We Hack Purple Podcast

We Hack Purple Podcast 18 with Mehidia Afrin Tania

December 27, 2020 We Hack Purple! Season 1 Episode 18
We Hack Purple Podcast
We Hack Purple Podcast 18 with Mehidia Afrin Tania
Chapters
We Hack Purple Podcast
We Hack Purple Podcast 18 with Mehidia Afrin Tania
Dec 27, 2020 Season 1 Episode 18
We Hack Purple!

Host Tanya Janca learns what it's like to be a Bug bounty hunter, with Mehidia Afrin Tania.

This episode sponsored by Thread Fix!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357

Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A Safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter! For corporate virtual training contact [email protected] 

Show Notes Transcript

Host Tanya Janca learns what it's like to be a Bug bounty hunter, with Mehidia Afrin Tania.

This episode sponsored by Thread Fix!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357

Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A Safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter! For corporate virtual training contact [email protected] 

 welcome to the we hack purple podcast 

 where each week 

 we meet different guests people who work 

 in information security 

 and do all sorts of different types of 

 jobs the we hack purple 

 academy started this podcast so that all 

 sorts of newcomers to our industry could 

 learn what it's like to do various jobs 

 and the type of qualifications they need 

 to get them 

 what types of experiences you want who 

 you might want to go meet 

 books you might not want to read for 

 people who are already 

 in the information security field this 

 is just 

 super curiosity i've always wondered 

 what it's like to do this or that job 

 and so i am your host tanya janca and 

 this week our guest 

 is mahidia 

 and so yes you have a tanya and tanya on 

 the show yeah that's right it's 

 happening 

 and we are sponsored by the amazing the 

 awesome 

 the supportive thread fix and so without 

 further ado 

 because i know what you actually want is 

 to see 

 the guest and meet her so without 

 further ado here we have 

 tanya hi welcome to the show 

 hello thank you how are you i am good 

 i'm uh 

 i'm pretty excited for the episode 

 tonight 

 yeah i'm so excited we have sent 

 messages on the internet before but 

 never 

 got to have a lot of interaction and so 

 i'm like yes getting to meet yet another 

 cool person because the podcast 

 a thing that podcast guests don't tell 

 everyone is that like 

 secretly it's awesome being the host 

 because you get to meet 

 so many cool people um 

 so tell so please introduce yourself and 

 tell us what your job title 

 is uh myself is 

 uh but people usually call me tanya 

 and right now i'm doing msc in cyber 

 security and project management in 

 ukraine at bedfordshire university and 

 also i'm doing a bug bounty hunter or 

 you can say that i'm doing full time 

 back bounty hunting 

 and yeah i love my hunting profession 

 because 

 it's so very flexible for me that is 

 awesome 

 i am looking forward to hearing your 

 perspective on this because everyone 

 was we've had one other person on and 

 her name is katie 

 katie paxton fear and i know yeah 

 so we both think katie's awesome um 

 spoiler alert we think she's amazing 

 um and so yeah i i love 

 i don't know i'm very curious so i'm 

 gonna ask you lots of questions 

 and my my first question is like can you 

 describe 

 what a bug hunter does like what does 

 that mean 

 actually typically each and everyone 

 knows that you 

 have so many website that you have to 

 hack those website yeah it's typically 

 we can say that you have to hack the 

 website but 

 uh back in if you talk about the back 

 side 

 backhand side it's like that you have to 

 learn 

 a lot a lot after that you can get to 

 know what is actually backbonding 

 backgrounding is pretty much 

 awesome it's like not only web 

 perspective we can say from networking 

 from mobile 

 you can pretty much do anything it's 

 like normally 

 those there's so many well-known 

 companies or also vinyl platform they 

 give you 

 the ethical permission to hack the west 

 side 

 and after that you can get a pretty much 

 nice bounty but yeah for this reason you 

 have to learn so many things 

 for do you have to actually when you 

 want to hunt 

 you when you want to dump their website 

 when you want to crack 

 yeah i love it okay that is awesome 

 so a question i ask a lot 

 is what is a day in the life 

 like being a bug hunter like 

 when people are like what's it like to 

 be a ceo i'm like i am a slave to email 

 i just answer email like half of every 

 day and i hate that part but then the 

 rest of my day is totally awesome 

 so what is it like being a bug hunter 

 are you a slave to email i hope not 

 uh the thing is that at first i mean i 

 started my to learning in 

 2016. in that time if i said 

 as a beginner in that time my day was 

 pretty much rough 

 because in that time i have to learn so 

 many things it's like i have to go for 

 web i have to go for network 

 i have to go for programming because if 

 you 

 really want to be a good bug bounty 

 hunter some people i get to know that 

 they said that there is no need you need 

 you don't need to learn about 

 programming no as a professional bug 

 bounty hunter i always always say to 

 people that you have to be good in 

 programming 

 because if good in programming language 

 that is pretty much 

 awesome and it your line gonna be smooth 

 so from at the beginning it was rough 

 for me 

 but now right now is pretty much like 

 little bit smoother for me 

 but when i get to hunt like api 

 or sometime i get to do something like 

 rc or 

 school yeah in that time i have to spend 

 a lot of time in my day 

 it's like sometimes it takes 10 hours 

 but i didn't get anything but 

 uh yeah sometime it gets so much rough 

 do you feel like if you plug away at 

 something for 10 straight hours and you 

 don't find a bug like what does that 

 feel like is it frustrating or are you 

 like i'm gonna get you tomorrow or 

 uh from my career i get to learn one 

 thing that you have to be patient 

 you have to be a lot of patients because 

 if you don't find anything 

 it's pretty much normal even though in 

 this stage 

 because early in 2012 to 2015 i can say 

 that 

 it was pretty much easier easier to find 

 any bug from any website 

 but right now for all the people like us 

 website is getting smarter because we 

 are making smarter the website 

 and so right now it's pretty much 

 become harder so don't get frustrated if 

 you don't get anything but 

 yeah there is no loss if you don't find 

 anything there's nothing lost because 

 you get to learn so many things in this 

 24 hours 

 and it will be pretty much good for you 

 next step 

 so don't get frustrated and usually i 

 don't get frustrated as you said yeah 

 tomorrow i'll get to you 

 so maximum to my intention get that yeah 

 tomorrow i'll find something more 

 i feel like that's a really good 

 attitude um 

 i definitely don't know if i would be as 

 good at you 

 as you at that i could be impatient 

 and i have to say like as a person 

 that's on the blue team like the 

 defender i'm like 

 yes i'm glad it's getting harder to find 

 bugs i'm glad that our industry's 

 improving but uh but i'm sorry it makes 

 your job harder 

 what what type of personality traits do 

 you think you need to be a good bug 

 hunter so first of all you said patience 

 that seems number one but like 

 whether types of things like attention 

 to detail maybe 

 uh i feel like at first you have to be a 

 good listener 

 always keep in your mind that you have 

 to be 

 you have you have to listen because at 

 the beginning 

 you are like a baby so you have to treat 

 yourself like i'm a newborn baby 

 so i have to get to learn so many things 

 in this world and each and every note 

 this world is vast 

 i mean this cyber security is like it's 

 not like that okay 

 i get i know the python i know bob sued 

 i know how to interact with browser with 

 uh 

 uh server it's not the main thing 

 each and everything you have to get 

 updated so keep in your mind that you 

 have to be a good listener whenever you 

 are reading something right up when you 

 are listening some senior from senior or 

 when you get to 

 uh watching some videos from mentors 

 try to be a good listener because i find 

 that 

 when i uh learn when i want to learn 

 something new 

 i have to become and i have to be a good 

 listener when i 

 follow these things i always get 

 benefited always always 

 so yeah you have to be a good person 

 that sounds 

 pretty important for yeah i have to say 

 i wish that everyone was a good listener 

 because i bet 

 all of everything would go better if we 

 all had more patience than listening but 

 yeah 

 i think yeah you make a good point 

 yeah because in this field you don't 

 have any option 

 you could say that okay i'm a smarter 

 but when you get to 

 like in your field job you start working 

 actually you have to know without 

 knowing anything you can't do anything 

 in this field 

 so this is the thing that is a very 

 very good point for those that are 

 tuning in 

 you can ask our guest tanya 

 a question if you want to you can also 

 click the thumbs up button you should 

 probably do that just in case 

 so i have more questions of course 

 um what types of technical skills do you 

 think 

 someone needs to be a bug hunter so you 

 said they probably 

 need to know programming would do they 

 need to know certain programming 

 languages or 

 like all of them or what do you think 

 uh or i can say from 

 a beginning perspective because maximum 

 time when people watch 

 podcast make some time i get i find that 

 more or less they're beginner 

 so as a beginner if someone watching me 

 then i was supposed to say that you 

 should learn at first python 

 because python is i can say backbone of 

 nowadays eating everything so many 

 tools that i'm using i can say i'm using 

 bob sure i can say i'm using 

 nmap or i can say i'm using workshop 

 there's so many tools that i'm using 

 but in the these tools you have to know 

 the basic thing of python because 

 if you know the basic thing of python 

 programming it's going to be so much 

 easier for you to 

 understand the common line you can 

 understand the http request 

 there's lots of easier for you and the 

 second thing is that 

 in my career i have found so many 

 excesses bug so 

 if you want to focus on this exercise 

 bug then you have to 

 know about javascript because in 

 javascript you have to use so many 

 payload 

 so many cheat sheet which g sheet are 

 created from javascript 

 so if you don't know the syntax of 

 javascript you can't 

 apply any random payload from any blank 

 space 

 it's like you are throwing any cheat 

 sheet in a blank space 

 and it's like you don't know anything 

 what you're doing 

 so if you don't know anything it's not 

 going to work 

 so it's like that there's so many 

 programming languages 

 sorry you don't need to like that learn 

 so many programming languages 

 but the sort of thing you have to really 

 really know python programming obviously 

 javascript obviously and obviously you 

 have to know the basic thing of 

 networking because i find that people 

 don't understand 

 how your tp how your 

 network ip is connected so people get 

 confused 

 where is the ip coming from why is the 

 ip or 

 which ip should i uh interact so which 

 ip should i follow 

 so if you don't know the basic thing of 

 networking then it gonna be a little bit 

 tougher for you so obviously 

 basic of networking basic of web 

 and programming python java yes for the 

 beginning it gonna work for you 

 no that's a really good list because 

 sometimes people will tell me like 

 oh it doesn't matter and it's good to 

 actually have a specific list that 

 people can look at 

 i actually don't know python i or i've 

 never programmed a thing in it i guess 

 i've read 

 a bit of python because i was looking 

 through something before but 

 i've always like like maybe i need an 

 excuse to learn it 

 and yeah 

 i have to say that when i start learning 

 python i get to 

 impress day by day and i was start to 

 regretting because 

 at first in my university i have to 

 learn c then i have to learn c 

 plus plus then i have to learn java so 

 in this three programming for that 

 under grade level it was a little bit 

 harder for me 

 and i was in that time i was not also 

 interested to learn programming i was 

 like oh my god program is not 

 type of me i should 

 take some excuse that you are saying but 

 after that when i started learning 

 python i said oh my god this is so easy 

 i mean see just making us crazy yes 

 she's hard it's so hard um there's a 

 question 

 in the chat so um someone is 

 uh matusa's asking uh is 

 mahidia's preference of python and 

 javascript a regional choice so she's in 

 bangladesh 

 and yes she is awake very late 

 and i appreciate her staying up to be on 

 the show 

 um but is is it that people use it more 

 in bangladesh or is it that's the whole 

 world 

 runs on javascript and python 

 it's not any really regional or 

 something like that 

 it's like day buddy when i get to 

 become a full-time bug boundary i feel 

 like that is your daily purpose needed 

 because you know each and every tool 

 right now you're using 

 it could be manual it could be automated 

 tool every tool are based on python 

 so is it in the near future it gonna be 

 beneficial for you it's not like that 

 only in my country people are only 

 focusing on this particular language no 

 it's not like something like that 

 and if you're talking about javascript 

 i'm talking about javascript particular 

 because 

 i get to find so many excesses bug so 

 xss bug is basically 

 a form of javascript in javascript we 

 have to write down so many t-shirt and 

 this t-shirt is a creator from 

 javascript that's i'm saying this 

 oh i i know but that's a really good 

 question thank you 

 um so i have a question is so um 

 so you speak bengali are there lots of 

 resources that are in bengali and is 

 there a specific resource that maybe we 

 could share 

 ah right now in our website that not 

 that much because we started only three 

 months 

 uh and if you're talking about other 

 resources 

 then you can be specific so that i can 

 say yeah you can get this disease 

 oh i was hoping you would tell us about 

 indie 

 skill db.com oh yeah 

 in in this skill in this in this case 

 just only three months is so you can say 

 also stealer is a newborn baby and we 

 have a little bit 

 breakdown because i just moved to my 

 country to london 

 so i in that my website basically i have 

 three more members they are also back 

 bounty hunters in my country 

 so we started thinking that we should do 

 something only for 

 our country because in our country i see 

 a 

 big massive growth of bug bounty uh 

 back in 2015-16 there was like 

 internationally there was like few 

 people 

 from my country but right now i'm so 

 happy to say that there's so many so 

 many good bug bounty hunters 

 they're coming and those who are 

 considered like that okay 

 we know a little bit of bug bounty and 

 they are 

 thinking that we can give them some 

 information 

 so we thinking that it's our 

 responsibility to do something for our 

 community 

 that is awesome i'm going to spell it 

 out for people that are listening 

 so just to be clear it's all written in 

 bengali so if you don't know bengali 

 it will be very confusing but it's indie 

 i 

 n d y skill s k 

 i l db like database.com 

 and if you speak at bengoli you could go 

 and learn a whole bunch of stuff so they 

 actually have a bunch of articles 

 already there 

 there are so many blogs on this planet 

 with just one post and you already have 

 four or five posts so i think you're 

 doing great for three months 

 thank you so um 

 so of course i have more questions so 

 let's say someone 

 is you know they're like this sounds 

 cool i wanna 

 i wanna take some training to try to 

 become a bounty hunter 

 can someone like go to university and 

 take a course to become a bounty hunter 

 uh honestly if i say from my experience 

 still not i didn't see any academical 

 university 

 no there is no uh and still not a 

 not still in near future it will always 

 consider like a freelancer 

 so if you want to be a freelancer in bug 

 bounty field 

 i feel like you should be a self-learner 

 because there are lots of lots of 

 resources right now in internet 

 if you are determined that okay i want 

 to be full-time but bounty hunter 

 you don't have to go for any academical 

 purpose or you don't need to go 

 any teacher it's like there's lots of 

 resources 

 because for me i get to learn naham say 

 there's a 

 we know everyone homesick jo zobert from 

 hackaron co-founder 

 and i also get to know katie and i also 

 get to know cyber mentor 

 this is all so much famous uh uh 

 youtuber 

 i i really follow them and i also get to 

 know so many things from them 

 and especially especially i always have 

 recommend the newcomer that please 

 follow the twitter 

 because when i start to follow twitter 

 it's like boom 

 i get to know so many things at a time 

 every time each and every day they are 

 posting so many technical advance so 

 many zero days report 

 so many new report i mean it's like 

 sometimes like your bucket is so much 

 full you get confused from which that 

 you should that 

 is awesome that's good to know there's 

 lots of free resources 

 um yeah there is an excellent question 

 in the chat from muhammad 

 so what do you think about 

 the future of artificial intelligence 

 and machine learning do you think it's 

 going to take the cyber security experts 

 place 

 are we in danger of losing our jobs 

 uh it's like a little bit diplomatic 

 answer for me 

 for if i talk about from a cyber 

 security aspect 

 no it's not gonna take like that much 

 that we think like dramatically 

 movie we say i feel like that usually 

 people when asked this type of question 

 they're so much fascinated with 

 a movie that movie they are watching 

 that yeah one day they're gonna take 

 each and everything and we're gonna be 

 lost oh my god robot gonna take 

 everything 

 no in real life it will take so much 

 time 

 it's not gonna work i have to say i find 

 artificial intelligence and machine 

 learning still seems pretty confused 

 like 

 for instance so this summer i wanted to 

 buy rain barrels so to collect 

 all the water that falls when it rains 

 so that then i can keep it for when it's 

 dry and then i can water 

 my garden and so i i looked up some and 

 then i picked the one i wanted 

 for three months they kept trying to 

 sell me rain barrels like i have four 

 rain barrels 

 why do you keep trying to sell it to me 

 like they're so dumb 

 and so i'll buy a dress and then they'll 

 try to sell me the same dress yes i know 

 i look great in that thank you 

 i already own it i should wear it today 

 you're right but i'm just like what are 

 they doing 

 like i think there's a lot still missing 

 with the artificial intelligence and 

 machine learning 

 yeah i feel like it's not like lots of 

 missing is i feel like 

 the most of the artificial intelligence 

 that work based on data 

 so your data must be matched 

 with this person or with this context 

 you are working 

 so uh sometimes i get that when i feel i 

 also i watch some robotic videos that 

 there's a robotic kitchen 

 in that kitchen if you just write down 

 sorry press the menu then the kitchen 

 robot hand will make it and everything 

 for you 

 so it's obviously based on your data 

 that in that person uh like that the 

 person what he like or should she like 

 and what she wants to eat 

 based on this space that they created 

 that her 

 handy grow board so i feel like is 

 basically based on your data you have to 

 collect a good pretty amount of data 

 yeah and it's it's hard to get high 

 quality data 

 and then training the model is very very 

 expensive and then there's just so many 

 anomalies 

 yeah when i've been watching like videos 

 about 

 like speakers talking about like hacking 

 machine learning 

 it's usually 

 yeah yeah they're 

 i just have i just have so many thoughts 

 um 

 but i have more i have more questions so 

 let's say 

 thank you for the question muhammad 

 thumbs up that's a great question 

 so what so like let's say someone they 

 want to become 

 a bounty hunter and they're following 

 some of the videos 

 online what types of work experience do 

 they need 

 to get their first bug bounty 

 contract or job do they need to have job 

 experience 

 how does that work uh it's not like that 

 typically you need some job that we seek 

 normally 

 from any side or any company it's like 

 you need the skill 

 rather than i can say the uh 

 quality i can say that you need the 

 skill because 

 as previously i said that if you have 

 the skill of programming if you have the 

 skill of web and networking 

 then it will be easier to find you the 

 bug 

 but for me it likes to 

 more than seven months i was like uh 

 hoping oh my god i wish i could buy 

 find a bug before my birthday because 

 when i start to work yeah 

 i was targeting my birthday okay before 

 my brother i should get a bounty 

 but it was the yeah in that time i was 

 sad but i was not disappointed because 

 in that time i didn't get any work 

 you didn't get one by your birthday i 

 don't know before in my 

 birthday i didn't get anything and 

 but after my birthday's two months i get 

 my first birthday and it was 250 

 a dollar and i was so that's happy 

 no it's not like that you need some 

 extra quality it's like you need 

 you have to build up your own skill 

 okay i like it we are approximately 

 halfway through the podcast so i am 

 going to thank our amazing sponsor 

 so this is we have purple podcast but we 

 are sponsored by threadfix powered 

 by denim group and they are the most 

 stupendous 

 vulnerability management system this 

 side of the 

 galaxy and there are a lot of 

 vulnerability management systems this 

 side of the galaxy so that is an 

 incredible claim and i have to say 

 i really like their product so thank you 

 threadfix for sponsoring us we really 

 appreciate it but i have more questions 

 for you tanya 

 so so let's say someone's watching this 

 and they're like okay 

 so i can follow some stuff online 

 what type of learning path do you think 

 someone could take to try to get into 

 your field like is there a specific 

 place that you feel that they should 

 start or specific 

 like priority maybe of order of things 

 to focus on so that they can 

 find bugs sooner 

 yeah obviously there is pretty much 

 thing that you have to follow 

 like when you start to learn we always 

 get to know the word of o w asp 

 so we always know that owsp that's the 

 top 10 bug 

 so uh when you start to learning back 

 boundary it's not like that within one 

 or two months you'll get to know each 

 and every bugs no it's not like that 

 and even though if you like okay you 

 know the first of all you know the 

 broken authentication 

 you know the exercise or you know the rc 

 you know the only basic thing 

 don't try to find out each and 

 everything at a time 

 it's like if you start to reading broken 

 authentication 

 so for me i followed that at first i 

 start to learn 

 excesses so for me at the pretty much 

 more than six or seven months i just 

 concentrate on 

 this exercise because i feel like when 

 you get 

 some skill or when your hand becomes 

 smooth with 

 particular bug you will find some 

 confidence from yourself 

 okay now i know exactly this this end 

 point 

 so i can get to know exactly in this 

 point 

 if i uh upload any payload i'll get the 

 response 

 so in that contest you will get some 

 confidence 

 don't go for a rush each and every bugs 

 at a time if you get to learn then just 

 at first for the beginning 

 only considering only one buck and try 

 to get polish on that box 

 then it will be easier for you that's 

 really good advice honestly when i was a 

 web app pen tester i thought i had to 

 know everything at the start 

 and so i was always disappointed myself 

 and yeah it's a really good point if 

 you're just like 

 are really the best at one type of bug 

 if you're a bug hunter then you can just 

 go around be like found some found some 

 found some 

 smart okay i like this so 

 in your um in your opinion does being a 

 bug hunter pay 

 well so some jobs in infosec pay lots 

 some don't 

 don't pay as much do you feel that bug 

 hunting 

 is a high-paying job 

 at this moment obviously i should say 

 it's a pretty 

 high because if i want to do any nine to 

 five in four six job 

 it could depend on my luck also on my 

 skill 

 also there's a official environment 

 so it depends so many uh options 

 but in my back body hunter and uh 

 profession is 

 like if you have a good skill 

 and if you're working more than two or 

 three years 

 it gonna be take you like a position in 

 that position if you 

 just open any website or if you start to 

 hacking any private site 

 you exactly get to i mean you exactly 

 know where 

 you are working and what type of bug you 

 could find 

 so you it's already your mind is already 

 set 

 so it's very easier for me i know that 

 how much money i can get 

 so sometimes it's also depend on me okay 

 if i get 

 if i find this book okay now i'm 

 planning that in this 

 four week i'll find this this is bug and 

 i know in this website 

 it's pretty much easier for me so in 

 that contest i can say 

 it's pretty much higher than others uh 

 pay at the 9-5 job 

 would you say that also because it 

 depends on which country you live in 

 so for instance i live in canada and the 

 american dollar 

 is worth more than the canadian dollar 

 and so when i do contracts for american 

 companies they pay me on american 

 dollars and i'm like 

 would you say that that also applies too 

 so like if 

 in bangladesh for instance i don't know 

 how much 

 their money is worth in the translation 

 but like 

 in my country american dollars are worth 

 more 

 so i always if i can want to be paid in 

 american dollars instead of canadian 

 dollars 

 is it like that for you so you said you 

 listen 

 yeah exactly the same situation in my 

 country because 

 i can say yeah my experience 

 uh well now right now i'm doing msc in 

 uk 

 and maximum tuition fees come from my 

 bounty 

 i'm being honest with you so maximum two 

 shoes that come from my mounties so only 

 for 

 this i can able to do this so when in my 

 country when i get like five hundred 

 dollar one thousand dollar 

 in my country's currency is much bigger 

 so yeah 

 it's pretty cool okay so that's awesome 

 yes um 

 do you feel like there's lots of 

 opportunities in the 

 like in the bug bounty field like 

 there's lots of jobs like if 

 if someone wants to try to do it are 

 there opportunities 

 yeah obviously because right now this 

 field i mean i feel like each and every 

 generation they have 

 a specific field which is become 

 a eye-catching field for every 

 generation so 

 i feel like in this our generation 

 infosec cyber security bug boundary is 

 almost most eye-catching field 

 it's not like there's someone thinking 

 that okay now you're doing freelancing 

 it's not so well-known job or what 

 should we gonna say you are freelance 

 and no no it's not 

 exactly it's not like that from bug 

 bounty i get to know 

 pretty much so many things about infosec 

 so when 

 i start to do something like nine to 

 five job 

 it will be the same qualification they 

 needed so i can put my qualification in 

 my cv 

 already which i'm doing so yeah it's 

 this is so much optional you can work 

 like if you want to be a want to work in 

 red team if you want to work in blue 

 team 

 or if you want to in trade intelligence 

 there's lots of 

 options you can work yeah and do you 

 feel 

 like the experience of being like 

 an experienced multi-year bug hunter 

 then 

 could potentially make you a really 

 amazing red team or a really amazing 

 security 

 like long-term security researcher or 

 perhaps like a really good penetration 

 tester 

 yeah obviously because uh before coming 

 in here 

 i was working as a red team researcher 

 in my country there's a company it's 

 called beetle cyber security 

 and this is the one of the most renewed 

 company in my country 

 so in that company i was working as a 

 red team researcher 

 so they only they just only took me 

 because i have a back boundary 

 experience only for this reason they 

 gave me that job and i 

 worked in that office more than two i 

 mean sorry more than one years 

 nice few so like i i don't know 

 that much about bangladesh but from the 

 outside it looks like the tech 

 industry is like exploding there like 

 that there's more and more tech 

 yeah okay so that's what it looks like 

 from the outside so that's what it looks 

 like from the inside too okay that's 

 good 

 i can say that you're in hacker run in 

 background even in scenic in cobalt 

 that is so much senior people from my 

 country 

 nice awesome okay so 

 now a super hard question what do you 

 like best 

 about bug hunting like what's your 

 favorite part 

 [Music] 

 uh i want to be a little bit funny that 

 when i get bounty it 

 makes me happy 

 whenever someone get bumped he is so 

 happy it makes them so happy 

 when i found my first vulnerability i 

 did a happy dance yes 

 [Laughter] 

 uh when i get my first bounty i scream i 

 i was screaming like a lot oh my god 

 do you still feel really happy every 

 time you get a bounty you're like yes 

 obviously because it always it likes 

 that it's my target 

 i want to fill up my target i always 

 feel like that is my target i want to 

 achieve this target 

 so i always feel like that and in my 

 say feel i can say that when you 

 start working you have to be a positive 

 attitude that you have to accomplish 

 this target 

 so it will always makes you happy never 

 take like that oh my god it's a burden 

 for me 

 i can do this no no never think like 

 that if you when you start thinking like 

 that it's become burdened for you 

 yours in that there you will literally 

 stop 

 loving your job don't do that always be 

 a positive 

 oh my gosh i i wish that you could give 

 that advice to everyone 

 when you think of like the duty of your 

 job as a burden 

 you're gonna start hating your job 

 that's such a that is very wise 

 yeah okay so 

 i asked what you like the best what is 

 the thing that you like the least 

 about your job 

 it's like that uh there's so many nights 

 i spend 

 finding nothing sometimes you're trusted 

 i have to be honest that sometimes you 

 get frustrated 

 sometimes i feel like that uh it's 

 nothing that day was 

 like i didn't get anything but at the 

 same time i said to myself that 

 uh even though i didn't find anything 

 but 

 the amount of time i spent in this 

 website in this contest i get to know so 

 many technical steps which i 

 didn't know previously it's like in my 

 office there was 

 uh there was a hector box program 

 because in my 

 bangladesh office you used to do cdf and 

 hack the box 

 because uh my boss think that it will 

 polish your skill 

 yeah i also believe that if you do as 

 much as 

 you do ctf and hack the box it will 

 literally increase your skill 

 so i still remember that my boss gave me 

 a problem from hector box 

 and it took me three days to find and to 

 upload a show 

 in that so i was 

 literally frustrated oh my god i am not 

 getting that i can't upload the show 

 but at the same time i also feeling the 

 anger 

 no i have to put the show i have to 

 inject that shield 

 so yeah after three days i get to do 

 that 

 nice that must feel just like so 

 satisfying you're like that's right i'm 

 the boss of you computer 

 i i feel that when i finally get the 

 thing working i'm like that's right 

 yeah obviously 

 so what what makes you feel the most 

 pride 

 about your job so like i 

 like i am a teacher right so like i 

 teach people how to make secure software 

 so when 

 someone really gets it or they tell me 

 oh i 

 use this thing i learned from you and 

 this awesome thing happened at work i'm 

 like 

 yes and so that makes me feel really 

 proud 

 what makes you feel proud like with bug 

 hunting 

 uh in my side it was pretty much a 

 little bit similar because 

 in my country now i become little bit 

 organized 

 senior because it's been more than three 

 years so 

 sometimes i get not sometimes sorry 

 maximum time i get so many messages so 

 many texas they want to know this they 

 don't 

 know that so still now i'm trying my 

 best to help them 

 and i still remember that there's a new 

 guy 

 he wants to know about http injection 

 and he don't know anything about http 

 so i get i provide him 

 the information and the links and the 

 practice that he can do 

 and still now i can remember that he got 

 a buck from hacker one and 

 it was maybe a 400 or something boundary 

 and i feel very happy for him 

 that finally he get to know this thing 

 and the second thing is that in my 

 country when i start 

 this bug boundary i was the only girl so 

 from my office they gave me so much 

 honor when i started working because 

 in my office there was 18 member 

 and i was the only girl in that red team 

 amazing that's awesome yeah 

 you may not be a role model for other 

 women 

 oh no not like that but i want to work 

 for my heart that 

 it must be i mean i want to be always 

 honest in my work 

 that's awesome so 

 okay so what advice would you give 

 someone 

 that wants to become about hunter 

 like male female or from bangladesh or 

 from somewhere else what 

 what advice do you think could help them 

 ah but the thing is recently i also got 

 some message 

 from my university there's a guy he also 

 wants to 

 learn back bounding i always always 

 prefer and i always say to the newcomer 

 that at least at first try to know what 

 is 

 actually bug boundary because still now 

 i get i'm getting the message that 

 people are confused 

 what is actually bug bounty people 

 always get too fascinated with so much 

 high bounties people think that oh my 

 god in this field you will get so much 

 higher bounties 

 and maybe it's so easier now don't go 

 with that bounties 

 at first try to understand what is 

 actually bug bounty and 

 and then don't ever think that bug 

 bounty is only for hacking 

 facebook or insta or gmail because i get 

 so many message 

 i get so many messages about this don't 

 think like that 

 and obviously try to be a good listener 

 and at first at first try to learn 

 something based on programming 

 because if you have the good and basic 

 strong 

 of programming it will be so much easier 

 for you 

 and after that obviously if you want to 

 be a web security expert then go for web 

 if you want to be networking then go for 

 network 

 yeah do you do you have people write you 

 and say 

 hey could you hack this person for me 

 could could you like hack into my 

 ex boyfriend or ex-girlfriend's account 

 because like i was like 

 [Laughter] 

 like you know the guy he takes me that 

 uh in my university he was pretty much 

 like something 

 that he said that i want to crack the 

 gmail 

 and instagram id from people and also in 

 my countries i got so many texas 

 that uh please could you please hack my 

 girlfriend id could you please hack my 

 boyfriend 

 and i always said that please don't talk 

 with this stupid question with me 

 and a little maximum i get so much 

 angrier because 

 there people only think that bug bounty 

 or hacking is something only based on 

 facebook insta 

 no this is not yeah also we're 

 law abiding citizens and don't insult us 

 by asking us to commit crimes for you 

 it's not cool it's it's like rude right 

 like could you imagine if you're like 

 hey you're really limber will you break 

 into this person's house for me no 

 who asks that but it's like oh could you 

 hack into this person's accounts like no 

 and i also said the same uh one thing to 

 that people i said 

 do you think that facebook instra or 

 gmail 

 cyber security india they're so much 

 full that you can make them full 

 no man they are spending a lot of 

 million dollars 

 so how could you think that only i can 

 do something and they're already gonna 

 be hacked no 

 not like that yes okay so we have 

 another question in the chat but i also 

 want to ask everyone in the chat if 

 you're enjoying this conversation if you 

 could click the thumbs up button for me 

 and if you are listening to this 

 if you could give us a podcast review on 

 podcast reviews or pot there i think 

 there's something called podcast love 

 there's itunes there's all these 

 different places where you could review 

 us 

 that helps us know we're doing a good 

 job and if you send us a direct message 

 on twitter 

 we hack purple and send us your mailing 

 address we will mail you stickers yes 

 that's correct i am offering bribes for 

 reviews i don't pretend i'm doing 

 something else 

 so let's look at the question from 

 muhammad okay 

 so he says i have one more question 

 cyber security experts 

 usually rely on built in operating 

 system tools or sometimes you have to 

 develop 

 one for a specific situation 

 do you want me to read that again oh you 

 got it 

 no i get it yeah pretty much like that 

 because 

 there's so many automated tools but in 

 that automated tool you will get a rough 

 estimated result 

 but if you really want to do some 

 practical hacking 

 then you have to do it manually like i 

 do because 

 i never rely on the automated tool 

 sometimes 

 i want to see the rough estimated 

 like uh in my office i sometimes we use 

 nessus in nessus we get 

 some rough estimated result okay in this 

 website you will have some 

 might be rc some might be xql or 

 you can get some http problems 

 but they give you a rough rough 

 estimated but they don't give you the 

 specific problem 

 that you'll get to find out from 

 manually because in manual when i do 

 some brute force or sometimes when i do 

 like want to do upload any show i have 

 to do it manually i didn't rely on any 

 automated tool it even it does it 

 not gonna work like that that we because 

 in manually 

 there's so many tricks that which is 

 created by own 

 myself only i know how to trick them 

 only i can apply them yeah so which i 

 get to learn 

 from my experience which you can get 

 from automated tool 

 so if you're thinking like that okay i 

 will upload some automated tool and i'll 

 hack this website no it's not gonna work 

 like that 

 that is such a good way to put it too 

 because automated tools will always miss 

 lots of things yeah i mean it will just 

 give you a 

 normal result yeah rough result that 

 okay blah blah you'll get the 10 bucks 

 you'll get the 10 problems 

 but you will get to you'll never be a 

 pacific like i i need to know the 

 specific problem 

 which will give me actually the bounty 

 yes 

 yes so much yes there 

 um so i have two 

 more questions for you and then i have 

 to wrap up 

 so do you do 

 other or wait do you do other things 

 outside of information security 

 um that you want to share like for 

 instance 

 i guess we already know that you do 

 indieskilldb.com which i'm putting on 

 the screen underneath you 

 but is there anything else that you want 

 to share or raise awareness about that 

 matters to you 

 uh right now actually i'm doing my msc 

 so it little bit 

 messed up for me because it's just only 

 two months i moved in here 

 and right now i'm just focusing on my 

 study because at the same time i'm start 

 to living alone without my family 

 so it's a little bit messy for me oh my 

 gosh i must be so much 

 yes so 

 oh sorry yeah please no no please 

 my last question is probably something 

 that is on many people's mind 

 is if someone wants to know more about 

 you 

 so they can follow you on twitter at 

 m e h i d i a 

 a f r i n so yeah 

 media afrin but 

 on linkedin you have mahidia 

 so people want to follow her there you 

 can follow her that but add 

 tanya but what like 

 do you have upcoming talks or do you 

 have anything else that you want to 

 share with us of something that you've 

 worked on 

 and it's okay if you don't but like just 

 give everyone the option 

 uh honestly i really like to talk with 

 you because the way 

 is speaking and you feel me comfort 

 before starting this interview i was a 

 little bit 

 nervous i was thinking that okay what 

 should i say 

 and in my life it is the first postcards 

 that i'm doing 

 so i was a little bit nervous but thank 

 you you make me so much comfortable and 

 it was pretty good to talk with you 

 and you are doing really great i i was 

 thinking that i should 

 i i said that i was thinking that i 

 should buy your books 

 because they're really doing good oh 

 thank you so much and i should say to 

 your audience yeah 

 go for tania super books it's a pretty 

 good okay so speaking of my 

 book i was supposed to talk about my 

 book so i'm just putting it on the 

 screen for a second 

 i wrote the book called alice and bob 

 learn application