Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
is from a cooperative
project for acquiring skills
essential to learning.
Speaker 2 (00:06):
Welcome to the
Security Chipmunks podcast.
I'm Edna Johnson, I'm here with my co-host, Neil Smalley, and
today we have a very special day.
Special guest today Rick Rick is here joining us.
Speaker 1 (00:21):
Hello.
Speaker 2 (00:23):
Hey Rick, how are you?
Speaker 1 (00:24):
I'm good.
How are you?
Speaker 2 (00:26):
I'm doing great.
Thank you for joining us.
Speaker 1 (00:29):
Well, thanks for
having me.
Speaker 2 (00:30):
Yeah, absolutely so.
We had a really fun experience when we went to Wild West
Hackin' Fest.
We competed together on a team.
Do you want to talk a little bit about that?
Speaker 1 (00:44):
Yeah, well, I mean,
first of all, I got to meet you,
which I think was super fun, and we had yeah, we had a pretty
good team.
I believe you started the team.
If I remember correctly, it was announced and I was there with
some of my friends, some of our mutual friends.
How I met you and we had not intended on playing the CTF that
(01:07):
weekend, how I know them is actually through CTFs.
We used to compete CTFs together quite a bit, so we were
just kind of planning on hanging out and enjoying the
conference and instead we hung out and enjoyed the conference
in a very different way, through the CTF, which was a good time.
Yeah, we had a blast.
(01:27):
I forget, did you say we won Spoilers?
We won, yes, we did Sorry.
Speaker 2 (01:38):
Yeah, we did great.
Speaker 1 (01:41):
Yeah, we did super
well.
I think we played well as a team.
One of the things I really like about that format of CTF is
that it's not just hacking all the time it gives.
I think CTFs I think this is changing a bit, but I think CTFs
are largely focused on offensive skills, and attack and
(02:04):
defense really gives an opportunity for more skill sets
to participate and have a good time.
So, yeah, I think we did a fantastic job yeah, yeah, no,
that was really interesting.
Speaker 2 (02:15):
This is my first like
attack and defend CTF
competition it was my first of this kind and, uh, that was a
bit of a learning curve in itself, like what do I do?
And I was really glad that I had you and Jose and others on
the team that kind of knew what needed to get done.
(02:35):
Um, I remember on Thursday like we found this table behind the
fireplace and like we're just like trying to stay out of the
way but like trying to work all together at this big table, um,
getting things lit, yeah yeah, yeah, no, I I think I think one
(02:57):
of the things, one of the reasons we weren't going to
compete, is because we don't really have a, a casual
competition mode.
Speaker 1 (03:03):
We kind of we either
go all in or we don't.
And if your objective is to do well in a CTF, um and in a
competition, the main thing you need to understand about CTFs is
that, while the CTF is itself is time bound, there is ample
(03:24):
opportunity to do work and get head start and gain advantages
outside of that time.
And so that's what we were trying to do the day before is
just prep as much as we could, knowing full well that most of
it was going to be thrown away.
But prepping scripts, debbing against the APIs, making sure
(03:46):
that we had um, you know, good templates set up and kind of
strategy around, like how we want to handle certain things.
And you know, do we want to um, collect and replay attacks or
do we just not want to care about what the other team is
doing?
Like having all those decisions ahead of time, sort of like
incident response.
You don't want to be deciding all that complicated nuance
stuff Like while an incident's happening.
(04:11):
You want to solve as much of that as upfront as possible so
you're not having to think as much, and that's kind of the way
we handle CTFs as well.
Speaker 2 (04:15):
Yeah, it was really
good to see because this is my
first time being on such a competitive team and so it was
great to see how y'all work and it was quite the learning
experience.
And everybody had their computers all like you had
everything set up for a lot of things, even like you weren't
(04:39):
planning to compete, but you already brought your computers
with the environments ready to go and everything like that, so
it was a lot of fun to watch and be a part of.
Speaker 1 (04:51):
I think that's a
testament to how Roman and the
Meta CTF team run CTFs.
I've played a lot of CTFs that are very much a CTF versus a
skills event I don't know how to describe this.
(05:17):
I didn't bring a CTF computer and I didn't have like CTF
specific VMs.
I just had, like my, the stuff that I do work with um and
sometimes you have to download like a bunch of esoteric, like
nuanced niche tools to solve challenges, because they're very
(05:40):
kind of on the edge of of reality, uh, which is fun
because it lets you explore skills that you don't touch a
lot.
But I do enjoy CTFs that are very much like.
Here is a kind of hyper aggressive version of kind of a
real world sort of a thing.
Like you wouldn't deal with this number of bugs in this
(06:01):
short amount of time in real life.
But none of the bugs and none of the things we were working on
was this.
You know out there sort of a concept.
It was.
You know we were in VS Code, we were in Terminal, we were, you
know, writing Python and Go and you know just doing stuff, we
normally do.
Speaker 2 (06:19):
Yeah, I think our
team.
We were lucky that we had so many people that knew different
languages like C and Go and Python, because some of the
challenges involved those languages and I think that gave
us a competitive edge having such a diverse team with a lot
(06:40):
of experience with different technologies.
Speaker 1 (06:44):
I agree, I think you
know, back when Jose and Ethan
and I and Sean wasn't present but Sean was part of the
original group and I met Coop later.
Coop was kind of part of a more recent iteration of that group.
But one of the reasons we worked so well together is
because of that diverse set of skills that we had.
(07:05):
Like, I come from systems administration and systems
engineering, so I know a lot about Linux and firewalls and
I'm kind of a serial generalist.
I got started as a web developer and then got into help
desk and all kinds of stuff, so I've got a really broad
background but less dev.
And Jose and Ethan and Sean all come from dev backgrounds of
(07:27):
various languages and so kind of that's the, that's the.
That is a very well put together CTF team is when you have all
those diverse skills and then an attack and defense.
We added people like you and we who had more of a blue teamer
background incident response, SOC kind of security engineering
(07:48):
stuff which in attack and defense is just as important, if
not more important, than just having pure offensive skills.
Right, yeah, I mean we had.
I mean obviously we had the best team of the day.
There were other very talented groups as well, so that could
(08:09):
have been very different a different weekend, but we had a
very good team.
We had a solid, well put together team and it's all
because of that.
You don't want eight people who all know the same thing, no
matter how well they know that thing.
You really want that kind of diverse background and
experience, uh, as part of the team.
Speaker 2 (08:29):
Right, yeah, so I was
really glad to see us uh, do so
well and um, and then we had our points were just off the
charts, um, but it was great and uh, uh, so it was my first CTF
win and uh oh, congratulations, that's exciting.
Speaker 1 (08:52):
I didn't realize that
oh yeah, thank you.
Speaker 2 (08:55):
I love playing CTFs,
but like I've never um been in
the top, so I was like yay, yay.
Speaker 1 (09:04):
It's a, it's a good
feeling.
It's addictive, for sure.
Speaker 2 (09:07):
Yeah, I've been doing
CTFs for a few years, but first
time winning, so it was fun.
So, yeah, and we got.
We got some cool prizes, like the training that we got for 12
months and we got one of us got the black badge.
Speaker 1 (09:25):
Yeah, yeah, showed
off.
Do you have it?
Speaker 2 (09:28):
I do have it.
It's right here.
Speaker 1 (09:30):
Heck, yeah, that
thing's awesome, yeah, so it's
always nice, it's always nice to have, you know, kind of a black
badge, cause if you wear it around the conference, people,
um, you know, people notice and they're like, oh, who is that?
Like why, why don't, why don't?
I know that person, that person must be cool.
And the whole time you're thinking like, oh, they don't
know, I'm just me like yeah but, yeah, no, that's awesome,
(09:56):
that's really cool.
Speaker 2 (09:57):
Yeah, it was really
nice of uh Cooper to once we got
off the stage he he just had his laptop ready and he plugged
it in like here's your firmware update.
And I was like yes.
Speaker 1 (10:10):
I was sitting next to
him while the closing
ceremonies were happening and he before the, basically when the
CTF announcement started.
So ours was announced last because it was the main event.
But as the CTF announcement started he pulled out his laptop
and started working on it, so he had it like ready instantly.
Yeah yeah, Coop's a good guy.
I haven't known him very long, but I'm glad I know him.
(10:32):
He's rad.
Speaker 2 (10:33):
Yeah, he's really
nice.
Yeah, so you know, Wild West is where I met you, but I've heard
you go to other conferences too.
So what are some of your conference recommendations?
Speaker 1 (10:49):
I think Wild West, in
any of its iterations, is
probably the top right now.
I haven't been, unfortunately, the last couple of years since
the pandemic I haven't really been traveling as much as I used
to pre-pandemic, but Wild West even since the very beginning.
The talent and the community that Black Hills drives and I
(11:13):
usually credit John for this, but I mean Black Hills is much
bigger than John these days and so it's one of the few places
where I can go and my partner was with me for this one and she
even noticed she's just like we showed up early the conference
that was there before I don't even know what it was, but it
was very different vibe and my partner took off to visit a
(11:34):
friend for a couple of days and when she came back the Black
Hills conference had started.
And she's just remarking on, you know, everybody's happy,
everybody's excited to see each other, the, the excitement
levels are very high, um, you know, and the speakers are all
top-notch.
There's a huge breadth of labs that you can try and skills that
(11:57):
you can enjoy.
So, uh, Wild West, any of the ones you can get to even online,
I think, are great.
Uh, they keep the price pretty low, which is, I think, a boon.
Um, yeah, I, you know local B-Sides.
Uh, I hear Orlando is spectacular.
One of these days I'm going to make it out to Orlando I'd love
that yeah, yeah, I'd really like to make it out there because I
(12:20):
think, um, you know, outside of Vegas, for obvious reasons, uh,
for Vegas, but outside of Vegas.
I think it's probably the second most well-known
nationally.
I mean, I'm on the other side of the country, so I think
Orlando is really well-known.
Speaker 2 (12:35):
But any of the
B-Sides.
Speaker 1 (12:36):
Yeah, yeah, I mean we
were talking pre-show that I'm
really bad at my local community and I need to take more of a
effort to participate, but your local community is what matters
to you the most as far as support and professional
opportunities and networking and all that stuff.
So you know, if you have a local B-Sides, get involved, go.
(12:58):
But but yeah, I like the.
I like the smaller conferences.
I kind of came out of SANS so I was taking SANS classes and
then I taught for them for a couple of years.
But, like you know, those are much more, I think, education
focused kind of events rather than conferences.
So yeah, I think Wild West and B-Sides are kind of where it's
(13:22):
at.
DEF CON is just a big, you know everybody's going to be there
kind of thing, so it's good to network, but I think for sheer
concentration of good events, Wild West is where it's at.
Speaker 2 (13:37):
Yeah, I agree, Wild
West is just.
It's the kindest conference and that's the best way I can put
it.
If you talk to any of these people, they just become like
your best friends immediately.
Pretty much, they're so nice.
Speaker 1 (13:55):
I think one of the
ways I describe DEF CON is that
it's the cliquiest conference and so it's not necessarily a
bad thing.
It's not like most of those cliques are exclusionary.
But I've talked to several first time DEF CON attendees and
they hear about how great DEF CON is but they're struggling to
see it.
They're like I just don't see it.
(14:16):
It's not.
I don't get the same vibes that everybody else is getting and I,
one person specifically I saw, not last year but the year
before.
I saw them like three hours later and they had found kind of
their tribe.
You know like they ran into them and once you do that, I
think DEF CON can be that way.
I think individual groups are very accepting.
(14:36):
But Wild West, like there is no clique, it's just kind of
everybody is your tribe at a Wild West event.
Yeah, yeah, it's a stellar environment and honestly, I've
attended Wild West a couple times remotely, just in their
Discord, and I think you don't get the same level of 3 am
(15:00):
hallway conversations that you might get at the event, but it's
still very active and very inclusive and you still get a
lot out of it, which is which is nice to see.
It's not everybody can travel.
Speaker 2 (15:12):
Yeah, yeah, no,
that's for sure.
And their online is great.
They will send you swag and a whole badge and it feels like a
great value for what you pay as a virtual attendee, because you
get so much and they are very good about including you online
(15:33):
yeah John is John is on record that he doesn't want to make
money through Wild West.
Speaker 1 (15:37):
Uh, so like basically
all money that goes into that
conference from you know, uh, attendees and everything kind of
goes back into the conference which is why the prices are low
and you get such good value out of it.
And you know it's, it'sfantastic yeah.
Speaker 2 (15:53):
Yeah, all right, so
you used to teach for
cybersecurity.
Do you want to tell us a little bit about that?
Speaker 1 (16:07):
Yeah, so I started.
How did that start?
I spoke at a lightning talk at a SANS conference one year
no-transcript like blurb about how, um, how I was trying to
(16:31):
implement like offensive stuff into my security engineering
role.
Uh, back before I ran offensive teams, um, and a couple of the
instructors at the time afterwards asked me if I had
thought about teaching and I hadn't, um, and nothing really
came of it for a while.
Uh, SANS is notoriously hard to teach for they.
(16:53):
They have a very long funnel of instructor development, um, and
so what I ended up doing instead was I started making
videos, um, I think as a CTF write-up one time, and what I
realized is that, even though I'd been in tech for 15
something years by that point 20 years something everything I
(17:16):
knew I kind of knew how to do, but I didn't really know why
those things were the way they were or what series of
implications led to things being this way, which is kind of
something you need to be able to do to teach, especially the way
my brain works Like it's hard for me to follow along with
somebody if I can't kind of derive what's happening and
(17:41):
making those videos really pushed me, um, really pushed me
to kind of learn things more in depth and I made those videos.
Then I started a YouTube channel and from the YouTube
channel is I got back into SANS and kind of followed through
their instructor dev.
But I love teaching, I enjoy pushing myself to know more, but
(18:08):
I really love especially like as I had trouble in school
growing up because either it was hard for me to latch on to
things or really understand what the teacher was trying to
describe.
I really love it when I'm describing or trying to teach
somebody a really complex topic and people are like okay, I
(18:29):
understand, like I get it now, like I, I understand why this is
the way it is, um, and that's, that's stellar.
That's something I don't see enough of.
When I interview people, uh, for jobs is is, I get a lot of
people that were kind of like me earlier in my career where they
just kind of know if I type this in, this happens and and I
know to type that in because it's doing this thing sort of
(18:52):
knowledge which is fine through a lot of your career.
But as I interview for like red team and offensive roles, like
you really have to have a deeper understanding of how things are
kind of built and put together so that you can be very
deliberate and precise in how you apply pressure to an
environment to to make it do what you want it to do.
(19:14):
So I, I like, I like, I like promoting that sort of
understanding inside of tech.
So so yeah, yeah.
Speaker 2 (19:26):
That's very nice,
very neat.
Speaker 1 (19:28):
Yeah, I'm actually
writing right now.
I'm writing two classes.
I'm writing a Linux class um, that's basically just
foundational Linux, because I don't think enough people know
it um, but applied to security and and things like that.
And then I'm I'm writing a, um, kind of a full stack.
I call it full stack hacking, which is just buzzwordy nonsense,
(19:51):
but basically it's.
You know, if you're going to attack a web application, you
should know how web servers work.
If you're going to do SQL injection, you should know how
to write SQL.
If you're going to, you know, do command injection into a web
or app like mobile app, you should understand what Linux is
doing with that command that you're injecting and basically
teaching penetration testing from a developer and system
(20:17):
administrator perspective of.
Once you understand how this infrastructure is put together,
you can make more intelligent decisions about what attacks you
want to apply.
You can do better at your write-ups on how to fix things,
stuff like that very nice, that sounds exciting I hope so.
Speaker 2 (20:38):
We'll see yeah, um,
all right.
So I know you've told me that you are running teams and doing
management things.
So what are some things that like, once you got into that
role of running teams that really like you're, like this is
something people should know about.
Speaker 1 (21:00):
Huh, I think I think
it's a lot of just what I was
talking about.
I think I'll I'll be interviewing people and I'll ask
questions about I don't know like.
So SQL injection is like, let's say, the canonical example.
(21:21):
If you've got this website, it's got a login prompt.
Sometimes when we do interviews, like in-person interviews I
don't do take home stuff, but in person interviews we'll kind of
do like kind of a live hacking thing where it's like hey,
here's a, here's kind of a CTF that I wrote.
You know, let's walk through it and you know, tell me how
you're thinking about these problems.
(21:42):
And a lot of times I'll just see people throw in like a you
know, the canonical, or one equals one SQL injection into
the login field.
And I'll ask them like why they did that or like what you know,
like what do, what does that?
I call them incantations, because they're basically
casting spells.
At that point, if they don't know SQL, then they're just
(22:02):
saying the magic words and hope that the thing falls out.
But I'll ask them, like what does that do?
How would you change it?
Things like that.
And I'll just kind of get back well, it's a login page, you put
in this string and then it lets you log in.
And I think people, when you're first learning, I think that's
(22:24):
acceptable just to kind of go oh, SQL injection exists.
You can do malformed SQL to make the database do weird stuff.
Well, the next level of that isn't you're putting in
malformed SQL, you're actually just writing SQL statements.
And the more you know SQL, the more advanced SQL injection you
(22:45):
can do.
And I think when you're learning, when people are learning,
especially when people are trying to get into offensive
security, you need to push past that surface level.
Oh, this is how I make the thing break and push into the
how does this thing work?
Because a lot of times, especially internal teams, we're
(23:05):
not testing test environments.
We're in the corp environment, we're in prod, we're in these
environments that you can't just throw a, you know, an automated
scanner at and if it knocks something over, like okay, well,
that's a problem.
You know, like here's a denial of service finding that we found
it's well, you knock something over and now we're losing like a
(23:26):
million dollars a minute until that thing comes back up, right.
So you have to kind of consider what you're doing and why.
Also, you're doing your customers, whether they're
internal or external, a disservice if you can only break
the thing and you can't help them fix it.
The whole reason offensive security exists is to make
things better and to improve things, not to just kick over
(23:46):
somebody's sandcastle and laugh at them.
That's not what we're here for.
So I want to see more people in tech.
This is not just Red Team specific, but I want to see more
people in tech really drive past this.
Like I'm a cybersecurity professional, I learned
cybersecurity and all I do is cybersecurity.
(24:09):
Cybersecurity is really just kind of advanced IT and advanced
development.
If you're really good at IT, you're really good at software
development.
You don't need security because you don't have any bugs.
You have all of your resiliency in place, like nothing falls
over.
Now that's an unattainable goal.
(24:30):
I'm not saying that we never need cybersecurity, but I want
there to be more of a blurred line between people who do IT
and people who do security, and I think that security has been
held up as this like easy, high paying industry that people can
(24:50):
just get into, where there's like jobs everywhere and we're
just like throwing you know jobs out of a plane for anybody who
can grab them and I think anybody who's an entry level can
clearly see that's not true.
You know there's a lot of competition at the, at the entry
level areas, because of this this huge influx of people
taking, you know, getting cybersecurity degrees and things.
(25:12):
So I think the way that you can really stand out is don't just
be a cybersecurity person like understand what you're, what
you're protecting, why you're protecting it.
You know what, what.
What outcomes are you tryingLike?
Why?
Why is the company paying youthe money?
They're paying you Like they?
They're doing it for a reason.
(25:33):
They're not doing it because cyber security is cool yeah um,
I also think, oh, red team is like over hyped, like and
obviously I do it, I enjoy it, I think it's a great job.
I, I love it.
But I I see a lot of people kind of like getting into
college or coming out of college and it's like, oh, I want to be
a pen tester and it's like, well, I mean, great, that's good,
(25:54):
we need great pen testers always.
But I think that there's this really good PR about how cool
pen testing is and I think that there is less of that PR for
other areas of security and I want other people to see how
interesting security operations is.
Incident response is fascinating.
(26:14):
That's actually what I taught for SANS.
I didn't teach hacking, I taught IR and incident handling,
which is fascinating.
It's super important.
It is more high pressure and more badass than red teaming.
When you get into it, it's a lot of the same skillsets.
Like I want, I would, yeah, I just I want people to see the
(26:34):
reality of security and really enjoy doing it and learning
about it.
Um, more than just this, you know like, oh, I saw Mr Robot
and I want to do that.
Like I want, I want people to care about it.
I guess is what I want to see in that I interview.
Speaker 2 (26:50):
Yeah, that's great.
Yeah, there's definitely a huge number of people that go into
you know school for cybersecurity and their goal is
I'm going to become that great pen tester and I'm going to
become like the next John Hammond or something like that.
Because that's what they see when they go on YouTube and, you
(27:14):
know, looking on InfoSec, Twitter and all of that, it's
like they see a lot of that offensive side and think that's
so cool, but there's just not enough jobs for all of the
people that want to do the red team.
But there's still a lot of like great jobs out there, like IAM
and GRC and SOC.
That has a lot of demand for you know people, but it's not as
(27:38):
um, as shiny as the red team.
Speaker 1 (27:43):
Sure, but it, but it
can be.
I think, I think it can be.
It's just like the PR for those fields aren't, aren't quite
there, quite?
There yet yeah, but you know, threat hunting is super exciting,
IR is super exciting.
IR is is literally just like facing off with adversaries,
like like that's, that's incredible, incredibly exciting,
(28:05):
you know, it's just I don't think it's marketed very well is
the problem?
Speaker 2 (28:09):
yeah, yeah, no, I, no,
I do, I are, I definitely
agree.
It is so fun.
Speaker 1 (28:14):
Yeah.
Speaker 2 (28:14):
It's fun when you get
to kick somebody off a box.
Speaker 1 (28:18):
Yeah, or when you
like, when, when I mean, I've
experienced this from the other side.
But you know, you, you kick somebody off the box and we're
like, oh okay, I guess we'll get in and through our you know
back doors or whatever, and like, as we're starting to log in,
those get slammed shut too.
And you're like whoa, like yeah, it's, it's gotta be satisfying
to to execute that kind of IR program.
(28:42):
So you know as long as, as long as you know, we aren't burning
out our incident handlers, which I think is you know.
Another big industry problem is is you know we burn out a lot
of our people because, frankly, from a business perspective,
there's more people lining up to take those jobs.
So, like, I don't agree with the business practice, but it's
definitely something we do in the industry yeah, yep, all
(29:06):
right.
Speaker 2 (29:08):
Well, thank you so
much.
We're glad to have had you on the episode.
Speaker 1 (29:11):
Yeah, thanks for
inviting me.
I'm always happy to to ramble at people, right?
Speaker 2 (29:17):
Yeah Well, I wasn't
rambling.
You're telling us great things here.
Speaker 1 (29:22):
Great, I'm glad you
enjoyed it.
Speaker 2 (29:24):
Yeah, appreciate you
having me on.
Speaker 1 (29:27):
Yeah Well, thanks so
much for the invite.
Speaker 2 (29:32):
Yeah, all right, this
has been an episode of Security
Chipmunks.
Remember as you're learning, keep chipping away at it.