July 13, 2025 • 26 mins
Eddie Miro joins us as a guest on the Security Chipmunks podcast, a social engineer, cybersecurity pro and a community leader, Eddie shares tips and advice for cybersecurity newcomers, shares his past and talks about the competition Octopus Game.
At the heart of Eddie's current work is his involvement with DEF CON, where he runs "Octopus Game" which became an official Black Badge contest designed as a "tutorial quest" for conference newcomers. The game sends participants on missions throughout the conference, helping them navigate the overwhelming environment through accessible challenges and puzzles. What began as a Squid Game-inspired battle royale has evolved into a beloved event making cybersecurity more welcoming to beginners, embodying DEF CON's push toward greater accessibility.
Eddie's transparency about his past, documented in his memoir creates powerful connections with others on similar journeys. After talks, people regularly approach him to share how his story resonates with their own struggles, finding inspiration in his transformation. For aspiring cybersecurity professionals, Eddie emphasizes building strong foundations in IT before specializing, getting involved with community groups, and developing communication skills. His most powerful advice may be the simplest: keep showing up. "Grit correlates higher with success than intelligence," he notes, explaining that persistence often matters more than technical brilliance in career advancement. Whether you're attending your first cybersecurity event or looking to pivot careers, Eddie's story proves that with determination and community support, anyone can reinvent themselves in this dynamic industry.
Socials
- Join our Chipmunk community Discord server: https://discord.gg/9yfWP6evYQ
- Follow us on Twitter: https://twitter.com/SecChipmunk
- You can find us online at: https://securitychipmunks.com
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
is from a cooperative project for acquiring skills
essential to learning.
Welcome to the SecurityChipmunks podcast, where we keep
chipping away at it.
I'm your host, edna Johnson.
I'm here with my co-host, neilSmalley.
Hello, and our guest today isEddie Miro.
Welcome, eddie.
Speaker 3 (00:20):
Hey, thanks for having me on the podcast.
I'm really excited to be here.
Speaker 1 (00:24):
Absolutely.
Please tell us about yourself.
Speaker 3 (00:28):
Well, like you said, my name is Eddie Miro.
I've been in the IT space forabout 25 years.
My first job way back in theearly 2000s was dial-up tech
support, so I'm pretty old.
I'm really involved in thecyber community.
I speak at a lot of conferences.
I run a local DEF CON grouphere in Utah County called DC385
(00:54):
.
I run an official DEF CONcontest called Octopus Game,
which was a Black Badge contestlast year.
And yeah, I'm just generallyinterested in social engineering
and have a kind of aninteresting backstory also.
Speaker 1 (01:15):
Wow, that is fascinating.
All right, so you know I loveDEF CON and you have a game
there, octopus Game, and it's ablack badge Last year.
That's amazing.
So what is that game like andhow do people participate?
Can they just join in?
Speaker 3 (01:33):
Yes, so I'll give you a little bit of backstory and I
don't want to bury the lead,like the reason we were a black
badge contest and the reasonwe're so popular is due to my
wife, who also is the contestlead, and all of our volunteers
who make it really amazing.
But the first year we did itwas DEF CON 30, I think yes, and
(02:00):
the idea was that we were goingto rip off the popular Netflix
TV show Squid Game and create abattle royale where players met
up and played kids games to dueleach other, and it was just a
battle royale to the last personstanding.
It was really fun.
The whole idea was just to getpeople to meet each other and
(02:24):
outside of their comfort zoneand, yes, it was pretty great.
After that it's kind of evolveda little.
Now we have themes.
This year our theme is Avatar,the Last Airbender, so the title
is Octopus Game for the Orderof the White Tentacle.
Yeah, our whole thing is justbeing really accessible to
(02:46):
people who are new toconferences and not really sure
what to do or where to go.
We kind of gamify that process.
I like to refer to us as like atutorial quest for conferences.
We send players on missions todifferent villages and different
areas so they can interact withother areas of the conference
they might not normally interactwith and make some friends and
(03:10):
be more human.
Speaker 1 (03:14):
Wow, that sounds amazing.
So I love how that helps peopleget to know the conference.
So is it kind of like ascavenger hunt for you going
around or what?
Speaker 3 (03:25):
yeah, I mean like it's kind of a yeah, it's, it's.
It's hard to describe, but wedo have.
We have like small puzzles andbasic crypto challenges that
they have to solve and we givethem maps and different puzzles
that will lead them to differentareas and, depending on what
year it is, they have differentthings they need to do.
(03:46):
Sometimes we just have them gotake a selfie with somebody in a
village or if it's say, it'slike lock picking village, then
they have to pick a lock and wehave one of the volunteers there
kind of validate that theyinteracted.
And, yeah, we it's kind of likea scavenger hunt and like a
basic crypto challenge sort of.
There are plenty of good CTFsand crypto challenges.
(04:08):
Ours isn't meant to be reallyhard because it's meant for
noobs and for people who arekind of brand new, and we wanted
to yeah, we just kind of gamifyit and give people like a kind
of a direction to go, and yeah,it ends up being a lot of fun of
a direction to go and yeah,it's a, it ends up being a lot
of fun.
Our last, our last year, when wewere selected as a black badge
(04:33):
contest.
The organizers of DEF CONreally liked the vibe of our
contest and they're reallypushing to make you know
information security and cybersecurity more accessible and DEF
CON is becoming more familyfriendly and our contest is kid
friendly.
So we just kind of really hitthe nail on the head that year
and our winning player got ablack badge and I'm sure your
(04:55):
audience knows the significanceof that.
But just in case there'ssomebody who doesn't know, a
black badge basically gets youback into the conference for the
rest of your life for free.
It's a very special thing andthere are very few contests that
get to be a black badge contest.
Def CON's cool and sometimesthey select random ones and we
just happened to be that one.
Our winning player got a blackbadge for a game of Simon Says
(05:20):
at the end.
So it was kind of crazy.
Speaker 1 (05:24):
Wow, that's amazing.
Yeah, black badges are reallyspecial, so that is wonderful.
So I know you do a lot ofsocial engineering.
You're a volunteer with theSocial Engineering Adventure
Village so I wanted to ask youlike, how did you get started
(05:47):
with social engineering?
And I heard you did a talk onit at DEF CON, so tell me about
that.
Speaker 3 (05:56):
Well, my talk at DEF CON was at DEF CON 27 in the old
SE Village and it was on how toweaponize the rideshare
relationship.
So I was in between jobs at thetime and was driving for Lyft to
make some extra cash and I'm avery social person, obviously,
(06:20):
so I enjoy talking to passengersand, despite everyone saying
they don't like talking todrivers, that was the opposite
response that I got, and maybeit's just because I'm more
approachable and social, but Ifound that people were having
these really deep conversationswith me and it kind of felt like
(06:40):
this sort of like pseudorelationship could be formed,
kind of like the way people openup to bartenders, where I kind
of feel like an anonymous personand people were sharing really
intimate details.
And the talk was kind of onthat experience and I
hypothesize on what could bedone if you were to weaponize
(07:00):
that sort of interaction and howI might utilize rideshare as
like a vector in a socialengineering attack.
You know parking near a targetwould pretty much guarantee you
get that ride.
You know it's all geolocationbased and yeah, that was my
first big talk that I did at DEFCON.
Very, very interestingexperience for sure.
Speaker 1 (07:25):
Okay, that's interesting.
Yeah, yeah, nice.
So have you done other socialengineering thing since then?
Speaker 3 (07:40):
So when I was making my transition into cybersecurity
, I, much like everyone else,wanted to be a pen tester, so I
started focusing on that.
I did some pro bono pen testsfor some unsuspecting companies
in my hometown.
It was a lot of fun.
My partner and I we did thewhole like covert entry.
(08:01):
We broke in and we ran amok inthe office and it was super fun
and it was great.
The company had no idea howvulnerable they were.
We found the CEO's computerunlocked, sitting right there on
their Outlook.
So yeah, pretty fun to do thatdebriefing with them.
(08:22):
And they had cameras and I wassurprised that nobody responded
to it and they said that therewas just too many alerts.
So yeah, alert fatigue strikesagain.
I was pretty shocked.
It was really bad.
But at that time I wasapproached by one of the
(08:45):
department heads for a communitycollege in Northern California
called Butte College and sheasked me if I wanted to teach,
which I had never consideredbefore because I only have an
associate's degree.
Why would I be a communitycollege teacher?
But I transitioned intoeducation and I did that for a
few years.
It was a very interestingexperience.
(09:07):
Eventually I moved out here toUtah.
I worked for a company calledArctic Wolf.
They're a big MSSP.
I was a senior technicaltrainer there, and, yeah, I've
worked for a few other companiessince then.
Most of my talks, though, areon social engineering, and I'm
trying to make a transitionright now in my career to go
(09:28):
towards the marketing side andkind of like the idea of being
an evangelist, going out thereand doing talks and doing field
marketing and using my socialskills and all the public
speaking and content creation Ido so.
I don't know if that answersyour question, but there it is.
Speaker 1 (09:48):
Yeah, absolutely.
I like that you had theopportunity to do education,
because that can be so rewardingand it's very interesting like
path that you took there.
When you're giving peoplefeedback and like advice on
getting into this kind of careerand wanting to do social
(10:12):
engineering, what are somerecommendations that you give
people?
Speaker 3 (10:18):
I mean it's really hard.
That's a question that I thinkabout.
A lot Excuse me.
So that's a really hardquestion to answer and I've been
thinking about it a lot latelyand my path to where I got to
today is not something that Ithink anyone could replicate.
Today is not something that Ithink anyone could replicate.
(10:41):
So I, in a certain way, I'malmost reticent to give people
advice, because how can I tellyou to do the things that I've
done?
And I know I glossed over likea major part of my history
earlier.
Sorry, I got distracted by thechat, so I know I kind of
(11:09):
glossed over like a big part ofmy history.
Earlier I wrote a book which Iknow we talked about earlier.
It's called Outlaw Summer CyberDreams.
You can't buy it, but you canactually find it on my LinkedIn
profile.
I uploaded the PDF for free.
The reason I wrote that book isbecause Phil Wiley was having
(11:29):
breakfast with me at DEF CON afew years ago and he asked me
why I haven't written a book.
And the reason he asked me thatis because I have a really
interesting family history andI'll kind of give you the TLDR.
But yeah, when I was born, myparents were bikers criminals.
My dad was a drug dealer.
(11:49):
When I was a young child, I wasthere when we got raided and my
dad went to prison.
When I became a young man Ifollowed in those footsteps and
worked for a couple of years asa criminal.
I had a boss who was a knownorganized crime figure.
(12:10):
We traveled around the countryand committed lots of crimes and
I have firsthand experiencewith social engineering and
being a threat actor.
I kept that a secret for a longtime for obvious reasons.
I was never arrested orconvicted of anything.
So I have a clean background,which is very helpful.
(12:30):
But it was kind of a thing thatI always wanted to share with
the world and get off myshoulders and I felt ashamed of
who I used to be.
So I wrote a book about it.
I tried to get it published bysome publishers.
They didn't think I was famousenough, so hey, fair enough.
(12:51):
But I decided to self-publishit.
I wrote it myself, I hired aneditor to proofread it and I
hired a typesetter and Ipublished it on Amazon and it
was an interesting experienceand I had a lot of people that
were supporting me and wanted meto share my story.
(13:11):
And it's interesting becauseit's really counterintuitive to
share with the world some of theworst parts of yourself and the
fact that you were a bad guyonce, and now you're a good guy
and you try to teach people hownot to get, how not to be
victims of people like you usedto be and people like the
(13:32):
redemption story arc.
So I don't regret telling itand it's been very cathartic and
it's been very therapeutic tobe able to share that and almost
break down crying in front oflarge audiences of people.
But yeah, so if you, if you wantto hear that whole story, check
out my LinkedIn.
It's, it's on there.
It's a PDF.
(13:53):
But once, once it was clear,all the people that were
supporting me had a copy.
I stopped selling it because Inever did it to make money.
The people that were supportingme had a copy.
I stopped selling it because Inever did it to make money and
in hindsight I wish I had spentmore time on it and I could
easily make it two or threetimes as long.
I remembered so many morestories that I left out and you
know it was a personalexperiment and I'm glad I did it
(14:15):
wow, that's uh.
Speaker 1 (14:19):
I'm glad to see that you you, um were able to put
that down in writing and andshare it.
That's a lot to share with theworld, and I'm glad to see that
you're on on the good side ofthings now.
Um, that's a great likeredemption arc story, um, and I
know that you have a lot of umknowledge and experience that
(14:42):
you can share with people thatare going through the bad side
of social engineering, andthat's so amazing that you're
now helping people.
Speaker 3 (14:55):
And not only am I using my experience to be a
security practitioner and tohelp people you know and teach
people how to think like athreat actor and how to you know
, understand how an attack works, but also like a side benefit.
That's really meaningful to meis I can always count on at
least one person coming up to meafter I do a talk.
(15:17):
After I do a talk, or even onLinkedIn.
This morning, I got a messagefrom someone who who read my
book or someone who'll see mytalk, and they'll come up to me
and they'll say that my story isso similar to theirs and they
they appreciate like myvulnerability and like seeing
that we don't have to be definedby our past and we can be
(15:39):
whoever we want to be and we can, we can take what?
may have you know, beentraumatizing, and we can reframe
that in a way that's empoweringand it's yeah, that's the only
reason I still do the talks oror share my story anymore is
just for those like thoseindividuals who really resonates
with and who who reach out totell me things.
(16:01):
That's an amazing feeling.
Speaker 1 (16:09):
Yeah, you're taking control of your destiny, and
that's wonderful.
Speaker 3 (16:14):
I'm trying, neil, are you going to ask me a question?
I see you over there.
Speaker 2 (16:21):
Certainly, certainly, see you over there, certainly.
So, uh, just real quick, Iactually um first came across
your work in, uh, this volume of2600, where you do our article,
um, but uh, just thinking moregenerally, like you've obviously
(16:42):
held a lot of different rolesand done a lot of different
things over the years.
What's something you've changedover the years, like, is there
certain processes or advice thatyou would have used to give
that you wouldn have necessarilydo today, now that you know
(17:02):
more?
Speaker 3 (17:05):
I think I'll just direct this towards like career
advice.
I do a few talks on likehacking, the hiring process, and
I think my general advice topeople is, when you're first
starting out, be as general aspossible and, like I know,
(17:26):
everyone wants to be like a pentester or they want to be a SOC
analyst, and I think I would.
I would recommend people takeroles that are in IT help, desk,
tech support, networking whicharen't cybersecurity, but they
are foundational and I'm old, soI came from a time where you
(17:48):
had to be in networking and ITfor a long time before you kind
of graduated to cybersecurity,and I'm really happy that there
are less barriers to entry nowand I'm not a gatekeeper, but I
also find my networkingexperience is very valuable.
So it's tempting to want toskip all of that and just go for
(18:10):
Security Plus and then try togo for your OSCP or go into like
a SOC analyst role and I thinkit's good to build your
foundations first and get someof that experience there.
Be general, but try to identifywhat your specialty is going to
be as early as possible andreally look very broadly,
(18:31):
because cybersecurity is so muchmore than just pen testers or
SOC analysts.
I mean there are dozens anddozens of domains and it takes a
while to kind of checkeverything out and experience
different roles.
And I mean you might find thatyou love GRC.
I mean there's something foreverybody in this field and it's
really a lot of people thinkthat being a pen tester is very
(18:54):
sexy and it can be, but very fewpen testers are out there doing
like red team, covert entries,Like most of them are just
sitting in a cubicle.
It's very automated.
It's very much about writingreports.
So a lot of people they thinkthey want to be pen testers and
they finally get there andrealize that they don't really
(19:14):
like that and there's so muchout there to try.
So another thing I just want tofinish up this thought, and
this is something that I alwaysrecommend and some people take
this advice and some peopledon't but get involved with the
cyber community.
I mean, your viewers arewatching this, so they're
already part of that ecosystem.
(19:36):
They are probably in a cyberdiscord and they probably go to
cyber conferences and theyshould keep doing that and they
should volunteer and they shouldbe active on LinkedIn and other
social medias and be a part ofthe community.
Every job I've gotten for thepast 10 years has been through
my network and through word ofmouth.
And yeah, it's something that Iknow a lot of people don't like
(19:59):
because a lot of us areintroverts and that's okay.
Just push yourself a little bit.
I used to be very shy.
My first talk I told Ednaearlier about.
I had a panic attack and it washorrible, but I just kept doing
it and I've been on huge stagesnow and I don't get stage
(20:20):
fright anymore.
I know that's not typical forpublic speakers.
I know I'm a psychopath, butthe more you put yourself out
there, the easier it gets.
So join a local DEF CON or 2600group or whatever you have in
your area.
Go to B-Sides, volunteer, checkout the Social Engineering
Adventure Village.
Just try to be part of thecommunity.
Speaker 2 (20:44):
That's so very true.
One of my favorite pastimes nowis convincing people who've
never gone to a conference to goand have peer pressure, you
know, and come see what it'slike.
Speaker 1 (20:56):
Peer pressure.
That's my favorite too.
Love it.
Speaker 3 (21:05):
Look, introverts need someone, some extroverts, to
come in and adopt them and, like, force them to do things, and
I'm totally willing to be thesocial nerd.
Speaker 2 (21:10):
So, yeah, just be careful if I'm wrong yeah, it
just changes the dynamic.
If you're by yourself andyou're trying to break into like
one of those groups of people,uh, it can be.
An extra person makes it mucheasier to get into that dynamic
oh, you're right, it's.
Speaker 3 (21:25):
In some places it's tough, like my first defcon
group was dc530 in chico,california, and I love those
guys but like I had to go totheir meeting like five or six
times before anybody would talkto me, I would just like sit
there awkwardly and, like youknow, some, some groups have a
little thick, thick exteriorthat you have to get through.
You know hackers can besuspicious people but you just
(21:48):
keep showing up and you knoweventually it'll all work out.
Speaker 1 (21:54):
You end up wearing down there their thick armor.
All of a sudden, you're one ofthem.
Speaker 3 (21:59):
Yep Exactly yeah, not every group is like that, just
for the listeners there are somevery welcoming groups trust me,
I run a group, and edna, do youdon't?
You run a group down there tooyes, dc47 exactly so like we
(22:20):
would love for you to join ourgroup.
It's like very hard to findmembers and like it's such a
struggle.
So, um, join a group and beactive.
Speaker 1 (22:33):
And, yes, we love you Exactly.
Yeah, we even have virtual ones.
So if you don't have a DC grouphome, you're welcome to join us
.
Anywhere in the world, we havepeople from other countries.
Come join us.
Speaker 3 (22:45):
You guys have an awesome group and you're always
doing cool things.
My group is small.
We struggle out here, but we'realso really close to DC801,
which is the first DEF CON groupin Salt Lake.
Speaker 1 (22:56):
City.
Speaker 3 (22:58):
They're a really established community.
We're in the county just southof Salt Lake so it's challenging
, but we're doing what we can.
Speaker 1 (23:08):
That's okay.
You have a group for the peoplein your area.
Sometimes people feel likeanother group is too far.
Speaker 3 (23:16):
We don't want to drive all the way up to Salt
Lake.
Speaker 1 (23:18):
It's like 20 miles.
Speaker 3 (23:19):
That's so far.
Speaker 1 (23:20):
Exactly, there's a group for everyone.
I'm glad you have a good groupright there.
Even if it's small, it's a goodgroup.
I've joined your Discord.
Your members are awesome people.
They're cool.
Speaker 2 (23:35):
I mean, it depends on what you're trying to achieve
too.
A lot of times, if the group istoo large, it can be kind of
hard, as a new person coming in,to actually make those
one-on-one connections.
Speaker 3 (23:48):
Totally.
Speaker 2 (23:51):
So you don't have to do it all at once.
You can start out smaller forsure, so true yep, absolutely.
Speaker 1 (24:00):
As long as you're consistent, your group will grow
and exactly, just show up justshow up, keep showing up dude,
like you have no idea how truethat is.
Speaker 3 (24:11):
Like people know of me and I get a lot of really
cool opportunities and part ofthat is just I just kept showing
up and I've just been aroundfor a long time.
So, yeah, don't, don't give up.
And I know it's really hardright now for people who are
looking for jobs and you've alot of us have been lied to that
there are all these unfilledjobs out there and I know it's
like really challenging, but youjust like don't give up.
(24:33):
And I love this statistic.
I don't know if it's a realstatistic, but it sounds really
good, so I'm going to say itanyway.
So it's just that gritcorrelates higher with success
than intelligence.
So, like, the people who justlike don't give up are more
likely to be happy and succeedin the end versus just having,
you know, a skill set that youknow may be better than yours.
(24:56):
Like for me, I I get a lot ofjobs and I'm not the most like
technically, like advancedperson and there are people who
are smarter than me, but I bringa lot of other things to the
table and part of that is justbeing part of the community and
my network.
So don't sell yourself short.
Speaker 2 (25:12):
Right.
I think that goes to show justhow important communication is.
It's not just about thetechnical skills You've got to
be able to communicate theconcepts to other people.
Speaker 3 (25:21):
I mean, soft skills are key and I have friends who
are hiring managers and yeah,that's really discouraging, I
know, for a lot of people whoare introverts.
But you won't work in a silo.
You will work on a team, youwill have to communicate and you
will have to have you knowyou'll be able to communicate
through verbal and throughwritten skills.
If you become a pen tester, amajority of your time is going
(25:44):
to be writing reports.
So like find ways to to, tobeef those up, join a toast
masters group, join a local.
Speaker 2 (25:53):
Just gonna say that, you know, I think, uh, one of
the things that frustrates methe most is like people acting
like you can't learn theseskills.
You absolutely can.
You just have to practice itagain and again I wasn't good at
public speaking.
Speaker 3 (26:05):
The first time I did I was awful.
But there are ways to learn andpractice and, yeah, there's a
lot of opportunities out thereif people really want to do that
.
Speaker 1 (26:15):
Absolutely, and I think that's a great final
thought for today.
So thank you everybody forlistening to this episode of
Security Chipmunks, where wekeep chipping away at it.
Make sure to like, comment,subscribe, do all the things,
push all the buttons here and wewill see you on the next one.
Take care.
is from a cooperative project for acquiring skills
essential to learning.
Welcome to the SecurityChipmunks podcast, where we keep
chipping away at it.
I'm your host, edna Johnson.
I'm here with my co-host, neilSmalley.
Hello, and our guest today isEddie Miro.
Welcome, eddie.
Speaker 3 (00:20):
Hey, thanks for having me on the podcast.
I'm really excited to be here.
Speaker 1 (00:24):
Absolutely.
Please tell us about yourself.
Speaker 3 (00:28):
Well, like you said, my name is Eddie Miro.
I've been in the IT space forabout 25 years.
My first job way back in theearly 2000s was dial-up tech
support, so I'm pretty old.
I'm really involved in thecyber community.
I speak at a lot of conferences.
I run a local DEF CON grouphere in Utah County called DC385
(00:54):
.
I run an official DEF CONcontest called Octopus Game,
which was a Black Badge contestlast year.
And yeah, I'm just generallyinterested in social engineering
and have a kind of aninteresting backstory also.
Speaker 1 (01:15):
Wow, that is fascinating.
All right, so you know I loveDEF CON and you have a game
there, octopus Game, and it's ablack badge Last year.
That's amazing.
So what is that game like andhow do people participate?
Can they just join in?
Speaker 3 (01:33):
Yes, so I'll give you a little bit of backstory and I
don't want to bury the lead,like the reason we were a black
badge contest and the reasonwe're so popular is due to my
wife, who also is the contestlead, and all of our volunteers
who make it really amazing.
But the first year we did itwas DEF CON 30, I think yes, and
(02:00):
the idea was that we were goingto rip off the popular Netflix
TV show Squid Game and create abattle royale where players met
up and played kids games to dueleach other, and it was just a
battle royale to the last personstanding.
It was really fun.
The whole idea was just to getpeople to meet each other and
(02:24):
outside of their comfort zoneand, yes, it was pretty great.
After that it's kind of evolveda little.
Now we have themes.
This year our theme is Avatar,the Last Airbender, so the title
is Octopus Game for the Orderof the White Tentacle.
Yeah, our whole thing is justbeing really accessible to
(02:46):
people who are new toconferences and not really sure
what to do or where to go.
We kind of gamify that process.
I like to refer to us as like atutorial quest for conferences.
We send players on missions todifferent villages and different
areas so they can interact withother areas of the conference
they might not normally interactwith and make some friends and
(03:10):
be more human.
Speaker 1 (03:14):
Wow, that sounds amazing.
So I love how that helps peopleget to know the conference.
So is it kind of like ascavenger hunt for you going
around or what?
Speaker 3 (03:25):
yeah, I mean like it's kind of a yeah, it's, it's.
It's hard to describe, but wedo have.
We have like small puzzles andbasic crypto challenges that
they have to solve and we givethem maps and different puzzles
that will lead them to differentareas and, depending on what
year it is, they have differentthings they need to do.
(03:46):
Sometimes we just have them gotake a selfie with somebody in a
village or if it's say, it'slike lock picking village, then
they have to pick a lock and wehave one of the volunteers there
kind of validate that theyinteracted.
And, yeah, we it's kind of likea scavenger hunt and like a
basic crypto challenge sort of.
There are plenty of good CTFsand crypto challenges.
(04:08):
Ours isn't meant to be reallyhard because it's meant for
noobs and for people who arekind of brand new, and we wanted
to yeah, we just kind of gamifyit and give people like a kind
of a direction to go, and yeah,it ends up being a lot of fun of
a direction to go and yeah,it's a, it ends up being a lot
of fun.
Our last, our last year, when wewere selected as a black badge
(04:33):
contest.
The organizers of DEF CONreally liked the vibe of our
contest and they're reallypushing to make you know
information security and cybersecurity more accessible and DEF
CON is becoming more familyfriendly and our contest is kid
friendly.
So we just kind of really hitthe nail on the head that year
and our winning player got ablack badge and I'm sure your
(04:55):
audience knows the significanceof that.
But just in case there'ssomebody who doesn't know, a
black badge basically gets youback into the conference for the
rest of your life for free.
It's a very special thing andthere are very few contests that
get to be a black badge contest.
Def CON's cool and sometimesthey select random ones and we
just happened to be that one.
Our winning player got a blackbadge for a game of Simon Says
(05:20):
at the end.
So it was kind of crazy.
Speaker 1 (05:24):
Wow, that's amazing.
Yeah, black badges are reallyspecial, so that is wonderful.
So I know you do a lot ofsocial engineering.
You're a volunteer with theSocial Engineering Adventure
Village so I wanted to ask youlike, how did you get started
(05:47):
with social engineering?
And I heard you did a talk onit at DEF CON, so tell me about
that.
Speaker 3 (05:56):
Well, my talk at DEF CON was at DEF CON 27 in the old
SE Village and it was on how toweaponize the rideshare
relationship.
So I was in between jobs at thetime and was driving for Lyft to
make some extra cash and I'm avery social person, obviously,
(06:20):
so I enjoy talking to passengersand, despite everyone saying
they don't like talking todrivers, that was the opposite
response that I got, and maybeit's just because I'm more
approachable and social, but Ifound that people were having
these really deep conversationswith me and it kind of felt like
(06:40):
this sort of like pseudorelationship could be formed,
kind of like the way people openup to bartenders, where I kind
of feel like an anonymous personand people were sharing really
intimate details.
And the talk was kind of onthat experience and I
hypothesize on what could bedone if you were to weaponize
(07:00):
that sort of interaction and howI might utilize rideshare as
like a vector in a socialengineering attack.
You know parking near a targetwould pretty much guarantee you
get that ride.
You know it's all geolocationbased and yeah, that was my
first big talk that I did at DEFCON.
Very, very interestingexperience for sure.
Speaker 1 (07:25):
Okay, that's interesting.
Yeah, yeah, nice.
So have you done other socialengineering thing since then?
Speaker 3 (07:40):
So when I was making my transition into cybersecurity
, I, much like everyone else,wanted to be a pen tester, so I
started focusing on that.
I did some pro bono pen testsfor some unsuspecting companies
in my hometown.
It was a lot of fun.
My partner and I we did thewhole like covert entry.
(08:01):
We broke in and we ran amok inthe office and it was super fun
and it was great.
The company had no idea howvulnerable they were.
We found the CEO's computerunlocked, sitting right there on
their Outlook.
So yeah, pretty fun to do thatdebriefing with them.
(08:22):
And they had cameras and I wassurprised that nobody responded
to it and they said that therewas just too many alerts.
So yeah, alert fatigue strikesagain.
I was pretty shocked.
It was really bad.
But at that time I wasapproached by one of the
(08:45):
department heads for a communitycollege in Northern California
called Butte College and sheasked me if I wanted to teach,
which I had never consideredbefore because I only have an
associate's degree.
Why would I be a communitycollege teacher?
But I transitioned intoeducation and I did that for a
few years.
It was a very interestingexperience.
(09:07):
Eventually I moved out here toUtah.
I worked for a company calledArctic Wolf.
They're a big MSSP.
I was a senior technicaltrainer there, and, yeah, I've
worked for a few other companiessince then.
Most of my talks, though, areon social engineering, and I'm
trying to make a transitionright now in my career to go
(09:28):
towards the marketing side andkind of like the idea of being
an evangelist, going out thereand doing talks and doing field
marketing and using my socialskills and all the public
speaking and content creation Ido so.
I don't know if that answersyour question, but there it is.
Speaker 1 (09:48):
Yeah, absolutely.
I like that you had theopportunity to do education,
because that can be so rewardingand it's very interesting like
path that you took there.
When you're giving peoplefeedback and like advice on
getting into this kind of careerand wanting to do social
(10:12):
engineering, what are somerecommendations that you give
people?
Speaker 3 (10:18):
I mean it's really hard.
That's a question that I thinkabout.
A lot Excuse me.
So that's a really hardquestion to answer and I've been
thinking about it a lot latelyand my path to where I got to
today is not something that Ithink anyone could replicate.
Today is not something that Ithink anyone could replicate.
(10:41):
So I, in a certain way, I'malmost reticent to give people
advice, because how can I tellyou to do the things that I've
done?
And I know I glossed over likea major part of my history
earlier.
Sorry, I got distracted by thechat, so I know I kind of
(11:09):
glossed over like a big part ofmy history.
Earlier I wrote a book which Iknow we talked about earlier.
It's called Outlaw Summer CyberDreams.
You can't buy it, but you canactually find it on my LinkedIn
profile.
I uploaded the PDF for free.
The reason I wrote that book isbecause Phil Wiley was having
(11:29):
breakfast with me at DEF CON afew years ago and he asked me
why I haven't written a book.
And the reason he asked me thatis because I have a really
interesting family history andI'll kind of give you the TLDR.
But yeah, when I was born, myparents were bikers criminals.
My dad was a drug dealer.
(11:49):
When I was a young child, I wasthere when we got raided and my
dad went to prison.
When I became a young man Ifollowed in those footsteps and
worked for a couple of years asa criminal.
I had a boss who was a knownorganized crime figure.
(12:10):
We traveled around the countryand committed lots of crimes and
I have firsthand experiencewith social engineering and
being a threat actor.
I kept that a secret for a longtime for obvious reasons.
I was never arrested orconvicted of anything.
So I have a clean background,which is very helpful.
(12:30):
But it was kind of a thing thatI always wanted to share with
the world and get off myshoulders and I felt ashamed of
who I used to be.
So I wrote a book about it.
I tried to get it published bysome publishers.
They didn't think I was famousenough, so hey, fair enough.
(12:51):
But I decided to self-publishit.
I wrote it myself, I hired aneditor to proofread it and I
hired a typesetter and Ipublished it on Amazon and it
was an interesting experienceand I had a lot of people that
were supporting me and wanted meto share my story.
(13:11):
And it's interesting becauseit's really counterintuitive to
share with the world some of theworst parts of yourself and the
fact that you were a bad guyonce, and now you're a good guy
and you try to teach people hownot to get, how not to be
victims of people like you usedto be and people like the
(13:32):
redemption story arc.
So I don't regret telling itand it's been very cathartic and
it's been very therapeutic tobe able to share that and almost
break down crying in front oflarge audiences of people.
But yeah, so if you, if you wantto hear that whole story, check
out my LinkedIn.
It's, it's on there.
It's a PDF.
(13:53):
But once, once it was clear,all the people that were
supporting me had a copy.
I stopped selling it because Inever did it to make money.
The people that were supportingme had a copy.
I stopped selling it because Inever did it to make money and
in hindsight I wish I had spentmore time on it and I could
easily make it two or threetimes as long.
I remembered so many morestories that I left out and you
know it was a personalexperiment and I'm glad I did it
(14:15):
wow, that's uh.
Speaker 1 (14:19):
I'm glad to see that you you, um were able to put
that down in writing and andshare it.
That's a lot to share with theworld, and I'm glad to see that
you're on on the good side ofthings now.
Um, that's a great likeredemption arc story, um, and I
know that you have a lot of umknowledge and experience that
(14:42):
you can share with people thatare going through the bad side
of social engineering, andthat's so amazing that you're
now helping people.
Speaker 3 (14:55):
And not only am I using my experience to be a
security practitioner and tohelp people you know and teach
people how to think like athreat actor and how to you know
, understand how an attack works, but also like a side benefit.
That's really meaningful to meis I can always count on at
least one person coming up to meafter I do a talk.
(15:17):
After I do a talk, or even onLinkedIn.
This morning, I got a messagefrom someone who who read my
book or someone who'll see mytalk, and they'll come up to me
and they'll say that my story isso similar to theirs and they
they appreciate like myvulnerability and like seeing
that we don't have to be definedby our past and we can be
(15:39):
whoever we want to be and we can, we can take what?
may have you know, beentraumatizing, and we can reframe
that in a way that's empoweringand it's yeah, that's the only
reason I still do the talks oror share my story anymore is
just for those like thoseindividuals who really resonates
with and who who reach out totell me things.
(16:01):
That's an amazing feeling.
Speaker 1 (16:09):
Yeah, you're taking control of your destiny, and
that's wonderful.
Speaker 3 (16:14):
I'm trying, neil, are you going to ask me a question?
I see you over there.
Speaker 2 (16:21):
Certainly, certainly, see you over there, certainly.
So, uh, just real quick, Iactually um first came across
your work in, uh, this volume of2600, where you do our article,
um, but uh, just thinking moregenerally, like you've obviously
(16:42):
held a lot of different rolesand done a lot of different
things over the years.
What's something you've changedover the years, like, is there
certain processes or advice thatyou would have used to give
that you wouldn have necessarilydo today, now that you know
(17:02):
more?
Speaker 3 (17:05):
I think I'll just direct this towards like career
advice.
I do a few talks on likehacking, the hiring process, and
I think my general advice topeople is, when you're first
starting out, be as general aspossible and, like I know,
(17:26):
everyone wants to be like a pentester or they want to be a SOC
analyst, and I think I would.
I would recommend people takeroles that are in IT help, desk,
tech support, networking whicharen't cybersecurity, but they
are foundational and I'm old, soI came from a time where you
(17:48):
had to be in networking and ITfor a long time before you kind
of graduated to cybersecurity,and I'm really happy that there
are less barriers to entry nowand I'm not a gatekeeper, but I
also find my networkingexperience is very valuable.
So it's tempting to want toskip all of that and just go for
(18:10):
Security Plus and then try togo for your OSCP or go into like
a SOC analyst role and I thinkit's good to build your
foundations first and get someof that experience there.
Be general, but try to identifywhat your specialty is going to
be as early as possible andreally look very broadly,
(18:31):
because cybersecurity is so muchmore than just pen testers or
SOC analysts.
I mean there are dozens anddozens of domains and it takes a
while to kind of checkeverything out and experience
different roles.
And I mean you might find thatyou love GRC.
I mean there's something foreverybody in this field and it's
really a lot of people thinkthat being a pen tester is very
(18:54):
sexy and it can be, but very fewpen testers are out there doing
like red team, covert entries,Like most of them are just
sitting in a cubicle.
It's very automated.
It's very much about writingreports.
So a lot of people they thinkthey want to be pen testers and
they finally get there andrealize that they don't really
(19:14):
like that and there's so muchout there to try.
So another thing I just want tofinish up this thought, and
this is something that I alwaysrecommend and some people take
this advice and some peopledon't but get involved with the
cyber community.
I mean, your viewers arewatching this, so they're
already part of that ecosystem.
(19:36):
They are probably in a cyberdiscord and they probably go to
cyber conferences and theyshould keep doing that and they
should volunteer and they shouldbe active on LinkedIn and other
social medias and be a part ofthe community.
Every job I've gotten for thepast 10 years has been through
my network and through word ofmouth.
And yeah, it's something that Iknow a lot of people don't like
(19:59):
because a lot of us areintroverts and that's okay.
Just push yourself a little bit.
I used to be very shy.
My first talk I told Ednaearlier about.
I had a panic attack and it washorrible, but I just kept doing
it and I've been on huge stagesnow and I don't get stage
(20:20):
fright anymore.
I know that's not typical forpublic speakers.
I know I'm a psychopath, butthe more you put yourself out
there, the easier it gets.
So join a local DEF CON or 2600group or whatever you have in
your area.
Go to B-Sides, volunteer, checkout the Social Engineering
Adventure Village.
Just try to be part of thecommunity.
Speaker 2 (20:44):
That's so very true.
One of my favorite pastimes nowis convincing people who've
never gone to a conference to goand have peer pressure, you
know, and come see what it'slike.
Speaker 1 (20:56):
Peer pressure.
That's my favorite too.
Love it.
Speaker 3 (21:05):
Look, introverts need someone, some extroverts, to
come in and adopt them and, like, force them to do things, and
I'm totally willing to be thesocial nerd.
Speaker 2 (21:10):
So, yeah, just be careful if I'm wrong yeah, it
just changes the dynamic.
If you're by yourself andyou're trying to break into like
one of those groups of people,uh, it can be.
An extra person makes it mucheasier to get into that dynamic
oh, you're right, it's.
Speaker 3 (21:25):
In some places it's tough, like my first defcon
group was dc530 in chico,california, and I love those
guys but like I had to go totheir meeting like five or six
times before anybody would talkto me, I would just like sit
there awkwardly and, like youknow, some, some groups have a
little thick, thick exteriorthat you have to get through.
You know hackers can besuspicious people but you just
(21:48):
keep showing up and you knoweventually it'll all work out.
Speaker 1 (21:54):
You end up wearing down there their thick armor.
All of a sudden, you're one ofthem.
Speaker 3 (21:59):
Yep Exactly yeah, not every group is like that, just
for the listeners there are somevery welcoming groups trust me,
I run a group, and edna, do youdon't?
You run a group down there tooyes, dc47 exactly so like we
(22:20):
would love for you to join ourgroup.
It's like very hard to findmembers and like it's such a
struggle.
So, um, join a group and beactive.
Speaker 1 (22:33):
And, yes, we love you Exactly.
Yeah, we even have virtual ones.
So if you don't have a DC grouphome, you're welcome to join us
.
Anywhere in the world, we havepeople from other countries.
Come join us.
Speaker 3 (22:45):
You guys have an awesome group and you're always
doing cool things.
My group is small.
We struggle out here, but we'realso really close to DC801,
which is the first DEF CON groupin Salt Lake.
Speaker 1 (22:56):
City.
Speaker 3 (22:58):
They're a really established community.
We're in the county just southof Salt Lake so it's challenging
, but we're doing what we can.
Speaker 1 (23:08):
That's okay.
You have a group for the peoplein your area.
Sometimes people feel likeanother group is too far.
Speaker 3 (23:16):
We don't want to drive all the way up to Salt
Lake.
Speaker 1 (23:18):
It's like 20 miles.
Speaker 3 (23:19):
That's so far.
Speaker 1 (23:20):
Exactly, there's a group for everyone.
I'm glad you have a good groupright there.
Even if it's small, it's a goodgroup.
I've joined your Discord.
Your members are awesome people.
They're cool.
Speaker 2 (23:35):
I mean, it depends on what you're trying to achieve
too.
A lot of times, if the group istoo large, it can be kind of
hard, as a new person coming in,to actually make those
one-on-one connections.
Speaker 3 (23:48):
Totally.
Speaker 2 (23:51):
So you don't have to do it all at once.
You can start out smaller forsure, so true yep, absolutely.
Speaker 1 (24:00):
As long as you're consistent, your group will grow
and exactly, just show up justshow up, keep showing up dude,
like you have no idea how truethat is.
Speaker 3 (24:11):
Like people know of me and I get a lot of really
cool opportunities and part ofthat is just I just kept showing
up and I've just been aroundfor a long time.
So, yeah, don't, don't give up.
And I know it's really hardright now for people who are
looking for jobs and you've alot of us have been lied to that
there are all these unfilledjobs out there and I know it's
like really challenging, but youjust like don't give up.
(24:33):
And I love this statistic.
I don't know if it's a realstatistic, but it sounds really
good, so I'm going to say itanyway.
So it's just that gritcorrelates higher with success
than intelligence.
So, like, the people who justlike don't give up are more
likely to be happy and succeedin the end versus just having,
you know, a skill set that youknow may be better than yours.
(24:56):
Like for me, I I get a lot ofjobs and I'm not the most like
technically, like advancedperson and there are people who
are smarter than me, but I bringa lot of other things to the
table and part of that is justbeing part of the community and
my network.
So don't sell yourself short.
Speaker 2 (25:12):
Right.
I think that goes to show justhow important communication is.
It's not just about thetechnical skills You've got to
be able to communicate theconcepts to other people.
Speaker 3 (25:21):
I mean, soft skills are key and I have friends who
are hiring managers and yeah,that's really discouraging, I
know, for a lot of people whoare introverts.
But you won't work in a silo.
You will work on a team, youwill have to communicate and you
will have to have you knowyou'll be able to communicate
through verbal and throughwritten skills.
If you become a pen tester, amajority of your time is going
(25:44):
to be writing reports.
So like find ways to to, tobeef those up, join a toast
masters group, join a local.
Speaker 2 (25:53):
Just gonna say that, you know, I think, uh, one of
the things that frustrates methe most is like people acting
like you can't learn theseskills.
You absolutely can.
You just have to practice itagain and again I wasn't good at
public speaking.
Speaker 3 (26:05):
The first time I did I was awful.
But there are ways to learn andpractice and, yeah, there's a
lot of opportunities out thereif people really want to do that
.
Speaker 1 (26:15):
Absolutely, and I think that's a great final
thought for today.
So thank you everybody forlistening to this episode of
Security Chipmunks, where wekeep chipping away at it.
Make sure to like, comment,subscribe, do all the things,
push all the buttons here and wewill see you on the next one.
Take care.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Special Summer Offer: Exclusively on Apple Podcasts, try our Dateline Premium subscription completely free for one month! With Dateline Premium, you get every episode ad-free plus exclusive bonus content.
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.