Here with us today is the one and only @maderas !
Be sure to comment any further questions you have and to vote for our next guest in the Poll at the bottom.
Thanks for stopping by!
Professional Career and Advice
1. For starters, can you tell us a bit about yourself and your current role/job/work?
I am a guy who believes that InfoSec/Hacking is my best chance to make the world a better place and leave/make an impact that outlives me.
I’m obsessed with making an impact upon the world; I believe that this art (hacking, by which I also mean Red Teaming/Penetration Testing) presents me with an opportunity to make this world a better place.
I think that to achieve all of the latter, I must endeavor to share all that I learn/experience to help this game evolve.
As the bar rises, those who work toward being the best they can be evolve as well.
I believe that if you are afraid to share everything you know, then you are not working hard enough.
Much of this experience originates from my career. Since January of 2011 I’ve worked as a Penetration Tester/Red Team Operator.
From the beginning, I have focused my skill set on real world, adversarial tactics. This involves a ton of extra study /prep on my part, as I need to track down the work/C2 of BlackHats in the wild study/train until I can emulate their tactics.**
For the last few years (and ever on into the future if I can help it) I’ve endeavored to only work in sectors where I believe I can make an impact that is meaningful to the world at large.
In the past, I’ve worked as the Cybersecurity Penetration Test and Vulnerability Assessment Lab for Schneider Electric and as Senior Red Team Operator/Penetration Tester for National Grid.
Currently, I am between gigs and doing volunteer work for Tutanota (pentesting their next e-mail platform) and running the #CyberpunkisNow project via Twitter, which seeks to create a dialogue between people around the world as to how technology continues to permeate our civilization.
I also release original InfoSec content by my Twitter account, which has grown rapidly and is now reaching millions of screens after only 3 months
2. How did you first get into the field? (What was your first hack?)
As long as I can remember, I wanted to be a hacker. I saw a cable news story about The L0pht when I was 12; as a son of Massachusetts, I realized that this was happening in my backyard. I could do this…
As for my first hack, when I was working a customer service gig I used to hack around on the Intranet. The buildings HVAC systems had default creds & the Intranet itself was horribly insecure. I used to bring a live distro of Knoppix STD into work and practice there…nothing really malicious, just exploration.
3. Can you give a rough map from your beginnings to where you are now?
As far back as 2006-2007 I was screwing around with Knoppix STD in my former employer’s Intranet (with their permission) after work/on breaks (I was also maintaining AV/AM and that kind of stuff though it wasn’t my or anyone’s job).
By 2009 /2010 I was using Google’s bug bounty program as an excuse to practice vs. their networks/infrastructure; in December 2010/January 2011 I started doing consultant work and officially entered the world of professional InfoSec (where I have been professionally ever since in some form).
4. What is one of the biggest struggles you overcame? And what’s been the biggest lesson you’ve learned in your career?
My biggest struggle was also my biggest lesson: learning that in most big businesses, most of your managers/fellow employees arent going to care much about InfoSec. It will almost always take a back seat to profitability.
You have to realize that you yourself are there to help ensure the profitability/prosperity of your employer. Solutions are almost always going to be way more important to them then problems.
5. Any advice for someone trying to land in a similar role/job?
Understand the actual basics of Computer Science/Networking/It. You should endeavor to be able to exploit a system/network with the minimal resources possible.
I focused on living of the land from the very beginning of my career/training; it requires that you invest in actually learning things like Windows AD administration & not cutting corners in you training/study, but it is a priceless skill set to have.
Learn defensive skills; spending some time as a Network Analyst is invaluable. Again, the solutions are almost always worth more to the customer/client/employer then the problems.
Make friends with IT & System/Network Administrators if you are working an in-house position. Buy them coffee, talk to them often; there is usually a mutual interest in your and their interests that can result in an incredible skills/knowledge exchange.
You should learn to value all of the skill sets/experience of all the technology employees around you and endeavor to establish relationships based on mutual respect and skills/knowledge exchange.
If one of these employees is a greybeard Unix guru, they will provide insights into Linux/Unix Administration that are priceless (and almost all those I met could/would talk with me for hours, which was incredible).
We all suffer imposter syndrome; not knowing something is ok as long as you endeavor to learn it.
And ICMP/ping doesn’t have a dedicated port; managers running technical interviews love this question.
Fun, personal stuff
6. Windows, Mac, or Linux What do you run?
I run Linux; usually Devuan (Debian without System-D), Qubes or On the job, I am OS agnostic; whatever gets the job done. If possible, I will try to suggest/demonstrate the value of open source, but I am not going to be an obnoxious neckbeard about it.
7. Programming language(s) of choice?
Python 2.7, bits and pieces of many other languages. Mainly enough to change/alter code in exploits/tools to get it to do what I need and recognize vulns like deserialization.
8. Do you use a mechanical keyboard? Is it ortholinear?
No; I use plain old HP keyboards; I’ve seen some of the mechanical keyboards that have programmable tabs for scripts and stuff and would like to own one some day to build my Master Rig.
9. Do you have any other hobbies or interests outside of infosec?
Martial Arts; I’ve had 13 professional fights since 2005 in MMA/Muay Thai/Kickboxing. I’ve competed in kyokushin full contact tournaments as well; I’ve been training in some form of combative since I was 5 (my father was an amateur boxer).
I love reading; I read voraciously. I love film; anime…learning.
I am a huge proponent of self improvement, but not necessarily through self improvement gurus or teachings. I like the classics, like the Tao, Hagakure, The Book Of Rings…and challenging myself.
Challenging myself to know/exceed my limitations probably satisfies my definition of self improvement perfectly.
10. Any other fun gadgets or hardware at home/the office?
I’m a huge proponent of the Nexus 7 for Red Teaming/general computing given its power vs cost and ARM architecture; I will have material posted here about ti in 2019.
11. How’d you find 0x00sec?
The NullByte exodus; I used to number that amongst sources I checked out weekly. I lurked this place forever before joining.
12. Any other fun fact or detail you’d like to share with the community?
I admire all of your work; I have infrastructure I’ve built out to keep an eye on things of interest. I don’t know if everyone here knows how rare/beautiful the level of courtesy/talent is here.
13. Do you have any advice for new, up-and-coming hackers?
Don’t cut corners; realize tools are just a means of helping to express skills/knowledge that there is no shortcut to ascertain. Your tooling no more makes you a hacker then buying a brush makes you a painter.
14. Is there anything you’d like to say to the 0x00sec community?
Thanks for providing a home for me; I went it alone for a long time and realized the upper levels of ability lay in congress with peers. I was right; my skills have grown exponentially in the last 2 years.
15. Can you give us a HEX for your hat “color”?
No Hex needed. I’m Gray through and through. I have nothing against BlackHats; we aren’t opponents until a job or circumstance makes us so and then it is only temporary.
I’ve learned more from BlackHats/GrayHats then WhiteHat; most of it was knowledge I had to seek out/cultivate myself, but that is the best kind.
I am an ethical hacker not because it is a convenient term for marketing myself, or because a cert tells me what I am, but because my actions/work are governed by my ethics.
Thanks for joining! Vote below for our next guest. See you then!