Hacker Valley Red

Hacker Valley Media

Exploring the nexus of cybersecurity defense and humanity with the mind of a hacker. read less

Start Here
Keeping It Open Source with Metasploit’s HD Moore
Jul 1 2022
Keeping It Open Source with Metasploit’s HD Moore
This season of Hacker Valley Red wraps up with another interview of an incredible offensive cybersecurity legend. Known first and foremost for his work founding Metasploit and his recent work co-founding Rumble, HD Moore joins the show this week to talk about his journey from spiteful hacker to successful founder. HD walks through the history of Metasploit, the motivation behind their coding decisions, his opinions on open source software, and the excitement of exploration and discovery. Timecoded Guide: [04:57] Catching up on HD’s career from his hacking exploits in the ‘90s through his founding of Metasploit to his recent activities with Rumble [11:41] Getting personal with the feelings and takeaways from a project as successful and impactful on the cyber industry as Metasploit [18:52] Explaining HD’s personal philosophies around accessible education and the risk of sharing vulnerable information publicly  [25:39] Diving deep into the technical stories of HD’s path of discovery and exploration during his time at Metasploit [31:14] Giving advice for future founders and hackers looking to make a legendary impact on the cybersecurity community   Sponsor Links: Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley   What were some of the trials, tribulations, and successes of Metasploit?  Although Metasploit has had a lasting impact on the cyber world, HD Moore is not afraid to admit that part of Metasploit existed out of spite for critics, employers, and gatekeepers in the cybersecurity industry. In terms of trials and tribulations, HD saw a great deal of criticism come from his peers and from professionals ahead of him in the industry, often displaying rudeness towards the quality of the exploits and Metasploit’s audience of young hackers. Later, HD says that a surprising and amusing side effect of his success with the project was watching employers and peers go from criticizing to lifting up his work with Metasploit and attributing success of many hacking professionals to its creation. “When we started the Metasploit project, we really wanted to open up to everybody. We wanted to make sure that, even if you barely knew how to program, you can still contribute something to Metasploit. So, we did our best to make it really easy for folks to get in touch with us, to submit code.”   Where does your philosophy land today on giving information freely? HD has heard the same opinions many professionals that teach and give information freely have heard: “You’re making it easier for people to use this information the wrong way.” Instead of considering the worst possible outcomes of making hacking accessible, HD chooses to acknowledge the importance of accessible education and publicly provided information. According to HD, if someone is creating and teaching content to the next generation of red teamers, that content is theirs to use. Whether they’re a physical pen tester teaching lock picking or a hacker disclosing a vulnerability, what they choose to share with others has to be based on personal moral code and what others do with that information is up to them.  “It comes down to: You do the work, you own the result. If you're teaching people how to do stuff, great, they can do what they want. You can decide to do that, you can decide not to do that, but it's your decision to spend your time training people or not training them.”   Is it possible to be a CEO, or a co-founder, and stay technical? The downside of success in the cybersecurity industry is often stereotyped as losing the opportunity to be a hands-on hacker. However, for HD, his success has allowed him to do the exact opposite and instead prioritize his time to be technical. HD believes strongly in the ability to make this happen through proper delegation of duties, incorporating new leaders and managers in your company or project, and acknowledging when you may need the help to bring what you’re working on to the next level. HD is proud of his success with Metasploit and Rumble, and is happy that he was able to hand off certain duties to other professionals that he knew would do better if they had a chance in the founder’s shoes.  “Don't let the growth of your company change what you enjoy about your work. That's really the big thing there, and there's lots of ways you can get there. You can hire folks to help out, you can promote your co-founder to CEO. You can bring on program managers or project managers to help with all the day to day stuff.”   What advice do you have for people looking to follow a similar cyber career path? Content is the name of the game, especially when you’re looking to get more eyes on what you do. HD is the first to admit that putting himself out there in a blog post, on a podcast, or at a stage show is not always a walk in the park, taking him out of his comfort zone and often away from the tech that he spends his time on. However, publicly displaying himself and his work has brought attention to Rumble and Metasploit, and HD knows he would not have achieved this level of success without putting his content out into the world, hearing feedback from his peers, and even receiving his fair share of criticism from industry professionals. “Not all of it is the most fun thing to do all the time, but it is crucially important, not just for growing yourself and getting out there and getting feedback from your peers, but for learning because you learn so much from the feedback you get from that effort.”  ----------- Stay in touch with HD Moore on LinkedIn, Twitter, and his website. Learn more about Rumble, Inc on LinkedIn and the Rumble website. Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter. Follow Ron Eddings on Twitter and LinkedIn Catch up with Chris Cochran on Twitter and LinkedIn Continue the conversation by joining our Discord
Keeping It Open Source with Metasploit’s HD Moore
Jul 1 2022
Keeping It Open Source with Metasploit’s HD Moore
This season of Hacker Valley Red wraps up with another interview of an incredible offensive cybersecurity legend. Known first and foremost for his work founding Metasploit and his recent work co-founding Rumble, HD Moore joins the show this week to talk about his journey from spiteful hacker to successful founder. HD walks through the history of Metasploit, the motivation behind their coding decisions, his opinions on open source software, and the excitement of exploration and discovery. Timecoded Guide: [04:57] Catching up on HD’s career from his hacking exploits in the ‘90s through his founding of Metasploit to his recent activities with Rumble [11:41] Getting personal with the feelings and takeaways from a project as successful and impactful on the cyber industry as Metasploit [18:52] Explaining HD’s personal philosophies around accessible education and the risk of sharing vulnerable information publicly  [25:39] Diving deep into the technical stories of HD’s path of discovery and exploration during his time at Metasploit [31:14] Giving advice for future founders and hackers looking to make a legendary impact on the cybersecurity community   Sponsor Links: Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley   What were some of the trials, tribulations, and successes of Metasploit?  Although Metasploit has had a lasting impact on the cyber world, HD Moore is not afraid to admit that part of Metasploit existed out of spite for critics, employers, and gatekeepers in the cybersecurity industry. In terms of trials and tribulations, HD saw a great deal of criticism come from his peers and from professionals ahead of him in the industry, often displaying rudeness towards the quality of the exploits and Metasploit’s audience of young hackers. Later, HD says that a surprising and amusing side effect of his success with the project was watching employers and peers go from criticizing to lifting up his work with Metasploit and attributing success of many hacking professionals to its creation. “When we started the Metasploit project, we really wanted to open up to everybody. We wanted to make sure that, even if you barely knew how to program, you can still contribute something to Metasploit. So, we did our best to make it really easy for folks to get in touch with us, to submit code.”   Where does your philosophy land today on giving information freely? HD has heard the same opinions many professionals that teach and give information freely have heard: “You’re making it easier for people to use this information the wrong way.” Instead of considering the worst possible outcomes of making hacking accessible, HD chooses to acknowledge the importance of accessible education and publicly provided information. According to HD, if someone is creating and teaching content to the next generation of red teamers, that content is theirs to use. Whether they’re a physical pen tester teaching lock picking or a hacker disclosing a vulnerability, what they choose to share with others has to be based on personal moral code and what others do with that information is up to them.  “It comes down to: You do the work, you own the result. If you're teaching people how to do stuff, great, they can do what they want. You can decide to do that, you can decide not to do that, but it's your decision to spend your time training people or not training them.”   Is it possible to be a CEO, or a co-founder, and stay technical? The downside of success in the cybersecurity industry is often stereotyped as losing the opportunity to be a hands-on hacker. However, for HD, his success has allowed him to do the exact opposite and instead prioritize his time to be technical. HD believes strongly in the ability to make this happen through proper delegation of duties, incorporating new leaders and managers in your company or project, and acknowledging when you may need the help to bring what you’re working on to the next level. HD is proud of his success with Metasploit and Rumble, and is happy that he was able to hand off certain duties to other professionals that he knew would do better if they had a chance in the founder’s shoes.  “Don't let the growth of your company change what you enjoy about your work. That's really the big thing there, and there's lots of ways you can get there. You can hire folks to help out, you can promote your co-founder to CEO. You can bring on program managers or project managers to help with all the day to day stuff.”   What advice do you have for people looking to follow a similar cyber career path? Content is the name of the game, especially when you’re looking to get more eyes on what you do. HD is the first to admit that putting himself out there in a blog post, on a podcast, or at a stage show is not always a walk in the park, taking him out of his comfort zone and often away from the tech that he spends his time on. However, publicly displaying himself and his work has brought attention to Rumble and Metasploit, and HD knows he would not have achieved this level of success without putting his content out into the world, hearing feedback from his peers, and even receiving his fair share of criticism from industry professionals. “Not all of it is the most fun thing to do all the time, but it is crucially important, not just for growing yourself and getting out there and getting feedback from your peers, but for learning because you learn so much from the feedback you get from that effort.”  ----------- Stay in touch with HD Moore on LinkedIn, Twitter, and his website. Learn more about Rumble, Inc on LinkedIn and the Rumble website. Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter. Follow Ron Eddings on Twitter and LinkedIn Catch up with Chris Cochran on Twitter and LinkedIn Continue the conversation by joining our Discord
From Black Hat to Bug Bounties [Pt. 2] with Thomas DeVoss
Jun 24 2022
From Black Hat to Bug Bounties [Pt. 2] with Thomas DeVoss
We’re joined again by the hacker’s hacker, Tommy DeVoss, aka dawgyg. Bug bounty hunter and reformed black hat, Tommy dives back into a great conversation with us about his journey in hacking and his advice to future red team offensive hackers. We cover everything we couldn’t get to from part 1 of our interview, including his struggles with burnout, his past hacking foreign countries on a bold quest to stop terrorism, and his future in Twitch streaming to teach you how to be a better bug bounty hunter.   Timecoded Guide: [02:57] Fixating on hacking because of the endless possibilities and iterations to learn, but understanding that burnout does happen, especially when hacking gets frustrating [09:54] Giving advice to the next generation of hackers, including patience for success, getting back up after a failure, and dedicating yourself to a hands-on learning experience [17:17] Contacting Tommy and keeping up with him on Twitter, and asking questions publicly so that others can learn from the answers he gives you [21:43] Planning a Twitch course to teach hackers about bug bounties using real bugs and real-world examples of how they work [24:57] Hacking in the early 2000s and understanding the freedom Tommy has to talk about any and all illegal hacking he’s done now that he’s gone to prison    Sponsor Links: Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley   Do you ever struggle with burnout when it comes to hacking? Hacking has maintained Tommy’s interest longer than anything else because of the constant changes in technology and the ever-evolving issues in the online world. However, just because hacking is his passion, doesn’t mean that burnout or frustration never happens. Currently, Tommy is taking more of a break with hacking, letting his current day job and his passion for gaming have a front seat. However, he’s still firmly in the industry, passionately developing learning opportunities for future hackers and answering questions from cyber professionals of all backgrounds. “I do get burned out sometimes…When it comes to bug bounty hunting, I try and make it so it averages out to where I make at least $1,000 an hour for my effort. It doesn't always work. Sometimes I'm more, sometimes I'm less, but I try and get it so it averages out to about that.”   What hacking advice would you give the younger version of yourself?  Although his black hat ways resulted in prison time for Tommy, he doesn’t regret his past and instead seeks to teach others the lessons he’s learned. When we asked Tommy for advice for new hackers, he was clear that success is a longer journey than people assume it is. Tommy’s success was not a fluke, it took years of hands-on learning and patience with failures in order to develop his bug bounty skills. Nothing is actually automatic or easy with hacking, especially as the technology continues to change and evolve. Tommy wants hackers to take every opportunity to try out their skills, even if it's a complete failure. “Don't expect success overnight. Also, don't let failure discourage you. When it comes to hacking, you're going to fail significantly more than you're going to succeed. And the people that are successful in bug bounties are the ones that don't let those failures discourage them.”   What do you think about the “media obsessed” stereotype many people have about black hat hackers? Wrapping up today, Tommy tells us that he’d be happy to be back in the Hacker Valley Studio again some time. Although the stereotype of a black hat hacker wanting attention from the media is disproven, Tommy believes that he definitely has craved that media attention for a large majority of his hacking career. Starting in the early 2000s, after 9/11, Tommy had one of his first brushes with fame in an interview with CNN about hacking Middle Eastern companies. Although his hacking and his politics have changed since then, Tommy enjoys having in-depth conversations about hacking and explaining the intricacies of what he does. “We loved the attention back then, and I still love the attention now, it's nice. The good thing about now is, because I already got in trouble for everything that I've done, I've done my prison time, I don't have anything that I did illegally on the computer anymore that I can't talk about, because I've already paid my debt to society.”   What are the best ways for people to keep up with what you’re doing? Considering Tommy’s success, it’s understandable that a lot of cyber professionals and amateurs have tons of questions for him. When it comes to getting in contact with Tommy, he recommends tweeting him on Twitter publicly so that he can not only answer your question, but help others with the exact same questions. Education is key, and Tommy is so dedicated to teaching other hackers that he’s currently developing a recurring Twitch stream centered around helping others learn about bug bounty hunting. “I don't know how successful we're going to be in finding the bugs, but I think it'll be fun to teach people [on Twitch] and do it that way, so that they can actually spend some time learning it. The best way to actually learn this stuff is to actually try and do the hacking.” ----------- Stay in touch with Thomas DeVoss on LinkedIn and Twitter Check out the Bug Bounty Hunter website Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter Follow Ron Eddings on Twitter and LinkedIn Catch up with Chris Cochran on Twitter and LinkedIn Continue the conversation by joining our Discord
From Black Hat to Bug Bounties [Pt. 1] with Tommy DeVoss
Jun 17 2022
From Black Hat to Bug Bounties [Pt. 1] with Tommy DeVoss
We’re joined by million-dollar hacker and bug bounty hunter, Thomas DeVoss, this week as we continue our season-long discussion of offensive cybersecurity legends. A legend in the making with a success story in bug bounty hunting that has to be heard to be believed, Tommy is an incredibly successful black hat hacker-turned-bug bounty hunter. He represents how misunderstood the hacking community can be and how positively impactful bug bounties can be. Who hacks the hackers? Look no further than Tommy DeVoss.   Timecoded Guide: [02:59] Becoming interested in hacking for the first time at a young age through internet chat rooms and finding a mentor through those rooms [08:26] Encountering unfriendly visits with the government and the FBI after his hacking skills progressed and being arrested in the 2000s [14:20] Seeking his first computer job after a couple visits to prison and finding a new position with someone that knew of his hacking skills  [25:21] Discussing with Yahoo the possibility of working with them due to his successful bug boundaries and understanding the limitation he would be under if he did that [30:56] Giving honest advice to hackers looking to break into the bug bounty scene and make the amount of money that he’s making   Sponsor Links: Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley   When did you get into hacking for the first time? At an early age, Thomas found his passion for hacking in an IRC chat room. Mentored by a man named Lewis and encouraged by fellow friends in the hacking world, popping shells and breaking into US systems using foreign IP addresses. Although Tommy became incredible at his craft from a young age, his early habits became serious black hat issues that ended up getting him in trouble with the US government. Just like the hacker in a big Hollywood blockbuster, the government caught up with Tommy and he faced 2 years in prison in his first sentence. “Instead of coming back to him and saying, "Hey, I'm done," I came back and I was actually asking him questions like, "Can you explain this?” And he saw that I was like, actually interested in this and I wasn't one of the people that was just expecting it to be handed to me and everything like that.”    After spending time in prison, were there barriers to getting involved in hacking again?  After being in and out of prison a couple times, Tommy found the worst part of coming home to be his ban from touching any sort of device with internet access. Despite it being a part of his probation, his passion for tech continued to bring him back to computers and gaming. After his final stint in prison after being falsely suspected of returning to his black hat ways, the FBI lifted Tommy’s indefinite ban on computer usage and immediately renewed his passion for working in tech.  “They had banned me indefinitely from touching a computer. So, when I came home on probation the first time, they upheld that and I still wasn't allowed to touch computers as part of my probation. For the first month or so, I didn't get on a computer when I came home from prison, but then it didn't take long before I got bored.”   How did your cyber career pivot to bug bounty hunting? With prison behind him and his ban on computers lifted, Tommy got a job working for a family friend in Richmond, Virginia for a modest salary of $30,000. Although this amount felt like a lot at the time, he quickly realized that there was money to be made in bug bounties. His first few experiments in attempting bug bounty programs had him earning $20,000 or $30,000 for hours of work, a huge increase from the salary he was currently making. Encountering success after success, Thomas quit his job in 2017 to become a full-time bug bounty hunter. “The first bug bounty program that jumped out at me was Yahoo. I had started hacking Yahoo in the mid 90s, I knew their systems in the 90s and early 2000s better than a lot of their system admins and stuff. And I figured, if there's any company that I should start out with, it should be them.”   What success have you seen since becoming a bug bounty hunter, especially with major corporations like Yahoo? Thomas has become a huge earner in the cybersecurity community, and has continued to see incredible results from his hacking and bug bounty projects. Most notably, after numerous high earning days, making up to $130K at once, with companies like Yahoo, he’s even been offered positions working with corporations he’s bug bountied for. However, Tommy is quick to point out that his success was definitely not overnight, and warns fellow hackers of getting too confident in their bug bounty abilities without the proper skill sets or amount of experience under their belts. “I think at this point, I've had days where I've made six-digit income in that single day, at least six or seven times. And it's almost always been from Yahoo.” ----------- Stay in touch with Thomas DeVoss on LinkedIn and Twitter. Check out the Bug Bounty Hunter website. Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter. Follow Ron Eddings on Twitter and LinkedIn Catch up with Chris Cochran on Twitter and LinkedIn Continue the conversation by joining our Discord
Unlocking Cyber Education with John Hammond
Jun 10 2022
Unlocking Cyber Education with John Hammond
John Hammond, Senior Security Researcher at Huntress Labs and self-described cybersecurity education enthusiast, joins us as we continue our discussion of red team legends. With a focus on content creation this week, John discusses his success with his YouTube channel, his passion for showcasing authentic and accessible educational materials online, and his advice for creating content safely and spreading awareness with not only a red team or blue team mindset, but with a purple team perspective. Timecode Guide:  [01:37] Understanding the impact of content creators in the cybersecurity community, especially when it comes to YouTube educational content [06:58] Becoming a successful YouTube creator through consistently posting hacking content and ignoring the stereotype of “overnight success” [13:28] Combining his role as a cybersecurity educator with his security research at Huntress to explore exploits and have real life experience with what he teaches [16:47] Focusing on the blue side of the house as someone with red team experience, and understanding how to use a tool like PlexTrac to create a collaborative purple team [21:13] Being mindful of the impact he has through sharing this knowledge and understanding the risk of cybersecurity educational materials falling into “the wrong hands” Sponsor Links:  Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley What is your origin story for wanting to educate other hackers? Like many of us, John started his journey Googling how to become a hacker. As he gained more knowledge about the specific skills involved in hacking, John never left the internet behind, always seeking out videos and articles explaining new and emerging content. Inspired by those who created that content in the first place, he started his own YouTube channel, simply titled John Hammond, as has spent years cultivating a consistent hacker audience.  “Along the way, creating content and helping educate others through YouTube is really my main stage platform and has been just a passion project, a labor of love, and something fun along the way.”   What feelings do you get looking back on the YouTube content you’ve created so far? John prioritizes clarity, transparency, and honesty in what he does, and he’s not afraid to show some humbleness, too. Overall, John is thankful for his YouTube success and the impact it had on the cybersecurity community. No matter what he’s showing in his videos, he prefers to keep things honest, to show where he’s made mistakes, and to accept criticism and advice from other hackers and offensive cybersecurity professionals that see his work.  “I'm showcasing just my computer screen, maybe you get a little face cam and a circle on the bottom right, but it's like you're looking over my shoulder. You're seeing me showcase something raw, live, genuine, and authentic…It’s not all sexy, there’s a lot of failure in hacking.”   Have you ever considered focusing on the blue team or the defensive side of cybersecurity? The majority of John's YouTube content and the work he does in his role at Huntress Labs heavily involves the red team and offensive side of cyber. However, John is a huge advocate for the blue team and the red team collaborating and communicating better. Through making more concepts in cybersecurity accessible through educational content like John’s own videos, he hopes we can continue to bridge the gap and achieve that perfectly mixed purple team. “We're all playing in concert. As one team sharpens their skills in the red team pen test, then it's up to the blue team to figure that out. What did they do? How can we better detect it? How can we stop and mitigate that security threat?”   What advice do you have for red team content creators that want to share content and spread awareness safely?  With the impact that he’s had and the content he’s put out onto the internet, John is no stranger to seeing the negative side of cybersecurity knowledge being more accessible than ever before. Still, he wants to make sure content creators understand the value of transparency and honesty in what they do. Instead of fearing what could be, cultivate a community around making this level of knowledge and security available to everyone. “Share, be transparent, be forthcoming. I know there are a lot of conversations about gatekeeping in cybersecurity, but there shouldn't be that. I understand there's grit and determination and hard work to do all the things that you're doing, but be friendly and be transparent and honest.”   Hacking the Vocabulary: Cybersecurity Capture the Flag (CTF): Competitions to demonstrate expertise in attacking computer resources. The “flag” is normally a file or code a team recovers and provides as proof of their successful penetration of defenses. Python Programming Language: A powerful, general-use programming language, often used in web development, data science, and creating software prototypes. The Onion Router (TOR): ​​A free and open-source software for enabling anonymous communication, with each “onion” network having layers of encryption.  Kaseya VSA Ransomware Incident: A ransomware attack in July of 2021. This paralyzed as many as 1,500 organizations by compromising tech-management software from a company called Kaseya. Log4j: A Java-based logging utility used by developers to keep track of what happens in their software applications or online services. Zero-Day Vulnerability: A vulnerability in a system or device that has been disclosed but is not yet patched.  ---------- Links: Check out our guest, John Hammond, on YouTube and LinkedIn. Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter. Follow Ron Eddings on Twitter and LinkedIn. Catch up with Chris Cochran on Twitter and LinkedIn. Continue the conversation by joining our Discord.
Purposeful Communication Through PlexTrac with Dan DeCloss
Jun 3 2022
Purposeful Communication Through PlexTrac with Dan DeCloss
We’re joined by sponsor and guest Dan DeCloss, CEO and Founder of PlexTrac, on the podcast today to talk about communication and collaboration between the red and blue side of cybersecurity and why security success depends on those two sides working together. On their mission to build stronger, more productive, and well-rounded security teams, PlexTrac provides incredible and insightful metric and messaging tools that change the game for the cybersecurity industry. Timecoded Guide: [05:36] Understanding PlexTrac’s history and mission for cybersecurity teams [09:58] Lack of empathy and understanding in red team and blue team communication [18:48] Breaking through the resentment and confusion within a team [24:45] Envisioning the future of PlexTrac’s community impact [27:52] Caring about your cybersecurity mission beyond yourself Sponsor: Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley   What is the function of PlexTrac that would help you the most as a pen tester? With prior hands-on experience on the red side, Dan found his journey to creating PlexTrac to be full of moments where he wanted to fix the same problems he encountered over and over with reporting and communicating. One of these problems was solved easily with the addition of a video feature, a simple function that has existed since PlexTrac first began but is instrumental and is a huge time-saver for visual learners. “As a pen tester, I hated finding that I had 20-odd screenshots if it's a pretty complex exploit. I think the adage for us is like, if a picture's worth 1,000 words, then a video is worth 1,000 pictures, right?” What do you think are some of the gaps in skills that organizations face when hiring these professionals to perform offensive operations? Communication is key— not just in life, but in this episode. While we’ve discussed skills gaps previously in cybersecurity, Dan is quick to point out that a consistent gap he sees in all areas of cybersecurity is effective communication. PlexTrac keeps this struggle to communicate in mind and creates easy, simple pathways and functions that encourage communication and facilitate collaborative problem solving. “If there's one area that I really emphasize with anybody that I'm mentoring or have hired in the past is, as a security person, whether you're red or blue, you really do need to be a good communicator and be able to communicate risk effectively within the right context.” What would you want to say to those folks that don't see eye-to-eye from the red or the blue side? We’re fighting the same fight, no matter if we’re on the red side or the blue side of cybersecurity. Dan’s message for our warring red and blue teams throughout the industry is to understand the importance of your mission and to not let relationships between red and blue feel clouded with misunderstanding or resentment. No one’s job is harder than anyone else’s, and each role on offensive and defensive plays a part in our collective victory. “I'm gonna just be point blank about it…Are you trying to just prove a point about your knowledge and your skills? Or, are you actually trying to make the world a safer place?” What would you want to say to all those folks out there [in cybersecurity]? As PlexTrac aims to make a huge impact on our community, Dan and his team acknowledge a need for a unified, focused, and collaborative cybersecurity industry, with hard workers on both the red and blue sides. With PlexTrac’s assistance in making reports, measurable results, and communication that much easier, our team at Hacker Valley is thankful to be a part of PlexTrac’s amazing network and can’t wait to share more tools like this with all of you. “I think keep fighting the good fight, for both sides, and recognizing that your mission is vital to the safety and security of your organization and the world at large, right? We are all in this battle together.” Hacking the Vocabulary: DOD: The United States Department of Defense. ---------- Additional resources to check out: Spend some time with our guest, Dan DeCloss, on LinkedIn, and the PlexTrac website  Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter. Follow Ron Eddings on Twitter and LinkedIn Catch up with Chris Cochran on Twitter and LinkedIn Continue the conversation by joining our Discord
Representation Without Technicalities with Mari Galloway
May 27 2022
Representation Without Technicalities with Mari Galloway
We’re breaking down the concept of difference makers this week and we couldn’t help but call upon Mari Galloway, CEO of the Women’s Society of Cyberjutsu, to be our guest during this conversation. As a black woman in cybersecurity who has dedicated a large portion of her career to helping women and girls become a part of the cyber community on both the technical and non-technical sides, Mari is a stunning example of making a difference and creating a path to expand cybersecurity beyond stereotypes.  Timecoded Guide:  - [01:29] Defining the difference makers and explaining the OODA loop - [13:52] Introducing Mari and the Women’s Society of Cyberjutsu  - [20:14] Finding her purpose in helping others find their purpose  - [25:06] Explaining the roles and paths available outside of strictly technical  - [30:31] Understanding imposter syndrome and forging a freedom-based career journey  Sponsor:  Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life!  Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone  PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley    What is that like to see people go from taking that original red pill all the way through starting their career in cybersecurity?  When we talk about making a difference, many of us don’t get to see our impact as clearly as the Women’s Society of Cyberjutsu sometimes gets to see. Mari tells us numerous stories of women throughout this episode, including herself, who became a part of this industry because of the instrumental work they do in outreach and education. For Mari, seeing women change their minds and majors to become a part of the tech industry shows how vital this work is.  “These are the moments we're waiting for, whether it's one person or 50 million people. We want you to feel confident enough to get the skills you need, get in the industry, continue to refine those skills, and be super successful.”    What would you equate your purpose to, and how does everything you do fit into it? Like many of us, Mari isn’t entirely sure what her purpose is, but she knows that she enjoys helping the next generation and making a difference in the landscape of cybersecurity. Working with a nonprofit is not an easy job, even if it is rewarding, and Mari still prioritizes her freedom alongside meeting her purpose. No matter what Mari’s future holds, she knows that this work and this purpose to help others will always find her.  “I think as I get older, as I start to take steps back to just kind of look at what's happened and the impact that I'm having and others around me are having on the next generation of folks coming up, I think my purpose is to help people. It's to help other people see their potential.”    How do you feel like creating that safe environment has affected others?  Helping others find their footing in the cybersecurity industry can be extremely rewarding, especially when Mari found herself in a situation of uncertainty when she first joined the Cyberjutsu Tribe. The community of cybersecurity and the stereotypes around hackers can feel incredibly uninviting from the outside. Offering people, especially women and young girls, an opportunity to step into a safe space where they can ask anything has been huge for Mari.  “We call it our Cyberjutsu Tribe, and we want to make sure that anybody that comes to us feels like they can reach out and touch us and ask us questions and get answers and just have a conversation with us.”    How do we invite more people in and let them know that there are opportunities in cyber outside of technical roles?  Whether you’re hacking, selling, managing, or marketing, there is a space for you in the cybersecurity world. You don’t have to code or to be extremely technical to fit in this industry anymore, and you don’t have to have a certain look. The Women’s Society of Cyberjutsu prioritizes educating people on every role involved in the industry and showing them that they don’t have to be a tech wizard or a computer guru to find a satisfying and profitable position.  “You don't have to look like this to be a hacker. You can look like me…That stereotype, I think, is dying, as we see the number of women coming in and men coming into the space that don't look like that anymore.”    Hacking the Vocabulary:  OODA Loop: Observe, Orient, Decide, Act. A four-step approach to decision-making that focuses on filtering available information, putting it in context and quickly making the most appropriate decision.  CISO: The chief information security officer, a senior-level executive responsible for developing and implementing an information security program Taking the red pill: The terms "red pill" and "blue pill" refer to a choice between the willingness to learn a potentially unsettling or life-changing truth by “taking the red pill,” or remaining in contented ignorance with the blue pill.  ---------  Additional resources to check out:  Spend some time with our guest, Mari Galloway, on LinkedIn, Twitter, her website, and the Women’s Society of Cyberjutsu website.  Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter. Follow Ron Eddings on Twitter and LinkedIn Catch up with Chris Cochan on Twitter and LinkedIn Continue the conversation by joining our Discord
Learning from Cybersecurity Legends with Davin Jackson
May 20 2022
Learning from Cybersecurity Legends with Davin Jackson
Those on the red team may not be household names to the everyday person, but they are absolute legends and icons in the world of cybersecurity and hacking. While we have our personal favorite hackers between the two of us, we also invite our guest, Davin Jackson, to share his favorite cybersecurity legends and the lessons he’s learned from them. Timecode Guide: [00:50] The importance of red teaming, especially during this season [02:17] Ron and Chris’ first experience working in a red team environment [11:23] Communication and collaboration between blue and red [16:53] Knowledge gained from Davin Jackson’s humble beginnings in tech [22:19] Gaining the blue perspective with Hacker Valley Blue   Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone PlexTrac, the proactive cybersecurity management platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley Legends, Icons, Teachers, and Friends From Marcus Carey to Johnny Long, we’re excited to share the legends that had an early influence and lasting impact on our careers in cybersecurity. While our two backgrounds in red teaming are different, we can attribute so much of our success and our ability to share our knowledge with all of you to the experts that were willing to invite us to join and learn the best hacking techniques alongside them. “I think that's the most important thing in red teaming, it’s passing that knowledge on to someone else.” - Chris Cochran   Communication, collaboration, and community instead of red vs blue It is not two teams with two separate fights when we’re talking about red teams and blue teams. Often, when cybersecurity is too focused on this split between offensive and defensive, we forget to collaborate and fall short of improving on issues we discovered. Communication between red and blue can be a costly struggle, which is why we’re happy to see our sponsor PlexTrac stepping in to develop communication technology for these teams. “There's this push and pull of collaboration. On one hand, you want the red team to work autonomously…but on the other hand, they do need insight if you’re going to go deeper and deeper.” - Ron Eddings   Legends met, lessons learned, tech loneliness understood In the latter half of our episode, we’re joined by Hacker Valley Blue host Davin Jackson, also known as DJax Alpha. Davin started his cybersecurity journey with no computer of his own. Working his way up from basic tech jobs at corporations like Circuit City, lessons Davin learned from the legends he looked up to include finding a mentor, focusing on networking (even when it feels like a dead end), and being always willing to share what you’ve learned. “It’s about consistency, and you have to have self control and discipline…It’s one thing to get it, but it’s another to maintain that success.” - Davin   Hacking the Vocabulary: Pen test — Pen test, or penetration testing, is a method of identifying and testing vulnerabilities and gaps in an IT security system that could be exploited. This can also be referred to as “ethical hacking”. Popping a shell — A slang term for when a hacker exploits a security vulnerability to make a program run a hacker code. Red team — A group within an organization made up of offensive security experts who try to attack an organization’s cybersecurity defenses. Blue team — A group of defensive security experts within the same organization that defends against and responds to the red team attack. Additional resources to check out: Marcus J Carey, Johnny Long/Hackers for Charity, United States Cyber Command, Booz Allen Hamilton ---------- Spend some time with our guest, Davin Jackson (DJax Alpha/Alpha Cyber Security) on his website, Twitter, Instagram, Facebook, and on the Hacker Valley Blue podcast. Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter. Follow Ron Eddings on Twitter and LinkedIn Catch up with Chris Cochan on Twitter and LinkedIn
Making Hacking Accessible with Deviant Ollam
May 13 2022
Making Hacking Accessible with Deviant Ollam
In this season of Hacker Valley Red, we focus on cybersecurity legends in offensive operations with a legend in physical pen testing and lockpicking: Deviant Ollam. As a pioneer in our industry and an author of two incredible books about lockpicking, Deviant shares his history from hobbyist to professional and all that he’s learned along the way. He also discusses making the secrets of the hacking world accessible to all. Timecoded Guide: [01:28] Defining the pioneers in cybersecurity[08:47] Deviant’s first explorations in lockpicking [16:03] Accessing and democratizing hacking secrets[18:58] Becoming an author to transfer his knowledge[23:12] Seeing the past, present, and future of hacking   Sponsor Links: Thank you to our sponsors Axonius and PlexTrac for bringing this season of HVR to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley _________   What does it mean to be a pioneer in cybersecurity?  As our season focuses on legends, it’s important that we explain what makes these individuals such a vital part of our community. In the case of this episode, we explain that our guest Deviant is nothing short of a pioneer. Deviant has been willing to take on new challenges and revolutionize the industry throughout his career, influencing hundreds of individuals and leaving a lasting educational impact on the entire industry. “That ‘zero to one’ part can be the hardest part of any progression in any field, but especially in cybersecurity.” — Chris   When you reflect on changing this whole industry, how does that make you feel? Despite our guest’s legendary reputation, Deviant is humble about his achievements, caring more about how his work has impacted others than himself. What he focuses most on in his teaching, presentations, and writing is making lockpicking and penetration testing accessible and understandable. Instead of harboring secrets and perpetuating exclusionary policies, Deviant wants anyone to be able to master these skills and understand this knowledge. “I’m not the first one who ever did this. What I like to think of my contributions is that they have chiefly been making it accessible and democratizing this knowledge.” — Deviant    Do you think it's harder today to stand out than it was a couple of decades ago? For Deviant, our globalized internet and algorithm-focus social media sites are both a blessing and a curse. While knowledge can be found on every corner of the web and anyone can become familiar with the information that was once borderline inaccessible, Deviant also recognizes that younger hackers and lockpickers will have a very different rise to success than he did years ago, especially due to fragmented audiences and tricky algorithms.  “We have more avenues to put yourself on display, to put yourself out there than ever before, but that means the audience is fragmented and is spread so thin.” — Deviant   What piece of advice would you have for the folks that want to make an impact in security and technology and in our community today? Although success will look different for newer members of our cybersecurity community, Deviant is confident that the younger innovative minds of the future will be able to solve so many of the long-standing problems within our industry. However, he reminds our younger audience that they need to still respect the tenured members of the cybersecurity world and learn from them without oversimplifying the issues past professionals have faced.  “Start thinking about it in a way that doesn’t use ‘just,’ because every old head in the industry has heard that….We couldn’t ‘just’ do it, or we would’ve ‘just’ done it.” - Deviant   Hacking the Vocabulary: Physical pen-testing — A simulated real-world threat scenario where a malicious actor attempts to compromise a business’s physical barriers to gain access to infrastructure, buildings, systems, and employees. CVE— Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information security issues.  Lockpick Village — A physical security demonstration and participation area where participants can learn about the vulnerabilities of various locking devices, techniques used to exploit these vulnerabilities, and practice on locks of various levels of difficulty. Additional resources to check out: Robert Morris, the Morris worm, TOOOL, the CORE group, Practical Lock Picking: A Physical Penetration Tester’s Training Guide by Deviant Ollam, Keys to the Kingdom by Deviant Ollam, DEF CON ________ Spend some time with our guest, Deviant Ollam, on his website, Twitter, Instagram, and Youtube channel.  Keep up with Hacker Valley on our website, LinkedIn, Instagram, and Twitter.  Follow Ron Eddings on Twitter and LinkedIn  Catch up with Chris Cochran on Twitter and LinkedIn Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord
CrowdStrike 2022 Global Threat Report: Cloud Security
Apr 15 2022
CrowdStrike 2022 Global Threat Report: Cloud Security
In this special mini series of Hacker Valley Red, hosts Ron and Chris are joined by the Senior Vice President of Intelligence at CrowdStrike, Adam Meyers, to review and highlight elements shared in CrowdStrike’s 2022 Global Threat Report.  In the final episode of this series Ron, Chris and Adam discuss threats to cloud infrastructure and how to better secure the gaps. Adam explores how the adoption of cloud technology has expanded our attack surface, how the digital transformation has placed significant strain on asset management and observability, and why identity protection and zero trust protocols might be your biggest defense against data breaches. He takes a deep dive into the Log4J vulnerability and its massive impact on cybersecurity teams all over the world. Finally, the trio examine the intersection of cloud and supply chain security and its implications on security operations.   Guest Bio: Adam Meyers is a recognized expert in the security and intelligence communities. With more than 15 years of experience in the security space, Adam has extensive experience building and leading intelligence practices in both the public and private sector. Adam is a founding employee and SVP on the executive team at CrowdStrike Inc., a global provider of security technology and services focused on identifying advanced threats and targeted attacks. A sought-after thought-leader, Adam conducts speaking engagements and training classes around the world on the topics of threat intelligence, reverse engineering, and data breach investigations.   Links: Stay in touch with Adam Meyers on LinkedIn and Twitter Follow CrowdStrike on LinkedIn and  Twitter and learn more about what CrowdStrike has to offer on their website Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website Support Hacker Valley Studio on Patreon Continue the conversation on our Discord Thanks to our friends at CrowdStrike for sponsoring this episode!
CrowdStrike 2022 Global Threat Report: APTs
Apr 13 2022
CrowdStrike 2022 Global Threat Report: APTs
In this special mini series of Hacker Valley Red, hosts Ron and Chris are joined by the Senior Vice President of Intelligence at CrowdStrike, Adam Meyers, to review and highlight elements shared in CrowdStrike’s 2022 Global Threat Report.  In episode two of this series Ron, Chris and Adam take a deep dive into APTs – how it’s changed over the years and where we stand on the matter today. Adam uncovers the motivations behind nation-state attacks, how APTs are becoming more sophisticated in conducting espionage, and what we need to know about supply chain attacks. Lastly, he explores how APTs are utilizing the cloud and current events to further their operations.   Guest Bio: Adam Meyers is a recognized expert in the security and intelligence communities. With more than 15 years of experience in the security space, Adam has extensive experience building and leading intelligence practices in both the public and private sector. Adam is a founding employee and SVP on the executive team at CrowdStrike Inc., a global provider of security technology and services focused on identifying advanced threats and targeted attacks. A sought-after thought-leader, Adam conducts speaking engagements and training classes around the world on the topics of threat intelligence, reverse engineering, and data breach investigations.   Links: Stay in touch with Adam Meyers on LinkedIn and Twitter Follow CrowdStrike on LinkedIn and  Twitter and learn more about what CrowdStrike has to offer on their website Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website Support Hacker Valley Studio on Patreon Continue the conversation on our Discord Thanks to our friends at CrowdStrike for sponsoring this episode!
CrowdStrike 2022 Global Threat Report: Ransomware
Apr 11 2022
CrowdStrike 2022 Global Threat Report: Ransomware
In this special mini series of Hacker Valley Red, hosts Ron and Chris are joined by the Senior Vice President of Intelligence at CrowdStrike, Adam Meyers, to review and highlight elements shared in CrowdStrike’s 2022 Global Threat Report.  In episode one of this series Ron, Chris and Adam take a deep dive into understanding the state of ransomware today and how it’s shaping the cybersecurity landscape as we know it. Adam explores the evolution of ransomware from a targeting and technical perspective, how data extortion has impacted day-to-day operations and services in our industry, and the risks cloud/SaaS environments present in today’s threat climate. Adams shares a glimpse into the creation of the Global Threat Report and how CrowdStrike is uniquely poised in providing actionable intel to help safeguard your data and operations. Lastly, he gives his advice on how to properly ingest the information provided in the report.   Guest Bio: Adam Meyers is a recognized expert in the security and intelligence communities. With more than 15 years of experience in the security space, Adam has extensive experience building and leading intelligence practices in both the public and private sector. Adam is a founding employee and SVP on the executive team at CrowdStrike Inc., a global provider of security technology and services focused on identifying advanced threats and targeted attacks. A sought-after thought-leader, Adam conducts speaking engagements and training classes around the world on the topics of threat intelligence, reverse engineering, and data breach investigations.   Links: Stay in touch with Adam Meyers on LinkedIn and Twitter Follow CrowdStrike on LinkedIn and Twitter and learn more about what CrowdStrike has to offer on their website Hacker Valley Studio: Swag | LinkedIn | Twitter | Instagram | Email Ron & Chris | Website Support Hacker Valley Studio on Patreon Continue the conversation on our Discord Thanks to our friends at CrowdStrike for sponsoring this episode!
Hacker Valley Season One Finale with Marco Figueroa
Oct 17 2021
Hacker Valley Season One Finale with Marco Figueroa
This episode of the Hacker Valley Studio podcast concludes the Hacker Valley Red series.  In this finale, Ron and Chris interview their friend - and formerly their shared roommate - Marco Figueroa.  Marco is a security researcher and cybersecurity speaker, and he is also a bug bounty enthusiast.  He and the hosts constant improvement, bug bounty, and more, while also looking back at the conversations thus far in the season.   -The episode features Marco Figueroa, and listeners are introduced to the content ahead. -What is Marco’s background, and what is he doing now? -Is there such a thing as an unhackable device? -The group talks about Marco’s philosophy in his protection work, the place of social engineering, and the value of building relationships. -What is the hacker mindset, and do you need coding experience to be a good hacker? -If interested in the red side of the field, what should someone do first? -Marco shares about what he sees on the horizon. -The group considers two major season takeaways: the value of mentorship and the need to put yourself out there and take the first shot. -Where is Marco planning to take his contact creation from here?   Links: Connect with Marco Figueroa on Twitter Connect with Marco on LinkedIn Follow Marco’s Livestream Learn more about Hacker Valley Studio Support Hacker Valley Studio on Patreon Follow Hacker Valley Studio on Twitter Follow Ronald Eddings on Twitter Follow Chris Cochran on Twitter Learn more about the season sponsor, RiskIQ