Money Box investigates fees being charged to teenagers who are struggling to access their child trust funds. We speak to an 18 year old who agreed to pay a claims management firm 25% of his fund plus VAT, not realising he could have done it for free. Lord David Blunkett was in government when Child Trust Funds were created in 2002; he tells Money Box that the unclaimed public money sitting in CTFs should be going to young people, not to firms looking to cash in. Gold has seen rising prices this week in response to turmoil in global markets. The precious metal is traditionally seen as a safe investment during times of economic turbulence. We look at the pros and cons of investing in gold and the different ways to do it. Bank branches continue to close, and in some remaining branches hours or services are being reduced. We hear from a Money Box listener who struggled to make a face to face appointment at his local bank branch.
Presenter: Paul Lewis. Reporter: Sarah Rogers. Researchers: Eimear Devlin and Jo Krasner. Editor: Beatrice Pickup. (First broadcast at 12pm Saturday 19th April 2025)
We're back! This week a little less about tariffs and a little more about bitcoin. Among other things we discuss a new study on mining pool centralisation, mining companies diluting their shares, Jerome Powell's speech and Stripe's Annual Letter. Plus, of course, a market update, where we look at where we stand after a week of tariffs. Enjoy listening! Satoshi Radio is made possible in part by: Amdax, Watson Law, HVK Stevens and our main sponsor Bitvavo.
Timestamps
(00:00:00) Welcome and podcast introduction
(00:10:00) Listeners' China book tips
(00:16:00) Bart's bookmark: Does Saylor have to sell his bitcoin?
(00:23:40) Bert's bookmark: The 2024 Annual Letter from Stripe on stablecoins
(00:30:00) Peter's bookmark: New models from OpenAI
(00:44:00) Peter's bookmark: Powell digs in
(00:56:00) Bart's bookmark: Bitcoin Mining pool centralisation update
(01:17:00) Market update
(02:17:44) End
Bookmarks
Bert: The 2024 Annual Letter from Stripe on stablecoins; "Coming to bitcoin and Lightning very soon"; Tether Is Coming to Bitcoin and Lightning
Bart: Ark update: why CTV and CTFS are needed; Ark transactions on mainnet; Bitcoin Mining pool centralisation update; Share dilutions of miners; Does Saylor have to sell his bitcoin?
Peter: Powell digs in
All Aboard the Innovation Express: RSAC 2025 On Track for Cybersecurity's Future

Let's face it: RSAC isn't just a conference anymore. It's a movement. A ritual. A block party for cybersecurity. And this year, it's pulling into the station with more tracks than ever before, figuratively and literally.

In this On Location episode, we reconnect with Cecilia Murtagh Marinier, Vice President of Innovation and Scholars at RSAC, to dive into what makes the 2025 edition a can't-miss experience. And as always, Sean and Marco kick things off with a bit of improvisation, some travel jokes, and a whole lot of heart.

From the 20th Anniversary of the Innovation Sandbox (with a massive $50M investment boost from Crosspoint Capital) to the growing Early Stage Expo, LaunchPad's Shark-Tank-style sessions, and the new Investor & Entrepreneur track, RSAC continues to set the stage for cybersecurity's next big thing.

And this year, they're going bigger, literally. The expansion into the Yerba Buena Center for the Arts brings with it a mind-blowing immersive experience: DARPA's AI Cyber City, a physically interactive train ride through smart city scenarios, designed to show how cybersecurity touches everything, from water plants to hospitals, satellites to firmware.

Add in eight hands-on villages, security scholars programs, coffee-fueled networking zones, and a renewed focus on inclusion, mentorship, and accessibility, and you've got something that feels less like an event and more like a living, breathing community.

Cecilia also reminds us that RSAC is a place for everyone, from first-timers unsure where to begin to seasoned veterans ready to innovate and invest. It's about showing up, making a plan (or not), and being open to the unexpected conversations that happen in hallways, lounges, or over espresso in the sandbox village.

And if you can't make it in person? RSAC has made sure that everything is accessible online: 600 speakers, 600 vendors, and endless ways to engage, reflect, and be part of the global cybersecurity story.

So whether you're hopping in the car, boarding a flight, or, who knows, riding a miniature DARPA train through Northridge City, one thing's for sure: RSAC 2025 is going full speed ahead, and we're bringing you along for the ride.
Podcast: (CS)²AI Podcast Show: Control System Cyber Security
Episode: 124: Capture the Flag: Transforming Cybersecurity Training with Kenneth Warren
Pub date: 2025-01-21
Derek Harp sits down with Kenneth Warren, Staff OT and Offensive Security Engineer at GRIMM Cyber, to discuss how gamification and Capture the Flag (CTF) competitions are revolutionizing cybersecurity training. Recorded live at Hack the Capitol 7.0, this conversation explores how CTFs and cyber ranges create safe, hands-on environments for learning offensive and defensive cybersecurity skills. Kenneth explains how CTFs offer opportunities to tackle real-world scenarios, from navigating complex networks to interacting with industrial control protocols. Whether you're an experienced professional or a newcomer to the field, CTFs provide a unique way to build and refine your skills. He also highlights how gamification reaches audiences that traditional training might miss, making learning engaging and accessible. This episode provides insights into the growing role of gamified learning in cybersecurity and how it's inspiring the next generation of professionals. Discover how these competitions foster collaboration, creativity, and innovation in a rapidly evolving industry.
Control System Cyber Security Association International: (CS)²AI
In this episode of the mnemonic security podcast, Robby is joined by Eirik Nordbø and Marius Kotlarz from Equinor, as well as Haakon Staff from mnemonic. Together, they discuss the world of Capture the Flag (CTF) competitions, exploring their origins, structure, and benefits. CTFs, as they explain, are "hacking" contests featuring challenges in areas such as cryptography and reverse engineering, where participants solve tasks to uncover "flags" and earn points. The discussion highlights the educational value of CTFs, particularly in helping developers, pentesters, and other IT professionals refine their skills and master advanced techniques. The group also addresses the logistical challenges of hosting a CTF, such as the Equinor CTF, from infrastructure setup to stress testing, while emphasizing the passion and expertise required to organize a successful event. Finally, they explore how CTFs can serve as a valuable recruitment tool for identifying and attracting top security talent.
In this episode we dive with Michał Błaszczak into the world of Not The Hidden Wiki, a platform that offers free cybersecurity knowledge. We talk about getting started in CTFs and cybersecurity: what challenges are there, and why are teamwork and continuous learning the key to success?
Curl and Python (and others) deal with bad vuln reports generated by LLMs, supply chain attack on Solana, comparing 5 genAI mistakes to OWASP's Top Ten for LLM Applications, a Rust survey, and more! Show Notes: https://securityweekly.com/asw-310
2024 has been a remarkable year for the Irish CTF (Capture the Flag) team, and doubly so for team captain Cillian Collins. Fresh from leading the team to their highest ever finish in ENISA's European Cybersecurity Challenge, Collins became the first Irish player selected for Team Europe and was a leading figure in that team as it won the International Cybersecurity Challenge CTF this week in Santiago, Chile. The win was Team Europe's third in a row, against teams representing Asia, Oceania, the USA, Africa, Latin America and Canada, across two days of challenges. The team became the first to win each individual day of competition as well as the overall prize. The win came less than three weeks after Collins captained the Irish team to their highest finish of 16th at the European Cybersecurity Challenge in Turin, Italy, where the Irish competed against 31 teams from Europe plus six guest countries including the US, Singapore, Canada and Costa Rica. 16th place was a jump of nine places from 2023, by a team run by volunteers on one of the smallest budgets in the competition, and represents huge progress by the team under manager Mark Lane and head coaches Emmet Leahy and Daniel Cahill, themselves both former Team Ireland captains. It has also been a remarkable personal journey for Collins, who only started playing CTFs in 2021. "I was first introduced to CTFs when qualifying for the Irish team competing at ECSC Prague in 2021. After this I competed at ZeroDays CTF in Dublin, where I won the Colleges category with my team in both 2022 and 2023," said Collins. "I've been involved in the Irish team ever since and was nominated by Mark Lane for Team Europe this year. After an intense selection process I was chosen to compete in Chile at the ICC, where we competed against teams from North America, Asia, Africa, Oceania and Latin America, finishing in 1st place!" The improvement in the team has been marked this year.
When asked what's behind the advances, Collins explained that knowledge sharing from more experienced players has helped accelerate the learning of newer players: "We now have former players such as Daniel Cahill and Emmet Leahy who are team coaches and share what they have learned from past competitions. Mark Lane has been instrumental in organising the team and putting together regular bootcamps at the TU Dublin campus, where the team have worked together in preparation for these competitions. And that hard work has paid off. It has been incredibly rewarding to see Ireland so high on the leaderboard! We had the largest improvement of any ECSC team this year and it is a testament to the hard work and dedication of players and coaches." Team manager Mark Lane was glowing in his praise of his team captain: "Cillian has come on an incredible distance in the three years since he joined the team. His drive and desire to learn have been great to watch, and it's so rewarding to see his continued development as a player and as captain. I'd no hesitation nominating him to Team Europe and I wasn't surprised to see him becoming the first Irish player to be chosen. He still has so much potential, and I could see him as a future captain of the European team. His engagement in the training with Team Europe has also been hugely beneficial to the Irish team, as Cillian brings all that learning and experience back to our team as a coach," said Lane. Collins also speaks very highly of his experiences with Team Europe: "It is a great honour to be able to play alongside such talented people. I learned a huge amount from being a part of the team and feel motivated to continue learning. The ICC this year was very competitive, with some extremely strong players on the other teams, so we were very pleased to come out on top." It's clear from both Collins and Lane that there is so much potential in the Irish CTF scene, and the future is bright once the support is in place.
Collins said "I think the CTF scene continues to grow and ther...
The cream of Ireland's young cyber-defenders head to Turin, Italy next month to compete against Europe's elite young hackers and cybersecurity talent in an annual pan-European competition run by ENISA (the EU's cybersecurity body): the European Cyber Security Challenge (www.ecsc.eu). This flagship event has been running since 2016, when Team Ireland was one of ten countries competing. The event has grown every year since then, and this year will feature teams of ten from 39 European countries, plus 7 guest countries from outside Europe. European Cyber Security Challenge Team Ireland consists of ten young people, aged from just 16 up to 25, with six of the team aged 20 or younger. Selection for the team began back in March with the national cybersecurity competition ZeroDays CTF (www.zerodays.ie). This 'Capture-the-Flag' competition has been running since 2015, and this year saw 140 teams of four from schools, colleges and companies all over Ireland converge on Croke Park to be crowned Ireland's champions. Teams compete across a range of cybersecurity domains in fun, novel challenges, including cryptography, coding, problem solving, reverse engineering and team challenges such as VR gaming, relay Mario Kart and lockpicking. Individuals who did well in this competition, and in similar more local events, were invited to try more challenges at www.cybersecuritychallenge.ie, and eligible participants who showed promise there were invited to join a squad of around 30 candidates to receive dedicated training, before a final team of ten was chosen at the end of August. This team of ten will now head to Turin to represent Ireland at the European Cyber Security Challenge, a competition that runs across four days of setup, competition and awards.
The final team features players from all corners of the country, from Dublin to Belfast to Cork and Donegal, Wexford, Offaly and Galway. It is a very diverse team with different backgrounds and varying skillsets, all of which makes for a stronger team. Team manager Mark Lane, who lectures in cybersecurity at TU Dublin, where the team also trains, said: "We've been competing in this competition since 2016, and it's amazing to see it continue to grow. We're up against some European powerhouses who have massive population bases and resourcing, but we've always managed to punch above our weight. I'm really proud of the hard work the team has put in over the last few months, and I'm confident we will do well and continue to improve, as well as have some fun while doing it. This year we've had great support from the National Cyber Security Centre, who have awarded us a grant to continue to build on the work with the team, and from our amazing sponsors Cytidel and ReliaQuest, and without them we wouldn't be able to do what we are doing. CTFs have really taken off in the last few years and are, in my opinion, the best way for people to learn cybersecurity skills. It's a very hands-on, and gamified, way to learn, and the competitive side can really spur people on. It's also great to see these young talents develop their skills over time, and to see a real team spirit develop. Over the last couple of years, we have worked hard to make CTFs more mainstream, and we're seeing more schools, coder dojos and colleges taking part. We'd love to see every school in the country taking part. There's a huge skills gap worldwide, including in Ireland, and these events can highlight and encourage cybersecurity as an interesting, varied, and very well-paid career or college choice."
Team Bios
Cillian Collins, 22, is the Ireland Team Captain. He's a recent graduate from NUIG. Cillian also recently became the first Irish player to be chosen for Team Europe, which takes part in the pan-continental International Cybersecurity Challenge in Chile at the end of October 2024.
Dean Brennan, 25, is the team's vice-captain. Dean is a researcher with Cyber Skills at MTU Cork, where he is currently in the first year of a Ph...
This month, we welcome Eric Gagnon, Team Lead of Adversary Simulation, Purple Teaming, and Tradecraft Development at Desjardins. The conversation covers a wide range of topics related to cybersecurity, including purple teaming, red teaming, blue teaming, and Eric's journey in cybersecurity. Eric shares insights on certifications, threat hunting, cloud security, and the importance of knowledge exchange between red and blue teams. He also discusses the use of AI in cybersecurity and the need to stay sharp in the field.
Takeaways
- Purple teaming involves collaborative operations in which red and blue exchange ideas, evaluate security controls, and test the tactics, techniques, and procedures (TTPs) that real threat actors use.
- Certifications such as Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE) provide valuable knowledge and an edge in the field.
- Threat hunting involves looking for granular activity that may indicate a compromise, filtering out the noise, and focusing on the suspicious behavior of threat actors.
- Cloud security requires automation, cyber hygiene, and visibility, with a focus on prioritizing techniques and testing them against the enterprise's own environment.
- Knowledge exchange between red and blue teams during a purple team engagement is essential and should include a common language, centralized documentation, and reporting mapped to the MITRE ATT&CK framework.
- Staying sharp in cybersecurity involves continuous learning, participation in CTFs, engaging with passionate individuals, and challenging oneself through talks, podcasts, and specialized training.
Chapters
00:00 Introduction to Purple Teaming and Cybersecurity Journey
08:09 Certifications and Insights in Cybersecurity
15:08 Threat Hunting and Granular Activity Detection
35:02 Knowledge Exchange in Purple Teaming: Red and Blue Collaboration
39:57 Staying Sharp in Cybersecurity: Continuous Learning and Engagement
Iceman is a renowned figure in the world of RFID hacking, with expertise in NFC and EMV technologies. As one of the lead open-source developers for Proxmark3, a powerful platform for RFID hacking and analysis, Iceman has significantly enhanced its capabilities. He is known for overhauling the user interface and expanding the feature set so that device owners can get the most out of their hardware. His work in the open source community has focused on making RFID technology more accessible and understandable, and he continues to contribute actively to the field.
TIMESTAMPS:
00:02:27 - Introduction of Iceman, RFID hacker and contributor to the Proxmark project
00:07:23 - Explanation of Proxmark device capabilities and the development of the Iceman fork
00:14:13 - Formation of the RFID research group and transitioning from a hobby to a public figure
00:17:49 - Introduction of new RFID tools, concepts, and weaponizing RFID readers for unauthorized access
00:20:40 - Effectiveness of RFID wallets and the cat-and-mouse game with weaponized readers
00:24:06 - Development of magic cards for RFID hacking and the potential impact of AI on RFID research
00:28:29 - Participation in RFID hacking competitions, CTFs, and the importance of forums and Discord for knowledge sharing
00:34:42 - Flipper Zero as a well-made tool with an ecosystem for extending functionality
00:35:57 - The future of RFID hacking, including secure communications, advanced crypto, and chip implants by Dangerous Things
00:39:38 - Iceman's experience with metal detectors, TSA, and the exciting future of RFID for hackers and end users
00:42:52 - The need for vendors to allow legal copying of items and the importance of disrupting tracking and logistics systems
00:45:07 - Iceman's recommendations for following his work and joining relevant Discord servers
SYMLINKS
X: https://twitter.com/herrmann1001/
YouTube: https://youtube.com/@iceman1001/
Discord: https://discord.com/invite/QfPvGFRQxH/
Proxmark3: https://proxmark.com/
Iceman Fork: https://github.com/RfidResearchGroup/proxmark3/
Dangerous Things: https://dangerousthings.com/
Flipper Zero: https://flipperzero.one/
IceDev: icedev.se
DRINK INSTRUCTION
Wildcard
1 oz Cardamaro
1 oz Genever
1 oz Cynar
Add all ingredients to a shaker filled with ice. Stir until chilled and properly diluted. Strain into a lowball glass filled with fresh ice. Optionally garnish with a sprig of rosemary or an orange peel.
CONNECT WITH US: www.barcodesecurity.com, info@barcodesecurity.com
Competitions and capture the flag events are some of the best ways for individuals to build cybersecurity skills. There are lots of options to choose from, like Hack the Box, CTF Time, and lots of local events. Join us with special guest Bradley Wolfenden, Director of Cyber Sports with PlayCyber. Brad has led the US Cyber Games since its inception and continues to educate others here and abroad on the importance of technical skill building through competitions. We will cover the following:
- What is a CTF?
- What are the different types of CTFs?
- Why are CTFs important?
- How can you get involved?
- How to transition your CTFs into career opportunities.
Embark on an enlightening path as we meld the celebration of Black History Month with the dynamism of mobile forensics. This episode is a tribute not only to the past but a clarion call for the future, as we honor Annie Easley, the trailblazing NASA computer scientist, while also navigating the rapidly evolving landscape of digital investigation tools. As your guides, we unravel the intricacies of open-source forensics tools and the necessity of test devices, ensuring your knowledge remains at the forefront of technological advancements.

With a constant eye on professional growth, we're excited to share information about upcoming conferences, training and opportunities to sharpen your digital forensic skills. We share our experiences, opening doors for you to learn and grow right beside us. Our conversation takes a stimulating turn as we discuss the Rabbit R1, a new AI gadget that promises to redefine app interaction, and its implications for data privacy. As we dissect the nuances of AI in fingerprint analysis, we invite you to journey with us through the maze of modern forensics, where even the uniqueness of fingerprints is called into question.

As we wrap up, our passion for the subject matter shines through with the introduction of cutting-edge features in mobile forensics updates, and the vital role of resource management in our field. We laugh over the meme of the week but also reflect on the serious undertones it carries for the prioritization of forensic cases. Closing the session, we express our heartfelt gratitude for the engagement and support that fuels our podcast, leaving you with anticipation for deeper discussions and discoveries in the episodes to come. Join us, and together, let's shape the narrative of digital forensics and its rich connection to history and innovation.

Notes
- Honoring Annie Easley - Black History Month Feb 2024: https://elective.collegeboard.org/annie-easley-computer-science-pioneer
- Testing and Validation: https://www.hexordia.com/blog-1-1/unlock-rooting-pixel6a and https://blog.d204n6.com/2020/08/setting-up-testing-lab-of-ios-and.html
- Paraben Forensic Innovation Conference: https://pfic-conference.com/
- Free Android Training from Belkasoft: https://belkasoft.com/android-forensics-training
- Cellebrite Case to Closure Summit and Awards: https://global-c2c-summit-2024.cventevents.com/event/ec371a30-107d-4ce4-8bad-44e331148339/summary and https://cellebrite.com/en/c2c-summit-digital-justice-awards/
- Magnet Virtual Summit / Capture the Flag: https://magnetvirtualsummit.com/ and https://magnetvirtualsummit.com/capture-the-flag/
- Rabbit R1: https://www.theverge.com/2024/1/9/24030667/rabbit-r1-ai-action-model-price-release-date
- AI: Fingerprints Unique or Maybe Not?: https://www.cnn.com/2024/01/12/world/fingerprints-ai-based-study-scn/index.html
- Layoffs Due to AI: https://www.theverge.com/2024/1/14/24038397/google-layoffs-just-the-beginning
- Hidden Gem in iOS 17: https://www.linkedin.com/posts/luca-cadonici-41299b4b_ios-ipados-passcode-activity-7152770642168160257-VJ7C
- Android Auto Reboots: https://www.bleepingcomputer.com/news/security/grapheneos-frequent-android-auto-reboots-block-firmware-exploits/
- The LEAPPS: https://github.com/abrignoni
Husam Shbib is currently working as a digital forensic consultant in Saudi Arabia. He has experience in different cybersecurity fields such as penetration testing, user access reviews, configuration reviews, IT and cybersecurity audit, risk assessment, and programming. He has a bachelor's degree in computer science and holds multiple certifications in the cybersecurity field, such as ICMDE, 3CI, 3CE, CCE, eCDFP, etc. He likes playing CTFs with friends and solving online challenges regularly. He has been keen on the cybersecurity domain since middle school and decided to pursue it as a career.
Originally Aired on: Jan 11, 2024
Victoria and Will interview Rishi Malik, the Founder of Backstop.it and VP of Engineering at Varo Bank. They talk about Rishi's recent adventure at DEF CON, the renowned annual security conference that he's attended for six years, and describes how it has transformed from a mere learning experience into a thrilling competition for him and his team. The conference = their playground for tackling an array of security challenges and brain-teasing puzzles, with a primary focus on cloud security competitions. They talk about the significance of community in such events and how problem-solving through interaction adds value. Rishi shares his background, tracing his path from firmware development through various tech companies to his current roles in security and engineering management. The vital topic of security in the fintech and banking sector highlights the initial concerns people had when online banking emerged. Rishi navigates through the technical intricacies of security measures, liability protection, and the regulatory framework that safeguards online banking for consumers. He also highlights the evolving landscape, where technological advancements and convenience have bolstered consumer confidence in online banking. Rishi shares his unique approach to leadership and decision-making, and pearls of wisdom for budding engineers starting their careers. His advice revolves around nurturing curiosity and relentlessly seeking to understand the "why" behind systems and processes. __ Backstop.it (https://backstop.it/) Follow Backstop.it on X (https://twitter.com/wearebackstop). Varo Bank (https://www.varomoney.com/) Follow Varo Bank on Instagram (https://www.instagram.com/varobank/), Facebook (https://www.facebook.com/varomoney/), X (https://twitter.com/varobank), YouTube (https://www.youtube.com/varomoney), or LinkedIn (https://www.linkedin.com/company/varobank/). Follow Rishi Malik on LinkedIn (https://www.linkedin.com/in/rishilmalik/). 
Follow thoughtbot on X (https://twitter.com/thoughtbot) or LinkedIn (https://www.linkedin.com/company/150727/). Become a Sponsor (https://thoughtbot.com/sponsorship) of Giant Robots!

Transcript:

VICTORIA: This is the Giant Robots Smashing Into Other Giant Robots podcast, where we explore the design, development, and business of great products. I'm your host, Victoria Guido.

WILL: And I'm your other host, Will Larry. And with us today is Rishi Malik, Founder of Backstop.it and VP of Engineering at Varo Bank. Rishi, thank you for joining us.

RISHI: Thanks for having me. I'm excited to be here.

VICTORIA: Yes, Rishi. I'm so excited to talk with you today about your security background and get into your role at Varo and Backstop IT. But first, I wanted to hear a little bit more about your recent experience attending DEF CON. How was that?

RISHI: It was awesome. I do have quite the background in security at this point. And one of the things I started doing early on, as I was getting up to speed and learning more about the security-specific side of things, was beginning to attend DEF CON itself. So, I've now gone six years straight. And it started out as just kind of experiencing the conference and security and meeting folks. But it's progressed to where I now bring a team of people where we go and we compete. We have a good time. But we do get to kind of bring the security side of things into the software engineering and engineering leadership stuff that we all do on a day-to-day basis.

VICTORIA: Yeah. And what kind of puzzles do you solve with your team when you attend DEF CON?

RISHI: There's definitely a lot of variety there, which I think is part of the fun. So, DEF CON frequently has electronic badges, you know, with random puzzles on there that you have to solve. Some of them are cryptographic. Some of them are kind of random cultural things. Sometimes there's music challenges based around it. Sometimes, it's social and interactive. And you have to go find the right type of badge or the right person behind it to unlock something. So, all of those, you know, typically exist and are a ton of fun. Primarily, in the last few years, we've been focusing more on the cloud CTF. So, in this case, it's our team competing against other teams and really focused on cloud security. So, it's, you know, figuring out vulnerabilities in, you know, specially designed puzzles around AWS and GCP, the application side of things as well, and competing to see how well you can do. Three years ago, the last couple of years, we've not won it, but we've been pretty competitive. And the great thing is the field is expanding as more and more people get into CTF themselves but, more importantly, into cloud infrastructure and cloud knowledge there. So, it's just great to see that expansion and see what people are into, what people are learning, and how challenging some of these things can be.

VICTORIA: I love the idea of having a puzzle at a conference where you have to find a specific person to solve it. And yeah, I'm always interested in ways where we can have these events where you're getting together and building community and growing expertise in a field but in a way that makes it fun [laughs] and isn't just life-draining long, like, talks about random stuff.

RISHI: [laughs] I think what you're touching on there is crucial. And you said the word community, and, to me, that is, you know, a big part of what DEF CON and, you know, hacking and security culture is. But it is, I think, one of the things that kind of outside of this, we tend to miss it more, you know, specifically, like, focused conferences. It is more about kind of the content, you know, the hallway track is always a thing. But it's less intentional than I personally, at this stage, really prefer, you know. So, I do like those things where it is encouraging interaction. For me, I'd rather go to happy hour with some people who are really well versed in the subject that they're in rather than even necessarily listening to a talk from them on what they're doing. Simply because I think the community aspect, the social aspect, actually gets you more of the information that is more relevant to what you're doing on a day-to-day basis than just consuming it passively.

VICTORIA: I agree because consuming it passively or even intentionally remotely, there are things that you didn't even think to think about [laughs] that aren't going to come up just on your own. You have to have another person there who's...Actually, I have a good friend who's co-working with me this week who's at Ticketmaster. And so, just hearing about some of the problems they have and issues there has been entertaining for me. So yeah, I love that about DEF CON, and I love hearing about community stories and fun ways that companies can get a benefit out of coming together and just putting good content out there.

RISHI: Absolutely. I think problem-solving is where you get the most value out of it as a company and as a business.

VICTORIA: Yeah, maybe that's a good segue to tell me a little bit more about your background and how you came to be where you are today.

RISHI: Yeah. For me growing up, I was always that problem-solver type of person. So, I think that's what kind of naturally gravitated me towards tech and, you know, hardware and software engineering. You know, so, for me, I go back quite a while. I'd been doing a lot of development, you know, in the early days of my career. I started out doing firmware development back in the days of large tape libraries, right? So, if you think about, like, big businesses back before cloud was a big thing and even back before SSDs were a thing, you know, it was all spinning disks. It was all tape. And that's kind of the area that I started in.
So, I was working on robots that actually move tapes around these giant tape libraries that are, you know, taller than I am that you can walk inside of because they're so big, for big corporations to be able to backup their data on an overnight basis. You have to do that kind of stuff. Then I started going into smaller and smaller companies, into web tech, into startups, then into venture-backed startups. And then, eventually, I started my own company and did that for a while. All of this is really just kind of, you know, software engineering in a nutshell, lots of different languages, lots of different technologies. But really, from the standpoint of, here's a whole bunch of hard problems that need to be solved. Let's figure out how we can do that and how we can make some money by solving some of these problems. That eventually kind of led me down the security path as well and the engineering management side of things, which is what I do now, both at Backstop...is a security consulting business and being VP of Engineering at Varo Bank.

WILL: How was your journey? Because you started as an intern in 2003.

RISHI: [laughs]

WILL: And then, you know, 20 years later. So, how was your journey through all of that? [laughs]

RISHI: [laughs] You know, I hadn't actually put it together that it has been 20 years this year until you said that. So, that's awesome. It's been a blast, you know. I can honestly say it's been wildly different than what I imagined 20 years ago and interesting in different ways. I think I'm very fortunate to be able to say that. When I started out as an intern in 2003, technologies were very different. I was doing some intern shifts with the federal government, you know, so the pace was wildly different. And when I think of where technology has come now, and where the industry has gone, and what I get to do on a day-to-day basis, I'm kind of just almost speechless at just how far we've come in 20 years, how easy some things are, how remarkably hard some other things are that should honestly be easy at this point, but just the things that we can do. I'm old enough that I remember cell phones being a thing and then smartphones coming out and playing with them and being like, yeah, this is kind of mediocre. I don't really know why people would want this. And the iPhone coming out and just changing the game and being like, okay, now I get it. You know, to the experience of the internet and, you know, mobile data and everywhere. It's just phenomenal the advances that we've had in the last 20 years. And it makes me excited for the next 20 years to see what we can do as we go forward.

VICTORIA: I'm going to take personal offense to someone knowing that technology being too old [laughs], but, yeah, because it really wasn't that long ago. And I think one thing I always think about having a background in civic tech and in financial tech as well is that the future is here; it's just not evenly distributed. So, now, if you're building a new company, of course, the default is to go straight to the cloud. But many companies and organizations that have been around for 60-80 years and using the internet right when it first came out are still in really old technologies that just simply work. And maybe they're not totally sure why, and change is difficult and slow. So, I wonder if you have any experience that you can take from the banking or fintech industry on how to make the most out of modern security and compliance platforms.

RISHI: Yeah, you know, I think most people in tech especially...and the gray hairs on me are saying the younger folks in tech especially don't realize just how much older technologies still exist and will exist for quite some time. When you think of banking itself, you know, most of the major companies that you can think of, you know, in the U.S. especially but kind of across the world that are the top tier names of banks, and networks, and stuff like that, still run mainframes. When you swipe your credit card, there's a very good chance that is processed on a mainframe. And that's not a bad thing. But it's just, you know when you talk to younger engineers, it's not something that kind of crosses their mind. They feel like it is old-tech. The bulk of businesses don't actually run on the cloud. Having been through it, I've racked and stacked servers and had to figure out how to physically take hardware across, you know, country borders and things like those lines. And now, when I do want to spin up a server somewhere else, it's just a different AWS region. So, it's remarkably easy, at this point, to solve a lot of those problems. But once you're up and live and you have customers, you know, where downtime is impactful or, you know, the cost of moving to the cloud or modernizing your technology is substantial, things tend to move a lot slower. And I think you see that, especially when it comes to security, because we have more modern movements like DevOps bringing security into it. And with a lot of the, you know, the modern security and compliance platforms that exist, they work very, very well for what they do, especially when you're a startup or your whole tech stack is modernized. The biggest challenges, I think, seem to come in when you have that hybrid aspect of it. You do have some cloud infrastructure you have to secure. You do have some physical data centers you have to secure. You have something that is, you know, on-premise in your office. You have something that is co [inaudible 10:01] somewhere else. Or you also have to deal with stuff like, you know, much less modern tech, you know, when it comes to mainframes and security and kind of being responsible for all of that.
And I think that is a big challenge because security is one of those things where it's, you know, if you think of your house, you can have the strongest locks on your door and everything else like that. But if you have one weak point, you have a window that's left open, that's all it takes. And so, it has to be all-inclusive and holistic. And I think that is remarkably hard to do well, even despite where technology has come to these days.

WILL: Speaking of securities, I remember when the Internet banking started a couple of years ago. And some of the biggest, I guess, fears were, like, the security around it, the safety. Because, you know, your money, you're putting your money in it, and you can't go to a physical location to talk to anyone or anything. And the more and more you learn about it...at first, I was terrified of it because you couldn't go talk to someone. But the more and more I learned about it, I was like, oh, there's so much security around it. In your role, what does that look like for you? Because you have such a huge impact with people's money. So, how do you overcome that fear that people have?

RISHI: There's, I think, a number of steps that kind of go into it. And, you know, in 2023, it's certainly a little bit easier than it used to be. But, you know, very similar, I've had the same questions, you know, and concerns that you're describing. And I remember using one of the first banks that was essentially all digital and kind of wondering, you know, where is my money going? What happens if something goes wrong? And all of those types of things. And so, I think there is kind of a number of different aspects that go into it. One is, you know, obviously, the technical aspects of security, you know, when you put your credit card number in on the internet, you know, is it encrypted? You know, is it over, you know, TLS? What's happening there? You know, how safe and secure is all that kind of thing? You know, at this point, pretty much everyone, at least in the U.S., has been affected by credit card breaches, huge companies like Home Depot and Target that got cards accessed or, you know, just even the smaller companies when you're buying something random from maybe something...a smaller website on the internet. You know, that's all a little bit better now. So, I think what you have there was just kind of a little bit of becoming comfortable with what exists now. The other aspect, though, I think, then comes into, well, what happens when something goes wrong? And I think there's a number of aspects that are super helpful for that. I think the liability aspect of credit card, you know, companies saying, you know, and the banks, "You're not liable for a fraudulent transaction," I think that was a very big and important step that really helps with that. And on top of that, then I think when you have stuff like the FDIC, you know, and insurance in the U.S., you know, that is government-backed that says, you know what? Even if this is an online-only digital bank, you're safe. You're protected. The government's got your back in that regard. And we're going to make sure that's covered. At Varo, that's one of the key things that we think about a lot because we are a bank. Now, most FinTechs, actually, aren't banks, right? They partner with other third-party banks to provide their financial services. Whereas at Varo, we are federally regulated. And so, we have the full FDIC protection. We get the benefits of that. But it also means that we deal with the regulation aspects and being able to prove that we are safe and secure and show the regulators that we're doing the right things for our customers. And I think that's huge and important because, obviously, it's safety for customers. But then it changes how you begin to think about how you're designing products, and how you're [inaudible 13:34] them, and, you know, how you're marketing them. Are we making a mobile app that shows that we're safe, and secure, and stable? Or are we doing this [inaudible 13:42] thing of moving too fast and breaking things? When it's people's money, you have to be very, very dialed into that. You still have to be able to move fast, but you have to show the protection and the safety that people have because it is impactful to their lives. And so, I think from the FinTech perspective, that's a shift that's been happening over the last couple of years to continue that. The last thing I'll say, too, is that part of it has just come from technology itself and the comfort there. It used to be that people who were buying, you know, items on the internet were more the exception rather than the rule. And now with Amazon, with Shopify, with all the other stuff that's out there, like, it's much more than a norm. And so, all of that just adds that level of comfort that says, I know I'm doing the right things as a consumer, that I'm protected. If I, you know, do have problems, my bank's got my back. The government is watching out for what's happening and trying to do what they can do to regulate all of that. So, I think all of that has combined to get to that point where we can do much more of our banking online and safely. And I think that's a pretty fantastic thing when it comes to what customers get from that. I am old enough that I remember having to figure out times to get to the bank because they're open nine to five, and, you know, I have to deposit my paycheck. And, you know, I work nine to five, and maybe more hours pass, and I had no idea when I can go get that submitted. And now, when I have to deposit something, I can just take a picture with my phone, and it safely makes it to my account. So, I think the convenience that we have now is really amazing, but it has certainly taken some time. And I think a number of different industry and commercial players kind of come together and make that happen.
MID-ROLL AD: Now that you have funding, it's time to design, build, and ship the most impactful MVP that wows customers now and can scale in the future. thoughtbot Liftoff brings you the most reliable cross-functional team of product experts to mitigate risk and set you up for long-term success. As your trusted, experienced technical partner, we'll help launch your new product and guide you into a future-forward business that takes advantage of today's new technologies and agile best practices. Make the right decisions for tomorrow today. Get in touch at thoughtbot.com/liftoff.

VICTORIA: I appreciate that perspective on approaching security from the user experience of wanting safety. And I'm curious if we can talk in contrast from that experience to the developer experience with security. And how do you, as a new leader in this financial product company, prioritize security and introduce it from a, like, building a safety culture perspective?

RISHI: I think you just said that very eloquently. It is a safety culture. And cultural changes are hard. And I think for quite some time in the developer industry, security was either an afterthought or somebody else's problem. You know, it's the security team that has to think about it. It's, you know, and even these days, it's the red team that's going to go, you know, find these answers or whatever I'm shipping as a developer. My only thing to focus on is how fast I can ship, or, you know, what I'm shipping, rather than how secure is what I'm shipping. And so, I think to really be effective at that, it is a cultural shift. You have to think and talk about security from the outset. And you have to bake those processes into how you build product. Those security conversations really do need to start at the design phase. And, you know, thinking about a mobile app for a bank as an example, you know, it starts when you're just thinking about the different screens on a mobile app that people are going to go through. How are people interpreting this? You know, what is the [inaudible 17:23], and the feeling, and the emotions, that we're building towards? You know, is that safe and secure or, you know, is it not? But then it starts getting to the architecture and the design of the systems themselves to say, well, here's how they're going to enter information, here's how we're passing this back and forth. And especially in a world where a lot of software isn't just 100% in-house, but we're calling other partners for that, you know, be it, you know, infrastructure or risk, you know, or compliance, or whatever else it may be, how are we protecting people's data? How are we making sure our third parties are protecting people's data? You know, how are we encrypting it? How are we thinking about their safety all the way through? Again, even all the way down to the individual developer that's writing code, how are we verifying they're writing good, high-quality, secure code? Part of it is training, part of it is culture, part of it is using good tooling around that to be able to make sure and say, when humans make mistakes because we are all human and we all will make mistakes, how are we catching that? What layers do we have to make sure that if a mistake does happen, we either catch it before it happens or, you know, we have defense in depth such that that mistake in and of itself isn't enough to cause a, you know, compromise or a problem for our customers? So, I think it starts right from the start. And then, every kind of step along the way for delivering value for customers, also let's add that security and privacy and compliance perspective in there as well.

VICTORIA: Yes, I agree. And I don't want to work for a company where if I make a small human mistake, I'm going to potentially cost someone tens or however many thousands of dollars. [laughs]

WILL: I have a question around that. How, as a leader, how does that affect you day to day? Because I feel like there's some companies, maybe thoughtbot, maybe other companies, that a decision is not as critical as working as a bank. So, you, as a leader, how do you handle that?

RISHI: There's a couple of things I try and consider in any given big or important decision I have to make, the aspects around, like, you know, the context, what the decision is, and that type of stuff. But from a higher level, there's kind of two things I try and keep in mind. And when I say keep in mind, like, when it's a big, impactful decision, I will actually go through the steps of, you know, writing it down or talking this out loud, sometimes by myself, sometimes with others, just, again, to make sure we are actually getting to the meat of it. But the first thing I'm trying to think of is kind of the Amazon idea of one-way versus two-way doors. If we make this decision and this is the wrong decision, what are the ramifications of that? You know, is it super easy to undo and there's very little risk with it? Or is it once we've made this decision or the negative outcome of this decision has happened, is it unfixable to a certain degree? You know, and that is a good reminder in my head to make sure that, you know, A, I am considering it deeply. And that, B, if it is something where the ramifications, you know, are super huge, that you do take the time, and you do the legwork necessary to make sure you're making a good, valid decision, you know, based on the data, based on the risks involved and that there's a deep understanding of the problem there. The second thing I try to think of is our customers. So, at Varo, our customers aren't who most banks target. A lot of banks want you to take all your money, put it in there, and they're going to loan that money out to make their money. And Varo is not that type of bank, and we focus on a pretty different segment of the market. What that means is our customers need their money.
They need it safely and reliably, and it needs to be accurate when they have it. And what I mean by that is, you know, frequently, our customers may not have, you know, hundreds or a thousand dollars worth of float in their bank accounts. So, if they're going and they're buying groceries and they can't because there's an error on our side because we're down, and because the transactions haven't settled, then that is very, very impactful to them, you know, as an individual. And I think about that with most of these decisions because being in software and being in engineering I am fortunate enough that I'm not necessarily experiencing the same economic struggles that our customers may have. And so, that reminder helps me to think about it from their perspective. In addition, I also like to try and think of it from the perspective...from my mom, actually, who, you know, she is retirement age. She's a teacher. She's non-technical. And so, I think about her because I'd say, okay, when we're making a product or a design decision, how easy is it for her to understand? And my biases when I think about that, really kind of come into focus when I think about how she would interpret things. Because, you know, again, for me, I'm in tech. I think about things, you know, very analytically. And I just have a ton of experience across the industry, which she doesn't have. So, even something as simple as a little bit of copy for a page that makes a ton of sense to me, when I think about how she would interpret it, it's frequently wildly different. And so, all of those things, I think, kind of come together to help make a very strong and informed decision in these types of situations where the negative outcomes really do matter. But you are, you know, as Varo is, you're a startup. And you do need to be able to build more products quickly because our customers have needs that aren't being met by the existing banking industry. And so, we need to provide value to them so that their lives are a bit better.

VICTORIA: I love that focus on a specific market segment and their needs and solving for that problem. And we know that if you're at a certain income level, it's more expensive [laughs] because of the overdraft fees and other things that can cause you problems. So, I really appreciate that that's the mission at Varo, and that's who you're focusing on to create a better banking product that makes more sense. I'm curious if there were any surprises and challenges that you could share from that discovery process and finding out, you know, exactly what were those things where your mom was, like, uh, actually, I need something completely different. [laughs]

RISHI: Yeah, so, [chuckles] I'm chuckling because, you know, it's not, like, a single kind of time or event. It's, you know, definitely an ongoing process. But, you know, as actually, we were talking, you know, about earlier in terms of being kind of comfortable with doing things digital and online, that in and of itself is something that even in 2023, my mom isn't as comfortable or as confident as, you know, say, maybe the three of us are. As an example, when sending money, you know, kind of like a peer-to-peer basis, like, if I'm sending my mom a little bit of money, or she's sending me something, you're kind of within the family. Things that I would think would be kind of very easy and straightforward actually do cause her a little bit more concern. Okay, I'm entering my debit card number into this so that it can get, you know, the cash transferred into my bank account. You know, again, for me, it didn't even cross my mind, actually, that that would be something uncomfortable. But for my mom, that was something where she actually had some concerns about it and was messaging me. Her kind of personal point of view on that was, I would rather use a credit card for this and get the money on a credit card instead of a debit card because the debit card is linked to a bank account, and the security around that needs to be, you know, much tighter. And so, it made her more uncomfortable entering that on her phone. Whereas even a credit card would have given her a little bit more peace of mind simply because it wasn't directly tied to her bank account. So, that's just, you know, the most recent example. I mean, honestly, that was earlier today, but it's something I hadn't thought of. And, again, for most of our customers, maybe that's not the case and how they think. But for folks that are at that retirement age, you know, in a world where there are constant barrages of scam, you know, emails, and phone calls, and text messages going around, the concern was definitely there.

VICTORIA: That happened to me. Last week, I was on vacation with my family, and we needed to pay my mom for the house we'd rented. And I had to teach her how to use Zelle and set up Zelle. [laughter] It was a week-long process. But we got there, and it works [laughs] now. But yeah, it's interesting what concerns they have. And the funny part about it was that my sister-in-law happens to be, like, a lawyer who prevents class action lawsuits at a major bank. And she reassured us that it was, in fact, secure. [laughs] I think it's interesting thinking about that user experience for security. And I'm curious, again, like, compare again with the developer experience and using security toolings. And I wonder if you had any top recommendations on tools that make the developer experience a little more comfortable and feeling like you're deploying with security in mind.

RISHI: That, in particular, is a bit of a hard question to answer. I try and stay away from specific vendors when it comes to that because I think a lot of it is contextual.
But I could definitely talk through, like, some of the tools that I use and the way I like to think about it, especially from the developer perspective. I think, first off, consider what aspect of the software development, you know, lifecycle you're in. If you are an engineer writing, you know, mostly application code and dealing with building product and features and stuff like that, start from that angle. I could even take a step back and say security as an industry is very, very wide at this point. There is somebody trying to sell you a tool for basically every step in the SDLC process, and honestly, before and after to [inaudible 26:23]. I would even almost say it's, to some extent, kind of information and vendor overload in a lot of ways. So, I think what's important is to think about what your particular aspect of that is. Again, as an application engineer, or if you're building cloud infrastructure, or if you're an SRE, you know, or a platform team, kind of depending on what you are, your tooling will be different. The concepts are all kind of similar ideas, but how you go about what you build will be different. In general, I like to say, from the app side of things, A, start with considering the code you're writing. And that's a little bit cultural, but it's also kind of more training. Are you writing code with a security mindset? Are you designing systems with a security mindset? These aren't things that are typically taught, you know, in school if you go get a CS degree, or even in a lot of companies in terms of the things that you should be thinking about. So, A, start from there. And if you don't feel like you think about, you know, is this design secure? Have we done, you know, threat modeling on it? Are we considering all of the error paths or the negative ways people can break the system? Then, start from that and start going through some of the security training that exists out there. And there's a lot of different aspects or avenues by which you can get that to be able to say, like, okay, I know I'm at least thinking about the code I write with a security mindset, even if you haven't actually changed anything about the code you're writing yet. What I actually think is really helpful for a lot of engineers is to have them try and break things. It's why I like to compete in CTFs, but it's also why I like to have my engineers do the same types of things. Trying to break software is both really insightful from the aspect that you don't get when you're just writing code and shipping it because it's not something you have time to do, but it's also a great way to build up some of the skills that you need to then protect against. And there's a lot of good, you know, cyber ranges out there. There's lots of good, just intentionally vulnerable applications that you can find on GitHub but that you can just run, you know, locally even on your machine and say, okay, now I have a little web app stood up. I know this is vulnerable. What do I do? How do I go and break it? Because then all of a sudden, the code that you're writing you start to think about a little bit differently. It's not just about how am I solving this product problem or this development problem? But it's, how am I doing this in a way that is safe and secure? Again, as an application side of things, you know, just make sure you know the OWASP Top 10 inside and out. Those are the most basic things a lot of engineers miss. And it only takes, again, one miss for it to be critical. So, start reviewing it. And then, you start to think about the tooling aspect of it. People are human. We're going to make mistakes. So, how do we use the power of technology to be able to stop this? You know, and there are static scanning tools. Like, there's a whole bunch of different ones out there. You know, Semgrep is a great one that's open source just to get started with that can help you find the vulnerable code that may exist there. Consider the SQL queries that you're writing, and most importantly, how you're writing them. You know, are you taking user input and just chucking it in there, or are you sanitizing it? When I ask these questions, for a lot of engineers, it's not usually yes or no. It's much more of an, well, I don't know. Because in software, we do a really good job of writing abstraction layers. But that also means, you know, to some extent, there may be a little bit of magic in there, or a lack thereof of magic that you don't necessarily know about. And so, you have to be able to dive into the libraries. You have to know what you're doing to even be able to say something like, oh no, this SQL query is safe from this user input because we have sanitized it. We have, you know, done a prepared statement, whatever it may be. Or, no, actually, we are just doing something here that's been vulnerable, and we didn't realize we were, and so now that's something we have to address. So, I think, like, that aspect in and of itself, which isn't, you know, a crazy ton of things. It's not spending a ton of money on different tools. But it's just internalizing the fact that you start to think a little bit differently. It provides a ton of value. The last thing on that, too, is to be able to say, especially if you're coming from a development side, or even just from a founder or a startup side of things, what are my big risks? What do I need to take care of first? What are the giant holes or flaws? You know, and what is my threat model around that? Obviously, as a bank, you have to care very deeply right from the start. You know, if you're not a bank, if you're not dealing with financial transactions, or PII, or anything like that, there are some things that you can deal with a little bit later.
So, you have to know your industry, and you have to know what people are trying to do and the threat models and the threat vectors that can exist based on where you are.

WILL: That's amazing. You know, earlier, we talked about you being an engineer for 20 years, different areas, and stuff like that. Do you have any advice for engineers that are starting out right now? And, you know, from probably year one to year, you know, anything under ten years of experience, do you have any advice that you usually give engineers when you're chatting with them?

RISHI: The advice I tend to give people who are just starting out is be the type of person that asks, "How does this work?" Or "Why does this work?" And then do the work to figure out the answer. Maybe it is talking to someone; maybe it's diving into the details; maybe it's reading a book in some aspect that you haven't had much exposure to. When I look at my career and when I look at the careers of folks around me and the people that I've seen be most successful, both in engineering but also on the business side, that desire to know why something is the case is, I think, one of the biggest things that determines success. And then the ability to answer that question by putting in the right types of work, the right types of scientific method and processes and such, are the other factor. So, to me, that's what I try and get across to people. I say that mostly to junior folks because I think when you're getting started, it's really difficult. There's a ton out there. And we've, again, as software engineers, and hardware engineers, and cloud, and all this kind of stuff, done a pretty good job of building a ton of abstraction layers. All of our abstraction layers [inaudible 32:28] to some degree. You know, so as you start, you know, writing a bunch of code, you start finding a bunch of bugs that you don't necessarily know how to solve and that don't make any sense in the avenue that you've been exposed to. But as soon as you get into the next layer and understand how that works, they begin to make a lot more sense. So, I think being comfortable with saying, "I have no idea why this is the case, but I'm going to go find out," makes the biggest difference for people just starting out their career.

WILL: I love that advice. Not too long ago, my manager encouraged me to write a blog post on something that I thought that I really knew. And when I started writing that blog post, I was like, oh boy, I have no idea. I know how to do it, but I don't know the why behind it. And so, I was very thankful that he encouraged me to write a blog post on it. Because once you start explaining it to other people, I feel you really have to know the whys. And so, I love that advice. That's really good advice.

VICTORIA: Me too. And it makes sense with what we see statistically as well in the DORA research. The DevOps Research Association publishes a survey every year, the State of DevOps Report. And one of the biggest findings I remember from last year's was that the most secure and reliable systems have the most open communication and high trust among the teams. And so, being able to have that curiosity as a junior developer, you need to be in an environment where you can feel comfortable asking questions [laughs], and you can approach different people, and you're encouraged to make those connections and write blog posts like Will was saying.

RISHI: Absolutely, absolutely. I think you touched on something very important there as well. The psychological safety really makes a big difference. And I think that's critical for, again, like, folks especially earlier in their career or have recently transitioned to tech, or whatever the case may be. Because asking "Why?" should be something that excites people, and there are companies where that's not necessarily the case, right? Where you asking why seems to be viewed as a sign that you don't know something, and therefore, you're not as good as what you should be, you know, the level you should be at or for whatever they expect. But I do think that's the wrong attitude. I think the more people ask why, the more people are able and comfortable to be able to say, "I don't know, but I'm going to go find out," and then being able to be successful with that makes way better systems. It makes way safer and more secure systems. And, honestly, I think it makes humans, in general, better humans because we can do that.

VICTORIA: I think that's a great note to start to wrap up on. Are there any questions that you have for me or Will?

RISHI: Yeah. I would love to hear from both of you as to what you see; with the experiences that you have and what you do, the biggest impediments or speed bumps are when it comes to developers being able to write and ship secure code.

VICTORIA: When we're talking with new clients, it depends on where they are in really the adoption of their product and the maturity of their organization. Some early founders really have no technology experience. They have never managed an IT organization. You know, setting up basic employee account access and IDs is some of the initial steps you have to take to really get to where you can do identity management, and permissions management, and all the things that are really table stakes for security. And then others have some progress, and they have a fair amount of data. And maybe it's in that situation, like you said before, where it's really a trade-off between the cost and benefit of making those changes to a more secure, more best practice in the cloud or in their CI/CD pipeline or wherever it may be. And then, when you're a larger organization, and you have to make the trade-offs between all of that, and how it's impacting your developer experience, and how long are those deployed times now.
And you might get fewer rates of errors and fewer rates of security vulnerabilities. But if it's taking three hours for your deployments to go out [laughs] because there's so many people, and there's so many checks to go through, then you have to consider where you can make some cuts and where there might be more efficiencies to be gained. So, it's really interesting. Everyone's on a different point in their journey. And starting with the basics, like you said, I love that you brought up the OWASP Top 10. We've been adopting the CIS Controls and just doing a basic internal security audit ourselves to get more ready and to be in a position where... What I'm familiar with as well from working in federal agencies, consulting, maintaining some of the older security frameworks can be a really high cost, not only in terms of auditing fees but what it impacts to your organization to, like, maintain those things [laughs] and the documentation required. And how do you do that in an agile way, in a way that really focuses on addressing the actual purpose of the requirements over needing to check a box? And how do we replicate that for our clients as well? RISHI: That is super helpful. And I think the checkbox aspect that you just discussed I think is key. It's a difficult position to be in when there are boxes that you have to check and don't necessarily actually add value when it comes to security or compliance or, you know, a decrease in risk for the company. And I think that one of the challenges industry-wide has always been that security and compliance in and of itself tends to move a little bit slower from a blue team or a protection perspective than the rest of the industry. And so, I mean, I can think of, you know, audits that I've been in where, you know, just even the fact that things were cloud-hosted just didn't make sense to the auditors. 
And it was a struggle to get them to understand that, you know, there is shared responsibility, and this kind of stuff exists, and AWS is taking care of some things, and we're taking care of some other things when they've just been developed with this on-premise kind of mentality. That is one of the big challenges that still exists kind of across the board is making sure that the security work that you're doing adds security value, adds business value. It isn't just checking the box for the sake of checking the box, even when that's sometimes necessary. VICTORIA: I am a pro box checker. RISHI: [laughs] VICTORIA: Like, I'll get the box checked. I'll use Trello and Confluence and any other tool besides Excel to do it, too. We'll make it happen with less pain, but I'd rather not do it [laughs] if we don't have to. RISHI: [laughs] VICTORIA: Let's make it easy. No, I love it. Is there anything else that you want to promote? RISHI: No, I don't think there's anything else I want to promote other than I'm going to go back to what I said just earlier, like, that culture. And if, you know, folks are out there and you have junior engineers, you have engineers that are asking "Why?", you have people that just want to do the right thing and get better, lean into that. Double down on those types of folks. Those are the ones that are going to make big differences in what you do as a business, and do what you can to help them out. I think that is something we don't see enough of in the industry still. And I would love for that to change. VICTORIA: I love that. Thank you so much, Rishi, for joining us. RISHI: Thanks for having me. This was a great conversation. I appreciate the time. VICTORIA: You can subscribe to the show and find notes along with a complete transcript for this episode at giantrobots.fm. If you have questions or comments, email us at hosts@giantrobots.fm. And you can find me on Twitter @victori_ousg. WILL: And you could find me on Twitter @will23larry. 
This podcast is brought to you by thoughtbot and produced and edited by Mandy Moore. Thanks for listening. See you next time. ANNOUNCER: This podcast is brought to you by thoughtbot, your expert strategy, design, development, and product management partner. We bring digital products from idea to success and teach you how because we care. Learn more at thoughtbot.com. Special Guest: Rishi Malik.
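The point Rishi makes in the conversation above, that you need to know whether user input reaches a SQL query as data or as SQL text, shown as an added example. This is not code from the episode or from the guest's projects; it uses Python's built-in sqlite3 module, a constructed in-memory users table, and a hypothetical login routine in its "just chucking it in there" form next to the prepared-statement form.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse battery"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is concatenated into the SQL text, so it is parsed as SQL."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Prepared statement: values travel separately from the SQL text, so a quote
    in the input is just a character inside a string, never SQL syntax."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Constructed attacker input: closes the password literal and appends a tautology,
# turning the WHERE clause into (username = 'alice' AND password = '') OR '1'='1'.
INJECTION = "' OR '1'='1"


def demo():
    """Outcome of the same attacker input against both implementations."""
    conn = make_db()
    return {
        "vulnerable_accepts_injection": login_vulnerable(conn, "alice", INJECTION),
        "parameterized_accepts_injection": login_parameterized(conn, "alice", INJECTION),
        "parameterized_accepts_real_password": login_parameterized(
            conn, "alice", "correct horse battery"
        ),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The first function is the shape static tools such as Semgrep look for (SQL text built from string concatenation or formatting and handed to `execute`); the second is the shape you want to be able to point at when someone asks whether a query is safe from its inputs. Note that an ORM or query builder may hide which of the two it does, which is the "dive into the libraries" step from the conversation.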
In this episode of CTF Radiooo, adamd and Zardus chat with anciety, atum, mmmxny, and crazyman of r3kapig, one half of the CTF team P1G BuT S4D! We talk about how the members got into CTFs, how the team gets new members, what the culture of the team is, why we play CTFs, whether we can keep playing CTFs, what makes a good CTF challenge, and (what else) pwn.college! Visit https://r3kapig.com/ to learn more about the team.
Links: Tweet re: CTF team mergers; r3kapig website; Joint team C4T BuT S4D website
RCE in ssh-agent forwarding, finding zero-days in CTFs, Node's vm2 can't be secured, NPM packaging ambiguities, privilege escalation in Google's Cloud Build, putting satellite security into low-earth analysis, FCC proposes a trust mark, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-248
Jane Lo, Singapore Correspondent, speaks with Dagmawi Mulugeta, Threat Researcher with Netskope Threat Labs. Dagmawi has his OSCP and has previously worked at Cyrisk (a subsidiary of 4A Security), Sift Security (acquired by Netskope), and ECFMG as a researcher, security engineer, and developer. He has innate interests in public CTFs, exploit development, and abuse of cloud apps. He has his MSc in Cybersecurity from Drexel University.
In this interview, Dagmawi shared the behavioural insights found for employees preparing to leave, and how these indicators could enable organizations to protect their data more effectively. He noted the concern that many organisations have with "flight risk" users, that is, employees that are getting ready to leave, taking corporate data with them. A common question in addressing this concern is how to efficiently identify such risks without sifting through hundreds of alerts and spending hundreds of man-hours.
Dagmawi shared how they approached this problem by analysing anonymized data of over 4 million users from more than 200 different organizations worldwide, and some interesting key revelations: (i) 15% of leavers used personal cloud apps (e.g. Google Drive, Gmail) to take data with them; (ii) 2% were violating corporate policy (exfiltrating sensitive corporate information); (iii) the majority of the data movement happens in the 50 days before leaving.
Dagmawi highlighted how they identified three key signals to filter alerts down to potential flight risks: (a) volume, whether the amount of data being moved is anomalous for that individual in the organisation; (b) nature of data, whether the data being moved is sensitive; (c) direction, whether the cloud application is outside of the organisation's management (e.g. a personal Google Drive).
Wrapping up, Dagmawi recommended that encoding the three signals into detection systems could reduce the review set by 43x: for every 50 alerts, the signals could help to filter out the 1 or 2 concerning ones.
Recorded 11th May 2023, 3.30pm, Black Hat Asia 2023, Singapore Marina Bay Sands. #bhasia #mysecuritytv #insiderthreat
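The three-signal filter described in the interview (volume, nature of data, direction), as an added example that is not code from Netskope or from the interview. The upload events are constructed, the per-user baseline is a z-score over the user's own prior days (an assumption; the interview does not say how anomaly is scored), and the `managed` and `sensitive` fields stand in for the CASB's app-instance tagging and DLP classification.

```python
from statistics import mean, pstdev

# Constructed upload events, not real Netskope telemetry. One record per cloud
# upload: "managed" is whether the destination app instance is one the
# organisation administers, "sensitive" is the DLP classification of the file.
EVENTS = [
    {"user": "alice", "day": 1, "bytes": 2_000_000,   "app": "corp-sharepoint", "managed": True,  "sensitive": True},
    {"user": "alice", "day": 2, "bytes": 1_500_000,   "app": "corp-sharepoint", "managed": True,  "sensitive": False},
    {"user": "alice", "day": 3, "bytes": 2_500_000,   "app": "corp-sharepoint", "managed": True,  "sensitive": True},
    {"user": "alice", "day": 4, "bytes": 1_800_000,   "app": "corp-sharepoint", "managed": True,  "sensitive": False},
    {"user": "alice", "day": 5, "bytes": 900_000_000, "app": "personal-gdrive", "managed": False, "sensitive": True},
    {"user": "bob",   "day": 1, "bytes": 50_000_000,  "app": "personal-gdrive", "managed": False, "sensitive": False},
    {"user": "bob",   "day": 2, "bytes": 60_000_000,  "app": "personal-gdrive", "managed": False, "sensitive": False},
    {"user": "bob",   "day": 3, "bytes": 55_000_000,  "app": "personal-gdrive", "managed": False, "sensitive": False},
    {"user": "bob",   "day": 4, "bytes": 58_000_000,  "app": "personal-gdrive", "managed": False, "sensitive": False},
    {"user": "carol", "day": 1, "bytes": 1_000_000,   "app": "corp-box",        "managed": True,  "sensitive": True},
    {"user": "carol", "day": 2, "bytes": 400_000_000, "app": "corp-box",        "managed": True,  "sensitive": True},
]


def baseline(events, user, before_day):
    """Daily byte totals for `user` strictly before `before_day`: the individual's
    own history, so a heavy habitual uploader (bob) is not flagged for being heavy."""
    totals = {}
    for e in events:
        if e["user"] == user and e["day"] < before_day:
            totals[e["day"]] = totals.get(e["day"], 0) + e["bytes"]
    return list(totals.values())


def volume_anomalous(events, event, z_threshold=3.0, min_days=3):
    """Signal (a): is this upload far outside the user's own daily volume?
    The z-score rule and thresholds are assumptions for the example."""
    hist = baseline(events, event["user"], event["day"])
    if len(hist) < min_days:
        return False            # not enough history to call anything anomalous
    mu, sigma = mean(hist), pstdev(hist)
    if sigma == 0:
        return event["bytes"] > mu * 10   # flat baseline: fall back to a ratio
    return (event["bytes"] - mu) / sigma > z_threshold


def signals(events, event):
    """The three signals from the interview for one event."""
    return {
        "volume": volume_anomalous(events, event),      # (a) anomalous volume
        "sensitive": event["sensitive"],                # (b) nature of data
        "unmanaged": not event["managed"],              # (c) direction: outside org control
    }


def flight_risk_alerts(events):
    """Keep only events where all three signals fire; these go to an analyst first."""
    kept = []
    for e in events:
        s = signals(events, e)
        if all(s.values()):
            kept.append((e["user"], e["day"], s))
    return kept


def reduction(events):
    """(total raw events, events left after the filter)."""
    return len(events), len(flight_risk_alerts(events))


if __name__ == "__main__":
    for user, day, s in flight_risk_alerts(EVENTS):
        print(f"review: {user} day {day} {s}")
    print("reduction: %d -> %d" % reduction(EVENTS))
```

On this constructed input only alice's day-5 upload survives: large against her own baseline, sensitive, and to an unmanaged instance. Bob uploads far more in absolute terms but to the same personal app every day with nothing sensitive, and carol's spike is sensitive but goes to a managed instance, so neither reaches the analyst. The 43x figure in the interview comes from the real dataset; the 11-to-1 here only illustrates the shape of the filter.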
In this episode, Brian and John dive into the world of Capture the Flag competitions in the realm of cybersecurity. Our special guest, Rachael Tubbs from IoT Village, discusses the rise of CTFs and how they are becoming a popular feature at cybersecurity conferences like DEF CON. We explore how IoT Village is leading the way in making these conferences more accessible, exhibiting a range of innovative devices, and even holding a free virtual conference. We also discuss the challenges of developing security life cycles for IoT development and how the limited security mindset of small companies is a concerning trend across the 50 billion devices in use. Tune in for an exciting and informative look into the rapidly evolving world of cybersecurity.
Topics covered in this episode include:
- Introduction to Capture the Flags (CTFs) and their importance in security
- Background of IoT Village
- DEF CON CTF and its value
- IoT Village's response to the pandemic
Rachel Tubbs is a psychology graduate who developed an interest in understanding human motivation. She started working as a contractor for the US Government's Defense Counterintelligence and Security Agency, where she was introduced to the world of cybersecurity. However, she found that the private sector was more suited to her, and she eventually found a position at IoT Village, a security consulting and research firm founded by Independent Security Evaluators. Rachel has been with IoT Village for almost three years now. Let's get into Things on the IoT Security Podcast!
Follow Brian Contos on LinkedIn at https://www.linkedin.com/in/briancontos
And you can follow John Vecchi at https://www.linkedin.com/in/johnvecchi
The IoT Security Podcast is powered by Phosphorus Cybersecurity. Join the conversation for the IoT Security Podcast, where xIoT meets Security. Learn more at https://phosphorus.io/podcast
The approach to cybersecurity workforce development, and how someone with such a technical background came to design a degree program with a non-traditional approach. What does it take to keep it going? Segment Resources: https://go.boisestate.edu/ucore https://go.boisestate.edu/gcore
In the Security News: Rorschach, QNAP and sudo, why bother signing things, why bother having a password, why bother updating firmware, smart screenshotting, TP-Link oh my, music with Grub2, byte arrays and UTF-8, what is my wifi password, Debian and systemd, opening garage doors, downgrade your firmware to be more secure, exploit databases, this is like a movie, unsolved CTFs, and Near-Ultrasound Inaudible Trojans! All that and more on this episode of Paul's Security Weekly! Visit https://www.securityweekly.com/psw for all the latest episodes! Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly Show Notes: https://securityweekly.com/psw779
Newest Approaches in Security Careers: Esports CTFs and New Career Fairs.
Topics: newest approaches in security careers, esports approaches to security careers, new job fairs for cybersecurity careers, understanding the skills gap in security, esports in cybersecurity, gaps in the security job market, examples of the skills gap in cybersecurity, skills and gender gaps in security, how to fix the gender gap in cybersecurity, how to fix the skills gap in security, innovative ways to gain experience, and more.
VIDEO EPISODE: https://youtu.be/ytY6hhRGj0A
Think Tank info: https://www.linkedin.com/company/tortora-brayda-institute
JOIN the THINK TANK: https://www.tortorabrayda.org/membership-application-form
Workshops we discussed are on this page: https://www.tortorabrayda.org/events
New scholarship program to cover or help offset the costs of people entering the cybersecurity field. A portion of every sponsorship and donation we receive goes into the scholarship fund. Donation link for the scholarship: https://tinyurl.com/DONATETBI
Connect with Jill Wideman: https://www.linkedin.com/in/jill-wideman/
US Cyber Games: https://www.uscybergames.com/ Registration for Season III is open, and recruitment is underway for athletes, coaches and sponsors.
International Cybersecurity Championship & Conference (IC3): https://www.ic3.games/
Connect with Brad: https://www.linkedin.com/in/bradleywolfenden/
US Cyber Games on LinkedIn: https://www.linkedin.com/showcase/us-cyber-games/
PlayCyber on LinkedIn: https://www.linkedin.com/showcase/play-cyber/
Twitter: Jay @pwnsolvewin, US Cyber Games @USCyberGames, PlayCyber @KatzcyPlayCyber
Join the Talent Gap Task Force: reach out to us at committee@tortorabrayda.org or to Jill personally at jill.wideman@tortorabrayda.org
What if DEF CON CTFs were televised? What if you could see their screens and have interviews with the players in the moment? Turns out, you can. Jordan Wiens, from Vector 35, maker of Binary Ninja, is no stranger to CTFs. He's played in ten DEF CON CTF finals, was a part of DARPA's Cyber Grand Challenge, and recently he's moderated the live broadcast of the annual Hack-A-Sat competition. So if anyone can pull off turning CTFs into an eSport, it's probably Jordan.
https://www.yourcyberpath.com/89/ In this episode our host, Jason, interviews Ayub (@WhiteCyberDuck) about how he got into the cybersecurity industry. This time we go over a very common case where people study something in college that does not relate to cybersecurity and then shift over to the cyber world after graduation. Ayub mentions that you are going to have to deal with a lot of silence and rejections when applying for your first job, and that it took him 134 applications to get only 5 interviews. A CTF, or Capture the Flag, is a special kind of information security competition. There are three common types of CTFs: Jeopardy, Attack-Defence and mixed. They can be really useful for honing your practical skills as well as your teamwork abilities, and can show a future employer that you are capable of working alone as well as in a team. Jason and Ayub go over resumes and how you should go about creating a master resume and then tailoring this template to suit each job application. You should always make sure to do a lot of networking and show interest in the community, to build a network of people who could be future employers or simply help you throughout your cybersecurity career. Ayub also mentions that a lot of people make the mistake of paying lots of money for very expensive boot camps when they could easily learn these skills on YouTube or other free platforms. In the end, you should always remember not to get frustrated, especially when trying to get your first job, because it always gets easier as you build experience.
What You'll Learn
● What kind of CTFs should you do?
● Should you use the same resume for all your job applications?
● How can you make a name for yourself in the cybersecurity world?
● What are some examples of low-cost training?
Relevant Websites For This Episode
● https://ctftime.org/
● https://www.antisyphontraining.com/soc-core-skills-w-john-strand/
● https://www.meetup.com/topics/cybersecurity/
Other Relevant Episodes
● Episode 61 - Skills-based Certification and Training with John Strand
● Episode 64 - How I Got My First Cybersecurity Analyst Job with Sebastian Whiting
CTF, or Capture The Flag, is a great way to expand your learning and understanding of various information security topics. It can also be great fun and a great way to meet people in the industry. In this episode Spencer and Darrius talk about the benefit of using CTFs to keep your pentesting skills sharp over the holiday "break."
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com
Following on their "unsupervised" discussion, this week Si and Desi focus on training and certification, including:
- Steps and missteps in commercial and government efforts to close the cyber skills gap through training and professional development
- The value of perspectives from different fields to digital forensics and incident response
- The shortcomings of certifications as measures of proficiency, and the need to teach a foundation of how to learn, not just pass certification exams
- Alternatives to certifications, such as chartered professionals, CTFs and coursework with practical elements
- The need for mentors to help develop professionals
CyberCX Academy announcement: https://news-events.cybercx.com.au/cybercx-academy-launched-to-help-solve-cyber-skills-crisis
Marketing fail: UK government criticised for 'crass' ad advising ballerina to retrain in IT: https://www.netimperative.com/2020/10/13/marketing-fail-uk-government-criticised-for-crass-ad-advising-ballerina-to-retrain-in-it/
Distant Traces and Their Use in Crime Scene Investigation: https://www.forensicfocus.com/webinars/distant-traces-and-their-use-in-crime-scene-investigation/
Australian Cyber Collaboration Centre: https://www.cybercollaboration.org.au/
dfrws.org
Cybersecurity is the only technical, professional occupation I know of where practitioners routinely sharpen their skills through open competitions. The contests are based on the classic capture the flag game - except the flags are all virtual and capturing them involves hacking computers. Also unlike most other technical careers, cybersecurity is a high-paying profession that doesn't require a university degree or formal training. There are literally hundreds of thousands of unfilled cybersecurity jobs right now. You can also just dabble in cybersecurity, making money from bug bounty programs. Or you can just hack for the fun of it - in a completely safe and legal environment. Jordan will tell you all about it in today's show! Jordan Wiens has been a reverse engineer, vulnerability researcher, network security engineer, three-time DEF CON CTF winner, even a technical magazine writer but now he's mostly a has-been CTF player who loves to talk about them. He has been the CTF expert for the first three years of HackASat and he was one of the founders of Vector 35, the company that makes Binary Ninja. 
Interview Links
Hack-A-Sat 3: https://hackasat.com/
Satellite hacked using $25 hardware: https://threatpost.com/starlink-hack/180389/
Decommissioned satellite hacked to broadcast movie: https://www.independent.co.uk/tech/hack-satellite-hijack-def-con-b2147595.html
Student Rick-Rolls school: https://www.malwarebytes.com/blog/news/2021/10/high-school-student-rickrolls-entire-school-district-and-gets-praised
Hack-A-Sat 2 interview: https://podcast.firewallsdontstopdragons.com/2021/06/21/hacking-satellites-for-fun-profit/
Plaid CTF: https://plaidctf.com/
CTFTime.org: https://ctftime.org/
Pwnable.kr: https://pwnable.kr/
Pwnable.tw: https://pwnable.tw/
Reversing.kr: http://reversing.kr/
Shodan: https://www.shodan.io/
Burp Suite: https://portswigger.net/burp
Wireshark: https://www.wireshark.org/
Binary Ninja: https://binary.ninja/
Metasploit: https://www.metasploit.com/
Nmap: https://nmap.org/
LiveOverflow: https://liveoverflow.com/
TryHackMe: https://tryhackme.com/
Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Support my work! https://firewallsdontstopdragons.com/support/
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:03: Interview setup
0:04:25: What is Hack-A-Sat?
0:08:44: How has the Hack-A-Sat program evolved?
0:12:58: How did CTFs start out and when did they become popular?
0:17:37: Why do we have so many unfilled cybersecurity jobs?
0:21:15: Do you need a college degree to work in cybersecurity?
0:29:39: What's a black hat hacker vs white hat? What's a red team or blue team?
0:32:15: How do CTFs actually work? What is a flag and how do I capture it?
0:38:05: Are there beginner CTFs that are free to try?
0:44:38: What sorts of tools do hackers use in CTFs and in real hacking?
0:51:57: How do hackers chain together multiple exploits?
0:56:26: What's your advice to someone who would like to try a CTF?
1:00:36: What's next for Hack-A-Sat?
1:02:25: Interview wrapup
1:04:07: What is Rick-Rolling?
1:05:23: Try a CTF, go to a hacker con!
Join us as our guest, Jayesh Singh Chauhan, takes us through all that this year's village has to offer.
About the Cloud Village
Cloud Village is an open space to meet folks interested in offensive and defensive aspects of cloud security. The village is home to various activities like talks, workshops, CTFs and discussions targeted around cloud services. If you are a professional who is looking to gain knowledge on securely maintaining the cloud stack and loves to be around like-minded security folks who share a similar zeal for the community, Cloud Village is the perfect place for you.
Be sure to catch all of our conversations from Black Hat and DEF CON 2022 at https://www.itspm.ag/bhdc22
Guest
Jayesh Singh Chauhan, Founder, Cloud Village [@cloudvillage_dc]
On LinkedIn | https://www.linkedin.com/in/jayeshsch
On Twitter | https://twitter.com/jayeshsch
On Facebook | https://facebook.com/jayeshsch
This Episode's Sponsors
CrowdSec | https://itspm.ag/crowdsec-b1vp
Edgescan | https://itspm.ag/itspegweb
Pentera | https://itspm.ag/pentera-tyuw
Resources
Cloud Village DEF CON Schedule:
Cloud Village CTF Portal: https://ctf.cloud-village.org/
Cloud Village website: https://cloud-village.org/
On YouTube | https://www.youtube.com/cloudvillage_dc
At DEF CON: https://forum.defcon.org/node/239788
For more Black Hat and DEF CON Event Coverage podcast and video episodes visit: https://www.itspmagazine.com/black-hat-2022-and-def-con-hacker-summer-camp-las-vegas-usa-cybersecurity-event-and-conference-coverage
Are you interested in telling your story in connection with Black Hat and DEF CON by sponsoring our coverage?
In this episode, hacker and content creator LiveOverflow joins us for an awesome AMA! How did he start his cybersecurity journey and what was his first vulnerability found? What are his tips for CTFs and content creation? Find out! Join us on Discord and follow us on social media for more HTB updates! discord.gg/hackthebox
SecAura is an amateur YouTuber whose post caught my attention when I came across it. SecAura creates free educational videos for ethical hacking and does so while going the extra mile to hand-craft many of the animations used in the videos. All of this is done outside of the 9-5 job SecAura has as a penetration tester. Realizing that the technical subjects needed diagrams and that these elements were a core part of the videos being created, SecAura decided to hand-craft the animations for each of the subjects being prepared, teaching himself all that was required to do so while constantly trying to improve with each video released.
SecAura aims to have every video released be at the top of its game in terms of teaching someone who knows very little about a subject and getting them to a great foundational and applicable position just from watching his videos. He also hopes to extend the community and help to create the next generation of cybersecurity professionals by providing them with real, practical skills, backed by the theory!
About SecAura [from Twitter]
By day I work as a pentester, and in the evening, I compete in CTFs/cyber things. I have always loved teaching, and wanted to give back to the cyber community the best I can, so I made my YouTube Channel.
It was a treat speaking with SecAura, learning about the creativity, passion, and production that goes into the making of each of these videos, and how they can be used by those looking to enter the field of information security, preparing for a job interview, looking to grow their skills as they aspire to take on new roles, or perhaps even get promoted at their job.
So many use cases, lots of great content, all from a super cool human.
Guest
SecAura, Ethical Hacking Content Creator
On Twitter | https://twitter.com/secaura_
On LinkedIn | https://www.linkedin.com/in/sec-aura-57736422a/
On YouTube | https://www.youtube.com/channel/UCx89Lz24SEPZpExl6OfQ0Gg
This Episode's Sponsors
Imperva: https://itspm.ag/imperva277117988
Asgardeo by WSO2: https://itspm.ag/asgardeo-by-wso2-u8vc
Resources
More information about SecAura: https://twitter.com/secaura_/status/1518241710412808192
The new SQLi video discussed during the conversation: UNLEASH THE POWER OF SQL INJECTION | A beginners guide: https://www.youtube.com/watch?v=_Y4MpvB6o7s
VIDEO: Web Fundamentals for Cyber Security | HTTP for Hackers | 0x01 (Animated): https://www.youtube.com/watch?v=ro-5AjgoPc4
To see and hear more Redefining Security content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity
Are you interested in sponsoring an ITSPmagazine Channel?
Featured Voices in this Episode:

Trent Brunson
Trent Brunson is a Principal Security Engineer and Research Practice Manager at Trail of Bits. He has worked in computer security since 2012 as a researcher and engineer at Assured Information Security in Rome, NY, and at the Georgia Tech Research Institute, where he served as the Threat Intelligence Branch Chief and the Associate Division Chief of Threat Intelligence & Analytics.

Dan Guido
Dan Guido is the CEO of Trail of Bits, a cybersecurity firm he co-founded in 2012 to address software security challenges with cutting-edge research. In his tenure leading Trail of Bits, Dan has grown the team to more than 80 engineers, led the team to compete in the DARPA Cyber Grand Challenge, built an industry-leading blockchain security practice, and refined open-source tools for the endpoint security market. In addition to his work at Trail of Bits, he runs Empire Hacking, a 1,500-member meetup group focused on NYC-area cybersecurity professionals. His latest hobby coding project, AlgoVPN, is the Internet's most recommended self-hosted VPN.

Suha Hussain
Suha Hussain is a software security engineer who specializes in machine learning assurance. Her work also involves data privacy, program analysis, and applied cryptography. She's currently an intern at Trail of Bits, where she's worked on projects such as PrivacyRaven and Fickling. She's also pursuing a BS in Computer Science at Georgia Tech.

Sam Alws
Sam Alws is a computer science student at Vanderbilt University, hoping to take part in shaping the future of tech. He was a Trail of Bits wintern and also previously interned at Bloomberg LP. He serves as a volunteer software developer for Change++, writing code for charities, and spent two years with Project Spark, designing a programming curriculum for schools in India.

Nick Selby (Host)
An accomplished information and physical security professional, Nick leads the Software Assurance practice at Trail of Bits, giving customers at some of the world's most targeted companies a comprehensive understanding of their security landscape. He is the creator of the Trail of Bits podcast, and does everything from writing scripts to conducting interviews to audio engineering to Foley (e.g. biting into pickles). Prior to Trail of Bits, Nick was Director of Cyber Intelligence and Investigations at the NYPD; the CSO of a blockchain startup; and VP of Operations at an industry analysis firm.

Production Staff
Story Editor: Chris Julin
Associate Editor: Emily Haavik
Executive Producer: Nick Selby
Executive Producer: Dan Guido

Recording
Recorded at Rocky Hill Studios, Ghent, NY - Nick Selby, Engineer
22Springroad Tonstudio, Übersee, Germany - Volker Lesch, Engineer
Remote recordings: New York, NY; Brooklyn, NY; Virginia; Atlanta, GA (Emily Haavik); Silver Spring, MD (Jason An).
Trail of Bits supports and adheres to the Tape Syncers United Fair Rates Card.
Edited by Emily Haavik and Chris Julin
Mastered by Chris Julin

Special Thanks
Dominik Czarnota
Josselin Feist

Music
TRAIL OF BITS THEME: DISPATCHES FROM TECHNOLOGY'S FUTURE, Chris Julin
ELEMENT, Frank Bentley
FOUR AM, Curtis Cole
DRIVING SOLO, Ben Fox
OPEN WINGS, Liron Meyuhas
SHAKE YOUR STYLE, Stefano Mastronardi
THE QUEEN, Jasmine J. Walker
ILL PICKLE, Phil David
PIRATE BLUES, Leon Laudenback
SCAPES, Gray North

Reproduction
With the exception of any Copyrighted music herein, Trail of Bits Season 1 Episode 2; Internships and Winternships © 2022 by Trail of Bits is licensed under Attribution-NonCommercial-NoDerivatives 4.0 International. This license allows reuse: reusers may copy and distribute the material in any medium or format in unadapted form and for noncommercial purposes only (noncommercial means not primarily intended for or directed towards commercial advantage or monetary compensation), provided that reusers give credit to Trail of Bits as the creator. No derivatives or adaptations of this work are permitted. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.

Referenced in this Episode:
Learn more about the work done by Trail of Bits interns over the years on the company blog.
Apply for an internship or winternship at https://www.trailofbits.com/careers
Suha Hussain and lead engineer Evan Sultanik describe the Fickling project: Never a Dill Moment: Exploiting Machine Learning Pickle Files.
The Python manual refers specifically to the security issues discussed in this episode: "The pickle module is not secure. Only unpickle data you trust... It is possible to construct malicious pickle data which will execute arbitrary code during unpickling. Never unpickle data that could have come from an untrusted source, or that could have been tampered with."
Read more about PrivacyRaven and watch Suha's video introducing the project: PrivacyRaven Has Left the Nest
Sam Alws describes his journey to speed up Echidna: Optimizing a Smart Contract Fuzzer
For those interested in CTFs, especially those who seek to start their own, Trail of Bits has posted a CTF Field Guide in the company github repository. It contains details on past CTF challenges, guidance to help you design and create your own toolkits, and case studies of attacker behavior, both in the real world and in past CTF competitions. Each lesson is supplemented by links to supporting reference materials.
Check out the AngstromCTF site here: angstromctf.com
And here's the Montgomery Blair High School Cybersecurity Club's github repository: github.com/blairsec
The Blair students you met in this podcast were Jason An, Clarence Lam, Harikesh Kailad and Patrick Zhang.

Meet the Team:

Chris Julin
Chris Julin has spent years telling audio stories and helping other people tell theirs. These days he works as a story editor and producer for news outlets like APM Reports, West Virginia Public Broadcasting, and Marketplace. He has also taught and mentored hundreds of young journalists as a professor. For the Trail of Bits podcast, he serves as story and music editor, sound designer, and mixing and mastering engineer.

Emily Haavik
For the past 10 years Emily Haavik has worked as a broadcast journalist in radio, television, and digital media. She's spent time writing, reporting, covering courts, producing investigative podcasts, and serving as an editorial manager. She now works as an audio producer for several production shops including Us & Them from West Virginia Public Broadcasting and PRX, and APM Reports. For the Trail of Bits podcast, she helps with scripting, interviews, story concepts, and audio production.
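The Python manual warning quoted in the episode references above is worth seeing in bytes. The following is an added example and is not code from Trail of Bits, from Fickling, or from the episode: it builds a constructed protocol-0 pickle that calls builtins.eval the moment it is loaded, shows a simplified static scan of the opcode stream that lists every global the stream would import without executing it (the general idea behind inspecting a pickle before trusting it), and contrasts pickle.loads with a restricted Unpickler whose find_class only resolves names on a hypothetical allowlist. The payload, the sample inputs and the allowlist contents are all constructed for illustration.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Constructed attacker payload, written as raw protocol-0 opcodes so the
# ingredients are visible: GLOBAL builtins.eval, MARK, STRING "1+1", TUPLE,
# REDUCE (which calls eval("1+1")), STOP. Merely loading it runs eval.
PAYLOAD = b"cbuiltins\neval\n(S'1+1'\ntR."

# Constructed benign inputs: a plain dict (references no globals at all) and an
# OrderedDict, which pickles via a STACK_GLOBAL reference to collections.OrderedDict.
BENIGN = pickle.dumps({"epochs": 3, "tags": ["a", "b"]}, protocol=4)
ALLOWED_SAMPLE = pickle.dumps(OrderedDict(), protocol=4)


def unsafe_loads(data: bytes):
    """What most model loaders do: pickle.loads resolves and calls whatever the stream names."""
    return pickle.loads(data)


def list_globals(data: bytes) -> list:
    """Statically list the (module, name) pairs the stream would import, without running it.

    GLOBAL (protocols 0-3) carries both names in its argument. STACK_GLOBAL
    (protocol 4+) takes them from the two most recent string pushes, which this
    simplified tracker records; it is a scanner, not a full stack emulator.
    """
    found = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            found.append((recent_strings[-2], recent_strings[-1]))
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on an explicit allowlist (hypothetical contents)."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        # Every GLOBAL and STACK_GLOBAL opcode is resolved through this hook.
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not on the allowlist")


def safe_loads(data: bytes):
    """Load with the allowlisting unpickler; anything else raises UnpicklingError."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_blocked(data: bytes) -> bool:
    """True if the restricted loader refuses the stream, False if it loads cleanly."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("globals referenced:", list_globals(PAYLOAD))            # [('builtins', 'eval')]
    print("unsafe load ran eval:", unsafe_loads(PAYLOAD))          # 2
    print("restricted loader blocked it:", is_blocked(PAYLOAD))    # True
    print("allowlisted class still loads:", safe_loads(ALLOWED_SAMPLE))  # OrderedDict()
```

The scan and the allowlist are layered checks, not a substitute for the manual's advice: the scanner above deliberately simplifies STACK_GLOBAL tracking, and an allowlist only helps if every permitted callable is harmless with attacker-chosen arguments. The robust position remains the one the Python documentation states, namely never unpickling data that could have come from an untrusted source.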
Guest: Dave Herrald @ Principal Security Strategist, Google Cloud
Topics:
What are some tenets of good SOC training? How does this depend on the SOC model (traditional L1/L2/L3, virtual, etc.)?
How do you make SOC training realistic?
Should training be about the toolset or about the analyst's skills?
Should you primarily train for engineering skills or analysis skills? Do you need to code to succeed in a modern SOC?
Are competitive events like CTFs effective for SOC training?
What role does SOC training play in bringing new, perhaps under-represented people into security operations and promoting inclusivity?
Resources:
Chris Sanders SOC classes
SANS Holiday Hack Challenges
SEC450: Blue Team Fundamentals: Security Operations and Analysis
SANS NetWars
"Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper
Boss of the SOC (BOTS) Dataset
Today we're joined by Roelof Temmingh. Roelof is the creator of OSINT tools you've certainly heard of, such as Maltego and Vortimo. Roelof recently got to test Vortimo in the context of a Trace Labs CTF, and his team placed very well. In this episode we discuss the history and inception of these tools, as well as CTFs vs. real-world investigations.
Vortimo: https://www.vortimo.com/
Blog post about competing in the CTF: https://www.vortimo.com/competing-in-the-tracelabs-ctf-26-march-2022/
Want to learn more about Open Source Intelligence?
Follow us on Twitter: @TraceLabs
Join our Discord server: https://tracelabs.org/discord
Check out the site: https://tracelabs.org
Jasmine Jackson is an experienced cybersecurity professional who got her start through self-teaching. So listen on for her advice on breaking the entry-level barrier in infosec and how she learned using CTFs and write-ups.
Today, most of us take the internet, and access to the internet, for granted. It's ubiquitous. However, the current war in Ukraine has (hopefully) made us realize that things can change dramatically overnight. While we can always hope for the best, we should be at least minimally prepared for the worst. I'm not suggesting we all prepare for military invasion, but there are much more likely scenarios that might lead to power and communications infrastructure problems, like bad storms, natural disasters, and even radical political shifts in democratic countries. Understanding the fundamentals of how our digital world works can help us be more resilient in the face of emergencies. Today I'll be speaking with a lead cybersecurity instructor from the Tech Learning Collective about some lessons we can learn from the current Russia-Ukraine conflict and how to be better prepared for digital disruption.
Further Info
Tech Learning Collective: https://techlearningcollective.com/
How to Prepare for a Power Outage: https://firewallsdontstopdragons.com/how-to-prepare-for-power-outage/
Download Wikipedia: https://wiki.kiwix.org/wiki/Content_in_all_languages
VulnHub downloadable, free CTFs: https://www.vulnhub.com/
Black Hills Infosec: https://www.blackhillsinfosec.com/
Crypto-Gram by Bruce Schneier: https://www.schneier.com/crypto-gram/
Code: The Hidden Language of Computer Hardware and Software: https://www.amazon.com/Code-Language-Computer-Hardware-Software/dp/0735611319
The Art of Exploitation: https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
What images come to mind when you see or hear the word "cybersecurity"? That word probably evokes mental images of people hunched over keyboards launching cyberattacks at each other. Or maybe you picture someone picking a lock or stealing a badge to slip into a building. In other words, most people picture the battle, or what some might think of as "the fun parts." But here's the thing: not everyone gets to participate in these aspects of cybersecurity and, in many cases, finding safe and legal ways to practice these skills can be challenging. So where can curious minds turn? That's where gamification can really help. There are a ton of really fun and engaging ways to learn these skills without fear of being arrested or breaking something. These are also great ways to level up cybersecurity skills and help bring new people into the field. In this episode, we explore the "fun and games" of cybersecurity: lock picking, capture the flag (CTF) competitions, simulations, and even pickpocketing and magical (sleight of hand and misdirection) thinking. Perry's guests are Alethe Denis (social engineer and DefCon 2019 Social Engineering CTF winner), Deviant Ollam (penetration tester, lock picking guru, and Board Member of The Open Organization of Lockpickers), Chris Kirsch (Co-Founder and CEO of Rumble, DefCon 2017 Social Engineering CTF winner), and Gerald Auger (Founder of Simply Cyber, Director of Cybersecurity Education & Cybersecurity Program Manager at ThreatGEN).
Guests:
Alethe Denis (LinkedIn) (Twitter) (Website)
Deviant Ollam (Twitter) (YouTube) (Website)
Chris Kirsch (LinkedIn) (Twitter)
Gerald Auger (LinkedIn) (Twitter) (YouTube)
Resources & Books:
What is Gamification?
Lockpicking Resources from Deviant Ollam
Keys to the Kingdom: Impressioning, Privilege Escalation, Bumping, and Other Key-Based Attacks Against Physical Locks, by Deviant Ollam
Practical Lock Picking: A Physical Penetration Tester's Training Guide, by Deviant Ollam
TOOOL US -- The Open Organization of Lockpickers
TOOOL US instructional videos on YouTube
The Official TOOOL Slides
The Lockpicking Lawyer on YouTube
Bump Keys in the News - San Francisco #3 -- YouTube clip
TraceLabs OSINT Capture the Flags
50 CTF (Capture the Flag) & Pentesting Websites to Practice Your Hacking & Cybersecurity Skills in 2021
Hands-on Hacking Demo | CTF - Capture the Flag in 15 Minutes!, YouTube video by ITProTV
Capture the Flag? Change Your Life, YouTube video by John Hammond
Don't Wait for the Perfect Time for a Tabletop Exercise, National Law Review
ThreatGEN's Red & Blue Game
Gerald Auger's Simply Cyber Discord Server
Chris Kirsch's pickpocketing talk at Layer8 Security Conference
Production Credits:
Music and Sound Effects by Blue Dot Sessions, Envato Elements, & Storyblocks.
Artwork by Chris Machowski @ https://www.RansomWear.net/ and Mia Rune @ https://www.MiaRune.com.
8th Layer Insights theme music composed and performed by Marcos Moscat @ https://www.GameMusicTown.com/
Want to get in touch with Perry? Here's how: LinkedIn Twitter Instagram Email: hello [at] 8thLayerInsights [dot] com
2022 Cybersecurity roadmap: How to get started? How do you get started in Cybersecurity in 2022? John Hammond shows us the way. // MENU // 0:00 ▶️ Introduction 0:48 ▶️ First thing to learn 3:55 ▶️ Do something else before that? 5:10 ▶️ Any recommended resources 6:34 ▶️ Still recommend CTFs? 9:30 ▶️ Degrees and certs required in cyber 12:04 ▶️ Recommended certs 16:10 ▶️ This sounds scary... any other certs first 18:10 ▶️ Difficult to answer 19:05 ▶️ Don't forget this! 20:00 ▶️ David pushing John for a path 21:20 ▶️ What John wishes he knew when he started 22:40 ▶️ Do what you love John Hammond Playlist: https://davidbombal.wiki/johnhammond // Connect with David // Discord: https://discord.com/invite/usKSyzb Twitter: https://www.twitter.com/davidbombal Instagram: https://www.instagram.com/davidbombal LinkedIn: https://www.linkedin.com/in/davidbombal Facebook: https://www.facebook.com/davidbombal.co TikTok: http://tiktok.com/@davidbombal YouTube: https://www.youtube.com/davidbombal // Connect with John // YouTube: https://www.youtube.com/johnhammond010 Twitter: https://twitter.com/_johnhammond LinkedIn: https://www.linkedin.com/in/johnhammo... // OSCP from Offensive Security // https://www.offensive-security.com/ // GO by example // https://gobyexample.com/ // Hack The Box // HTB Academy: https://davidbombal.wiki/htbacademy HTB: https://davidbombal.wiki/htb // Try Hack Me // https://tryhackme.com/ // Pico CTF // https://picoctf.org/ // MY STUFF // Monitor: https://amzn.to/3yyF74Y More stuff: https://www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? 
Reach out to my team here: sponsors@davidbombal.com
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Cybersecurity is so hot that companies can't hire fast enough. What's the blocker? Experience. But how can recent grads and those still in school get it? CTF expert Akshay Rohatgi explains how to get involved.
One of the most common questions we get is: how can I get experience if I can't get that first job? Even entry-level cyber roles often require 1-3 years of experience. Early-stage cyber professionals can practice and hone their skills by participating in bug bounty programs, open-source projects, and internships. Another great way to get experience and build your network is Capture the Flag (CTF) competitions.
Conversation highlights:
What a capture the flag contest is
The difference between Jeopardy and Attack/Defense competitions
What to expect during an event
How much experience you need to join one
Learn about the Air Force Association's CyberPatriot National Youth Cyber Education Program
The craziest thing that happened to Akshay during competition
How you can get involved
________________________________
Guest
Akshay Rohatgi
On LinkedIn | https://www.linkedin.com/in/akshay-rohatgi-1564521b2/
On Twitter | 
________________________________
Hosts
Limor Kessem
On ITSPmagazine
WeOpenTech is a global community of marginalized genders who work in security and tech.“You are welcome to join us if you are of a marginalized gender (even if you are unsure at this time), including non-men and/or non-cis individuals, and other genders which have been systematically oppressed. We welcome members across all nationalities, races, religions, ages, or other characteristics that make each of us unique.”Note that WeOpenTech does not tolerate intolerance of other marginalized groups.Karl Popper's Paradox of Tolerance shall provide you with more details on the matter.
To help more people become penetration testers, Kim Crawley and Phillip L. Wylie wrote The Pentester BluePrint: Starting A Career As An Ethical Hacker. In this episode of The Hacker Mind, Kim talks about the practical steps anyone can take to gain the skills and confidence necessary to become a successful pentester -- from gaining certifications, to building your own lab, to participating in bug bounties and even CTFs.
Capture the Flag is a game, a community, and a really cool hacker culture. But will we one day stream CTFs like we do World of Warcraft or League of Legends? Whether it's designing or just playing CTFs, John Hammond knows a lot about the gamification of infosec. He even has his own YouTube channel where he shares what he's learned from different challenges. In this episode of The Hacker Mind John shares his experiences building and executing his own CTFs.