- [Marcus] Have you ever
found yourself wondering how it is that hackers
get into company networks? Well, I'm gonna show
you one of the simple, but very common techniques. You're probably familiar
with Microsoft Word, but did you know Microsoft
Word document can run code? For example, I wrote one here that will just open a message box saying, you've been hacked. And you might notice I had
to click enable content to run the code. So how would we get a user to do this? Set a nice Microsoft blue background. I'm gonna add the Windows security logo, and then I'm gonna make
a convincing message telling the user they
need to click the button. I'll add a screenshot as
well just for example. Final product looks fairly convincing, so now it's time for
some real malicious code. For my example, I'm using
a PowerShell script. They'll download and run some malware, it'll give me full access to the computer. In the real world, we'd probably
disguise this as an email containing a financial invoice so that they would download
and open the document. For demonstration purposes, the system on the left
is the company computer and the system on the right is the hacker. I'm using reverse (indistinct) software so that the company computer
will connect to mine, that way we don't have to
worry about the firewall. Moment of truth, let's
click enable content. As you can see from the window flash, our malware has run and it's now connected
to the hacker's system. We basically have full control
over the company computer. We can see whatever's on the screen and even move windows around like so. This is actually one
of the most common ways hackers get into company systems. So if you see that enable
content warning, don't click it. - Hi everyone. David Bombal back with
a very special guest. Marcus, welcome. - Hello, it's great to be on here. - On TikTok, I've seen you've
answered a lot of questions. What are some of the, like,
the craziest questions that you've got? And like, I see you do
these response videos. I like the one that you
did with the Airbnb. - [Marcus] So here's how
to spot hidden cameras in an Airbnb or hotel. Now, the first thing
you're gonna wanna look for is devices that are conveniently placed where a creeper would want to look. Take this fire alarm for instance. It's placed right above the bed. Now, one way to see if
a device is a camera is to shine a bright light at it. If you hit a camera lens, it's gonna give a bluish reflection. Now you can test this by
shining a light at your phone and seeing how the camera looks when placed under a flashlight. Now this clock is mirrored, but if we shine a bright light at it, we can see through the glass
and see there's a camera there. Now this technique can also
work on two-way mirrors. So the camera is USB powered and the wall charger it's plugged into is actually also a camera. If we shine the light on it, you can see that little
pinhole in the middle with the blue reflection,
that is the camera lens. Night vision cameras use
infrared LEDs to see, and if we turn off the lights and use the front facing phone camera, we can actually see these LEDs. Now the front facing camera is the only one that tends to work 'cause the back facing
one has an IR filter. Now you can sort of see the infrared LEDs on this clock already, but if we cover up the main LED, we can actually see them a lot better. Now I wouldn't rely on this method because people usually
don't shower in the dark. So if they're placing
cameras in the bathroom, then they're probably not
gonna bother with night vision. So these camera lenses are
very small as you can see here. So they can be hidden in
anything, even a hole in the wall. - So can you just explain
what you did there? (David laughing) - I'm gonna be honest here. I absolutely hate that video. It was like- - Well, you
got like 30 million views or something. - I know, that's why I hate it. (David laughing) So it was a kooky like kind of question. How do I find hidden cameras in my Airbnb? And I was like, yeah, there
are news articles about this. It does happen. It's very, very rare. It's kind of like, how do I stop sharks from
attacking me in the ocean? It's like, you can stop sharks from attacking you in the ocean, it's not a real risk that's very common, but hey, I'll show you how
to stop the shark attacks. And it was kind of a video like that. I didn't expect it to blow up. And then, of course, like
it gets 35 million views, people are like going crazy
tearing apart their Airbnbs and I'm just like, oh, no. (both laughing) Like this stupid video I made
just because someone asked has become like this,
like worldwide phenomenon, like it was like in like major news sites. I was getting interview requests from like the New York
Times and all of that. And I just- [David] Because of that video? - Yeah. Well, not to interview me, they were specifically wanting
to interview about the video that was pretty much every
major news outlet I can think of wanted me to say something
about that video, and I just like, I wish I could unmake. (both laughing) - I'm just laughing. Sorry, I have to laugh about this. This is like the second time
I think I've heard you say that you didn't like the limelight or the spotlight of the news
organization on you, yeah? - Yeah, I'm just not good with publicity. Like I'm getting more
comfortable with it now, but when it's like the whole,
like, the thing is blowing up, you have all of the media just
like sliding into your DMs, everyone wants to hear about it. It's very overwhelming. - I think it's quite
funny and ironic in a way. You saved the world from WannaCry. (David chuckling) And your next big stunt was to use a phone to find cameras in an Airbnb.
- I know. I feel like both of those things were like equally as useless. Like the WannaCry thing
had very big implications, but like at the very core, it was like one of my
least technical feats. And then again with the Airbnb, like this was just like
a silly video I did, and it wasn't like some
huge technical feat that took like months to work on. And I think this is like
the theme for my life is doing like minimally technical things and then somehow becoming famous for them. - It's funny 'cause I heard
Jack of Darknet Diaries and he said, if you really
wanna make your name or like people, and I'm probably saying it wrong, but something along the lines like, if you really wanna impress people, don't go to like DEF CON or somewhere and talk to a bunch of techies. You need to go and talk to
people who don't know this stuff and then they'll think
you're like this God in tech. And it sounds like
that's what you've done. - Yeah, it's definitely the case. It's like, I've like done technical feats that I'm like proud. Like I feel like this is
my lifetime achievement, but they're so technical that only people in the industry
understand what they are. Whereas like stopping a
global ransomware attack, that's something that
end users can understand, like the general public can understand. Okay, this person has stopped a bad virus. And same with the Airbnb cameras. It's like, okay, this
is how you find cameras. And that is very common
thing in cybersecurity is the really technical, like
amazingly impressive stuff, it usually doesn't get
past like a tech audience. (intense rock music) - Marcus, you've got a very
interesting story like I said, and people can see it in
lots of detail on Wired and on YouTube videos. And we don't expect you
to do the same here, but if you just could give us like the highlights of your background, because I want people just to realize that you did something really special. You've got an interesting story, but what's really cool, I think, is that you're taking that
knowledge and experience and now you're helping others, who for instance, are trying
to get into cybersecurity. So if you could just
give us a quick rundown of how, how we got to where we are today. - Okay, so I think the quick rundown is, so I started out writing
malware as like a teenager. I got out and I got into cybersecurity, ended up stopping WannaCry, which was this global ransomware virus that was launched by North Korea. Right after that happened, I kind of ended up getting
thrust into the spotlight in a somewhat uncomfortable way. And then immediately I
got picked up by the FBI on the old stuff I did as a teen. And then kinda as that all blew over, I just started teaching. - Yeah, I love it. I mean, I think you've said, or I've seen it said that you like were the most famous
person in the UK for two days. (Marcus laughing) - Yeah, that's pretty accurate. - Yeah, I mean, I'll just say, I mean, I'm based in the UK. So just for everyone who's watching who don't know what the NHS is, it's the National Health
Service in the UK. And I mean, it was a major problem. It's better if you tell the story, but you registered a domain that basically was a
kill switch for WannaCry, is that right?
- Yeah. Yeah, it beacons out to this domain. It's not clear why, but basically, if the domain is online, it will just cease all activity, like it doesn't decrypt the
files, it doesn't spread, and I typically registered
these kind of domains as a job, like we will try and find
unregistered malware domains and then hijack the malware. So I went and registered this one and it just stopped the
entire cyber attack. - I mean, it's an amazing story, and I mean, again, just
for everyone watching, you can go and see Marcus' full
story using the links below. It's a fantastic story, but Marcus let's bring it to today. You have about, if I went and looked over 400,000 followers
on TikTok, is that right? - I think so. I haven't checked in a while. Yeah, it's probably around 400,000. - Tell us why did you
start your TikTok channel? - So I'd kind of always been
wanting to get onto TikTok 'cause it just seemed like
a really cool new platform. But I was so nervous 'cause it's a very different generation. Like YouTube is typically
like millennials and above, whereas TikTok is Gen Z, and I was like, I was just terrified that I was gonna get roasted. And someone forced me to go
on there to do an interview, and like people really liked my channel. So I was like, oh, okay. I guess I'm not gonna
get roasted by Gen Z. So I'll continue on this platform. - But yeah, how do you
think I should feel? Like I mock myself. I'm not really a boomer, but I often get called a boomer, where's my walking stick? So I mean, guys like me get really roasted on platforms like TikTok, but I think it's amazing. I mean, I think it's amazing
that someone like you with that really cool
story is now teaching what I would call the next generation. But you're also in YouTube, is that right? - Yeah, so I started out
on YouTube originally. Oh God, it's gotta be like
10 years ago, I think. I found it quite a hassle. People are quite picky about
like the video quality, the editing quality, the audio quality, and it feels like you are
basically making this like production grade movie just to upload and get
like maybe 1000 views, and it was just such
a huge time commitment and I just like, I couldn't
keep doing it consistently. - I mean, that's a problem. And I think you do a great job of it. Like the other one I saw you
posted recently was like, should I use, someone asked you, Should I use the school Wi-Fi? - Yeah, yeah, yeah, that one was like a couple of days ago,
I think, I posted that. - I was warned not to
connect my cell phone to the WiFi at my school. - Yeah, this is pretty much true. Whenever you go to a website, it does a DNS lookup and that
DNS lookup is not encrypted. So they can see the domain
for the website you're on. So if you go to google.com,
they can see google.com, but if the website is encrypted, they can't see what page
you are on on that website or what you're doing. Now when it comes to emails, things are a little bit more complicated. It depends on if your client
is encrypting messages or not. Some do, some don't. If it isn't, then any
emails you send and receive while on the network, they
could theoretically read. They might not have the software to actually intercept and log those, but it is possible. - I think what's really cool about that is you are taking technical terms and you are bringing it down to non-technical users understanding you. - Yeah, so that's always
been the primary purpose of even my blog when I was
doing malware analysis, it was geared towards something that someone who maybe
doesn't work in the industry could read and understand. Like I did have some very technical blogs, which were like going through my process, but a lot of it was like, here's how this malware feature
works in terms that like, you could just go and find
like one of your parents and just be like, Hey, would you want to learn about malware? And then I carried that on
with TikTok and it was like, let's take this like complex
cybersecurity concept and try and boil it down into a way that like people can take
something away from it. - When I spoke to shenetworks
or notshenetworks depending on if you're
on Twitter or TikTok. I asked her the question, how on earth do you
take a technical concept and boil it down into like 60 seconds? So let me ask you the same thing, because I'm more on YouTube than TikTok, and I find it easy to just
like explain in like 15 minutes or 10 minutes a concept, but like the two of you are explaining it in like 60 seconds. How on earth do you do that? - So I was always the kid
in school who would like, I would write the essays
and it would be like, I would just ramble for like
1000 pages of like prelog because I couldn't write long things. So I would just add words for no reason. And I was always the guy
trying to pad his essay with like meaningless words to make it reach the
minimum character limit. So when there was a platform that's Hey, you can say things in short
form, that was already my area. Like my whole life, I had been someone who would just like convey a concept in like a couple of minutes and it was like just great
to finally have a platform that allowed me to do that. It's why I struggle so much with YouTube. I find it very hard to
drag like these things out into like multi, like 10,
20-minute long videos. - Yeah, huge respect for both of you, because I've watched
quite a few of your videos and you are showing like
demos really quickly. And one of the ones I really
liked is like you were showing, I mean, it's difficult
to see how long it was, but it was like 60 minutes, sorry, 60 seconds or so, you were showing like,
how do you use malware within like a Microsoft Word document? And you just had this
like very basic VBScript. So tell us about that. I mean, I find that on YouTube, I get a lot of flack about
like, this is stupid. You're showing like a basic hack and guys wanna like have a
lot of these hardcore hacks. But have you found that
you've had a lot of, I mean, okay, forgetting the Airbnb, but have you found that you
get a lot of good response on these types of like techy videos, which is like showing a bit of code and explaining how it works? - Yeah, so I actually
struggled with that video 'cause that was back when TikTok had like a hard limit of a minute and that one was one that should have maybe been two minutes, and I was just struggling
to condense that one down. I feel like my TikTok
audience is very different from say, my Twitter audience. My Twitter audience is somewhat mixed now, but it used to be purely
like very technical people. And if I were to just do
a very, very simple video, like basic VBScript macros, they would probably roast me, but then on TikTok, I have a more general public audience. So this is stuff they haven't heard of, and being able to show it in
its most simplistic format is the easiest to understand, 'cause like real macros, we could spend three hours going through every feature of that, but this is just simple snappy like here is the most
raw purest form of it, and you can see it working is a lot easier when it comes to teaching
to like a wider audience. - Do you think it's worth
learning like VBScript? I mean, one of the first
languages I learned was Visual Basic, and then when I looked at that, I thought, well, that's great to
see VB is still around. - Probably no. (laughing) I learned VB6 back when that was a thing, like probably early 2000s and I do not remember a
single thing about it. Like for that video, I
had to go and relearn VB, or at least learn little bits of VB because it was just so
useless, I'd forgotten it. - I love what you're doing as well. I mean, you used the "Mr. Robot." Was that a did you spark
that you were demoing with the "Mr. Robot" video?
- Yeah. - Sorry, go on.
- Yeah, is a did you spark. I just had this idea one day is like, there are some shows
where hacking is real. Like "Mr. Robot" tries
very hard to do real hacks, and I actually have a lot of the things that they use in the show. So I was like, why don't I
actually like show people how these hacks work, like how to do them yourself. And then TikTok, of
course, banned my video for criminal activity. And I had to beg someone on the like quite high off
on the trust and safety team to basically put it back. So I decided to make a tiny hacking device out of this little thumb size USB chip that I got for a couple
of dollars on Amazon. Now this was actually featured in one of the "Mr. Robot" promos. - We're not done. - [Marcus] Now this is
actually a tiny Arduino device. So what I'm gonna do is
program it to be a keyboard, and when the user logs on, it's gonna input a predefined set of keys, which are gonna run a
malicious PowerShell command that'll give me access to the system. Now typically with something like this, we would hide it in the
back of the computer where the user wouldn't see it, but I'm just gonna put it in the top for demonstration purposes. As you can see, it has
a little flashing LED, which I've just programmed so
that you know it's working. So the laptop in the foreground
is my hacking computer and the monitor in the background
is the victim's system. So right after the user logs on, the command window is gonna flash quickly as the payload is executed, and then it's gonna connect
back to my hacking machine. Now that we're connected, any commands I type into my machine are gonna run on the victim's system. So I'm gonna open notepad, calculator, and just for example purposes,
I'm gonna browse the files. - Serena was saying the same thing, and this is what I'm
concerned about on TikTok. I've heard the same thing. So for me, like a personal story would be, I have a credit card
cloning video on YouTube that's got a million views or whatever. And it's like old technology
just showing like, just to try and educate. Be careful with your cards. I mean, someone took that exact video and put it on TikTok, obviously in short form format, and they got like, I don't
know, crazy a number of views. And then I took the same
video and put it on TikTok and they pulled it down. So how are you navigating teaching cyber hacking stuff on TikTok? 'cause as like a content creator, like I'm nervous to put stuff on TikTok 'cause they seem to just pull it down. - I learned the line 'cause I grew up making
like YouTube videos back when YouTube was
a little more hostile towards hacking content. There's a line where if you show the, I guess criminal aspect of the hacking, but then you go into talking
about like how to stop it, how to defeat it, how to detect it, they will usually give it a pass. But then I tried that strategy on TikTok and they will watch like
the first five seconds, it'd be like, this is crime, ban. So in the end I actually just, I gave up doing those kind of videos. I've been meaning to try
again because there are rumors that the community
guidelines are different if you're verified and I
just got verified last week. So I'm gonna like test the water and see if they would let
those videos have a pass now. But it was the case where
I just stopped doing them because I think I was one
more video taken down away from a permanent ban. - Yeah, you should come to YouTube. I think it's... Go on, sorry. - Oh, sorry, I was gonna say,
yeah, YouTube is better now, but I did have a video
taken down like a week ago and it was like a very questionable video for them to take down. It was me entering my
like credit card details into like one of those phishing sites to show what they did
with the credit card. And it's like, it's not
like I'm showing you how to steal credit cards or I'm stealing other
people's credit cards, it's like, I'm literally
just entering my own details into a phishing page and
apparently that is crime now. Scan so you don't have to. I got this email from Stevieee G, which said she saw a video of what looks like a very suspicious page. She got a similar link and
wanted me to investigate. So when I click the link, it takes me to this USPS tracking page. Now the first red flag is that the domain contains
the word USPS nowhere. A good scam page might
actually try to look like the USPS URL or at least have
the word in there somewhere, but I don't think these guys
have really tried at all. Anyway, let's enter my
credit card details. The previous page asked
for my shipping address, but really what it was
probably trying to get is my credit card billing address, which would usually be the same. Now this page is asking for a $2.13 fee to process the redelivery, which sounds reasonable. Now typically a real site would
immediately charge my card, but I got no charge here, which means they probably just saved my card details for later, which is a huge red flag. It claims to have sent me an SMS message, but I got no such thing. What I did get is a charge
for $16 about 10 hours later and I'm guessing the 750%
markup is not state tax. So yeah, it only took about 10 hours for the scammers to use my stolen card. - Yeah, I find that like it's on YouTube, don't show credit card
stuff or like phishing, even though I've just done
a phishing video with Corey, and that's doing really well. But we're explaining how it works and how to be careful with it. But yeah, it's interesting. It's a hard line, and I mean, this is a problem, I think, for all like content creators
who do cyber or hacking stuff, it's a very difficult line because you wanna educate the audience, but it doesn't look like
the platforms are there yet. - Yeah, it's very hard because
like the general public doesn't understand ethical hacking. Like the idea of someone knowing and using criminal techniques, but in a good way is foreign to them. Like I most saw this with my
hotel key card cloning video. I got like so many hate
comments from like, you're showing people
how to like do whatever, illegal stuff, and like the reality of the
video was I boiled it down in a way to show the concept without actually showing how to do it. Like I make it look very easy, but that's because I'm cutting out what you actually have to do to get there. Like when you clone these cards, you have to basically program
the cloner to clone them. And I just left out the programming part. If you just watch the video
not knowing how that works, it looks like I just have a magic device that just clones key cards. And then it looks like I'm
advertising said magic device. But the reality is that is like, there's a lot of work that goes into that and people don't understand that. So they were like, basically accusing me of like teaching criminals how to like break into people's houses. This is why you probably
shouldn't leave access cards lying around. This is a device I picked up
for a few hundred dollars. It's called a Proxmark
and it can clone anything from HID cards to hotel keys. Here's how quickly it reads
the data off my key card. And it still works from a few inches away. The best part is it'll even
work through a coat pocket. Now, obviously this whole
setup with the laptop is a bit conspicuous. So you can actually put it in mobile mode and it'll work from a battery pack. Holding down the button will start a scan, and when it comes into contact with a key, it will save the data. Now all we need is a hoodie, connect up the USB power
pack to my Proxmark and put one in each back pocket. I'll connect the antenna
to a really long USB cable, put it down my sleeve and then plug it into
the back of my Proxmark. Now I can log a key card
just by brushing past it. Once I've got the data off the card, I can create an identical key, but it's actually a lot more fun to use the Proxmark itself as a key. - Yeah, I mean, I have
the same on YouTube. I mean, you get the guys
or the people who love it, and then you get the people who hate you and say you're teaching criminals, but I'm really happy to
see in the last few years that ethical hacking has
become more mainstream. And I think "Mr. Robot"
helped perhaps with that to get people more interested. But I mean, with all the hacks out there, how are companies gonna protect themselves if you don't know what's going on? - Yeah, like there's more criminal, sorry, there's more
non-criminals in the world than criminals. So if I teach everyone how to do a crime, then you have maybe like 5% of people who are gonna commit crimes, and then you have the rest of the people who now know how to stop that crime. So it's always gonna be a net benefit, but people don't really understand that. - So you finding that, I mean, based on the questions I see that you're getting asked on TikTok, are you finding that it's
just a general audience who are interested in getting into cyber or is it just like general education, like what you'd see on television perhaps? - It's a mix. I get a lot of comments. So like, Hey, I'm looking to
transition into cybersecurity, like how can I do that? But a lot of the people are like, they don't have any interest
in getting into cybersecurity, they just think the stuff is cool and they like to learn things. And I'm very much the same way. Like, oh man, I think I spent like an hour watching some dude like
explain how to unclog drains. Like his job was unclogging,
(David laughing) like street drains. And I was like, this is fascinating. And I had no intention of
going to unclog street drains, but I just found it interesting. So I would just follow him. - Yeah, I've seen videos, guys
like cleaning, what are they? They mow the lawns and they
clean the pavements and stuff. It's like, that's definitely
a job that I don't wanna do, or they're washing cars. It's amazing how many views those kind of videos get on YouTube. - Yeah. There's the pool cleaner guy who has like millions of followers
and he just cleans pools, and it's like, it's interesting to watch. - One of the things I wanted to say, I was surprised you've got like an Instagram hacking type video
that didn't get pulled down. - Yeah, that one was... I thought that was gonna go, but I think it was 'cause it was geared purely towards like awareness, like I didn't really show how to do it. - Here's a common way hackers
get into an Instagram account that you might want to watch out for. The hacker will get access to
one of your friends' accounts and then contact you basically saying that you've been nominated to help them get back into their account. On Instagram, the way the
password reset feature works is instead of sending you
to a password reset page, it just sends you a link that will log you
straight into your account and then you can change
your password from there. So what they actually do is they go to the forgot password page, then they enter your
account rather than theirs, which results in Instagram
sending you a login link. And then they'll try and trick you into sending that link to them, which is what you see here. And if you do send that link to them, it will log them straight into your account and then they can change the
password and lock you out. Like and follow for more safety tips. I explained how it works, but that seems to be the line for TikTok, it's whether you explain how it works or explain how to do it. YouTube, the line is you
can explain how to do it as long as you explain how to undo it, but TikTok, it seems like really, if you can say how it works, but if you show how it works, you're done. - From what we've said offline, you are gonna be uploading
content to YouTube. So for people who wanna subscribe, please use the links below. Show your support, or if you prefer TikTok,
go to that platform. So on YouTube, are you
gonna be doing long form or is it like TikTok type style shorts? - Yeah, so people on YouTube
seems to hate my TikTok shorts. (David laughing) It was always supposed to
be my long form content. Like I'll do some short
snappy videos for TikTok and then I do the longer videos
on YouTube when I have them. - Again, for everyone who's watching, please go and subscribe,
show your support, show your love from the community. It's amazing like from my point of view to have people like you that are willing to share
with the next generation. So let's talk about like cyber and your sort of experience and advice, 'cause I know you've been
putting some of this on TikTok and YouTube, but I'd like to like just
try and wrap that information into a video for people
who are interested. This has been recording sort
of midway through the year and I've done some career
stuff early in the year, but it'd be nice to get an update and sort of get your perspective. So let's ask you this question. Do you have degrees,
certifications, whatnot in cyber? - Me personally, no. - Yes. But you have been very
successful in what you've done. So I think the question is, are certifications and degrees required? - Absolutely not. I feel like there's no true
path into cybersecurity. Degrees and such are
actually a very new thing to my understanding. Like there wasn't cybersecurity degrees, at least in the UK when
I grew up until about, I'd say maybe even like 2015, like it came out quite late. So before that, you would just go and get like
a computer science degree, which would be entirely
useless for cybersecurity, and that would be if
they required a degree that would meet the threshold. But a lot of companies
realize that computer science, it is not cybersecurity. So if you could show
some kind of experience, they would waive those requirements. - So would you recommend certs for someone trying to get into cyber, or would you recommend
they do something else? I've seen some of your TikToks, but you've kind of
recommended different things. Are certs good or would you
just say like get experience, or what would you recommend if I'm 18 or someone trying to get into this field? - So I try to avoid recommending 'cause like I try to give a balanced view 'cause everyone is different. Like I really struggled at school. I'm not good at structured learning, probably 'cause I have
like weapons-grade ADHD, so I can't just sit in a class all day. So I found it very easy
to just learn on my own. Just go on YouTube and Google
and blogs and just research. But then there's people who
do like structured learning. So it really depends on like, what do you feel like fits you most? Like if you feel like
you're more of a like a university/college kind of person, then maybe get some certs. Degrees are a little... I probably wouldn't go the degree route 'cause it's a lot of time commitment for not really a huge benefit. Certs seem to be like more of a thing that companies look for. They typically prefer those over degrees 'cause it has like
domain-specific experience, whereas like a cybersecurity
degree would be very general. So I would lean towards certs if you like structured learning, and if not, you can do it without certs. I think it's very
dependent on the country. In the UK and US, it's very
easy to get a job without certs, but in other countries,
it might be different. So I can't really say for those. - But let's focus on the US mainly, 'cause I think you're
basically in the US now, is that right? - [Marcus] Yeah. - One of the things I've heard you say, and I'm a real believer in this
is put your work out there. You've got a very famous blog. Can you tell us about that blog and tell us how it helped
open doors for you? - Yeah, so my blog is pretty
much what made my career. I just wanted to document my work. Like I was doing malware research. So I would work through
my malware research and I would just document it as I go, and then I'd publish that to my blog, and, of course, what I
was unknowingly doing was building a career profile. I was basically showing not only can I reverse engineer malware, but here's like an entire
walkthrough of me doing just that, which actually turned
out to be more valuable than any degrees, certs or whatnot, because I was showing
like real world experience in the domain that they
wanted to hire me for. - Yeah, I mean, I love that. I mean, it's like when
I look at hiring people, I mean, it depends on the job, but like in, I'll just take an example of
video editing or something. It's like, I don't care what cert you got, show me your work, show me what you can do. And I think your blog is
a great example of that. I believe there's a story
where your blog opened up doors to say the UK's version
of NSA or something. Is that right? - Yeah. (chuckling) (David laughing) - GCHQ. Yeah, sorry, go on. - It was kind of funny because
I had just applied for GCHQ and at the time my blog,
it was MalwareTech blog, and then there was me Marcus Hutchins. And Marcus Hutchins went
and applied for GCHQ. And then while I was in the
application process for GCHQ, someone reached out to
MalwareTech and was like, Hey, we would like to hire you. And I had just basically
been formally offered the job at GCHQ under my real identity. So I was like, this is me. Like you're already hiring me. - That's such a cool story. And I think it just shows again, put your work out there
and people will find you. What do you think? I mean, I think it's obvious, but what do you think about like people posting stuff on Twitter, posting stuff on like LinkedIn, getting involved on social media? - Yeah, I think that is by far one of the most useful things
you can do for your career, because when you're just Tweeting, like you don't have to be serious. You can have fun on social media, but you will come across
people who work in the industry and those people know people. I think my first real job offer came as a result of
someone I knew on Twitter. I just got a DM one day and he's like, Hey, I work for blah,
blah, blah, big company. Would you like to come work for us? And I just feel like the more time... This sounds counterproductive, but the more time I spent on social media, the better job offers I started getting. - I mean, there's a big
community in cyber on Twitter, so it makes a lot of sense. So if I'm like brand new, is there any like tips you'd give me? Like obviously start a Twitter
account, go on LinkedIn. Is it like, just like post stuff, like stuff that I'm
doing, tag people like you or any kind of recommendations? - I typically say avoid tagging people because it feels like you're kind of throwing it in their face. Whereas like the people who are interested will find your stuff. Definitely document what you're doing. Blogs I find are the best form. Videos are cool too, but blogs really, 'cause they show up when people are searching
for other things. Like there's been countless times where I've been doing research on malware and I've come across my own
blog and I've been like, oh, okay. (David laughing) And like that will happen. And then obviously like
Tweet those links on Twitter. Not really familiar with LinkedIn, but I assume that would be a better place given that that's all the
business professionals. I really don't know, but just get as much exposure
on social media as you can. - That's really interesting. I mean, I was interviewing
someone the other day and one of the comments
on YouTube was like, David, you're a real boomer asking a millennial about LinkedIn. So you just use Twitter, you
don't use LinkedIn really? - Yeah, I find LinkedIn
to be somewhat obnoxious. It's like, I can see the
purpose it was meant for, but it really feels like, it's more like a social
media platform for executives and it's just like, it's not the kind of
content I want to read. Like I don't want to
read about some executive like patting himself on the back. - Let's put this into perspective. How old were you when
you started writing code? - 11 or 12, I think. It depends whether you class
HTML as a coding language. I personally don't
(David laughing) so I just say 11. - But I mean, so in other
words you were writing HTML before you were 11, yeah? - Yeah. I think about like
eight or nine years old. - I think some people who are
older might see that as like, I'm not as clever as you are, and I think that's also the
wrong way to look at it, but the way I'd look at it is I've got daughters who are in their teens. It's never too early to
start working with IT if you love it. Look at you, you started young. When were you starting to do malware, or when did you understand malware, that you could reverse
engineer it or create, how old were you? - So I started creating
malware around like 12 or 13, and then I didn't really start
fully understanding it enough to reverse it until I was about 15 or 16. I definitely find that like I still am learning new things every day, but I definitely find
that when you're young, your brain just absorbs
knowledge so much better. Like they say kids find it the
easiest to learn languages, and I assume that probably
applies to programming languages. It's gonna be like harder
to learn the older you get. So it's definitely a bad idea to assume that like you are too young, like you don't have the
knowledge and intelligence, because actually it might be better. - Okay, I wanna get into cyber. I should blog, I should create
content, put it out there. I should like go on
Twitter, follow people, interact with the community. I mean, be a nice person
is what I always say. Be someone positive and
bring stuff to the community. Don't spam people. But the big question I always get is, okay, how do I get
experience without a job? And it's that old joke. You need to have 20 years of experience to get through the door, and the product has existed
for five years or whatever, stupid example out there. How would you tackle that, or what would you advise someone to do? - Certs are building experience, like degrees are less so actually, but certs build a little
bit of practical experience. Doing the thing yourself, where to document on
your blog is experience. Like what I found is they
want experience by any means. They want to see that you can do the job. And if you have a blog post up
where you are doing the job, then that will count towards experience. So I would just say, find
some projects you like. For me, when I started
out software though, I would just pick some random
idea that came into my head and I would go and code that, and then I'd do the same with malware. I would just find a
random piece of malware and I would just reverse it, and just finding cool projects to do and then documenting them on
your blog is very, very useful. They don't even have to be like typically projects you would do for work. Like here's some silly
app I wrote for fun. It's still showing that you can program, it's still showing that
you can document your work. - Is programming required in cyber or would you recommend programming? And is there specific
language you'd recommend? What are your thoughts about coding? - So it's absolutely not required, but I would say it will
not only boost your skills, because when you understand the coding, you can understand more about
like how to protect a product or how to defeat it. I found it increased my salary a lot because not only could I
do cybersecurity stuff, I could write solutions. I could be like, okay, here's
the problem we're having. Like I know, I've reversed some malware and here's something we could
build around what I've done. So I would definitely say that like coding is an invaluable skill, but it's not necessary. It takes a long time to
become proficient in coding. If I had to say a language, I'd probably say, start with Python, 'cause that's one of those languages where you can just
throw something together and it's fairly easy,
it's fairly forgiving, and it's very commonly
used in cybersecurity. - What's your thoughts about like Golang versus Python in the future? I mean, I've heard that Apple
are removing Python from Macs as an example. Do you think Golang is another language people should look at? - So I'm on the fence about Golang because it hasn't really
gotten widespread adoption, it's still quite niche. - [David] Yeah. - It's a very good language. It's very easy to program, again, very forgiving. It's basically someone has combined the best aspects of Python, C-Sharp, C, or maybe even a bit of PHP, but I don't see it that much. Like if I were to go to a
random company and be like, Hey, can we write this in Golang? They'd probably tell me no. My company specifically does use Golang, but I don't see it around very much. - Do you think there's a future in it or is there like still
like, if you're on the fence, just learn Python, yeah? - Yeah, I would definitely
say Python right now. And the beautiful thing
is once you learn Python, Golang is a breeze. Like I think it took me a couple of weeks to be able to write Golang
from just like knowing Python. Well, I did know C, but once you get some languages down, learning new languages
becomes very, very easy. - How would you go about
learning languages? Did you have books, stuff like that or was it just like YouTube videos? How would you suggest to someone? Or look at TikTok, but
what would you recommend? - Again, I'd probably say
it's personal preference. Go and watch some YouTube videos, and if you find that
sticks for you, great. Maybe if not, get a... Actually, I wouldn't say get books, like most of the stuff you can find in like in virtual format. So I'd say maybe go and find
a PDF version of a book, and if that works for you, great. But what really, really worked for me was just coming up with an app idea. I think my first app was some kind of like
trading bot or something. I just like, I wanna make a trading bot, and then I just threw that together. - I'm very much in agreement with that. I remember taking a
university course on Python from the famous UK university, which I won't mention right now, but I thought it was the
most boring course on earth because they were just teaching Python, like from a math or maths for
the UK viewers point of view. There wasn't a real reason. And I wanted to learn Python at that time for like network automation. - Yeah. - Go on, sorry. - Yeah, I was gonna say, I struggled a lot with
math or maths in college because I really did enjoy math. I was very good at it, but the way they would teach
it was a very just theoretical. It's like, they're not
telling me how is this useful? How can I use this? What can I do with this? They're just like, blah, blah,
blah, plus blah, blah, blah, blah, blah, blah. And it was just so unbelievably
boring, I couldn't follow. - Yeah, I mean, I think I've heard you say that you found the computer
courses, same thing, computer courses so boring that you just went and studied books. Sorry. Well, you tell us, what did you do? 'Cause the courses were boring, you did like a whole bunch
of stuff on the side, yeah? - Yeah, I think I was
studying malware development at the time. (chuckling) So I was writing malware while
they were trying to teach. What were they trying to teach? I think it was HTML5 or something. Like the course was
supposed to be, I think C, but a lot of the class was struggling with like the basic
foundations of programming. So they dropped it back to HTML5, which is a lot simpler. And like the course was supposed to be an object-oriented programming. So doing HTML as
object-oriented programming was just ridiculous. And it was so unbelievably
boring I just couldn't. - Was that at uni or was that at school? - So it was a community college. I don't know what the American
equivalent of that is. Maybe it's the same thing, but it was that bit between
like high school and university. - Again, I was gonna say,
I really agree with like, don't learn programming for the sake of learning programming, learn programming to accomplish your goal. Like you were doing like malware analysis. Is that why your blog
is called MalwareTech? Is that like sort of where it came from or why is it called that? - It was kind of a joke
about the fact that like when I very first started the blog, it was when I was still
a malware developer. So it was kind of an inside joke about like me writing malware. - So let's talk about that. If I wanna get into malware
or reverse engineering, do you have any recommendations for that? 'Cause that's what you
do now, is that right? - No, but I think it's the closest thing that is explainable to what I do. Yeah, so malware is a
very hard one to get into because it's not a foundational skill. It's basically the opposite
of software engineering. So first you have to understand
how the software is built, then you have to understand
how to take it apart, then on top of that, you
have to understand the tools and all of the like
mitigations malware can have. So it's really three levels of skills. My background was programming. So I came from a programming background, I didn't have to learn that specifically. I would probably suggest that it would be best to learn programming if you're gonna do malware analysis. I haven't heard of anyone getting in from a non-programming background. I'm sure there are people, but I can imagine it
would be very, very hard to learn how to reverse engineer code at the same time that you're
learning how code works. - Yeah, so I mean like do computer science or like at least like learn Python or at least get into the
coding world, is that right? - Yeah, so if you're doing
native software reversing, you'd probably want to
learn x86 assembly or x64. - The other question I wanted to ask you, which I missed earlier is
do you recommend bug bounty as a way to get experience? - Honestly, I hate bug bounty. (David laughing) - What do you mean? You're gonna become a millionaire
doing bug bounty, come on. (both laughing) - Like it genuinely feels like, what's it called? There's those schemes where
people like sell hair products and then you have to get people on duty to sell the products. It feels- - Yeah, like a downline, that like multilevel
marketing or whatever, yeah. - It feels like that, 'cause you have some very
skilled people at the very top making millions and everyone
else is just making dimes. Like if you are from like a poor country, then I would very much recommend it because that money in like an
impoverished country is a lot, but if you're living in the US, like $500 for a month of work is like, you could just go and get a job and get paid like 10 times that. - You covered this on TikTok as well, you said, do it when you're in school, I think was what you said. Like do it to get
experience, is that right? - Yeah, so my recommendation was, if you're gonna do bug bounty, do it as either a side job or while you are in school learning because the money is not consistent, the companies, they will screw you, and it's very like anxiety inducing to try and rely on something that essentially there is no guarantee you're gonna get paid. There's no monthly
income, there's no 401k, there's no medical leave. You're basically just, you
have to find a bug to get paid. So I think it's quite
a predatory industry. You're basically essentially
asking people to work. Like, I don't know if the US has the word, but in the UK we call
it zero-hour contracts. And it seems very much
like exploiting labor, but again, if you come from
a lower income country, that money is very decent,
and yeah, I would do it. - Yeah, I like what you're saying. Do it when you've got another
job or you're in school and you wanna get experience, yeah. Don't go quit your job to do that. Do that on the side, I
think is what you're saying. - Yeah. I see people on Twitter, like there's a couple of
bug bounty millionaires who are basically just
suggesting people quit their job to do bug bounty. And it scares me. - Yeah, I mean, I think it's important that we look at the good, the bad and the ugly of everything. And I wanted to ask you about CTFs. What's your opinion of CTFs, 'cause that also gets a lot of like, people say, do CTFs. - I think it's a good way
to tune certain skills. I find a lot of them don't correspond to like real world hacks
or real world skills, but it'll be like a CTF that
covers reverse engineering. It doesn't matter what
you're reverse engineering, you're still reverse engineering. But I do find that a lot of them don't really show the real
world things like Hack The Box. A lot of the hacks on Hack The Box are not things you would
typically encounter in like a real network, but you are still learning like Python and you're learning about exploits, and you're learning how like Linux works. So you are getting valuable skills, but it's best not to assume that you are learning everything. - I think it's important, like you said. I mean, the goal is to get a flag. In the real world you're not
gonna necessarily get a flag, are you? But I like what you said earlier, different people learn differently, and in your path isn't the
path necessarily for everyone. - Yeah. - I like what you said, find
what works for yourself. If it's YouTube videos, use that. If it's TikTok, use that. I find it like strange
how some people like say, because this is their view, they try and force
everyone down that path, and people are different. I mean, you're from the
UK and you live in the US, I'm from South Africa, I live in the UK. Everyone's different. You gotta find what works
for yourself, right? - Yeah, I really don't
like the people who will, they will say, oh, you
need to have certifications 'cause I had certifications, or you need to have a degree
'cause I have a degree. And they just try and
like funnel everything into this very narrow
world view they have. Whereas like I've spoken to people who have gotten into cybersecurity, through like they worked
in a medical field and because they
understood medical devices, they could understand how to secure them. And it's like, there is no set path. In fact, I would say
cybersecurity or tech in general is one of the like
least structured fields. There are a million ways in, and I don't like when people
try and make it sound like you have to do this or you have to do that in order to get into the field
'cause it's simply not true. - Yeah, I mean, and I think
it was either YouTube video. Yeah, I think it was one
of your YouTube videos you showed that chart where
like how vast it was, right? - Yeah, it was a YouTube video. Now this is something someone sent me. It's basically a map of
all the certifications, which correspond to
different areas of InfoSec. So once you've figured out what area of InfoSec you want to get in, you can look at what
certifications map to that area. - Marcus, what's the plans? Because I want to ask people to go and subscribe to YouTube channel. What are sort of your plans going forward? Are you gonna create more
content on TikTok, YouTube? Where can people go and what
would you recommend they do to like learn from you? - So I think the YouTube videos
are the most informative, 'cause they're longer form. TikTok is cool to like learn
like quickly a concept. It's very snappy, it's not
too much of a time commitment, but I am gonna be focusing, like I'm trying my hardest to
come up with YouTube videos, but it's a lot of the stuff I do just ends up being a minute or two and it's better off on TikTok, but I would definitely
just check out my YouTube. I do have a lot of videos on reversing, how to get into cybersecurity, and probably check out my TikTok as well. - But Marcus, you need to have
like a decade of experience and a degree before you can actually teach or write code, right? (Marcus laughing) - Actually people make jokes about it, but I do genuinely see like
job postings like that. There was one I think famously
that got posted on Twitter where their job was genuinely requiring more experience in a language than that language had existed for. So yeah, you will find
a lot of job postings with insane like requirements, and my advice is just don't
get disheartened by them 'cause it's actually a very
small minority of jobs. It's just the companies
that people think of. Like the biggest issue I
see people running into is they think tech companies, they think Microsoft, Google, Cisco, and those are very big corporations
with like HR departments who are gonna have all
these filtering techniques and they're gonna do keyword
searches on your resume. And if you don't have certain keywords, they're just gonna throw it
in the bin without reading it. But then there's plenty of small companies who will hire you at like
insanely high salaries with just the minimal needed experience. So I think it's more like, it's kind of a perspective thing, is it seems like you need
all these qualifications to get into cybersecurity because some of the very
big companies require those, but then if you look around
the smaller companies, it's actually very, very liberal. - I think that's great advice, and I think it's great advice for someone who wants to create
content or just to learn, and it's great advice for
someone who's looking at a job and there's like 100
different requirements. Don't let that put you off. I always say apply even if you don't meet the
requirements straight off. - Yeah. So one thing I would
definitely add to that is I have seen job
postings where it's like, you must have a degree and
you must have certifications, and then a recruiter has
reached out to me and be like, Hey, we would like to
hire you for that job. And I was like, I can. I don't have the qualifications there. Don't worry, we'll just waive them. And there are a lot of companies that are willing to
waive the requirements. So absolutely what you said, even if you don't meet the
requirements, apply for the job, 'cause there is a good chance they're struggling to fill that position and they will look to you
as a viable candidate. - Yeah, I mean, I think you've
said it on TikTok as well. I mean, the companies are
so desperate to have people. There's a lot of opportunity, isn't there? - Yeah, like I know we've hired people who don't have any skills in the area we're hiring them for 'cause you can tell if someone has the, like the drive and the
ability to pick up new skills. I love to hire people who like, maybe they don't necessarily
understand malware or they don't understand like whatever we're hiring them for, but they've shown like initiative and they can teach themselves. They can be self-sufficient. Like those are my favorite
kind of employees. 'Cause maybe we are doing
malware analysis today, like maybe malware gets sold and we have to go and find something else. Well, now we've gotta
retrain that employee. But if you have someone who
can just teach themselves, they're self-sufficient, then it doesn't matter
what you want them to do, they will just go and learn it. - Yeah, I love that. I mean, so you interviewing people, like the candidates
that you've interviewed, what's like really stood out? Like it made you think, okay,
this is someone I wanna hire? You've mentioned like they need to be able to like teach themselves. Like any other tips like for someone who goes to an interview. What advice would you
give me as an example? Okay, not me, but someone
like who's younger, perhaps who wants to
be interviewed by you, what are like tips to let you make them more
likely to be hired by you? - So I don't really do hiring much, but I must caveat that my hiring practices probably are not in line
with the industry norm, (both laughing) but my first thing is, of course, like, is this person like self-sufficient? Are they gonna be someone we're gonna have to
give lots of training to and we're gonna have to
point in the right direction, or is it someone who has
like a knack for learning and they like to explore and they like to like bring in new things. Yeah, so self-sufficiency is my main one. And well, probably the last
person I tried to hire, we weren't successful in
hiring them, they got poached, but he was in a chat I was in and he was like sharing his work and collaborating with others, and I was just looking at this person like they can teach themselves, they can go and find
new things on their own, they work great with others, they're like very open to collaboration, and like that's my perfect employee. Even to the point where like, if someone collaborates with
other companies, I don't mind. Like as long as they're like, they're doing the work for us and they're like, they're learning things from their collaboration
with other companies, like, I really couldn't care less if they're also helping another company. - I mean, I love that. In school and places
that are not real world, they expect you to like
take a test by yourself, but in the real world, it
doesn't work like that, you have to collaborate. - Absolutely. Like cybersecurity is probably one of the most like
collaborative fields I've seen. It's like, it's so vast and like everyone has like
a little bit of insight that someone else doesn't have. So the more people you have collaborating, the better it is. I've got to the point where we've like actually given
technology to rival companies in return for their tech, and like the rising tide,
it raises all boats. So we are not losing out by actually giving away
our IP to rival companies because there is so much to be learned. - I wanna wrap this up with like, what's your final advice, for instance, someone who's
young or someone who's older? Do you have any advice for... And I mean, you can give
us your age if you like, but you don't have to, but like someone who's younger and wants to get into this
field, what's your advice? - Yeah, I think it really goes
back to what I said earlier. Find what works for you
when it comes to learning. Learn some things, while you are learning, show
those things to other people. I find it seems counterproductive to be teaching things
that you are learning, but I find it's like, that's when the knowledge is the freshest and you actually solidify your knowledge by then trying to explain
the things you've learned to other people. I definitely did that a lot on my blog. I was blogging things that
I had only just learned and I think that's very valuable, not only from a career perspective, but from a just
solidifying your knowledge. - I really wanna just talk about that because I've seen like people, I hate to use the term, but gate keeping saying you have to have like
a certain amount of knowledge before you share and
I'm really against that, 'cause I agree with what you've just said. There's no better way
to learn than to teach. And even if you teach it to yourself, put it in a blog and five people read it or you read it later. - Yeah, 'cause- Because you... Sorry, go on. - Yeah, so one thing that's
definitely happened to me is like, I've been struggling
to understand the concept because maybe the person who
first portrayed that concept didn't put it in the best words, and then someone who did
understand their words came along, they learned it, they
put it out on their blog in some different words, and I like, ah, that it just like clicked. And I think that is a very, very valuable and I think it's complete nonsense that you have to have lots of experience or you have to be an expert in order to portray something
you've just learned. - Marcus, I could keep you here for hours. I really wanna thank you
for sharing your experience, and thank you for putting
yourself out there because I know as a content creator, some people throw stones, but I really appreciate you sharing. - Thanks so much for having me on. - Great. Thanks man. (intense rock music)