Host Tanya Janca learns what it's like to be a Bug bounty hunter, with Mehidia Afrin Tania.
This episode is sponsored by ThreadFix!
Buy Tanya's new book on Application Security: Alice and Bob learn Application Security https://www.amazon.com/Alice-Bob-Learn-Application-Security/dp/1119687357
Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/
Join our Cyber Security community: https://community.wehackpurple.com/
A Safe place to learn and share your knowledge with other professionals in the field.
Subscribe to our newsletter! For corporate virtual training contact info@wehackpurple.com
Welcome to the We Hack Purple podcast, where each week we meet different guests, people who work in information security and do all sorts of different types of jobs. The We Hack Purple Academy started this podcast so that all sorts of newcomers to our industry could learn what it's like to do various jobs and the type of qualifications they need to get them, what types of experiences you want, who you might want to go meet, books you might not want to read. For people who are already in the information security field, this is just super curiosity: I've always wondered what it's like to do this or that job. And so I am your host, Tanya Janca, and this week our guest is Mehidia. And so yes, you have a Tanya and a Tania on the show. Yeah, that's right, it's happening. And we are sponsored by the amazing, the awesome, the supportive ThreadFix. And so without further ado, because I know what you actually want is to see the guest and meet her, so without further ado, here we have Tania. Hi, welcome to the show.
Hello, thank you. How are you?

I am good. I'm pretty excited for the episode tonight.

Yeah, I'm so excited. We have sent messages on the internet before but never got to have a lot of interaction, and so I'm like, yes, getting to meet yet another cool person, because the podcast... A thing that podcast guests don't tell everyone is that, like, secretly it's awesome being the host, because you get to meet so many cool people. So please introduce yourself and tell us what your job title is.

My name is Mehidia, but people usually call me Tania, and right now I'm doing an MSc in Cyber Security and Project Management in the UK at Bedfordshire University, and also I'm a bug bounty hunter, or you can say that I'm doing full-time bug bounty hunting. And yeah, I love my hunting profession because it's so very flexible for me.

That is awesome. I am looking forward to hearing your perspective on this, because we've had one other person on, and her name is Katie, Katie Paxton-Fear, and I know, yeah, so we both think Katie's awesome. Spoiler alert, we think she's amazing. And so yeah, I love... I don't know, I'm very curious, so I'm gonna ask you lots of questions. And my first question is, like, can you describe what a bug hunter does? Like, what does that mean?
Actually, typically each and everyone knows that there are so many websites that you have to hack. Yeah, typically we can say that you have to hack the website, but if you talk about the back side, the back-end side, it's like that you have to learn a lot, a lot, and after that you can get to know what bug bounty actually is. Bug bounty is pretty much awesome. It's not only from a web perspective; we can say from networking, from mobile, you can pretty much do anything. Normally there are so many well-known companies, or also bug bounty platforms, that give you the ethical permission to hack the website, and after that you can get a pretty nice bounty. But yeah, for this reason you have to learn so many things, because when you want to hunt, when you want to hunt on their website, when you want to crack it.

Yeah, I love it. Okay, that is awesome. So a question I ask a lot is, what is a day in the life like, being a bug hunter? Like, when people are like, what's it like to be a CEO, I'm like, I am a slave to email. I just answer email, like, half of every day and I hate that part, but then the rest of my day is totally awesome. So what is it like being a bug hunter? Are you a slave to email? I hope not.
The thing is that at first, I mean, I started learning in 2016. In that time, if I say, as a beginner, in that time my day was pretty rough, because in that time I had to learn so many things. It's like I had to go for web, I had to go for network, I had to go for programming, because if you really want to be a good bug bounty hunter... Some people, I got to know, they said that there is no need, you don't need to learn about programming. No. As a professional bug bounty hunter I always, always say to people that you have to be good in programming, because if you're good in a programming language, that is pretty awesome, and your line is gonna be smooth. So at the beginning it was rough for me, but right now it's a little bit smoother for me. But when I get to hunt, like, APIs, or sometimes I get to do something like RCE or SQLi, yeah, in that time I have to spend a lot of time in my day. It's like sometimes it takes 10 hours, but I didn't get anything. But yeah, sometimes it gets so rough.

Do you feel like, if you plug away at something for 10 straight hours and you don't find a bug, like, what does that feel like? Is it frustrating, or are you like, I'm gonna get you tomorrow?
From my career I got to learn one thing: that you have to be patient. You have to have a lot of patience, because if you don't find anything, it's pretty normal, even though in this stage... Because early on, in 2012 to 2015, I can say that it was pretty much easier to find any bug on any website, but right now, for all the people like us, websites are getting smarter, because we are making the websites smarter. And so right now it's become pretty much harder. So don't get frustrated if you don't get anything, but yeah, there is no loss if you don't find anything. There's nothing lost, because you get to learn so many things in these 24 hours, and it will be pretty good for your next step. So don't get frustrated, and usually I don't get frustrated. As you said, yeah, tomorrow I'll get to you. So mostly my intention is that, yeah, tomorrow I'll find something more.

I feel like that's a really good attitude. I definitely don't know if I would be as good as you at that; I could be impatient. And I have to say, like, as a person that's on the blue team, like the defender, I'm like, yes, I'm glad it's getting harder to find bugs, I'm glad that our industry's improving, but I'm sorry it makes your job harder. What type of personality traits do you think you need to be a good bug hunter? So first of all you said patience, that seems number one, but like, what other types of things, like attention to detail maybe?
I feel like at first you have to be a good listener. Always keep in your mind that you have to listen, because at the beginning you are like a baby, so you have to treat yourself like, I'm a newborn baby, so I have to get to learn so many things in this world. And each and every note... this world is vast. I mean, this cyber security is like, it's not like that, okay, I know Python, I know Burp Suite, I know how to interact with the browser, with the server. That's not the main thing. Each and every thing, you have to get updated. So keep in your mind that you have to be a good listener, whenever you are reading some write-up, when you are listening to some senior, or when you get to watch some videos from mentors. Try to be a good listener, because I find that when I want to learn something new, I have to become, I have to be a good listener. When I follow these things I always get benefited, always, always. So yeah, you have to be a good listener.

That sounds pretty important. Yeah, I have to say I wish that everyone was a good listener, because I bet all of everything would go better if we all had more patience and listening. But yeah, I think, yeah, you make a good point.

Yeah, because in this field you don't have any option. You could say that, okay, I'm smarter, but when you get to, like, your field job, you start working, actually you have to know. Without knowing anything you can't do anything in this field.

So this is the thing, that is a very, very good point. For those that are tuning in, you can ask our guest Tania a question if you want to. You can also click the thumbs up button; you should probably do that just in case. So I have more questions, of course. What types of technical skills do you think someone needs to be a bug hunter? So you said they probably need to know programming. Do they need to know certain programming languages, or like all of them, or what do you think?
Or I can say from a beginner's perspective, because most of the time when people watch a podcast, sometimes I find that more or less they're beginners. So as a beginner, if someone is watching me, then I'm supposed to say that you should learn Python at first, because Python is, I can say, the backbone of nowadays, of everything. So many tools that I'm using: I can say I'm using Burp Suite, I can say I'm using Nmap, or I can say I'm using Wireshark. There are so many tools that I'm using, but in these tools you have to know the basics of Python, because if you know the basics of Python programming it's going to be so much easier for you to understand the command line, you can understand the HTTP request. There's lots that's easier for you. And the second thing is that in my career I have found so many XSS bugs, so if you want to focus on this XSS bug then you have to know about JavaScript, because in JavaScript you have to use so many payloads, so many cheat sheets, which cheat sheets are created from JavaScript. So if you don't know the syntax of JavaScript you can't apply any random payload from any blank space. It's like you are throwing any cheat sheet in a blank space, and it's like you don't know anything about what you're doing. So if you don't know anything it's not going to work. So it's like that, there are so many programming languages; sorry, you don't need to learn, like, that many programming languages, but the sort of thing you have to really, really know: Python programming obviously, JavaScript obviously, and obviously you have to know the basics of networking, because I find that people don't understand how TCP, how your network IP is connected, so people get confused: where is the IP coming from, why is the IP..., or which IP should I interact with, which IP should I follow? So if you don't know the basics of networking then it's gonna be a little bit tougher for you. So obviously basics of networking, basics of web, and programming: Python, JavaScript. Yes, for the beginning it's gonna work for you.
No, that's a really good list, because sometimes people will tell me, like, oh, it doesn't matter, and it's good to actually have a specific list that people can look at. I actually don't know Python, or I've never programmed a thing in it. I guess I've read a bit of Python because I was looking through something before, but I've always, like... like maybe I need an excuse to learn it. And yeah.

I have to say that when I started learning Python I got impressed day by day, and I started regretting, because at first in my university I had to learn C, then I had to learn C++, then I had to learn Java. So in these three programming languages, for that undergrad level, it was a little bit harder for me, and in that time I was also not interested to learn programming. I was like, oh my god, programming is not my type. I should take some excuse, as you are saying. But after that, when I started learning Python, I said, oh my god, this is so easy. I mean, C just makes us crazy.

Yes, C is hard, it's so hard. There's a question in the chat, so, someone, Matusa, is asking: is Mehidia's preference of Python and JavaScript a regional choice? So she's in Bangladesh, and yes, she is awake very late, and I appreciate her staying up to be on the show. But is it that people use it more in Bangladesh, or is it that the whole world runs on JavaScript and Python?

It's not anything really regional or something like that. It's like, day by day, when I got to become a full-time bug bounty hunter, I feel like that is your daily purpose needed, because, you know, each and every tool right now you're using, it could be manual, it could be an automated tool, every tool is based on Python. So in the near future it's gonna be beneficial for you. It's not like that only in my country people are only focusing on this particular language; no, it's not something like that. And if you're talking about JavaScript, I'm talking about JavaScript in particular because I get to find so many XSS bugs. So an XSS bug is basically a form of JavaScript; in JavaScript we have to write down so many cheat sheets, and these cheat sheets are created from JavaScript. That's why I'm saying this.

Oh, I know, but that's a really good question, thank you. So I have a question, so, you speak Bengali. Are there lots of resources that are in Bengali, and is there a specific resource that maybe we could share?
Ah, right now on our website there's not that much, because we started only three months ago. And if you're talking about other resources, then you can be specific so that I can say, yeah, you can get this.

Oh, I was hoping you would tell us about indyskilldb.com.

Oh yeah, in this case it's just only three months, so you can say it's still a newborn baby, and we have a little bit of a breakdown because I just moved from my country to London. So in my website basically I have three more members, they are also bug bounty hunters in my country. So we started thinking that we should do something only for our country, because in our country I see a big, massive growth of bug bounty. Back in 2015-16 there were, like, internationally, there were like few people from my country, but right now I'm so happy to say that there are so many, so many good bug bounty hunters coming, and those who consider, like, okay, we know a little bit of bug bounty, they are thinking that we can give them some information. So we're thinking that it's our responsibility to do something for our community.

That is awesome. I'm going to spell it out for people that are listening. So just to be clear, it's all written in Bengali, so if you don't know Bengali it will be very confusing, but it's i-n-d-y, skill, s-k-i-l-l, db like database, .com. And if you speak Bengali you could go and learn a whole bunch of stuff, so they actually have a bunch of articles already there. There are so many blogs on this planet with just one post, and you already have four or five posts, so I think you're doing great for three months.

Thank you.

So of course I have more questions. So let's say someone is, you know, they're like, this sounds cool, I wanna take some training to try to become a bounty hunter. Can someone, like, go to university and take a course to become a bounty hunter?
Honestly, if I say from my experience, still no, I didn't see any academic university, no, there is none. And still not, in the near future it will always be considered like a freelancer. So if you want to be a freelancer in the bug bounty field, I feel like you should be a self-learner, because there are lots and lots of resources right now on the internet. If you are determined that, okay, I want to be a full-time bug bounty hunter, you don't have to go for any academic purpose, or you don't need to go to any teacher. It's like, there are lots of resources, because for me, I got to learn from NahamSec, everyone knows him, from Jobert, the HackerOne co-founder, and I also got to know Katie, and I also got to know The Cyber Mentor. These are all such famous YouTubers. I really follow them, and I also get to know so many things from them. And especially, especially, I always recommend to the newcomer that please follow Twitter, because when I started to follow Twitter it's like, boom, I got to know so many things at a time. Every time, each and every day, they are posting so many technical advances, so many zero-day reports, so many new reports. I mean, it's like sometimes your bucket is so full you get confused about which one you should take.

That is awesome, that's good to know, there are lots of free resources. Yeah, there is an excellent question in the chat from Muhammad. So what do you think about the future of artificial intelligence and machine learning? Do you think it's going to take the cyber security experts' place? Are we in danger of losing our jobs?
It's a little bit of a diplomatic answer for me. If I talk about it from a cyber security aspect, no, it's not gonna take that much that we think, like, dramatically. Movies, we say... I feel like usually, when people ask this type of question, they're so fascinated with a movie, that movie they are watching, that, yeah, one day they're gonna take each and everything and we're gonna be lost, oh my god, robots gonna take everything. No, in real life it will take so much time. It's not gonna work.

I have to say, I find artificial intelligence and machine learning still seems pretty confused. Like, for instance, so this summer I wanted to buy rain barrels, so to collect all the water that falls when it rains, so that then I can keep it for when it's dry and then I can water my garden. And so I looked up some and then I picked the one I wanted. For three months they kept trying to sell me rain barrels. Like, I have four rain barrels, why do you keep trying to sell it to me? Like, they're so dumb. And so I'll buy a dress and then they'll try to sell me the same dress. Yes, I know I look great in that, thank you, I already own it, I should wear it today, you're right. But I'm just like, what are they doing? Like, I think there's a lot still missing with the artificial intelligence and machine learning.

Yeah, I feel like it's not like lots is missing. I feel like most of the artificial intelligence works based on data, so your data must be matched with this person or with this context you are working in. So sometimes I get that when I feel... I also watch some robotic videos, that there's a robotic kitchen; in that kitchen if you just write down, sorry, press the menu, then the kitchen robot hand will make everything for you. So it's obviously based on your data, that in that person, like, what he likes or what she likes and what she wants to eat. Based on this they created that handy robot. So I feel like it's basically based on your data; you have to collect a pretty good amount of data.

Yeah, and it's hard to get high quality data, and then training the model is very, very expensive, and then there are just so many anomalies. Yeah, when I've been watching, like, videos about, like, speakers talking about, like, hacking machine learning, it's usually... yeah, yeah, they're... I just have so many thoughts. But I have more questions. Thank you for the question, Muhammad, thumbs up, that's a great question.
So let's say someone, they want to become a bounty hunter and they're following some of the videos online. What types of work experience do they need to get their first bug bounty contract or job? Do they need to have job experience? How does that work?

It's not like that. Typically you need some job that we seek normally from any side or any company. It's like you need the skill rather than, I can say, the quality. I can say that you need the skill, because as I said previously, if you have the skill of programming, if you have the skill of web and networking, then it will be easier for you to find the bug. But for me, for more than seven months I was like, hoping, oh my god, I wish I could find a bug before my birthday, because when I started to work, yeah, I was targeting my birthday. Okay, before my birthday I should get a bounty. But in that time I was sad, but I was not disappointed, because in that time I didn't get anything.

You didn't get one by your birthday?

No, before my birthday I didn't get anything, but two months after my birthday I got my first bounty, and it was 250 dollars, and I was so happy. No, it's not like that, that you need some extra quality. It's like you have to build up your own skill.

Okay, I like it. We are approximately halfway through the podcast, so I am going to thank our amazing sponsor. So this is the We Hack Purple podcast, but we are sponsored by ThreadFix, powered by Denim Group, and they are the most stupendous vulnerability management system this side of the galaxy. And there are a lot of vulnerability management systems this side of the galaxy, so that is an incredible claim, and I have to say I really like their product. So thank you, ThreadFix, for sponsoring us, we really appreciate it. But I have more questions for you, Tania.
So let's say someone's watching this and they're like, okay, so I can follow some stuff online. What type of learning path do you think someone could take to try to get into your field? Like, is there a specific place that you feel that they should start, or a specific, like, priority, maybe an order of things to focus on, so that they can find bugs sooner?

Yeah, obviously there are pretty much things that you have to follow. Like, when you start to learn we always get to know the word OWASP, so we always know that OWASP, that's the top 10 bugs. So when you start learning bug bounty, it's not like that within one or two months you'll get to know each and every bug. No, it's not like that. And even though, if you, like, okay, first of all you know broken authentication, you know XSS, or you know RCE, you know only the basic thing, don't try to find out each and everything at a time. It's like, if you start reading broken authentication... So for me, I followed that at first I started to learn XSS. So for me, for pretty much more than six or seven months I just concentrated on this XSS, because I feel like when you get some skill, or when your hand becomes smooth with a particular bug, you will find some confidence in yourself. Okay, now I know exactly this endpoint, so I can get to know exactly that at this point, if I upload any payload, I'll get the response. So in that context you will get some confidence. Don't go for a rush for each and every bug at a time. If you get to learn, then just at first, for the beginning, consider only one bug and try to get polished on that bug. Then it will be easier for you.

That's really good advice. Honestly, when I was a web app pen tester I thought I had to know everything at the start, and so I was always disappointed in myself. And yeah, it's a really good point: if you're just, like, really the best at one type of bug, if you're a bug hunter then you can just go around, be like, found some, found some, found some. Smart. Okay, I like this. So in your opinion, does being a bug hunter pay well? So some jobs in infosec pay lots, some don't pay as much. Do you feel that bug hunting is a high-paying job?
At this moment, obviously I should say it's pretty high, because if I want to do any nine-to-five, full-time job, it could depend on my luck, also on my skill, also there's the office environment. So it depends on so many options. But in my bug bounty hunter profession, it's like, if you have a good skill, and if you're working more than two or three years, it's gonna take you to a position. In that position, if you just open any website, or if you start hacking any private site, you exactly get to... I mean, you exactly know where you are working and what type of bug you could find. So your mind is already set. So it's very easy for me, I know how much money I can get. So sometimes it also depends on me: okay, if I find this bug, okay, now I'm planning that in these four weeks I'll find this, this is the bug, and I know in this website it's pretty easy for me. So in that context I can say it's pretty much higher than the other pay at a 9-5 job.

Would you say that also, because it depends on which country you live in? So for instance, I live in Canada, and the American dollar is worth more than the Canadian dollar, and so when I do contracts for American companies they pay me in American dollars, and I'm like, yes. Would you say that that also applies too? So like, if, in Bangladesh for instance, I don't know how much their money is worth in the translation, but like, in my country American dollars are worth more, so I always, if I can, want to be paid in American dollars instead of Canadian dollars. Is it like that for you?

Yeah, exactly the same situation in my country, because I can say, yeah, from my experience, well, right now I'm doing an MSc in the UK, and most of the tuition fees come from my bounties. I'm being honest with you: most of the tuition comes from my bounties, only for this I'm able to do this. So in my country, when I get, like, five hundred dollars, one thousand dollars, in my country's currency it's much bigger. So yeah, it's pretty cool.

Okay, so that's awesome, yes. Do you feel like there's lots of opportunities in, like, the bug bounty field? Like, there's lots of jobs? Like, if someone wants to try to do it, are there opportunities?
Yeah, obviously, because right now this field, I mean, I feel like each and every generation has a specific field which becomes an eye-catching field for every generation. So I feel like in our generation, infosec, cyber security, bug bounty is almost the most eye-catching field. It's not like there's someone thinking that, okay, now you're doing freelancing, it's not such a well-known job, or what should we say, you are freelance. And no, no, it's not exactly like that. From bug bounty I got to know so many things about infosec, so when I start to do something like a nine-to-five job, it will be the same qualifications they need, so I can put my qualifications in my CV already, which I'm doing. So yeah, this is so optional, you can work, like, if you want to work in red team, if you want to work in blue team, or if you want to work in threat intelligence, there are lots of options you can work in.

Yeah, and do you feel like the experience of being, like, an experienced multi-year bug hunter could then potentially make you a really amazing red teamer, or a really amazing security, like, long-term security researcher, or perhaps like a really good penetration tester?

Yeah, obviously, because before coming here I was working as a red team researcher in my country. There's a company, it's called Beetle Cyber Security, and this is one of the most renowned companies in my country. So in that company I was working as a red team researcher. So they only took me because I have bug bounty experience; only for this reason they gave me that job, and I worked in that office more than two, I mean, sorry, more than one year.

Nice. So like, I don't know that much about Bangladesh, but from the outside it looks like the tech industry is, like, exploding there, like that there's more and more tech.

Yeah.

Okay, so that's what it looks like from the outside, so that's what it looks like from the inside too. Okay, that's good.

I can say that in HackerOne, in Bugcrowd, even in Synack, in Cobalt, there are so many senior people from my country.

Nice, awesome. Okay, so now a super hard question: what do you like best about bug hunting? Like, what's your favorite part?
I want to be a little bit funny: when I get a bounty, it makes me happy. Whenever someone gets a bounty he is so happy, it makes them so happy.

When I found my first vulnerability I did a happy dance, yes. [Laughter]

When I got my first bounty I screamed, I was screaming, like, a lot, oh my god.

Do you still feel really happy every time you get a bounty? You're like, yes?

Obviously, because it's always like that, it's my target. I want to fulfil my target. I always feel like that is my target, I want to achieve this target. So I always feel like that, and in my field, I can say that when you start working you have to have a positive attitude, that you have to accomplish this target. So it will always make you happy. Never take it like, oh my god, it's a burden for me, can I do this? No, no, never think like that, because when you start thinking like that it becomes a burden for you, and there you will literally stop loving your job. Don't do that. Always be positive.

Oh my gosh, I wish that you could give that advice to everyone. When you think of, like, the duty of your job as a burden, you're gonna start hating your job. That's such a... that is very wise. Yeah, okay, so I asked what you like the best; what is the thing that you like the least about your job?
It's like that, there are so many nights I spend finding nothing. Sometimes you're frustrated; I have to be honest that sometimes you get frustrated. Sometimes I feel like that, that day was nothing, like, I didn't get anything, but at the same time I said to myself that even though I didn't find anything, the amount of time I spent on this website, in this context, I got to know so many technical steps which I didn't know previously. It's like, in my office there was a Hack The Box program, because in my Bangladesh office you used to do CTFs and Hack The Box, because my boss thinks that it will polish your skill. Yeah, I also believe that if you do as much CTF and Hack The Box as you can, it will literally increase your skill. So I still remember that my boss gave me a problem from Hack The Box, and it took me three days to find and to upload a shell in that. So I was literally frustrated, oh my god, I am not getting that, I can't upload the shell, but at the same time I was also feeling the anger: no, I have to put the shell, I have to inject that shell. So yeah, after three days I got to do that.

Nice, that must feel just, like, so satisfying. You're like, that's right, I'm the boss of you, computer. I feel that when I finally get the thing working, I'm like, that's right.

Yeah, obviously.

So what makes you feel the most pride about your job? So like, I am a teacher, right? So like, I teach people how to make secure software, so when someone really gets it, or they tell me, oh, I used this thing I learned from you and this awesome thing happened at work, I'm like, yes. And so that makes me feel really proud. What makes you feel proud, like, with bug hunting?
uh in my side it was pretty much a
little bit similar because
in my country now i become little bit
organized
senior because it's been more than three
years so
sometimes i get not sometimes sorry
maximum time i get so many messages so
many texas they want to know this they
don't
know that so still now i'm trying my
best to help them
and i still remember that there's a new
guy
he wants to know about http injection
and he don't know anything about http
so i get i provide him
the information and the links and the
practice that he can do
and still now i can remember that he got
a buck from hacker one and
it was maybe a 400 or something boundary
and i feel very happy for him
that finally he get to know this thing
and the second thing is that in my
country when i start
this bug boundary i was the only girl so
from my office they gave me so much
honor when i started working because
in my office there was 18 member
and i was the only girl in that red team
amazing that's awesome yeah
You must be a role model for other women.

Oh no, not like that, but I want to work from my heart, that is, I mean, I want to be always honest in my work.

That's awesome.
Okay, so what advice would you give someone that wants to become a bug hunter, male, female, from Bangladesh or from somewhere else? What advice do you think could help them?

Ah, but the thing is, recently I also got a message from my university; there's a guy, he also wants to learn bug bounty. I always prefer, and I always say to the newcomer, that at least at first try to know what bug bounty actually is, because still now I'm getting messages that people are confused what bug bounty actually is. People always get too fascinated with so many high bounties. People think that, oh my god, in this field you will get so many high bounties, and maybe it's so easy now. Don't go with those bounties. At first try to understand what bug bounty actually is, and then don't ever think that bug bounty is only for hacking Facebook or Insta or Gmail, because I get so many messages about this. Don't think like that. And obviously try to be a good listener, and at first try to learn something based on programming, because if you have a good and strong basis in programming it will be so much easier for you. And after that, obviously, if you want to be a web security expert then go for web; if you want to be networking then go for network.
Yeah. Do you have people write you and say, hey, could you hack this person for me? Could you, like, hack into my ex-boyfriend's or ex-girlfriend's account? Because, like, I was like...

[Laughter]

Like, you know, the guy who texts me, in my university he was pretty much like something, that he said that I want to crack the Gmail and Instagram IDs of people. And also in my country I got so many texts that, please, could you please hack my girlfriend's ID, could you please hack my boyfriend's? And I always said, please don't talk about these stupid questions with me. And most of the time I get so much angrier because there people only think that bug bounty or hacking is something only based on Facebook, Insta. No, this is not.

Yeah, also we're law-abiding citizens, and don't insult us by asking us to commit crimes for you. It's not cool, it's like rude, right? Like, could you imagine if you're like, hey, you're really limber, will you break into this person's house for me? No. Who asks that? But it's like, oh, could you hack into this person's accounts? Like, no.

And I also said the same one thing to those people. I said, do you think that Facebook, Insta or Gmail cyber security are such fools that you can make them fools? No man, they are spending a lot of millions of dollars, so how could you think that only I can do something and they're already gonna be hacked? No,
not like that.

Yes. Okay, so we have another question in the chat, but I also want to ask everyone in the chat, if you're enjoying this conversation, if you could click the thumbs up button for me. And if you are listening to this, if you could give us a podcast review on Podcast Reviews, or... I think there's something called Podcast Love, there's iTunes, there are all these different places where you could review us. That helps us know we're doing a good job. And if you send us a direct message on Twitter, We Hack Purple, and send us your mailing address, we will mail you stickers. Yes, that's correct, I am offering bribes for reviews; I don't pretend I'm doing something else. So let's look at the question from Muhammad. Okay, so he says: I have one more question. Do cyber security experts usually rely on built-in operating system tools, or sometimes do you have to develop one for a specific situation?
Do you want me to read that again? Oh, you got it.

No, I get it. Yeah, pretty much like that, because there are so many automated tools, but from those automated tools you will get a rough estimated result. But if you really want to do some practical hacking, then you have to do it manually, like I do, because I never rely on the automated tool. Sometimes I want to see the rough estimate, like in my office we sometimes use Nessus; in Nessus we get some rough estimated result: okay, in this website you will have some, might be RCE, some might be SQL, or you can get some HTTP problems. But they give you a rough estimate; they don't give you the specific problem that you'll get to find out manually, because in manual, when I do some brute force, or sometimes when I want to upload a shell, I have to do it manually. I didn't rely on any automated tool; it's not gonna work like that, because in manual there are so many tricks which are created by myself. Only I know how to trick them, only I can apply them, which I got to learn from my experience, which you cannot get from an automated tool. So if you're thinking like that, okay, I will upload some automated tool and I'll hack this website, no, it's not gonna work like that.
That is such a good way to put it too, because automated tools will always miss lots of things.

Yeah, I mean it will just give you a normal result, yeah, a rough result that, okay, blah blah, you'll get the 10 bugs, you'll get the 10 problems, but you'll never be specific. Like, I need to know the specific problem which will actually give me the bounty.

Yes, yes, so much yes there. Um, so I have two more questions for you and then I have to wrap up. So do you do other things outside of information security that you want to share? Like, for instance, I guess we already know that you do indieskilldb.com, which I'm putting on the screen underneath you, but is there anything else that you want to share or raise awareness about that matters to you?
Uh, right now actually I'm doing my MSc, so it's a little bit messed up for me, because it's only two months since I moved here, and right now I'm just focusing on my study, because at the same time I'm starting to live alone without my family. So it's a little bit messy for me.

Oh my gosh, it must be so much.

Yes, so...

Oh, sorry. Yeah, please.

No no, please.
My last question is probably something that is on many people's minds: if someone wants to know more about you... So they can follow you on Twitter at M E H I D I A A F R I N, so yeah, Mehidia Afrin, but on LinkedIn you have Mahidia. So if people want to follow her there, you can follow her there, but add Tanya. But what, like, do you have upcoming talks, or do you have anything else that you want to share with us, something that you've worked on? And it's okay if you don't, but just to give everyone the option.
Uh, honestly I really liked talking with you, because the way you're speaking, you make me feel comfortable. Before starting this interview I was a little bit nervous; I was thinking, okay, what should I say? And in my life it is the first podcast that I'm doing, so I was a little bit nervous, but thank you, you made me so comfortable, and it was pretty good to talk with you. And you are doing really great. I was thinking that I should... I said that I was thinking that I should buy your books, because they're really doing good.

Oh, thank you so much.

And I should say to your audience, yeah, go for Tanya's super books, it's pretty good.

Okay, so speaking of my book, I was supposed to talk about my book, so I'm just putting it on the screen for a second. I wrote the book called Alice and Bob Learn Application