Jack Rhysider’s origin story. With an engineering background Jack found himself doing odd jobs at first. Looking to get back into tech he “certed” up and got a job in the NOC (Network Operation Center) and eventually became a SOC architect building a SOC from scratch. Looking to do something different, he started Dark Net Diaries and it’s been an adventure since!
Jack Rhysider started his professional career in a NOC and then became a network security engineer. Doing a lot of work around hardening the network and detecting threats in the network. He became a security architect and successful built a SOC for an MSSP. Currently he’s the host of the podcast Darknet Diaries where he interviews hackers or those who’ve suffered a major attack. The podcast has experienced phenomenal growth so Jack now works on it full time.
- A glimpse into the life of a security analyst and a Managed SOC
- Takes about 3-6 months for an analyst to baseline and come up to speed
- First hack was hacking the Sim City savegame file. Dad was thrilled!
- Several years of blogging his journey in Infosec helped Jack with his communication skills and explaining difficult concepts to people.
- “As a Security Engineer, I need to know a little bit about everything.”
- “I would do things like remove (rm -f /) the whole root directory, just to see how many files I could delete before the whole operating system would crash!”
- “Be fearless grandma!”
- “I think there is a lot of shaming that goes on of people that do security wrong… that kind of makes things stressful.”
- “I think what us as security people lack sometimes is good communication.”
- “Taking on tasks when nobody asked them to take it on… in the eyes of … wherever you work… this is amazing!”
- “…I would keep corrupting files over and over but eventually I figured out which byte in the file was for the amount of money and I was able to give myself a Billion Dollars!”
Intro Music by Trash80
Outro Music by Mid-Air Machine
Getting Into Infosec
- Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
- T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
- Sign up for sneak peaks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe
Ayman Elsawah 0:17
Hey everyone, I'm Ayman Elsawah and this is getting into infosec. My guest today is jack reciter. You may know him from his excellent darknet diaries podcast, we talk about Jack's origin story and how he got started in infosec.
Jack Rhysider 0:28
do things like move dash RF, the whole root directory, right like to see how many files I could delete before the whole operating system will crash and then what will happen if it crashes
Ayman Elsawah 0:39
the offers a lot of advice from his career in infosec, from what he looks for, when hiring to how to excel in your career,
Jack Rhysider 0:44
that's how you can move into that senior role is to find projects and tasks to do and just take it upon yourself to do it.
Ayman Elsawah 0:51
Jack also walks us through a really interesting moment where he had to replace a firewall for client
really late at night.
Jack Rhysider 0:56
I give them my address, they send me this firewall. It comes in seven boxes power supply and one the network adapter card and another I think there's a fan and another box like I had to assemble this thing because it had some old clients config on it.
Ayman Elsawah 1:11
Yeah, it was really fun episode can't wait for everyone to listen to it this weekend getting into infosec News and just my travels on the webs. I found jack Miller at mechanical and Chronicle Comm. He has some pretty good guides on everything penetration testing, power show coding, ever worth checking out that site, see if there's anything there that help you along your getting into infosec path, happy new year, and I'm really excited about 2019 written a book and have some finishing touches on it. So really excited about that. I have a couple of talks and looking to do some more. So that's also exciting. It's really exciting, but also a little nerve wracking as well. Got to say, if you have any questions or comments like to get in touch, you can reach me on Twitter, LinkedIn, or email, everything is that getting into infosec comm there, you could subscribe to my mailing list where you get access to my spoof at archive updates and other insights. All right on to the show. Hey jack, welcome to the show. Hey, thanks for Haven't been really excited about being here. Yeah, thanks for coming on. Really appreciate it. Definitely very exciting. We're gonna kind of talk about either jack 2.0 1.0 like before dark net, right? Want to kind of find out what jack was doing, you know how he got into information security kind of the jack origin story. So maybe give us some background on what you were doing professionally before dark net?
Jack Rhysider 2:20
Yeah, way back a million years ago, I did go to university and got a degree in Computer Engineering. And these are always really general degrees. They never teach you like a lot about something just teach you a little about everything. So it's like one course in assembly, one course in Perl, one course and operating system. What can you really get out of one course. Right? Mm hmm. So I mean, out of that I didn't really have like a specialty. And I had a really tough time getting a job. I don't know. Like if I had this expectation that Oh, I'm worth like, $80,000 a year now and I should just go in as like a senior or something. But like I just had a really tough time finding anything that's coming out. Really.
Ayman Elsawah 2:58
Yeah, even just reading entry level engineering driver, I thought, yeah, it just I couldn't find it.
Jack Rhysider 3:04
Okay. And so I just took out an ns jobs like, I was working in a casino for a little while as a dealer, I was working in a pharmacy for a while, and just doing whatever I could to get by, okay. And then I, like, you know what, I need to go back to my roots and get a tech job. So I reasserted or I started up, I got a CCNA, the Cisco cert. And from there, I was able to land a job in a knock. Okay, and network center monitoring. It was a multa managed service provider. So we monitored about 80 different clients, their network, and so we'd monitor up down status of all these routers and switches as well as phone lines, and of course, security stuff. Mm hmm. And from there, they had like engineers that work there too. And I always wanted to be an engineer, you know, and not just watching the UP DOWN status all the time. So I eventually was able to get like a bunch more certs. I got a CCNA CCNA security CCNP They said, oh, wow, you're really dedicated. That's you as an engineer position. So I moved over as a security engineer. And that's when it kind of all clicked to me. Okay, oh my gosh, all this stuff in university that taught me a little bit about everything in tech is now coming back to me. As a security engineer, I need to know a little bit about everything. I need to have like a good solid understanding of operating systems of programming languages of all those things that they taught me and university. But now I can become a little bit more specialized in security, but still having that wide knowledge was so helpful.
Ayman Elsawah 4:34
Nice. Okay. And they ask you to go into security, or did you proactively ask her? How did that turn just an extra happen?
Jack Rhysider 4:40
Yeah, I was just kind of desperate to do any engineer position. Okay. And they were really hesitant to be like, are you sure you want this one? And I'm like, Oh, yeah, definitely security. Sure. Right. And so glad I did. Because if I would have taken like, just a data network engineer. I was just been doing BGP for the rest of my life, you know, right. Or having to go into security I think was just kind of coincidence that that opening was open, and I got into it. Okay. And so from there, I was able to really start up a lot more and just specifically security ccmp, security checkpoint security bluecoats, Certified Ethical Hacker. And like a bunch more, just turned me into a kind of a senior level role after being there for a while. And I was doing everything firewall, everything intrusion detection, monitoring, I was doing a lot of syslog analysis, hardening the network, securing the network, and then trying to find threats in the network. And then after doing that, for a long time, the company wanted to build a sock, a security operation center. And I was the architect for that. So I had to build out tools and the procedures and even get the team built up to build a sock out of nothing. And that was the hardest challenge I've ever had in my life.
Ayman Elsawah 5:50
Nice. That's awesome. So how many people were running the sock at that point?
Jack Rhysider 5:53
There were about three or four of us analysts that we're trying to watch it 24 seven and if you do the math, it's impossible for for people to walk through 24 seven. And that was really a big frustration of mine is we just didn't have enough people to launch it successfully if you ask me.
Ayman Elsawah 6:08
Mm hmm. Kind of like the over subscription model Really? Oh, yes, exactly. So a lot of the folks out there when they're trying to get an entry level job, it's going to be like a security analyst position are similar, right. So something where you are doing for some time, give us a little insight as to you know, what the life is like of a security analyst, you know, just starting out?
Jack Rhysider 6:27
Yeah. So what we would have them do is use the tool in this case, it was sim security and Event Manager, which is collecting all the logs and telling the analysts that there's something potentially a threat here, you know, rule would trigger and say, This doesn't look right. Let's look into this further. And so you as an analyst would take a look at that, and investigate. And you might investigate by doing, who is lookup on the attacking IP and what kind of system Uh attacking? Is it a is a hitting a Windows machine or a Linux machine and you kind of have to do this investigation as to what this threat is, how important is this threat? Is it legitimate threat? Is it a false alert, because if it's attacking PHP, but that's not a system that's running PHP, then we can mark that as a false positive. So it does take, you know, some time to investigate each alert to determine whether it is a true alert or not. And, you know, at that point, if it's considered a true alert, it would be escalated to an engineer to take a look at it further, an incident responder or the customer to investigate the issue a little bit more detail.
Ayman Elsawah 7:38
Yeah, I mean, there's a lot of stress with trying to make sure that what you're looking at is a false positive, you know, see if it's a false positive or a true positive. Right. So, you know, at one point, do you know that what you have in front of you is a false positive? I imagine it's a stressful environment, right.
Jack Rhysider 7:54
Yeah. And I think a lot of my texts, they just kind of erred on the side of caution and said, it's a true event. Let's make some fun. calls. And that would probably be a better way to handle it, because it covers your butt, you know, you're not going to call someone and it'd be a false positive, and then you wish you didn't, you might get chewed out a little bit about it, but the opposite is even worse is seeing something market as a false positive. And then it actually was a big event, and you didn't do anything about it. That would be you know, could, you know, lose your job over that. And so I'm just getting chewed out. So a lot of people just erred on that not knowing, you know, and I always told them to, you know, if you're not unsure, just, you know, call an engineer called person and have them help you take a look at it, see if they can determine this. So it is difficult, and I did have a challenge trying to get people trained up on knowing all the different threats that could happen, and how to rule out false alerts. So one of the things that I've noticed is, it might take about 90 days, you know, three to six months for an analyst to kind of click in their head of how to see things clearly. How to see that's a false positive how to recognize that's a true alert and kind of be a value add to the team. And so I think that six months is kind of a sweet spot. And once you get there, then you're really looking better and you can start teaching other analysts how to find false positives or not, you know, a little bit better way. So it there's just a learning curve, I think to it.
Ayman Elsawah 9:18
Tell us about how you got into tech maybe when you younger, some important influences in your life that led you to, you know, technology and things like that.
Jack Rhysider 9:27
I think my first computer was Apple, two, he and this was before windows 3.1. And then we got, you know, some IBM computer that was running DOS, we still didn't have Windows yet. And the computers just totally fascinated me. Of course, the video games were fun. But then I would start thinking things out of basic and I could do you know, basic programming to spit out all the colors or make a sound of every every frequency and hear it go up and down route, right row and I would just love experimenting with it. So those were the early days but then When the internet came along, and you could just connect with people and talk to them, and share ideas, and, ah, it was so amazing. Like he really felt like, I don't know, like the whole world opened up at that time. So it just like, you know, my parents were trying to teach me how to type but I had no interest but then when a chat room was in, I could talk to other teenagers my age and stuff, all of a sudden, I wanted to type real bad. So you know, those early days of just tinkering around on there, I think is what just struck my interest to get going. And, you know, that just stayed strong. I guess all my life. I've always had some, you know, a bunch of computers around or a lab or something to just tinker with, you know, as going through high school and college I'd find old computer parts at you know, the Goodwill store or whatever and build, you know, really cheap Linux machines just to play around with and Unix In fact, I played with every operating system at a time and I would do things like remove dash RF, the whole root directory, right? Like to see how many files I could delete Before the whole operating system would crash and then what would happen if it crashes? So, and this was, you know, on a cheap thing that I just built like an hour ago, so it was okay if I broke it because now and then when it does break, when it does get to the point where it's unusable, is it restorable and I would try to fix it from that point, you know, could I restore some of these files? Could I reinstall the drivers, whatever it was that I deleted, to try to get out of that situation? You know, because my grandma was always so worried about doing the wrong thing on a computer. And I'm like, I could fix anything you do wrong. You know, I know how to get out of any situation. Be fearless Grandma, do click anywhere, do anything you want, I can get us out of it. And so I just had that experience of and you know, the opportunity to just experiment and play and just to have it around in my house to just go nuts with and I think that really gave me the you know, the jungle gym, the lab to really explore.
Ayman Elsawah 11:52
Yeah, it's that itch. Right? That is the gist you want to scratch and then just keep exploring. Yeah, exactly. That's awesome.
Jack Rhysider 11:58
And there's always so many computer's going around in college days, like I would try running password cracking on one computer and just see, you know, a month to try to crack some passwords. They'll just keep running and running and running. And I'd see how long I could do it. And there's just always some sort of project going on.
Ayman Elsawah 12:13
Yeah, there's something about this. It's so can you remember what you'd like your first hack was and your hat could be technical, but it could also be non technical to what was your like first life hack.
Jack Rhysider 12:24
The first one I remember clearly was SimCity, which was a single player in a world building game, the SimCity one, and I got into the save game file, which was totally unreadable by humans. Okay, it was jibber. But I opened it up in a hex editor. And I started playing around with some of the numbers in there, like just it's still gibberish to me, you know, and then I would see something like, oh, there's the name of my town. And there's the date on my town the year and you could see you know, just little things like this in there, and then I would look for how much money I have. Add, and then I would change the number there. And of course, I would totally corrupt the save game file and I'd have to build a new save game file and then I try changing it again. And I would keep corrupting files over and over. But eventually I figured out exactly which bytes in the file was for the amount of money and I was able to give myself like a billion dollar swing. And dad who literally like playing the game was thrilled that he had a fresh SimCity game with a billion dollars that he could just go nuts with. Because at the time, there wasn't any other like hacks that you could do to just get a bunch of money. So we were able to do that. And that kind of shortcuts, your whole gaming perspective, you know, like, instead of spending a month to try to get a billion dollars in the game, what if I just spent a week to hack the program to get a billion dollars to me it was like the same game like it was just as much fun if not funner, to try hacking it than it was to actually play it. Yeah,
Ayman Elsawah 13:53
that Doberman effect, right. It's like, you know, that reward system that you just got? Yeah, exactly. That's cool. It's cool. And we're your parents into tech. Did you have other friends who are into tech like, this happened in a silo? Right by itself?
Jack Rhysider 14:08
I think I didn't really have anyone around me that was into tech. But being you know, once I got America Online and eventually IRC, I found those people who were into tech, I lucked out to find such a strong influencer early on who could tell me like, Oh, you should get this book on how to learn, see, and I'll even give you some challenges on how to program and see. And at the time, that person was running a mud and they let me be a programmer on a mud which is a video game. That's all text based like dungeon, the dragons, but it's all text based. And so I started programming and C on their mud. And that was, you know, some of my early projects that I was doing, learning how to program with other people and stuff. I really think it's a good idea to as you're learning something about tech is to kind of help out on another project. And there's so many GitHub projects out there in open source projects out there, that there's got to be one that you love or love the idea of, and they definitely need help. I'm sure some projects that you love, need help getting them you know, even more done. And you'd be surprised how you could help even not knowing that much about programming, you can start talking to the main contributors and say, hey, what can I look at here to try to help build this project a little bit further along, and I'm sure they'd love to, you know, help you help the project and collaborate with you because everyone needs help programming their thing. I just think it's so it can change your whole life just to be in some of these early projects, because you don't know how big it's gonna get. And you don't know how cool of a mentor you could get out of this. And there's just so many great opportunities that you can get out of helping out.
Ayman Elsawah 15:46
Yeah, exactly. I think two things out of there that you just hit on the head was get involved, but don't be afraid of getting involved. I think a lot of that latter part A lot of people are afraid of getting a vote like oh, what can I contribute? Right and just getting that confidence. What would you say about that?
Jack Rhysider 16:01
Yeah, I mean, you pick up a book, you read some tutorials I never really like, was the person that was like, let's learn this programming language and then go build something, I really have this idea of this is what I want to make, what is it that I need to learn in order to get there. And so I guess that's just been my mentality of like, what needs to be done here, and then I'll learn what I need to do in order to get it done. So if you just have the passion to like, want to build something, either build like a web app or a program, or something, you know, maybe on GitHub that you find that's cool. Once you have that passion, then nothing should really stop you because you want to do it. And you know, you have the capabilities and go to library and use a computer if you need to, like you should be enabled to just do what it is you need to do. Because, you know, you got things in front of you.
Ayman Elsawah 16:45
You know, something I've been finding out a lot lately is that a lot of security folks have this creative side to them. And it can be really big, it can be really small, right? Take for example, you know how you have the show right now you've created something. So tell me about Like your reflections about, you know, your security side, your tinkering and the creative side that you've now tapped into, and how other folks can kind of use that as far as like
Jack Rhysider 17:10
getting into the field. Yeah, I mean, I've always had this idea that I want it. I don't know, be an entrepreneur make something for myself. And so that's always been like, something I've wanted to do. But I never felt good enough to do it. One of the things that I did early on in my career as a security engineer was just start blogging. And I mean, I even started with a WordPress blog, which I think is incredibly insecure, and probably not a good idea. But it didn't matter to me at the time, because I was just like, I want to get these thoughts out. And basically, I blogged about lessons learned, where I would click that button, and that was the absolute wrong button to click. You should never type that command ever. And that's like a lesson learned. And so I would blog about that to say, Hey, remember, never push this button. And then things I would blog about are when I would try to look up something that I needed. To do on a firewall, and it just isn't in the documentation, nobody's talking about it online, there's no help. And so you're off the map. And you're learning how to do things on your own, maybe by trial and error and opening up tickets with Cisco or whatever it is. And so those situations I would absolutely blog about too, because I'm positive, someone else is looking for that same question online. And so maybe my blog can help them. But at the same time, I think the majority of reason why I was blogging at the beginning was to help myself when I need to do that again, instead of looking back in your notes, what notepad did I put that in or, or Trello card? Or did I write it down on a piece of paper, just put your notes on a blog, because it's going to help you later, but it's absolutely going to help a ton of other people as well. At this point, there's something like 30,000 people a month that visit my blog, to just look up basic questions, like how to do a factory reset on a firewall, because I had to do this so many times and I'm like, let me just write down the step by step guide for not only me, but my juniors and everyone else. So anytime anyone asked me I'm just like, Look, here's a procedure, you just use this procedure. So this was kind of a creative outlet, you know, like, I had to, you know, make some graphics on there. And I did switch it from WordPress to a more secure a Jekyll blog with just a flat HTML, there's no PHP or anything that you can use to exploit but this was definitely a creative outlet because then, you know, some stuff I would do think pieces on and stuff. And it was interesting to hear other people comment on, you know, whether that was right or wrong and, and ideas behind it. So there was a lot of just creativity there. I mean, there's another thing of like, if I just felt like all I was helping out was my coworkers and my clients, and there was, and that was just a handful of people, right? And I felt like I wanted to help more people. I wanted to help, maybe dozens more or hundreds more. And by blogging, I felt like I was doing that I was reaching that bigger audience with people who were appreciative of what I was doing, and saying, You know what, I spent six hours looking for this answer and here it is right here. On your blog, thank you so much for putting this up. You saved my butt this weekend. And those are just great feelings. So that was just part I think that's where a lot of it started was just blogging.
Ayman Elsawah 20:09
That's really good. And even the act of blogging or writing about it will help you learn it more, right? What kind of cemented in your brain a little better?
Jack Rhysider 20:16
Oh, yeah, definitely, explaining really complex concepts clearly, is a very difficult task. Specifically, like, I had a blog about troubleshooting a VPN. And you know, post about that, and it started out as a mess. And then over the years, I was able to simplify it and simplify and simplify it. And it's one of my top articles now is when people are hitting certain error codes on VPNs troubleshooting, they'll find my blog right away, but especially for Cisco, right? So getting it down to just like, kind of the above the fold thing as well. So no scrolling is needed to find the answers, put the darn answer right at the top of the page. This is the question you have this is the answer for you. End of story. What more do you need to know? Right? And so, you know, just explaining these complex concepts clearly took a long time to figure out and I went back and I revisited a lot of articles just to explain it more clearly and more clearly and more clearly, simply, right? You don't want to overly complicate it, you just simply explain it. And people will appreciate that so much so much. You know, what's amazing is that sometimes you have an idea in your head, or you know, how something works. But when you go explain it, you kind of either freeze or you can't fill in the gaps or whatever it is. Maybe it's a memory imprint issue, right? Where you kind of, you know, in your head, you think you know it, have you ever heard of people saying you'll you know, just explain it to your cat, your dogs, your little sister or brother, things like that. Has that resonated with you ever before? Yeah, absolutely. There's this one guy I worked with, or it seemed like every time that I would ask him a question, as I was asking it, I was realizing what my answer was. And I would just say, nevermind. And I'd go back, and I knew the answer. And it was always weird to him like Why does he always ask me a question and then never want me to answer it like this is the strangest thing and then I'd explain to him like every time I start asking it now that I'm saying it, I know the answer like I know what you're going to tell me is the answer, at least, you know, like that much is you started listening to what you expect them to say to you in response, like, Did you try looking here or something? Oh, yeah, I didn't try that yet. So Hold on, I'll get back to
verbalizing It is one thing. But then again, like when you think you have a concept, trying to teach it to someone else, is when you're really going to have that concept as well, you're really going to understand it because now you can explain a little bit more detail of why it's like that or come up with the theory behind it. And so many things in the Cisco world, there is no theory behind it there. This is ridiculous the way this is done, and I can't explain it. But this is a way it is and you know, some people wouldn't accept that as an answer. But, you know, that's just part of trying to teach someone is getting past some of those more complicated questions that they have, like, Well, why would it be like that? And now you got to really try to understand the reason why it's like this and not just how to do it, but know why do it that way. And that really solidifies it in your head. And yeah, by teaching others by blogging and trying to just teach others was really what I think helped me boost my career to a higher level. What are some things you were looking for when you were hiring someone, especially someone junior or new to the field? Unfortunately, we didn't get a lot of good candidates. So I kind of lowered my expectations. And what I was looking for was one of three things. Number one, you have experience. So you've done this before, you know the role, your experience, you know what's going on. Right. So if you were a security analyst before, great, you know, I'm hiring a security analyst. You've been this before. Excellent. So that would be a you know, a first pass I like you already kind of thing. A second thing that I would look for is certs. So maybe you don't have any experience but you have this strong desire to learn and by getting certs proves to me that you have this desire to learn. Because if you say you have a desire to learn, but you have nothing to show for it. We'll take those steps before coming into the interview. Have you you know, I don't want you to just come in because you want to learn this, I want you to kind of show me that you have learned this before coming to me, because that shows me the drive and the passion that I have. And that's kind of the third thing that I look for is passion in this. And I've interviewed people who are like, yeah, I'm super passionate about security. And I'm like, what are your favorite blogs that you read up on? I don't read any security blogs. What are your favorite conferences that you've gone to? I don't have never gone to a conference. What is your favorite security tools that you use? I've never used a security tool. What do you mean, you're passionate about this? If you have nothing that you've ever done insecurity like, show me the passion. So I think the biggest way you can show passion in an interview is to show me your home lab. Show me what projects you've worked on before. Or show me like some CTF that you've done. And the CTS are amazingly great at teaching you these are the Capture the Flag challenges, where they're usually free and online that you can take from your home or even from the library. You don't even have have to have any special tools and their little puzzles, security puzzles, like, elevate your access on this Linux machine to find the flag or something right, or decrypt this encrypted message. And it's not even encrypted. It's just base 64. So it's just encoded in a way that it doesn't look like it's readable. But you know, maybe it's just rotation 13 or something like it's really basic decryption. And so now you get into like seeing how messages get hidden and stuff like that. And so if you could show me a list of CTF that you've completed or competed in, holy cow, that shows me so much passion on your side, and that alone, just the fact that you want to complete these things is good enough. You don't need experience, assert and passion. I just need to see one of these three things. And so many people come to me with none of these things and they just didn't even want to I don't know how I can you know, do anything with you if you haven't even made the first step. So making any of the first steps in any of those directions. It's good enough for me to listen to see if now you know I'm listening for are your team fit. Are you teaching Are you someone who could teach me something? Is that something that you want to do? And those you know, those are just the basic interview questions that you're going to ask in order to try to find if somebody wants this position and they'd be a good fit.
Ayman Elsawah 26:12
Have you heard of the website I CTF time?
Jack Rhysider 26:14
Yeah, CTF time has a bunch of challenges up all the time. You can get together with teams and tackle various competitions. It's really great. And those are the exact places that if you can get in on that and get some of those done, wow, that's I think that's for the resume, put those on the resume the challenges you've completed, put them on the resume.
Ayman Elsawah 26:33
And now a message from our sponsor.
Are you prepared for why three k? Will your software be compatible with the year 3000? Don't waste time before it's too late. Have your software reviewed by our y three k experts? Make sure your business continuity plan is solid for the next millennium. You think we as a society or as infosec community? are we setting the bar too high Are you do you think we're not doing a good job of Trying to helping those that are new to the show? Or what are your thoughts on that?
Jack Rhysider 27:04
It's hard to say, I think there's a lot of shaming that goes on people who do security wrong, and then they get pointed fingers and laughed at. And that kind of makes things stressful. Like, you know, am I doing it right? I don't know what's the right way. And nobody really wants to help and tell you what the right way is. Because it's really complicated. And so I think some more compassion there of just like, Look, security's really hard, and you're going to mess up. And that's okay, as long as you have a plan on how to recover. And you know, like, you know, what the consequences could be if you mess up and that kind of thing. But I think it's becoming more of a, there's more technology out there and more complexities and more things need to be secured because it's not just securing your servers and your computers. Now it's securing printers and securing the mobile phones and the desk phones and any other tablets and projectors and you know, smart stuff that's coming into the office network, and so on. The landscape is just growing wider and wider. And now it's not even the stuff isn't even in your network now. It's now in the cloud. So where is the perimeter of your network? Who knows? Like, I don't own this IP, Amazon does, but I host on Amazon. And so can I pen test against this like, it becomes like, so much more complicated at such a fast speed, that it's really hard to keep up with, even when you are very senior in this space. And so I think if we give people entry level jobs that are more focused on a specific task, and not so wide, I think that'll help us get more people into this space, maybe, because then they'll be like, Oh, I can do that. That's not so hard. That's, you know, you might do this one thing. And then from there, you can, you know, teach them two things, three things, five things because your employees will figure out what it is they want to do next, and they'll start having an interest. Well, I'd like to also do auditing or, you know, malware reversing or something, and you'll see where they want to go next and you can try to fit them in that spot.
Ayman Elsawah 28:53
Yeah, sometimes companies try to put everything in the kitchen sink in a job description and kind of has a counter effect where it intimidates folks tonight. Don't even apply, right? Where they really only need 30% of those skills for their actual job. But they'll put 10 other things. Where did she say?
Jack Rhysider 29:06
Yeah, and something I've noticed from people applying as well is that the guys, the males, that apply will apply to jobs that don't have all the qualifications. They're like, hoping that, you know, they didn't really require you to have all those requirements, and they'll apply anyways. And the females, they won't apply unless they have all the qualifications. And so they don't feel like they fit. If, you know, it's saying, you know, you have to have these 20 requirements. Well, I don't have those, so I'm not going to apply. And that's what I've kind of seen overall, as far as people applying to some of these positions as well. I don't know if it's just like a game of the way corporate is of they're like, Oh, well, it would be nice if we had these 20 things but we'll settle on these five. I think it's just a struggle of making the right opening, you know, wording, the wording the job opening properly, because I've never seen him look good and like a million companies all over the place. So I would say just, you know, give it a try. If they like what you have on your resume, then they're going to bring you in. And if they don't, then no big deal, you'd go on the next company and apply there. So I'd love to hear how you transitioned from managing a sock to starting darknet diaries and becoming all in in darknet diaries where you're doing it full time now. Yeah, that's been quite a fun transition. I'd like I said, I had this idea of wanting to work for myself and being an entrepreneur, making a startup something where I am able to, you know, make a living on my own work. And you know, that the blog itself was actually making some money as far as ads go on there. Not very much, but it's one of those things that's like, Okay, I have this crack in the wall. Now, I need to build this crack bigger. I just need to get more people to the blog or something, you know, so I was starting to get really focused on how do I get more people to find me and use my site. Maybe if I make some instructional videos, maybe that'll help or something, you know, so I kept really adding to the blog. And I was like, You know what, I think there needs to be a podcast that talks about infosec stories. And I want to hear stories about people who were there that got hacked, and not so much some experts saying, well, it's a good idea if you're in this breach situation to do this. No, I want to hear about the person who was breached. What did you do first? What was your first steps? What was your second steps? Was that a good step? If you look back on that, do you would you do steps differently? And I want to hear those exact stories from you know, ground zero. And I didn't really hear anyone talking about that. Nobody wanted to share on podcasts, at least their company getting hacked stories. And I go to the conferences, and I hear people telling these stories. So I'm like, let's get these stories out there. Like, you know, I want to hear this. And at the same time, I want to hear the story from the hacker side. What was it that you saw that got you into this network and what did you do when you got in there and you know, I want to hear those stories as well because I think those are equally as interesting. So I started talking to Some podcasters, but they didn't really have any interest in covering that kind of thing. They thought that was too hard or didn't understand that or something. So I really wanted it and I just decided to build it myself. So I worked on the podcast darknet diaries, to create a couple episodes to test with my friends to see if this is interesting enough for me to pursue. And that worked out they liked it. They said, Yes, do it. I love it. And so while I was working as kind of a side hustle at nights and weekends, I would work on this podcast. And, you know, I launched it and I immediately started marketing it trying to get more people to listen, you know, I read I was emailing journalists and other influencers and saying, hey, do you think you can tweet about this or something you listen to, if you like it, tweet it. And that was working, like people were spreading the word. And at the same time, I was getting really burnt out at work. Like I said, building that sock was just like the biggest test I ever did. So 10 years of working there and being burnt out. I was just like, I need a break. And I'm going to take a break. I'm going to take like a sabbatical. Let's just take three months off and work on this podcast and see if I can pull it up to make money over that three month break. So I had already been podcasting for six months. So six months plus another three months is probably nine months into podcasting. And I took that three months off, I quit my job, and just put all my focus into the podcast. And sure enough, I was able to get it to a place that was not making where I was before, but enough to live on. And I thought, okay, if I could do that, in, you know, the first nine months, maybe in a year, it'll be, you know, more substantial and then, you know, two years will be where I was or something, I don't know what's gonna be in the future, but it's enough now that I don't need to go looking for a job. It's where it's enough for me to live on.
Ayman Elsawah 33:38
Yeah, I mean, the sound editing, there's a lot of work that goes into podcasting from learning from myself. So the sound design, all that stuff, it's just been great. It's a really good hook. They got me hooked. I remember hearing it and I was like, wow, this is you know, it was blown away. Listen to in the car. You know if you ever saw me driving and just like laughing hysterically, that was me like To your podcast. So yeah,
Jack Rhysider 34:01
I remember we met at DEF CON and you came right up to me and said, I love your show. And those were kind of the reinforcements of like, what I've got here is something special. And I should focus on this because of random people, strangers, because I didn't know you then coming up to me and tell us, then I'm touching the right audience. I'm affecting the right people. Because, you know, security, you've been here for 10 years yourself. And it still was, the story is amazed you and they surprised you and they made you laugh, and they made you excited about listening to the next one. And I thought, okay, if I can capture your attention as someone who's an expert, but then also make it broad enough for someone who may not know that much about it, that's still reachable to them. And I really think I had something and the thing is security is just so has so much darn drama in it. You know, there's always some hack going on. And it's high stakes stuff. So I just think it's ripe for you know, a riveting show.
Ayman Elsawah 34:55
Well, it's amazing. It's just everywhere now. I mean, even a black mirror episode, you know, recently they're trying to hack out The game right so there's, you know, hacking now is just so mainstream. But yeah, you know, how do we explain like you said before difficult concepts in a way that everyone could understand, right? That's just takes a special skill.
Jack Rhysider 35:10
Yeah. And somebody told me that if you can explain these difficult concepts, clearly that's worth money to some people. And I think this is how it's paying off, you know, having this podcast now I can explain what a VPN is to my dad who doesn't understand tech at all. And he gets in enough to understand that part of the story to let the story you know, continue that he's not totally lost about it. So okay, I understand this. And it was only after having that VPN blog posts that I've been modifying for like six years to try to explain VPN. So is that practice of blogging for seven years got me to the point where I can do something to reach a wider audience. And I'm not saying you know, people should turn their career into podcasting, but it's just one of those experiences that I really think that you know, being able to reach the right people can be really impactful and If that could be your client, or your boss or somebody to convince them like this is what needs to be done, because I think what I said security people lack sometimes it's good communication. We're good at explaining technical things. But that doesn't always mean that's what we need to do to explain it to our boss or a client. Because they don't always care about the technicalities. They just want to know how does this impact me? What's the bottom line here? Is there money involved? Is there people involved? Tell me like, you know, in my language, not ignore language, and that's where I think we break down in the communication. And like I said, the blogging helped me explain these concepts in a way that was different and unique and really helped me get there. So one of the things I was able to do to convince, you know, some people outside of my circle, like my boss and my clients was to explain the financial impact, and this is totally outside my expertise as a security person is figuring out how much does it cost for a breach because I don't know how much people are paid per hour. I don't know how much these computers cost. company like all these things that I just don't know, because I'm not in the purchasing, you know, division or whatever it is that you know we did to acquire that I don't even know how many people work there, you know. And so actually trying to figure out these answers and then give that to the client was a massive success because now it's in their terms, it's in their language like, Okay, if we don't take action here, this could cost the company $80,000. But if we do apply this firewall rule, then it may not cost that much, it may not cost anything. So now they're like, okay, you know, we see the risk versus reward here. And I think that was really valuable to a lot of people. Yeah, being able to be that translator is important in and of itself. So, kind of getting out of your bubble and being able to translate to everyone. I want to ask you so something that is important as a you know, someone trying to enter the field is kind of eating your own dog food, right. So if you're gonna tell folks to be secure, you kind of need to be secure yourself, right? Like, you know, if you're telling employees to use two factor authentication telling your friends to use it, but you're not using it well, you know, eat your own dog food so you can learn it and to kind of empathize with them. Right. So and you know, we call that operation security right objects. So is there any opsec that you could show? So I think just at work, I had an engineer that worked with me that I was really impressed with what he did all the time. And one of the things he really did a lot of is adopted new technology as fast as it would come out. This is a guy who's running an old flip phone, right? This is not a person who likes the newest technology in the world. But this was his job was to secure clients networks. And to do that he needed to understand the latest tech because if he understood the latest tech, then he knew the latest security. And if he understands the latest security, then he knows if he needs to go to his clients to update to the latest security like is this groundbreaking is this changing? And if he keeps up to date and like to the bleeding edge up to date, then we're going to have the most cutting edge security. And when whenever we get a client that you know wants those cutting edge security, we're ready. We have it because we've been Practice it ourselves is eating your own dog food kind of thing, right? Like, let's put all the factor authentication in to see, is that like a better solution or not, you know, and he was extremely experimental in a very safe way at work to secure our own network, to the point that nobody could understand the pace that he was moving. He was just moving so fast. But because he was moving that fast, it made us go into the future in a way that was so much more advanced. And, you know, maybe other other teams that worked at the company that, you know, were under us or something, right. We're running much older equipment. And it's like, Well, guys, you haven't updated your software in six years, compared to us who updates it nightly, you know, like, there's this big difference. And I think just getting on the latest stuff and staying on the latest stuff and utilizing all the features and technologies and stuff like that really helps you understand what it is you're missing or need to implement and all these things and try and just keep trying to build it better and build it better and build it better. And that constant work of him trying to make it better all the time made our network extremely secure. Because we knew every possible way to secure our network, because we had tried every possible way. Nice.
Transcribed by https://otter.ai