Corporate Strategy

118. Interview with an Ethical Hacker

April 29, 2024 The Corporate Strategy Group Season 4 Episode 12
118. Interview with an Ethical Hacker
Corporate Strategy
More Info
Corporate Strategy
118. Interview with an Ethical Hacker
Apr 29, 2024 Season 4 Episode 12
The Corporate Strategy Group

Ever wondered if your digital fortress can withstand a full-scale cyber siege? Buckle up as Squidboi, our corporate fam discord's virtuoso of virtual vulnerabilities, takes us on a rollercoaster ride through the landscape of offensive security. This episode promises to arm you with the know-how of ethical hacking that's essential for keeping corporate networks safe. We kick things off with a casual chat about the upcoming summer and the peculiar world of 'ghost jobs', setting the stage for a deep-dive into Squidboi's daily grind as a cybersecurity consultant.

As the conversation progresses, we peel back the layers of penetration testing and cybersecurity consulting, exposing the skills that transcend coding prowess and the persistence needed when scouring systems for elusive security gaps. Squidboi regales us with tales from the trenches—where creativity is king, and late-night excursions into digital defenses are just another Monday. Plus, we get the scoop on how cybersecurity professionals stay nimble in a landscape peppered with ever-evolving threats and custom integrations.

Don't miss the electrifying discussion on bug bounties and the tools of the trade, including the nifty Flipper Zero, which could give Q from James Bond a run for his money. Squidboi casts a light on the paradoxical pressures of offensive security consulting, where boasting an impenetrable defense is practically an invitation for trouble. By the time we wrap up, you'll have a hearty dose of insights and inspiration, whether you're a seasoned pro or just curious about what it takes to join the ranks of ethical hackers safeguarding our digital domain.

Everything Corporate Strategy:
All the links!

Elevator Music by Julian Avila
Promoted by MrSnooze

Don't forget ⭐⭐⭐⭐⭐ it helps!

Show Notes Transcript Chapter Markers

Ever wondered if your digital fortress can withstand a full-scale cyber siege? Buckle up as Squidboi, our corporate fam discord's virtuoso of virtual vulnerabilities, takes us on a rollercoaster ride through the landscape of offensive security. This episode promises to arm you with the know-how of ethical hacking that's essential for keeping corporate networks safe. We kick things off with a casual chat about the upcoming summer and the peculiar world of 'ghost jobs', setting the stage for a deep-dive into Squidboi's daily grind as a cybersecurity consultant.

As the conversation progresses, we peel back the layers of penetration testing and cybersecurity consulting, exposing the skills that transcend coding prowess and the persistence needed when scouring systems for elusive security gaps. Squidboi regales us with tales from the trenches—where creativity is king, and late-night excursions into digital defenses are just another Monday. Plus, we get the scoop on how cybersecurity professionals stay nimble in a landscape peppered with ever-evolving threats and custom integrations.

Don't miss the electrifying discussion on bug bounties and the tools of the trade, including the nifty Flipper Zero, which could give Q from James Bond a run for his money. Squidboi casts a light on the paradoxical pressures of offensive security consulting, where boasting an impenetrable defense is practically an invitation for trouble. By the time we wrap up, you'll have a hearty dose of insights and inspiration, whether you're a seasoned pro or just curious about what it takes to join the ranks of ethical hackers safeguarding our digital domain.

Everything Corporate Strategy:
All the links!

Elevator Music by Julian Avila
Promoted by MrSnooze

Don't forget ⭐⭐⭐⭐⭐ it helps!

Speaker 1:

There he is, chills.

Speaker 2:

Every time.

Speaker 3:

Every time.

Speaker 2:

Love it now recording.

Speaker 1:

Yeah, actually people don't hear that on the podcast right?

Speaker 3:

No, no one gets to hear Craig speak.

Speaker 1:

Squidboy is one of the first Alex and Squidboy get to hear Craig.

Speaker 3:

That's right. Everyone else has to wonder what does that little beaver sound like? Welcome back to Corporate Strategy, the podcast. That could have been an email. I'm Bruce and I'm Clark and, as you may have heard in our pre-show ramblings, Squidboy's with us. Constant contributor on the corporate fam discord. Squidboy, Say hello to the people.

Speaker 2:

Hey guys, just finally on the podcast.

Speaker 3:

Yeah, finally, it's been too long and we're super glad to have you here. You've joined us because our other frequent podcast correspondent, capitalist correspondent Alex Restrepo, submitted a topic that we wanted to discuss with you today because you are the expert in this field. Before we get to that, how are things going? Let's do a vibe check real quick. Clark, how are you feeling this week?

Speaker 1:

I think this weekend I have like totally forgotten I've just burned it from my memory what happened last week. Like I'm just blanking as you ask me this. I'm like I have no idea what even happened. Was last week a thing thing?

Speaker 1:

we're recording on a sunday, so you know the weekend, all of saturday, just to purge the week from my mind. Yeah, yeah, you know I think this week was, it was, it was busy, but man, I don't, I don't know what's gotten into me. I'm just like ready, like it feels like school again, where I'm just like I'm ready for summer, like when is?

Speaker 3:

summer happening you'll get a summer break as an adult, unfortunately.

Speaker 1:

Uh, I know I do have some vacation plan, though, so I am looking forward to that. So I think that's my mindset. I'm like I'm waiting for summer vacation. You know, come on, bring it. How about?

Speaker 3:

you. Well, let's, let's ask squid boy, because I don't really matter it's good boy what's your vibes like this week?

Speaker 2:

I mean, uh, I'm kind of in the same boat as clark. So, you know, just waiting for summer things are just because things are a little bit more ramping up, you know like q1's a little slow and then q2, just kind of you know, gets hammered in. I feel like q2 and q4 are kind of the big um busy days.

Speaker 1:

So ready for summer boy, howdy that is actually a really good point, because it's like, yeah, q1, you kind of, you know, get off the holidays, you're kind of ramping up on your goals for the year and then at the end of q1, you usually have that realization wow, we're not close to what our goals were for this year. So it's like, let's pick this up and make sure we're gonna, you know, sprint through q2 in in marketing.

Speaker 3:

Uh, q2, q3 or events season. So this is the nightmare sprint for me. I, like you know we we talked about this a little bit before we started recording I'm going on a nice little vacay this week, just taking some time off with the wife for our 10-year anniversary, but, uh, going from that vacay directly into rsa, the security conference, which is appropriate for today's topic. But after RSA it's nightmare after nightmare, let's go, let's go, let's go. Events, events, events. So I'm just doing my absolute best to stay in the moment and not think about all of the crap that I have to do pre, during and post the event season showing up.

Speaker 1:

Well, first of all, congrats on 10 years. That is awesome. That is such a huge milestone.

Speaker 3:

It is, it is. It's been a good 10 years too, no complaints. I can't believe it's been 10 years.

Speaker 1:

That is wild. It is wild you know I actually think. Knowing your wife, I think she would really enjoy going to RSA with you.

Speaker 3:

Oh, the sarcasm there.

Speaker 1:

Actually we should. We should vlog it and have her there doing the vlog and just like what is going on here the whole entire time.

Speaker 3:

I mean I'm going to be miserable. I can't imagine both of us being miserable together. That would be fantastic. I love it. Fun fact about my marriage and Clark Clark's family was at my wedding, but he was not.

Speaker 1:

Yeah, isn't that weird? It's weird. Oh, I always think back to that and I, you know, I just, I think I've had dreams about your wedding because my family, like you know, told me all about it and I was like wow, this sounds incredible. So I know all about it, I just wasn't there.

Speaker 3:

Yeah.

Speaker 1:

You're gonna have to Photoshop me to some pictures, or something.

Speaker 3:

We should. There's some people I think we'd like to replace, so we need to do that.

Speaker 1:

There we go. I can at least step in. Can we do any news? You want to do news before we?

Speaker 3:

jump in. Do any of y'all have news?

Speaker 1:

I'm so unpre ridiculous news and it's not really even news, it's just. It's just stupidity that's happening in the world right now. Why are people interviewing like seven times for jobs and then getting denied? Did you see the Restrepo post in the district?

Speaker 3:

Yeah, exactly.

Speaker 1:

That's what I saw and I was just like this is insane and it seems to be getting worse. Like I've been in seven round interviews and I was kind of commenting to some of the stuff that Alex threw on there, but it just feels like people are getting rejected. Like I keep on seeing posts on Reddit just about people getting like the seventh interview and then getting rejected. Like that is so terrible. They go through that many interviews just to get rejected.

Speaker 2:

I don't know if you guys notice the ghost jobs that are going around. That's becoming like more and more prevalent now. So people are just interviewing, to interview and there's actually not a job at the end of the whole process.

Speaker 1:

So the companies are posting it and like they're, they really don't have a job, they're just like actively recruiting and meeting people on yeah.

Speaker 2:

So basically to see what's out there for the company. So people are applying to these jobs that don't have, um, any jobs associated with the company. It's just, oh, maybe we need this in the future. So, you know, start that interview process now and maybe three months down the road, or six months or whatever it is, they might be able to reach out to that person, say, hey, we got you a job.

Speaker 3:

I don't like that at all.

Speaker 1:

Do they realize like people's lives are dependent on this? Like that's the thing that I hate about corporate is just like?

Speaker 3:

okay, I get it.

Speaker 1:

Always recruiting. You always want to have like a pipeline and a bench to be like oh yeah, what about this person or this person? But kind of dangling the carrot just for nothing when it's like, yeah, my livelihood depends on this and you're wasting someone's time who might be in a really bad situation. That's awful.

Speaker 3:

I think it takes a special kind of special to be in recruiting specifically Because I mean, there's just a part of you. You have to cut out your soul to be in that job, right, like as a recruiter. You have to eliminate your feelings for your fellow man and woman and humanity in general. I, I would love to have a recruiter on the pod in the future and just be like yo. How do you live?

Speaker 1:

You know how do you sleep at night? Oh, knowing the things you do from these and I don't blame them.

Speaker 1:

I just want to be really clear on that and I think you're saying the same Right's compartmentalization it's got yeah, it's like that's their job, that's their livelihood, but the hiring managers they have to work with and like squid boys explaining, like they have to go against kind of probably their morals and ethics to be like, okay, there's nothing here, but I gotta have a call with this person to explain to them the job. Like that is probably the worst feeling.

Speaker 3:

The. The most interviews I've ever done was three. You're lucky. You are lucky Apparently. Looking at, looking at the posts in there, apparently I'm very lucky. What, what about you?

Speaker 1:

It's good boy.

Speaker 2:

You want to go first. I think the most I've done is five, but I'm looking at Alex's 10 or 12. It's just, I'm good, I would give up. I think five is my limit and it's not worth the job after that.

Speaker 1:

No it's literally like a full day that you've got to dedicate just to like back to back interviews. Yeah, the most I've had, if you include, like the HR calls like to, you know, do the initial screening and all that eight, probably eight interviews. Yeah, because it was like hr call just to kind of like pre-qualify, make sure the salary is in range, and then it was like a series of five that were an hour each and it happened over like four weeks and basically just had to be like prep for those. And there was another conversation with hr to like talk about you know what the next steps are. And then it was like a committee to be like okay, well, let's try to find you a team.

Speaker 1:

And I was like, okay, at this point, like everybody interviewed didn't make me excited for this at all. This really actually sucked and it was for a thing and I was like, even though I could do it, like everybody I interviewed just felt like they were trying to prove something and didn't get me excited at all to work here. It was rough. Do you think that job was a ghost job? No, I think it was real, Cause I think there were some actual jobs behind it. It just like after all that, after the offer, after kind of like the people that I talked to, I was just like I'm just not interested. This actually seems way worse, and so I just basically wasted, like you know, a whole day's worth of my time interviewing over. I think it was like a two month period. It was terrible.

Speaker 3:

Do you think you could have short-circuited it like four interviews in be like nah, this isn't for me. I can tell already probably.

Speaker 1:

I kept on like holding out hope because I was like man, it'd be really cool to work here. So I was like it's got to get better, right, like I'll talk to someone who's excited about doing what they're doing, and all of them were just worse after worse.

Speaker 3:

Jeez. So I mean, now that we've brought up the idea of the ghost job, I almost wonder if the long interview process is to help fulfill that right, like if we just keep pushing this down the line, keep scheduling more interviews four weeks, eight weeks out, you know, eventually there'll be a role. We'll get the budget. We'll clear it up Because I mean eight weeks, that you know eventually there'll be a role, we'll get the budget. We'll clear it up Because I mean eight weeks. That's more than two thirds of a quarter right there. Yeah, you can easily push someone into next quarter for an application just by doing that Very well could be the worst part about all these interviews too.

Speaker 1:

It's like, okay, you've got, like you know, I think it was like a six month period to like find a team and then we'll formally extend you an offer and all that, and I was just like, so I could be like looking for a team for six months and doing more of these Like this is insane. So it just didn't make any sense to me.

Speaker 3:

And they probably make you work too, where you have to like, do stuff prior to the interview, even though you're not being paid by them to present to them.

Speaker 1:

I'm guessing.

Speaker 2:

Yeah, so stupid. It is ridiculous the most corporate thing ever.

Speaker 3:

Don't like that news. Well, something great to look forward to in the future as you pursue new venues and new ventures. The ghost job Putting that on the list of things I hate. Let's talk about our topic today. So this is something I know nothing about and it came from alex. He posted it in the pod topics channel and squid boy happily jumped in, said he'd be down to talk. So let's just first define what it is offensive security. What is that squid boy?

Speaker 2:

yeah. So offensive security is kind of what it's named you know. It's kind of like you're attacking networks, okay right. So this is uh, all right. I mean, it's not even just networks. It could also be like social engineering, which you know we can get to later or, um, wireless attacks, things of that nature, so anything cyber related. Now, this is super important for corporate networks because they're dealing with like millions and millions of dollars and they want that stuff secured even for like a small business with just maybe even hundreds of thousands of dollars. So whenever you're working in offensive security, you simulate these attacks and then you write a report on it. Obviously you're not taking down anything, but it's one of the cooler jobs in corporate, I would say, when you're working in offensive security and I can go through each of the different branches as well.

Speaker 3:

So what would the role be called of someone who does this kind of thing? What would the role?

Speaker 2:

be called of someone who does this kind of thing. Yeah, so technically what I do is pen testing, pen testing, okay, yeah, so you can be a pen tester. Most people put cybersecurity consultant because typically you're doing a lot of the pen testing or remediation.

Speaker 2:

Or we like to also say GRC policy. So governance, risk and compliance, and those are just policies that people have to follow. There is another one which is obviously there's offensive security, then there's defensive, which is all the blue team stuff. People are basically managing firewalls, rotating passwords, looking at different ports that are open and what have you, but I only work on the other side of the spectrum.

Speaker 1:

Got it. So you would say it's almost like you're actually trying to find vulnerabilities. So you're trying to understand where are the gaps, expose them, write the reports on them and then I'm assuming somebody's going to have the responsibility from there to actually, you know, mitigate them in some way, you know, put in a new piece of technology or patch the gap, something along those lines.

Speaker 2:

Exactly. So that's kind of it's. It's a really cool job, I'm not going to lie. So I mean it's like, uh, you get to hack, you know corporate networks, you know with legal restraints, but I mean it's like you get to hack, you know corporate networks, you know with legal restraints, but I mean it's, you know you're hacking for a living, it's hacking like without malicious intent, because it's like you can't.

Speaker 1:

You're not actually trying to hurt the company you work for, but you're just trying to find where the gaps are, expose them and then get them fixed, which does sound like a lot of fun.

Speaker 2:

Yeah, it's, they call it ethical, ethical hacking. So I think there's actually, um, there's a couple certs, uh, one of them I don't recommend this search, which is called the ceh certified ethical hacker but um, that one's just a multiple choice. I mean, in this field you really have to get real technical. By the way, I mean, a multiple choice question is not going to really help you in this field.

Speaker 1:

I would say I'm sorry.

Speaker 3:

Bruce, you go ahead. Oh no, I was going to say, you know, for the people who might be listening to this, who are very either young in their career or haven't figured out their career, how do you even find something like this, or find that you like it? I, you know, I have a computer science degree in background, but I am not a security person, because that's a next level of intelligence that I'm too stupid for. Like, how do you know when? Oh yeah, I'm gonna go the route of offensive security, I'm gonna become an ethical hacker, like, were there signs or or things that our listeners might need to be aware of that could encourage them down this path?

Speaker 2:

Well, so I'll give two answers to that. So there's two websites that I really recommend. One of them is Hack the Box, as well as TryHackMe. So if you go through those and you're like, hey, this is my jam, you know, totally, go for that. I mean, the certs are like two 300 bucks and people are looking for pen tests.

Speaker 2:

I mean they have to do, they have to stay in compliance. So every corporate, any corporation, needs to stay in compliance and they need a third party pen test. So they have to go to a consulting firm and be like, hey, we need a pen test this year and you come in for about four to five weeks, conduct the pen test and then you're is it contractual? Yeah, it's a contractual. So I work for a consulting firm and we have different clients. So it's really cool because you get to see different networks. So you have kind of a wide range of like oh, you have to adapt to this network or that network, or how do they set this up? Do they have a cisco palo alto? Things of that nature have you ever?

Speaker 1:

and obviously don't disclose anything confidential but, have you ever like gotten to one of these clients and just be like, oh wow, like test zero, just like setting up foundation? We found a gap. This is going to be rough uh, yeah, I mean it's.

Speaker 2:

it's crazy because, um, because I've worked with some people that did you know, server room stuff and the way they said they have like a set of passwords that are like password one, password one, two, three password, password, exclamation point. And I don't blame them because they have like maybe 30, 40 servers to re-rack and do this whole change order or what have you, and it's like I don't want to remember every single password you know for this specific server. Now there is password managers that you can make it a little bit better, but when you're just there overnight and you're trying to get it done, I can see where that you know, man, labor takes a lot out of that right.

Speaker 1:

What would you say like a day in the life looks like for you in this role?

Speaker 2:

Honestly just spending on VMs learning as much as I can. When there's a client, I mean, they get my full attention for the most part and yeah, and it's really weird hours. So if you, for any of the listeners here, if they want to get into this, just know that a lot of the pen testing activities are going to be done at night. So it's kind of like the typical yeah, it's like the typical hacker, like you're in the night, you know you're in your bedroom at night trying to figure this stuff out. But you know it's kind of true because you know a lot of the clients would say, hey, we need this at 8 PM to 5 AM. That's your testing window. So at 5 AM I can't test on their network because you know they're running business hours so they don't want anything to break during that time.

Speaker 3:

Interesting, so you gotta be a night owl for this job.

Speaker 2:

Uh, you kind of cause. Some clients want it on business hours, um, but for the most part you have to be a night owl and I mean I would say most like you're going against things that are like you know I mentioned cisco you know those that are like, yeah, they do mess up on security sometimes, but you're looking for that one like it's a needle in a haystack, essentially right it's probably like like the integrations, like the integrations between their like custom things that they do, where you probably find that would be my assumption anyways you probably find the most gaps, not like on the cisco, you know machine itself, but however they're integrating into stuff or in other systems and they've connected everything.

Speaker 1:

That's probably why where you, where I would assume you would find the most.

Speaker 2:

Yep, that's actually or like. I remember this one thing they were sending out clear text passwords through their LDAP. So they had the, basically, they had a Citrix, you know the video caller and every time those endpoints would log into the corporate network they would send their username and password out in the Clearweb through LDAP ports. So I could see that being internally in their network. So having everyone's credentials, it didn't matter how complex it was, I could see it.

Speaker 1:

Yeah, so your day kind of looks like you mentioned VMs like virtual machines, just for anybody out there. That's a fresher. So it's kind of like you're spinning those up, connected in their ecosystem, like on their servers or something like that, and then essentially you're probably like writing scripts, or you have predefined scripts to find certain vulnerabilities and generate reports, something along those lines.

Speaker 2:

Well, it's not really generating scripts. So I would say, in this role, like people have this common misconception where you need to be like some advanced coder to be, you know, breaking into cybersecurity I mean, I mean it helps, but it's not like a big requirement. You just need to know how to use the tools, because they're already written for you. Or, if you need to, yeah, if you need to edit a script, you need to learn how to read that code and then be able to edit to your need, because some of them are POCs, you know, proof of concept for this environment or that environment Interesting, yeah. So I teach cybersecurity on the side and I always get that question do I need to know how to code? And the answer is like, not really, but you need to know the logic.

Speaker 1:

Right. That's my curiosity.

Speaker 3:

Yeah. So it seems like when you approach one of these type of situations where you give a new client, you're going to be kind of looking at what they're doing and what they're doing wrong, how much creativity is required, like, and then you know again, this is because I'm not I'm not that smart when it comes to technology, but like in my mind, I'm almost thinking, like you're playing where's waldo, like trying to find the cracks in the system, but like you have your, your set of tools that you're used to. And then is there an additional skill or mindset you have to have to kind of actually go in and figure out what's broken.

Speaker 2:

Yeah, so. So Kali Linux is kind of like the operating system that most pen testers use and their motto was try harder. Most pen test reviews and their motto was try harder. So, uh, they, they had to take that down for legal reasons because people were like physically trying to. You know, it was kind of taking towards their mental health. So I don't know what their motto is now. Um, but that's kind of the mentality like if you're persistent and you're willing to find something, I mean, I'm not gonna lie, there's been a couple of pen tests where I was like there's literally nothing I could find and I spent maybe 80 hours on this looking wow that's what I was wondering yeah, yeah, it's not like I'm.

Speaker 2:

You know, you're not going to be able to find everything, because sometimes there is nothing, um, and sometimes it's the client's fault and sometimes it's like I just couldn't find anything, um. But it's more of that persistency in this field because you might not be able to find something.

Speaker 1:

Right, man, that's so interesting.

Speaker 1:

If you guys remember, there used to be something called Bug Bounty Hunter or something like that, where literally a group of people would just try to hack corporations and then get paid to be like, hey, we found this vulnerability, we exposed it, we'll take it down if you pay us.

Speaker 1:

But one of the things they were trying to do was just trying to like find vulnerabilities and help other companies out. And I think for a while, like there was a whole like Reddit forum about how people were getting jobs from it, because they were like, oh, we should hire these people because they obviously know what they're doing. Because they were like, oh, we should hire these people because they obviously know what they're doing. So and then there was like even times when, like I don't know if you guys have toll roads, you know where people would put like SQL on their license plate and like drop tables that were giving out tolls, like there's so many of those things that were just blatantly obvious, and so all of this just reminds me of those things that happened probably, you know, 20 years ago.

Speaker 2:

It's actually funny because I'm on bug crowds so I've done a couple of those bug bounties as well. I've only gotten paid like $300, but some people make six figures. No way, yeah, just doing bug bounties. They don't work for anybody and they work for themselves, but they have a whole system rigged up. One of my friends does that and his server he has a miniature server room and his like uh, little condo and I'm like I don't know how you do this the electrical bill must be insane.

Speaker 2:

Yeah, yeah but he makes a, he makes a sizable income. Um and tesla, if you find, yeah, they have um categories I know, besides, what test was going through right now but they have categories where, like, if you find this class of vulnerabilities here, then you they would pay out like 50k just for that one bug interesting, but obviously that bug is pretty hard to find.

Speaker 3:

Right, so this is something that, like they've seen before but they can't replicate. Basically, yep, interesting, like this is a whole yeah, this is like a whole underworld that I've never really. And what's funny is I'm going to a security conference literally in like a week.

Speaker 1:

I was about to say isn't that what RSA is? It's in the name, it's in the it's, that's what.

Speaker 3:

RSA is. It's in the name. It's in the name, but I don't. I'm in storage. So like I don't think about security beyond securing the storage box. Like this is like network and like consumer grade. Like finding a bug in a Tesla is such an interesting concept because we don't think about cars as something that need cybersecurity. We think they need impact security, right. So like this is just all very cool to think about.

Speaker 1:

Yeah, it's actually oh sorry. No, no, you go ahead.

Speaker 2:

I was going to say cybersecurity is not just about tech. There's also things called social engineering. I don't know if you guys remember the MGM attack. That was just through a phone call through help desk no way attack. That was just through a phone call through help desk. Um, there's also yeah, so there's a famous video from um I think it was defcon where the lady calls with this like an audio play with a baby and able to get into this guy's bank account and lock him out with just one phone call.

Speaker 3:

Wow wild I didn't realize it was a phone call that took them down. Uh, I, I did. You know, I think we I can't remember we talked about it on the podcast or if I talked about it in a different venue, but the the recent bank heist that happened in uh, I want to say it was china was through a zoom and it was basically just the ceo and the cro were being impersonated via ai and basically told the guy who could wire money to wire them $10 million, and they got it through impersonation digital impersonation, but still, like social engineering, is wild and it's. It's probably going to get worse.

Speaker 1:

It's absolutely, with AI and everything, and you know the ability, even on your iPhone, now you can basically replicate your voice for accessibility reasons. You know, speak a couple hundred words and now they can basically say anything using your voice. So it is absolutely going to get worse. So how do?

Speaker 3:

you go ahead.

Speaker 2:

I was gonna say there's another section of cybersecurity which is physical pen test, and that's, personally, my favorite. Clients don't request it at all because it's not in compliance, but that's almost like um lock picking as well as like flippers. Yeah, there's also the uh, have you guys heard of the flipper zero?

Speaker 2:

yeah, I don't know yes, I, I want one, they're cool yeah, there's a lot of cool tricks, or like there's also. My manager actually has one of these, uh, mini computers that is a um extension cord, so like if you're plugging your phone and you're plugging into a computer, or like it's like you can just connect to the wi-fi or whatever, but it looks like an extension cord, um, so that's pretty cool. But yeah, that's definitely my favorite because you know replicating, you know your pop key or your identification card and things like that seems like movie stuff, you know, but it's real life for for those that haven't seen the flipper zero.

Speaker 1:

Someone explain that. I think now it's coming back to me. I think I've seen it it's so cool.

Speaker 3:

I like it. Firstly, it's called flipper because it's got like a little dolphin on the little display, but it's this hand sized. I mean it's like it's smaller than it's smaller than a phone, but it's like white sized. I mean it's like it's smaller than it's smaller than a phone, but it's this like white plastic, like three button. It almost looks like a Tamagotchi like or a Digivice, but it's it uses. It's basically just like the ultimate hacking tool for getting into different signals and frequencies and you can program it to replicate your car keys or you can use it to get into other people's cars Like. It does a lot of things, but it literally looks like a children's toy. Screen Boy explain it way better than I can.

Speaker 2:

Yeah, it's basically. It's kind of like a Raspberry Pi or like just a mini computer with a bunch of scripts. That's essentially what it is. It does have readers. One of the coolest things I've seen with Flipper Zero is where they actually I think the city actually fixed this bug I forget what city it was, but someone put an extender on it and basically they would go to every stoplight and just change it green for them, so all the other stoplights would be red and they would just go. Or, like one of my other favorites, some guy went to Walmart and they changed the announcements to whatever he want the announcements to be Like. It's a fun little toy, but it does hit that gray area where it's like you can buy it for, like you know, research or educational purposes and things of that nature. But you can definitely do some damage with it, Right?

Speaker 1:

Man, this sounds like such an interesting thing to get into a YouTube rabbit hole with. I've got to look this up and try to find some ridiculous videos to post.

Speaker 3:

I'm surprised you haven't seen it yet, Clark, because this definitely seems like something you would buy and become obsessed over. You better watch out.

Speaker 1:

We don't live too far from each other Only $169. Oh, you shouldn't have told me this.

Speaker 3:

I'm going to wreak havoc on our local tri-state area, clark is not far from me. I am now worried for my own safety. You will be hacked. Prepare yourself.

Speaker 2:

It's the coolest thing, squidboy, do you get to play with this at all for your work or is this just for fun? Uh, it's a little bit of both. So you know, definitely we do offer a physical pen test if a client asks for it, but it's typically not in their compliance. You know it's not in the corporate compliance requirement. So I'm open to doing one if, uh, any, you know any of our, any of your guys listeners are looking to do a physical pen test. But, um, yeah, uh, it's not really required.

Speaker 1:

You know, that's a good shout out do this, don't do this to corporate strategy technology, because there are going to be loopholes. I know because I built it, so please don't hack us, don't hack us.

Speaker 3:

but if you need an ethical hacker, uh, the easiest way to do it is go to our discord, which you can get to through our link tree, which is in our show notes. Super easy, but, squidboy, obviously you know if you need clients and they're listeners, that's how you get in touch with them.

Speaker 1:

That's awesome. So, Squidboy, I'm curious. I have probably one or two more questions, but what's like the biggest challenge to your kind of work that you run into?

Speaker 2:

yeah, so you know I mentioned that most people is on side. You know their cyber security consultants. When they do this type of work, um, the biggest challenge is that you're the subject matter expert, right? So it's kind of like other consulting um challenges. It's like if you a client, they expect you to know every single. You know nook and cranny and you know, quite frankly, you, you can't, you know. No one knows everything. So kind of playing that you know, okay, I need to learn this, this and this, and it's okay. I mean it's like you're not going to know everything, but it's about like learning as quickly as you can for that specific client. Yeah, so that's kind of the biggest challenge in this field is learning as much as you can right before you go to a client facing call.

Speaker 1:

Right, Because you kind of have to know everything about their setup, their infrastructure, their technology, so you know it's hopping in like right away. You got to know how do I find those contacts who can tell me this information so that I can be effective at what I need to do.

Speaker 2:

Yeah, I mean that kind of generally applies to any consulting gig, because you're only there for a couple of weeks, right? So to be expected to know the infrastructure itself like someone that's been there for 20 plus years is near impossible. So you have to learn very fast, or actually just kind of you know, piece together things very quickly have you ever upset anybody with your findings?

Speaker 2:

yeah, so that's uh. That's another funny thing, because I I have, I've had some clients that was like, oh no, we're so secure. And it's like, oh, I don't think so. Those are the clients that I know are not secure, when they said, oh, we have everything locked down.

Speaker 1:

If they said that you know you're rubbing your hands together to be like this is going to be fun.

Speaker 2:

It's funny that you say that, because it's like you know, the people that think they have the most security actually have the least security. Yeah, and I think because they don't have an open dialogue about it, because I think they've always been told oh yes, we do. You know, it's like yes, men, versus somebody else coming in and saying, oh wait, no, actually this is not that great Wow.

Speaker 1:

That's super funny.

Speaker 3:

I'm not surprised, though. Like the hubris of technologists is always their undoing Always Like name it In science fiction and reality. Name a time when someone was like, oh yes, this will never go wrong and it doesn't Titanic. Is that what you're referencing?

Speaker 2:

Since the dawn of time. I don't know if you guys know they're actually making a reenactment of the Titanic. Not a reenactment but kind of a replica, I think. I don't know if you guys saw that.

Speaker 1:

No, is this at a theme park? How are they?

Speaker 2:

doing this. I think it's at a theme park. Someone told me about it. Oh my goodness. Yeah, it's unfinished. That's hilarious. Hold on, guys, I'm going to hop on this billionaire thinks.

Speaker 3:

So Excuse me. Um, that's hilarious. All right, hold on, guys, I gotta I'm gonna hop on to this billionaire thinks though, excuse me, hop on aboard the titanic guys.

Speaker 3:

It's gonna be a great time my wife and I did a titanic dinner experience once and it was like really fun until the crash and then it was really sad and depressing and I I'm like man, you know like this is. It's exactly what you'd expect it to be, but it was good. I do recommend, if you're ever in Florida, do the Titanic dinner experience. It's emotional, oh, interesting Okay.

Speaker 1:

This is good. Now we know.

Speaker 3:

We're coming up on over 30 minutes here. I I feel like I've learned so much squidway. Are there any like final closing thoughts you want to give the audience just in regards to your job and you know what what people should think about as they think about offensive security yeah, I mean it's uh, you know, obviously be security aware but honestly, just ask questions If you guys really wanted to work in this field.

Speaker 2:

I mean, I am in the discord, I was going to give a personal thing, you know. And another question was like cause my bachelor's.

Speaker 2:

I have two of them, which is in physics and math. And, yeah, when I, when I graduated, I was like, oh man, there's no, like I can be a teacher, or I could be a teacher. So I ended up doing a master's in cyber security and that's when I came across this career field and I just kind of took it and ran with it. Um, and I think it's really cool what I do in corporate um, and I think if you guys are interested, just just you know, head into the Discord and just you know, personal message me and I can give you resources and see if it's your jam.

Speaker 1:

That is awesome I love it. Yeah, I think we owe you, squidboy. I mean, we just want to say thank you for being an awesome part of the community, being willing to come on and, you know, talk about this. We'll certainly have to have you, you know, come back on at a future point, but everything you're just saying is something that I love about our community it's the openness, the willingness to help each other.

Speaker 2:

So thank you so much for being an awesome member of Corporate Strategy. Not a problem, and that's actually the echoes of the ethical hacking community. We're pretty open. We usually help people out a lot.

Speaker 3:

I love it, I love it, I love it. This has been a great episode. So thank you again for joining us, squidboy, and please, if you're listening and you need an ethical hacker or you're interested in getting into it or you just want to have a conversation, join our Discord. Meet Squidboy, meet all the cool people. We have a lot of cool people on our Discord. A lot of different walks of life, a lot of different walks of life, a lot of different career paths. If you need advice or you're looking for a job or a client or what have you, it's the best way to connect, not just with us, but with everybody. There's a lot of good people in there. So I I cannot recommend this enough, and it's how we met squid boy. So thank you again for joining us today. It's been amazing getting to talk to you about this, and now I feel like I've got some more nerdy hobbies to go kind of scratch my brain with.

Speaker 1:

And if you said it so well. I'm like I know I want to go buy this thing and like play around with ethical hacking Like this, just as an engineer, this just piqued my, my interest, and like I got to go mess around with this, get my hands dirty.

Speaker 3:

It just became that much harder for me to schedule Clark to get on these things. So thank you, squid boy Just what I need.

Speaker 1:

One more hobby, thanks no problem.

Speaker 3:

And if you guys want to join the discord again, super easy. All you gotta do open up your podcast, look at the show notes. There's all the links. You click on that. That'll take you to our link tree and from there you can get into the discord. You can donate because right now this is a completely host funded podcast, which means I'm the host that's paying for it. So if you want to help us out, you can buy us a coffee and you can find all of this in that link tree. And if you like what you heard today, why not share with your friends? Give us a nice review and let people know about the good work the corporate strategy is doing in your life and in the world around you. We appreciate your listenership and, as always, remember double click those action items. I'm Bruce.

Speaker 1:

And I'm Clark Gross, you're on mute.

Speaker 3:

We'll see you next week and thanks again for joining us, Squid Boy.

Corporate Strategy Podcast Vibe Check
Introduction to Offensive Security
Penetration Testing and Cybersecurity Insights
Cybersecurity Challenges and Ethical Hacking
Challenges of Offensive Security Consulting