We Hack Purple Podcast

We Hack Purple Podcast Episode 47 with Deviant Ollam

July 22, 2021 Tanya Janca / Deviant Ollam Season 1 Episode 47

Host Tanya Janca learns what it’s like to be a physical penetration tester, with guest Deviant Ollam. Famous for hacking banks, elevators and basically any physical security device, he will share how he got to where he is today! Check out his Twitter while you’re at it!

Thank you to our sponsor 10Security

NEW Secure coding Course here!

Buy Tanya's new book on Application Security: Alice and Bob learn Application Security.

Don’t forget to check out We Hack Purple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A fun and safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter! Sponsorship info: [email protected]

Find us on Apple Podcast, Overcast + Pod 

Welcome to the We Hack Purple podcast, where each week we interview a new member of the information security industry to talk with them about what it's like to do their job and what it's like, I guess, to try to get to that position within our industry and all the things you need to learn and how it's possible for you at home to do this, we are sponsored this week by 10Security, just like we were last week and the week before, our friendly friends from... Well, who are the creators of DefectDojo, We Hack Purple is an academy, a podcast and a community, and as of this week, our community is free, you go check it out at community.wehackpurple.com, but... Oh yes, and I'm Tanya. I am your host that I always forget to introduce myself, but you probably wanna meet our guest Deviant... So what? Stop waiting and let's just do this. Let's bring them up. How is everybody doing? Well, how is everybody doing? Do people wanna say hi in the chat and tell us where they're from... Hi, Dave Hamar Question. Nowadays, when people say, Where are you from? We basically just say, our cats and our books live in Seattle, and that's about it, where we leave it, and then people ask us that... Well, I guess, I mean, where are you streaming in from, because if you're traveling, it's cool to know where you're at, and if you're not traveling, it's still cool. Oh, and we're doing a lot of messages, and that is good. Awesome sauce. So, Deviant, or should I say Dev, which is better. Oh, do you... Saves time and confuses other people because they think you're saying either Dave or Steve, so helps me on the phone with social engineering. Which brings me to... Could you please tell us? So usually I say job title, but you run your own company... How would you introduce yourself and your job title? How about that? 
Yeah, when you run your own company, it's never glamorous, you're either a professional email answerer or swear word sayer, but the people online who have ever heard of me probably know me with other titles that they sound equally made up, like physical penetration specialist, which was actually how it was billed on a TV show once, and it bumped with legal because they thought I was trolling them. And I was like, No. It's an actual thing, now I've been this card. Yeah, those who've never heard of me, I am part of a covert entry team. I have been working with locks, safes, access control systems and the like for a very long time, both in terms of teaching people for the fun of it. With a non profit, there's a non profit called TOOOL, for example, maybe people have seen the red logo with the 30st, so The Open Organisation Of Lockpickers showing up at hacker cons and educational events, and I've been on the board of that non profit forever. But in addition to doing it as a hobby, locks, safes and the like are also my career, so I get to go around and I get to break into buildings, and I get to run teams of people through surveillance operations in the field, putting eyes on target and then coming up with a plan and faking access control credentials and stealing alarm codes, you name it... Oh gosh. That sounds so fun. A few weeks ago, I accidentally locked myself on my patio, and then I opened the window and then kicked in the screen is that... It's not like that. Is it that It's pretty close is... It might not be perfectly non destructive entry, but if you can tidy it up and no one notices, it counts as covert entry. Oh yeah, yeah, I got in and I would say it was quiet, but it doesn't matter 'cause I was the only one home, 'cause otherwise I would just knock on the door and be able to clue in, but everyone was out is like, I go just... Oh crap. I... People overdose goad, I'm sorry. 
Oh no, I was just thinking, maybe I'll just stay out here and eat dinner and just like, wait till people get home. I was like, No, no, you can do this. Did you have your dinner where you like... Was it as silly as like You went out the door to receive a delivery and then turned around in the door, headshot... No, no, as I was barbecuing and someone had locked the patio door and I was like, Oh, it's smoky, I'll close the door, and is like what I mean, I'm like, I have mistake. So am I in a bad place? Really? Exactly. Yeah, if the weather's nice. Just keep hanging. Can you tell us what it is like in the life of your job? 'cause I have to say of all the people that have been on the show, this might be the most interesting. It is simultaneously the most, at least interesting, as you know, as both a techno person and a business person, the business side is 90% of what we do, it's just sort of shepherding people through conversations and replying to email, and generally feeling busy and like you're never getting done while you're getting everything done all at once, I'll talk about people who wanna start a hacker based sort of business and how to be in tech, and most of it is just boring things like that, like Make sure you pay the lawyer, do the books correctly. But the fun part, the 10%, the action packed part of the job involves basically being like a sparring partner, people would go maybe watch a kung fu movie and they say, wow, let's look at that person, they're beating everyone up, and I wanna now be that person well, in truth, most of the best known names of martial arts, they don't think of themselves as people who just beat people up, they are known as and revered as people who know how to strategically and carefully throw punches and kicks at someone so that other person gets better, their goal is not just to cause pain, their goal is to cause improvement, and that's really... 
If someone is good at this kind of job, what they should be thinking about, it's not my goal to just drop my way through a facility and run like the best opal... Right. Of a person doing that could be a deliverable report for a lot of hacking people, right. Look at me, shells everywhere. I'd direct your facility. Alright, next job that doesn't really provide value to the client other than make them feel bad at everything that they're doing, our job is to emulate an adversary and do it in a way that is realistic, but digestible, and then to walk people through what we did, and hopefully, make it harder for us to do that next time, so if I pick your locks, hopefully you're going to understand why these weren't the right locks, if compromise your access control system, hopefully you'll understand, Oh, we should re configure all we have legacy credentials, let's turn them off. If we disable your alarm because we wish the sensors, you're going to install different sensors or is change how they're... Again, how their reporting window is, if, let's say we jam the frequency of using wireless, well, maybe you need a little heartbeat signal as it's called, so that every 60 seconds those sensors check in and if they don't check in, they register an error or an alarm condition so the next time we come back to that facility, all the things we tried, shouldn't work. Shouldn't work. How often is that true? Oh, it's a mixed bag. Some clients are absolute rock star clients and they really implement everything really well, but those are sometimes the clients that put their budget into the improvements and then they... They say, Alright, we're not gonna budget to have you back for a little while, the clients that just wanna kind of... Alright, let's bring that team back, that was really fun when they were here, we liked him. 
Well, they didn't put budget in anything else, so all the same stuff, we've literally found my favorite story, people talk about running an exploit and then you find your old payload still on a server if you do networking stuff, well, we're not ones and zeros as much as we are open and doors and open boxes, the idea of finding an old exploit, we actually found this records room in a client once, and it had all these filing cabinets, and we said, Okay, try and we have some... There's a whole key ring of common keys, I'm holding up, this is called... People call it the Dev's key ring, now that I've mentioned, these keys are super reusable and maybe this is the key they're using for the filing cabinet, try it. Well, the common keys didn't work. We said, Okay, oh look. There's this key right here. Found it in a destro. Oh, awesome, open the filing cabinets. Probably could have picked it anyway, and we're finding HR records and company history and all these financials... Well, it was in our report, we mentioned it to the client to their credit, they tried to mitigate this, but what happened is they invited us to another facility in future and talk about finding the same one, they had literally freed all of the filing cabinets to another facility, but it really wasn't locked up very well, and they were still the same filing cabinets, and we said, Hey, do you just love that key from my last job, I said, Oh my God, this kid is saying, Hey, oh my God, it's the same record. This is the same final cabinets. Alright, do we Rocher Trying... We have a good question in the chat from Dave. So cool. Does the CompTIA PenTest+ help us learn from a physical security ethical aspect, does it cover physical pen testing? 
To my knowledge, it doesn't speak much to what we do in granular detail, I know that CompTIA and even cis physical is one of the domains that gets attention in text, and while in an ethical perspective, I'm very glad that he's mentioning how to do things ethically, because that doesn't get covered enough by many people in our industry that was at another talk that I gave at an event called awareness con, but the actual nitty gritty is focused in most standards we have seen more on the defenders sort of framework. You'll say, Okay, well, like door should have locks and sensitive area should have monitoring, and you should... Here's what you should do is very prescriptive, as far as I'm aware, none of the names most people have heard of before now focus on the adversarial side of it, and really what people like us and bad people like us on the ground are doing. It's actually part of the reason why our firm, The CORE Group, and another partner firm who works with us extensively called Red Mesa, we combined along with a few other very notable people in the industry, Chris Nickerson is among the Christians and created the Pen Test Execution Standards we've created something called Red Team Alliance, and in addition to a lot of training, it is an actual practical hands on certification process, so if someone wants to actually say yes, I am certified to do this, it's kind of one of the first avenues that exist for that... That's very cool. And for those of you that are listening, only... Are there... As that goes back there, someone's commenting about brass, it's just about you. So They're not brass, they're actually cast iron because I touched them with a magnet recently, and it turns out there, these are my... These are my grandfathers, they were found in his possession, they were... I think he probably bought him overseas when he was in the Navy, he probably would have bought those Ilya... This wall is a... 
It's an ever growing array of odd things behind me, there's some people notice the fractured padlock in a frame, we were in our Virginia facility. And for anyone who is, I can't imagine someone hasn't heard of a very, very fun YouTube or a lock picking a lawyer. So he's also done that area, he's a little outside of DC, he's friend of ours, right, so he comes by the classroom every so often, and this was just... It was the last thing I did before the pandemic. He was sticking around for a class of ours, and he has this series of videos where he actually shoots essentially padlocks off of enclosures using a... Essentially, it's a very glorified nail gun, it's called a RAM set, and people are like, Oh my gosh, those rams... I love those destructive videos with the RAM sets even cooler than the picking, and he's like, Well, I have it in the car. So yeah, he went downstairs, he got the Rams and he was shooting locks off of this large wall and everyone can... Okay, ears. And this... The one he did, it was like What? Everything bad happens, they say it happened in slow motion, and sure enough, I watched this lock ricochet hard off the stairs and come intern right at us, and everyone kind of ducks and I just kinda sway my head out of the way and it would have been me right between the eyes, so it caught me right on the shoulder, I'm so right in the elbow right here, I don't think you can see it anymore, so I was bleeding and just kind of packing it and wrapping it while getting messages from Tara saying things like, Are you hang, I know that poker there tonight. Everyone's in town usually go out. It's bad things are out. Health reports are bad. Can you get on a plan? Can you change your flight... So I was like holding my elbow changing a flight, well, everyone's ears are ringing from this gun powder last... That was the last thing I did at pre pandemic. So we literally went out with a bank for the lockdown, Seattle was one of the first cities hit. So I was glad to be home. 
Oh, wow. So that's the E... That is a really good story. And again, moment, yeah, my last thing was going to RSA, and then I came back and I had a cough, and then I had to go into quarantine, and I was the first person on the land, I guess in my city to Go Into quarantine, would know what to do it to me, it's forever. And I was fine, I like your story better. Your stories, I feel like... A lot of times when people talk about different jobs and stuff, they act as though it's all the super glorious stuff that you see in movies, so the hacker clicks three lines of code and then he magically I was everything. And it's like, No, actually, when I did contesting, it was like me really cold and data centers swearing at my computer a fair bit and trying to carry so much heavy equipment as a tall, skinny Lady, and there's a lot of patients, and then eventually you find something and you're like, Yes, and then be like, When I have six more hours in this present cultural, what types of personality traits, I guess, does someone need to be good at your job, 'cause I'm assuming the patient might be one of them. Yeah, patience, perseverance, Positive Mental Attitude, probably some traits that don't start with P, but... Yeah, you really nailed it in your description where you're sort of, every job I approach, I'm good at my job, my team is excellent, but every job... We're not trying to be negative Normans, but we're like, Oh, this one's gonna stink. No, this looks pretty hard and you have to overcome that, you have to do say... You could treat it like just a playground and a moist double may care and you just go Trump and around, well, that's a recipe for getting caught in the job... Ending quickly, if that's what the client. Some frameworks or some jobs are first interdiction that the test is terminated, so you have to show a lot of care, you have to demonstrate really cautious planning, and once you finally get, as you pointed out that first... 
Something to hang your hat on, something where you can say, Alright, alright, alright, I can go home saying, I did the one thing, right, and it's not a failure of a job, then interestingly that moment, at least for me, you start to overcome all other hesitation, you're like Alright, well, now that I know I'm okay, what else can I try? You get a little older, and fortune does time to favor the bold, the boulder you get, the bigger you go with the lie, in my case, the more you tend to have gains and the more you get into sensitive... So itself itself feeds, and by the end of the job, you're running around addition, waving at cameras, being like, I don't belong here, this is not right. And still not getting call, you're messaging the client, you're like, Alright, people stop and found us... Yeah, I want us to start doing stupid stuff... Yeah, we took a hit off the wall once and put it, rolled an office chair in front of the camera by the data center door and wrote big letters, we are breaking in or something like that, and just kind of left it there. And I guess people don't really monitor cameras, cameras are really for more for reconstruction. Wow. Okay, so sorry, I'm like, I'm supposed to ask more questions and not just laugh, I wanna take this moment to ask everyone to press the like button, if you are enjoying yourself, I know I have already pressed it, so I feel like maybe there's more skills too that you would need... Are there physical skills or technical skills? I would have to say that definitely for personalities, when you need some social social skills, like what happens when you get caught. So when you get caught, or we'll say when you get paused because being caught is kind of different... Right, being able to talk your way out of things, it comes up and we have absolutely had situations where if you're with a teammate and you're come to guards, because again, you've been setting off alarms, you're really trying to... 
This was an instance, I can recall it, but we were really trying to push it at this point, we said, Okay, let's open that door, that's gonna be a screamer of an alarm, let's just walk through it, it's normal, and then we're gonna go here, and then we're gonna pop this store, and sure enough, we start hitting, bam, bam, bam, and there are just... It's cacophony like, Man, no carbs yet. Well, they're gonna come eventually, so I'm literally on my knees and I'm riffing on this other server, go with an under door tool, and eventually for... We got two guards. That was a big warehouse. We finally robbers, these two guards walk up to us and Like, Oh, your sound appears to be cutting out all of a sudden... And we just lost you. Yeah, we can't hear you at all, but I am gonna put the good comment that he has a get out of jail training, and that seems really helpful, but you kind of pop on and off and then you go, Oh. I can hear you now, I actually... I... You about... Go ahead. My rookie. You sound good now. So did you hear me say the guards were arriving or not, not... My partner and I on that job, we had planned a course of progress, guaranteed to set off alarms, and we got in this door, this story's just gonna be a blazing screamer of an alarm and that we're gonna trip that door... Okay, so we're in this very cavernous warehouse space and it is loud and we're like, There's gotta be guards coming eventually, and eventually, sure enough, eventually these guards respond, and I'm literally on the ground at the foot of the door, like rein on the door handle with an under door tool, and Robert, the guy was with me on my team, he's like, Hey man, we got a company like, okay, finally we stand up and we're just expecting, this has gotta be it, we've gotta give this facility a win, finally, and these guards, Hey, hang on bank on them in fellows. Can you put that down for a second? What are you doing here? 
And the way Robert tells it, he's got his hand in his pocket on his Get Out of Jail Free letter that it's your authorizing letter that makes sure you don't line up in handcuffs, and he thinks, Well, we gotta be pulling these letters out And just as kind of a Hail Mary. I just look at these guards and just dead pan in owes It look like we're doing here, and it broke their brain, and when you think about it, if you found someone in your backyard and you said, Hey, what are you doing in my yard... And the person panicked and ran and jumped over a fence and lost a shoe in the process, you'd be like, Oh, that was a criminal, but if you found someone in your backyard, you said, What are you doing here? And they go, What do you think I'm doing? I'm a pretty private guy, I'm not even sure how I would respond. Right, that's clearly a person who thinks they belong married, if you don't think they've along there, so the gate looked at us, they looked at me, we got to these weird freaking tools, there's an alarm going off, but we had photo shops and badges because of telephoto photography of the badges and so... And he said, Well, you got batches, so you work here, but was that an alarm like, Oh yeah, that was the loud... Maybe... Should they come in that way, I guess, what do you think? And he's like, Yeah, we're gonna have to silence that, so next time if you need to get in the dog, just radio us for remote on the lock, and Robert describes it as his hand on his letter just went... Just kinda let that letter go in his pocket, took his hand out of his pocket, stood there, so... Yeah. Being able to overcome a challenge. 
And this is, I never missed the opportunity to kind of very much acknowledge the fact that I have the privilege to do this, because I look like a middle age semi derby white guy, I'm just a guy who vaguely belongs around a lot of spaces, and I get that allows me to just drift through life with a lot of low friction interactions with hotel IAS or police or whatever, if people experience a lot of friction because of a lack of privilege, it's a lot harder to bluff and do that. That's not to say we don't have people on our team that are very diverse and can do a lot of different things, but that helps me if, Hey, if I'm in overseas environments, sometimes if I'm in Asia, no one wants to question it, they... Well, I don't wanna tell that guy, he doesn't belong here, he might not rank what happens then he's probably visiting from another company, so you never know what's gonna get you out of a circumstance, but being able to think on your feet... Chris Nickerson, I mentioned it before, he tells a story where he's trying to get in a building, saying He's there from the local power company, he's literally wearing this shirt, this as dominion power, and somebody runs out of a data center with a problem, expecting a visitor. He goes, Are you the guy from liver? And he's like, Yeah. Okay. We'll get in here. Sure, why not? I'm your libertas, just roll with it. There's a really good question in the chat from Kellen, how do you document while you're doing a bunch of activity and interactions, how do you keep track and remember all the stuff? Yeah, so one of my favorite authors, his name is Bill Bryson, in a book about travel, he mentions this one thing where he pulls up to his house where he's staying with a family, but he talked about sitting in a driveway and finishing his notes before he goes and it's a long day long drive, you wanna go inside, you wanna have dinner, but the diligence to say, Alright, I've gotta pause. Pause point. 
Let me get some at least notes, that's one thing that helps us a lot, as you can probably already tell, I'm a real storyteller, and as long as I have a framework of what happened, I'm really good at re populating that and fleshing it out, so most jobs especially when we have a team, or even if it's just me talking to the client point of contact, there's usually a signal chat going on, and the fact that it's time stamped. It's roughly in order. I can use that after the job to be like, Hey, what was that thing you did with the... You took the badge reader off the wall and then the guy came up to you and you told him you were installing a new one when you clearly went and he's like, Oh yeah, that was building six. And I was like you said, that was in the chat, right, I was like, Oh, that was Thursday, so you did that before we even had the badges... Got it. And I'll write that up. So having any kind of running log, even in the most are notes helps me a lot, and you're always trying to take some photos of good things to show the client, if anyone does any of this in the future, and even if you're just a client hiring a team to do a covered entry sort of simulation, please try to build a day into the schedule where people don't have to be covert where they can just get credentials as guests walk through and do their documentation, so that your report, which is really what you're... For you're paying with the documentation, it's not a bunch of grain potato photos that are vertical, people get the nice camera and they stand back and they take a photo of the door and sit you, so yeah, being able to follow up your bad photos with much better ones... And that's where you deliver someone to the executives and such that it's all in phases, but for me, if I didn't have my notes and a few crappy photos on the job, it would be hard because you say it's all this amazing rush of adrenaline and it's all happening at once, so, yeah, write it down as much as you guys are coding... 
Comment while you go. You'll future. You well, thank you. Yes, future you... In a year from now, we'll be like, Oh my gosh, do you... What were you thinking? Oh, that's what I was thinking. Oh, that comment helps. Yeah, there is a question or a comment in the chat, there are some cheap voice recorders on websites that you can stuff in a pocket, good for capturing a running log even if the audio is sub par, that sounds like a good point, William. Yeah, yeah, voice recorders are even little tiny video recorders, clients can get Twitch about running recording, either video or even audio, I'm no lawyer, but whether you fall into wire tap law or not is fortunately not something we've ever had to face. Yeah, but absolutely. Having little recorders, one of the best things, we'll always try to steal radios when we can, so if we get into the guard shack and there's just like a bank of radios, will you take one of them out of the charger and then you just leave that leave that channel open and just start recording, not only are you recording what their day to day operations are, but maybe you start actually getting... We've got great footage on recording, unfortunately it's NDA, but it's things like where people started identifying something was wrong in the building... Why is that door? Alarming. Yeah, door 21 alarming again. I thought you just sent someone out there, what... Comcast is working in the building... I didn't know Comcast was working today. So it's like, Oh wow, that was us. That's kind of Neat. I've heard of some incident responders where they start a new Slack channel or a new team chat or whatever, and name it for that date, and just every single thing goes in there because they get so excited about the stuff. 
Right, and it's hard to keep track of it and yeah, when you're physically moving around, that seems like it could become complex at times, especially with multiple teammates, and then you'll have to have all of your stories into the same story and timeline, which I love writing. I honestly, love report writing, I love crafting the whole narrative and putting it all together. You could write such an amazing book, maybe give Me one day. That would be so cool. But okay, I have more questions, Tanya's talking, but they do the questions. You can do this. Okay, so it feels like there's a lot of technical skills that someone needs to be good at this job, more than just picking locks, there's a lot of stuff... What types of things? Maybe people would need to know. So yes and no, I never wanna dissuade anyone from any career choice when they think they need more than they actually need... Right, so for instance, I don't really program, like I can kinda do some Python, and I've written stuff in Arduino sketches, and that's about the limits of my programming skill, I don't do much set beyond that, and yet I can attack an electronic access control system like an attack, a badge system. If someone doesn't think that they're good like, Oh man, I see those lock pickers on YouTube, I could never do this stump de does. Well, news flash either I can't do this stuff you think I do, 'cause I'm not nearly as good as the other friends of ours, so you've got possibly got Lockhart, fish picks, artichoke, all these cats. That's an amazing skill. It may be features incidentally, in what we do on a job, most of what we do, we are generalists, we are people who can pivot quickly and use a little bit of expertise in many different domains and recoil together a solution to every barrier that we have to get around. It's kind of a lot of MacGyver, that's boy. How old am I with that reference? Right. But Richard Dean Anderson, this Canadian, I think, right? So there you got one for the North of the 40th. 
Yes, I very briefly have to take a brief moment to thank our sponsor, our sponsor for this episode and several episodes is 10Security, thank you 10Security, that is that the people, the founders of DefectDojo. So you can hire them to do consulting and they do awesome stuff, and they use all of their awesome technical skill basically to automate all the boring stuff, so that you can do the fun stuff. And so you can check them out at 10security.com. I also wanna remind all of you that that the We Hack Purple community is now free, so you can go to community.wehackpurple.com, and my audio book is available for pre sale on Audible.com and Libro.fm, and all the places where people buy audio books because it's by Recorded Books and they know what they're doing. So that's awesome, you can hear me read you as you fall asleep, and hopefully that sounds appealing and not scary, and I feel like that's enough marketing for now. Thank you. Oh yes, and also I'm supposed to also tell everyone about the OWASP course, so if you are an OWASP member, you get AppSec Foundations Level 1 for free now from... We Hack Purple, and so you can go to... wehackpurple.com/blogs, with an S, and it is our most recent blog post, and you're just like click a link and then you sign up with your easel and Bob is your uncle, and also get free access to our course. So there's a lot of stuff like the three Bob on coal is just a bonus. Thank you, Dave, for reminding me. Okay, let's go back to do... I'm gonna ask a super loaded question, what types of training does someone need to get into this job, what education could they get... And I know you run a training company and you're totally loved talking about it, but it just seems like you can't exactly go to a count in school and become an accountant in the same way that... It's not the same like that. 
In some ways, you're correct, there's a lot of experience that just comes into being cool under pressure, that's not an easy thing to teach in a classroom, it just comes with time, but you're not wrong at saying that giving people in education... There didn't use to be a pathway to just... In the sense that if you wanted to do network and digital pen testing... We have really good training. Right, we have certification. We have the SANS Institute, I have tons of respect for the SANS organization and their GCSE. They have a real turn key process to get people spun up for physical... That just didn't exist. Why... That's just, again, that's why Red Team Alliance kind of exists, because we had a lot of people coming to us saying, We've taken... Or Black Hat, we were at Black Hat a lot... We've run a Black Hat class, we're running a class this year, in fact, that's always... And they would say, Well, we sent people to the Black Hat class, but it wasn't quite enough. Well, we just wanna hire you anyway, which... How many trainers at Black Hat really? I feel like a lot of people just use it as a marketing vehicle, my friend Caesar talks about how some Black Hat classes are just intentionally murky so that all you wind up doing is hiring the person at the front of the room. He says, Here's my impression of a Black Hat trainer. No, no, no, no. It's actually quite simple. Anyone who is me can do this. So the idea is we do it. Yeah, we wanted to actually turn out students who could do what we are doing, and we're able to at least be dropped in into a job situation and would be capable, so that is... Yeah, God is, but I don't like talking about this stuff. It's very sales y. Yeah, yeah, yeah, look at redteamalliance.com on the web. 
If people wanna know that we have our own facility, it's not just a hotel meeting room, which you can only do so much in there, we have a building, we have a building with multiple rooms and offices and floors and all different locks on the doors, all different alarm systems, it's a practical training environment, and it's a small industry still, so people come through it and they say, This is great, who is gonna hire me? I'm like, Alright, we could pass your name around, there's only so many people doing this, but it keeps going up, it keeps increasing, and we see a lot of people now training, it's really popular to train internal teams, where if you're a big enough company, you don't wanna bring in outsiders to maybe see all the dirty laundry, I guess, so they'll send people to us and say, Well, can you train them to do what you did for us in the Colorado office, and then these people are gonna go see all our other offices around the world, so yeah, we'll do that for you. Yes, I've had other professors tell me, they're like, You should go and train at the big conferences, Tanya, because then one of the students there will hire you to come in and train all of their software developers. And I'm like, Oh cool, that is a really good plan. 'cause they send a student to check it out and see if it's good, I'm like, Oh, okay, well, this sounds excellent, also traveling is fun. Like Suit. Yeah, the idea of making it so that your students can't succeed without you... That sounds crappy though. No, I want to build up tech engineers, and that's what we've been doing. We have graduated hundreds now and... Yeah, I can't see it, so I don't mean to sound pompous, but I really don't feel like I'm worried about graduating a ton of students and then not being able to find work because there's too many of them. I'm just not concerned.
I want there to be this huge army of AppSec professionals that go and secure all the things, and that sounds like I wanna be able to buy stuff safely on the internet or lock pick, as the case might be. Same, same ease. Students say that like, how are you training your competition or... It's like You're a fisherman, training other people to fish... Have you seen the ocean? It's huge. There's literally a phrase that says, there's a lot of fish in the sea, that's a Retina, there's a lot of work out there that needs to get done. Yeah, and I also feel like if you graduate tons of students who you've taught all of your special tricks to and your methodology and tried your best to make them kind of mini-yous, then you get to go see that in the world, if that makes sense. 'cause I have seen AppSec teams where I'm like, Oh, why are you so mean to all the devs, it's like you walk around with a stick just hitting people telling them they suck. I saw a meme this week that said, Are you even good enough to have impostor syndrome, and I was like, Well, oh my gosh, that would be the type of thing that... So then I try to teach a different, more empathetic approach, and so then I get to see that out in industry, and so I'm sure that you don't want to be able to get into every building that you don't want to be able to... Not that you do, but it's nice to have security... The best job in recent memory was one that we were absolutely zapped on hard and quickly as the company just had themselves together, the culture of security was very different than most clients. Oh, that's awesome, that is awesome. So I have more questions. So one... Well, I'm gonna ask the cheese question because I know Ben is probably working somewhere on the chat and he's gonna be like... Did you ask the cheese question yet?
So the cheese question is, so to give you a brief amount of background, I should have told you before, but everyone's heard this story 50 times, but when I was a software developer and I went to the grocery store a little while after being a dev, I was looking at two types of cheese and trying to figure out which one should I get, and I realized I now make enough money, I can just get both, and I don't actually have to count every single penny, I'm just totally gonna go to the... And I got this. For sure. And that freeingness. And so then it's there becoming the cheese question, 'cause it's like, Can you buy as much cheese as you want? Does this type of work pay well? And is there enough work? I guess, and please don't quote exact numbers, we had someone that wanted to tell us exactly how much mindelense... Don't do that. Man. So I had not heard the question, and here I was thinking it was going to literally be like a cheese rank hierarchy, and I was gonna start laying it on you with like. If you wanna tell me about your favorite cheese, I do really, really like cheese. Oh, for listeners who don't know, I'm an OG, tone your fan. When you would fill literally cheese party as colored... Oh, that's on my playlist. You better believe it. Yeah. Do you make enough to get by... Yes, we do very well. That is partly a function of how ground floor we were in this field, I'm not saying we've been doing it as long as some folk...
A wonderful example of that would be someone like Johnny Long, who's a marvelous presenter, and everyone should listen to anything he's ever said on a stage, he was working for a firm called CSC almost a decade before anyone even talked about this publicly, so there are people who've been doing it longer, but being as prominent as we are, we get a good share of business for being a company that doesn't have a big sales arm, there are a number of firms now that just sort of mostly focus on network pen testing and network security, but they'll bolt on a physical to some jobs, and they just train their army of sales people how to just pitch that, and then there's people kind of doing... So they come like social engineering and they call it a physical on site, but no, we are unique and menial enough positions that I think we can buy all the cheese we need in multiple varieties, someone who is just starting out is likely to... A starting salary is, you're going to be a uniquely skilled individual, and if you are fortunate enough to land a job doing this... Yes, the keys to cheese are then handed to you, but you are probably, I think a lot of people, because it's such a niche type of physical security, a niche industry, having any kind of other pen testing experience, understanding, kind of colli, understanding, Medicaid, you're most likely going to be served well by that because a lot of firms who might hire you to do physical probably do a lot of other business in the network space, and if you have any of that as well... It's probably a help. Yeah. Oh yeah, I've seen a lot of people that are just general pentesters. And then once in a blue moon, we'll do a physical pen test, and I'm like, I'm not sure if they're gonna be as good at it as you are, but it's way better than if I came and did it because I would just be like, Hi, can I come in, You expressed to work...
I have had that work a lot, actually, I went to see this band, I really like a book, 65 months, and I just talked my way in. And they're like, Oh, do you have a ticket? I'm like, No, I saw them last night in Montreal, but I liked it so much, I thought I would come tonight. You don't have a ticket. I'm like, Yeah, but I'm awesome. So you're gonna let me in. And after 15 minutes, they let me in and then they let me just take tickets, and then they gave me merch... It was awesome. I am a big fan. A wonderful... That's... Yeah, it's very... It's Canadian, it's very Canadian about. So anyway, so that's such a great answer, and I love that it's an honest answer, because I feel like a lot of people think, Well, I'm gonna get this job and then money is just gonna... Or I'm gonna get this training, jobs will just rain upon me and I will magically have a lot of money. I feel like with security, the hardest part is finding that first job and getting some resume experience. Right, do you have any tips for that, which I realize is putting you on the spot and that's hard. It's all right. But again, I just... There's a talk for everything, so there's a talk... I have a whole section on my website, I just... I added a page, deviating.net/human, which is just about soft skills, and it's not human hacking, this isn't social engineering, it's literally about career things, and I had a whole presentation about the... What qualities you need to think about looking for a career in this field, and how you present yourself, and frankly, my illustrious and far more capable spouse is the person, she's the expert on that, reboot... Women in Tech is not just for women, it is for all people looking for a job, seeking advice on how you negotiate and how you put yourself out there, and I can never do justice to everything she says in that, but it has literally served me well. I have that book. And she signed it. Very, very awesome.
And for everyone listening, it's deviating.net, deviating dot net. Oh. Oh, we have a good question. So speaking of your significant other, has Tarah ever been a part of your engagements? So one autocorrect alert, it's Tarah with an H. She's the issues, the unique... Not many people spell it that way, but at least you pronounced it Tarah, many people will say Tara, 'cause they're there being premier by he's taroom. Thank you for that part. And the only engagement that Tarah has been a part of with me has involved wearing of rings, so no, we have not brought her in on... A paying job. I feel like that was the best one for her to be a part of really... It's working out. Yeah, I love it. Okay, so now I have super difficult questions that they're not... So what do you like the best about the type of work that you do, and then what do you like the least about the type of work that you do, so I'm always good for the one liner... Right. So the funny answer, what do I like the best? Sleeping till 10 AM. What do I like the least? Days I can't sleep till 10 AM. But the truth... So we can broaden that out though, right. What I like is not really being beholden to any other firm, because when I'm in saying my work, most people think that I'm asking a question about my career on the ground with clients, I define my work as building and owning companies, and then there's a part of that that's really like I really get to truly digest and feel inside when we deliver value, it's not just a pat on the back, a good job, it's Wow, I'm really... I'm seeing, I'm hearing from people days, months, weeks, years later, this is so great, thank you. This is blah, blah, blah, so that I have a real ownership in that emotionally, but not being beholden to others, being able to just say, No, you know what, we're gonna do it this way now, or we really start focusing on this, having that freedom is great. Having the freedom to...
Well, frankly, like when the team and I started the training center, like you can't just take off a week out of every couple of months, if you work a nine to five, and be like, No, we're doing this other thing, it's gonna have real ramifications. Trust me. So having that freedom to do new things and to have new projects, having the ability to... My YouTube channel is a silly side show in my life, but I probably would get heat for it from most... Like if I had a boss and be like, How much time are you spending on that? Far less than you think, because it's a really low effort channel, but not answering to someone is great. The flip side, of course, is that there's... You don't just get to go camping and you can kind of be not working, but there's still the chance that someone's gonna call and be like, Hey, this thing is on fire, can you get on the phone for a minute, can you drive into town and get better signal to jump on a Zoom, so you're never 100% not working. Yeah, I'm okay with that. I think I can balance it pretty well, as evinced by my affinity for sleeping till 10 AM, if you really like it, on days where if there's no meeting the night before, I'm like, I'm just gonna book it and guess what, I'm just gonna wake up whenever I wake up. Like working really late. It's hotter. Does it... So we kind of... My calendar is more human now, but I just like working when I can have eight hours of uninterrupted, no calls, no emails, just silence. Yeah. Oh my gosh. That's the best. Yeah, I agree so much. Okay, so now I have another question that's slightly different, what gives you the most pride in the work that you do, what do you feel the most proud of? When seeing something to completion, which I describe as getting it out into the world in a way that it has its own wings and flies. This is kind of the reason that I actually maintain that YouTube channel and GitHub and everything else is if I get hit by a bus tomorrow... Or I'm an American, right?
So if I get hit by a bullet tomorrow, everything that I put out in the world, I can just... Alright, I left it all out there. I didn't leave a drawer full of half-finished projects and stuff, all this sunk cost that other people have to then do double work. I'm a really big fan of just sort of Pareto optimal 80%, just ship it, ship it and improve it later, because getting it out there, I mean, someone else is running with it, it's kind of the reason that half the stuff we sell on our equipment shop, if it's like the decoder card and there's other stuff full of all the design files, I'd rather just be out in the world, and something like you're giving away your products... Well, no, I mean, people know how to brew, but Coors is still making money, so people still buy stuff from our web shop, even though I'm just giving it away, because I'd rather the information behind it just be out there so that someone else can pick it up and do the next cool thing with it that I'm gonna buy from them. I love it. Okay, so now the advice question, if you could give someone actionable advice to try to make some moves towards following a similar career path to you. What types of advice would you like to give? Interesting, so it's so curious, I get this kind of question or versions of it a lot in email, that's what I call the... What you do is cool, I wanna do it too question, so much so that I have a blog post I put up... Maybe if you have show notes, we'll throw in the links, the show notes, right. And I haven't read that blog post in a couple of years, so many what... It's mostly just a story of me, I'm actually just throwing it in your private chat here... Yeah, it was a test. It's like links to some of the videos I've been discussing and so forth, but really it comes down to small bites of training and self improvement, I can say that even as the owner of a company who does... I still do a lot of field work. I still go neutralize, the sanitized language of the safe...
Cracking world, neutralizing. I neutralize government safes on Army bases, right. I still do that, the field, but even though I still go down to... I'll go to Lockmasters and take a training class once a year just to do something new, I will go and I will take a SANS class, or I wish I could take a Black Hat class sometimes, I'm always teaching during Black Hat, right. But I'm always looking for something new, something to keep your brain elastic so that you never get just stuck in a rut. If you're not learning a new skill, your employer, if you are a worker for someone else, sees you as kind of like a one-trick person, they kind of typecast you as the person who does that thing, and even if you work for yourself... If all you do is what you already know, then you just become that person who only does those few things and there's a bunch of email, so adding new skills. Even if you think, Oh, there's no way I'm gonna use this. Am I gonna use this? Keeping your brain as elastic as possible by taking... Take one training a year, if you're an employee, and if you're an employer who really cares about your people, send them to one training a year, that's like one titles... The best way I can give you that. No, no, I love it. I definitely agree. I basically consume a ridiculous amount of audio books per month, and then I have a pile of physical books like sitting all around me with highlighters where I'm like, Oh yeah. 'cause you take that knowledge and it ends up going into all these other things that you do that make you better, even if it's being better at the thing that you're the expert at, the suceava, and when you see famous people sometimes take heat because Like that person's how can they be Governor of that state? Do you know they're an economist, but there are... What... Are they owned a construction firm? How are they mayor?
Well, all those different skills, they inform like, Yeah, the mayor's not out there swinging a crane around, but they probably learned a lot of things in that field, of that discipline, that they're applying, and if you... Again, if you take training, it opens up new ways of thinking and approaching problems... Yeah, it's gonna sound weird, but as a software developer I ended up getting to learn a lot about whoever I was making the software for, so I did software for industrial... Not industrial control systems, but bills of materials and things like that, and then for scientists and then for people managing top sire evidence, etcetera, etcetera. And I ended up learning a lot of little bits of a whole bunch of things, and I am not a brand of knowledge up here. I think we had one more question that kind of blew by us there. What was that about? So someone, as they're talking a lot about waking up in the morning, we're talking a lot about when they like to wake up early or not wake up early, and then William talked about... I learned many years ago to send myself on training out of pocket each year, and that is actually the reason I started speaking at conferences, because I couldn't afford to get in to all the ones I wanted to go to, so I was like, Well, I have lots of spare time, so I will just write conference talks and apply to every conference I wish I could go to, and then some of them started saying Dean, I was just like, Oh crap, I'm getting into this conf. This is amazing. And that is part of why I still apply to specific conferences, 'cause I wanna go and learn from all those people. Yeah. Okay, so the last question, because we're supposed to wrap up theoretically, blah, blah, blah, podcast under an hour, get more play, I don't know why, but...
So if people wanna know more about you, 'cause I'm assuming they're going to hell, all the places I should send them, so we should send them to your Twitter, so I'm just gonna put that on the screen for a second, so @deviantollam... But it's spelled so at... And then deviant, like you would think, D E V I A N T, But Ollam is the way you say it. It's spelled O L L A M, And that's all one word. It is Celtic, so if you can spell it right, once you can spell it right, everywhere I was that first hurdle, getting over that, people can do that with the Ollam, then they can find me similarly spelled on YouTube where I have no rhyme or reason to the channel and the viewers are like, You should sort of circulate for stoke, there's no X, and I'm like, You don't understand the purpose of this channel for me, not to you brothers. Instagram, which I mostly just use for liking and affirming other friends' life choices about cats and food, there he choices. Oh yeah, highly. Way better than anything technical, there's a... GitHub doesn't have much on it, but you know, any projects I have that I care about, I'm actually probably gonna push something up there for Monday's video having to do with these Leahy lock picks if I can get that up there. Were soon, I gotta be somewhere else in the internet, right? There's enterthecore.net. That's true. That is the company of which I am at the helm with another guy named Babak Javadi, so if you want to pay us money, I guess, and we can tell you how things look on your facility, by all means, come find us. If you'd rather have other people pay you money to do that kind of job, there is of course RedTeamAlliance.com, come in the classroom and then do what I do, but probably better and better looking than me. I don't know, we'll see about that. Thank you so much for being on the show, this is really great.
I feel like you give such good advice in regard to how people can learn and a lot about like how you have to have patience and all of those other things, I think that sometimes people look at stuff they see in movies and they're like, I could totally do that, and it's like, No, it's not at all like the TV show Archer. It's very different, I would be done the first 10 seconds of every single thing they go into. The living accurate thing about Archer is the prolific use of whiskey. Yes, I agree. To a right there as Theresienstadt Is another amazing physical penetration person, she did give me this sticker for my coffee mug, is that draws... It's not what you know to... Is actually Here. I respect that, I respect that, that would be a big cup for whiskey, but... No judgment here. Thank you so much for being on the show. This was really fun. And for everyone who likes Deviant, follow him on all of the stuff, go check out his YouTube, because there are a lot of fun videos, like where he breaks into an elevator, where he breaks into a bank, where he breaks into a walk where you get the... There's a trend there, and people really like the sticker, so thank you so much again for being on the show, and we will see all of you next week for the... We Hack Purple podcast. This week, our guest, Deviant, was amazing, he talked all about physical penetration testing and also about his training company and how they offer training in that, and that's awesome. So sharing the knowledge, we were sponsored this week again by 10Security. Thank you so much. DefectDojo creators, you guys are so great. We really appreciate you. I wanna tell you one more time that Alice and Bob Learn Application Security is now in audio book format in all the places where they sell those things, you can pre-order it now, and it actually goes live on the 27th of July, so you only have to wait around six more days and visit all of Deviant's stuff. There's more stuff. Oh yes, We Hack...
Purple has a partnership now with the OWASP Foundation, and we are giving away our Application Security Foundations Level One to people with an owasp.org email address, which means you are a member, so go check it out on our blog. And the secure coding course is still available, it is full price now at 249 and people are still buying it... Thank you very much. If you wanna learn secure coding in an agnostic way, so we're not teaching specific languages, we're teaching good rules for every language, and then we're gonna deep dive into different languages. Please go check it out at academy.wehackpurple.com. And last announcement, I swear, community.wehackpurple.com is now free... The best way to get in is to have someone refer you, so if you have a friend that's in there, ask them to invite you, but if not, you just go, you click the join button, you answer the questions, and then I kinda sniff you out and see if you don't seem like a group and then we let you in... I hope to see you there. I am Tanya Janca and I am your host, and I'm so glad you joined me. Thank you very much. See you next time.