
June 23, 2023 • 74 mins

Did you know your involvement in open source communities could lead you into an exciting cybersecurity journey? Join us as we chat with our cybersecurity enthusiast guest, Olivia, who made her entry into this intriguing field through Reddit's open source community. We discuss the potential dangers of malicious code uploaded to open source repositories and the importance of staying updated on secure coding practices.

Dive into our conversation about Olivia's experience double majoring in computer science and security, where she faced challenges in understanding vulnerabilities in coding and their fixes. We also emphasize the significance of companies providing their application security teams with access to the source code to ensure better testing and secure coding practices development.

Lastly, we explore the value of traditional education, online learning, boot camps, and certifications in the cybersecurity industry. We discuss the importance of engaging learning experiences, a supportive community, and spreading positivity and motivation to others. Don't miss out on this insightful discussion with Olivia, where we uncover the fascinating world of open source and cybersecurity.

Support the show

Merch: https://cyberwarriorstudios.com/store
Youtube: https://youtube.cyberwarriorstudios.com
Twitch: https://twitch.tv/CyberWarriorStudios
Twitter: @CyberWarriorSt1
Discord: https://discord.gg/eCSRzM6mJf


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
Welcome everybody, welcome back. It is me, it is the Cyber Warrior, this is Cyber Warrior Studios, and I know you are all here for Security Happy Hour. And I've got an amazing guest and amazing show plan that synco to mount, Cinco de Mayo, Revenge of the Fifth, and it's fray as day. So it's going to be an amazing episode. So I hope you're all here for it. I hope you're all here to enjoy. And I promise you, if you hang

(00:25):
with me for just a second, we'll be right back. And we're back and look, hey, real quick, there it is, the sound of Security Happy Hour kicking off.

(00:47):
And this evening I have the one and only Olivia, and I'm going to butcher the hell out of that last name. I'm going to try. I'm going to try. So how you doing?

Speaker 2 (01:02):
this evening, Olivia, I'm doing wonderful. How about you?

Speaker 1 (01:05):
I'm fantastic. I mean, come on, it's a Friday evening and it's Revenge of the Fifth and it's Cinco de Mayo. So you know, the chaos is bound to ensue. That's just what we do around here. So how was your day, Olivia? How was your day?

Speaker 2 (01:23):
My day was great. I went to the gym for the first time in a very long time and very excited and very proud of myself.

Speaker 1 (01:31):
You know my wife keeps telling me I need to go back to the gym because she started going back to the gym and she's like you really get something out of it, especially because of your back and all these other things, because I'm broken. And I'm like, yeah, probably. But you know I don't like going after work, and before work requires me to wake up at like 430 in the morning, so kind of see how that plays out. And hey, for everybody listening, if you hear any

(01:55):
background noise is because my son refuses to leave my office. He is currently building a new Lego set for the Slytherin house. So just so you're aware. Anywho, Olivia, I got to ask how did you get into cybersecurity? I want to ask that first before we get into the education aspect of the show.

(02:15):
How did you get into cybersecurity?

Speaker 2 (02:18):
Sure. So it all actually started with open source, specifically open source on Reddit. When I was in 11th grade, my computer broke. And at that time I had just gotten into robotics because I transferred schools and I was like, wow, like I didn't know robotics could be an

(02:40):
extra curricular and all that. So I was getting into computing and, since I was a newbie in the space, I had to rely on a lot of, you know, online materials. Try to catch up to my peers so I could, you know, talk about computers and stuff with them, and my robotics teachers like, hey, you might enjoy programming and all this. And there wasn't those resources at my school, so I'd watch

(03:02):
YouTube tutorials and try to create my own programs. That, when it came to debugging, I had nobody to ask. So I went to open source multiple open source communities on Reddit and people would spend hours helping me. And that community aspect was just something I really enjoyed. And so I was like, okay, I love open source, but I don't really

(03:24):
have that like, I guess, career goal with it, and so I wanted to figure out what I could do with my career in open source. And so one day I was on an airplane and I downloaded a Netflix documentary about the hacker group Anonymous.

Speaker 1 (03:41):
And that one.
It's a good one.

Speaker 2 (03:44):
Yeah, it's great. And so at that moment, when they were talking about like the Egyptian internet shut down and like all that stuff, I knew exactly what I wanted to do with my career and it was offensive security in the open source space. And at that moment I it was such a strange moment because I knew exactly what I wanted to do and that purpose and that drive has stuck with me and that same goal.

(04:07):
I've maintained it since that, that day in the 11th grade. And yeah, so open source was what got me to the tech space and it's kind of what keeps me here. The community and offensive security is just the thing that I enjoy doing and want to make sure that I can spread knowledge and, you know, help people in that space.

Speaker 1 (04:29):
So prior to um, because, because I know you're, you're, you've got your or you're working towards your degree, correct, yes, okay. So prior to getting your degree, with open sport, open source, okay, I'm doing a show, buddy, you got to, you know, cut me a

(04:49):
break here tonight. So, with open source and with everything you've been doing. So we all know open source was good and bad, right, depending on if the person reviewing it has the ability to really review the code before they do. Hey, yeah, we'll accept your pull request or your pull, what I think is a pull request push request.

Speaker 2 (05:11):
Yeah, I can't remember.

Speaker 1 (05:13):
Before we accept it we got to review it and make sure that it's all valid. So that is how you can see sometimes malicious code get uploaded onto, like GitHub and these different repos that are open source. So when you have these issues, have you come across anything like that in your time?

(05:33):
you know, going through open source because I do a little bit of open source. The last company I worked for was heavily open source on what we kind of went with. Have you come across a lot of malicious stuff?

Speaker 2 (05:45):
Oh, all the time, and it's interesting when you use the word malicious, like I think there has this connotation of like, oh, someone knows they're doing something bad. And yes, those things happen where people you know will accept pull requests from other people, well intentioned or otherwise, and they just don't really know how to review the

(06:06):
code and it just breaks everything. Heck that that help that happens at, you know, like that happens all the time. I think in almost any time you're collaborating with people like someone might, you know, change the wrong branch or whatever, and it just messes everything up. What I think is really interesting is when it comes to the knowledge of programmers and when people who are just, you

(06:26):
know, making personal projects and all that stuff, program something insecurely and then other people use that source code in their code and now their code also has the same source code, also has the same vulnerabilities, and they don't update it. And so it just creates this like really insecure cycle that just never gets fixed. And yeah, so there's a lot of

(06:48):
insecurity in the open source space and it's sad because I think sometimes people like view it as this thing that nobody should use now, when in actuality people just actually have to look at the code, review it more and be more trained on how to properly review code and ask for help when they don't know what they're doing.

Speaker 1 (07:07):
And I think you know, when you're looking at things like some of the vulnerabilities we see in open sources, like buffer overflows, and you know things that really just expose an application which you know, part of me is really happy that I believe it was Twitter. I believe it was Twitter that went open source. One of these closed off applications I don't know. I don't keep track of open source.

(07:29):
Not gonna lie, I like. I find applications that I like, for instance, like Lee Baird's Discover Scripts of me and him have talked a lot. There's a few other applications and programs I've used and I pay attention to those, but I want to say it was. I know Microsoft release some things. I want to say Twitter went open source.

(07:50):
This is where we found some issues within the code, where people were pointing it out with screenshots, like look what they're doing. This is BS type of deal, but I think open source can bring a lot of attention to the nuances and the issues with code. Well, at the same time, I think sometimes we rely too heavily

(08:13):
on the community to be like oh yeah, this is good, just download it and go. You're good to go, everything's okay because it's open source and you should trust the community. That's like trusting an exploit developer that their code is not going to hone your own system.

Speaker 2 (08:29):
No, and that's awesome. I love that example too. I just recently I had to restart, like er, like erase my whole computer, and I have like a test computer that I just like run like absolute garbage on, and I've used the same one for four years. And so I've learned so much in the past four years. How is it still living, I know.

(08:51):
And so so much stuff had broke because I would go on like these random, like blogs and tutorials, blindly, follow them just like executing stuff. I didn't know what was going on. And like my like the computer was just nothing worked anymore. And I was just like okay, this is what happens when you just like blindly install stuff and

(09:14):
just rely on public resources without knowing what you're doing. And in my defense, though, I've been learning over the past four years and all that and I don't do that anymore, but it really shows what can happen.

Speaker 1 (09:25):
Well, so we got it. We got a question here from Misha, one of my warriors and part of the family, so we are going to bring that up here in a second. I got my buddy Will here with another comment, but which, by the way, all the warriors in chat, thank you for being here, love having you here. As always, you're all amazing people and part of the family. Now I will say, though, on your note of having a computer for

(09:47):
like blowing shit up my personal computer for years, because I custom built all my computers was I've always done that, right until I started working in security full time and had to like segregate kind of what I did and started using more virtual machines. I had a computer this is back into MySpace days and anybody

(10:09):
who knows anything. Yes, I'm kind of like leading my age here of how old I am, but MySpace was all you could do, all HTML code, and so you were allowed to exploit a lot of people and really do a lot of damage to to individual users. But there was always these pages. Hey, download this to see

(10:31):
this page. Now, me being me always knew was malware. I was always like, fuck, you know it's not going to happen. But then I started delving more and more into security and I was like you know what? Let me see what this does. At one point, yeah, it was the worst thing I could have done because I was like download and I was running Windows Vista Ultimate 64 bit.

(10:51):
I had dumped a ton of money into my computer. I had like eight or 16 gigs of RAM at the time. I forget what it was. Like, literally I could have ran this thing into the ground. It would have been fine. And so I got hit with this because I can't. It was a bomb of some sorts. Basically just ran pop up after pop up and it was like a logic bomb or something like that.

(11:13):
And I ended up I was like I got to kill this. How do I kill this? And I was like hold up. And I'm like hitting control, shift, escape and you know, trying to get into my task manager. But even if you killed it, it came back and you know. So eventually I got into like MS Config or something like that, killed it from startup, rebooted my computer and just never ran

(11:36):
it again. I didn't even get rid of it. I literally was just like you know what I don't want to fuck with it. Just never run again. Never. As long as you never start up, we're okay, because that's how bad it was. I didn't even want to deal with it. So, yes, I have blown up some computers because you look at it and you're like, oh, this is going to be bad, this is really

(11:57):
going to be bad. And I had the UAC, I had everything. Are you sure you want this to run? Yeah, sure, go. No, no, I should have said no, I should have. But on that note, we do have some questions here. First, from Misha, for those who may be newer explain open

(12:18):
source and offensive versus closed and defensive in layman's terms. And I will say this as basic as we can take it, down to kindergarten, Crayola, Marine style. Yeah, I'm a soldier, don't get at me. As basic as we can take it, because I do have friends and

(12:39):
family that are trying to get into security and IT but don't necessarily understand the terms. So, Olivia, if you can explain this in the best way possible, Yeah for sure.

Speaker 2 (12:49):
And that's actually in terms of breaking things down. That's actually why I turned to Reddit instead of Stack Overflow. The terms that were used in Stack Overflow were so technical I couldn't understand them, so I'd have to go to Reddit and ask for people to break things down so much because I just couldn't read Stack Overflow. So I totally understand that. Open source is when you can view

(13:14):
source code, so the stuff that programmers write. People will put that code on the internet and it is now open source. Open source is a catch all term, though. So just because someone makes something public, it doesn't mean that you can always use it, redistribute it or modify it. That's where certain things called freedoms come in, and

(13:38):
there's something known as free and open source software, where the free stands for freedom, not like free as in free gear. And the freedoms is where you can, number one, see the code. It starts with zero, but I forget which order then. So it's like can you see the code, can you modify the code, can you share the modified code, and how do you redistribute it?

(14:03):
So that's what open source is, and so just remember that open source is a catch all term and it just means you can see source code. Hold on.

Speaker 1 (14:13):
Let me stop right there. There's open source. I've seen a few licenses come out and I know we're breaking this down kind of basic. But I've seen a few licenses come out for open source. So does GitHub, which is where a lot of your open source code resides these days. I've seen they provide a few different licenses for the code

(14:34):
that you put up there. So does that break down the differences between the type of code that you're releasing, whether it's completely free, free but with a pay type deal, free with hey, you still got a contact. That's a lot of stuff. You're using it like that type of deal.

Speaker 2 (14:49):
So the license itself is very long and, yes, it does break it down. If you're inside GitHub, though, and you're selecting the license, it will put up this little helpful banner up at the top, and it will just show check marks like oh, does it include a warranty? Oh, does this support paid? or whatever. And so those little checks at the top are very helpful, and it will break it down very simply, and if you just want to know

(15:12):
what like if that description isn't helpful enough for you you can actually search. I think, like Creative Commons offers like a very simple breakdown of what each of those terms mean. You can see exactly what that license will do, and like very simple terms, because, honestly, reading the licenses themselves is often a pain.

(15:32):
So, yes, it will break it down up at the top, or else you just have to read the license or just Google it on.

Speaker 1 (15:41):
Creative Commons. All licenses are a pain. So now let's dig even further. So, before we get into offensive and defensive, let's go into closed. So what would be closed source code? Something that you view as closed source?

Speaker 2 (15:55):
So closed source code is just like when you don't share it. So if you have a proprietary application, you just don't share the code and you just rely on people to use it hopefully not reverse engineer it to discover things, and just keep it up with it, why we never do that, why that never happens.

Speaker 1 (16:20):
Yeah, and that's one of the big things, but I find that as one of the problems, right. So, even in you know, when you're working in cybersecurity, you do things like AppSec, and AppSec is huge for this. Are you going to allow me to see your code, because you've got a lot of vendors, you've got a lot of companies out there that build their own code and their own applications, and some of them are very tight-knit and they're like no, you're not

(16:40):
allowed. All right, well then, I'm going to break it, but I don't know what I'm breaking or how, because you're not letting me see the code. So I don't know what variables or what you know equate. I don't know how I'm breaking this. I just know I'm breaking it or how maybe the wrong term. But I don't know what part of your code I'm breaking. I just know that I'm breaking it.

(17:01):
So I think that, in terms of AppSec, these people that want to be closed source but still want someone to, like pen test their application, really need to open up that source code to the companies they're going for, because that will allow someone to look through and actually help you develop more secure coding practices, which is what I think a lot of programmers

(17:22):
lack, and it's not because they're not intelligent, it's because they're taught the easy way to program and just make things work versus hey, this is how you securely code things, it's how you prevent buffer overflows, it's how you prevent this and the third. So that is where I think releasing that source code to

(17:44):
the companies that you have an NDA with you have all this stuff with you should really probably give your AppSec people the source code so that they can properly test it.

Speaker 2 (17:55):
Yeah for sure, that's actually a huge problem. When I decided to attend college for this, I decided to double major in computer science and security. And my main goal was to find a school that actually understood that these were two different subjects that needed to be separated, because

(18:15):
it really frustrates me when people are like, oh, CS is security, no, no, it's not. So a lot of schools had done that. My whole goal with double majoring is so that I could understand code enough to be able to look at it and read it and all that and then understand security and the ways that I

(18:36):
could actually check my code and check other people's code, because one of the problems that I had talked to some of my mentors about and people in industry about before going into college was how security people couldn't actually communicate how their code was vulnerable and how to fix it. So they were in a scanner and they'd be like, well, it's vulnerable here, it does this thing.

(18:56):
The programmers would be like I don't know where to fix it. Where in my code is this issue being caused? And I was just like, wow, this makes a lot of sense. And I wanted to make sure that when I told people that something's insecure, that I could actually tell them what exactly it was so I could help fix it.

(19:16):
And when it comes to consulting and stuff, I recently started doing freelance consulting. That has been my biggest frustration, where smaller companies will be like we want you to pen test our company before we preach sorry, not preach pitch to investors or

(19:38):
whatever. We want you to sign off on it, but we don't want to share any source code. And I'm like you just want me to sign off on something saying that you're secure and do nothing. It's very frustrating.

Speaker 1 (19:50):
That's the equivalent of like. So this is my problem with companies today, and so for anybody listening, whether now in the chat or afterwards, this is my issue with companies looking for a pen test or a red team engagement, even though they're not even up to par to get a red team engagement, is they put this very closed scope on it, like, hey, don't test our production systems, we're going

(20:13):
to give you these subnets and that's all you get. If you go outside of that, we're coming after you. Type of deal. Like look, an attacker is not going to give a damn what type of scope you have. They have all day, all week, all month, all year to come after you if they truly want to. So when you put this limited scope and you say only go after

(20:34):
Dev and test or only go after these, and if you say, all right, well, what about this IP address over here? And they're like, oh no, no, if that gets hit too hard, that'll bring the system down. So you know you have a fucking problem, but you don't want to expose that problem to higher ups to get it fixed. There's a problem. I'm seeing here people come on. So and I see that in code too,
(20:59):
where there's a problem, i can'ttell you how to fix it because
I can't see the code.
And now you're not giving methe code to tell you how to fix
it.
Like we can go round and roundhere.
I'll tell you what thevulnerabilities are, but I can't
tell you how to fix it if Ican't see what you've got
written down.
And so, yeah, that's veryvaluable And I think they need

(21:20):
to implement more secure codingpractices into your CS programs.
And the problem with that is oneof the top CS programs in the
at least a nation, if not theworld, is Carnegie Mellon.
And when I drove Uber, i droveUber for a while, drove some CSP

(21:41):
students and I said, oh, whatlanguages are you learning?
As good as Carnegie Mellon is,they don't necessarily teach a
particular language.
They teach the foundations ofhow to do certain things and how
things should react andinteract and da-da-da-da.
So how are you gonna teachsecure coding if you can't teach
someone how to really secure aparticular code?

(22:03):
So you're teaching properpractices but not secure
practices necessarily.
And that's my issue When one ofthe top schools in the world
are not teaching a particularlanguage and every language has
its own way of securing it.

Speaker 2 (22:22):
That's not just CMU, though.
One of the benefits of going tothe Rochester Institute of
Technology and, i think, similarlike tech schools is that the
majors become very specific.
For example, we have a softwaredevelopment or software it's
called software engineeringmajor.
We have a computing securitymajor and a CS major.
Cs is something that's so broad, and so you end up studying CS

(22:44):
theory.
It seems like CMU is spending alot of time on the theory
aspect rather than teaching thesoftware development side, and
when you look at RIT softwaredevelopment program, there's so
many languages, there's so manythings to learn in terms of
securing things, and so even ifyou do major it's something like
software engineering you're notactually gonna get the

(23:07):
experience securing thatlanguage.
Same thing with computingsecurity.
When we do our programmingcourses, security is huge.
There's incident response,there's offensive security.
In offensive security there'seven further breakdowns of that,
and so like yeah, like there'sso much to teach people.
It's kind of frustratingbecause CS programs also don't

(23:36):
update their curriculum verymuch.
So when they do teach programs-.

Speaker 1 (23:40):
You say very much, I'd say at all, let's be honest.
I mean half of the fuckingexploits they put out there,
like Windows XP, MS-06-017 orsome shit like that, like it is
the most basic exploit out thereAnd we'll get into that when we
talk about offensive anddefensive measures.
But seriously, now thesecybersecurity programs are like

(24:01):
oh yeah, run this exploit and itjust works.
Yeah, fucking just works, Causeyou're running Windows XP,
maybe Windows 2K, And seriously,if it doesn't work, you got a
fucking problem.
So you're not wrong, you're notwrong.
They don't update shit.
Okay, Just let it go Ask yourcollege who's running Windows 10
.
We're not.

Speaker 2 (24:22):
What about Windows 11 ?

Speaker 1 (24:23):
Fuck you, that's too far ahead.
We ain't gonna do that shit.
Sorry, i just need to chuck alot of that, cause the
military's even worse.
The military in theircurriculum is even worse than
colleges.
So, yes, you're absolutelycorrect.
They don't update shit for shit.

Speaker 2 (24:45):
That is.
That's actually one thing Ifind really interesting.
I did a presentation where Imentioned something like that.
It was like it was like thestate of like Maryland, or it
was New Jersey, like somedepartment had their website
hacked twice the same waybecause they didn't fix it.
And I was just kind of like,cause the first time, i think

(25:08):
like some kid did it, and thekid explained exactly how he did
it, exactly how he fixed it,and then they didn't fix it and
then they got hacked the sameway again And I was just like
how did this happen?

Speaker 1 (25:20):
Cause, like explained it, they hit that five.
They hit that five.
They hit that five.
That's how.

Speaker 2 (25:26):
It's all better, we fixed it.

Speaker 1 (25:34):
So so I love that because, yeah, it happens.
Companies don't fix they'repointed out these
vulnerabilities, how they werebroken into, all these issues.
They don't fix it.
So let's, let's break this downa little further.
Right On top of this, she saidMisha said open source and
offensive versus closed sourceand defensive.
And I want to get into this alittle bit, because offensive

(25:57):
and defensive are different, butyou can even flip those to open
source and defensive and closedand offensive.
Break down your view ofoffensive security.

Speaker 2 (26:10):
Inventive security to me is just any form of
attacking something and yeah,there's no, I think, morals
behind it or anything.
it's just attacking somethingAnd in the career sense it
usually means attackingsomething and trying to see if
there's a way to either fix itor if there was a way to prevent

(26:31):
it, either at that time or at alater date.

Speaker 1 (26:36):
So what about the defensive side?
The?

Speaker 2 (26:38):
defensive side sorry.

Speaker 1 (26:41):
I was gonna say with the defensive side, where do you
go with that?

Speaker 2 (26:45):
It really depends, because sometimes and this is
kind of what frustrates meThere's a social engineering
aspect that happens all the timeAnd it's completely unavoidable
, and when it comes to incidentresponse and defense, you always
have to rely on the userfailing, on the person who's

(27:05):
using the thing failing.
And it frustrates me whenpeople are like, oh, we need to
teach people more security,education and all that.
It's like no, let's just assumethey're not gonna do it, let's
just assume they're just gonnafail, because there's always
gonna be that edge case.
And so, when it comes tosecuring something, i think it's
really important to actuallylook at what the exploit
developer did.
What did that red team do?

(27:27):
What type of thing did they doto actually harm the systems
once they got in?
And once you protect the waysthat they were able to go
through a network or whatever, ithink those are kind of the
best ways to secure something anetwork or a device Because it's
like people are gonna clickstuff they shouldn't, people are

(27:51):
gonna do things that theyshouldn't.
And, unfortunately, painting apicture that like, oh, education
will fix everything, i think issomewhat flawed, and that's why
I really try to focus on thetechnical aspects of it Because
I've seen personally.
I've seen more results withjust fixing the original problem
of what they were able toexploit than just saying how

(28:14):
about you stop reading youremails Like.

Speaker 1 (28:17):
I mean, let's be honest, most blue teams give up
reading their emails becausethey get so many alerts that are
just bullshit.
And when I think about it, thisis where purple team comes into
effect, because any red teamerworth his salt and this is why I
say if you're a red team, youshould know blue team, if you're
a blue team, you should knowred team.
Any side worth his salt shouldbe able to explain how to do

(28:41):
each other's job.
So if you were a red teamer,you should be able to go in
there and be like hey, did yousee this?
Did you see these logs?
Did you see this event?
Did you see whatever?
No, okay, we need to fix yourlogging system or the events or
the alarms, because you shouldhave caught this and stopped us.

(29:02):
If you didn't, we got a biggerissue.
So that is where I think theeducation comes down to knowing
both sides, which is, by the way, now that we know both.
I'm gonna get to my buddy'scomment here in a little bit,
but I'm gonna hide this one.
This gets me into more of theeducation side of things.

(29:23):
You are currently going throughcollege, correct?
Yes, i can't stand college,even though I have a degree.
I absolutely despise it, but Iunderstand the need.
So, with that and understandingeducation, do you feel that

(29:46):
YouTube and Google and Reddithave been more valuable towards
your education of the field notnecessarily just getting a
degree, but education of thefield have been more valuable?

Speaker 2 (30:05):
No, it's because I don't think that they're
actually all that comparable.

Speaker 1 (30:10):
Okay explain.
I'd love to hear it, pleaseexplain.

Speaker 2 (30:13):
I absolutely love college.
I'm not sure if you looked atmy LinkedIn, but I hope to
graduate within the top 1% of mydegree program.
I love academics and the reasonwhy I like school so much is
that it creates oneaccountability system So you're
able to, i guess, track yourprogress very easily, and I like

(30:36):
the ability to mark my learningwith a rank like that I get
100% on a test or whatever.
And studying isn't reallyeverything, because half the
time when I said, i don'tactually remember what I was
studying.
But I really like thataccountability structure.
Number one, number two, when itcomes to education and CS and

(30:57):
security and all of that.
Everybody has to searchsomewhere And, yes, it's bad to
just be like, oh, run thisexploit on Windows Vista or
whatever.
But if you have never actuallyran an exploit before, you need
to have a grounding point, astarting point, and when people
go to college, most peoplehaven't actually done this stuff

(31:19):
before, and that included me.
So it was very helpful toactually see what these things
actually look like and whatthey're doing.
When it came to also withschool, is it you have somebody?
you can ask My biggest problemand why I had to rely on Reddit
so much when it came to openresources was that I didn't have
people to ask.

(31:40):
I didn't have people who werewilling to always spend time
with me to answer questions, andTAs and professors despite how
expensive they are overall canreally do that, and especially
at a university, like a lot ofkids don't actually use it live,
uh-oh.

Speaker 1 (31:57):
You're just.
I had made you big, It's allyou.

Speaker 2 (32:01):
You're okay.
Okay, i was like hey.

Speaker 1 (32:04):
I have control.
I want them to hear and see you.
That's all it is.

Speaker 2 (32:08):
I was like oh no, but yeah, a lot of kids don't
actually utilize the professors and the TAs and all of that, and
so what just kind of happens is that they get this degree.
They don't actually understand what they're doing. And it's like
wow, like great, you didn't really learn anything here.
When it comes to Reddit and YouTube and all that, if you

(32:28):
have a lot of drive and motivation, you could probably
learn everything that I learned in college from YouTube.
It's just do you have the people that you can ask?
Is the help and support that you're getting on Reddit quick
enough and fast enough to keep you entertained?
And for me, as much as I love Reddit and rely on it heavily to
learn and grow and still to this day, I heavily rely on

(32:50):
Reddit, is that structure of learning always going to work
for you? Is it fast-paced enough?
And for me it wasn't.
And yeah, so I really like college.
That's the experience I get from it, and it really just
takes the type of person.
Are you going to benefit from that type of environment?
And it's not always a yes for some people.
For me it is.

Speaker 1 (33:13):
Yeah, and that's the big thing, right, it's all about
what we're going to get from things.
It's all about what you're going to get out of it, and I
stand behind this right.
No matter where you come from, no matter how you grow up, you
get out of any college, any institution, any high school,
any school in general, what you put into it.
If you don't show up for class, if you don't ask questions, if
you don't kind of push the limit of the education system that's

(33:36):
there for you, then you're not going to get anything.
But I also feel like, at the same time, that there is a lot
you can get outside of college that you don't necessarily get
from college, due to your point, Olivia, and my point as well,
that some of these systems and these curriculums are too far
behind the curve of what is really going on in the world,

(34:00):
and so that is where I think college could benefit, and this
is where I think college does benefit.
It gives you more of the foundations.
It gives you more of what is security.
What are the foundations of security?
What are the foundations of IT?
And this was my problem when I went for my master's degree,
which, by all means, I never finished.

(34:20):
I will not lie, I never finished my master's degree,
mainly because I hated writing papers and that was how all
finer grades were determined.
Is, you know,
it came in as an introduction.
This is a firewall, this is a router, this is da-da-da-da.
It was like a basic security, basic IT class. And I was like
homey, I've been in this field for I don't know how many years,

(34:43):
I really don't need this class in a master's degree program.
And they were like oh well, we're taking it because we have
other people from other areas.
I'm like huh-huh.
Masters for me means you have the prior experience.
Not hey, you have experience somewhere else and we just wanna
pull you into a master's degree program, like that didn't work

(35:03):
out for me, but from a bachelor's program or an
associate's program.
Understanding the foundations of security, IT networking, system
administration, help desk, all these things make utter and
complete sense to me.
Don't even get into all the operating system and intricate
details of the current operating systems. Just to understand how

(35:25):
all these things communicate.
That makes sense. And so that is where I think college could
be invaluable, because that never changes.
The OSI model will never change.
The TCP/IP model will never change.
These things are gonna remain the same.
If you can teach these foundations, then a lot of

(35:47):
people can get a lot of benefit from college versus boot camps
which teach just a topic. Security Plus is only gonna be
Security Plus.
CCNA is only gonna be networking
in Cisco terminology. Net Plus is only gonna be networking.
So I find that college has a benefit if you find the right

(36:10):
one.

Speaker 2 (36:12):
No for sure.
And also that's actually.
I have a really, I guess, like angry point, I guess, about one
of the things you mentioned when it came to you going into a
master's program with prior experience.
I've noticed that some kids, when they go in undergrad or
masters or whatever, they already know what they're doing.

(36:33):
They know a lot about what they're doing and they won't be.
Also this couldn't be me.
I have had no idea what I'm doing, so I've needed all those
foundational classes for the record.
But some kids know what they're doing already and it's
frustrating to both them and me that they can't get out of that
class. Because one, that kid's bored to death, because they

(36:55):
don't wanna be there.
They already know everything that's gonna be taught in that
class. And in many ways the academic program is really
holding them back.
And I had a wonderful manager last summer and his whole
philosophy is that if people enjoy what they're doing,
they're gonna learn more, they're gonna be a better

(37:16):
employee and all this stuff, and he really just changed my
thinking about how employment should work, how education
should work and all of that.
And if you can make things fun for people, you can make things
entertaining and allow them to utilize their self drive and
motivation to actually go through with something and get
something,
the results in the alumni that you will get are so much better

(37:39):
than just putting them through this really weird structured
system that doesn't actually serve the original goal of what
it intended.
And yes, so I really do get frustrated with academic
programs that just kind of force kids that have already put in
that effort to just sit there and be bored.

Speaker 1 (38:01):
Yeah for sure.
And that's one of the biggest things to me because I went in
so I never finished my masters.
Prior to that I had a 3.8 or nine, and it was because of one
class.
I got an A minus. And it was because I taught the class and
then pissed the teacher off because she knew I was the one
to talk shit when I said she doesn't know a damn thing.

(38:23):
So of course they're anonymous, but when you're the smartest
person in the class, including the instructor, she knows who
said what.
So I do wholeheartedly agree that she knew it was me and was
like your final paper is a D, fuck you, like you failed, I
don't know, but I just.

(38:49):
I look at it and it was one of those things.
I taught the class at the smoke pit during breaks.
And one of the biggest things for me was I went up to the
instructor because I was still kind of in the middle.
I knew the offensive side of things.
I didn't know the defensive side of things, because all of
my career, all of my instruction, had all been offensive.

(39:10):
I can break into anything, I can do anything, da, da, da.
And so she had brought up IDSs and IPSs.
So for those that don't know, that's an intrusion detection
system and an intrusion prevention system.
One detects, one prevents.
And I said all right, let me ask you a question.
And now I knew the answer to an extent, but I wanted to hear her

(39:33):
answer as the instructor to tell the class, because it was
something that was never brought up.
And I said if you have an attacker breaking into your
network and they get stopped by something, will they not know
that there is something in their way?
And her response and I would love for anybody in the comments

(39:53):
to correct me if I am wrong in this thinking but her response
was it depends on how much money they spent.
What does that have to do with them being stopped and being
able to see that they're stopped?
So I ask you again if somebody breaks in or is attempting to
break into your network and they get stopped, what are you

(40:19):
telling me here?
Well, it depends on how much money they would spend.
And I was like lady, you done told me you worked at the NSA,
the CIA and every three digit agency out there.
And you're telling me money dictates whether or not they
will know they're being blocked by something.
And it went round and round.

(40:40):
And so, finally, I was like you know what?
Fuck you, I'm done and I'm out.
And so I taught the students firewalls outside of the smoke
pit.
I taught them IDSs, IPSs, all these differences.
I sat there and told them all this. And so, when it came to the
final paper, I got like an A minus or a B plus or something

(41:03):
like that.
I don't know.
All I know is it ruined my 4.0 for my master's degree.

Speaker 2 (41:08):
Ooh, it's down.
That's so upsetting.

Speaker 1 (41:11):
Right.
And so when I moved and I couldn't take the course again,
like I couldn't finish my degree because it wasn't quite online
yet, I was kind of like I ain't even mad at it, like I don't
even care. When you hire a teacher like this,
no, I'm done.

Speaker 2 (41:25):
No, that's-.

Speaker 1 (41:26):
When that is your response.
Is money, not technology.
We got an issue.
I'm out.

Speaker 2 (41:33):
No for sure. And I think problems like that are
probably seen everywhere, like where there's like a power
imbalance and stuff.
I had one terrible experience with a professor and this is
what ruined my 4.0.
And this professor would literally call me miss below
average in class.
Like it was absolutely wild, and he refused to hold office

(41:55):
hours.
So I started sending him like emails every two days, like copy
and paste the same email every two days, over and over and over
again.
And cause I was just getting so annoyed, cause there was a few
times he would schedule an office hours with me and then
cancel or just not show up, and so I was just getting so furious
that I was like I'm just gonna be annoying.
So I just I started doing that. And I got a grade that I was

(42:18):
like, how on earth did I get this grade?
I got like a hundred percent, like all of the assignments and
all this crazy stuff, and so I reported it. And the great thing
was that in this instance it was actually all written, like
everything was written, so like the insults and all of that, and
so I was like, wonderful, I have evidence.
And then the people who I had to go through wouldn't actually

(42:41):
allow me to submit that evidence.
So it became a he said, she said, and I was like, how did
this happen?
I like this is like the one time I actually have, like you
know, written, like I have the receipts, and so it really
frustrated me.
And you know, I hear stories like this all the time from tons
of universities and like even like people at work not at my

(43:06):
work, but like just like in general, like it's a pretty
common experience. And it's sad when you're smarter than the
instructors, it really is, but I want to.

Speaker 1 (43:17):
I want to tag on here because, sacred goddess and she
knows I'm not going to say her real name because I can't
pronounce it, especially now. She knows who I'm talking to.
And we got a lot of people saying I'm intimidated about all
of these 4.0s.
Let me let you in on a little secret.
I graduated from computer information systems with a GPA

(43:39):
of 2.67.
Yes, I graduated, I had my degree.
I still have my degree with a 2.67.
So don't get it twisted.
I did not graduate with a bachelor's with a 4.0.
I drank, I played video games and I still made my way through.

(44:00):
So, yes, do not worry about your GPA, because it doesn't
mean a damn thing about what you know.
I just wanted it for my master's because I wanted to
show something off and I never finished.
So fuck it.
You're damn right.
I didn't even try, Mrs Tarver, I'm not even gonna try, but yeah

(44:27):
, it's crazy.
So let's take it a little bit to this education thing because
I think it has value.
I have mixed feelings on college.
I really do.
I think it gives a lot to the social construct.
I think it gives a lot to allow people to build themselves as a
person.
My problem comes into more.

(44:50):
It's more financially right.
That's where my issue lies is the financial aspect and the
lack of curriculum, because they don't keep up to date.
But I think if we make it standard that you're gonna learn
the foundations here, you have to build on your own, then it
has more of a standing.
What say you to that?

Speaker 2 (45:12):
I think that's totally valid.
And when it comes to college and I think we've already made
this point it's like you get what you put in.
And for me personally, it's like conferences, like
independent learning, Reddit and I just putting Reddit in its
own category because like answering and responding to
questions, creating my own questions, just trying to learn
more about a subject, and also like pursuing internships and

(45:37):
other opportunities, these are things that kind of have to go
with your college experience in order to even get the most out
of college, which is kind of weird.
And yeah, I really just think that people have to have a very
holistic education. And if people are not investing, I guess, in

(45:59):
everything, it's pretty easy to fall short.
And yeah, and when it comes to the expenses of it too, the
whole thing with a 4.0, right, the main reason why I cared
about 4.0 so much is that when it comes to applying to
scholarships, so many people apply to scholarships because
all you're doing is writing an essay.
Writing essay, you get what a thousand to $10,000?

(46:19):
Like sure, I'll write you a couple paragraphs to get some
money, like sure. And the amount of money that it takes to pay
for a degree these scholarships get extremely competitive.
But when you have a 4.0, because a lot of them will
filter by GPA when they review scholarships, they just will cut
out all the applicants that don't have above a certain GPA.

(46:42):
And I kind of realized that my 4.0, it was a numerical thing
and I could help get that money to help pay for my degree, and
so that was a really big motivator because, even though
it doesn't, and it's actually so funny how people put so much

(47:04):
weight into it, people.
So I have a 4.0 and one of my very close friends like there
was times where he would forget to submit his homework and he
had spent like hours helping me with mine.
I'd get 100, he'd get a zero. And I just I think it's so funny
.

Speaker 1 (47:23):
Well, I was like I laugh at that, because that was
like when I was going for my master's right. Again, I was
friends with everybody.
I taught them at the smoke pit. I'm a smoker, when I get done
with this show, I'm gonna go have a cigarette.
That's kind of how things go.
But I laugh because at the smoke pit I taught them all this
.
And so when I got my grade and I was talking to all these
people that were like, wait, you got what? They're like.

(47:45):
I got an A, I got a 4.0.
And I'm like, yeah, she didn't like me.
They're like, yeah, I can see that.
I can see.
That is why.
And Mike, so that is why I look at this and I'm like, yeah, I
get it.
I get it. Cause it's like you help everybody else and she's
just like you know what, I know you're smart, but fuck you. Like
we don't care.

(48:06):
I get a chuckle out of that. Cause you were able to get the
grade and he was like shit, I forgot to turn it in.

Speaker 2 (48:17):
Yeah, it is so funny.
I absolutely.
I have an amazing friend group here and I do think it's very
funny how like so many people will like help me with things
and all of that, and then like their grades just like won't
match up because like they won't make like the worksheets in
time or whatever, and like they're so much smarter than me.
And it's just.

(48:37):
It's very interesting, cause it shows how much like prestige
and numbers and stuff factor into the way that we judge
people and how like we don't always look at people as people
and said we're like, oh, you have a 4.0 or oh, you went to
Harvard or something, and we just like marked that person as
smart. And then the person who actually helped them get there
is just kind of like there.

Speaker 1 (48:59):
Which, by the way, you mentioned Harvard and I know
it's just kind of like a wordy throughout there and ecology
throughout there.
But still, let's be honest no matter where you go to school,
it's just a fucking name. The curriculums are the goddamn same
.
No matter where you go law, doctor, whatever you can't learn
something fucking different, because you're gonna learn the

(49:21):
same shit.
To be a lawyer or a doctor or in cybersecurity, it's all the
same.
So why the hell does the name matter?
I'm just gonna throw it out there.
Why spend $100, $200, $300,000 to go to a school when you can
go to a state school, get the same exact damn education and
learn the same thing?

Speaker 2 (49:42):
I've okay, I actually take issue with that one.
The reason why I think a lot of kids don't go to state school
is because it's actually more expensive than private schools
are.

Speaker 1 (49:52):
How so?
Please explain how so.

Speaker 2 (49:55):
So if you're a kid who did well in high school and
you apply to a private college, that is like slightly below what
your stats are.
Your stats would be something like your GPA and your SAT score
.
The chances you will get a presidential scholarship to a
full ride are quite high.
A lot of schools really care about their rankings, and the

(50:15):
way that they improve those rankings is by having kids with
high SAT scores and incoming GPAs and all that, and so one of
the reasons why I went to RIT despite the curriculum and they
also have an open source program and all that was the fact they
gave me so much money. And a lot of kids that I know did the same

(50:36):
thing.
Because it's like if you have a really high SAT score and GPA
and all that, you can go to college for essentially free.
When you go to a state school, though, there's so many kids who
go to state schools and all that, and the chances that you
are going to be picked to get special finances or whatever
over a kid who has extreme financial circumstances or

(51:00):
whatever are quite low.

Speaker 1 (51:03):
So And I see your point on that, because that
makes a lot of sense. And that your private schools, your
Harvard, your Yale, your whatever your tier one, D1, D2,
D3 schools however you want to think about it they have the
opportunity to give more scholarships, more money for
your capabilities in what you bring to the table.

(51:24):
However, for any of those out there still funding it
themselves, state schools are still cheaper.
They still get the same education and you're still going
to get the exact same thing.
So, in terms of money, yeah, sure, if they're going to give
you scholarships, that covers basically 90, 99% of your

(51:44):
tuition go for it.
Room and board, yeah, go for it.
But in terms of education, I don't think, in my eyes, the
education differs.
I think the money given differs, not the education, because
really, when we think about it, how can you give a different
education for something like a lawyer, a doctor, cybersecurity,

(52:06):
IT, whatever?
It's all the same foundations, it's all the same information.
And if you're giving different information, we got a bigger
problem.
That is legitimately a bigger problem if you're giving
different information.
Couple of lawsuits, like if you say, the OSI model has nine
layers, not seven.
We got a problem we got to talk about here.
Ha ha, ha, ha ha.

(52:27):
So that's the way I look at it, but I get your point on why the
money matters.
I didn't have scholarships.
I still got $56,000 in student loans I got to pay for, which,
by the way, if anybody wants to drop down in the description of
the YouTube video that you're watching right now and donate to
the Cash App or PayPal or whatever the fuck, I'll sign up

(52:49):
there.
I'd greatly appreciate it, cause I got a lot of student
loans.
Just saying, but I do have some other stuff here and I want to
get back to it earlier.
One so that we can drop down in the more Programmers, by nature
, don't think about security.
Does it get the requirement done?

(53:09):
If so, it gets deployed.
Very true, and you, as someone who loves open source,
understands this that this is the way a lot of programmers
have been taught.

Speaker 2 (53:20):
So I want to say And it's also the environment that
is enforced at a lot of companies that can't hire
security teams or where the security teams don't have a lot
of power, because, you know, ideally, once you program that
code right, that would be sent to someone to actually test, to
actually review that code, and all of that, and hopefully, you

(53:41):
know, companies will factor those decisions into their
deadlines, and I think a lot of times they don't, though, and
that's where that problem comes in.

Speaker 1 (53:50):
Yeah, and I think when you're looking at a lot of
that, like even looking at, so I look at a lot of like web app
security.
I hate web apps, I hate trying to pen test web apps, because
it's not like a network thing where I can just scan it and go
through the steps.
It is like, okay, does it have SQLi?
Does that have something in the source code?

(54:10):
Like there's no steps you can really follow.
So when I look at things like that, I look at programmers and
applications.
Again, there's really no steps you can follow.
It's let me look at the source code.
Let me see if there's buffer overflow.
Let me see if there's this.
Let me see if there's that.
I'm not an application person, so look, that's why I'm not

(54:30):
throwing a bunch of terms out there.
I don't fucking know applications, don't judge me,
but you look at all these things. And I think again.
I think it is programmers who are taught to make the blinky
lights blink.
If it don't blink, you're at fault.
If it blinks, then if it gets pounded, then it's not your

(54:52):
fault, it's somebody else's.
We're gonna blame it on DNS.
That's the staple way they think, and so I do.
I look at this and I'm just kinda like that's how
programmers are taught.
Just make it work.
It could be the ugliest fucking code.
No comments, no, nothing, make it work.
All right, best I got you.

(55:13):
We're gonna open up Telnet to the world and we're gonna open
up FTP to the world, because that will allow people to talk
to us and we'll be okay.
Oh my gosh.
But you see that shit.
You see that shit to this day.

Speaker 2 (55:32):
No, and it is.
And it's weird because I really like to stress that security and
programming are usually two different things. And so if
you're someone who's just interested in software
development, you wanna make your specialty like I think that's
fair.
It's just people need to at least think about security and

(55:53):
know that they don't have that knowledge to be able to test
something.
And one of the things that I've gotten really frustrated with
developers with is when I say something's insecure and I can
prove it, and they just say, oh, don't worry about it, like it's
gonna be fine, like nobody's gonna care, and I'm like but if
I can find it, and if I'm at sophomore college and I've only
been doing this for two years, like there's people who are way

(56:16):
smarter than me, like with malicious intent.
So I just wish people there was a little bit more humility
there, because I don't necessarily think they do need
to care. And like in terms of like knowing how to find it,
it's just listen to the people who do know how to find it,
because then bad things happen. And if you don't listen to them
and then you point fingers, it's like no, that was just your
(56:37):
fault. And so I.

Speaker 1 (56:40):
And then you look like an.

Speaker 2 (56:41):
A-hole.

Speaker 1 (56:42):
I'm not gonna lie, because I came back.
So I got my GREM, I got my reverse engineering malware
certification from SANS. And when I came back from the training,
before I got the certification, I was going through like Hack
The Box and a bunch of other shit just to kind of like keep
up to date on reverse engineering stuff.
I had a 17 year old school me.

(57:04):
17 years old. This motherfucker schooled me. And I was like I
didn't even know how old he was or her, I don't know.
I don't know.
It was some random name on Discord.
We were just bullshitting. And I was like look, homie, I just
gotta ask how old are you?
He was like 17.
I had to tie him up as 34.

(57:26):
I was like I'm 34 years old, you're schooling me in assembly
and C and Python and everything.
As 17 years old, you're schooling me in all things that are even
older than me.
This is ridiculous. And I'm proud of you.
Can you please teach me?

(57:47):
But I think that is what we're lacking, right.
And when we look at education, when we look at whether it's
boot camps, whether it's colleges, whether it's school of
YouTube, whatever the case may be we're lacking the inability
to realize that people younger than us, people that have been

(58:07):
alive 15 years old. My 15 year old knows more shit than me on a
lot of things.
I ain't gonna lie, he fucking does.
So when you look at these things, we are so elite that
we're like, oh, we can't learn from them.
Not this guy, this guy's like.
My son was like, oh yeah, you can do all this on Discord. And I

(58:28):
was like teach me please.
I'm an idiot.
Please teach me.
I got a 17 year old schooling me on reverse engineering shit.
Go ahead, please teach me, cause I'm an idiot.
I can't figure this shit out. And you got these elitists out
there that literally talk down to people, just breaking into

(58:48):
the field, where it's like, look, homie, they might know more
than you.
Actually, they probably know more than you, cause, guess what
, they grew up with this shit, not you, just saying they grew
up with it.
So, setting that, and I'm gonna get on a rant if I keep going I

(59:10):
want your opinion on something else. Your opinion on boot camps
versus colleges.

Speaker 2 (59:19):
I haven't done a boot camp.

Speaker 1 (59:21):
Okay, let me try to restructure this question to fix
that. If you had a boot camp that was given more towards the
test or more towards the knowledge, which would you pick?

Speaker 2 (59:36):
A boot camp.
What is it?
The college because of the social stuff, or what?

Speaker 1 (59:45):
No, no, no, no, maybe I said that wrong. The knowledge
, not the college.
So a boot camp geared more towards the knowledge of the
certification that it's going for, or just the test.
So either pass the test we'll give you a 98, 99, 100%

(01:00:05):
guarantee you're gonna pass or we're gonna teach you your shit
and if you understand the concepts and what goes in and
all this other stuff you still have to understand these things
and then you'll pass.
So we're not gonna give a percentage on passing passing
percentage, we're just gonna tell you if you understand these

(01:00:27):
concepts, you'll pass.
Kind of get more understanding about that.

Speaker 2 (01:00:34):
No, I definitely do. And I think a few things are at
play.
It's I think some people will always view people without
college degrees as being inferior. And I think, when it
comes to boot camps and stuff, if like boot camps or

(01:00:54):
certifications or whatever like, if you take something like the
OSCP right, people actually have genuine respect for that.
People look at it and they're like okay, that's cool.
There's a lot of other certifications, though, that
people just don't like like.
They look at it and they're like great, like it's so great.
You did that And-.

Speaker 1 (01:01:12):
Cool.
Have fun.
That's amazing.

Speaker 2 (01:01:14):
Two thumbs up, yeah and it's like, when it comes to
the boot camp, it's like, even if you can get your skills and
all the things that you need in that boot camp, can you get
people to take you seriously?
And for me it's like that needed to be taken seriously.
Like, will people view me as a valuable person to hire?

(01:01:36):
Like I think that's the question I would have to ask
myself. Is it a reputable program?
Even if I do get the skills, will people still look at me?
Will people look at me any better?
Because that all those things go into employment, all those
things go into the way to how we treat other people.
And I'm not always sure, just because I don't actually know

(01:01:59):
enough about boot camps, so I don't know how to like rank them
.
Like is this a good boot camp?
Or like, if I was an employer, like the boot camp would have to
be reputable.
Because I think a lot of times I think employers kind of rule
out people without degrees, wrongfully assuming that people
with degrees are like smart because they went to college for

(01:02:22):
four years for some reason.

Speaker 1 (01:02:25):
I want to call it four years.
I ain't gonna say I'm smart.
I mean I am smart, but it's not cause I got a degree, it's
because I've been doing the job for 15 plus years.
It has nothing to do with degree, cause I gotta get degree
in computer information systems to taught me ethics and a
little bit of computer science and a little bit of everything I
self taught myself, everything I know in terms of security.

(01:02:47):
So this is why, when I hire, I am now a practice manager.
So when I get to the point where I can hire people, I don't
give a damn about your degree.
I don't give a damn about your boot camps, I don't give a damn
about your certifications.
I care about how you put yourself out there and are you
learning.

(01:03:09):
If you're learning in public and have no certifications, then
that matters to me, because now you're putting yourself out
there.
Now, if you're not learning in public but you have
certifications, great, I'm going to interview you and test you
on those certifications and that knowledge that you have.
You taught me how to circuit Security Plus.
(01:03:31):
Cool, what's port 443?
What does that do for you?
What does HTTPS do for you?
What does DNSSEC do for you?
What do these things do for you?
If you can't answer those questions with a Security Plus,
then I have no need for you because you can't answer the
basic questions that are implemented in the certification

(01:03:53):
you say you have.
I can teach technical anything, but if you have a basic
knowledge, you should have a basic knowledge.

Speaker 2 (01:04:04):
No for sure.
And you made a point about learning in public, and I think
that's probably the most important thing anybody can do,
because when I made that point about boot camps in college or
when I said my opinion on boot camps in college, I was assuming
that I had a piece of paper that said one or the other.
But when you can actually show that you know something through
a blog or through research or whatever, you're actually able

(01:04:27):
to prove that you know something.
And so when people hire others because there's times where I'll
see posts on Reddit and CS majors how are these people
doing it?
They don't even go to college or whatever. It's like,
no, they have a really well-developed blog with a lot
of research. So people actually know that they know what they're
talking about.
And if you don't have those things, like sure you have a

(01:04:49):
degree from MIT, but it's like you've done nothing to prove
yourself.
And when you're just relying on resumes to get through an ATS
scanner and, hopefully, someone at some company.

Speaker 1 (01:05:02):
Well, where'd you go?
We lost her all of a sudden.
There you are, you're back.

Speaker 2 (01:05:10):
Sorry, but yeah, when you're just relying on an ATS
machine to fill to your resume, it's like no crap, people aren't
going to trust you, aren't going to trust your knowledge.
And so, yeah, I think learning in public is probably the
biggest thing, because it actually shows that you know
something, rather than a piece of paper that just says you did

(01:05:31):
something.

Speaker 1 (01:05:32):
And on that note, I will add in the importance of
networking, right.
So this is all about education.
Let's not lie.
This show is supposed to be all about education and the
importance thereof. And I do. As much as I hate the cost of
college and I think it literally is destroying people's
opportunity to get an education.

(01:05:55):
I do think of that as value.
I do. Don't get me wrong, I have a degree.
I think colleges, boot camps, whatever training you can get,
you get what you put into it.
It has value.
However, the cost of college and even boot camps and SANS
and all these other trainings these days even look at OffSec

(01:06:16):
and the OSCP the prices are outrageous.
Like shit is just getting unreal to where the general
population can't afford it.
So, yes, I do think it has value, but I think it has a
limit.
But if you're learning in public, you're looking at your
TryHackMe's, your Hack The Box, your hey, I found this

(01:06:37):
vulnerability.
Or hey, I'm building Security Onion. For others that don't
know, I have a playlist out there about Security Onion.
Go ahead and start running it on your network.
You can fucking do it, homie.
You know you look at these things.
You can do Blue Team, you can do Red Team, you can do GRC.
All this stuff is out there for you to learn free of charge.

(01:06:58):
But if you're not putting out there what you're doing in
public, it damages everything you're giving.
I have gotten many of my jobs based on the fact that, well,
guess what?
I've talked to people that know what I can do. And I've been
doing this show and doing technical content and doing

(01:07:19):
everything else that I do for years now.
So, guess what?
Put your face out there. Put your name out there.
I don't give a damn if you give yourself a handle like well,
you can't take mine, the cyber warrior is taken, but take one
for yourself.
But then attach it to yourself, make it who you are, and you

(01:07:39):
will get somewhere.
People will recognize you know, you see you and understand that
you know your shit.
If you don't want to go to college, that's fine.
I don't have a master's degree.
I got a bachelor's in computer information systems.
My education comes from self-taught YouTube, trained,
homie, YouTube, trained.

(01:07:59):
That is where I got all my information, not from anything
else.
And then we got man.

Speaker 2 (01:08:07):
I got so many.

Speaker 1 (01:08:08):
I can't even read all the YouTube chat right now
because me and you are having such great conversations, but
this is the way I see it.
So, when you're looking at education, so we're well over
the top of the hour, well, almost 10 minutes.
So I want to end this.
Before I end it, I want to get your final thoughts.
For those that don't understand the foundations of IT and

(01:08:31):
cybersecurity, I'm talking acronyms, technologies, things
like that, right, so me, I grew up building computers.
It is very hard for me to give this advice, because I grew up
understanding hard drives, memory, TCP/IP, all this stuff.
As someone who came around a little bit later in the game,

(01:08:52):
what advice would you give to newcomers breaking into IT and
cybersecurity to learn the tech, the knowledge, the acronyms,
things like that?

Speaker 2 (01:09:03):
For sure.
The first thing is to pick a subject that you want to know
and watch a ton of YouTube and, like you know, Udemy and stuff
on it, and the reason being is that you have to build a
foundation that you can actually ask competent questions and do
things with.
There will come a point in your knowledge where something or in
your process of learning whatever subject you pick, say

(01:09:27):
Python or Java or whatever that you're going to need to debug
something.
You're going to need help and you're not going to have people
to ask.
And you need to make sure that you get through those points.
One before deciding to actually pursue something before, like
signing up for a course or a certification or enrolling in
college, and just to make sure that you're actually want to do

(01:09:51):
that thing that you did.
Because when you're motivated and you start, you know, reading
books and doing certain activities that only that
specific niche does, you will then be able to start slowly
understanding that vocabulary and all that.
But that takes time and you have to have motivation to
essentially suffer through it, like your own ignorance, to be

(01:10:14):
able to learn and pick up on all those things, because just
Googling, you know, a certain word and all that won't always give
you the context that you need to know for how something
interacts with other things and all of that.
And so that that context and that understanding only comes
with time and experience and, honestly, pure frustration and
problem solving.

(01:10:35):
And if you can't make it through those periods, you know,
maybe you should take, you know, try, different subject within
the security field or you know, adjacent career or something,
because I think a lot of people would benefit from just trying
out like severe problem solving before jumping into something.

Speaker 1 (01:10:59):
Yeah, that's, that's fantastic, because it is.
I've got some family members, I've got some warriors that are
trying to break into the field, or at least trying to understand
the field, and don't really understand how they're not able
to grasp them on the terminology and how to learn the
terminology because it is very difficult.
And so when I came up, I understood hard drives and RAM

(01:11:22):
and all these things.
I learned it as I went, did my research. And again I'll date
myself: 56K modems, going to a store, talking with somebody and
me and talking my dad or somebody else about figuring out
what the hell this shit is.
And I did it.
Now, to this day, can I tell you what a graphics card and all
these fucking numbers and shit mean?

(01:11:44):
Probably not.
I'm not a gamer.
I don't understand the gaming aspect of things, but I
understand.
Hey, if I have this much memory and a piece of software uses
this much memory, then I know how it's going to interact.
I know how these things are going to work.
So, valid point. It is very frustrating.
You got to do your research. If you, if you see something like

(01:12:04):
RAM.
Okay, what does RAM mean?
Well, it means random access memory.
Okay, what the fuck does that mean?
Well, it means that this is temporary storage.
This is da, da, da, da.
So it's gonna.
You know it takes a lot of research, so completely
understand.
Thank you, Olivia.
That is very valid and everything you said. And you're

(01:12:25):
not wrong.
It is very frustrating for anybody new breaking into the
field.
It is very frustrating especially if you don't
understand hardware, IT networking, operating systems.
It can be very, be very difficult to understand the
security aspect of things, because how can you do a buffer
overflow if you don't understand how RAM works?

(01:12:46):
Just saying, how can you SQLi if you don't understand how SQL
works and SQL statements, all these different things?
So it all goes hand in hand.
You have to understand your target and what you're trying to
do.
No saying that. It is Freya's day, it is revenge of the fifth, it

(01:13:09):
is Cinco de Mayo.
I truly hope you all are spreading chaos and love
throughout the world, because that is what we do here. Motivate
each other, love each other, show each other some support.
Olivia has been amazing, absolutely amazing, and without
her it would have just been me, and I know y'all love this beard

(01:13:30):
.
I do, I do, I need a straightener, but I know y'all
love this beard, but otherwise, look, I love you all.
Please be sure to tune in next week to another amazing episode,
the Security Happy Hour right here on Cyber Warrior Studios.
I am the Cyber Warrior, I have with me my guests, Olivia
Galucci, and I will see you all next week for another amazing

(01:13:54):
episode.