, I mean, I was better at calculus than I was at algebra. So yeah, I, I absolutely agree with you.

Let's talk about certificates, because we, you kind of brought those up, and I see a lot of people in the chat are, um, bringing up OSCP. Someone said having your OSCP doesn't matter in a social circuit, social circle, which is great, uh, it's hilarious. But what is your take on certs? Before you answer, actually, do you have any certificates yourself?

Yeah, I did, um, I did a bunch of SANS stuff early on, um, and I did, uh, CISSP, and I did a couple of auditor certs. I, I thought it was really cool to have technical, CISSP because, like, everyone thinks it's great, and then, um, and then like audit. So I did like CISA, I think, or CISM, I did one of those. And this was like 15 years ago, and I've kind of stopped pursuing the certs. Um, I think OSCP has a lot of respect. I imagine it's probably declining, just because certs, uh, work on an S-curve, where it's like nobody knows about it, it becomes super hyped, it peaks, and then it starts declining as, as more people get it. So I think there'll probably be a new one like that, like maybe Offensive, uh, I, I don't know who would come out with a new one, but those always move. Uh, I, I would say that, similar to degree, if everybody loves a thing, just go get it, like, because you don't know who you're gonna talk to. So here's a good example. Let's say, um, let's say you're in the hacker scene and throughout your entire career and you just have no interest in anybody who cares about a traditional credential, and suddenly you decide you want to help the government, you want to help defend against China or something, and a bunch of your hacker buddies are going to work for some elite group that's going to defend against China. Um, and
they're like, yeah, so you got to have your bachelor's or your CISSP or something, and you're like, [ __ ] that thing, that is totally worthless, I need to have? And they're like, yeah, sorry. And this has happened to people that I know. They tried to get a job that they really cared about, but they, they care about this CISSP or they care about some SANS cert or something. Um, so that's, that's why it's good to have them. Um, what did I do? I did a GSEC back when you had to write a paper. Um, that was a SANS certificate. It was actually the hardest, uh, I think Jason did it as well, we agreed it was the hardest, uh, cert that we've ever done. It was really good. It was taught by, um, Eric Cole, um, now Dr. Cole, I think. But, um, and I also did a GCIA with, uh, Mike Poor, and that was a lot of fun. And I think I did maybe one or two more SANS certs, but I never kept them fresh.

Do you think, for people that are new to infosec, are certs a good place to go, like something like OSCP? I'm, I'm not going to, someone chat to ch, we'll talk about that a little bit.

But that's the one I was referring to earlier, CEH.

Um, very good. Go ahead. I know, I just want to know, like, because a lot of people that watch these, you know, the interviews especially, they want to hear, like, where do I go start? Do I go learn on my own? When do I do a cert? What cert should I do? Is it worth investing my time? Uh, what's your take on it? Like, do you think it's a good place to start, to learn on the hacker mentality, the basics and whatnot?

So I think certs are good for one particular thing, which is, um, getting the book that goes with the cert to use as an outline, especially if you're first starting. So, um, oh, you know, some other certs that I did, actually, some of my favorite certs were the Plus ones. So I did Linux+, Network+, A+. I was required to, I did like a VA thing. Um, yeah, Jason is saying do a cert if you have an employer to pay for it. I 100% agree. My overall rule is, if it's easy, get it, yeah. So your parents are paying for your degree,
go get it. Um, your employer is paying for your degree, go get it. Your employer is paying for a cert, go get it. Pick up as many as you can. But as, as far as someone starting off from the very beginning, I would say that something like Linux+ or Security+, it's great to learn a broad set of skills, a broad curriculum. So Linux is a great example. I jumped right into Linux because I had to, and I started learning stuff very quickly, within, you know, a week or two of being exposed to it. Um, but there were whole realms of Linux that I didn't know about because I didn't study it formally. So getting a cert will, will cover the surface area that you haven't covered before. Um, so that, that's the reason I do like certs. Um, even the CISSP for that reason. Like, if you ever need to know about fire hydrants, you, you get that covered with CISSP. Like, I didn't know I needed to know how to put out a fire, uh, when there's no, whatever, water suppression available, but evidently that's a skill I need to have.

They actually talk about that in CISSP?

Yes, unfortunately. Like, how high should the fence be, how high should the fence be around a certain building, like, what type of fire retardant do you use in one kind of building versus another.

You're not joking right now?

Oh no, no, this is serious, this is serious, and they got whole sections on it. I might, oh, and then laws, yeah, tons of laws. There's just a whole bunch of stuff. It's like the, uh, the, the non-hacker cert, hundred percent.

Oh my God. All right, moving on. Um, no, so just to reiterate, I agree with the, you know, like, I don't have any certs. I don't, I like reading and learning things on my own, you know, the whole reading book thing. I had someone ask me, it's like, oh, like, do you not have any, like, education goals, do you not want to go to school? And I was just like, no, I did school, I did labs around my school for extra years, I don't want to go back.

Exactly.

Um, it was painful enough. I still have PTSD, I still dream of, I wake up from nightmares of me being in class and
like failing at class and I need it for graduation. I still have to have those nightmares, like, it's not going away.

Yeah, so, so I've got, I've got a point for you. So this is, um, it's a little bit orthogonal to what you're saying, but check this out. The best certs now, you know what the ultimate proxy is for both degree and certs? It's doing what you're doing right, on your, now, having a ch, having a channel, emoting, describing knowledge, pursuing knowledge, being curious in a public way, sharing the knowledge that you gain with others. You have a username, you have a website, you have a YouTube channel, you have Twitter, you have all these channels. This is the clearest signal of competence now. So this is, I, I get asked this question all the time, like, how do, how do I move forward in security, what do I do first? And my advice is always the same: get a domain, get on Twitter, yeah, get on all these things, and even if you're an absolute noob, your first Twitter post should be, hey, I'm a total noob, what should I try to learn? Someone responds, they're like, oh, you should try to learn Linux, or you should try to learn, uh, buffer overflows, or you should try to learn recon, or whatever, yeah, and they're like, okay, cool, I'm going to try to do this. Publicize and describe your attempt to learn. Say, I tried this, I tried to use this code, this didn't work. People will show up and help you. And now what you will have done, you've posted multiple things on your blog, which started out as like, I'm a total noob, how do I do this, yeah, six months later it's like, hey, guess what, I figured out how to do this. Pretty soon Google figures that out, they start going to that webpage because you're now the authority on solving this one little problem, yeah, and that snowballs, and pretty soon you're known for solving whatever type of problem that it is you happen to get good at, because it happens to be interesting or you just got lucky or whatever the reason is. But over time, like, nobody cares about the degree, nobody cares about the certs,
nobody cares about previous experience. What they care about is, are you curious, are you seeking new knowledge, are you lifting others and helping them explain their stuff and, and celebrating in their successes? And if you're doing that visibly, the people who I know who get the fastest jobs are people like you, right? So if there was a, there was a hacker job that was open and, like, Ben is applying, like, tons of people on the hiring team or tons of people who are part of the hiring, uh, you know, panel, they're going to be like, you're talking about Ben, you're talking about NahamSec? Oh yeah, 100%. The filtering is done. Nobody cares about what, what grades you got in your classes when you're in college, because they know you as a brand, as somebody who is pursuing knowledge and helping others do the same. That is a thousand times more powerful than certs. It's, it is the premier brand, um, or it's the premier way to broadcast that you actually care and are interested in an industry.

Yeah, I mean, the reason why I started my channel, and I think I've said this a few times, it's I want to do what I always triple had done. When I first started seven years ago, none of this existed. I don't care what people say, none of this [ __ ] existed seven years ago. Nobody was talking about how to learn. Nobody wanted to share their secrets because they all wanted to keep it to themselves, yeah, and there was a lot of resources, man. There was a handful of us that were doing blog posts back then, and, um, if you go down to my Twitter feed, you scroll down to like 2014, 2015, um, I was posting on Twitter like, hey, does anybody know what parameter pollution is, I have no idea what I'm doing, I see this on the scanner, I want to know what the hell this thing is, how do I, you know, how do I use that? You can go see all those features. Or there was a few times when I was like, hey, can anybody help me with a SQL injection, for example. I'm so bad at them, by the way, I'm not good at SQL injections. But back then I was just like, can anybody show me
how to exploit this i have a sequel injection but i don't know what i'm doing and godless there's a few kids in egypt i don't think they do any hacking anymore if you're watching this dude hit me up but there was a few kids out of egypt that were making tools for sql injections and they really on twitter they messaged me like hey i saw you posted this let me take a look at it and they helped me exploit it and stuff like that so twitter has been absolutely one of the um best things to ever happen i mean granted there's a lot of lots of drama on twitter yeah twitter drama in any industry though it's not just um it's just it's not just infosec it's just i think what twitter is designed for is the toxicity of every industry ends up on twitter which is a part of it but honestly there are a good percentage of people that want to teach you how to get started they want to answer questions but you just have to make sure you're not just saying how do i linux you actually go and say how do i do this thing using the you know operating system that i'm in and people want to help you when you are being more detailed about your questions and you ask them absolutely that is a great point and i think what you're mentioning is super important so the the favorite hackers that i know are are happy to come out and just be like i don't know this right um you look at you you look at um jason you look at stoke you look at lots of these other people like stuck not not stoke um it's a swedish thing but um but yeah you look at all these people like just so willing to to put themselves out there and be like i don't know how to do this and get help from others like uh a lot of noobs think that it's like um you have to know everything yeah and you have to be like the expert and you must never show weakness it's the exact opposite for the best people the best people are like okay here's a new type of wall i know nothing about it who knows anything about it oh and to your point also here's what i 
tried here's the error i got like show your work show that you actually put in the work it's like people who ask for help in the industry you're likely to get help from somebody if you're like i read all these tutorials i tried all these things and now i'm stuck here in this specific place i'll reach out i'll spend time on it on a sunday night writing them a long email but if someone is like teach me how to hack that's that's hard to do especially with all this youtube out there it's like what do you mean just type how to hack into youtube and you'll get a million hours of study yeah it's um i i i'm gonna regret saying this but i read all my dms almost but i pick and choose who i answer too i answer the people messaging me like you know hey ben i've done this and that um you know i'm stuck with this thing what do i do or you know i people that are you know complimenting whatever i'm doing but they're you don't have to compliment yourself i'm just saying you have to compliment to get an answer i appreciate it but i would just rather have you send me a question exactly what you want detailed then you're saying my least favorite thing can i ask you a question you already did it you already you had the one chance it's something i don't want to answer it but it's like i'm going through these you know 20 dms a day 30 games a day i'm clicking on what gets my attention like this person is serious they want my help i'm going to respond because if i tell them go do this they're not going to come back and say but uh i tried no there's no buts you haven't done it yet on this side you're doing the wrong resources but uh yeah the my my least favorite thing is can i ask you a question or how do i hack it's just like i can't help you with those you know those questions have been answered go through my twitter feed not just mine hundreds of other people have answered these questions um i've actually got macros set up to respond with a full with a full write-up on twitter yeah so 
i've got it all through the os so i could just respond quickly and it expands out a snippet it's like okay here's where you start blah blah blah and that sends them off in a direction that like curates the knowledge if they respond back and they're like um i don't have time to read that or something you know just that's not somebody you want to help because they're not yeah they don't want to help themselves right um so yeah i try to give them something but not too much uh because you don't know if they're one of the time seeks yeah yeah it's um i you the the way you approach somebody to get their help it sends a very good signal of who you are and how much work you're willing to put in totally um you said something about blog post you mentioned um you were asking questions i want to learn this thing and then you would go and write something about this solution to become the authority is that why you have so many freaking blog posts on different tools is that your obsession that you want to learn how to perfect these tools you go do it for a month or so and then you publish results exactly so i i would usually just pull up the man page and then just be like okay which one of these do i want to learn how to do um if i wasn't forced into it by some other uh workflow um oh nice security is over here as well it's very cool um yeah so 100 so i would try to learn something but then i wouldn't trust that i had learned it unless i would write it myself so i would write down what i believe i had captured well there you go yeah this is what jason is saying writing about your learning put it into best practice 100 so it's like if you think you know something oh this goes back to like richard feynman uh or maybe it's einstein i can't remember but it's like if you think you understand something get on the stage and explain it so you're like yeah 100 i know about cross-site scripting so you do this this and this and you're like well actually hold on is it here maybe i don't know 
and so i would get in that position and i would be like okay if i can't explain it to myself where i could read it perfectly then then i don't know this so i would force myself to write a tutorial for every subject that i was trying to learn so i've got hundreds of them up there now um over time i probably got to like 10 500 posts probably on the site overall i pruned most of them because a lot of them were like one or two lines but um feynman learning technique yeah that's probably something about explaining if you can't explain something simply you don't understand it 100 believe that and that's that's why i'm so obsessed with tutorials because it proves to my own self that that i actually understand something what you just said about if you want to get good at something go on a stage and explain it if it wasn't for public speaking dude yeah i would have never been able to overcome my uh imposter syndrome just the fact that you know i'm going on a stage this is getting recorded i need to make sure i can explain this thing and then when i did my udemy course this is like something that i i've never talked about but you don't realize how much you don't know until you try to teach people people think it's easy to like you know make a course or everyone's making a uw course everyone's making a youtube channel dude it's not easy it's so much work to try to explain even cross-site scripting and you go wait did i just what you were saying did i cover this thing did i explain it properly i look at my team that i have a team that i work with when i record they don't know much about um hacking when i look at him and i go did i sound like a [ __ ] idiot in this portion too many circles and if they say no we kind of understood what you meant i'm like okay if you guys are non-technical you understand then then i'm doing a proper job but it's just it's it had different when you were like if you really want to learn something go on you know a stage and i was just like like the 
glass just shattered in my head i'm like when i did ssrf things if it wasn't for me trying to explain this to a mix of technical and non-technical audience then i would have known how to master the expansion of ssrf or yeah if you're working for the course i wouldn't be able to teach the basics of these things and i'm learning things because of my course right now a lot of people that watch my streams they know i'm really bad at this organization stuff i have to learn stuff and get good at it because i have to teach people how to do it and it puts a lot of pressure on you when you have to explain to other people well exactly and you expose yourself to some you expose yourself to people who ask really smart questions that'll make you change your mind like sometimes like you're explaining ssrf or whatever and they're like well you sure but why don't you just do it this way and you're like well because oh actually that is a better way and it's like people know stuff way deeper than what you're usually covering in a course or in a tutorial and i get all the time people are like yeah you could just use this flag instead of that flag and i'm like oh [ __ ] i guess that's true on the topic of hacking and just the basics of it what's your take on knowledge of like code like knowing how to code is it required for hacking because with bug bound it's a little bit different people have different takes on it um what's your take on it do you think you should be a i would have to be a full stack developer but it helps what's your take like where do you think people should stand how much do they need to learn about coding versus you know security fundamentals and other things because with hacking it's not just coding right it's like knowing networking knowing programming knowing basic security understanding web whatever you're attacking operating systems whatever whatever else what is your take i guess my ta i don't know if it's still controversial or not a couple years ago it was 
controversial but i think you need to know how to code um i think you don't need to be a full stack developer and i don't know too many hackers who are there are some and they tend to be pretty good it's like if you have the hacker mentality which is fundamentally about curiosity and you add the ability to code to that it's it's an exponent it's a superpower if you can code and you're not curious it doesn't you're you can't really be a hacker you have to be curious uh i think fundamentally but um there are a lot of people who are trying to get into hacking or offensive or defensive security of any type and if you only know things at like a cissp level like you're good with fundamentals you will always be dependent on people who can code the moment you have an idea that's kind of interesting if you can't translate that idea into something practical you'll always be reaching out and say hey is there someone who could script this for me is there someone who could code this for me so that slows down your progress if you can turn ideas into action or into a small little tool or a little utility yeah you you're just much more effective as a security person um i think that everyone should know uh programming fundamentals like loops and storage and data structures and stuff like that and you should be decent at translating that to multiple languages like oh i could do that same thing in javascript or i could do it in python or or whatever right you don't need to be a developer you don't need need to be able to make websites that have middleware and talk to the backend and jdbc and all that right but i do think coding matters i think it matters a lot what languages do you recommend for people that want to get into the offensive security part of stuff to learn shell shell first yeah and uh probably python next um and then go really python shell and go yeah okay shell first because shell is like the closest to the system uh jason and i both really really love shell um it's i 
still do most most everything in shell and then if i need to do complex http stuff i switched to i used to switch to python and now i'm switching more to go um so yeah i would say stitch everything together assembly uh someone's asking about assembly if you're into the reverse engineering scene um anything binary related i would say absolutely assembler but um not if you're going to be just pure uh bounty or pure offensive security assembly it's really good for like when you said reverse engineering stuff but with like i don't it's a very niche thing that you have to go for but i think for the basics and the majority of um offensive security you could do without assembly yeah so someone is also asking uh why python doesn't golang replace python so here's a good lesson because i've seen so many of these trends uh ruby came along and ruby replaced python for a long time and everyone was like oh it's all ruby now so long to python and then uh machine learning came out and so many uh researchers switch over to python from r to do machine learning and it kind of just lifted python again and now hardly anyone's doing ruby so think of it think of it this way in the olden days there used to be a thing called perl and actually a i was i was in a marketing class in college and i was reading a perl book and i was getting so excited about programming because i realized what you could do i never wrote anything at perl i switched immediately to python but python is the new perl think of it that way it's going to be around for ever and it's the thing that people keep coming back to um okay so it says i'm killing them i don't know if that's good or bad um it's going to be around for a long time who knows it wouldn't get phased out or not i think golang is absolutely amazing and it maybe it'll be the new thing but it's not as approachable as python is um so i think that will be more of a barrier um i think just back to your point like any scripting language would be very 
helpful i love doing stuff in bash just because like there's something about it i don't know what it is it's something about it that's obsessively fun to play with with gosh well it is the system that's what i like i don't need to translate from a language into the system command shell is the system command right that's what i love about it um and i think python i'm not really good at python it's something that's been on my to-do list for a very long time to get better at it but the point of saying you need to know programming because you're going to get stuck you're going to always rely on others it's very very true in a lot of my cases before i picked up getting better at bash if you want to pull data from some websites and you want to automate it like how are you going to do that on your own you know you can use burp suite but there is a limit to that you have to probably learn how to use burp suite in that time versus knowing how to do it globally with anything in bash and it's not really that hard to learn bash at all or just you know any um shell but just bash itself it's just just i think it's just an easy thing to learn and there are so many resources out there that teach you how to do all these things i just have to know about what i look for um let's let's talk about ctfs a little bit um do you or did you ever play ctfs and do you think they're helpful for people that want to get into infosec and like uh or offensive security yeah i think they are somewhat helpful um i have played multiple in fact jason and i met playing a ctf um in a burp class we teamed up he scored most of the points just just for everyone to know um i think i've heard this story before yeah yeah um i think they're cool um i am actually not so great at them uh because i have this thing where i'm trying to be perfect um i also have this other problem of like when i go a long time in between ctfs uh ctfs are all about the tool set in my opinion it's like do you have all your commands 
and all your tools ready to go so that the second you need it you're ready to shoot it off and what will happen to me is i'll be like oh i haven't done a ctf in like a year and a half and i'll walk into this class oh how hard can it be i sit down i'm like okay i need to send a uh a custom request i need to modify a tcp packet yeah uh i'm i'm gonna use nemesis oh let me download nemesis jason's over here uh he's got two flags i'm downloading nemesis and it won't it won't compile so now i'm freaked out i'm just like why am i so bad at this like why didn't i build these tools before i got here so for me it's just like this real time stress of the thing um in other words if i were to get good at it i would have to have my thing perfectly built and i have to stay in practice almost like a martial art uh you can't like do it casually you got to be really really good and practiced i think um in a competitive ctf absolutely right but do you think ctfs bring a value in like teaching you the basics and getting better at the fundamentals or even beyond that's a great question i i hadn't thought about that normally when i do them it's like we got 20 minutes we got to get the most flags and it's like very time pressured those are the ones i don't like i think the ctfs or the challenges i would say um in the uh the the wah you know the um yeah those are fantastic and i think to your point those are a great teaching tool uh so yeah i would agree with you there they are um it's the the high pressure ones that i i kind of i stay away from just because i need to be ready for them but as a teaching tool 100 yeah i think um i used to not be a fan of um conference ctfs it was just so unrealistic for a while and then i realized that not some of them aren't realistic at all but the basics you learn from those um ctfs are very very good in a hands-on way where you know you get to learn from other people if you're on site i picked my first not my first stock but this was one of those um 
combination locks you know i picked one of my combination locks for the first time at a conference i'd be san francisco before the covid stuff shut down because it was a part of the ctf and no one wanted to do it because i was like oh i don't want to pick a lock i was like i want to go do it i looked over to dude's shoulder he's watching a video and i'm like how do you how are you doing this he goes watch this video and we're both just sitting there doing you know this combination thing and it's like about pulling it and how it feels while you're pulling on it and you get to learn like you you realize like okay back to what you were saying everything's on youtube but also you get to see how others are doing it and that was one of the most like you know there was a wholesome experience of seeing okay i don't need to know everything but by doing these ctfs i could find out what areas are fun for me and what i want to learn more or you know what i'm lacking or whatever it is how to learn it i think ctfs are a really good way to just learn some of those stuff and if you're new to infosec it's one of the probably the best ways to see what interests you maybe web isn't for you maybe you know something else is that that thing that piques your interest and it's a really good way of seeing what you can be passionate about yeah and i really like one of the points you made there um so the the most interesting thing about ctf for me is like if you're hitting a wall and you just cannot see how to get past this thing and then you find the answer and you realize it's a completely different way of thinking um i actually had a github for these actually at one point i had a repo around ctf solutions so i could remind myself of all the different ways of thinking that were different than i would normally think because i wanted to have all those different techniques like built into my brain so i could just call them easily like from cache and because because i just think it's super 
valuable because so many of them follow like the same sort of tropes um especially for web ctfs does do you still keep that um repo current or is that an old project no i haven't messed with it i think it's still there before we switch i want to talk about this live recon so we have to talk about recon a little bit and i want to make sure i give uh i don't keep you more than expected especially on a sunday there's a good question that came in and people in the chat also want to hear your thoughts on this i'll put on the screen but i'll read it off can you ask him if um he has any tips or advice for students applying for internships like how to show off your your skills on a blank resume or maybe example projects to make in python or preferably go link um so i think the answer goes back to what i was saying before the best thing you could do for an internship is um show the places that you're talking about what you've learned so if you were to be like um you know go to sallyjones.com and this is where i've charted all of my learnings over the last six months yeah and so me as the hiring manager i go to sallyjones.com and i see that she's she's done all this different hacking stuff she's tried all this different stuff oh here's where i try to do the same recon tool in javascript as well as in uh whatever going yeah and and then um i go over to her twitter account and i see that she's talking about all these same things and she's asking questions and getting feedback i'm in i know this person is engaged i know this person is trying to learn and i know they've been doing it for six months or a year before applying to this application so it's not just it's not generated for the purpose of trying to get this job there's a history here um because that's the thing about an interview it's a proxy for the thing that you actually care about and as a hiring manager the thing that you care about is like will you be able to do the job in the future best possible way to know look 
at the past and that's what the website represents that's what twitter represents that's what a youtube channel represents it means you are grinding towards improvement in a consistent way so if you show up to an internship and you're like here's my um here's my website here's my twitter here all the different projects that i've done go to my website slash projects here are all the projects that i've done well as a hiring manager i'm going to be like yeah this person is 100 percent the right person i think uh absolutely the the website thing is absolutely awesome with with regards to bug bounties and like projects you have done also like you know outside your website explaining what the projects are now so the way i did for my first job i didn't have any background in tech zero background intake all i had was bug bounties so i listed my self as self-employed and then i put every vulnerability type that i've found there you go in parentheses i would link to the blog post saying confirmed by yahoo confirmed by paypal confirmed by microsoft and link to those blog posts yeah and the logo of the program the logo of the program is nice as well right it's like look at all these brand names where i contributed to making them more secure there's a lot you can do and it just comes down to what you know have you done the work of whatever you're going to um put on on your resume you just have to you know do the work so you can actually put it on your resume and it doesn't have to just be work experience it could literally be stuff that you have done on your own like you were mentioning yeah the the other thing is super valuable for this i did a post on this something like uh i don't know skills that hiring managers are looking for or whatever if you can somehow intuit what the hiring manager needs like sometimes hiring managers it depends what kind of emphasis job but like at a big corporate one one of the big things is like find out if a technology works another one would be 
like go audit the security of a new technology to see if we should even bring this thing in yeah so if you could in your uh internship say okay here's what i've done and you're kind of showing them the exact problem that they're trying to solve they'll be like well that's exactly what i need and here's a list of times that they already did it so it's like the more you know about the exact problem they're trying to solve like show them that you've done it in the past because anything else is just a claim like if you claim that oh i could do that oh i could do that that's that's nothing if you say i've already done it go look at my notes that's way more powerful yeah i'm having a solution for it and proof for it it's a entire different thing um all right i'm gonna try and speak to some of these questions we have to talk about recon a little bit i know you're really good at it and i want to talk about recon um first thing i want to know what does uh what does recon mean to you what does recon mean to me me to me recon means like i was saying before never being surprised um asking a million questions and having the answers always ready for you um so what i do with the methodology is i ask a million questions i did a talk on this called mechanizing uh the methodology and this was a red team village i think last year and uh you should check that one out because it kind of breaks things down it actually uses jason's methodology as an example of how every methodology branch becomes a question the question becomes associated with a piece of code and that code basically functions like a unix command and produces output and that output becomes an input to another one and this is how i've built so i don't do bounties but as we're speaking i have probably dozens of running campaigns and they're all doing hundreds of different things and bringing them all together and sending me alerts and email and sending me alerts and slack because i never want to be the one who was surprised 
um there there are multiple analogies for this um some involving role-playing games which i won't get into but it's like if you're going strength versus strength that's one thing but if you know what's how you're going to be attacked before you get attacked you have time and time is everything in this game right so so if you look at all the different tools that are available and all the different things that you could do with each tool so fluff for example like that's that's a directory tool um it's a fuzzing tool so i do so many things with that tool it's insane and i bring it all together into output uh which you've got to check out that um that video if you've not seen it but um when you go and get that content and bring it back but so here's an example that i did a long time ago when i was doing uh network fantastic so i would go to a site i would sit down unpack my stuff and i would start attacking the domain and try to get domain controller access and uh domain admin essentially and um so i would start writing all these scripts uh to automate the thing and i would just go from place to place and within about an hour and a half or so i would have domain admin we'd be done i started writing the report i got it to the point where i would initiate the the scans the results of the scan would go into a different tool and it would just chain until i i could sit down unpack plug in press go and just wait and it would come back and i would be done and that that is why i'm obsessed with recon because you can have that running against your own infrastructure at all times i i just assume there are bounties running against any website that i have i mean i've got canaries all over my stuff so i could see when someone who's doing bounty comes and touches my stuff i get alerts like i'll find them i'll send them an email and say congrats like and just be like yeah nice job for finding that um i've done all sorts of things with like um uh i had one called like finances.xls and 
it was actually like a zip file and it fired off a little piece of javascript that sent me a thing basically if they opened it up and it was like uh what did i name it i named it something like taxes 2016 or something and just like all this kind of fun juicy stuff um plus messing with headers i just i'm obsessed with the idea of always knowing what is happening that's why i think this old style of like every once in a while run a scan i just don't like it um a lot of the stuff that i'm doing i'm doing every minute i'm checking every minute to see if something has changed and some things it's only like every hour or whatever but i don't do like weekly scans or anything like that um i saw recently that someone else was doing i think it was might have been tom was doing it with um sleep have you seen that i'm not yeah so basically doing automation like um let's say a fuff command and he would put like sleep 100 and then it would just stop see it would stop for 100 seconds the reason i don't like that one is because you have all these background processes and if the host stops then all your processes stop so what i like to do is put it into chrome and basically quran holds like 15 different chains and all the chains run and feed each other and then i should just sit back and look at slack so i could be out and about at any moment and suddenly i see a slack knock knock a new sub domain was added well that hap i'm going to be the first one to know about that because i check every minute yeah right so to me recon means never being surprised about either something that's happening on your target if you're attacking um the moment that vulnerability shows up you should know and if you're the defender the moment it shows up on your side even if it's not a phone even if it's just new attack surface um i want to know immediately what are um what are some of the tools you use for your recon uh fluff i use a lot i use a lot of tom nom noms tools a lot um the other tool set that i 
use the most is uh project discovery yeah i am so uh like enamored with their stuff it's it's of a quality level that it's just a lot of the stuff i've done myself uh in the past but not nearly as high of quality um there's another one called uh semgrep have you ever heard of some grub sim grip now yeah it's um it's like a code analysis tool but really it's like um it's like semantic evaluation of text essentially so it can extract out certain things that you really care about kind of like gf from tom num nom yeah um but um i just basically chain these all together into workflows so tom nom noms tools i assume you are talking about find them no that's not fine domain asset finder is one of those um http probe uh meg no those kinds of tools and then project discovery i'm assuming nuclei and um i can't think of the other ones https maybe are the ones that you're referring to um so meg yes um yes um there's a new one by detectify i believe called page fetch which is a rewrite of uh well it's not an actual rewrite it's just a new version of um it's basically a go-based chrome uh requester of a web page um because i i did that i've got a one-liner where i could do that with chromium uh it's essentially like curl except for it uses chromium to request the webpage so i chained that together i used a lot of different ones from from project discovery yeah nuclei definitely there's another one um oh is it actions pd pd actions oh my goodness that thing is insane so pd actions i think that's the name of it it is basically an automated this thing is basically like a recon mssp all built into a single tool okay it has the it has the oh and and it's backed by github so the whole thing runs in github actions okay so it's actually this is crazy like this probably won't even exist for very long because it's too awesome they're using github actions to run the recon processes which means it's actually github standing up the linux box and running all the tools because you can see 
clearly in the in the code it's you can see the ansible um of how they build the box and everything yeah yeah it's really cool i'm looking at the readme it says their workflow is you echo a website it feeds it to subfinder and then there's dnsx to filter dns records they use nobu to do port enumeration httpx for um probing obviously and then nuclei to do vulnerability scanning and then they notify you through slack and i'll do it very cool i gotta look into that that saves me a lot of time yeah so um most of us already have like that kind of infrastructure already built up i i think it's just really cool to see what they did and of course they use nobu instead of like masking or or nmap because it's their own tool um but oh yeah that's another tool that i use uh notify notify is really cool um i i think we're probably getting close to time i actually set up a little thing to show how you could build like a little mssp type situation using slack but i think we'll save that for another time um because yeah this notify tool is really powerful um so i i got a thing set up where you basically pipe to notify and it shoots it right over to slack so for example if you have a new subdomain that's found like i get it in slack and um it allows you to send notifications to like discord as well with my clients or other services so because we're almost the time i have a few good questions that are non-hacking related i feel like we talked a lot about like a high level of hacking and how to get started i'm going to reach out to you maybe we can bring you on for another live recon but this summer because i've wanted to do an interview with you for a while the way it works i interview people and then i bring them on to do actually like hands-on hacking a little bit uh we'll schedule that for maybe postdefcon i mean we can have you on here if you're up for it and just kind of show us some of the things you do um we can do some hacking together sure then we'll take it from there 
because i feel like a lot of people would want to see it's not so much about what tools you use it's mostly like how do you use those tools because yeah definitely right good question coming in are you going to def con this year by the way i don't think so i don't think so um i've got a friend who if they decide to go i'll probably go um but other than that i don't i don't think so is that friend the person asking this question right here that is him damn it jason [Laughter] jason are you going are you going has this changed has this changed um the real question is jason are you going to def con because i think uh i don't think that we're going based on our last uh conversation but um definitely next year i will be there if you guys both show up please let me know i would love to oh nice person 100 um but that's just when you're like i have a friend and i'm like trying to ask me this question all right one last uh technical question burp suite what are your favorite plugins oh i've got a i've got a whole list um i actually haven't done much with burp lately my favorite one um i've got three different ones that i alternate between uh for one particular bug it's like the main thing that i use burp for uh i think it might be called authen or authex it's essentially you pass multiple cookies in and it tells you um if using forceful browsing will allow a lower user to get to a higher level of content and that's like one of my favorite bugs but generally i've been doing full uh linux-based automation not using burp very cool um let's jump into my favorite portion of the interview this is the the part that i get excited about um do you have a routine every day um no not right now uh i'm about to um i'm about to and i'm also about to put that routine on github and check this out so um so i had i had this talk a long time ago about algorithmic versus um osmosis based learning and i'm a real huge fan of this algorithmic learning so essentially you have a methodology for 
doing x yeah and when you go to a talk if you get something from the talk you update your methodology and you do attribution to like where you why you updated that thing so that if you end up like what i'm about to do i just read this book how not to diet i read this other book by dave sinclair about aging and stuff like that and um yeah so so um what i'm essentially doing is i'm building a methodology from what to do from waking up to going to sleep and each line of that i'm going to attribute to all the books that i've read to arrive at that decision so if someone wants to see exactly why i do this workout routine or i skip breakfast or i do whatever it's a full list of references and it's in the github history i'm a fan man i want to see what i want to see this in action yeah i'm about to do it like incredible starting next week because i might be actually moving so yeah this is this is a big thing i'm thinking about but my routine for the pandemic was overeat and not exercise enough that was my routine it's not on github but anyone could follow it it's coming to a github repo near you on the next week yeah um you're speaking of books i've been big on reading a lot more recently i think i'm trying to do one book a month because i used to not read at all what are some books we recommend for just personal growth non-tech um i've i'll give you some of my favorites i've done like atomic habits um i did um i did some books on okr's don't ask me why um personal growth has been something that i've been really working on um atomic habit is what kind of like got the gears moving if that makes sense yes what are some other ones that you recommend you said you've been reading things i've been pushing you to do you know things differently what are some favorite ones david goggins book you can't hurt me it's absolutely fantastic if you haven't read that in the chat i really recommend it can't hurt but one of the best books you can come across so subtle art of not giving 
um yes it's a really good one that is unbelievable so here's what i would say uh there's a number of books i can send a full list um or you can post it uh stoicism get into stoicism so there are i read um when i first got into it this was like the year before the pandemic so i guess 2019 i guess um i went and read all the canonical books for stoicism which was like 15 different things starting with uh marcus aurelius the book um meditations so i read that and i read the entire cluster around it but then i read the cluster around that which is modern interpretations of those things so there's a book by bill irvine about stoicism essentially this is the most powerful like life methodology in my opinion because it's all based on resilience it's all based on the fact that you basically you can't get well so here's fundamental concept fundamental concept which is amazing um there's a difference between the thing that happens and how that thing makes you feel they are completely disjointed you have control one more time say that one more time there's a difference between the thing that happens and how that thing makes you feel there's a separation between the two so you have control over your reaction to an input you don't have control over the inputs and you shouldn't try to think that the inputs actually determine everything because they don't and you don't have control over them but you do have control over how you respond yeah and that is like the central tenet i think of stoicism and it's really powerful and it's all throughout all the all the different books in different ways but uh ryan holiday is a um yeah one's an event and one's an emotion 100 and you could control the emotions that's the thing so you combine that with mindfulness um you combine that with some books by like ryan holiday he writes about this a lot um really good stuff you said meditation by marcus aurelius is that what the name was yeah meditations yep i'll look into it i literally added to my um 
yeah i've been there one thing that i've realized you know when i was like i trigger happy and i was like oh it's all in your head the thing that i've learned a lot it's like you're in control of this like your thoughts don't make you you just i saw this quote that it was like you're an observer of your own thoughts just pick him throw him out if you don't like him like don't let him get you know get bigger than what they are it's a thought it's going through your head it's going across if you don't like it like question it or battle that thought that you don't agree with and don't let it become your entire existence whatever it is yeah that is that is a really powerful concept so this is that's the central tenet of mindfulness it's actually really weird so if you imagine if you like massively hurt your elbow by the way i recommend this app called waking up by sam harris it's like the best meditation app in my opinion um but so check this out there's a thing that you could do with any sort of pain or suffering but let's just take the example of your arm is like broken if you try to think about peanut butter uh a peanut butter sandwich while your arm is broken you will be distracted you will be destroyed because your arm is hurting so much if you take your mind and you turn it and you stare directly into the pain it goes away if you if you notice if you pay close attention to the thing that's actually happening to you you could do this with anger you could do it with sadness you could do it with anything if you stare directly at it you don't think about anything else but it it fades away so and what this means is that distraction is essentially the cause of a lot of the suffering yeah i i agree i think so i i can't talk about this too much as there's a i did a piece with uh with a blog post for the company and they asked me about personal like mental health and i opened up a little bit about my depression and anxiety that i dealt with last year um i won't get into 
it right now leave it up for the blog but the thing that i wrote in there the tl dr is we all know what is causing our depression and anxiety we're just too afraid to face it yeah deep down if you ask yourself what is causing my anxiety today you know the answer you damn well know the answer you just don't want to admit it to yourself because you're scared of the move to change what's going to come with it um so you're absolutely right man like i threw myself into distractions a lot and then i just cut everything out i disappeared that's why i disappeared from streaming for a while i just was like i have to face this thing no there's not amount of alcohol drinks smokes whatever that's going to cause you know you can numb it for a while but until you face it it's never going to go away absolutely on the topic of anxiety depression um mental health how do you deal with burnouts um i rotate the inputs um and i usually switch the mode pretty extremely so if i'm very much in a technical push and i feel technical burnout i switch to say stoicism or i read fiction i switch the the channel completely um i don't really schedule it i i just until i feel um [Music] relaxed it to me it's it's like using a muscle too much it's like if you just curl like over and over it's like your bicep is destroyed so you switch to another muscle right and and that that's a huge part of it um i think um in the case of the scene that that we're in like where you're public the muscle is often uh presenting and displaying and being on a stage and that is the bicep muscle that's getting tired is that you're constantly performing for others and that becomes the thing that you have to switch off and it sounds sounds like you you absolutely did that and that's how you were able to come back yeah burnout says it's still something that i don't fully recognize a lot of times until i'm deep into it and i realize i'm no longer myself but now like with streaming man like i'll be honest like when i go on 
these breaks i'm like are people gonna forget about me are people gonna come back watch me again like am i gonna is my sunday prime 11 to two gonna get taken away from somebody else yep it's a it's a it's business it's not personal i get it you know people are going to want the same yeah you know i complain about my life sometimes i used to a lot and then this is why i mess with me as it's like people would kill to be my position in some cases and i always messes with your head because if you give up that position of my sundays that i do my streams you know last week when i came online there was like 200 people watching i was just mind-blowing that people are still willing to come back and watch me but now it's at the point that i'm just like listen like if i lose it if i mentally lose it it's not going to matter if we're going to come back or not they're not going to come back i won't be here for him to come back right well yeah so i'm having this conversation with so many people who are in our scene as well as similar scenes in other spaces and it comes down to taking inventory of like what are you ultimately getting out of this thing right and it's like can you get that a different way um and how can you do the thing that you're doing in a sustainable way right it's like can you do this in a in a way so i've had a show for like five years and i have a very strict rule which is i only do a thing that i'm going to do naturally anyway if i feel myself have to muster up the courage or the strength to do it then i say no to that because i know i can't do it consistently for 52 weeks a year so i i whittled down the effort that i do to make sure it's right inside this line in my case it's reviewing the news and doing analysis on the news which i have to do every week anyway so i just turn that natural thing that i'm doing into this output to maintain sustainability um but i think the stoicism conversation will really really illuminate some of that um it's really 
powerful i'm gonna i'm gonna read some of this stuff and i'm gonna give you a ring when i'm done with it but it's just um i don't know it's one of those things man i realized like you know you said that the best your fans are always going to be there the ones that really the people that i call the homies are gonna show up no matter what they're gonna be there man it's a hard concept to come to terms to know like people give a [ __ ] they're gonna show up if you disappear for three weeks no one's gonna not want to show up if that makes sense but that's there's a constant struggle of knowing like am i going to be replaced am i going to lose my position or if somebody else is going to come out and do it again that came to the point of just saying screw it right well it's really dangerous so check this out it accelerates with the amount of effort you put into it it gets more dangerous so let's say you decided wow i've got 200 people watching oh i've got 2 000 people watching you know what i bet i can get 4 000 if i post it every day yeah what if i posted twice a day and what if i bought a bigger studio and now it's like every waking moment is stressing about the next show it takes over you yeah it takes quite a lot it took that's why i was so depressed and i had so much anxiety last may in june um it was literally because of that well and let's say you post on wednesday and you're like oh i had to go take care of my dog on thursday i'm back on friday you see some comment it's like where were you thursday you suck and it's like i skipped a day to take care of my dog like can i have a little bit of time and they're like you said every day and now it's not every day and it's like suddenly you're beholden to this and it just takes over yeah i had this routine of like friday saturday sunday monday i stream wednesdays i'll post from youtube do this on as a psych dude [ __ ] it it's too much it was just too much and i realized like the biggest one was i don't know who told me 
this but someone what i just said earlier if you're not here none of it matters if you're mentally not here you check out mentally you lose it and you never want to come back again none of that's going to matter and when i'm doing the hong kong every year it just mentally drains me totally um that's why i disappeared i was like okay i put this show on it was great it was beyond my expectations but i just gotta go i'm not gonna post anymore i'm just gonna and here's the trick and what you said earlier is like you can't tell when it's happening again this is where you've got to put a system in place that says i will not cross this line because i know if i cross this line that's when i become blind to it happening again because like you could be like i feel fine let me add another show i'll do a wednesday and a sunday oh and i'll do one on monday too and pretty soon six months later you're like why am i so like depressed and sad oh crap i'm back to three shows a week again how did that happen and i think anyone who's doing this who's writing you know putting themselves out there doing streams giving back to the community like we all have to take care of each other yeah um you know i think a lot of us talk on the side and i think it's super important because we got to be willing to say to each other hey you know too much are you okay and basically be that safety check for them yeah um i mean it's it's one of the reasons why i'm not streaming regularly on saturdays and mondays and i want to go back to it i i said it earlier when i was doing my intro um i don't want to go back to where i was it was just a drag it's just i can't i'm probably gonna do mondays more saturday sundays and mondays but i need a saturday i go hiking on saturdays now and i've realized like i need that one day off to myself working seven days a week isn't fun especially when you work full time nine to five in the weeks and then you do pentest after work and you're working after work and then you 
don't even have a saturday sunday i realized like a lot of it stems from that a lot of it comes from me not taking care of myself and letting my brain just breathe so saturdays now if i have time i'm gonna stream but i'm gonna i'm probably gonna go back to my mondays just because it's during work hours i can make it happen but i need a day to myself from now on and i gotta be selfish about it i thought it was selfish and i hate that i said i had to be selfish but it's not selfish myself first you you got it it's like put your mask on first there's lots of metaphors i use for this like put your mask on first is one the other one is like the sustainability of a forest it's like sure you could pull the trees out as fast as you want because you're going to run out of trees yeah you know and i've learned to delegate someone agent still has asked me like have you thought about hiring some help i have a team now that i work with they're my really good friends really good videographer i do have some fun stuff with him if you go on my instagram you can see how like i paid one of my videographer and six thousand dollars at once do fun stuff like that with him but it's been helpful having the i don't do this for money it's great to make some money from it but i realized like when i have people working with i can actually say okay i don't have to worry about editing videos because that's that itself is stressful oh 100 so just delegating things and also letting things break at this point now i'm like [ __ ] it let it break i'll deal with that when i can and then i went through the prioritization thing for myself i was like okay is this a priority nope toss it out we don't need it um i prioritize and that's why like live recon is it a priority yes i want to do i have fun doing sundays i look forward to my sundays it gets me excited uh well yeah and do and don't ask yourself if you could do this for a month or for six months ask yourself if you could do this for five years yeah 
right because because those extra shows and that extra time it'll sneak up on you and it accumulates it accumulates and pretty soon you'll just be like why do i not want to get out of bed i've been there yeah i agree um one last one imposter syndrome it's big in every industry especially ours do you still deal with that this level i honestly don't but i think it is because i've already accepted that everybody is a noob um i read a lot of autobiographies uh that have nothing to do with security i read a lot about people who spend their life's work um a lot of philosophers who would go into a room and for seven years by candlelight write a giant treatise right and basically go and release it to like a philosophy salon in france and everyone looks at them and says you're a complete joke this is garbage uh never show your face in this in this one again and the person would go back and for another seven years they would write it again and the third or fourth time they got the recognition and it's like that combined with stoicism it basically just tells me to keep pushing and it doesn't really matter if people like it or not if you're driven by the curiosity then um i feel like it is a defense against imposter syndrome if if you're driven by the fact that it's okay if i don't know it i i think the thing that powers imposter syndrome is the belief that you have to know everything and that that's the thing that saves me from it is that i'm okay not knowing uh everything and those things actually and i think if we were to teach in the industry that most people don't know everything in fact nobody knows everything and that everybody is a noob then it would take that pressure off and you wouldn't have so much imposter syndrome right i mean the hacking scene is just so heavy with like eliteness and tears and all this stuff that and that is what's putting the pressure on on imposter syndrome yeah it's uh it's very i don't want to say i'm too good but i feel like a lot of people 
have that mentality of you know i'm too good for whatever it's just who cares yeah 100 who cares i don't deal with impostor syndrome for the exact reason i've become okay with saying i don't know how to do these things people become like oh that's you should you try having this i'm like i don't know how to do it but if you guys want to laugh at me laugh with me at me sucking at this let's do it like i'm down yeah but i've been okay with just saying i don't know what this thing is i'll look into it you know let's get it together let's google some stuff yeah that's absolutely the key is to be okay with putting it it's an ego thing it's okay to put your ego aside and say i don't know everything i'm okay with it like controlling your ego is one of the biggest things i think that's it that's it um on the topic of we talked about impostor syndrome routines one last question before we do a fun game that i put together i will be very very quick um do you have a how do you balance stuff like with life work and then learning and hacking and improving yourself do you have some sort of a thing you follow or is it just i do things as i feel like it how does that work um i generally stay pretty free form but i do try to do a little bit of a plan every once in a while so i i really try to track what i'm trying to do long term uh there's this uh guy who writes for new york times called david brooks and he talks about you eulogy goals versus resume goals it is ultimately powerful it's like resume goals is like what you're trying to get on the resume or whatever eulogy goals is what you want your friends to say at your funeral yeah yeah so now now plan out now plan out your your next year and your streams and your walks and your vacations and your time at conferences and music festivals and are you going to hang out with your friends what are your friends going to say what are your family going to say about you if you were dead and what you do is you reverse engineer and you say 
okay well i wouldn't want them to say that i was really good at writing uh tools on github i i would like to say them something else so is the effort that i'm putting into my daily life contributing to being a good person yeah i have so um oh i resonate with that a lot uh two years ago um a friend of mine passed away from a sudden um he just his heart just stopped um went to his funeral and the amount of people that showed up was just incredible just people that hadn't seen years i didn't think that would show up nobody had anything bad to say about this guy and i just didn't get the same vibes from him you know we were really good friends but you know i just didn't feel the same i was always nice and it was always nice to me but it was just i saw him in a different light because of our dynamic yeah that was a turning point the eulogy thing of you know if i die i don't want people to i want people to say he was a piece of crap but he also did these things like we all have our you know we all have our you know we have done our bands or we have had the the light that we looked at looked at perspective right uh but putting in the way you did resume goals and eulogy goals it's the perfect way to put it it's just uh i say jokingly when i do all these streams i do you know charity work at it whatever it is it's true when i do pass people show up to my um my funeral i wasn't just a piece of crap i did also i had things that i did on the side to make up for all the uh degenerate stuff that i've done in my life totally um there's a good question that came up um masoma is asking would you uh do you have any productivity guilt i'm guilty of it but i'm just curious to see if you uh feel guilty about not being productive enough um i would say yes i would say i do have that sometimes um so it's funny everything i see everything is a methodology this is why i'm so into methodologies for recon so the way i think the way i think of it is i reverse engineer from those eulogy 
goals and like my ultimate ultimate meaning that i'm trying to do and what one of the big ones for meaning if you if you study it across cultures is doing something that's bigger than yourself yeah so in my mind explaining things and and helping others is the equivalent of like uh raising children or doing something just bigger than yourself right and so what i try to do is i i try to say okay is the thing that i'm doing right now helping towards that so for example if i'm watching some tv show by myself and it's just kind of like a garbage tv show i'll get done with the series and i'll be like that was a giant waste of time i should have wrote a tutorial i should have done wrote an essay i should have done something and um however if i'm with a loved one or a friend or a companion and we're watching it together and having fun and smiling and laughing 100 that is time well spent so i i think of productivity guilt in terms of like is it helping any of my long-term goals including eulogy goals and not resume goals so just because it doesn't help me directly or i don't make any money off of it i don't really care as long as i'm helping something or someone that's the way i think about that it's such a hard thing to get over there to be honest with like you know there's days when i do a lot and i felt good but i saw at the end of the day i go i could have done more but there's no cure for it i don't think there's it's just it's kind of it's a it's a i want to say to my head you know it's something that you have to actually get used to overcoming as you reflect so i've learned to reflect every few months compare myself only to myself from three to six months ago let's see where i'm at i think that's been very helpful to um not feel guilty of whatever is going on in the world so what you just said is really powerful so here's a really great metric for how healthy someone is especially in the scene of what we do of like producing content how happy are you when you see 
other people including your friends blowing up getting super popular getting massive kudos if the first thing you think is oh my god i'm so happy for them you know you're healthy yeah if the first thing you think is oh [ __ ] i should not have rested i should not have took that vacation i should not have walked my dog i should have made more content because now now they're getting credited i should have done that and blah blah blah that's an unhealthy place and and that's why you have to constantly reevaluate you know what matters to me um one of the primary things that matters to me is seeing them do well as well so it's like if you can align those two interests so that them doing well is also you doing well that's a healthy place yeah i can't sit there and say i haven't been in that position of seeing you know somebody's success and going damn i should have done that or should have been gone for a few weeks now it's the point of like i'll celebrate with people you know i will celebrate with them about um whatever the success is i think there is more beauty to celebrating with people than getting jealous or hating about whatever they're doing but i never thought of that as being a healthy thing it was just more of a growing up you know growth whatever you want to call it but yeah not competing with anybody else but yourself has been a very good place to go it's just competing me against me and just me reflecting on you know two three months ago whatever that is yeah um i think that was it man this is this is probably one of the longest interviews but it's this was very very insightful i can't thank you enough for being here um thank you for having me give it up for dan this was very useful and very helpful i think it unpacks a lot we didn't do too much on i want to talk about seclists a little bit more but we can talk about it when we bring you back on but i think um there was something there's something cool about talking from other people's perspective of how 
they've overcome hardship or how they've gone to the level that i've gone um so i really appreciate being here and you know um sharing your experience and your knowledge with us i'm definitely going to read the books that you mentioned uh take a note of it somewhere i'm going to actually order the meditations book soon but i want to end it uh end this with a fun game the way i it works is i give you a word and you just tell me the first thing that pops into your mind um i have one two three four five i might be like ten of them uh it could be a sentence it could be a story it could be whatever you have in mind i'll make it easy the first one i'm gonna say is jason haddix friendship seclists project oscp respected certification ceh the opposite infosec a strange animal uh burp suite history ctf fun uh youtube amazing uh recon love project discovery respect and last but not least tomnomnom wonderful thank you man this was uh all the things i could come up with for this um it's just this way of ending every interview uh it's upon a tradition of live recon um i enjoyed it thank you so much for being here man i appreciate it so much and uh can't wait to have you back post def con to do some live recon together absolutely thanks for having me thank you man we'll talk soon we'll see you have a good sunday all right that was that was it um this was an incredible um interview i can't thank dan enough for being here i had a blast uh i'm mind blown with some of this stuff looking forward to reading some of this stuff that i've owned here i have another guest coming up next week if you want to stick around come around uh hang out with us next week next sunday same time it is 1 30 my time right now i usually go on two hours earlier than this around 11 30. 
if you know the tradition of hanging out with me every time we do a stream we end up going into uh a raid we'll usually rate somebody that's uh doing something similar to ours so stick around when we go into this raid i need you to be very loud representing the homies and um be respectful be nice other than that i'll be back next sunday uh come and get me on twitter if you want to know about what i'm doing my speaking schedule um discord is also a good way i'll be around but that's it enjoy your weekends enjoy your sunday evening sunday morning afternoon wherever you're at uh let's raid and i will talk to you all next week same channel 11 30 a.m california time i love you be nice to each other and i'll see you soon peace you
Info
Channel: Nahamsec
Views: 5,757
Keywords: bug bounty, recon, hacking, ctf, oscp, STOKfredrik, thecybermentor, defcon, tryhackme, metasploit, zseano, bug bounty methedolgy, bug bounty hunting, pentest, red team, nahamsec, nahamcon, bug hunter, hacker, hackerone, bugcrowd, synack, owasp, owasp top 10
Id: DVdB0Z18HCA
Length: 114min 10sec (6850 seconds)
Published: Tue Aug 31 2021