Summary
In this episode, Phillip Wylie interviews Wirefall, a veteran in the pen testing industry, discussing his journey from a curious child to a seasoned professional. They explore the evolution of pen testing tools, the impact of compliance on testing practices, and the importance of community engagement in cybersecurity. Wirefall shares insights on starting a career in pen testing, the significance of the Dallas Hackers Association, and how improv has transformed his approach to public speaking and adaptability in the field. The conversation emphasizes the need for trust, communication, and a supportive community in the cybersecurity landscape.
Takeaways
- We are all born hackers, driven by curiosity.
- The evolution of tools has made pen testing both easier and more complex.
- Compliance often leads to unrealistic pen testing scopes.
- Trust is essential when engaging penetration testers.
- Networking is crucial for career advancement in cybersecurity.
- The Dallas Hackers Association fosters community and learning.
- Improv can enhance adaptability and public speaking skills.
- Community engagement is vital for personal and professional growth.
- Ransomware has shifted the focus back to full-scope testing.
- Be excellent to each other to maintain a positive community.
Sound Bites
- "We are all born hackers."
- "DHA is a cyber circus."
- "It's a journey."
Chapters
00:00 Introduction to Wirefall and Pen Testing Journey
02:10 The Hacker Origin Story
08:34 First Paid Pen Testing Job
11:05 Evolution of Pen Testing Tools
15:31 Compliance and Its Impact on Pen Testing
20:44 Advice for Engaging Pen Testers
25:02 Starting a Career in Pen Testing
27:43 The Dallas Hackers Association
41:30 The Power of Improv in Hacking
52:37 Community and Conduct in Cybersecurity
Resources
[00:00:01] Welcome to the Phillip Wylie Show. Take a look behind the curtain of professional hacking and hear compelling discussions with guests from diverse backgrounds who share a common curiosity and passion for challenges and their job. And now here's your host, offensive security professional, educator, mentor, and author, Phillip Wylie.
[00:00:33] Hello and welcome to another episode of the Phillip Wylie Show. Today I'm extremely excited to have my good friend Wirefall joining. We go back to around 2013, when he founded Dallas Hackers Association, which we'll discuss on this episode. So welcome to the show, Wirefall.
[00:00:54] Thanks Phil. And I think we've been talking since about that long as well of getting me on here.
[00:00:58] Yes.
[00:00:59] But it just never happens.
[00:01:01] Finally, I'm trying to be better about that. I think of people and know people I need to get scheduled and I finally said, yeah, I got to get this done. So yeah. So Wirefall was on my old podcast, but it's taken a while to get him on the new podcast. So fortunately, fortunately he's on, he's got a lot of good stuff to share and Wirefall has been in the pen testing industry for a lot longer than most people. So he's, he's seen really seen some things when it comes to pen testing.
[00:01:29] Yeah.
[00:01:30] Yeah.
[00:01:33] Before there really, before there really was a pen testing scene.
[00:01:37] Yeah.
[00:01:37] Yeah.
[00:01:38] It's pretty interesting how things change in a little time I've been in it, how much has changed.
[00:01:43] So I can imagine how much you've seen.
[00:01:46] Oh, you've been in it a while now here. You're long in the tooth in pen testing years.
[00:01:51] Yeah. It's about 12 years, but you've been more than twice that.
[00:01:55] Yeah.
[00:01:55] Uh, '96 was my first paid engagement. Before that it was, uh, I guess you'd say, pro bono work.
[00:02:01] Yeah.
[00:02:03] Yeah.
[00:02:04] So, uh, before we get too far into the show, why don't you share with our listeners, your hacker origin story?
[00:02:10] Sure.
[00:02:11] Uh, well, I, I personally believe that we are all born hackers, uh, 100%.
[00:02:16] I mean, a baby is absolutely helpless. It has to learn how to manipulate its surroundings, the people around it to feed it, uh, take care of it.
[00:02:26] Um, that's social engineering. Uh, and that's something, you know, we, everybody's innately born with that. And I believe they're innately born.
[00:02:34] Most people with curiosity, kids love playing. They love learning until they go into our education system and it beats them, beats it out of them. So unfortunately we don't all flourish into hackers, but I believe we all are born there and we all have the innate ability to be that if we allow ourselves to be.
[00:02:55] So luckily my parents, um, this was back, you know, uh, early seventies were, um, a little advanced at that time and put me into the Montessori system, which encourages, um, uh, learning through creativity, through just exploring. Uh, there were no tests, there were no grades. There were no, any of that, but I learned more in that school.
[00:03:25] Leaving at about the equivalent of fifth grade, I was doing logarithms and things in math that I didn't see until coming into later high school and college. So, um, that was, uh, I think probably the launching point of my hacker career, because it was engendering curiosity, which is the fundamental, um, basically the foundation stone of being a hacker in my mind.
[00:03:53] Um, also my stepfather was a, uh, electrician and electronics were getting big.
[00:03:59] Then IC chips were coming out to the masses.
[00:04:02] And so I was given a 501 or I think it was 501 electronic set.
[00:04:09] So I did, you build circuits and, and, you know, create noises and, uh, do all sorts of fun things with a little IC chip and resistors and transistors and capacitors.
[00:04:19] And so I learned all about that and, uh, uh, learned, went through the book, did every single project and then decided, uh, okay, well, let's now that I've learned this, how can I make it do the things I want it to do?
[00:04:30] Um, which again is another foundation stone of being a hacker: making things do what you want them to do.
[00:04:36] Not necessarily what they were designed to do.
[00:04:39] Um, so that definitely very, very fundamental.
[00:04:43] And then I moved with the other family and my stepmother was a systems analyst.
[00:04:49] Uh, this is 82.
[00:04:52] Uh, so she brought home a, uh, computer, disclets, IBM compatible, uh, really the first computer I had exposure to.
[00:05:01] But before that, um, she would take me in at night when she had got called in to like fix a printer queue or do something that was just, uh, required her to go in and reset something.
[00:05:12] And she didn't like to do that alone.
[00:05:13] So she grabbed me, take me in and, uh, put me in front of a terminal so I could play text-based games like, uh, you know, a colossal cavern or those types of things.
[00:05:23] And it was fun because I didn't, you know, there was no internet.
[00:05:27] There was no, anything, uh, to, to occupy us.
[00:05:29] So that was the entertainment.
[00:05:31] But, um, yeah.
[00:05:33] So anyway, she brought home this computer so that she could dial in on an audio coupler and do all of that remotely, which was awesome for her.
[00:05:41] But sucked for me because now I could no longer play colossal cavern.
[00:05:46] So, uh, but like you, um, Gen X, uh, Latchkey Kid, I think we've had some stories, very similar backgrounds on that.
[00:05:56] Um, I learned that I could use that audio coupler to dial into the mainframe and play my games.
[00:06:04] Um, so I'd say that's probably the first real hack.
[00:06:08] Uh, but anyway, um, things move on.
[00:06:11] The computer ended up in my room.
[00:06:13] I started, uh, this is, I was into Dungeons and Dragons, and Dragon Magazine started publishing BASIC programming games in Dragon Magazine.
[00:06:24] So, uh, uh, I started typing them up and creating characters and doing all of that.
[00:06:30] I was a dungeon master, so random monster generation and all that.
[00:06:34] Uh, and I learned that the BASIC random command was not actually random.
[00:06:40] If you gave it the same seed, it would always produce the same series of numbers.
[00:06:44] And so, uh, you could really mess with me knowing that information.
[00:06:50] Uh, so that was really a hack, I guess my first quote hack.
[00:06:53] Um, but, uh, anyway, I saw my stepmother, long story short, I saw my stepmother working all these hours, always in front of a screen.
[00:07:02] And I was like, yeah, that's not what I want to do with my life.
[00:07:05] Um, so I pretty much abandoned it.
[00:07:08] Uh, you know, little did I see the future of where we have screens in front of us all the time now.
[00:07:12] Um, but I wanted to go out and do things.
[00:07:14] So I abandoned that, went in the military.
[00:07:17] Well, I went to college, dropped out, went in the military, um, came back from the military.
[00:07:22] And it was the mid-90s dot com boom.
[00:07:25] Everybody's talking about the web and this will change everything.
[00:07:29] Uh, so being curious, I get a local dial-up account and start poking around just because I'm curious and basically could access the hard drive of everyone who was joined onto the same, uh, uh, free net.
[00:07:43] Which I thought that's not going to take off.
[00:07:46] If, if, if you can do that, that's definitely not going to take off.
[00:07:49] And I was completely 100% wrong.
[00:07:53] You know, it did explode despite that fact.
[00:07:56] And, uh, you know, I realized I didn't want other people accessing my stuff.
[00:08:01] There were no, you know, degrees.
[00:08:04] There were no certifications.
[00:08:05] There were no anything.
[00:08:06] You just had to kind of learn how to do it.
[00:08:07] And so I did that.
[00:08:08] And then all of a sudden the big companies that were embracing the dot com realized, oh shit, uh, this is kind of, uh, uh, important.
[00:08:17] And so wrote blank checks just because I didn't want people accessing my hard drive.
[00:08:22] And that was more than most people know.
[00:08:27] Very cool.
[00:08:28] So where, when did you start your first, uh, if you could kind of describe when you started your first pen testing job, paid pen testing job.
[00:08:34] Sure.
[00:08:35] Yeah.
[00:08:35] Well, that was, um, I actually went back to school, uh, from the military, uh, used the GI Bill to get an associate's degree in computer network operations.
[00:08:45] You know, security didn't exist at the time.
[00:08:47] Um, but networks were exploding.
[00:08:50] I, uh, I secured a job at a sheriff's office doing radio work, which is what I did in the military, uh, fixing radios.
[00:08:59] And they were building out a network.
[00:09:00] So I was like, okay, this is great.
[00:09:02] I learned how to do this networking.
[00:09:05] And, um, it was a colleague who was working for a credit union and was in charge of their networks and realized, holy crap, this stuff you talk about the security.
[00:09:14] I don't know if we're safe.
[00:09:17] And so I got paid, I think it was $200 to do an assessment for them.
[00:09:23] Um, you know, no experience.
[00:09:24] This is before Nmap
[00:09:27] and Nessus were, were things.
[00:09:30] So, I mean, it was definitely not, uh, you know, in the, uh, uh, realm of what was being done.
[00:09:37] So I poked around, looked at configs and, uh, yeah, uh, basically showed them the security holes that I could find.
[00:09:45] But yeah, 96, um, that didn't parlay though until a pen testing job.
[00:09:53] Uh, until the 99.
[00:09:56] Uh, so in between that, I did some other network jobs.
[00:10:00] Uh, I did have an information security position at a bank.
[00:10:03] Um, but it wasn't pen test specific.
[00:10:06] And then I was hired as a consultant down here in Texas.
[00:10:12] I was from the Northwest down here in Texas.
[00:10:15] Uh, they sold me to the company as the preeminent cybersecurity, uh,
[00:10:22] resource something or other.
[00:10:23] And I'm like, no, I just know how to keep people from getting into my hard drive.
[00:10:27] That's, that's all.
[00:10:28] But if you're going to pay me a hundred, it was, I think it was $120 an hour or something.
[00:10:32] It was like in 99, like, hell yeah.
[00:10:34] Hell yeah.
[00:10:37] Yeah.
[00:10:39] That's pretty amazing.
[00:10:40] That was a lot of, a lot of money for back then.
[00:10:42] Oh yeah.
[00:10:43] Yeah.
[00:10:43] I did some stupid stuff when.
[00:10:47] Yeah.
[00:10:47] Yeah.
[00:10:47] So, so, so you've been around to see a lot.
[00:10:50] So what do you think about how things have evolved?
[00:10:54] I mean, you know, cause you started out when you didn't have certain tools.
[00:10:58] Now we have all these tools.
[00:10:59] Do you think it's, what do you think, is it any easier or more difficult now than it was
[00:11:03] then?
[00:11:07] I think it's both.
[00:11:09] Honestly, I think there are things that are easier.
[00:11:12] Like you said, there's tools that exist where there were not tools previously.
[00:11:16] Um, there are, uh, very efficient tools where, uh, before it was build your own, uh, or use
[00:11:24] somebody else's and try to modify it.
[00:11:26] Or they would actually on, on a packet storm.
[00:11:28] A lot of times the, uh, the tools would be sabotaged.
[00:11:31] So you would have to know what the code did and be able to fix it, so that it would
[00:11:35] prevent script kiddies from just running it.
[00:11:38] Um, and now you can pretty much ask AI to write you a script, uh, to pwn a box.
[00:11:43] So, um, tools definitely better, but complexity is anathema to security and the environment
[00:11:56] we work in now, whether it's from network, mobile web app, AI has never been more complex.
[00:12:04] So, um, you know, that makes it much more difficult.
[00:12:07] There's a lot larger footprint that we're dealing with.
[00:12:10] It's not just Cisco routers and maybe HP ProCurve routers or something.
[00:12:13] You have 5,000 different brands of different things doing different things.
[00:12:20] Yeah.
[00:12:20] It's pretty interesting.
[00:12:21] One of the things I find interesting.
[00:12:23] So what do you, what's your opinion on this?
[00:12:25] Because I would, you know, kind of, you know, when people were starting out, like when you
[00:12:29] did, there weren't all the tools and stuff, you were a little more, uh, dependent on scripting
[00:12:35] and writing tools.
[00:12:36] So do you think that's kind of, kind of the, with the tools, the way they've evolved, in
[00:12:42] my work from what I've seen, I think that things like Burp Suite, some of these other tools, have
[00:12:47] kind of made it to where people really didn't need to know how to code or how to script, because
[00:12:53] some of these things did it for them, made things easier and didn't require people to script.
[00:12:59] Kind of what are your views on that?
[00:13:01] I would, I would overall agree.
[00:13:04] And I think it's a good thing.
[00:13:05] Uh, you know, those barriers to entry may prevent some of the best hacker mindsets from actually,
[00:13:12] you know, getting involved.
[00:13:14] Uh, the people who can think differently can understand how maybe you can subvert the
[00:13:19] logic of this application that other people wouldn't think of, but they don't necessarily
[00:13:23] know how to manipulate JavaScript.
[00:13:26] Um, so it's brought a lot more people into the fold, which I think is good for the industry
[00:13:31] and that it brings a lot more viewpoints, a lot more diversity.
[00:13:34] Uh, you know, it, this started out very, very male centric, honestly, very white male centric
[00:13:42] as a, a group.
[00:13:44] And that is not the case now.
[00:13:45] And we'll talk about Dallas hackers.
[00:13:47] I know later, but if anybody has been to a Dallas hackers, that is not what you see when
[00:13:51] you go to Dallas hackers.
[00:13:52] And it's wonderful that we're here.
[00:13:55] That's good.
[00:13:55] One of the things too, that you mentioned the barrier to entry lower.
[00:13:59] I think that's a good thing, especially considering with the needs for these type of professionals,
[00:14:03] if everyone had to be able to code or be at a certain level would probably, you know,
[00:14:08] take a lot longer to get in.
[00:14:10] You wouldn't have as many people coming in.
[00:14:11] So, so I think that's a good thing, but, but it's very interesting to see how things have
[00:14:16] just kind of looking at pen testing in general, how things evolve with some of the autonomous
[00:14:21] and automated pen testing tools, how that's come about.
[00:14:23] And then thinking of the fact that one time when you started, there wasn't Nessus or Nmap
[00:14:28] to be able to test.
[00:14:30] Yeah.
[00:14:30] Yeah.
[00:14:31] And now it's point, click, pwn, right?
[00:14:34] Yeah.
[00:14:35] Yeah.
[00:14:36] But, but at the same time too, what did you back then, as far as when things were just
[00:14:39] getting started out, people weren't really securing things.
[00:14:42] So how was it to be able to, to pwn those environments?
[00:14:45] It was, it was shooting fish in a barrel.
[00:14:48] I mean, literally if, if, if you didn't gain access to everything you were hoping to gain
[00:14:52] access to on a, on a pen test, you failed back then.
[00:14:57] You know, now, externally especially, there's times where, yeah, there's nothing
[00:15:01] I can do.
[00:15:02] And that's great.
[00:15:03] That's fantastic.
[00:15:04] You know, outside of the things that are not allowed, you know, I, I can't go blackmail
[00:15:09] the sysadmin, but you know, criminals can, I can't.
[00:15:15] Yeah.
[00:15:17] So, uh, kind of mentioning, you know, thinking about how pen testing has evolved.
[00:15:22] So what have you seen?
[00:15:23] Because I know you've seen a lot of, you know, even more than I have just kind of seeing
[00:15:27] how a lot of pen tests were required because of compliance.
[00:15:31] How do you think that's affected the type of testing and the scopes of pen testing?
[00:15:36] Uh, very, very good question that, uh, yeah, I, I think I'm seeing the pendulum swing back
[00:15:43] now, but yeah, at first with PCI and all the compliance that was coming out, everything
[00:15:48] was about scope reduction.
[00:15:50] Okay.
[00:15:50] We need to be compliant.
[00:15:52] Therefore, how can we get as much of our infrastructure, as much of our applications, as much as everything
[00:15:56] we have outside of scope?
[00:15:59] So, so we're only looking at this tiny, you know, niche of our, our environment.
[00:16:05] And, um, that was terrible.
[00:16:07] I mean, those were terrible tests to do because yes, they could focus all their security resources
[00:16:11] on those.
[00:16:12] Um, and then there was, it was, I mean, it was unrealistic as well because they would put
[00:16:19] you in an environment where you couldn't access it, where they had admins that could access
[00:16:23] it.
[00:16:24] If I were an attacker, I would compromise the admin, but that was out of scope.
[00:16:28] So, um, it was really unrealistic.
[00:16:30] It was, they were depressing tests to do.
[00:16:33] And my thought was always, so you're in business to take credit cards.
[00:16:38] You know, you sell X widget or you do Y or Z type of thing, but your whole risk profile is
[00:16:46] credit cards.
[00:16:47] No, there has to be a reason you're in business.
[00:16:50] Secure that business.
[00:16:52] And, uh, I think we're seeing a swing back now in that, uh, I've definitely seen more
[00:16:57] full scope.
[00:16:58] Uh, more people are understanding that.
[00:17:00] Yeah.
[00:17:00] What, especially I think the biggest thing that did that was, um, uh, ransomware.
[00:17:06] Uh, they realized, yes, uh, we do have other functions in the business that are critical
[00:17:11] when everything shuts down.
[00:17:13] Yeah.
[00:17:13] So.
[00:17:14] Yeah.
[00:17:15] That's a good point.
[00:17:15] Being PCI compliant is not going to prevent you from being ransomwared.
[00:17:19] Right.
[00:17:20] Hey, uh, hate the ransomwarers, love the ransomware.
[00:17:26] Yeah.
[00:17:27] Yeah.
[00:17:27] It's, yeah, it's pretty interesting and it's good to see people doing that and not just
[00:17:30] depending on the checkbox, just being compliant.
[00:17:33] I mean, cause that, yeah, it's just kind of frustrating when you, you see those type of
[00:17:37] environments or those organizations where they're just testing for, for compliance, but
[00:17:42] good to see that that's starting to change.
[00:17:45] Yeah.
[00:17:46] I'm not sure everywhere, but I'm definitely seeing an uptick in full, full scope.
[00:17:51] Yeah.
[00:17:51] So hopefully that'll catch on more.
[00:17:53] Just some of the, one of the things along with that that used to be frustrating too
[00:17:57] is to see people filing risk acceptances for things that shouldn't have been a risk acceptance.
[00:18:03] They should have remediated.
[00:18:04] Oh, absolutely.
[00:18:06] Yeah.
[00:18:06] Yeah.
[00:18:07] Yeah.
[00:18:09] It's probably what saved me in the industry actually was my early pivot into consulting
[00:18:14] because I did have several corporate jobs prior to that.
[00:18:18] Specifically the one in the, um, there was one in a high tech, uh, semiconductor company
[00:18:23] and another in a, uh, uh, a very large bank.
[00:18:28] And I was hired for my expertise and they did not listen to it.
[00:18:35] So like, why am I here?
[00:18:36] You know, uh, uh, I understand the risk needs, uh, the decision for the risk needs to be higher
[00:18:41] than my, my pay grade.
[00:18:42] Uh, but it was just, everything was just risk acceptance.
[00:18:45] And, uh, um, I thought, well, maybe I just can't communicate very well.
[00:18:50] Uh, maybe I'm not meant for this.
[00:18:52] And then I found consulting where I go in, I do my job.
[00:18:54] I, I explain it to them in the terms that I feel are going to, you know, encourage them
[00:19:00] to do what I consider the right thing.
[00:19:02] And then I say goodbye, you know, I hope you do it.
[00:19:04] Um, good luck.
[00:19:06] It's not my company that you're affecting, you know?
[00:19:10] Yeah.
[00:19:11] It's kind of interesting the way people listen to consultants sometimes more than they do their
[00:19:16] internal employees.
[00:18:18] I did a, I did a test one time at the first company I worked for.
[00:19:22] We did a pen test of this large global law firm and we went in, the CSO was showing us
[00:19:30] vulnerable apps and systems and environment.
[00:19:32] He said, make sure you look here because he'd been reporting it all these years, but no one
[00:19:37] would listen.
[00:19:37] So he wanted that pen test report to reflect what he was seeing and hoping that they would
[00:19:43] listen to a consultant.
[00:19:45] Absolutely.
[00:19:46] Yeah.
[00:19:46] It's a very, very sad fact of life, but it's true.
[00:19:48] Uh, and, and that's the first thing I do whenever I go into a, uh, a new environment with a new
[00:19:54] customer is, you know, we, why are we doing the pen test?
[00:19:59] You know, if it's just to do compliance, fine.
[00:20:01] I'll hate it, but we can do that.
[00:20:03] If it's to, you know, uh, find as many of these vulnerabilities, exploitable vulnerabilities
[00:20:08] as possible across just the entire environment because they know nothing.
[00:20:12] Fine.
[00:20:12] We can do that.
[00:20:13] Um, they know where all the skeletons are buried though.
[00:20:16] And so my first question is always, what do you want to accomplish if they've been banging
[00:20:22] their head against the, uh, you know, the, the C-suite, uh, for remediation of things
[00:20:27] that are critical to them?
[00:20:29] Tell me, I'll make sure that's top priority in the report.
[00:20:33] Yeah.
[00:20:34] So what's the best advice you could give someone that's wanting to get a pen test done?
[00:20:38] What, what is the best advice that you can share on that?
[00:20:43] Hmm.
[00:20:44] Uh, well, one of my favorites was, uh, I was at a, uh, conference in Austin and, uh, had
[00:20:50] done a presentation, Q&A afterwards.
[00:20:53] Somebody asked how often they should get a penetration test.
[00:20:57] And, uh, I don't know where it came from, but it was just like, well, you know, how often
[00:21:01] do you want to report?
[00:21:02] Because you're always getting a penetration test.
[00:21:05] So how often would you like a report?
[00:21:07] You know, and, uh, that's the truth.
[00:21:09] You know, um, if it's not a professional, uh, that you're hiring, it's somebody else is
[00:21:14] doing it.
[00:21:16] So, um, but as far as are you, are you asking how to identify a good resource, how to, uh,
[00:21:23] engage, what questions to ask, what type of, what exactly are we?
[00:21:27] Yeah.
[00:21:28] That's all the above.
[00:21:29] That's not, okay.
[00:21:30] That's a good, yeah.
[00:21:31] Uh, I would say more than just about any other, um, technical field.
[00:21:39] Uh, everything is about trust in business, but in security, it's, that's all there is
[00:21:46] trust.
[00:21:46] I mean, cause these, the people you're allowing into your networks, um, you know, if they were
[00:21:52] malicious, you would probably never know.
[00:21:54] So trust is key, uh, in, in security, especially, uh, what we do.
[00:22:00] Plus, you know, they're, you're allowing them to do dangerous things.
[00:22:03] Even if you could stop them, you're allowing them to do it, to find out what could happen.
[00:22:08] Uh, so there can be bad things that happen.
[00:22:10] I've caused bad things before. I've locked out entire, uh, domains, uh, by misreading
[00:22:16] the lockout policy, um, once.
[00:22:19] But, um, so trust.
[00:22:22] And how do you, how, how do you know who to trust, uh, word of mouth?
[00:22:26] Who do you trust and who do they trust?
[00:22:28] The, the chain of trust.
[00:22:29] Um, so that's how I would say to find the person to do the testing or find the company
[00:22:34] to do the testing.
[00:22:36] Um, but then what to ask for, I really believe it depends on where you are in your journey
[00:22:43] on security.
[00:22:45] Uh, if you know absolutely nothing, um, tell, you know, honestly, you should be doing a vulnerability
[00:22:50] assessment first.
[00:22:51] If you haven't, you know, find those things, uh, start a program so you can address those
[00:22:56] because the penetration test is going to find a lot more than that.
[00:22:58] And if you do not have a process on how to remediate things already in existence, you're
[00:23:04] going to be completely overwhelmed.
[00:23:06] So, you know, get that process, get those steps done and then bring in penetration testers
[00:23:11] to, to, uh, you know, attack what you've already started to, uh, once you've started
[00:23:15] to mature your security process.
[00:23:17] Um, but then I would say, keep as much, you know, tell as much information as you can.
[00:23:24] Like I said, if you know where the skeletons are, tell them, uh, if there's key critical
[00:23:28] assets, tell them and otherwise let them do what they're paid for and what they've trained
[00:23:38] to do, which is not be limited is to, to do everything they possibly can to gain access.
[00:23:44] Uh, I would, I would, uh, um, definitely start with internet focused, your internet, uh,
[00:23:51] perimeter just because it's, you know, asymmetric as far as there's some, all,
[00:23:58] all attackers that are on the internet, which is every attacker, uh, has access to that
[00:24:03] environment.
[00:24:04] So you have a lot more adversaries start there.
[00:24:07] And then internally, because not all of your, even, you know, it might not even be a malicious
[00:24:13] insider.
[00:24:14] It could just be an incompetent insider that can do serious damage, uh, move inside.
[00:24:18] And then I would also, uh, you know, the number of attackers that you have to worry about for
[00:24:24] physical penetration testing is very, very minimal unless you're a nation state or critical
[00:24:30] infrastructure or financial, like, you know, uh, or, you know, casinos or those types of
[00:24:35] things.
[00:24:36] But, uh, um, definitely include that if that is a risk profile for you.
[00:24:42] Yeah.
[00:24:42] Great advice.
[00:24:43] So to kind of shift the conversation a little bit, uh, you know, you've seen a lot over
[00:24:48] years, you've worked with a lot of folks who've mentored people and helped others get
[00:24:52] started in industry today.
[00:24:55] How would you reckon, what would you recommend for someone that wants to start a career as
[00:24:58] a pen tester?
[00:25:00] Uh, the, the only thing I can really say is get involved in your local community, you know,
[00:25:09] online, if that's all you have, uh, you know, that's a good step to start online.
[00:25:14] But, um, in person is, is what you really, really need to do.
[00:25:20] Uh, if it doesn't exist where you are, start it. There are other people looking for that opportunity.
[00:25:25] So, um, you know, uh, networking, networking, networking.
[00:25:30] I used to have this belief that everything should be meritocracy, right?
[00:25:34] Networking was all BS.
[00:25:36] Uh, everything should be meritocracy, but that's great.
[00:25:39] You can be the, you know, let's say the best, uh, uh, web app pen tester or the best mobile
[00:25:44] app pen tester, the best reverse engineer in the world.
[00:25:47] If nobody knows who you are, it doesn't matter, right?
[00:25:52] If nobody's seen your work, if nobody's seen you get up on stage and show off how you were
[00:25:58] able to do some something, then nobody will know.
[00:26:01] Um, and plus, like I said before about this trust issue is I know from interacting with
[00:26:09] the community who I trust, you know, and that trust has been built by being exposed to them
[00:26:15] within the community.
[00:26:16] Um, now, if you are untrustworthy, this probably isn't good advice, because I also know people who
[00:26:20] I definitely would not allow onto my networks.
[00:26:23] But, uh, um, yeah, that would be the one thing because technology wise, I can't tell you what
[00:26:28] to do.
[00:26:28] When I started, we said there were no tools, there was, there was no, there were no certifications,
[00:26:34] no, no, you know, college degree.
[00:26:37] Now you can get a PhD in cybersecurity.
[00:26:39] That just blows my mind.
[00:26:40] So I don't know how you start from that, but what I will say is I will encourage them
[00:26:47] in that it sounds like there's so much more to do.
[00:26:50] And there is, if you can get a PhD and I just had to, you know, learn how to script a few
[00:26:55] things, but I'm having to learn now.
[00:26:59] I'm having to catch up now.
[00:27:01] I'm not cloud native.
[00:27:02] I'm not mobile native.
[00:27:04] I'm definitely not AI native.
[00:27:05] And if you're coming up in the industry now, and this is where you're cutting your teeth,
[00:27:09] you have an advantage over me.
[00:27:11] This is your native environment.
[00:27:12] This is what is comfortable for you.
[00:27:15] This is all a new learning experience for me.
[00:27:17] And yes, old dogs can learn new tricks.
[00:27:19] It just takes a lot more training.
[00:27:24] So since you kind of mentioned community, what a good time to, to segue into, uh, Dallas
[00:27:30] hackers association.
[00:27:31] So if you kind of explain to our audience what Dallas hackers is and just kind of,
[00:27:37] how you founded Dallas hackers and the whole Dallas hacker story.
[00:27:42] Yeah.
[00:27:43] Uh, well, what Dallas Hackers is, is an unprofessional meetup, is what I would call it.
[00:27:51] Basically it's a, uh, a cyber circus.
[00:27:55] Um, it's, it's a mini con every month.
[00:27:58] We, uh, we do fire talks.
[00:28:00] You sign up when you get there, uh, you get 15 minutes to talk about whatever you want,
[00:28:06] literally whatever you want.
[00:28:07] There's very few things we won't allow.
[00:28:11] Um, but most of it's around hacking, making things do what they weren't necessarily intended
[00:28:17] or it's just something you learned.
[00:28:19] I mean, um, but we also have, like I said, it's a mini con.
[00:28:23] We have a career room.
[00:28:24] We have book swap.
[00:28:25] We have a lock sport.
[00:28:26] We've had a CTF.
[00:28:27] We're trying to get that back on, on a consistent basis.
[00:28:31] We've had a hardware hacking village before to learn to solder.
[00:28:35] Um, it can get overwhelming.
[00:28:37] We had like 150 plus people there.
[00:28:40] So we also have a chill out room so you can get away from everyone and just go play board
[00:28:43] games or chill.
[00:28:45] But, um, the genesis of it was I did a lot of work down at the state for quite a while
[00:28:52] and there is the mothership.
[00:28:54] AHA!
[00:28:55] Austin Hackers.
[00:28:56] They call themselves Austin Hackers Anonymous.
[00:29:00] Um, it was a group of people, a smaller group.
[00:29:02] Uh, but if they were the, the names in the industry at the time, Snake, HD Moore, all
[00:29:09] these people that you would know by name.
[00:29:10] Um, and, uh, their whole thing was they wanted to learn just as much as they wanted to share.
[00:29:16] They didn't want fanboys and fangirls to come in and just, you know, leech information.
[00:29:21] They wanted everybody to participate.
[00:29:22] So their whole mantra was participate or do not come.
[00:29:26] And they were serious about it.
[00:29:28] Um, so, uh, I mean, I still go down there and like, I'll be down there for LASCON and
[00:29:35] it's always during LASCON, uh, the AHA.
[00:29:37] Uh, I, this'll be now what?
[00:29:42] I think 2006 was my first one.
[00:29:45] Maybe a little later.
[00:29:47] Um, I still am intimidated.
[00:29:51] Like looking there, uh, but, um, do we call ourselves a kinder, gentler AHA.
[00:29:57] But the whole reason that happened was, you know, there was already a flourishing, uh,
[00:30:01] hacker security community here in Dallas.
[00:30:03] There was NAISG, the North American Information Security Group.
[00:30:06] I know you went to that.
[00:30:08] Um, there was our DEF CON group, DC 214.
[00:30:11] Uh, and I, I attended those and I love those, but those are very, uh, they're focused on
[00:30:16] long format talks.
[00:30:17] So you go have some intros and then somebody comes up and talks for like an hour on this
[00:30:22] specific subject, which is, you know, if you're interested in it, it's fantastic.
[00:30:27] Um, the, for me, if it was like on PCI, I'm having a really bad night because I'm not going
[00:30:33] to get up and leave, but it's not going to be enjoyable.
[00:30:36] Um, whereas AHA was these short fire talks because they wanted everybody to participate.
[00:30:42] So you, you get up and you talk about something you're just working on with them.
[00:30:46] It was 10 minutes with, I think five minutes Q and a.
[00:30:48] And literally if you went past 10 minutes, they'd throw stuff at you.
[00:30:51] Um, again, we're a kinder, gentler, uh, version of that.
[00:30:55] But I wanted to see that format here.
[00:30:57] I would have loved for it to exist here, honestly, uh, because, um, my favorite meetups
[00:31:07] are all the others, but DHA, because I'm not involved.
[00:31:10] I can just sit back and, and spout stupid things from the peanut gallery, uh, where there's
[00:31:15] a lot of work involved with DHA, but, um, but the community that I've seen grow around
[00:31:21] it, uh, from our leadership team that we've, you know, started out with just
[00:31:25] me and buying wings and, uh, pitchers of beer at a, uh, local pub, uh, getting about a dozen
[00:31:31] people, 20 people out, uh, to now taking over a Korean karaoke bar and having a hundred plus
[00:31:37] people regularly.
[00:31:39] So, um, the, the number of careers we've seen launched there, uh, the, uh, it's just been
[00:31:45] amazing.
[00:31:46] Uh, absolutely amazing.
[00:31:47] And, and I call it our sanctuary because to me, that's really what it is.
[00:31:54] It is, um, it's a techno cyber circus church.
[00:32:00] It really is.
[00:32:01] It's, it's, that's, everyone is welcome.
[00:32:04] Uh, if you don't feel comfortable there, there's something wrong, talk to me.
[00:32:08] So, yeah.
[00:32:12] Yeah.
[00:32:12] Does that kind of explain your experience at, at DHA?
[00:32:15] Yeah.
[00:32:15] Yeah, it has.
[00:32:15] It's, it's, it's pretty amazing to see how it's grown and it, and just kind of some of
[00:32:19] the people that have kind of cycled out over the years because Tinker would help was the
[00:32:26] MC and then Whiskey Neon did the audio video and, and just kind of moving from those venues,
[00:32:32] you know, uh, when the pub closed, moved to the other location and then there was the incident
[00:32:38] where someone, when you were out of town, breached their payment card system there and how you
[00:32:45] weren't, they asked you to guarantee it wouldn't happen.
[00:32:48] And, you know, you said you couldn't do that and moved around some other locations and ended
[00:32:53] up at the karaoke place.
[00:32:55] And so it just seems like once it hit the, the karaoke place, it just, things really just
[00:32:59] kind of blew up.
[00:33:00] Oh yeah.
[00:33:00] And, and it, it's still wonderful.
[00:33:02] I love the venue.
[00:33:04] I hope we'll never have to leave.
[00:33:05] In fact, when we were getting to the point where it was getting too crowded, people would
[00:33:09] ask, so when are we moving to a bigger venue?
[00:33:11] And it's like, well, we're not, uh, if it's too crowded, don't come, you know, it's
[00:33:15] just so perfect.
[00:33:16] We're not changing.
[00:33:17] But, uh, but in the beginning, I think it was just even so much more hacker because it's,
[00:33:23] it's on Goodnight Lane down in K-Town at the time there were no street lights
[00:33:28] and it was a gravel road.
[00:33:29] And so the first time people coming up are like, what the hell am I settled into?
[00:33:34] You know, now it's all paved and well lit, but yeah.
[00:33:39] Yeah.
[00:33:39] It's still on Goodnight Lane.
[00:33:41] Interesting because it seems like there's, I can eat.
[00:33:44] Mickey making his cameo.
[00:33:45] He likes to, he photo bombs and joins.
[00:33:52] Hey daddy.
[00:33:53] Hey daddy.
[00:33:53] Yeah.
[00:33:54] And it's usually, he doesn't really want my attention until I'm doing something.
[00:33:57] But, uh, one of my favorite stories wasn't Dallas Hackers, but, uh, remember the one
[00:34:03] time at DC 214 when the person was talking and something came about conferences and they
[00:34:10] were complaining about red team conferences or no play.
[00:34:14] I forget exactly what the conversation was.
[00:34:17] Yeah.
[00:34:18] So, so I was complaining about, uh, all these blue teams taking over hacker conferences,
[00:34:23] which I think they absolutely should have conferences.
[00:34:26] You know, that's, uh, it's critical and important again to network with the people that are doing
[00:34:31] and trying to, uh, expand on the, what you're doing in the industry.
[00:34:37] Uh, but they didn't exist.
[00:34:39] And so instead they would start having talks and tracks at hacker conferences.
[00:34:43] And it really, there's some technical, you know, uh, in that Venn diagram, there's some
[00:34:50] technical overlap, but they're different mindsets.
[00:34:53] They're completely different things.
[00:34:55] And, um, so I was complaining about that because a lot of the, like HouSecCon was
[00:35:00] one of them, uh, that I saw just going really blue and, and, um, fine, you need that.
[00:35:06] But don't take mine.
[00:35:07] That's my whole view is don't take mine.
[00:35:09] And then there was no, there was no talk lined up that night.
[00:35:12] And so Isaac opened up the floor and a guy got up and did a complete talk on SOC
[00:35:18] something.
[00:35:19] They're doing blue team stuff.
[00:35:21] It was, it was so ironic that that happened.
[00:35:24] The guy came up and did something on blue team.
[00:35:26] Yes.
[00:35:28] Which is critical.
[00:35:29] I mean, blue team is critical.
[00:35:31] I absolutely, I, I'm glad they do it so I don't have to, uh, you know, and, uh, you
[00:35:36] know, although I'm, I'm more and more, uh, passionate about the whole concept of purple
[00:35:41] team stuff is let's make each other better.
[00:35:43] You know, really let's work together at an integral level and make each other better.
[00:35:49] And for the listeners, DC 214 is not strictly, you know, offensive security
[00:35:55] related.
[00:35:55] There is a mixture, but just the irony of this conversation and the guy gets up.
[00:36:01] When I wasn't talking about DC 214, I was talking about the cons, right?
[00:36:04] I was talking about, yeah, yeah.
[00:36:05] You were talking about the cons.
[00:36:06] Yeah.
[00:36:06] Yeah.
[00:36:07] Yeah.
[00:36:07] We're just letting the listeners know they're listening.
[00:36:08] Cause we, there's a mixture of stuff just like even Dallas Hackers.
[00:36:12] You have people come in and tell thing different, uh, have different talks from time to time.
[00:36:17] Just like someone.
[00:36:18] We have compliance talks.
[00:36:19] Yeah.
[00:36:20] You know, V, V and, and, uh, Zerfboard, they, they talk about compliance all the time
[00:36:24] and that's great, but it's only 10 minutes and I can, well, I can't go anywhere cause
[00:36:28] I'm stuck on the, the audio boards, but other people, if they, if they're not interested,
[00:36:32] they can go into the, you know, the, the, the lock sport room or go hang out outside
[00:36:36] and vape cause everybody seems to vape.
[00:36:38] But, uh, yeah.
[00:36:40] Yeah.
[00:36:41] That's the, the nice thing that it's got the different rooms.
[00:36:43] So if someone is not wanting to listen to the talks or someone like myself that talks too
[00:36:47] much that has to go back in the lock sport room or the career room to talk to people.
[00:36:53] Yeah.
[00:36:54] You're not bad.
[00:36:55] You're not bad now.
[00:36:55] You're, you're no low down.
[00:36:57] You're no low down.
[00:36:58] Yeah.
[00:37:02] Yeah.
[00:37:02] Yeah.
[00:37:03] Pretty interesting, but yeah, it's been pretty interesting.
[00:37:06] Some of the things over the years to, uh, Dallas Hackers being in the Popular Mechanics article.
[00:37:12] Yeah.
[00:37:12] Well, we, the whole community was, uh, you know, what I love is the, when they're talking
[00:37:16] about Dallas Hackers and they're showing the pictures, it's all of Pwn School.
[00:37:19] Yeah.
[00:37:20] Cause Dallas Hackers, for those who don't know, we don't allow video or recording or photos
[00:37:24] or any of that.
[00:37:25] Um, uh, we will allow people to take pictures of, have people take pictures of themselves
[00:37:30] on stage.
[00:37:31] Uh, if there's no other audience members, if that's what they want, cause yeah, this is
[00:37:35] your time on stage.
[00:37:36] Some people it's their first time.
[00:37:37] We are basically a, a, you know, uh, uh, Toastmasters for nerds.
[00:37:42] Um, some people have never, ever been on giving a talk before.
[00:37:45] And then we've seen them go from doing that on DHA stage to giving a long talk at DC 214,
[00:37:50] giving it, then giving a full presentation at our local BSides DFW all the way to, we've
[00:37:56] had several then go on to DEF CON.
[00:37:59] So yeah, it's a journey.
[00:38:00] Yeah.
[00:38:00] It's, it's pretty amazing too, to see the environment seems so comfortable, comfortable
[00:38:05] for folks to, to, to present, open up and speak because, you know, we've had people
[00:38:10] come in first timers and they would speak.
[00:38:14] Yep.
[00:38:15] Absolutely.
[00:38:16] Yep.
[00:38:17] One of our long time members is Voodoo Child, uh, you know, um, she had attended and
[00:38:23] then let's circle back real quick to AHA, about participating.
[00:38:28] If you're attending a local meetup, you are participating.
[00:38:33] That's my 100% belief because we get, like I said, you know, a hundred plus people out a
[00:38:40] month.
[00:38:40] How many hackers, cybersecurity professionals are there in the DFW area?
[00:38:45] Tens of thousands, if not more, um, a hundred plus show up.
[00:38:52] You are participating.
[00:38:54] That's my, my belief 100%.
[00:38:56] But anyway, she, she had attended quite a bit and, uh, um, but had never spoken and promised
[00:39:02] her daughter because it terrified her, you know, promised her daughter, I'm going to get
[00:39:05] up there and speak.
[00:39:06] Like, and she did.
[00:39:11] Yeah.
[00:39:11] It's very cool.
[00:39:12] A lot of cool, cool stories like that.
[00:39:13] Like you said, a lot of careers that have launched through there, come through there over the years
[00:39:18] and, and people speaking just like Rainmaker.
[00:39:21] I mean, that guy's all over the globe speaking and, and pretty interesting and good to see that.
[00:39:27] Well, and, and, um, hear your opinion as well, because I used to do, uh, consult all across the world as well.
[00:39:34] Constantly on the road.
[00:39:36] Thankfully that has ended.
[00:39:37] I'm mostly, uh, remote now.
[00:39:39] Um, if I'm going across the globe, it's cause I want to, uh, but Rainmaker, uh, still travels quite a bit all around the world.
[00:39:48] You speak everywhere, uh, all around the world as well.
[00:39:51] Um, Rainmaker and I have said numerous times that nowhere in our travels have we ever seen as robust a cybersecurity hacker community as there is in DFW.
[00:40:03] You could do something just about every night, at least two or three times a week.
[00:40:06] Yes.
[00:40:07] Yeah.
[00:40:08] Yeah.
[00:40:09] I haven't seen that anywhere else either.
[00:40:10] And, you know, before the pandemic, I would say there was at least three times a week.
[00:40:14] And now, like you said, there's something at least one or two times a week and, and all different types of stuff too.
[00:40:21] I mean, at least it's nice that we have a couple of DC groups in the area and, and, uh, and, uh, you know, OWASP chapters and all that.
[00:40:29] So it's a wide variety.
[00:40:29] It's not just one, one set type and our North Texas ISSA group is the biggest in the world.
[00:40:37] And, and, uh, you know, uh, unlike many of the ISSAs I've experienced, uh, I don't know if that's changed over the past few years.
[00:40:44] Um, they are very embracing of our community.
[00:40:46] It wasn't always the case, but in the past, I would say at least five or six years, uh, really embracing the hacker community, inviting us into their, uh, their conferences.
[00:40:58] And, uh, you know, having us speak, you just ran a hacker corner in the last conference of theirs.
[00:41:06] Yeah.
[00:41:07] It's nice that they're more, more welcoming, even though we're not professional.
[00:41:10] Right.
[00:41:12] Yeah.
[00:41:15] So, uh, so yeah, one of the things that I wanted to discuss too is, you know, how one of your new passions actually kind of helped you open up, be more comfortable speaking and making you more open to speak.
[00:41:29] Uh, yeah.
[00:41:29] Improv.
[00:41:31] I, I, I'm like a, a new religious convert in that all I will want to do is talk about it and shut up about it.
[00:41:38] Um, uh, the, the value of improv, I, I, it depresses me a bit because I wish I'd have found this earlier in my life.
[00:41:48] You know, I'm in my mid fifties and, uh, uh, there's a little over about a year and a half of focusing on improv that has completely changed my life.
[00:41:57] I can't imagine what my life might've been like
[00:42:02] had I found this earlier.
[00:42:03] I got involved earlier, but I also might not have been ready for it.
[00:42:06] Who knows?
[00:42:07] Uh, but the, um, there are so many similarities, uh, between I find between improv and hacking.
[00:42:15] Uh, and I think a lot of people are finding that as well.
[00:42:19] I've brought it, there's a, a large tech, uh, group within the improv.
[00:42:24] Uh, I brought a number of them over to DHA, uh, and I've gotten probably about a dozen folks from DHA involved with, uh, improv at the, where I study.
[00:42:33] Um, but the, like one of the questions I hate the most on a penetration test.
[00:42:41] So this is one thing you were asking about how, how does a company engage a penetration tester?
[00:42:45] Do not ask them.
[00:42:47] So what tools will you use?
[00:42:50] Um, I don't know.
[00:42:51] I don't know what I'm going to find, right?
[00:42:54] I'm going to, I'm going to use the best tool for whatever I find within the environment.
[00:42:57] I don't know what that is.
[00:42:59] Yes, there are some that are pretty much default.
[00:43:01] I'm going to do some reconnaissance using, uh, you know, port scanners, probably Nmap.
[00:43:06] But, you know, uh, if there's nothing there, I might go down into trying to manipulate packets with hping or something.
[00:43:13] I don't know what I'm going to do.
[00:43:15] Uh, I will run a vulnerability scanner, probably Nessus, but you know, um, once I find what's in the environment though, that's when I'm going to use the tools that are specific to that environment.
[00:43:27] So I don't know what I'm going to use.
[00:43:28] I have to be adaptable.
[00:43:29] I have to try to, uh, have as much of my tool belts as possible, ready to, uh, engage with what I, with what I encounter.
[00:43:39] But there's very likely a chance I'll run into something I've never seen before and I need to be able to adapt.
[00:43:44] Uh, that's improv.
[00:43:46] You step on a stage, you don't know who you are, where you are, or what you're doing.
[00:43:51] And you have to figure it out together and adapt consistently, constantly.
[00:43:55] Now you have a tool belt, you learn things to do and improv on how to handle situations and how to make the best of types of environments for the highest likelihood of success.
[00:44:06] But you're going into it completely blind.
[00:44:07] There's, you have no idea what you're going to do.
[00:44:10] Uh, so I find a lot of similarities there, but, um, I was back in the day, I was terrified of public speaking.
[00:44:19] I got to the point where I would shake, get tunnel vision and want to throw up, uh, when somebody said, so tell us a little bit about yourself.
[00:44:28] Something that simple.
[00:44:29] I mean, how, how nobody in the world knows as much about me as me.
[00:44:33] And I still would feel like I, uh, yeah, it would, it would overwhelm me.
[00:44:37] And so then I did this stupid thing of starting up Dallas Hackers where I had to get up in front of people and talk every month.
[00:44:44] Um, so after, I mean, we've been at it 11 and a half years.
[00:44:48] I, that was no longer bothering me.
[00:44:49] I, I, I could get up and I could talk in front of people most of the time.
[00:44:53] Um, occasionally I'd have relapses, but, uh, most of it was because I knew what I was going to talk about.
[00:44:59] If I did give a talk at DHA, I'd prepare, I'd have the slides.
[00:45:03] I'd have run through it 20 times and exactly mostly what I was going to say, how I was going to say it.
[00:45:10] Um, and I, I was, I was confident in that fairly confident.
[00:45:15] Um, but the, if you asked me something, you know, Hey, get up and talk about X, Y, or Z, or like a panel.
[00:45:21] You have no idea what's going to be on a panel.
[00:45:24] Um, I'd get terrified because I don't know what I'm going to say.
[00:45:27] And again, that's improv.
[00:45:31] It has helped me so much now where it's like, okay, I have a base knowledge.
[00:45:34] I have my tool set.
[00:45:36] Um, use it.
[00:45:39] Right.
[00:45:40] Uh, and, and it's, it's changed my, I actually did, uh, I think it was like six, eight months after I started taking improv.
[00:45:48] Um, I did my very first ever DHA talk completely improvised.
[00:45:53] Uh, I had two slides.
[00:45:55] The first was the title that said improv will change your life.
[00:45:58] And so will everything else.
[00:46:01] And the second was some pictures of people that I've interacted with in the improv community, which if I can kind of diverge real quickly, there is a crisis, uh, in our country.
[00:46:15] Of loneliness.
[00:46:17] Uh, loneliness they've shown in studies is at least as bad as smoking half a pack of cigarettes a day for your body.
[00:46:26] Uh, I think the, this was already a trend.
[00:46:32] The, the pandemic heightened it and a lot of people didn't come back out.
[00:46:37] Um, but adults have a hard time making friends.
[00:46:42] And if you are experiencing that, if you're in suffering from that, in that camp, please, please try improv.
[00:46:51] It's going to terrify you.
[00:46:52] Most likely it terrified me.
[00:46:54] Um, in that seven week course I took that first course, you know, um, I developed relationships that were deeper and stronger than people I've known for 20 years.
[00:47:11] Um, you included Phil or besties, but, um, it was incredible because what you're doing is you're being vulnerable.
[00:47:21] Um, you're, all of you are going in there and going, okay, we are going to fail together.
[00:47:25] We're going to fail in front of each other.
[00:47:27] Non-stop.
[00:47:29] Humans are afraid of failure, especially public failure.
[00:47:32] And that's all we do in improv is we fail. Every once in a while something works and you're like, wow, that was awesome.
[00:47:38] And let's go back to failing.
[00:47:40] You know, but, um, yeah.
[00:47:43] Uh, so, uh, I don't know how I diverged onto that, but please, please.
[00:47:47] Yeah.
[00:47:47] If, if, if you're having, because we are in improv, it's the, the very fundamental is, is adults playing make-believe, we're being kids and kids have almost, most kids have no problem.
[00:48:00] Making friends.
[00:48:02] No.
[00:48:03] So.
[00:48:03] And to kind of share the power of that too, like in Toastmasters, it doesn't go as in depth, but there's an improv speaking portion of the meeting where they'll bring up topics that you've got to speak on for a minute.
[00:48:17] To two minutes that you know nothing about, and it could be total nonsense that you've got to talk about or whatever, but you just kind of get used to speaking on your feet.
[00:48:25] So I can just imagine the results you get from, you know, a full blown class and doing that for, you know, minutes on end.
[00:48:33] Yeah.
[00:48:34] I did take a few Toastmasters courses.
[00:48:36] Uh, it was at the bank and they were definitely not my people.
[00:48:39] Um, so, but I remember that.
[00:48:41] I remember that section and that was the worst section, uh, ever.
[00:48:44] It was terrifying for me.
[00:48:45] Um, I mean, all of it was terrifying for me, but that was just like, I, I can't do this.
[00:48:50] I, there's no way I, I can't talk about something.
[00:48:52] I don't know.
[00:48:53] Um, and in improv, you talk about things you don't know with conviction constantly.
[00:48:59] You know, uh, um, uh, my, one of my favorite games, uh, that, uh, they play is, uh, this, um, it's being a preacher.
[00:49:10] You come out firing brimstone and you're this preacher and you start proselytizing and then you point to somebody in the audience and they say a random word like artichokes and you don't have to incorporate artichokes into your rant.
[00:49:23] Right.
[00:49:23] And you keep going on that until you point to somebody else in the audience and they say, you know, skateboards and you've got to immediately bring that into the, the, you know, your, your sermon skateboards.
[00:49:33] Uh, it's so fun.
[00:49:35] Yeah.
[00:49:36] One of the things I'm just kind of curious about just because I know you kind of gotten away from social engineering, uh, in your career.
[00:49:42] How do you think this would have helped your social engineering?
[00:49:46] Well, as far as helped, um, I don't know how much more it could have helped in being successful in that just about every time we did a social and physical social engineering engagement, we were successful.
[00:49:59] I mean, it's that bad out there.
[00:50:02] So I don't think I would, would have been that much more successful at it.
[00:50:07] I just wouldn't have been, maybe I wouldn't ever quit.
[00:50:10] I mean, cause it was to the point where I would go week, a week before flying out, knowing I'm having to do this, I would be getting physically sick.
[00:50:18] Uh, uh, out there, I would, you know, do so much reconnaissance because I didn't want to take that first.
[00:50:24] I, I, I, I, it killed me.
[00:50:28] I, I, I'd literally get physically sick, ill, um, and succeed.
[00:50:33] But if I was that smooth talker or whatever type thing, and was just saying, this is what I'm doing, it would have probably been a lot easier.
[00:50:41] Maybe I wouldn't have stopped.
[00:50:42] Um, and you know, maybe it's something I'll consider later getting back into.
[00:50:46] But, uh, at, at the time, you know, I had this big dilemma.
[00:50:50] I was like, why is this bothering me so much?
[00:50:52] You know, and I was like, well, you could say, you know, cause like when I'm attacking, uh, doing email social engineering or attacking a system, you're, you're attacking systems.
[00:50:59] You're attacking people.
[00:51:00] Somebody designed it.
[00:51:01] Somebody built it.
[00:51:02] But I don't feel guilty about any of those.
[00:51:04] How come it's when I'm talking face to face with somebody, you know, um, when I'm interacting with them.
[00:51:09] And I, you know, the thought is, well, I'm lying to them all.
[00:51:13] Yeah, true.
[00:51:14] But you lied.
[00:51:15] As a society, we tell lies all the time to smooth the grease, the rails, you know, and little white lies.
[00:51:21] It's, we don't always tell the truth.
[00:51:24] Um, and then I realized it was because, uh, I built my whole career on trust.
[00:51:30] You know, there are so many brilliant people that we interact with in the community, uh, whether it's in person here at DFW or online.
[00:51:39] Um, I am decent at what I do, but I am not one of them.
[00:51:43] What I've had to really sell myself on is, uh, trust.
[00:51:48] You know, I've got a background in military law enforcement.
[00:51:50] I, I, I can communicate, uh, with, from the CXO down to the, the engineer.
[00:51:58] But most of it's, you can trust me, right?
[00:52:02] There's some of those people that are elite that you just can't trust.
[00:52:06] Uh, and when I'm talking to these people, social engineering them in the back of my mind, there was this little voice going, you shouldn't trust me.
[00:52:16] And that hurt.
[00:52:17] Yeah, I think that was because, because if I don't have trust, if that person doesn't trust me, uh, I don't have anything really.
[00:52:26] Yeah.
[00:52:26] Very interesting perspective.
[00:52:29] So, so we're getting down toward the end of the episode.
[00:52:32] Is there anything you'd like to share before we close it out?
[00:52:36] Hmm.
[00:52:38] Uh, I would say it's a little topical.
[00:52:41] Um, in the, in our local community, we are dealing with some issues, uh, that in some, some people would call drama.
[00:52:52] Uh, I, I don't like that word because I think it implies, it implies there's a, somebody's causing something that shouldn't be caused versus or upsetting the status quo or, I just don't like the word.
[00:53:04] But there are, all is not the sanctuary that I would hope it to be right now.
[00:53:12] And, um, is just, you know, we started off DHA and we didn't have, our mantra was be excellent to each other.
[00:53:22] Uh, Bill and Ted just be excellent to each other.
[00:53:25] And then we had to, you know, um, develop a rule list.
[00:53:30] And number one rule, don't hack the venue, as you mentioned, because somebody hacked the venue and we get kicked out.
[00:53:36] So now there's a rule for it.
[00:53:37] If there's a rule on a, on the list, it's because there has to be a rule on the list.
[00:53:41] Um, and then we went from that, which was like 10 bullet points to now we have a full code of conduct because we have to, uh, unfortunately.
[00:53:48] And I would just say, uh, get involved with your community, but please, please don't be the reason for a rule or a code of conduct.
[00:53:57] Just be excellent to each other.
[00:53:59] Just go out, learn, share.
[00:54:01] I don't care what the other person's religion, politics, leave all of that at the door.
[00:54:08] We have a mantra at DHA of what happens at DHA stays at DHA.
[00:54:12] That's why we don't have video so people can share freely without the fear that there'll be repercussions outside.
[00:54:19] Um, but the corollary is true.
[00:54:22] What happens outside of DHA or outside our community should stay the hell out there.
[00:54:27] You know, come in here, share information.
[00:54:29] And that's really my ulterior motive is I want you sitting down next to somebody that maybe you would never, ever speak to,
[00:54:35] but you can share in this knowledge, share together what both of you are passionate about and then maybe start communicating.
[00:54:43] And that's what we need a lot more of is communication these days.
[00:54:47] I totally agree.
[00:54:48] And that's everywhere for sure.
[00:54:50] Yep.
[00:54:51] Absolutely.
[00:54:52] Well, thanks for taking the time to be on the podcast.
[00:54:55] It was an honor to have you on.
[00:54:58] I'm glad we finally get you scheduled.
[00:55:01] Happy to be here.
[00:55:04] Yeah.
[00:55:04] Yeah.
[00:55:07] Well, I appreciate it.
[00:55:08] And for anyone in the Dallas Fort Worth area or passing through, Dallas Hackers Association is the first Wednesday of the month at Family Karaoke at 7 PM.
[00:55:18] Yep.
[00:55:18] And, uh, uh, DC 214 second Wednesday.
[00:55:23] Libra Technica third Wednesday.
[00:55:25] DC 940 is what?
[00:55:27] Third Monday.
[00:55:28] Third Monday.
[00:55:28] Yep.
[00:55:29] Third Monday.
[00:55:30] And hack Fort Worth is third Tuesday.
[00:55:32] Uh, like is it, like we said, Oh, and North Texas Cybersecurity Group will be doing its relaunch.
[00:55:36] Uh, this month.
[00:55:38] So, uh, fourth Thursday, last Thursday of the month.
[00:55:43] So yeah, something going on all the time.
[00:55:45] And, and, uh, uh, I typically am performing in Thunderdome the first Friday of every month.
[00:55:52] Uh, um, it's cast differently every month, but I, I, I tend to play it quite often.
[00:55:57] And that's a post-apocalyptic competition between improvisers, uh, which is a lot of fun.
[00:56:04] Yeah.
[00:56:04] I've been, it was a very good time.
[00:56:08] Well, thanks again.
[00:56:11] Thanks.
[00:56:12] Thanks everyone.
[00:56:13] And we'll see you on the next episode.
[00:56:18] Thank you for listening to the Phillip Wylie Show.
[00:56:20] Make sure you subscribe.
[00:56:21] So you don't miss any future episodes.
[00:56:24] In the meantime, to learn more about Phillip, go to thehackermaker.com and connect with him
[00:56:30] on LinkedIn and Twitter at Phillip Wylie until next time.
[00:56:35] Bye.