What happens when a curious teenager gets hacked on AOL Instant Messenger and turns that experience into a thriving cybersecurity career? Join us as we sit down with Ron Edding from Hacker Valley Studios, who shares his journey from being a 13-year-old victim of hacking to becoming a professional at Booz Allen Hamilton by the age of 19. Along the way, he crossed paths with Marcus Carey, a pivotal mentor who recognized his potential and set him on the path to success.
Ron’s story underscores the importance of believing in young talent within the cybersecurity field. We explore how his initial dreams of joining federal law enforcement evolved into a passion for cybersecurity, driven by curiosity and determination. Learn how Ron faced skepticism head-on, proving that age is just a number when it comes to skill and dedication. His narrative is a testament to how setting intentions and vocalizing goals can help align opportunities, and how overcoming obstacles can fuel one's drive even further.
We also dive into Ron’s experiences working at Booz Allen, specifically on NSA contracts, and the unique process of obtaining security clearance. Discover the lessons learned during the "beach" period, the importance of becoming a subject matter expert, and the fine balance between meticulous documentation and creative problem-solving. Ron’s journey through various challenges and his emphasis on detailed documentation provide valuable insights into career progression and the significance of mentorship and referrals in landing roles at prestigious firms.
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: Ron, it's great to get you on the podcast.
00:00:02
You know we've been in communication for, you know,
00:00:04
probably a year or so, right?
00:00:06
Yep, we're trying to get you on for a while now, but I'm really
00:00:09
excited for our conversation.
00:00:11
Me too, glad to be on the show.
00:00:13
Thanks for having me.
00:00:13
Yeah, absolutely, you know, ron , before we go down, you know
00:00:20
the path of you creating Hacker Valley with Chris as well.
00:00:25
Tell me about how you got your start in security, in
00:00:29
cybersecurity overall.
00:00:31
Right, because it's not, it's not, it's.
00:00:34
I always think of it as a path that's kind of off the beaten
00:00:37
path, right of IT right.
00:00:39
When you think about going into IT, you think system engineering
00:00:42
, you think, network engineering , you think, maybe even
00:00:43
developer think network engineering, you think maybe
00:00:45
even developer right Security is typically like that distant
00:00:49
thought that no one really thinks about.
00:00:51
So how did you decide to go down this path?
00:00:54
Speaker 2: I had two starts in the space of security.
00:00:57
The first start was when I was probably around 13.
00:01:00
I got hacked on AOL Instant Messenger.
00:01:03
Someone sent me a direct message after talking crap in a
00:01:06
chat room.
00:01:07
I was probably talking about who's a better player, kobe or
00:01:10
Shaq.
00:01:10
Well, I said I must have said something to someone that they
00:01:13
did not like.
00:01:14
So they sent me a file.
00:01:15
All of a sudden my CD-ROM drive starts opening and closing and
00:01:20
my computer turns into like a matrix, like text.
00:01:23
You know I freak out a little bit because this is a family
00:01:26
computer.
00:01:26
So I'm like I need to figure out what happened.
00:01:28
One so I can get it to stop doing that, and then two so I
00:01:32
can figure out how to do that to all my friends.
00:01:33
Luckily the person, luckily and I'm kind of crazily enough the
00:01:37
person told me exactly how they did it.
00:01:39
They were using this program called ProRat.
00:01:41
Shout out to anybody that knows that tool.
00:01:46
That was my first somewhat of a start.
00:01:47
My first taste and then my real introduction to the space of
00:01:50
cybersecurity was I was working at a public access channel back
00:01:53
in Maryland, where I'm from, and I would go and film high school
00:01:58
games and nursing homes and do interviews with people in the
00:02:01
county and on Sundays we would have anyone that wanted to come
00:02:05
in to use the studio.
00:02:07
We would record film, produce and even air whatever they
00:02:11
wanted to record with us.
00:02:13
So there was this gentleman that walks in.
00:02:15
His name is Marcus Carey.
00:02:16
He walks in with these few other gentlemen and they see me
00:02:20
reading a book on computer network.
00:02:21
I'm reading a Cisco book and Marcus looks at me, says, hey,
00:02:26
cool, you want to be in computer networking.
00:02:28
And I told him no, I'm a hacker .
00:02:29
And he thought it was hilarious .
00:02:32
No, this 716 17 year old kid that you know thought he was a
00:02:36
hacker and definitely wasn't.
00:02:37
But he asked me a few Linux commands and you know I knew the
00:02:40
commands.
00:02:41
He was like hey, how do you change a directory?
00:02:42
How do you do ping?
00:02:43
What does ping do?
00:02:44
And he saw the potential.
00:02:46
He said hey, you, if you want to work in this space, you can,
00:02:56
and if you want to do it without a degree, here's exactly how
00:02:57
I'm extremely well with following instructions I feel
00:02:59
like you have to be in the game of cybersecurity.
00:03:00
So I took his, took his mentorship and at 19, got my
00:03:03
start at Booz Allen Hamilton, being contracted for the NSA wow
00:03:08
, that is I mean it.
00:03:12
Speaker 1: It almost sounds like that's going straight into the
00:03:15
deep end, right.
00:03:16
I mean, at 19 man I, I could not have handled anything close
00:03:23
to that.
00:03:24
Not anything close to that, no way.
00:03:26
How was that, you know, did you okay?
00:03:29
So, looking back on it, you obviously know like, hey, that's
00:03:33
a crazy situation for a 19-year-old to be in.
00:03:36
But you know, when you were in it, were you saying this is too
00:03:42
much, this is, you know, drinking from the fire hose
00:03:45
times 10?
00:03:46
Or were you just, you know, approaching it from a different
00:03:49
way?
00:03:49
What was your mentality with that?
00:03:52
Speaker 2: My parents are not, you know, college graduates, so
00:03:56
we didn't necessarily have like a mentality of like this is a
00:04:00
path.
00:04:01
You start here and then you go to school and then you do this
00:04:04
thing.
00:04:04
So I've been used to people saying things that I don't know
00:04:08
my entire life.
00:04:09
This is a path.
00:04:09
You start here and then you go to school and then you do this
00:04:11
thing.
00:04:12
So I've been used to people saying things that I don't know
00:04:15
my entire life.
00:04:15
You know, you start in school.
00:04:16
You don't know what all of these words or formulas or
00:04:17
acronyms mean.
00:04:19
When I got into cybersecurity it was the same thing.
00:04:20
People would speak at me and I would nod and smile and just
00:04:22
hope that I could figure out what they mean over time.
00:04:24
And when I first got started my professional career, you know,
00:04:29
working at Booz Allen, there was a lot of acronyms, especially
00:04:34
because I was working with military people or people that
00:04:36
was former military, and they had all the acronyms.
00:04:37
So I had the technology and cybersecurity acronyms but then
00:04:40
these other acronyms as well.
00:04:41
But I was just patient, it didn't really bother me.
00:04:45
I was excited because at Booz Allen I asked for I think I
00:04:50
asked for 40.
00:04:51
I was like, hey, you know, if I get 40,.
00:04:53
They looked at me and, you know , the recruiter smiled.
00:04:56
She said how about 65?
00:04:57
So you offer a 19-year-old $65, you're gonna do exactly
00:05:02
.
00:05:02
The 19 year old will do whatever.
00:05:08
You know.
00:05:08
Getting 20 an hour at 19 you know this was back in 2010.
00:05:11
Getting getting 19 20 hours back then was already gold, but
00:05:14
this was like 45 50 an hour.
00:05:16
Speaker 1: There was nothing that I wouldn't do yeah, yeah,
00:05:20
that's, uh, that's that like really hits home.
00:05:24
You know, I remember when someone like offered me 20 an
00:05:27
hour right In college this was probably 2011.
00:05:31
Right, and someone offered me 20 an hour to just like install
00:05:36
a couple of programs on a bunch of schools in Chicago, like what
00:05:40
you're going to?
00:05:40
Yeah, I guess I'll do it for that, you know he was like
00:05:45
apprehensive of offering me, you know, that low of a number.
00:05:48
Right, he was like, oh, this kid's going to ask for 40, 50 an
00:05:52
hour and I'm sitting here like 20,.
00:05:54
My God, I'm over here like making $7 in the school
00:05:57
bookstore a couple of years ago, like, yeah, let's do this.
00:06:00
It's a, it's a.
00:06:02
It's a fascinating mentality shift, you know.
00:06:05
And now it's like the total opposite for me.
00:06:09
Right, I went from being totally okay, complacent and
00:06:13
happy with $20 an hour.
00:06:14
Obviously, I have more expenses now.
00:06:18
And you know when companies, I guess, undershoot me or
00:06:23
under-offer me for a position that I know what the market is
00:06:26
for.
00:06:26
It's like almost insulting Yep for sure.
00:06:31
Speaker 2: And you know what I loved about Marcus and I had
00:06:35
another great mentor who helped get me this job at Booz Allen
00:06:39
Hamilton.
00:06:39
His name was Chad Price, marcus , chad and even the recruiter
00:06:42
there.
00:06:43
They all understood equity, not just like monetary equity, but
00:06:47
fairness, you know, providing a quality within the realm of
00:06:51
within the professional space, and I always remember, you know,
00:06:56
that kind gesture they could have.
00:06:57
They could have said, hey, here's 40, here's even 45.
00:07:01
But everyone on the team was probably making like 75 to a
00:07:05
hundred thousand that were in entry level.
00:07:08
So them to like look at me and say, hey, this kid, he's 19.
00:07:12
They knew it Cause it's on my job application, and to still
00:07:15
show love like that, it meant a lot.
00:07:18
Speaker 1: You know, do you think that that was unique to
00:07:22
that time period, even for you to get that opportunity?
00:07:25
Because I feel like I feel like today and maybe I'm completely
00:07:29
wrong, but I feel like today they wouldn't even, they
00:07:32
wouldn't even look at you really .
00:07:33
Speaker 2: I mean, like at 19, you have to basically like you
00:07:54
know, be convicted of hacking, right and sign some deal with
00:07:56
the the FBI for you to get your name out there, for them to even
00:07:58
look at you.
00:07:59
I feel Is that accurate or maybe not, but there was this
00:08:02
17-year-old that I met last year .
00:08:04
He reached out to me on LinkedIn.
00:08:05
His name was Sully Vickers.
00:08:07
He's probably you know.
00:08:08
If you look up Sully on LinkedIn, he's doing amazing
00:08:11
work.
00:08:11
He brought cybersecurity programs and a cybersecurity
00:08:14
club to his school.
00:08:15
But he reached out to me.
00:08:16
He said hey, let's sync up and I want to just pick your brain.
00:08:19
I see that you're very public on LinkedIn, this 17-year-old,
00:08:24
somehow his network is amazing.
00:08:27
He introduced me to someone that works at my company, now my
00:08:30
producer.
00:08:31
He met my producer because she was hosting a podcast for teens
00:08:35
that wanted to learn about cryptography and he said hey,
00:08:37
ron, after our meeting, I think there's someone that you should
00:08:40
meet and her name is Jennifer Langdon, and that changed
00:08:44
meeting.
00:08:45
Jennifer changed Hacker Valley for the better.
00:08:48
You know, she's a great producer.
00:08:49
She loves the space of cybersecurity.
00:08:52
If someone is 16, 17, 18, 19, doesn't matter how old, I think
00:08:57
we want to bet on the youth.
00:08:58
If you're not betting on the youth, you're not looking at
00:09:00
your future.
00:09:01
I think that you can break into cybersecurity at such a young
00:09:06
age, but you have to have that hunger has to exude out of you.
00:09:09
It has to almost be like I can't let this young person go
00:09:13
because I know that the impact that they'll make when you're
00:09:16
young.
00:09:16
You have no problem working on someone else's schedule, like
00:09:20
when I was being mentored by Marcus.
00:09:22
He said meet me at the coffee shop at this time on Saturday.
00:09:26
I don't got anything going on Like I can meet you.
00:09:29
You want me to meet 9am, as long as it's not six, cause you
00:09:32
know teens that they have the aptitude.
00:09:33
By being curious and showing your work, showing your ability
00:09:48
to learn, you can go so far.
00:09:50
Speaker 1: Yeah, that is so, that's so, that's so true, you
00:09:55
know it's uh, it's not always easy, it's not always going to
00:09:59
be like a direct, you know, straightforward path, right, but
00:10:02
you know when you really want something and you go after it.
00:10:06
I would say, most of the time you know you're going to hit it
00:10:10
right, you're going to get it, and if you don't, you're going
00:10:12
to get something so close, you know that it's going to.
00:10:16
It's going to, you know, make sense, right.
00:10:19
Like.
00:10:19
I'll give you an example for a long time I wanted to go into
00:10:23
federal law enforcement, right.
00:10:24
Like you just said that you did some contract work with the NSA
00:10:27
, the NSA in my 20s.
00:10:29
If they were to hit me up and be like, hey, we want to send you
00:10:32
to, like you know, the deepest, darkest hole of the earth and
00:10:36
you're going to be there for you know, a year, you're not going
00:10:38
to talk to anyone or anything like that.
00:10:40
Like, sign me up, man, exactly.
00:10:49
Like that.
00:10:49
Like, sign me up, man, exactly, tell me where I'm.
00:10:50
Like you don't even need to tell me where I'm going, right.
00:10:52
Like you don't even have to park the plane, fly over the
00:10:53
thing, kick me out, I'll be, I'll be fine.
00:10:54
You know that was that was, that was my dream.
00:10:54
You know that that was everything to me and I tried
00:10:56
that for years to get into any agency that would take me for
00:11:01
any, for some reason, right, and it just never worked out.
00:11:04
But I found my way into cybersecurity and not that I do
00:11:09
work with the government or anything like that.
00:11:11
I don't, um, not in any way right, it would be a lot cooler
00:11:15
if I did.
00:11:16
But I still get to have that mentality.
00:11:19
I still get to exercise that mentality Right, and I went down
00:11:22
a completely different path.
00:11:23
I shot for the stars.
00:11:24
I shot for that mentality, right, and I went down a
00:11:25
completely different path.
00:11:25
I shot for the stars.
00:11:25
I shot for one star right.
00:11:27
And I landed amongst the stars and now I'm able to, you know,
00:11:31
kind of talk to former people that were in the agency, like
00:11:35
yourself and you know explore these different topics, and it's
00:11:39
a really fascinating path that my life has taken right.
00:11:42
I feel like when I wanted to go into the agency I probably
00:11:47
wasn't ready for that level of maturity that I would have
00:11:49
needed.
00:11:49
Now that I am at that level of maturity, I am also mature
00:11:55
enough to say I don't think I want to risk my life.
00:11:58
I have a one-year-old at home, right, going to Afghanistan is
00:12:02
probably not a good idea for a white male.
00:12:04
You know that obviously looks like he's working for the agency
00:12:08
.
00:12:08
You know, like all that sort of stuff in my 20s, you want me to
00:12:12
go to Afghanistan?
00:12:13
Let's go, man.
00:12:13
We're going to party like Exactly.
00:12:16
Speaker 2: Yep, and you know what, when you want something
00:12:20
and you set an intention and you speak it out loud, the universe
00:12:23
will conspire and help you to get there.
00:12:25
So what I did was I exposed myself.
00:12:28
I told people what I wanted.
00:12:30
It was completely embarrassing.
00:12:31
Some people laughed at me, some people thought I was crazy, all
00:12:34
of my classmates.
00:12:35
They thought I was ridiculous for putting on my senior
00:12:40
yearbook that I wanted to work on information assurance.
00:12:43
What does that even mean?
00:12:45
I didn't even know what that meant.
00:12:46
But Marcus did it and I was like you know, I think that
00:12:48
Marcus is doing offensive operations.
00:12:50
I think he's breaking into systems.
00:12:52
So if he's doing that, that's what I'm doing and I just put it
00:12:56
out there.
00:12:57
And you know, even from day one , when I met him, he said do you
00:13:01
want to do computer networking?
00:13:02
And I told him my intention no, I'm a hacker.
00:13:06
I think that's so powerful.
00:13:07
Especially when you just have that conviction and that and you
00:13:10
speak it, things will start to happen.
00:13:14
Speaker 1: Yeah, you know, and I feel like the universe, you
00:13:17
know, gives you those little tests, right, it's kind of like
00:13:20
looking back, it's like those little minute tests along the
00:13:24
way where you said that some people like that actually
00:13:26
laughed at you.
00:13:27
I experienced that too.
00:13:30
I was in IT and I knew I wanted to get into security and I was
00:13:34
doing everything I possibly could to get into security just
00:13:38
a security dedicated role.
00:13:39
And you know, countless times I mean almost every day for a
00:13:45
year or two I would get on the call with someone and they'd
00:13:47
laugh at me Like, yeah, that's not going to happen.
00:13:50
You don't know enough of this.
00:13:50
You know networking.
00:13:52
You don't know enough of this system engineering stuff, right,
00:13:54
like you're too young, you're not going to make it All that
00:13:57
sort of stuff.
00:14:08
And what they, what they didn't realize is how my brain works.
00:14:09
You know, know, especially from being a wrestler right in high
00:14:11
school, I tell people like wrestling it just like
00:14:12
restructures your brain, especially when you're that
00:14:13
young, where it's like, if you give me a hint of a challenge,
00:14:18
you know, just just a hint of your, your own doubt in me, or a
00:14:23
hint of a challenge like that, it's game on.
00:14:26
Like I'm doing it, I, you, you don't understand.
00:14:29
You know the fire that you just lit in me and that's your own
00:14:32
fault, right, like I'm doing this thing.
00:14:35
You know it's a.
00:14:37
It's fascinating how that works out.
00:14:39
So you know, when you're at the , when you're at the agency,
00:14:43
when you're working for Booz Allen, what does what does your
00:14:52
specialty look like?
00:14:52
When you're at the at, when you're at the agency, when
00:14:53
you're working for booze allen, what does what does your
00:14:54
specialty look like when you're that young, when you're that I I
00:14:55
guess, inexperienced, even right, um, what does your
00:14:56
specialty look like?
00:14:56
Are you a jack of all trades?
00:14:56
Are they putting you through a rigorous training program?
00:14:59
What is that?
00:15:01
Speaker 2: yeah.
00:15:01
So when I was working at booze allen you know they bring people
00:15:05
in um, at least at that point I'm sure they still I think a
00:15:08
different company has a contract now, but we were brought in by
00:15:12
the NSA and it was really cool because when they first hired me
00:15:17
I didn't have my security clearance, so I had to go to the
00:15:21
beach is what they called it.
00:15:22
It was like where you go and wait for your security clearance
00:15:25
.
00:15:25
The beach is what they called it.
00:15:26
It was like where you go and wait for your security clearance
00:15:28
.
00:15:28
They had so many roles open that the government wanted them
00:15:32
to fill that they were willing to pay people to just sit around
00:15:34
and wait while they got their clearance.
00:15:35
So on average it would take about three months to a year.
00:15:38
For some people it took two years.
00:15:39
There were people sitting in this like office space for two
00:15:43
years and they could do whatever they want.
00:15:45
I did some research on certifications and I was like,
00:15:49
ok, I need to get a few more, obviously, so I could have an
00:15:55
opportunity to make more in the in the government space, because
00:15:57
they pay for give a degree if you have certain certs, and I
00:15:58
saw that the CompTIA certs were going to start to have an
00:16:02
expiration date.
00:16:03
So right before that cutoff I was like, ok, I'm going to get
00:16:05
all the Comp T as I could possibly get.
00:16:07
So I got the Network Plus, security Plus, convergence Plus
00:16:13
and got all those certs, got my CEH as well and really focused
00:16:19
on myself until I got my clearance.
00:16:20
After I got cleared they brought me into the NSA and I
00:16:25
got read on.
00:16:26
I got to my role was doing offensive ops, so I was supposed
00:16:30
to pretty much be APT for the United States government and
00:16:35
they hired me to be a subject matter expert and I don't know
00:16:40
if I was an expert.
00:16:41
You know there's a lot of people that have imposter syndrome.
00:16:44
I have a bone to pick with that terminology.
00:16:46
It's someone that pretends to be something or someone that
00:16:50
they're not.
00:16:50
They told me I'm an expert, so why would I fight that?
00:16:55
If they told me I'm an expert and they're happy with my
00:16:58
quality of work, then so be it.
00:17:00
You know there is definitely a certain level of humility that I
00:17:03
had, but I think that you know, imposter syndrome isn't
00:17:06
actually what people actually have.
00:17:08
They have humility, like I'm humbled to be around all these
00:17:12
very smart people.
00:17:13
And you know I'm a sponge.
00:17:15
I am also very good at following instructions I
00:17:18
mentioned that earlier so they told me exactly how to get good
00:17:21
at my job.
00:17:21
Here's how you train to get better at what you do.
00:17:24
So I just did those things and took my time and it was a lot of
00:17:28
fun.
00:17:28
It was probably not the best job to have as your first
00:17:33
professional gig.
00:17:34
You know, doing offensive ops, because that's something that
00:17:37
people dream of and I did dream of it.
00:17:39
But after about three and a half years I was like, okay, I
00:17:42
can only break into so many things before wanting to know
00:17:45
more about how to fix it and, you know, mitigate these types
00:17:49
of events.
00:17:50
Speaker 1: Yeah, you bring up two critical things.
00:17:53
You know that you were a sponge and that you know you're very
00:17:57
good at following directions, and those are two critical
00:18:01
things that I also was told and learned very early on in my
00:18:06
career and I I still tell everyone you know that wants to
00:18:10
break in, that asked me.
00:18:11
That's how you need to be.
00:18:13
You need to have that mentality of just being a sponge, just
00:18:16
being happy that you're hanging around these people that are so
00:18:20
much more you know, smarter and skilled than you, and try to
00:18:22
learn as much as you possibly can without getting in their way
00:18:23
too much.
00:18:24
You know smarter and skilled than you and try to learn as
00:18:25
much as you possibly can without getting in their way too much.
00:18:27
You know I'm following directions.
00:18:29
You know it's uh, it's interesting, right?
00:18:33
So when earlier on in my career when I was working for a
00:18:37
company, you know we had not too robust of troubleshooting guys
00:18:42
and upgrade guys and things like that, and I still to this day,
00:18:46
I have a knack for finding the most random issues that you can
00:18:51
imagine.
00:18:51
I mean, like like Google does not help you.
00:18:54
You know, with these issues, like I have to go talk to the
00:18:57
developer and the developer has to say, like it's not supposed
00:18:59
to work like that.
00:19:00
I mean you know the craziest stuff, right.
00:19:04
And I mean you know the craziest stuff, right.
00:19:05
And so I ended up creating really verbose documentation for
00:19:09
troubleshooting that's still actually used at that company
00:19:11
and I haven't worked there in almost 10 years, right.
00:19:15
And recently, right, I took on a new task, a developer-related
00:19:19
task, at my day job, and they said, oh yeah, everything's in
00:19:23
this document.
00:19:24
It's foolproof.
00:19:25
You can literally just read it and go through it, follow it
00:19:29
word for word, and you're good, like okay, well, I'm great at
00:19:32
following direction.
00:19:33
So if you literally tell me to do something, I'm going to do
00:19:36
exactly that.
00:19:37
You don't tell me to click somewhere, I'm not clicking it
00:19:41
because I don't know.
00:19:42
Like in that first learning position, right, if you made a
00:19:47
mistake, it wasn't like.
00:19:49
You know, we'll revert to a backup.
00:19:51
It was like a big, it was a big deal, like you were probably
00:19:55
going to get fired.
00:19:56
You know that's right.
00:19:57
And so I don't click things that I'm not not supposed to.
00:20:01
I don't hit enter when I'm not supposed to.
00:20:03
And I'm going through this document and I mean every
00:20:13
paragraph.
00:20:13
I'm finding like you guys missed seven steps here right
00:20:14
that I'm supposed to do and it took me.
00:20:15
It took me two weeks to do something that would have taken,
00:20:17
you know, anyone else on the team.
00:20:18
You know a day to do and you know, at the end of the two
00:20:22
weeks, like I, I didn't even complete it.
00:20:24
I just said to him look, this is too far behind.
00:20:27
Can someone else just do it?
00:20:28
It's probably 30 minutes for everyone else.
00:20:31
Me following this documentation is not working, and through
00:20:35
that they said maybe we need to rewrite this thing.
00:20:38
When I write documentation, it's always with the mindset of
00:20:43
if someone that knows nothing has to sit in this desk and do
00:20:47
this task.
00:20:48
What do they need to know?
00:20:49
You know absolutely everything every step of the way.
00:20:53
Actually, working with a federal agency earlier on in my
00:20:57
career, I went down this rabbit hole and I kind of saw it
00:21:00
firsthand for how they take notes, because they take notes
00:21:03
as if, like if the world blows up and there's one person left
00:21:07
that needs to set up this thing and they don't know anything
00:21:10
about it.
00:21:10
What do they need to know?
00:21:12
Right, and they took my.
00:21:14
Speaker 2: They took my you know 20 step upgrade guide and
00:21:18
turned that into 250 steps and I'm sitting here, like man, they
00:21:22
take notes at a totally different level right, yeah, and
00:21:25
it's important to you know be able to follow instructions in
00:21:28
cyber, and because today there is a lot of documentation and
00:21:32
there's something called best practices.
00:21:34
When we don't follow them, sometimes you get popped.
00:21:37
But at the same time, there also has to be a level of
00:21:39
creativity because, as you're mentioning, when you follow the
00:21:43
directions of someone or even documentation, it might not work
00:21:48
because we change, technology changes, you know their shifts
00:21:50
or better ways to do things.
00:21:52
So, even though I was very good at following instructions, I've
00:21:54
always had like a little bit of a creative side to figure out,
00:21:58
not only like is this the best way for me, but is there a
00:22:02
completely different way that I could do this that would make
00:22:05
this the best for other people as well?
00:22:07
Speaker 1: So when you're done at Booz Allen, where do you go
00:22:11
from there?
00:22:11
I mean, how do you scratch that itch after you started that
00:22:15
high of a level?
00:22:16
How do you scratch that itch going forward?
00:22:20
Speaker 2: I first off, you know we going back to the hiring
00:22:24
young people.
00:22:24
One thing I forgot to mention is I got a referral to work at
00:22:26
Booz Allen Hamilton by.
00:22:27
You know we going back to the hiring young people.
00:22:28
One thing I forgot to mention is I got a referral to work at
00:22:30
Booz Allen Hamilton by, you know , one of my mentors, Chad Price.
00:22:31
He was my college professor, so I did one like pretty much half
00:22:35
a semester at community college and I was taking this
00:22:39
information system security class and he was a consultant at
00:22:44
Booz Allen Hamilton security class and he was a consultant at
00:22:48
Booz Allen Hamilton.
00:22:49
So we always had this fun banter in class because books
00:22:50
get old very quickly, especially in cyber.
00:22:52
So there will be some times where we download an application
00:22:55
and it doesn't work and I would be like I already read this
00:22:59
part of the book.
00:22:59
Here's how we work through it so we don't have to like spend
00:23:03
the entire class troubleshooting and no one gets anywhere.
00:23:05
So the gentleman Chad Price referred me and through Booz
00:23:09
Allen like then it kind of like the thread started to be pulled
00:23:13
for more friends.
00:23:14
So I got introduced to someone at Booz Allen.
00:23:17
His name is Marco Figueroa, a very close friend, very pivotal
00:23:20
figure in my life and career.
00:23:22
He was working at McAfee.
00:23:24
He pivoted from Booz Allen and started working at McAfee.
00:23:27
He was a great reverse engineer and if I wasn't hacking, I
00:23:33
wanted to do like RE related things.
00:23:35
So Marco reached out and said hey, I got an opening at Booz
00:23:40
Allen.
00:23:40
Marco, is this New Yorker crazy swag also very demanding?
00:23:45
He said, ron, I need you to show up at this place at 1 pm
00:23:51
for your interview.
00:23:52
I'm going to tell you exactly what to do.
00:23:53
I'm going to tell you when to go inside and just be yourself.
00:23:57
But here's the parameters until you're supposed to be yourself.
00:24:02
And at this point I'm 22.
00:24:03
I did three years at Booz Allen and now I was interviewing for
00:24:07
McAfee.
00:24:07
Good, at this point I'm 22.
00:24:08
I did three years at Booz Allen and now I was interviewing for
00:24:11
McAfee.
00:24:11
Good at following instructions, good at being creative.
00:24:13
So I had an awesome, great opportunity to work at McAfee.
00:24:16
We were contracting for the government in some cases, but my
00:24:19
job was to be a security researcher, to find flaws in
00:24:23
whatever I could dream of.
00:24:24
So I started focusing on BGP, the protocol for internet
00:24:30
routing, and trying to find flaws there.
00:24:32
I didn't find anything and then I started looking at Android
00:24:35
applications and kind of like, got very addicted to that and
00:24:40
had some fun, you know, doing not necessarily reverse
00:24:43
engineering, but just like unpacking Android applications,
00:24:47
looking at the source code and seeing if I could find any
00:24:49
commonalities for how malicious Android apps have been behaving.
00:24:54
And I had a little bit of a taste of data science.
00:24:57
I got introduced to scikit-learn and I started and I
00:25:01
had access to some very powerful devices at McAfee,
00:25:05
because at this time McAfee was owned by Intel.
00:25:08
So we had all the samples that we would collect from telemetry
00:25:15
from people's devices and store them in a giant database.
00:25:18
So I had access to like every binary that I could ever think
00:25:22
of.
00:25:22
Whenever I go to VirusTotal, I would, you know, find a specific
00:25:26
artifact in research or on VirusTotal and I would type it
00:25:30
into the McAfee database.
00:25:31
There would always be that binary in the database.
00:25:33
So I had a lot of great access and, yeah, I got to just further
00:25:37
my skills at McAfee from there.
00:25:42
Speaker 1: Man, that is really fascinating.
00:25:45
You know, I guess that is probably the next logical jump,
00:25:50
right going from offensive sec to to r and d and kind of
00:25:55
reverse engineering.
00:25:56
You know the malware that you may have been launching right
00:26:00
previously, or the the holes that you were finding before.
00:26:03
Well, let's find out why those holes exist.
00:26:06
Speaker 2: Who else is doing them?
00:26:07
Who else are using those same tactics, techniques and protocol
00:26:11
and procedures?
00:26:15
Speaker 1: So that spurs the question, for me at least, when
00:26:19
you talk about who is using them .
00:26:21
How are you able to determine that them?
00:26:28
How are?
00:26:29
How are you able to determine that?
00:26:30
Right, because if they're using , you know the same piece of
00:26:32
malware that that we're using here in america.
00:26:33
Um, what would be different?
00:26:34
Is it the delivery of that malware?
00:26:37
Is it you know all of the other work that they do ahead of time
00:26:41
, that you're kind of fingerprinting to, to who it is
00:26:44
or what does that look like?
00:26:47
Speaker 2: I wish I had my adult brain back then, like my
00:26:50
current brain.
00:26:51
Because there's if you look at MITRE, att&ck, it's actually a
00:26:55
nice chain to follow, like there's a discovery first, then
00:27:00
there's trying to get initial access.
00:27:02
Trying to get initial access.
00:27:03
Looking at the work that I was doing at McAfee, I was looking
00:27:06
at after someone has an initial exploitation what kind of
00:27:10
discovery are they doing?
00:27:11
One of my tactics as an engineer in general if I'm
00:27:16
breaking into a physical building I'm doing things like
00:27:21
port scanning and I don't wanna get caught so I might not do TCP
00:27:25
.
00:27:25
I'm gonna to look at what UDP protocols can I start to
00:27:30
leverage?
00:27:30
Snmp, simple Networking Management Protocol is a big one
00:27:34
.
00:27:34
So what I did when I got to McAfee was like, hey, let me see
00:27:37
any Android apps that are using SNMP, because that's a telltale
00:27:42
sign.
00:27:42
Why is my Android device doing that, unless I'm using it as a
00:27:47
like?
00:27:47
I'm using a network management application.
00:27:49
So I was able to find some applications.
00:27:53
I was able to find some applications from like Eastern
00:27:57
Europe as well, and then I started to just pull the thread
00:28:00
like well, if they're doing this , then let me see what other
00:28:04
people are doing with those same tactics.
00:28:06
And I started to just like look for specific functions because
00:28:09
an Android app you can look at the source code.
00:28:11
So I started to see like, all right, the source code might be
00:28:16
obfuscated, but the functions are always going to be the same.
00:28:20
So if I have a variable, I might call it.
00:28:23
I might call it Ron IP address, and then it equals 192.
00:28:29
But you know the the string that I have, 192.1.1, or
00:28:34
whatever it may be has methods dot split, dot fine, dot strip.
00:28:40
So I will look for people using methods in a specific way and I
00:28:45
will start to catalog them.
00:28:46
And then I was able to find some similarities between
00:28:49
specific malware variants on Android by just looking at,
00:28:53
almost like doing source code audits.
00:28:57
Speaker 1: Wow, that's really fascinating.
00:28:59
That's way more down reverse engineering than I've ever gone
00:29:04
down myself, but it's really fascinating overall.
00:29:09
Just to see how it worked and how it was reverse engineered
00:29:22
has always fascinated me.
00:29:24
You know that's what kind of.
00:29:25
That's actually the book, that kind of like reinforced, like I
00:29:30
should go down the security route, right, like I.
00:29:33
I thought, you know, just looking at the cover and reading
00:29:36
the description of it, right I I thought this may be outside of
00:29:40
my realm.
00:29:40
Right, I'm probably going to get bored.
00:29:41
In 20 minutes I will have wasted $20, right On this book.
00:29:45
I'm never going to finish it, you know, but I kept coming back
00:29:49
for more.
00:29:50
I couldn't put the book down.
00:29:52
I was studying it even, and so I bring that up right, because
00:29:57
fast forward to when I'm getting my master's in cybersecurity
00:30:00
and we have a I think it was an offensive security class, right,
00:30:05
and one of the projects was you have to pick a vulnerability on
00:30:09
whatever platform you want.
00:30:11
It had to be a mobile platform and you have to exploit it and
00:30:14
get root on the device.
00:30:15
Right, the goal is root.
00:30:16
However you do it, it doesn't matter.
00:30:18
And I, I figured you know, okay , like, let's pick an iphone,
00:30:23
I'm using an iphone I've had terrible experience with
00:30:26
androids before because you know I'll download, you know, uh,
00:30:30
infected apps from the google play store and that would really
00:30:34
, you know, just just really grind my gears.
00:30:38
To no extent that I'm going to the Google Play Store, I'm going
00:30:41
to your own Play Store and I'm downloading malware from an app.
00:30:45
It's, it's Facebook, right, at least to me it looks like
00:30:49
Facebook.
00:30:50
And now I'm getting screwed because it's malware.
00:30:52
So I started with iPhone, you know, with a Bluetooth
00:30:55
vulnerability, could not get it.
00:30:57
After 26 hours of trying, I could not get it.
00:30:59
You know, trying, I could not get it.
00:31:00
You know the deadline is coming down, so like, okay, let's
00:31:04
quickly download this android emulator and try and deploy it
00:31:07
on there.
00:31:08
20 minutes later I'm done, you know.
00:31:11
And that that was like the most frustrating slash, eye opening.
00:31:16
You know thing that I that I've ever gone through is, you know,
00:31:21
when you're going through these like different offensive
00:31:24
security search, like OSCP and whatnot, they tell you just try
00:31:27
harder, right, and I was trying really hard on the iPhone and as
00:31:32
soon as I switched to Android, it was like no effort.
00:31:34
It was no effort whatsoever.
00:31:35
No, it was like no effort.
00:31:37
It was no effort whatsoever.
00:31:38
You know it was really interesting that difference in
00:31:41
difficulty.
00:31:42
Now I'm not saying iphones are, you know, completely secure and
00:31:46
like the most secure device out there or whatnot, but you know
00:31:50
it eliminates a lot of the variables.
00:31:52
I feel that's something that maybe you've noticed as well.
00:31:54
You know it's not.
00:31:55
It's not an open platform.
00:31:58
I can't roll my own iOS version and deploy it on my device.
00:32:04
That's not how that works With Android.
00:32:06
I can deploy whatever I want on there.
00:32:09
Speaker 2: A lot of people on Reddit, including myself, wish
00:32:13
that iPhones allowed for Chrome extensions and also PWAs.
00:32:18
These are portable web apps that you can like go to a
00:32:24
website and say hey, I want to install this Twitter app on my
00:32:26
phone without going to the App Store.
00:32:28
It sounds like a great idea, but when you think about it,
00:32:32
it's essentially turning your phone into the Google Play Store
00:32:34
.
00:32:34
If you go to the Chrome extension store.
00:32:36
It's the same thing.
00:32:38
You could one.
00:32:38
You could reverse engineer people's code, which is I don.
00:32:40
It's the same thing.
00:32:40
You could one.
00:32:40
You could reverse engineer people's code, which is, I don't
00:32:42
think the best.
00:32:43
Look, it's not a compiled language.
00:32:45
The Chrome extensions.
00:32:47
But we see the same thing on the Chrome extensions, where
00:32:50
someone buys a Chrome extension like a very popular one and then
00:32:55
they turn it into malware and Chrome doesn't know.
00:32:57
And it's also harder to know because no one's auditing the
00:33:01
code like they do in the App Store.
00:33:04
So I think that it's way easier to exploit Android.
00:33:08
It's just like Windows.
00:33:09
Windows is a lot more open and also a lot more used.
00:33:13
Until recently, I think Android was widely more used than
00:33:17
iPhone.
00:33:17
Naturally, attackers go for the biggest target, but now those
00:33:21
things are changing a bit.
00:33:22
You know, android is also becoming more secure.
00:33:24
We're starting to sandbox a lot more features of our phones and
00:33:28
computers.
00:33:29
But yeah, I think that having a closed ecosystem makes it a lot
00:33:33
harder.
00:33:33
It's having a black box.
00:33:34
It's a lot harder to break into a black box than having access
00:33:37
to the code.
00:33:39
Speaker 1: Right, yeah, when I started to dive into like the
00:33:42
just the os architecture, right of android versus iphone and I I
00:33:49
get into this argument all the time with the same people in my
00:33:51
friend group and it's it's so frustrating because it's like,
00:33:54
guys, I've, I've literally looked at the architecture like
00:33:57
I, I have tested this, you know.
00:33:59
But when you look at the architecture, they frame it in a
00:34:02
way to where we're going to protect the user from the user
00:34:05
as best as we possibly can Like.
00:34:07
There's a reason why when you go to you know an iOS root, uh,
00:34:12
you know service, not a service, but you know an application or
00:34:15
whatever it might be.
00:34:15
They say it has to be a very specific version, it has to be
00:34:20
on this version.
00:34:21
You cannot, potentially, sometimes you can't even like
00:34:24
roll back from these newer versions onto that version.
00:34:27
Um, and they, they have it like that for a very specific reason
00:34:31
because if you try to do it, you know on today's ios version,
00:34:35
right, that that safari extension exploit, let's just
00:34:38
say that there's an extension in safari that you can exploit.
00:34:40
That safari extension exploit, let's just say that there's an
00:34:40
extension in safari that you can exploit.
00:34:42
That safari extension exploit is probably sandbox now, but if
00:34:45
you go back two years ago it probably isn't.
00:34:48
You know, and as soon as apple saw it they released one of
00:34:51
those emergency, you know, security patches that like just
00:34:54
pushes to your phone immediately and you have no choice to but
00:34:59
to install it.
00:34:59
Like they really do a good job of protecting the user from the
00:35:04
user.
00:35:05
Speaker 2: Yeah, Sometimes we need to be protective from
00:35:07
ourselves.
00:35:07
When you think about who needs something jailbroken, it's like
00:35:11
you know what you're trying to do.
00:35:12
You're trying to do something that you probably shouldn't be
00:35:15
doing already.
00:35:16
So, like with iPhone, you have to really think twice, three
00:35:20
times, four times about am I really about to put in the
00:35:23
effort to do this action that I probably shouldn't be doing in
00:35:27
the first place?
00:35:28
Speaker 1: Yeah, yeah, that's a very valid, that's a very valid
00:35:31
point, and I've definitely gone down that rabbit hole myself,
00:35:35
you know.
00:35:35
So.
00:35:35
So, after after McAfee, I mean like it sounds like you started
00:35:41
like at the top right, where most security professionals like
00:35:45
want to end up.
00:35:46
You started there and then you somehow graduated into reverse
00:35:50
engineering, you know malware, different things like that right
00:35:53
.
00:35:53
Where do you go from there?
00:35:56
Speaker 2: So, yeah, the next place that I went from there was
00:35:59
Intel there.
00:36:03
So, yeah, the next place that I went from there was Intel.
00:36:05
I did a stint at McAfee working on like the endpoint protection
00:36:06
side and pivoted over to Intel doing corporate security.
00:36:09
So this is where I got my love for automation.
00:36:12
I was doing work on the endpoint protection side at
00:36:16
Intel.
00:36:17
I was a cyber fusion engineer and what this meant was hey, we
00:36:21
want you to take information from many different data sources
00:36:24
and combine it together to give us intelligence.
00:36:28
We want you to create cyber intelligence in the form of,
00:36:32
like our own IP and data sources , whether they be open, paid or
00:36:37
private.
00:36:38
And what I didn't realize what I was doing was I was working in
00:36:42
the SOAR space security, orchestration, automation and
00:36:44
response and I loved it.
00:36:48
Intel, though they don't pay that well, considering I moved
00:36:51
to San Jose, california Anyone that lives or has lived there it
00:36:55
is not cheap.
00:36:56
If you want a one bedroom apartment this was like 2017,
00:37:02
one bedroom apartment in a good area was going to probably cost
00:37:05
you like $2.
00:37:06
So that's not fun.
00:37:09
You know, I'm only making so much.
00:37:11
I think I was making about like $130 at the time.
00:37:14
So $2 a month plus you know all the other things that I'm
00:37:18
dreaming of.
00:37:19
I'm young, in my mid-20s.
00:37:21
I'm young, I want to buy stuff, I want to go out, I want to
00:37:24
travel.
00:37:24
So I told myself I was going to do a year there and figure out
00:37:30
where the big bucks are at.
00:37:31
I didn't move all the way to California just to work at Intel
00:37:35
and have a nice name.
00:37:36
It was nice to have it on my resume.
00:37:38
But I didn't move there for that.
00:37:40
I moved there to strike gold, because that's what you do in
00:37:42
Silicon Valley.
00:37:42
So I worked there for a year and then I had the idea to go to
00:37:48
Crunchbase.
00:37:49
It's a website.
00:37:51
I think it's owned by TechCrunch.
00:37:54
I went to Crunchbase and I don't know where I came up with this
00:37:56
idea, but I typed in I bought a $40 subscription it was $40 a
00:38:01
month at that time and I typed in who are the companies that
00:38:05
are in San Jose that have $30 million in funding, that have
00:38:08
less than 50 employees and that were founded within the past
00:38:11
three years?
00:38:12
And there was only like 10 companies that showed up and I
00:38:19
saw one of them that looked interesting was a company called
00:38:20
Domisto, and Domisto was doing exactly what I was doing at
00:38:23
Intel, but they were creating a cybersecurity product for it.
00:38:26
So I applied and they were caught off guard.
00:38:29
They were very young, in their stage I think they had around 25
00:38:34
employees.
00:38:34
They were like how did you find us?
00:38:36
You work at Intel, you should go apply for every other company
00:38:40
, but you applied here.
00:38:42
How'd you find us?
00:38:43
And I told the co founder how I found them.
00:38:45
He was shocked.
00:38:46
He was like hold on one second.
00:38:48
He left the room immediately.
00:38:48
He grabbed the CEO.
00:38:49
He said hey, tell, tell him what you just told me.
00:38:52
So I told him the story of how I found them and he was like All
00:38:55
right, you're our guy, you're hired Just for that level of
00:38:59
creative thinking.
00:38:59
You know you want people like that around you that are going
00:39:02
to think outside of the box.
00:39:03
So I then pivoted, worked at the MISO and this is where I got
00:39:07
connections and I got opportunities.
00:39:10
I got learnings because I had to pretty much do what I was
00:39:13
doing in Intel but do it for many different organizations
00:39:16
fintech, healthcare.
00:39:18
I even worked with Red Lobster.
00:39:20
I didn't know that they invested in security so hard,
00:39:23
but just had a lot of opportunity to meet some really
00:39:26
cool people across the country and work on some crazy projects
00:39:30
and try to automate things that typically don't work because
00:39:34
there aren't APIs, but still trying to figure out a way
00:39:37
around it.
00:39:37
Speaker 1: Yeah, you talk about the other side of security,
00:39:42
right, or the other side of IT that IT professionals very
00:39:47
rarely ever experience, right, and that's that vendor side.
00:39:51
You're halfway, you're almost always halfway selling.
00:39:56
You know either the solution, even if they already bought it,
00:40:00
right, Like you're reselling it to them almost in a way, while
00:40:04
you're also trying to solve problems that maybe your
00:40:08
solution doesn't meet right now and you have to.
00:40:11
You know, on the cuff right, Figure out how to solve those
00:40:16
situations, those issues.
00:40:17
And it's a very unique area to learn because, like you said,
00:40:23
you're making a significant amount of contacts.
00:40:25
I mean, probably every day you're on the phone with someone
00:40:28
new.
00:40:28
They're learning your name, you're learning their name.
00:40:31
By the end of the week maybe you had three calls with them
00:40:34
about different issues and they're picking your brain and
00:40:37
whatnot.
00:40:38
Speaker 2: And getting upset sometimes too.
00:40:39
That was something that really helped me mature as a person was
00:40:45
how to handle conflict.
00:40:46
People would be mad at the product so mad at the product
00:40:49
sometimes, especially during the early days, or if they just did
00:40:52
something the wrong way and made a big oopsie, they need to
00:40:56
cover it up because they don't want to lose their job.
00:40:58
Someone has to take the blame, and I learned how to be that not
00:41:02
necessarily the person that would take the blame, but the
00:41:04
person that would share the responsibility and that burden
00:41:08
and that's a very important skill for anyone to have is
00:41:11
learning how to share the burden of conflict.
00:41:14
We all deal with that, especially in security.
00:41:16
I think in security, a lot of times we'd like to be like, nope
00:41:20
, not my fault, it was this person, this engineer over here,
00:41:23
and then this stakeholder.
00:41:25
They didn't work together and that's why we had the breach.
00:41:27
But this, you know, helped me have a little bit of empathy and
00:41:31
, you know, be a little more impatient and meet people where
00:41:33
they're at.
00:41:33
Speaker 1: Yeah, you know, you kind of describe wordsmithing,
00:41:38
right, I don't think I came up with the term, right, but you
00:41:42
know, when I was on the vendor side, I would very, very often,
00:41:46
especially because I'm the technical SME, right, so when
00:41:50
I'm on the call, I'm the technical SME for our solution.
00:41:54
They never get a call with the engineers or the developers.
00:41:56
Of course, like those, you know , those people are not trained
00:41:59
how to talk to.
00:42:00
You know, customers, apparently , right, um, and there was,
00:42:05
there was many times when you would have to, you know.
00:42:10
I'll give you one example one company they were.
00:42:12
They were testing out our e911 solution, right, and when you
00:42:17
route it properly, you know, it gives exact information to the,
00:42:22
to the uh distribution point that sends out the police
00:42:26
officers, the ambulance or whatever, right, and they're
00:42:30
testing it out, but they were testing it out wrong.
00:42:32
And so the first, you know, a couple of times I told them you
00:42:35
know, hey, this is incorrect, you need to stop how you're
00:42:39
testing, you need to convert it to this other way and you won't
00:42:43
incur any charges, but you'll be able to test like you want to
00:42:46
test.
00:42:46
They did not listen to me at all and they kept on testing the
00:42:51
way that incurs a charge and this is a national charge, right
00:42:55
?
00:42:55
This isn't a charge from my company, just to charge.
00:42:59
This is a charge that we're getting hit with from a national
00:43:02
organization that anyone in the country, if they dialed this
00:43:06
number, would get charged.
00:43:07
And it's not a, it's a small charge if you do it once.
00:43:13
Most people just do it once and they're like my bad, you know.
00:43:16
Yes, it's a hundred dollars per this company did it like 50
00:43:21
times within an hour.
00:43:23
You know like they were testing and you know I was seeing it
00:43:28
live and literally they would test one and I would send them
00:43:31
an email.
00:43:31
They'd hit, you know, two more times because I couldn't like
00:43:34
get to it fast enough, and I'd send them another and I'm
00:43:37
calling them and everything Right.
00:43:38
And at the end of the month, when they're hit with the bill,
00:43:41
they're trying to get out of it.
00:43:42
They're trying to say that I didn't do my job, that I didn't
00:43:44
inform them properly and whatnot .
00:43:46
And this is where that wordsmithing comes in, because
00:43:49
it's like hey, you know, I'm not going to throw you under the
00:43:52
bus, but I'm kind of going to throw you under the bus.
00:43:54
It's where you show them, you know, the receipts and whatnot,
00:43:58
Right, but that's.
00:43:59
But that's a very valuable, it's a very valuable skill, it's a
00:44:03
very valuable experience, right, because you have to understand
00:44:07
how to, you know, hold your own right, how to, to do things
00:44:11
properly, how to communicate effectively, um, while also not,
00:44:16
you know, pushing them under the bus, right, it's kind of
00:44:20
just like the evidence of everything that already happened
00:44:23
kind of pushed you under the bus, so to speak.
00:44:25
Right, it's probably a little bit too graphic for someone in
00:44:30
the audience.
00:44:30
You know, like I, I said something similar to someone at
00:44:34
work and they were like that's a little bit too.
00:44:36
You know too.
00:44:37
I guess like picturesque for me to think about joe, like let's
00:44:40
use a different slogan.
00:44:42
I'm like, okay, let's say you don't come into work tomorrow.
00:44:45
You know, like what do we need a?
00:44:48
Speaker 2: good way to look at it is it is another graphic one,
00:44:51
but, like you said, thrown under the bus.
00:44:53
I'm not the one that could make a decision on what the company
00:44:58
spends, and neither is that person that probably did the
00:45:01
test.
00:45:01
So it's a it's a matter of helping escalate it, to lift
00:45:06
that bus off of you and say, hey , I need to, I need to bring in
00:45:10
the person that's going to be mad about these charges.
00:45:13
So let's bring them in, let's call your boss, let's call my
00:45:16
sales rep and let's get them on the phone together.
00:45:18
This is out of our hands, but what we can work on together is
00:45:21
fixing your testing flaw.
00:45:23
The testing flaw needs to change immediately, obviously,
00:45:26
and then we'll escalate and we'll get the right people
00:45:28
involved.
00:45:29
But I think, working at a vendor, I also learned my lane.
00:45:32
You know, I used to try to be rangy and try to do everything
00:45:35
in cyber.
00:45:36
Working at a vendor, I learned that if you give out your phone
00:45:42
number.
00:45:43
Someone's going to call it when they get a number, when they get
00:45:44
an issue.
00:45:44
So I never give out my phone number anymore unless it's to
00:45:47
like people that I have a personal connection with, just
00:45:49
because I've been in the space where you know it's a support,
00:45:54
it's a support portal.
00:45:56
Now, if you give out your number to someone that you work
00:45:58
with and that you're helping, even for, like a mentor, you
00:46:00
know, like as a mentor, I'm very careful giving out my number
00:46:04
because your job as a mentor is to help, advise and guide
00:46:08
someone and I don't want that on my personal.
00:46:11
I want my personal life and part of it at least personal and
00:46:15
professional to be at least somewhat separated.
00:46:17
So I always tell people the best way to contact me is
00:46:19
LinkedIn and email, and I would say the same for, like you know,
00:46:22
working at a vendor, if someone were to go down that path.
00:46:25
Be very careful with what you agree to and also be very
00:46:29
careful what you commit to, because that sets expectations.
00:46:32
But if there's no expectation set, then you always have a way
00:46:36
to alleviate issues yeah, I, I feel like you just described
00:46:41
customer obsession.
00:46:42
Speaker 1: you know, like, like it's one of the, it's one of
00:46:45
those amazon like buzzwords or you know the key principles,
00:46:50
right, um.
00:46:51
But I feel like if you're really good on the vendor side,
00:46:54
you understand customer obsession.
00:46:56
It pains me, it literally pains me, when a customer has an
00:47:03
issue and we're not solving it for X reason.
00:47:06
It truly bugs me to no extent.
00:47:10
And having that empathy, you know, to be able to hear them
00:47:17
out, to be able to, you know, feel the pain and the issues
00:47:21
that they're going through, right and try to be that
00:47:24
advocate, I mean, it takes, it takes a certain kind of person
00:47:28
to be able to do that and do that effectively as well.
00:47:31
Person to be able to do that and do that effectively as well,
00:47:33
right, to actually make the progress that you need within
00:47:35
the organization to not only, you know, deliver for this one
00:47:38
customer, but I guarantee you there's, you know there's a
00:47:41
thousand other customers out there or a thousand other
00:47:43
potential companies that you could say, oh, we already solved
00:47:46
this issue for you.
00:47:47
You know it's, um, it's a game changer really, in my opinion.
00:47:51
You know from Dom demisto, how do you start hacker valley.
00:47:56
Where do you like I?
00:47:58
I'm always fascinated, right where, when I bring on other
00:48:02
other podcasters which you have pivoted into a very, you know
00:48:06
even a unique area that I didn't even think of before, right,
00:48:11
it's like what made you want to go down this route.
00:48:14
Speaker 2: I've always loved being creative and you know, I
00:48:17
got my start in cyber because I was working at a public access
00:48:21
channel and I was doing some YouTube videos.
00:48:25
I had just met my wife around the time that I started to
00:48:30
create videos in general, and my wife she's a physical therapist
00:48:34
by trade and she has a company as well, doing physical therapy.
00:48:38
She was doing Instagram Lives for 30 days.
00:48:41
So she's like I'm doing this 30-day challenge and this was
00:48:43
right.
00:48:43
As we met, so I was like you know what I really like this
00:48:47
girl.
00:48:47
If she's out here doing 30-day challenges, so should I.
00:48:50
So I went live on YouTube for 30 days and this was like right
00:48:54
when the YouTube live streaming feature just came out.
00:48:57
So I started doing that.
00:48:59
And then Chris happened to jump on one of my lives Chris
00:49:02
Cochran, who's helped me, co-found Hacker Valley.
00:49:04
He jumped on one of the lives and he hit me up afterwards and
00:49:08
we used to work together.
00:49:09
He said, hey, like I really liked those live streams and
00:49:12
Chris was doing these workout videos on Instagram and I was
00:49:15
like I really like your Instagram videos.
00:49:18
A few months go by and he gets a job offer at Netflix and he has
00:49:22
to move to the Bay Area.
00:49:24
He moved to San Jose and he said hey, I'm going to be in San
00:49:27
Jose and my family you know my kids are going to finish up
00:49:30
their school year.
00:49:31
Can I stay with you until they finish?
00:49:33
I heard you have this hacker mansion on your live stream.
00:49:35
Me and my friend Marco, who was one of my mentors, we got a
00:49:40
hacker mansion.
00:49:40
We're like we're going to build , we set an intention, we're
00:49:43
like we're going to have a hacker house.
00:49:45
There's these programmers that have these programming houses,
00:49:48
but we're going to have a hacker house.
00:49:49
So we, we rented a like 5 square foot home in San Jose
00:49:54
just two guys.
00:49:55
And then boom, chris shows up.
00:49:57
He wants to move in for three months and during that time
00:50:02
we're all going through personal growth journeys.
00:50:05
It's very rare that three adult men live in a house together
00:50:10
without the specific circumstances bringing them
00:50:13
there.
00:50:14
Me and Chris you know I'm still doing my YouTube live streams
00:50:17
and then Chris says, hey, let's do one together.
00:50:20
And we jump on, and usually I was doing like tutorials.
00:50:23
We jumped on and we just had a conversation about cybersecurity
00:50:27
, alchemy, how to transform seemingly invaluable data to
00:50:32
valuable data, and that was little did I know.
00:50:35
I thought we were doing a YouTube channel.
00:50:37
Little did I know we were creating a podcast.
00:50:39
So we just kept doing it every week.
00:50:41
And then we decided to create a podcast page.
00:50:44
And then we were off to the races and started doing it and
00:50:49
we decided to start inviting other people because we wanted
00:50:52
to speak to cool people in the space.
00:50:53
So we started to bring on people that we never would have
00:50:58
had access to.
00:50:58
Vendors started to see that and say hold on, a second Hacker
00:51:02
Valley.
00:51:03
We saw that this person from Netflix was on your podcast as a
00:51:08
guest.
00:51:08
We want to put our brand on there.
00:51:10
Can we get an ad slot?
00:51:11
So we didn't know how to handle that.
00:51:19
And then one of our other friends who worked at Palo Alto
00:51:21
Networks with me after Demetra got bought by Palo Alto Networks
00:51:22
, he comes on.
00:51:23
He says I love working with young entrepreneurs and we were
00:51:26
like my gosh, we didn't even know we were building a business
00:51:29
.
00:51:29
So we immediately called up the bank and got an account or a
00:51:35
checking account, and then we were able to secure a sponsor
00:51:38
that reached out to us about sponsorship.
00:51:41
Chris has a gift.
00:51:43
He is low-key, one of the best salespeople I've ever met in the
00:51:48
cyberspace, especially because he makes sales not about selling
00:51:53
but about helping other people out.
00:51:55
That's Chris's motto, that's the name of the game and you
00:51:58
know like a little bit about me is also that customer obsession
00:52:01
attribute.
00:52:02
So together we just made like a powerhouse of doing cool content
00:52:06
on the podcast side and then we pivoted into being a full blown
00:52:10
creative media agency where we not only create podcasts but we
00:52:14
also create a wide variety of content, whether it be company
00:52:18
stories, commercials, internet series and anything that someone
00:52:24
could dream of.
00:52:25
But we bring in a unique spin.
00:52:27
Like, if you go and try to apply music to a lot of things,
00:52:32
the music is not going to sound good, it's going to sound like
00:52:34
elevator music or predictable stock music.
00:52:37
So one of my specialties, I would say, is like finding like
00:52:41
awesome music that fits a vibe and that really helps tell a
00:52:45
story in the way that you want to tell it.
00:52:47
So yeah, we just started as speaking on microphones and
00:52:52
talking to one another and then just kept iterating and we'll
00:52:56
see where it goes.
00:52:57
You know, right now it's creative media agency.
00:52:59
One day, I think it will be something different and I'm open
00:53:02
to the transformation as it comes.
00:53:05
Speaker 1: Yeah, it's interesting, you know, because I
00:53:08
always tell other people that I talk about with regard to my
00:53:13
podcast.
00:53:13
Right is that the big, the biggest benefit?
00:53:16
Right is that it opened the door for so many other
00:53:19
opportunities just by talking to different people right.
00:53:24
Opportunities that I never, ever would have had, never would
00:53:26
have known about, or anything like that.
00:53:29
You know, and that's that's the biggest thing you know when you
00:53:32
take that jump into something new, you don't need to know
00:53:36
everything right from the start right you mentioned.
00:53:39
You know, companies wanted to start, you know, taking out ad
00:53:43
space and whatnot.
00:53:43
You had no clue how to handle that.
00:53:46
Right.
00:53:46
And same thing with me, right, when I, when I got my first
00:53:51
sponsor, I had no clue how to handle that.
00:53:54
I had to ask them what they were talking about because I
00:53:57
couldn't process the word Like you're going to give me money
00:54:00
for what you know.
00:54:02
Like, what's the trick here?
00:54:04
You know, put yourself out there when you take that, maybe
00:54:10
that one little unknown task, and you start diving into it and
00:54:14
pressing in and you just take it day by day.
00:54:17
You know, something really special actually comes out of it
00:54:20
.
00:54:20
You know, and I don't think I've told you this before, but I
00:54:23
I've been watching, you know, hager Valley since the start.
00:54:27
Right, and you guys have really really encouraged me in ways
00:54:32
that are, you know, not not direct, but you, you have
00:54:35
encouraged me to keep going.
00:54:36
Like, I question if I should be doing this podcast.
00:54:40
Every once in a while I question it.
00:54:41
I'm like man, am I even, am I even making a difference?
00:54:44
Am I providing value?
00:54:46
And uh, you know, you guys have definitely encouraged me in
00:54:50
different ways to keep going, to keep pushing through right to
00:54:55
keep trying.
00:54:56
It's a fantastic journey, you know, and, ron, I know we're at
00:55:00
time.
00:55:00
I apologize for going a little bit over, but you know this has
00:55:05
been a fantastic conversation.
00:55:07
Speaker 2: I appreciate it.
00:55:08
Thanks for having me.
00:55:09
I would love to have you on my show and, yeah, it's been an
00:55:12
honor and a pleasure to you know , get to know you over this past
00:55:15
year or two.
00:55:16
Speaker 1: Yeah, absolutely, ron .
00:55:17
You know, whenever you want me on, I'm more than happy to make
00:55:21
it happen.
00:55:21
Ron, you know, before I let you go, how about you tell my
00:55:25
audience you know where they can find you if they want to reach
00:55:27
out and connect and where they could find Hacker Valley if
00:55:29
they've been living under a rock and they don't know?
00:55:31
Speaker 2: Yeah, so our website is hackervalleycom.
00:55:35
All of our podcasts are there.
00:55:36
The most, probably the best place to follow the content,
00:55:41
though, is YouTube.
00:55:41
It's just youtubecom.
00:55:43
Forward slash at Hacker Valley Media and LinkedIn.
00:55:47
Linkedin is a great way to stay in touch, not just from, like,
00:55:50
an external perspective, but if there's ever a piece of content
00:55:53
that you want to see HackerBotty produce or you just want to say
00:55:55
hi, that's the best place.
00:55:58
Speaker 1: Awesome.
00:55:59
Well, thanks, Ron, and thanks everyone for listening.
00:56:02
I hope you enjoyed this episode as much as I did.
00:56:05
Thanks everyone.