Syntax Episode Notes
- Was arrested in High School for disclosing a vulnerability in the school IT system
- Syntax is an internal pentester for a large organization
- Went to college for Computer Science, but dropped out
- Inspired by the Movie Hackers
- First computer had a 1MB hard drive (Yes, not a typo!)
- Still went to Defcon even when he was not in IT or working in security
- Was a professional motorcycle racer
- Kept all his rejection letters as a way of motivation to keep going
- Had some business and entrepreneurial experience in the past, which helped him get back into the field
- Got back into security through… IT!
- “A lot of our time is spent arguing with the other departments and justifying our findings.” [2:58]
- “Is this cross-site scripting really a problem.”
- “I get stuck a lot… it’s kind of the nature of the beast.” [5:17]
- “I’m not going to work in tech again.” [12:21]
- “You’re a motorcycle mechanic… why should we hire you?”[19:07]
- “It’s my hacker family. These are my people. Everyone in security, they make sense to me, cause they’re all kinda like me.” [19:41]
- “I kept getting this projects coming my way and I constantly said YES.” [22:07]
- “Have you done this before… no, but I’ll learn!” [25:06]”
- “No, this is website scraping… because I had that mindset… I was seeing it different than other analysts.” [26:00]
Syntax Episode Links
- Syntax on Twitter: https://twitter.com/syntax976
- DCZIA: http://dczia.net/
- Queercon: https://www.queercon.org/
- Outro Music: “Pure Decking” by Patient Zero from the album “Screen Saviour” her link is http://patientzero.bandcamp.com and she is @DoctorKraft on the twitter
Getting Into Infosec
- Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
- T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
- Sign up for sneak peaks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe
I have a folder in my email. It's like rejection letters and there's hundreds hundreds in there.
Ayman Elsawah 0:22
Welcome to getting into infosec. I'm your host, Ayman Elsawah. My guest this week is Brandon Prince, aka syntax. Brandon was influenced by computers from an early age, but ran into the pitfalls of responsible disclosure the hard way.
I got arrested in high school for computer crimes.
Ayman Elsawah 0:39
He then got burned again, as a result of his success.
Yeah, I was so mad. I was like, No, like, I'm never going to work in tech
Ayman Elsawah 0:46
again. But he eventually got drawn back into tech, yet really had to persevere through the rejections.
You're a motorcycle mechanic, like why should we hire you?
Ayman Elsawah 0:54
In the end, he made it. He didn't give up and he was creative about getting it once a hacker always a hack. By the way, I wrote a book. Here's a sample from the audiobook version.
Unknown Speaker 1:02
I was once in your shoes trying to break into the industry, learning everything I could online, buying books and trying out new things in a virtual lab, applying for jobs, barely getting interviews, not hearing anything back, but I knew this field was for me, it was part of my personality. More on my journey later. This book is intended for those who are looking to get into the information security field but are not sure where to start or overwhelmed with the information out there are not able to close any interviews. Let's make sure to clear up any misconceptions. This book is not going to teach you how to program or code this book is not going to teach you how to hack this book is going to teach you the mindset you need. This book is going to map the open sea of information security and how to navigate it
Ayman Elsawah 1:41
website for this podcast is getting into infosec comm sign up to the email list if you want a sneak preview of my episodes. Alright, on to the show. Hey Brandon, welcome to the show. Hey, how are you?
Good. How are you? I'm wonderful.
Ayman Elsawah 1:54
Awesome. You go by syntax as well on Twitter.
I do just about anywhere on the Yeah,
Ayman Elsawah 2:00
okay, that's awesome. So maybe you could explain to the folks out there what you do, at least by day.
So I am a web app penetration tester. Now, I'm on an internal pen test team. So I basically get to sit in my office and hack things all day.
Ayman Elsawah 2:18
Okay, and you do it for other companies or for your own company.
We do it for our own company. I'm on an internal team. Now, granted, we have hundreds of web apps out there. So each week, we've got two or three that we test for about a week. And we just go really hard on them finding anything we can from like the simplest like HTML injection all the way to getting remote code execution and getting onto the back end server. And then the real fun begins there.
Ayman Elsawah 2:46
Yeah. And so how is life as a internal app pen tester? Is it as glamorous as everybody thinks it is?
I really want to say yes, that we are like, the rock stars are the infosec mafia, but really not. I mean, a lot of our time time is spent arguing with the other departments and justifying our findings. They're like, so is this cross site scripting really a problem? Like Yeah, yeah, no, it is like, stop it. So, yeah, it's a lot of report writing. And you know, people think, oh, you're on an internal team, the reports can't be as bad and they're not as bad as doing like a big huge report, but we're doing them every week. And we're doing a lot of them. Okay. Yeah. It's a life.
Ayman Elsawah 3:35
Yeah. And is it just you out on your own? Are you working with a team kind of collaborating on a project?
No, it's we've got a team. So there's, yeah, the pen test team. There's 20 of us, okay. There's 18 or so active pen testers. And I mean, juniors mid seniors. There's some people who are just starting out as pen testers you know, they don't know a ton but in their I love our juniors because they're all really excited and they really want Want to learn, and then you know, mid seniors. And you know, the seniors go after the really kind of weird complex things that you don't normally see. But now they still find some really neat things. And we've got a pm and our team lead. And so it's actually a fairly large team, especially for just a single organization.
Ayman Elsawah 4:21
But like, if you're going on a web application, for example, or a particular project or application, would it be a team of 234?
It depends. It depends on how many tests we have that week. If there's like one or two tests that we have to do, then everyone is going to be on everything. And you just get to choose what you want to do. Gotcha. If we've got three or four or five, then we'll get broken up into usually two or three teams. And our team is nice. It's about 40% on site, 60% remote workers. So there are times when I'm collaborating with someone from we have a pen tester in Hawaii. We've got some in Seattle. In LA, so there's people all over the country that we get to collaborate with, and we're doing it over Skype or slack. You know, okay, it's a lot of fun. What do you do when you get stuck?
Ayman Elsawah 5:13
So I know that getting stuck is just part of the game. But what do you do to get unstuck?
I get stuck a lot. Everybody here. Yeah, yeah, it's kind of the nature of the beast, right? Especially with pentesting. Because there isn't a set like Oh, do this, and then this and then this, and then shell, right, even though that's how it looks sometimes. In fact, I did this today where I was stuck on the CSRF. And I couldn't get it to pop. So I stood up and went and walking around our office and our office is big, and it's all so it's both blue team and red team in policy. Like everyone is in this one office. Oh, okay. So I wandered over and I talked with incident response and went in and talked to some people in the sock and just kind of got up and left my cube and ended up like wandering down. downstairs and outside, right, and now for about 10 or 15 minutes. And then, you know, went back and sat down and started working on it again and actually got it to go. But I think that's one of the best things. And I try and tell people like, yeah, nice. If you get stuck, like, stand up disconnect, even if it's, you know, spinning around and not looking at your computer for five minutes, you know, just disconnect from it, watch a YouTube video or listen to some music, something that's not like, this is what you should be doing or, you know, just get disconnect.
Ayman Elsawah 6:32
Yeah, like a different part of your brain. Yeah, yeah. And that could probably relate to just getting into the field in general, right, in any part of information security, would you say?
Yeah, absolutely. Okay.
Ayman Elsawah 6:43
And so walk us through how you got into tech or information security from the get go.
So it started with my dad, my dad saw that tech was going to be a thing and this is in the mid 80s. I was really young and he bought a car. Computer kit. Hmm. So it showed up in boxes. And I remember like sitting down and we put this whole thing together and it was an ADA Ada with 512 kilobytes of RAM. Right. And a one megabyte hard drive.
Ayman Elsawah 7:17
Yeah, like those those big as a brick probably right?
Oh, yeah. Yeah. And we were bawling. We're like, yeah, we're never gonna need anything more than this. Right? And, you know, putting that together, and then like, watching it come up, and thing happened. And I remember being little and just watching that being like, this is amazing. Mm hmm. And then didn't think anything of it. Like there was always a computer in my house. And it wasn't really, you know, I'd always been kind of into tech. And then the movie hackers came out and I know this sounds kind of contrived, but I asked my mom to go watch and she was like, no. So then I asked her watch a different movie, and she gave me the money and I just wouldn't watch actors anyways.
And I watched that I'm like, I want to do this thing. And I really started, like kind of learning and then getting into it, and then went to college for computer science, and then promptly dropped out.
Unknown Speaker 8:17
what made you drop out? Wow, they a bunch of different things. One was money. I didn't do well enough in high school for a couple of reasons. I got arrested in high school for computer crimes. Oh, okay. Yeah, I found an issue in the high schools computer network. So they got a huge grant and built this beautiful computer lab with a huge server and digitized all of the student and teachers records. And so I'm sitting here in computer class in this beautiful lab and bored because they're teaching us typing. And I'm like, I was already like, I had known a little Visual Basic, and I knew my way around a computer. I'm like, this is boring. So I was just playing around on the network. You know, I knew what a network was. I had been on bulletin boards at that point. And yeah, this was the very start of the internet. And I found that all of like, this network was completely flat. There's no segmentation, of course. Yeah. And if you knew the name of the server, you could just log into it. Right? And every username and password like worked. Wow. So like, I could log in and be like, Oh, look, here's my records. Here's my friend's records. And then I'm like, oh, here's the principal's records. Like, I know, I now know how much you guys make like this was not an okay thing. So I took it to my vice principal.
Ayman Elsawah 9:43
All that stuff was on there, huh?
Yeah, just everything. Okay. Yeah, all of their like w twos all have student records for as long as they had been in that school district. I mean, everything was kept in this new digital repository. And of course, this was the very Start of digitizing records like no one knew. And everyone's like, Ah, look, it's digital. We can access it from anywhere security. What's that? Yeah.
Ayman Elsawah 10:07
Security by security is was the name of the game.
Exactly. Yeah. And so I took it to my vice principal, and he was like, I don't believe you. And I'm like, airwatch. And I showed him and he's like, okay, Brandon, here, go sit over, you know, sit outside my office, I want to call somebody, you know, have them come in and look at this. I want Okay, cool. So I sat down and run our passes, and I popped my head and I'm like, he's like, no to sit down. I'm like, Okay, fine. And another hour passes. And it's just about the end of the day. And two gentlemen in suits walk in and they walk past me in the vice principal's office and come back out. And they're like, Mr. Prince, and I was like, yeah, and like, stand up and it's like, oh, okay, like,
Ayman Elsawah 10:47
man? And they like, turn me around and handcuff me. And they're like, Alright, we're taking you in. Wow. And yeah, by that time, of course, you know, the end of the day bell rings, so ever One in the entire school is on a Friday like is watching me get drugged out in handcuffs. It's crazy. And like the rumors were amazing. Wow. But luckily my dad is awesome. And he was corporate pilot for the corporation. He rushed down. So he brought their lawyer and his son had actually just passed the bar. So here comes these two lawyers in this town and they ended up I don't know what they said or did but you know, several hours later, like I got released, but I at that point had been charged with the Computer Fraud and Abuse Act. A few months later, eventually, everything got dropped. And I was a minor So
Ayman Elsawah 11:42
okay, I was gonna say were your minor like 15 I guess?
Yeah, yeah. Okay. So that was my first like, Introduction to like, Oh, don't tell anybody because you're, you know, gonna go to jail. Yeah. And that was really kind of my start with a lot of things was, oh, I can do these things. But just don't tell anybody.
Ayman Elsawah 12:01
Yeah. And then if you tell them they won't believe you so exactly how even in your job today, people still don't believe you. Yeah. Come in two years later. Yeah. Nothing's changed.
So then in college, like it was the same thing. And this is the first time I'd ever really met people. I grew up in this very rural town. Okay, and so I went to college, and now there's these other people who like thought, like I did, and could do these other things. And this was amazing, right? And we ended up there was five of us, we dropped out and started a little consultancy, that was like the absolute right idea. 10 years too early. Okay, and we'd got a couple of clients and things were going well, and a larger company came in and you know, we're 21 years old, we have no idea really how to run a business, or what goes into it, but we're trying like we're doing the best we can in this bigger company comes in says, Hey, we're gonna buy you, and we're like, awesome. Let's do This thing and so we sold. Cool. And after we signed all the papers, and we were like, Alright, cool, like, are we gonna go into your office? Or like you're gonna come in or and they're like, Oh no, we bought the company and we bought your client list and we bought your name. We didn't buy you guys, huh? Yeah. And so I got completely disheartened and left tech entirely. Oh, wow. Yeah, I was so mad. I was like No, like, I'm never going to work in tech again. I had this huge wad of money. That was way more than a 21 year old should ever have right? My dad just retired from being a pilot and opened up a small little motorcycle shop. And I was like, Hey, you know what? I'm gonna let my inner 10 year old make some choices for me. And I'm going to replace motorcycles nice. This is what I'm gonna do. Right? So I helped my dad and we opened this motorcycle shop and where your biker before that? Yeah, yeah, I had always written my dad always rode motorcycles. It was just like it was the thing that's like, cool. I don't ever have to wear a tie again. I can wear jeans, right? I got, you know, tattoos. In fact, I started my full sleeve tattoos and I started my my sleeves right after I left tech. So I was like, I'm never going to have to work in a place that wouldn't like my tattoos ever again. Right? And I did that. I started racing motorcycles. I ended up racing motorcycles professionally, are nice. And that took me to France and all over the world doing that. What's the top speed you've ever in a motorcycle? Just to touch over 200 miles an hour. Wow. And it's weird. So I get that question a lot. And I don't actually know because we don't have a speedometer on race bike. You have a tack. You don't have a speedo. Because you don't care how fast you're going. Right? Right. just care about like your
Ayman Elsawah 14:49
times. It's kind of cool. It's actually a little less distracting, I guess, in a way right? It
is 100%. Okay. Yeah. So I'm like 200 ish. That's awesome. Life like a 200 miles an hour. It's a lot like 120 mile an hour. Okay, because your brain can't really determine the difference between 121 30 or 200. It's all just real fast. Gotcha.
Ayman Elsawah 15:13
That's crazy. So you did the motorcycle thing for a while you raced. You had a shop I did with your dad must have been awesome.
It was It was great. Yeah. And I still loved tech, and I love to play with it. And I kept doing some, I mean, hacking, I still did some ETFs. And every time like I would buy something online, like I was throwing SQL injection into, like the coupon field, right? Because every once in a while you put, you know, or one equals one and it now applies every coupon and you get like 60% off and I was excited about that nice. And so I kind of kept my skills going but I let a lot of them just kind of lacks and then I had a fairly big accident on the track and got to the point where I was like, You know what, this is kind of for the bird I don't like standing all day and working with my hands and my hands hurt, my back hurts and my knees hurt. And I've never once had a computer try and kill me.
Ayman Elsawah 16:10
Yeah, it's not sustainable for the long run, basically, where you're saying,
Yeah, yeah, no, I also found out No one's ever gonna get rich running a motorcycle shop, you know, you're, you're gonna keep putting money into it. And eventually, it'll be self sustaining, but you're not going to make any sort of money at it. And I was young. And I needed to kind of think about my future. So about five years ago, I decided, you know, what I'm going to get is a little more than that. Now, about seven years ago, I decided I'm going to get back into tech. And, again, I was completely just put aback at how much things had changed. Yeah, where people actually cared about security now, and all of these things that I had screamed 20 years ago, people were actually kind of doing now.
Ayman Elsawah 17:00
And I was amazed. Yeah. Where there's actually departments that handle this and
yeah, right. Yeah. And it's not one sysadmin, who's overworked in a closet? Who's responsible for everything. You know, there was now an entire department separate from it that handled security. Yeah. Yeah, that was just
Ayman Elsawah 17:22
amazing. That's awesome. That's awesome. I actually did recently see a sysadmin sitting in the closet. I couldn't believe he was actually in a closet. It was it was really small. And he had like a hang in there cat poster, and it's quite hilarious. So now you're trying to transition back into tech and maybe into security. Did you try for security positions at the get go or just anything in tech?
I was really leveraging for security because that was always my passion was security, especially starting off, kind of with the crime early. You know, it really seemed like the natural progression, you know, It always made sense to me. And so I'm like, this is where I want to be right. And I'm old enough now that I don't want to do something that's not fun. I want to do something that I enjoy.
Ayman Elsawah 18:11
Right? That's worth your time. Absolutely.
And so I just started putting in and I got in at one place, and it was good. And then it went away. And then I started my own company again,
Ayman Elsawah 18:22
hold on. So when you were actually applying, did you have any difficulty? Did you have people say, Oh, you know, you don't have any relative experience, recent experience or some of the negative stuff. Oh,
yeah. And that was really the big reason that I started my own company, I got a stack of, I mean, I say a stack. They're all digital, but you know, a stack of rejection letters. And, you know, people always told me, I don't keep those right. I have a folder in my email. It's like rejection letters, and there's hundreds, hundreds in there. And I look at those and some of them I'm like, yep, I'm not a right fit for that company. Hmm. You know, and others are like, Okay, I'm going to work Maybe you're working for this company, but I'm not what they need yet, but I'll get there. So it was kind of motivation to keep me going. But yeah, the biggest thing was, you're a motorcycle mechanic. You know, you're a motorcycle racer, like, why should we hire you? Okay? And I'm like, Well, I did this thing a lot. And I continued to, like, keep my skills sharp. And I think one of the biggest things for me was I kept going to DEF CON. Okay. Even throughout those years when I was, you know, a motorcycle mechanic, right? Or a racer, I still went to DEF CON every year. In fact, this year was a big year for me because it was the first time where I had been to over 50% of them.
Ayman Elsawah 19:39
Nice. Your heart was still in it. You know, you're active. Relatively.
Yeah, it's my hacker family. Yeah, you know, and it was always the culture and the people that I'm like, yeah, these are my people, you know, everyone make in security. They make sense to me, because they're all kind of like me. Yeah.
Ayman Elsawah 19:57
And that was mentioned in the previous episode as well. You know, Tonya, she had the same thing. And so how did you persevere though, with all the rejection letters, you know, I mean, how did you do that? How do you persevere?
So the first time around, I kind of didn't. And so after all of these rejection letters kept going, kept going, kept going. I was like, You know what, okay, I need to show that I'm competent. Okay. And I was in a, I'm still in a fairly rural area that didn't have any real LIKE IT consulting or security consulting. So I'm like, Okay, I'm gonna start a little business, you know, and by this point, actually know how to run a business. Right? Which, you know, if I would have known that, you know, 10 years before, yeah, who knows where things would have gone but right. So I did I open this little consulting company, and my niche was small companies that couldn't really afford an IT department. Yeah. But because of the way things were going, you had to have an IT department. Right. You know, I mean, So I was like, cool, I'm going to be cheap. And I'm just gonna work my butt off for a while, and I'm gonna get my name out there. And I'm just gonna do whatever, like, No job is too small. Okay, whether it's going and hooking up, you know, an accountants printer, or securing a lawyers office, like, if it's there, and they're going to pay me, I'm going to do it nice. And I'm going to do it like to the absolute best of my ability. And I learned a ton doing that. And it kind of got me back to the basics of, you know, learning networking again, and learning how to set things up correctly and securely. And so I just kind of bust my way through that. And I kept kind of applying to places I'm like, Look, I have some relevant experience now. Like, this is great. And eventually I got picked up by a fairly large company. I mean, big, big company. And they were like, well, we don't have a pure security role, but we need a security person in our knock. Okay, I'm like, oh, Okay, cool. So I just said, Yeah, I'm like, I haven't done that before. Let's do that. And then they were like, Oh, we need someone who does this, you know, security like, and so I just kept getting these little projects coming my way. And, you know, I just constantly said, Yes.
Ayman Elsawah 22:14
Okay, so you were known as a security person from the get go, is that right?
Yeah, my resume was definitely like, Oh, look, I am a security person. I've got a screaming security. Yeah.
Ayman Elsawah 22:24
How did you spin some of the, you know, doctors offices and lawyer stuff. How did you spend that on a resume with a big company?
Well, so everything that touches like a doctor's office, there has to be security in it because of HIPAA. Right. Okay. Same thing with lawyers, they have to have the privacy of their clients spun into it. Yeah. And people like doctors and lawyers, like they understand that they have to have security. Right. And so I actually kind of went to those people was like, Hey, what are you doing? Like, I'm a guy I can help you. Okay. And, but then there was like, a heart Where store, they didn't care about security. You know, they're like, Oh, we have a credit card machine, but we don't like we didn't put it in, like someone came in and they plugged it in and it's fine. Right? You know, so I had to, like, tell these people and so on a resume, I could be like, Yeah, I was teaching security. Okay. And on my own, I was doing the security plus, on my own, I ended up doing this, eh, you know, on my own all of this out of my own pocket, and self studying, like, I didn't take a class or a workshop or anything. I was watching right, you know, videos on the internet and buying books. Yeah. And then living it,
Ayman Elsawah 23:36
you know, exactly. I mean, that's my preferred method. So study, but I know not everyone can do that. But yeah, definitely. That's
Yeah. And then on my resume, I very much put the language as, yes, I was doing networking, but I was doing networking while teaching secure practices. Mm hmm. You know, to small business owners. And so now you're in this knock. So now you're in this knock, and you're kind of like the go to prison for security. Yeah. And I just kept getting these little projects. And then I became the person that did research for patching. So all the patch notes would come out, we would actually get all of the patches early from Microsoft's we had a really good relationship with them. Right. And so I would spin up VMs with these weird custom VMs from these big companies, because they had this weird custom software that was built in 2002 that they were still using, unlike windows 2003 servers. And, you know, we were throwing custom patches into this stuff, because these companies were big enough that they had someone write it, but then we had to validate that it wasn't gonna break this weird app. Yeah. And they were like, Yeah, can you do this? This is kind of security stuff. And so I started doing that for one company, and then several, and then all of their patch research I was doing as well as knock stuff and yeah, there was many like six 13 hour days, seven days a week with that company. But it really was, I refused to say no. You know, if they had a project, and they're like, hey, do you want to try this? I'm like, Yeah, absolutely. Nice. Like, have you done this before? I'm like, No, but all right, sweet. And that said a lot, especially transferring from a kind of infrastructure or sysadmin into security. You know, because if they're like, yeah, we don't really know security, but you kind of seem to care. Try this thing. I'm like, Alright, cool. And I was seeing alerts in the knock, that the other knock analysts were like, Oh, this is like an infrastructure thing. And I'm like, No, no, no, this is a security incident. Something like, I was like, oh, wow, there's like 3000 connections to this one server, like, oh, man, you know, there must be, you know, a switch dying or something's being weird, and I'm like, No, this is website scraping. Yeah. And because I had that mindset, because I was just constantly in it, I was seeing it different than the other analysts. Mm hmm. And it's kind of like the, you know, when the only tool you have is a hammer, everything looks like a nail. Yeah. Well, when your mindset is that a sysadmin, everything, or an infrastructure administrator, everything looks like it's a system problem or an infrastructure problem. Right. And I guess you can kind of say that everything to me looks like a security issue.
Ayman Elsawah 26:29
Yeah, I mean, that's how I go about it. And it's draining, but like, you know, you're like, oh, what if this is compromised, and you go, and you spend the extra time to kind of verify that whether it is or not,
yeah, and anymore. It's better to spend that time to validate that it wasn't right. Exactly. Instead of going Oh, no, that's not it. And then having it turned out that it was Yeah, then you end up in newspapers.
Ayman Elsawah 26:52
Yeah. Crazy. Do you have a time where you caught an incident that almost got missed?
Yeah. So like that right there. There was almost Many, many incoming connections to OSI. And it turns out someone had figured out. And this was a bunch of years ago that they could kind of increment our website and pull different user data off of it. And it was just such a weird pattern and did it through an infrastructure ticket. And I looked at I'm like, No, this is not an infrastructure issue. And everyone else in the knock is like, no, absolutely. Like, it's just something's broken somewhere. Like, we'll go look, and we did some digging, and we're like, No, no, this is absolutely, you know, someone scraping a website and attempting to pull like customer data. Okay.
Ayman Elsawah 27:40
Wow, that's crazy. And so, at this point, you're still a knock person. You're kind of doing security stuff, but not really officially Yeah. When was it that you kind of what was the transition after that?
So after that, there was a unfortunate transition. So the the company I was working with brought in a new management team at like the sea level, okay, and they went, What do you mean you have 60% remote workers, either bring them into an office or let them go? Hmm. And I was technically working out of the oven office in Toronto, even though I was living in New Mexico. Gotcha. And so I couldn't immigrate to Canada. So they were like, We're sorry. Here's a severance. We really wish we could keep you by. And so I'm like, oh, okay, well, how hard can it be to find a new job? And I made the decision that I was going to get a security job, right, whether it be in a sock, or doing IR or doing something, right, but I wanted it to be a security job. And that actually lasted about nine months of me being unemployed. I'm still doing research and I'm still doing some odd jobs. But I was still for the most part. employed, okay. And sending out five or six resumes a day, right? To companies all over the country. Yeah. And I actually found a fun post exploitation technique with Windows using language packs. And I gave a talk at queer con. No, which is the LGBTQ side of DEF CON. Right. And someone in that talk, someone who saw that talk, you know, came and found me afterwards and was like, that's really kind of interesting. I had no idea that this worked that way. And you had said that you were looking for work. So it was actually the week before DEF CON that I found out that I was getting laid off. Okay. And so I'm like, Yeah, absolutely. Like, anyone who wants hire me, come hire me. He's like, we might have a position coming up soon. But you know, it's gonna be just a little bit out and I was like, Well, hey, right now I'm like, first come, first serve. Yeah. And I was putting in all of these resumes. So flash forward about eight months ago. Got a DM on Twitter from this guy? And he's like, hey, do you remember me? Like, yeah, yeah, I absolutely. Yeah. And I did, we actually met. So I had finished the talk and I walked back to the bar. And there was a guy with an old 80s like Moog style synthesizer. Oh, sitting at the bar, because it's DEF CON. And of course, you had one, right, of course. And I remember the guy came up, and we both kind of geeked out over this synth first. And then we started talking about my talk. And he was like, hey, so we have a position open. Like, send me your resume. He's like, it's for a pen tester. And I was like, okay, like, I've done some pen testing and some CTF but never like, full time and I'm like, in fact, I've never had an actual full time infosec job. And he's like, doesn't matter. Send me your resume. So I did, okay. And he gave it to the higher ups and it turns out, he was The, like deputy team lead for this team, and, like, recused himself from the interview, cuz it's usually the team leading that did all the interviews. Okay, and he was like nope. And yeah went through this three interview kind of interview process. And they're like, yeah, we would really like to have you come pentest for us. And I was like, Yeah, absolutely. Whoo, this will be great. And they're like, Yeah, but you need to move to Maryland. And I'm like, oh, okay, cool. Let's do this thing. Okay. And that was about 18 months ago. And yes, I've been out here
Ayman Elsawah 31:38
ever since. Gotcha. Is that your first quote unquote infosec job?
Yeah. My first full pure infosec job is here. Okay. Everything else had been infrastructure and security. Right. Okay. Or sysadmin and some security, okay, minus the company that I had started in 2000. So, I one thing I negotiated with My new job was DEF CON, where I was like, I don't care. Like, I don't care what happens. I'm going to DEF CON, and I negotiated that. You know, it's like everything is negotiable. And that was one thing that I made sure to do. I've been going to it for so long that I have to go to this. This is something I do.
Ayman Elsawah 32:20
Yeah, that's something I don't understand. You know, companies that don't send security their security people to conferences or to DEF CON. In particular, I think it is. I think it's just a must. I mean, I don't I'm very opinionated about that. But
it is and and I've made more connections at DEF CON, even like at the bar, and I'm not always going to tell my employer that but I've made so many really good connections. In fact, I have a crew that I run around with and we we do unofficial DEF CON badges DCC. And right you know, I've learned so much from them and like we had talked about earlier When I get stuck every once in a while, I can get on to our private chat and be like, Hey, I'm doing this thing. Has anyone else, like run into this problem where like, I'm doing this, but it's not working? Can you know? Does anyone have an idea? And lots of times within five minutes, I get 14 ideas and sometimes one works.
Ayman Elsawah 33:20
There's something to be said about the care and feeding of hackers. Yeah. Or, you know, security engineers. I just I don't I don't get it, you know, as as an employer you have responsibility to it's more than just, you know, PTO and not even training. But sending them to hacker summer camp is like, a way for them to recharge. Wait for us to recharge. Absolutely. It's It's so recharging. You're so like, you're just all year, you're beat down and you're trying to convince people that the security thing is wrong. You're just it's always an uphill battle. And here's like, one place we can go where everybody understands you. And you don't have to like keep battling. And you could talk about war stories confidentially or whatever, you know,
yeah. And there's, there's thousands of us everyone that you turn to, you can stop to someone at the bar and you see that they have a badge on, you be like you. You understand me. That's right. I was gonna say the same thing. And, and, you know, you can buy them a beer and they will tell you stories and you will both laugh and you will then have a friend and a, a network, you know, camera person,
Ayman Elsawah 34:34
although, although I found a lot of people still hesitant to like kind of even mentioned their name or whatever, they're still like, you know, putting up this fake wall. You know, it depends, you know, your mileage may vary, but yeah, you're right. Exactly. You know, you for the most part you I've met a lot of good friends. I've some of my really good friends are. I've met them from DEF CON so randomly,
yeah, and I i still, like even when I'm at DEF CON. I still do generally only go by syntax. And there are people that I see there that only know me as syntax. But we'll chat on Twitter or wherever. And it never fails. Like I run into them at DEF CON and it's hugs and beers. And, you know, fun is had, right? Mm hmm.
Ayman Elsawah 35:24
Very true. Very true. Yeah, I think those, that rant just felt good. Good. And now a message from our sponsor. Welcome to hacker daycare, where you can safely drop off your hacker and we do all the care and feeding for you. We have lots of things for your hacker to play with. From vulnerable websites to old computers to ATMs, we have everything your hacker can desire. We also have lots of IoT devices to keep your hacker busy with plenty of soldering irons to go around. Now featuring voting machines to we always have the latest one tronic EDM and nerdcore music playing in the background, of course, unlimited coffee and Matteo Ville, what all times our staff is trained in soothing your hacker when they get stuck hacking. Of course, it wouldn't be a hacker daycare without their friends. They're all here. So it's awesome. That's really cool. So even though you kept getting rejected, you held out. I mean, you probably had the luxury to hold on. Maybe not everybody has the luxury to hold out for nine months for a full time job. But you hold out you held your ground, you're like, I am getting a security job. None of this like infrastructure and or whatever. And security. Yeah,
yeah. And I mean, during that time, I worked part time as an Uber driver and I worked part time in a liquor store, okay, which was actually a lot of fun. But, you know, I was doing a lot of kind of part time things I also did a couple of like 1099 I did a 1099 pen test. I did some 1099 networking stuff. You know anything to keep me afloat. I also lived in New Mexico, which has one of the lowest costs of living in the country. So that helped. I had a really wonderful partner who was working full time, who really helped kind of support me both with rent, you know, and I was giving everything I could, and moral support being like, you can do this thing. And yeah, it was just that perseverance being like, no, and there were several times where I'm like, you know, I should just settle I can get, you know, a sysadmin job at a bank, like in a heartbeat. But it wasn't what I wanted to do, and I knew I would hate it. And, yeah, she kept telling me No, like, you would hate it and you'd be miserable. Like, hang on, follow this dream, you know, and I knew that my resume looked not the best because I had these weird holes of five years when I was younger because I was racing motorcycles, and owning a motorcycle shop. And then, at this point, it had been like six months of me not working, and nothing being pure security and working for myself, which come to find out. Some employers don't like to see that you own your own business on your resume. That is very true. And I asked one of them why. And they had told me that they don't like to hire entrepreneurs, because they just assume that you're going to work just long enough that you can start your own business again. And they don't want that competition. And they don't want that limited. Run. They want someone who's going to, you know, potentially work for them for 40 years and retire. And so that was hard to, I still recommend everyone. You know, if you're young, like work for yourself, you know, even if it's doing odd jobs on the side, you know, work for yourself, you learn so much having to do your own taxes and budgets and everything. You know, I learned about More about my clients, because I owned my own business. I knew that they had these, you know, their priority wasn't security, even though my priority was security, because that's what I do. Their priority isn't security security to them is a bill right now that they have to pay because it's the thing they have to do. Or else they'll end up on the news, or they'll end up losing a bunch of money. Like, you know, it's not what they want to do. And owning my own business for a while. I realized I'm like, oh, oh, now I understand. You know, that sometimes we're not the priority here, even though we should be my opinion. Right? Of course.
Ayman Elsawah 39:40
Yeah. That's really cool. So there's a lot to unpack there. So you, you persevered. And you know, you got some odd jobs. Really awesome that you had a supportive partner not only financially but actually emotionally and because I think frankly, the emotional part is even more important sometimes in the financial. Yeah, but yeah, we need to learn Of course, but you know the thing is you kept hacking. Yeah you kept applying kept researching that
Unknown Speaker 40:05
Ayman Elsawah 40:06
again and that's what really got you the job right. So you didn't like kind of just like sit back and wait for you know somebody to answer your resume calls right?
Yeah, I kept doing CTF. So now is it bug bounties? I wish bug bounties were way bigger when I was looking for for work because I would have done that, you know, do bug bounties. There's so many of them. There's so many good bug bounty programs out there. Yeah. And anyone can kind of get in and do these bug bounties and just showing you're like, hey, look, I got a paycheck from you know, Cenac, or hacker one or whatever. Even if it was $20. You know, that's something to be like, Look, I did a thing, huh. Like I did a thing on this thing. I can do this. And yeah, I think that is a really great way especially if you're wanting to look at Red Team stuff. to kind of break in, is do a bug bounty here. And you know, you'll learn a ton from the communities, you know, with hacker one and synack, which are the two that I'm kind of familiar with. Yeah, both of them have really good communities where you can actually talk to other bug bounty people. Well, that's cool. And yeah, I thought I really wish they were around back when I was kind of out of a job because I would have just sat in my corner for 16 hours a day doing bug bounties.
Ayman Elsawah 41:32
Yeah, it's become so much so democratized, you know, security is so much more accessible than, you know, back in the day for both of us. So it's just wildly amazing. I mean, you know, YouTube is a godsend, right? So anytime something is broken in my house, I go in anything I want to learn. I just go to YouTube first.
Yeah, I did that. This weekend with my car. I had an issue with my car and I'm like, YouTube, I fix this thing. Exactly. And there was like 14 videos. I'm like, Oh, that's How I do. That's easy.
Ayman Elsawah 42:01
Yeah, that's awesome. Cool. So any fun hacker stories that you could talk about, you know, from your travels,
Oh, man. And that's hard because a lot of the stuff that I do now I can't really talk about. Yeah. Let's see, I think I told you this one off air, but I'll tell it again. So this happened today. I get in this morning, and there's a bunch of people outside, there's conference room next to my office, and I kind of poke my head out. And I'm like, Hey, what's what's going on? And like, oh, there's this big training for this app. And I giggle and I'm like, Oh, I am abusing that app this week. And they just kind of look at me funny. And I giggle. And this lady walks up, and she's like, well, I'm really glad that you are and it's not someone else. Like, Oh, well, you know, that's a really good way to look at it. She's like, Oh, hi, my name is and she introduces herself. She's like, I'm the Cisco for this project. I'm like, oh, Hi. I'm just gonna roll back in here now, she was really good. And she was actually happy that we were doing it. She knew that it was going on. And she was happy to actually meet some of the testers too. But yeah, that was definitely like me putting my foot in my mouth.
Ayman Elsawah 43:16
Yeah, that's really good. And I also want to say that, so my partner who was very supportive to me, so, about three or four months ago, she decided that she wanted to kind of pivot into infosec. And so I was like, here, here's all these books do this thing, like, learn everything. And I'm super happy to say that Tuesday, because it's a weird short week. The Tuesday was her first day doing incident response for a company. So she has now pivoted into infosec for marketing Actually, it's amazing. And I was Yes, super happy. And it felt good to kind of like pay it forward, cuz she helped me so much. During this time when I was pivoting into it to, to help her get into
Ayman Elsawah 44:04
it, that's awesome. I'd love to have her on the show one day, get her journey from marketing to incident response. You don't see that often.
And it's social media marketing, which is a weird, weird animal in itself. Okay.
Ayman Elsawah 44:19
So you spend most of your time, you know, not only if you're hacking, but you have to kind of educate folks all the time, right?
Yeah, we do a lot of education kind of, through defending our findings, because there's a lot of like, Dev departments that come to us, and they're like, why is this an issue? Why do we need to encode special characters, you know, why do we need to do these things? Exactly. And we really have to spell out well, if you don't do this, then we can do this, which leads to this, which leads to this. And there's a lot of times where you can kind of hear over the phone that like jaw dropping have is that really how that works? And we've started including videos in our reports. Nice. So we write the report, but we also show a video of like, Look, I do this and then this and I type this in here. And I hit Enter. And owned sweet. And, you know, they say a picture's worth 1000 words, right? While this is 1000 words, or 30 pictures a second. Yeah, at 1000 words. That's a lot of words.
Ayman Elsawah 45:31
That's awesome. So what some parting advice for someone to get into the pentesting field, particularly like your juniors, for example? What's their background that you know, or like, what some parting advice for folks on getting in? So I think
the best advice that I can give is just stick with it. Like you absolutely have to have that perseverance, because people are gonna say, No, no, that first place that you apply is never the place that you start. Yeah. Mike said I will A folder full of hundreds of rejection letters that I kind of kept. Because that was motivation. I'm like, Well, I'm not a good fit for these guys, but maybe I'm a good fit for this one. Or this is why I got rejected. I'm gonna work on that thing. That and just keep doing it, you know, stay passionate. You know, I hack all day long for a living. But then I come home and I do a CTF nice, or I'm super excited since I've moved out east. There's a bar about 45 minutes for me that every other week they do hacker trivia. Really? Yeah, I go out there and I have a beer and I play hacker trivia and hang out with other people. And there are a lot of people who are like, Oh, yeah, I'm a sysadmin. But this sounded fun. So I'm going to come do this thing. And I've watched those people come to hacker trivia and just get better and better, and then get jobs in infosec. I think it really is. Stay passionate, you know, do the fun things. You know, do this CTF Yeah, do the hacker trivia go to conferences? Because that is I think one of the best things besides is super inexpensive and well worth every penny. And besides are everywhere, you know, go to conferences, just live it for a while. And you'll learn even when you think you're just having fun hanging out with friends at a conference doing a weird crypto challenge. You're still learning. And you're still making these connections. And yeah, just stick with it. You know, don't ever get disheartened. I know it's hard, especially getting rejection letter after rejection letter. Yeah. But yeah, stick with it. And, and it'll,
Ayman Elsawah 47:44
it'll come around. That's awesome. Well, Brandon, aka syntex Thank you so much. Yeah. Thank you so much for sharing your story. I think a lot of people can learn from it and I found it very inspiring myself, and I look forward to talking in sometime in the future.
Yeah, definitely. Thank you and I hope to catch some coffee with you at DEF CON coming up.
Ayman Elsawah 48:05
Absolutely. definitely looking forward to that. Cool. Thanks a lot, Brandon.
Thank you. Thank you. Bye Bye.
Ayman Elsawah 48:11
Thanks for listening. Hope you enjoyed that as much as I did. As always, if you liked the show, please thank my guests for their time and let others know about the show. They might thank you for it. Intro Music is Cascadia by trash at trashy calm. Check out the website getting into infosec comm for show notes, clickable timestamps, a preview of my book and more and stay in touch on Twitter for more getting into infosec reflections. Every week I let my guests pick their outro music this week. It's pure decking by patients euro link in the show notes. See you next time.
Transcribed by https://otter.ai