From Hacked Teen to Cybersecurity Pro: Ron Eddings' Journey to the NSA & Hacker Valley Studios

Show Notes

What happens when a curious teenager gets hacked on AOL Instant Messenger and turns that experience into a thriving cybersecurity career? Join us as we sit down with Ron Edding from Hacker Valley Studios, who shares his journey from being a 13-year-old victim of hacking to becoming a professional at Booz Allen Hamilton by the age of 19. Along the way, he crossed paths with Marcus Carey, a pivotal mentor who recognized his potential and set him on the path to success. 

Ron’s story underscores the importance of believing in young talent within the cybersecurity field. We explore how his initial dreams of joining federal law enforcement evolved into a passion for cybersecurity, driven by curiosity and determination. Learn how Ron faced skepticism head-on, proving that age is just a number when it comes to skill and dedication. His narrative is a testament to how setting intentions and vocalizing goals can help align opportunities, and how overcoming obstacles can fuel one's drive even further.

We also dive into Ron’s experiences working at Booz Allen, specifically on NSA contracts, and the unique process of obtaining security clearance. Discover the lessons learned during the "beach" period, the importance of becoming a subject matter expert, and the fine balance between meticulous documentation and creative problem-solving. Ron’s journey through various challenges and his emphasis on detailed documentation provide valuable insights into career progression and the significance of mentorship and referrals in landing roles at prestigious firms.

Support the Show.

Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902

Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Chapters

• 0:00: Cybersecurity Career Journey and Mentors
• 9:45: Navigating Cybersecurity Career Challenges
• 15:54: Learning From Early Career Challenges
• 21:32: Documenting Cybersecurity Best Practices

Transcript

Speaker 1: 0:53

Ron, it's great to get you on the podcast. You know we've been in communication for, you know, probably a year or so, right? Yep, we're trying to get you on for a while now, but I'm really excited for our conversation. Me too, glad to be on the show. Thanks for having me. Yeah, absolutely, you know, ron, before we go down, you know the path of you creating Hacker Valley with Chris as well. Tell me about how you got your start in security, in cybersecurity overall. Right, because it's not, it's not, it's. I always think of it as a path that's kind of off the beaten path, right of IT right.

Speaker 1: 1:32

When you think about going into IT, you think system engineering, you think, network engineering, you think, maybe even developer think network engineering, you think maybe even developer right Security is typically like that distant thought that no one really thinks about. So how did you decide to go down this path?

Speaker 2: 1:47

I had two starts in the space of security. The first start was when I was probably around 13. I got hacked on AOL Instant Messenger. Someone sent me a direct message after talking crap in a chat room. I was probably talking about who's a better player, kobe or Shaq. Well, I said I must have said something to someone that they did not like. So they sent me a file. All of a sudden my CD-ROM drive starts opening and closing and my computer turns into like a matrix, like text. You know I freak out a little bit because this is a family computer. So I'm like I need to figure out what happened. One so I can get it to stop doing that, and then two so I can figure out how to do that to all my friends. Luckily the person, luckily and I'm kind of crazily enough the person told me exactly how they did it. They were using this program called ProRat. Shout out to anybody that knows that tool. That was my first somewhat of a start.

Speaker 2: 2:40

My first taste and then my real introduction to the space of cybersecurity was I was working at a public access channel back in Maryland, where I'm from, and I would go and film high school games and nursing homes and do interviews with people in the county and on Sundays we would have anyone that wanted to come in to use the studio. We would record film, produce and even air whatever they wanted to record with us. So there was this gentleman that walks in. His name is Marcus Carey. He walks in with these few other gentlemen and they see me reading a book on computer network. I'm reading a Cisco book and Marcus looks at me, says, hey, cool, you want to be in computer networking. And I told him no, I'm a hacker. And he thought it was hilarious.

Speaker 2: 3:25

No, this 716 17 year old kid that you know thought he was a hacker and definitely wasn't. But he asked me a few Linux commands and you know I knew the commands. He was like hey, how do you change a directory? How do you do ping? What does ping do? And he saw the potential. He said hey, you, if you want to work in this space, you can, and if you want to do it without a degree, here's exactly how I'm extremely well with following instructions I feel like you have to be in the game of cybersecurity. So I took his, took his mentorship and at 19, got my start at Booz Allen Hamilton, being contracted for the NSA wow, that is I mean it.

Speaker 1: 4:05

It almost sounds like that's going straight into the deep end, right. I mean, at 19 man I, I could not have handled anything close to that.

Speaker 1: 4:17

Not anything close to that, no way. How was that, you know, did you okay? So, looking back on it, you obviously know like, hey, that's a crazy situation for a 19-year-old to be in. But you know, when you were in it, were you saying this is too much, this is, you know, drinking from the fire hose times 10? Or were you just, you know, approaching it from a different way? What was your mentality with that?

Speaker 2: 4:45

My parents are not, you know, college graduates, so we didn't necessarily have like a mentality of like this is a path. You start here and then you go to school and then you do this thing. So I've been used to people saying things that I don't know my entire life. This is a path. You start here and then you go to school and then you do this thing. So I've been used to people saying things that I don't know my entire life. You know, you start in school. You don't know what all of these words or formulas or acronyms mean.

Speaker 2: 5:12

When I got into cybersecurity it was the same thing. People would speak at me and I would nod and smile and just hope that I could figure out what they mean over time. And when I first got started my professional career, you know, working at Booz Allen, there was a lot of acronyms, especially because I was working with military people or people that was former military, and they had all the acronyms. So I had the technology and cybersecurity acronyms but then these other acronyms as well. But I was just patient, it didn't really bother me. I was excited because at Booz Allen I asked for I think I asked for 40,000. I was like, hey, you know, if I get 40,000,. They looked at me and, you know, the recruiter smiled. She said how about 65? So you offer a 19-year-old $65,000, you're gonna do exactly. The 19 year old will do whatever. You know. Getting 20 an hour at 19 you know this was back in 2010. Getting getting 19 20 hours back then was already gold, but this was like 45 50 an hour.

Speaker 1: 6:09

There was nothing that I wouldn't do yeah, yeah, that's, uh, that's that like really hits home. You know, I remember when someone like offered me 20 an hour right In college this was probably 2011. Right, and someone offered me 20 an hour to just like install a couple of programs on a bunch of schools in Chicago, like what you're going to? Yeah, I guess I'll do it for that, you know he was like apprehensive of offering me, you know, that low of a number.

Speaker 1: 6:41

Right, he was like, oh, this kid's going to ask for 40, 50 an hour and I'm sitting here like 20,. My God, I'm over here like making $7 in the school bookstore a couple of years ago, like, yeah, let's do this. It's a, it's a. It's a fascinating mentality shift, you know. And now it's like the total opposite for me. Right, I went from being totally okay, complacent and happy with $20 an hour. Obviously, I have more expenses now.

Speaker 1: 7:11

And you know when companies, I guess, undershoot me or under-offer me for a position that I know what the market is for. It's like almost insulting Yep for sure.

Speaker 2: 7:24

And you know what I loved about Marcus and I had another great mentor who helped get me this job at Booz Allen Hamilton. His name was Chad Price, marcus, chad and even the recruiter there. They all understood equity, not just like monetary equity, but fairness, you know, providing a quality within the realm of within the professional space, and I always remember, you know, that kind gesture they could have. They could have said, hey, here's 40,000, here's even 45. But everyone on the team was probably making like 75 to a hundred thousand that were in entry level. So them to like look at me and say, hey, this kid, he's 19. They knew it Cause it's on my job application, and to still show love like that, it meant a lot.

Speaker 1: 8:12

You know, do you think that that was unique to that time period, even for you to get that opportunity? Because I feel like I feel like today and maybe I'm completely wrong, but I feel like today they wouldn't even, they wouldn't even look at you really.

Speaker 2: 8:26

I mean, like at 19, you have to basically like you know, be convicted of hacking, right and sign some deal with the the FBI for you to get your name out there, for them to even look at you. I feel Is that accurate or maybe not, but there was this 17-year-old that I met last year. He reached out to me on LinkedIn. His name was Sully Vickers. He's probably you know. If you look up Sully on LinkedIn, he's doing amazing work. He brought cybersecurity programs and a cybersecurity club to his school. But he reached out to me. He said hey, let's sync up and I want to just pick your brain. I see that you're very public on LinkedIn, this 17-year-old, somehow his network is amazing. He introduced me to someone that works at my company, now my producer. He met my producer because she was hosting a podcast for teens that wanted to learn about cryptography and he said hey, ron, after our meeting, I think there's someone that you should meet and her name is Jennifer Langdon, and that changed meeting. Jennifer changed Hacker Valley for the better. You know, she's a great producer. She loves the space of cybersecurity.

Speaker 2: 9:45

If someone is 16, 17, 18, 19, doesn't matter how old, I think we want to bet on the youth. If you're not betting on the youth, you're not looking at your future. I think that you can break into cybersecurity at such a young age, but you have to have that hunger has to exude out of you. It has to almost be like I can't let this young person go because I know that the impact that they'll make when you're young. You have no problem working on someone else's schedule, like when I was being mentored by Marcus. He said meet me at the coffee shop at this time on Saturday. I don't got anything going on Like I can meet you. You want me to meet 9am, as long as it's not six, cause you know teens that they have the aptitude. By being curious and showing your work, showing your ability to learn, you can go so far.

Speaker 1: 10:43

Yeah, that is so, that's so, that's so true, you know it's uh, it's not always easy, it's not always going to be like a direct, you know, straightforward path, right, but you know when you really want something and you go after it. I would say, most of the time you know you're going to hit it right, you're going to get it, and if you don't, you're going to get something so close, you know that it's going to. It's going to, you know, make sense, right. Like. I'll give you an example for a long time I wanted to go into federal law enforcement, right. Like you just said that you did some contract work with the NSA, the NSA in my 20s.

Speaker 1: 11:23

If they were to hit me up and be like, hey, we want to send you to, like you know, the deepest, darkest hole of the earth and you're going to be there for you know, a year, you're not going to talk to anyone or anything like that. Like, sign me up, man, exactly. Like that. Like, sign me up, man, exactly, tell me where I'm. Like you don't even need to tell me where I'm going, right. Like you don't even have to park the plane, fly over the thing, kick me out, I'll be, I'll be fine.

Speaker 1: 11:47

You know that was that was, that was my dream. You know that that was everything to me and I tried that for years to get into any agency that would take me for any, for some reason, right, and it just never worked out. But I found my way into cybersecurity and not that I do work with the government or anything like that. I don't, um, not in any way right, it would be a lot cooler if I did. But I still get to have that mentality. I still get to exercise that mentality Right, and I went down a completely different path. I shot for the stars. I shot for that mentality, right, and I went down a completely different path. I shot for the stars. I shot for one star right.

Speaker 1: 12:20

And I landed amongst the stars and now I'm able to, you know, kind of talk to former people that were in the agency, like yourself and you know explore these different topics, and it's a really fascinating path that my life has taken right. I feel like when I wanted to go into the agency I probably wasn't ready for that level of maturity that I would have needed. Now that I am at that level of maturity, I am also mature enough to say I don't think I want to risk my life. I have a one-year-old at home, right, going to Afghanistan is probably not a good idea for a white male. You know that obviously looks like he's working for the agency. You know, like all that sort of stuff in my 20s, you want me to go to Afghanistan? Let's go, man. We're going to party like Exactly.

Speaker 2: 13:09

Yep, and you know what, when you want something and you set an intention and you speak it out loud, the universe will conspire and help you to get there. So what I did was I exposed myself. I told people what I wanted. It was completely embarrassing. Some people laughed at me, some people thought I was crazy, all of my classmates. They thought I was ridiculous for putting on my senior yearbook that I wanted to work on information assurance. What does that even mean? I didn't even know what that meant. But Marcus did it and I was like you know, I think that Marcus is doing offensive operations. I think he's breaking into systems. So if he's doing that, that's what I'm doing and I just put it out there. And you know, even from day one, when I met him, he said do you want to do computer networking? And I told him my intention no, I'm a hacker. I think that's so powerful. Especially when you just have that conviction and that and you speak it, things will start to happen.

Speaker 1: 14:07

Yeah, you know, and I feel like the universe, you know, gives you those little tests, right, it's kind of like looking back, it's like those little minute tests along the way where you said that some people like that actually laughed at you. I experienced that too. I was in IT and I knew I wanted to get into security and I was doing everything I possibly could to get into security just a security dedicated role. And you know, countless times I mean almost every day for a year or two I would get on the call with someone and they'd laugh at me Like, yeah, that's not going to happen. You don't know enough of this. You know networking. You don't know enough of this system engineering stuff, right, like you're too young, you're not going to make it All that sort of stuff.

Speaker 1: 15:01

And what they, what they didn't realize is how my brain works. You know, know, especially from being a wrestler right in high school, I tell people like wrestling it just like restructures your brain, especially when you're that young, where it's like, if you give me a hint of a challenge, you know, just just a hint of your, your own doubt in me, or a hint of a challenge like that, it's game on. Like I'm doing it, I, you, you don't understand. You know the fire that you just lit in me and that's your own fault, right, like I'm doing this thing. You know it's a.

Speaker 1: 15:30

It's fascinating how that works out. So you know, when you're at the, when you're at the agency, when you're working for Booz Allen, what does what does your specialty look like? When you're at the at, when you're at the agency, when you're working for booze allen, what does what does your specialty look like when you're that young, when you're that I I guess, inexperienced, even right, um, what does your specialty look like? Are you a jack of all trades? Are they putting you through a rigorous training program? What is that?

Speaker 2: 15:54

yeah. So when I was working at booze allen you know they bring people in um, at least at that point I'm sure they still I think a different company has a contract now, but we were brought in by the NSA and it was really cool because when they first hired me I didn't have my security clearance, so I had to go to the beach is what they called it. It was like where you go and wait for your security clearance. The beach is what they called it. It was like where you go and wait for your security clearance. They had so many roles open that the government wanted them to fill that they were willing to pay people to just sit around and wait while they got their clearance. So on average it would take about three months to a year. For some people it took two years. There were people sitting in this like office space for two years and they could do whatever they want. I did some research on certifications and I was like, ok, I need to get a few more, obviously, so I could have an opportunity to make more in the in the government space, because they pay for give a degree if you have certain certs, and I saw that the CompTIA certs were going to start to have an expiration date. So right before that cutoff I was like, ok, I'm going to get all the Comp T as I could possibly get. So I got the Network Plus, security Plus, convergence Plus and got all those certs, got my CEH as well and really focused on myself until I got my clearance. After I got cleared they brought me into the NSA and I got read on. I got to my role was doing offensive ops, so I was supposed to pretty much be APT for the United States government and they hired me to be a subject matter expert and I don't know if I was an expert.

Speaker 2: 17:34

You know there's a lot of people that have imposter syndrome. I have a bone to pick with that terminology. It's someone that pretends to be something or someone that they're not. They told me I'm an expert, so why would I fight that? If they told me I'm an expert and they're happy with my quality of work, then so be it.

Speaker 2: 17:53

You know there is definitely a certain level of humility that I had, but I think that you know, imposter syndrome isn't actually what people actually have. They have humility, like I'm humbled to be around all these very smart people. And you know I'm a sponge. I am also very good at following instructions I mentioned that earlier so they told me exactly how to get good at my job. Here's how you train to get better at what you do. So I just did those things and took my time and it was a lot of fun. It was probably not the best job to have as your first professional gig. You know, doing offensive ops, because that's something that people dream of and I did dream of it. But after about three and a half years I was like, okay, I can only break into so many things before wanting to know more about how to fix it and, you know, mitigate these types of events.

Speaker 1: 18:43

Yeah, you bring up two critical things. You know that you were a sponge and that you know you're very good at following directions, and those are two critical things that I also was told and learned very early on in my career and I I still tell everyone you know that wants to break in, that asked me. That's how you need to be. You need to have that mentality of just being a sponge, just being happy that you're hanging around these people that are so much more you know, smarter and skilled than you, and try to learn as much as you possibly can without getting in their way too much. You know smarter and skilled than you and try to learn as much as you possibly can without getting in their way too much. You know I'm following directions. You know it's uh, it's interesting, right? So when earlier on in my career when I was working for a company, you know we had not too robust of troubleshooting guys and upgrade guys and things like that, and I still to this day, I have a knack for finding the most random issues that you can imagine. I mean, like like Google does not help you. You know, with these issues, like I have to go talk to the developer and the developer has to say, like it's not supposed to work like that. I mean you know the craziest stuff, right. And I mean you know the craziest stuff, right. And so I ended up creating really verbose documentation for troubleshooting that's still actually used at that company and I haven't worked there in almost 10 years, right.

Speaker 1: 20:08

And recently, right, I took on a new task, a developer-related task, at my day job, and they said, oh yeah, everything's in this document. It's foolproof. You can literally just read it and go through it, follow it word for word, and you're good, like okay, well, I'm great at following direction. So if you literally tell me to do something, I'm going to do exactly that. You don't tell me to click somewhere, I'm not clicking it because I don't know. Like in that first learning position, right, if you made a mistake, it wasn't like. You know, we'll revert to a backup. It was like a big, it was a big deal, like you were probably going to get fired. You know that's right. And so I don't click things that I'm not not supposed to. I don't hit enter when I'm not supposed to. And I'm going through this document and I mean every paragraph. I'm finding like you guys missed seven steps here right that I'm supposed to do and it took me.

Speaker 1: 21:08

It took me two weeks to do something that would have taken, you know, anyone else on the team. You know a day to do and you know, at the end of the two weeks, like I, I didn't even complete it. I just said to him look, this is too far behind. Can someone else just do it? It's probably 30 minutes for everyone else. Me following this documentation is not working, and through that they said maybe we need to rewrite this thing. When I write documentation, it's always with the mindset of if someone that knows nothing has to sit in this desk and do this task. What do they need to know? You know absolutely everything every step of the way. Actually, working with a federal agency earlier on in my career, I went down this rabbit hole and I kind of saw it firsthand for how they take notes, because they take notes as if, like if the world blows up and there's one person left that needs to set up this thing and they don't know anything about it. What do they need to know? Right, and they took my.

Speaker 2: 22:07

They took my you know 20 step upgrade guide and turned that into 250 steps and I'm sitting here, like man, they take notes at a totally different level right, yeah, and it's important to you know be able to follow instructions in cyber, and because today there is a lot of documentation and there's something called best practices. When we don't follow them, sometimes you get popped. But at the same time, there also has to be a level of creativity because, as you're mentioning, when you follow the directions of someone or even documentation, it might not work because we change, technology changes, you know their shifts or better ways to do things. So, even though I was very good at following instructions, I've always had like a little bit of a creative side to figure out, not only like is this the best way for me, but is there a completely different way that I could do this that would make this the best for other people as well?

Speaker 1: 23:00

So when you're done at Booz Allen, where do you go from there? I mean, how do you scratch that itch after you started that high of a level? How do you scratch that itch going forward?

Speaker 2: 23:13

I first off, you know we going back to the hiring young people. One thing I forgot to mention is I got a referral to work at Booz Allen Hamilton by. You know we going back to the hiring young people. One thing I forgot to mention is I got a referral to work at Booz Allen Hamilton by, you know, one of my mentors, Chad Price. He was my college professor, so I did one like pretty much half a semester at community college and I was taking this information system security class and he was a consultant at Booz Allen Hamilton security class and he was a consultant at Booz Allen Hamilton. So we always had this fun banter in class because books get old very quickly, especially in cyber. So there will be some times where we download an application and it doesn't work and I would be like I already read this part of the book. Here's how we work through it so we don't have to like spend the entire class troubleshooting and no one gets anywhere. So the gentleman Chad Price referred me and through Booz Allen like then it kind of like the thread started to be pulled for more friends. So I got introduced to someone at Booz Allen. His name is Marco Figueroa, a very close friend, very pivotal figure in my life and career. He was working at McAfee. He pivoted from Booz Allen and started working at McAfee. He was a great reverse engineer and if I wasn't hacking, I wanted to do like RE related things. So Marco reached out and said hey, I got an opening at Booz Allen. Marco, is this New Yorker crazy swag also very demanding? He said, ron, I need you to show up at this place at 1 pm for your interview. I'm going to tell you exactly what to do. I'm going to tell you when to go inside and just be yourself. But here's the parameters until you're supposed to be yourself. And at this point I'm 22. I did three years at Booz Allen and now I was interviewing for McAfee. Good, at this point I'm 22. I did three years at Booz Allen and now I was interviewing for McAfee. Good at following instructions, good at being creative. So I had an awesome, great opportunity to work at McAfee. We were contracting for the government in some cases, but my job was to be a security researcher, to find flaws in whatever I could dream of. So I started focusing on BGP, the protocol for internet routing, and trying to find flaws there. I didn't find anything and then I started looking at Android applications and kind of like, got very addicted to that and had some fun, you know, doing not necessarily reverse engineering, but just like unpacking Android applications, looking at the source code and seeing if I could find any commonalities for how malicious Android apps have been behaving. And I had a little bit of a taste of data science. I got introduced to scikit-learn and I started and I had access to some very powerful devices at McAfee, because at this time McAfee was owned by Intel. So we had all the samples that we would collect from telemetry from people's devices and store them in a giant database. So I had access to like every binary that I could ever think of. Whenever I go to VirusTotal, I would, you know, find a specific artifact in research or on VirusTotal and I would type it into the McAfee database. There would always be that binary in the database. So I had a lot of great access and, yeah, I got to just further my skills at McAfee from there.

Speaker 1: 26:35

Man, that is really fascinating. You know, I guess that is probably the next logical jump, right going from offensive sec to to r and d and kind of reverse engineering. You know the malware that you may have been launching right previously, or the the holes that you were finding before. Well, let's find out why those holes exist.

Speaker 2: 26:59

Who else is doing them? Who else are using those same tactics, techniques and protocol and procedures?

Speaker 1: 27:08

So that spurs the question, for me at least, when you talk about who is using them. How are you able to determine that them? How are? How are you able to determine that? Right, because if they're using, you know the same piece of malware that that we're using here in america. Um, what would be different? Is it the delivery of that malware? Is it you know all of the other work that they do ahead of time, that you're kind of fingerprinting to, to who it is or what does that look like?

Speaker 2: 27:40

I wish I had my adult brain back then, like my current brain. Because there's if you look at MITRE, att&ck, it's actually a nice chain to follow, like there's a discovery first, then there's trying to get initial access. Trying to get initial access. Looking at the work that I was doing at McAfee, I was looking at after someone has an initial exploitation what kind of discovery are they doing? One of my tactics as an engineer in general if I'm breaking into a physical building I'm doing things like port scanning and I don't wanna get caught so I might not do TCP. I'm gonna to look at what UDP protocols can I start to leverage? Snmp, simple Networking Management Protocol is a big one.

Speaker 2: 28:28

So what I did when I got to McAfee was like, hey, let me see any Android apps that are using SNMP, because that's a telltale sign. Why is my Android device doing that, unless I'm using it as a like? I'm using a network management application. So I was able to find some applications. I was able to find some applications from like Eastern Europe as well, and then I started to just pull the thread like well, if they're doing this, then let me see what other people are doing with those same tactics.

Speaker 2: 28:59

And I started to just like look for specific functions because an Android app you can look at the source code. So I started to see like, all right, the source code might be obfuscated, but the functions are always going to be the same. So if I have a variable, I might call it. I might call it Ron IP address, and then it equals 192.168. But you know the the string that I have, 192.168.1.1, or whatever it may be has methods dot split, dot fine, dot strip. So I will look for people using methods in a specific way and I will start to catalog them. And then I was able to find some similarities between specific malware variants on Android by just looking at, almost like doing source code audits.

Speaker 1: 29:50

Wow, that's really fascinating. That's way more down reverse engineering than I've ever gone down myself, but it's really fascinating overall. Just to see how it worked and how it was reverse engineered has always fascinated me. You know that's what kind of. That's actually the book, that kind of like reinforced, like I should go down the security route, right, like I.

Speaker 1: 30:26

I thought, you know, just looking at the cover and reading the description of it, right I I thought this may be outside of my realm. Right, I'm probably going to get bored. In 20 minutes I will have wasted $20, right On this book. I'm never going to finish it, you know, but I kept coming back for more. I couldn't put the book down.

Speaker 1: 30:45

I was studying it even, and so I bring that up right, because fast forward to when I'm getting my master's in cybersecurity and we have a I think it was an offensive security class, right, and one of the projects was you have to pick a vulnerability on whatever platform you want. It had to be a mobile platform and you have to exploit it and get root on the device. Right, the goal is root. However you do it, it doesn't matter. And I, I figured you know, okay, like, let's pick an iphone, I'm using an iphone I've had terrible experience with androids before because you know I'll download, you know, uh, infected apps from the google play store and that would really, you know, just just really grind my gears. To no extent that I'm going to the Google Play Store, I'm going to your own Play Store and I'm downloading malware from an app. It's, it's Facebook, right, at least to me it looks like Facebook. And now I'm getting screwed because it's malware.

Speaker 1: 31:45

So I started with iPhone, you know, with a Bluetooth vulnerability, could not get it. After 26 hours of trying, I could not get it. You know, trying, I could not get it. You know the deadline is coming down, so like, okay, let's quickly download this android emulator and try and deploy it on there. 20 minutes later I'm done, you know.

Speaker 1: 32:04

And that that was like the most frustrating slash, eye opening. You know thing that I that I've ever gone through is, you know, when you're going through these like different offensive security search, like OSCP and whatnot, they tell you just try harder, right, and I was trying really hard on the iPhone and as soon as I switched to Android, it was like no effort. It was no effort whatsoever. No, it was like no effort. It was no effort whatsoever. You know it was really interesting that difference in difficulty. Now I'm not saying iphones are, you know, completely secure and like the most secure device out there or whatnot, but you know it eliminates a lot of the variables. I feel that's something that maybe you've noticed as well. You know it's not. It's not an open platform. I can't roll my own iOS version and deploy it on my device.

Speaker 1: 32:57

That's not how that works With Android. I can deploy whatever I want on there.

Speaker 2: 33:02

A lot of people on Reddit, including myself, wish that iPhones allowed for Chrome extensions and also PWAs. These are portable web apps that you can like go to a website and say hey, I want to install this Twitter app on my phone without going to the App Store. It sounds like a great idea, but when you think about it, it's essentially turning your phone into the Google Play Store. If you go to the Chrome extension store. It's the same thing. You could one. You could reverse engineer people's code, which is I don. It's the same thing. You could one. You could reverse engineer people's code, which is, I don't think the best. Look, it's not a compiled language. The Chrome extensions. But we see the same thing on the Chrome extensions, where someone buys a Chrome extension like a very popular one and then they turn it into malware and Chrome doesn't know. And it's also harder to know because no one's auditing the code like they do in the App Store.

Speaker 2: 33:57

So I think that it's way easier to exploit Android. It's just like Windows. Windows is a lot more open and also a lot more used. Until recently, I think Android was widely more used than iPhone. Naturally, attackers go for the biggest target, but now those things are changing a bit. You know, android is also becoming more secure. We're starting to sandbox a lot more features of our phones and computers. But yeah, I think that having a closed ecosystem makes it a lot harder. It's having a black box. It's a lot harder to break into a black box than having access to the code.

Speaker 1: 34:32

Right, yeah, when I started to dive into like the just the os architecture, right of android versus iphone and I I get into this argument all the time with the same people in my friend group and it's it's so frustrating because it's like, guys, I've, I've literally looked at the architecture like I, I have tested this, you know. But when you look at the architecture, they frame it in a way to where we're going to protect the user from the user as best as we possibly can Like. There's a reason why when you go to you know an iOS root, uh, you know service, not a service, but you know an application or whatever it might be. They say it has to be a very specific version, it has to be on this version. You cannot, potentially, sometimes you can't even like roll back from these newer versions onto that version.

Speaker 1: 35:20

Um, and they, they have it like that for a very specific reason because if you try to do it, you know on today's ios version, right, that that safari extension exploit, let's just say that there's an extension in safari that you can exploit. That safari extension exploit, let's just say that there's an extension in safari that you can exploit. That safari extension exploit is probably sandbox now, but if you go back two years ago it probably isn't. You know, and as soon as apple saw it they released one of those emergency, you know, security patches that like just pushes to your phone immediately and you have no choice to but to install it. Like they really do a good job of protecting the user from the user.

Speaker 2: 35:58

Yeah, Sometimes we need to be protective from ourselves. When you think about who needs something jailbroken, it's like you know what you're trying to do. You're trying to do something that you probably shouldn't be doing already. So, like with iPhone, you have to really think twice, three times, four times about am I really about to put in the effort to do this action that I probably shouldn't be doing in the first place?

Speaker 1: 36:21

Yeah, yeah, that's a very valid, that's a very valid point, and I've definitely gone down that rabbit hole myself, you know. So. So, after after McAfee, I mean like it sounds like you started like at the top right, where most security professionals like want to end up. You started there and then you somehow graduated into reverse engineering, you know malware, different things like that right. Where do you go from there?

Speaker 2: 36:49

So, yeah, the next place that I went from there was Intel there. So, yeah, the next place that I went from there was Intel. I did a stint at McAfee working on like the endpoint protection side and pivoted over to Intel doing corporate security. So this is where I got my love for automation. I was doing work on the endpoint protection side at Intel. I was a cyber fusion engineer and what this meant was hey, we want you to take information from many different data sources and combine it together to give us intelligence. We want you to create cyber intelligence in the form of, like our own IP and data sources, whether they be open, paid or private. And what I didn't realize what I was doing was I was working in the SOAR space security, orchestration, automation and response and I loved it.

Speaker 2: 37:41

Intel, though they don't pay that well, considering I moved to San Jose, california Anyone that lives or has lived there it is not cheap. If you want a one bedroom apartment this was like 2017, one bedroom apartment in a good area was going to probably cost you like $2,000. So that's not fun. You know, I'm only making so much. I think I was making about like $130 at the time. So $2,000 a month plus you know all the other things that I'm dreaming of. I'm young, in my mid-20s. I'm young, I want to buy stuff, I want to go out, I want to travel. So I told myself I was going to do a year there and figure out where the big bucks are at. I didn't move all the way to California just to work at Intel and have a nice name. It was nice to have it on my resume. But I didn't move there for that. I moved there to strike gold, because that's what you do in Silicon Valley. So I worked there for a year and then I had the idea to go to Crunchbase. It's a website. I think it's owned by TechCrunch.

Speaker 2: 38:47

I went to Crunchbase and I don't know where I came up with this idea, but I typed in I bought a $40 subscription it was $40 a month at that time and I typed in who are the companies that are in San Jose that have $30 million in funding, that have less than 50 employees and that were founded within the past three years? And there was only like 10 companies that showed up and I saw one of them that looked interesting was a company called Domisto, and Domisto was doing exactly what I was doing at Intel, but they were creating a cybersecurity product for it. So I applied and they were caught off guard. They were very young, in their stage I think they had around 25 employees. They were like how did you find us? You work at Intel, you should go apply for every other company, but you applied here. How'd you find us?

Speaker 2: 39:36

And I told the co founder how I found them. He was shocked. He was like hold on one second. He left the room immediately. He grabbed the CEO. He said hey, tell, tell him what you just told me. So I told him the story of how I found them and he was like All right, you're our guy, you're hired Just for that level of creative thinking. You know you want people like that around you that are going to think outside of the box. So I then pivoted, worked at the MISO and this is where I got connections and I got opportunities. I got learnings because I had to pretty much do what I was doing in Intel but do it for many different organizations fintech, healthcare. I even worked with Red Lobster. I didn't know that they invested in security so hard, but just had a lot of opportunity to meet some really cool people across the country and work on some crazy projects and try to automate things that typically don't work because there aren't APIs, but still trying to figure out a way around it.

Speaker 1: 40:30

Yeah, you talk about the other side of security, right, or the other side of IT that IT professionals very rarely ever experience, right, and that's that vendor side. You're halfway, you're almost always halfway selling. You know either the solution, even if they already bought it, right, Like you're reselling it to them almost in a way, while you're also trying to solve problems that maybe your solution doesn't meet right now and you have to. You know, on the cuff right, Figure out how to solve those situations, those issues. And it's a very unique area to learn because, like you said, you're making a significant amount of contacts. I mean, probably every day you're on the phone with someone new. They're learning your name, you're learning their name. By the end of the week maybe you had three calls with them about different issues and they're picking your brain and whatnot.

Speaker 2: 41:31

And getting upset sometimes too. That was something that really helped me mature as a person was how to handle conflict. People would be mad at the product so mad at the product sometimes, especially during the early days, or if they just did something the wrong way and made a big oopsie, they need to cover it up because they don't want to lose their job. Someone has to take the blame, and I learned how to be that not necessarily the person that would take the blame, but the person that would share the responsibility and that burden and that's a very important skill for anyone to have is learning how to share the burden of conflict. We all deal with that, especially in security. I think in security, a lot of times we'd like to be like, nope, not my fault, it was this person, this engineer over here, and then this stakeholder. They didn't work together and that's why we had the breach. But this, you know, helped me have a little bit of empathy and, you know, be a little more impatient and meet people where they're at.

Speaker 1: 42:27

Yeah, you know, you kind of describe wordsmithing, right, I don't think I came up with the term, right, but you know, when I was on the vendor side, I would very, very often, especially because I'm the technical SME, right, so when I'm on the call, I'm the technical SME for our solution. They never get a call with the engineers or the developers. Of course, like those, you know, those people are not trained how to talk to. You know, customers, apparently, right, um, and there was, there was many times when you would have to, you know.

Speaker 1: 43:03

I'll give you one example one company they were. They were testing out our e911 solution, right, and when you route it properly, you know, it gives exact information to the, to the uh distribution point that sends out the police officers, the ambulance or whatever, right, and they're testing it out, but they were testing it out wrong. And so the first, you know, a couple of times I told them you know, hey, this is incorrect, you need to stop how you're testing, you need to convert it to this other way and you won't incur any charges, but you'll be able to test like you want to test. They did not listen to me at all and they kept on testing the way that incurs a charge and this is a national charge, right? This isn't a charge from my company, just to charge.

Speaker 1: 43:52

This is a charge that we're getting hit with from a national organization that anyone in the country, if they dialed this number, would get charged. And it's not a, it's a small charge if you do it once. Most people just do it once and they're like my bad, you know. Yes, it's a hundred dollars per this company did it like 50 times within an hour.

Speaker 1: 44:16

You know like they were testing and you know I was seeing it live and literally they would test one and I would send them an email. They'd hit, you know, two more times because I couldn't like get to it fast enough, and I'd send them another and I'm calling them and everything Right. And at the end of the month, when they're hit with the bill, they're trying to get out of it. They're trying to say that I didn't do my job, that I didn't inform them properly and whatnot. And this is where that wordsmithing comes in, because it's like hey, you know, I'm not going to throw you under the bus, but I'm kind of going to throw you under the bus. It's where you show them, you know, the receipts and whatnot, Right, but that's.

Speaker 1: 44:52

But that's a very valuable, it's a very valuable skill, it's a very valuable experience, right, because you have to understand how to, you know, hold your own right, how to, to do things properly, how to communicate effectively, um, while also not, you know, pushing them under the bus, right, it's kind of just like the evidence of everything that already happened kind of pushed you under the bus, so to speak. Right, it's probably a little bit too graphic for someone in the audience. You know, like I, I said something similar to someone at work and they were like that's a little bit too. You know too. I guess like picturesque for me to think about joe, like let's use a different slogan. I'm like, okay, let's say you don't come into work tomorrow. You know, like what do we need a?

Speaker 2: 45:41

good way to look at it is it is another graphic one, but, like you said, thrown under the bus. I'm not the one that could make a decision on what the company spends, and neither is that person that probably did the test. So it's a it's a matter of helping escalate it, to lift that bus off of you and say, hey, I need to, I need to bring in the person that's going to be mad about these charges. So let's bring them in, let's call your boss, let's call my sales rep and let's get them on the phone together. This is out of our hands, but what we can work on together is fixing your testing flaw. The testing flaw needs to change immediately, obviously, and then we'll escalate and we'll get the right people involved. But I think, working at a vendor, I also learned my lane. You know, I used to try to be rangy and try to do everything in cyber. Working at a vendor, I learned that if you give out your phone number.

Speaker 2: 46:36

Someone's going to call it when they get a number, when they get an issue.

Speaker 2: 46:37

So I never give out my phone number anymore unless it's to like people that I have a personal connection with, just because I've been in the space where you know it's a support, it's a support portal. Now, if you give out your number to someone that you work with and that you're helping, even for, like a mentor, you know, like as a mentor, I'm very careful giving out my number because your job as a mentor is to help, advise and guide someone and I don't want that on my personal. I want my personal life and part of it at least personal and professional to be at least somewhat separated. So I always tell people the best way to contact me is LinkedIn and email, and I would say the same for, like you know, working at a vendor, if someone were to go down that path. Be very careful with what you agree to and also be very careful what you commit to, because that sets expectations. But if there's no expectation set, then you always have a way to alleviate issues yeah, I, I feel like you just described customer obsession.

Speaker 1: 47:35

you know, like, like it's one of the, it's one of those amazon like buzzwords or you know the key principles, right, um. But I feel like if you're really good on the vendor side, you understand customer obsession. It pains me, it literally pains me, when a customer has an issue and we're not solving it for X reason. It truly bugs me to no extent. And having that empathy, you know, to be able to hear them out, to be able to, you know, feel the pain and the issues that they're going through, right and try to be that advocate, I mean, it takes, it takes a certain kind of person to be able to do that and do that effectively as well.

Speaker 1: 48:24

Person to be able to do that and do that effectively as well, right, to actually make the progress that you need within the organization to not only, you know, deliver for this one customer, but I guarantee you there's, you know there's a thousand other customers out there or a thousand other potential companies that you could say, oh, we already solved this issue for you. You know it's, um, it's a game changer really, in my opinion. You know from Dom demisto, how do you start hacker valley. Where do you like I? I'm always fascinated, right where, when I bring on other other podcasters which you have pivoted into a very, you know even a unique area that I didn't even think of before, right, it's like what made you want to go down this route.

Speaker 2: 49:07

I've always loved being creative and you know, I got my start in cyber because I was working at a public access channel and I was doing some YouTube videos. I had just met my wife around the time that I started to create videos in general, and my wife she's a physical therapist by trade and she has a company as well, doing physical therapy. She was doing Instagram Lives for 30 days. So she's like I'm doing this 30-day challenge and this was right. As we met, so I was like you know what I really like this girl. If she's out here doing 30-day challenges, so should I. So I went live on YouTube for 30 days and this was like right when the YouTube live streaming feature just came out. So I started doing that. And then Chris happened to jump on one of my lives Chris Cochran, who's helped me, co-found Hacker Valley. He jumped on one of the lives and he hit me up afterwards and we used to work together. He said, hey, like I really liked those live streams and Chris was doing these workout videos on Instagram and I was like I really like your Instagram videos.

Speaker 2: 50:11

A few months go by and he gets a job offer at Netflix and he has to move to the Bay Area. He moved to San Jose and he said hey, I'm going to be in San Jose and my family you know my kids are going to finish up their school year. Can I stay with you until they finish? I heard you have this hacker mansion on your live stream. Me and my friend Marco, who was one of my mentors, we got a hacker mansion. We're like we're going to build, we set an intention, we're like we're going to have a hacker house. There's these programmers that have these programming houses, but we're going to have a hacker house. So we, we rented a like 5,000 square foot home in San Jose just two guys. And then boom, chris shows up. He wants to move in for three months and during that time we're all going through personal growth journeys. It's very rare that three adult men live in a house together without the specific circumstances bringing them there.

Speaker 2: 51:07

Me and Chris you know I'm still doing my YouTube live streams and then Chris says, hey, let's do one together. And we jump on, and usually I was doing like tutorials. We jumped on and we just had a conversation about cybersecurity, alchemy, how to transform seemingly invaluable data to valuable data, and that was little did I know. I thought we were doing a YouTube channel. Little did I know we were creating a podcast. So we just kept doing it every week.

Speaker 2: 51:34

And then we decided to create a podcast page. And then we were off to the races and started doing it and we decided to start inviting other people because we wanted to speak to cool people in the space. So we started to bring on people that we never would have had access to. Vendors started to see that and say hold on, a second Hacker Valley. We saw that this person from Netflix was on your podcast as a guest. We want to put our brand on there. Can we get an ad slot? So we didn't know how to handle that.

Speaker 2: 52:12

And then one of our other friends who worked at Palo Alto Networks with me after Demetra got bought by Palo Alto Networks, he comes on. He says I love working with young entrepreneurs and we were like my gosh, we didn't even know we were building a business. So we immediately called up the bank and got an account or a checking account, and then we were able to secure a sponsor that reached out to us about sponsorship. Chris has a gift. He is low-key, one of the best salespeople I've ever met in the cyberspace, especially because he makes sales not about selling but about helping other people out. That's Chris's motto, that's the name of the game and you know like a little bit about me is also that customer obsession attribute.

Speaker 2: 52:55

So together we just made like a powerhouse of doing cool content on the podcast side and then we pivoted into being a full blown creative media agency where we not only create podcasts but we also create a wide variety of content, whether it be company stories, commercials, internet series and anything that someone could dream of. But we bring in a unique spin. Like, if you go and try to apply music to a lot of things, the music is not going to sound good, it's going to sound like elevator music or predictable stock music. So one of my specialties, I would say, is like finding like awesome music that fits a vibe and that really helps tell a story in the way that you want to tell it. So yeah, we just started as speaking on microphones and talking to one another and then just kept iterating and we'll see where it goes. You know, right now it's creative media agency. One day, I think it will be something different and I'm open to the transformation as it comes.

Speaker 1: 53:58

Yeah, it's interesting, you know, because I always tell other people that I talk about with regard to my podcast. Right is that the big, the biggest benefit? Right is that it opened the door for so many other opportunities just by talking to different people right. Opportunities that I never, ever would have had, never would have known about, or anything like that. You know, and that's that's the biggest thing you know when you take that jump into something new, you don't need to know everything right from the start right you mentioned.

Speaker 1: 54:32

You know, companies wanted to start, you know, taking out ad space and whatnot. You had no clue how to handle that. Right. And same thing with me, right, when I, when I got my first sponsor, I had no clue how to handle that. I had to ask them what they were talking about because I couldn't process the word Like you're going to give me money for what you know.

Speaker 1: 54:55

Like, what's the trick here? You know, put yourself out there when you take that, maybe that one little unknown task, and you start diving into it and pressing in and you just take it day by day. You know, something really special actually comes out of it. You know, and I don't think I've told you this before, but I I've been watching, you know, hager Valley since the start. Right, and you guys have really really encouraged me in ways that are, you know, not not direct, but you, you have encouraged me to keep going. Like, I question if I should be doing this podcast. Every once in a while I question it. I'm like man, am I even, am I even making a difference? Am I providing value? And uh, you know, you guys have definitely encouraged me in different ways to keep going, to keep pushing through right to keep trying. It's a fantastic journey, you know, and, ron, I know we're at time. I apologize for going a little bit over, but you know this has been a fantastic conversation.

Speaker 2: 56:00

I appreciate it. Thanks for having me. I would love to have you on my show and, yeah, it's been an honor and a pleasure to you know, get to know you over this past year or two.

Speaker 1: 56:09

Yeah, absolutely, ron. You know, whenever you want me on, I'm more than happy to make it happen. Ron, you know, before I let you go, how about you tell my audience you know where they can find you if they want to reach out and connect and where they could find Hacker Valley if they've been living under a rock and they don't know?

Speaker 2: 56:24

Yeah, so our website is hackervalleycom. All of our podcasts are there. The most, probably the best place to follow the content, though, is YouTube. It's just youtubecom. Forward slash at Hacker Valley Media and LinkedIn. Linkedin is a great way to stay in touch, not just from, like, an external perspective, but if there's ever a piece of content that you want to see HackerBotty produce or you just want to say hi, that's the best place.

Speaker 1: 56:51

Awesome. Well, thanks, Ron, and thanks everyone for listening. I hope you enjoyed this episode as much as I did. Thanks everyone.