septembre 21, 2023
EP 36 – The Evolution of an Ethical Hacker
Our guest today is Phillip Wylie, an offensive security professional and evangelist, author and podcast host who recently added director of services and training at Scythe to his extensive CV. Wylie talks with host David Puner about the critical need for ethical hacking in cybersecurity, identity security revelations from years of penetration testing, and his fascinating career arc, which began in professional wrestling.
Considering a cybersecurity career? You won’t want to miss this episode – Wylie’s passion for cybersecurity education and mentorship is contagious. Plus, you’ll discover many unexpected parallels between pro wrestling and red teaming – and how they can help strengthen your organization’s digital defenses.
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.
[00:00:23.090] – David Puner
Many presume a hacker has technical skills and taps into computers and networks for nefarious purposes. But those who hack are not just threat actors with bad intentions. Hacks, by definition, are workarounds or shortcuts, and could be applied to almost anything. A television remote control, at one point in time, was a hack that enabled its inventors to change channels without having to walk across a room and turn a dial. Hacks are everywhere, flipping conventional approaches and tackling problems in new ways. That’s what white hat or ethical hackers do, while using their deep technical skills to stay out in front of the bad guys, to use another broad stroke playground term.
[00:01:08.880] – David Puner
Our guest today is Phillip Wylie, whose new day job is Director of Services and Training at Scythe. He’s got more than 25 years of IT and Cybersecurity experience under his belt, and is well-known and highly regarded in the hacker community. An offensive security professional and evangelist, ethical hacker, author, and podcast host are just some of the things he’s known for. Before he made the switch to offensive security, he was, yes, a pro-wrestler. And spoiler alert, he wrestled a bear once.
[00:01:42.930] – David Puner
Our talk dives into hacking for good, how identity figures into penetration testing, and how his job can feel a lot like bear wrestling, or something like that. Here’s my conversation with Phillip Wylie. Welcome to Trust Issues, Phillip Wylie, newly minted Director of Services and Training at Scythe.
[00:02:03.550] – Phillip Wylie
Thanks for having me.
[00:02:04.390] – David Puner
Yeah, absolutely. By way of background, you’re an offensive security professional and evangelist, an ethical hacker, a bestselling author, a podcast host. You’ve got your own podcast called The Phillip Wylie Show. That’s probably not a surprise to you that you’ve got that. You’ve taught at the college level. You’ve been and done a lot of other things along the way, and I encourage listeners to take a look at your LinkedIn. There’s a lot to take in there. To get back to where you are now, could you take us through a quick tour of your career journey? I don’t use the word journey lightly because I know it’s somewhat overused, but in the case of your career, it seems like a fitting word.
[00:02:48.040] – Phillip Wylie
Yeah, I started out as a sysadmin. First six years of my career, I moved over from CAD drafting. CAD drafting is where I found out about IT, taught myself how to build computers, took a Novell network operating system course. It was the de facto network operating system of choice back in the ’90s, barely into the early 2000s. Once Microsoft came out with active directory, then they pretty much took over the market share. I don’t even know that Novell even exists anymore.
[00:03:21.370] – Phillip Wylie
But I worked in that for about six years as a sysadmin, and I got interested in security. I took the CISSP exam, passed it. Really got interested in the security side of things from one of my former coworkers. He was going that direction, sharing information with me. I thought this sounds like a cool area to go into. I was a sysadmin for six years, went into being a network security analyst in January of 2004. There I worked for about a year and a half. The company hired a new CISO. He had a more modern idea and approach to security teams.
[00:03:58.080] – Phillip Wylie
At first we were all doing the same thing. We’re all doing firewall, intrusion detection, some vulnerability scans, some risk assessments. When this new CISO came in, he divided us up into groups and he put me on the AppSec team. There I got to manage third-party pen tests with vendors that were doing the pen test for us, as well as run some vulnerability scans. I really got interested in pen testing from that. I took a couple of courses.
[00:04:24.950] – Phillip Wylie
Then in 2012, I got laid off, and I applied for a role at Verizon in their security consulting division as a pen tester. That’s where I got my start. I spent the first five years as a consultant doing network pen tests, wireless pen tests, application pen tests. Then I got tired of all the travel because back then… This was around 2017, I think, when I made the move out of consulting. But back then, people really weren’t sending out Dropboxes to do internal tests. It was all usually on site. Some of the consulting companies had more of the old school mentality of someone needs to be on site, you need a representative of the company to be there. But that’s shifted.
[00:05:03.840] – Phillip Wylie
I went to work for US Bank, worked there for a while, and for Kimberly-Clark as a red team lead. I managed a red team there. I spent a year just teaching for a couple different companies, offering offensive security training, and then got back into pen testing. Then last year, I made the shift to the vendor side. I worked for a couple of Israeli companies, and that’s when I got an evangelist role dealing more with marketing.
[00:05:33.530] – Phillip Wylie
My current role now, I help out with marketing, but more of it is the services side, managing the services for our customers, as well as training our internal staff, as well as training customers on our product. We do a lot of purple team workshops, just show people the strengths and advantage of purple teaming. That’s where I came from.
[00:05:52.720] – David Puner
Yeah, thank you for that tour, and you gave us the IT Cybersecurity tour there. But there is a portion of your career that came before that. Actually, when we asked Andy Thompson, who’s CyberArk Labs’ offensive security research evangelist and friend of the show, when he suggested you as a guest, he also mentioned that at one point, you pursued a professional wrestling career, which then may or may not have parlayed into joining the power lifting pro circuit. But needless to say, this caught our attention. How did all that come to be? How did you eventually find your way from that into offensive security?
[00:06:31.470] – Phillip Wylie
Sure. Actually, it was the powerlifting that led me into pro wrestling, because whenever I graduated high school, I didn’t know what I wanted to do. I graduated in 1984, so we had computers in school, but it wasn’t something that a lot of students took those classes. They had an IBM lab and then some Apple computers in the art lab. It’s one of the things I didn’t have experience with back then. I didn’t have the advantage of that.
[00:06:57.560] – Phillip Wylie
But when I graduated high school, I didn’t know what I wanted to do. My friends, since I was a big guy and powerlifter, they said, « You should go into pro wrestling. » That sounded really interesting to me, so I went to wrestling school and wrestled for a couple of years. I spent probably about three or four years in it, going to wrestling school and then getting into it. But during that time, I was working as a bouncer in a nightclub because I didn’t make enough money wrestling. I wasn’t wrestling full-time. I was lucky to wrestle once a week at one of the local circuits here in Dallas, the WCCW. Some people have heard of the Von Erichs, the Von Erich family was very popular here. I wrestled there.
[00:07:37.250] – Phillip Wylie
Like I said, I didn’t make enough money doing that, so I had to have a day job, or actually a night job, because I was working as a bouncer in a nightclub. One of the stories I like to share, and I like to share this background because people wanting to get into cybersecurity may think, « I can’t do this, » but when you see someone as this former meathead, powerlifter pro wrestler turn pen tester, I like to prove to others it can be done. That’s the heart of what I do to try to encourage people.
[00:08:04.480] – Phillip Wylie
On my slide deck, when I’m doing anything related to getting into pen testing, I share a slide with one of my wrestling pictures and also me wrestling a bear, because when I worked in the nightclub, they had an event where they brought in this wrestling bear. Since I was a part-time pro wrestler, they used me to market the event, and so I actually wrestled the bear.
[00:08:24.470] – David Puner
I’ve seen the picture, and I can’t believe you’re alive to tell the story. Did you have any hesitation about potentially wrestling a bear? What was the actual experience like compared to what you were envisioning going into it.
[00:08:37.560] – Phillip Wylie
Yes. I really wasn’t apprehensive about it. The bear was tame. He was just like a big dog. When I got in there, I just didn’t realize how difficult it was going to be. Because when I was trying to wrestle this bear… I was fortunate that I was the one that went last, so I was able to learn from the others’ mistakes. They were standing upright trying to wrestle the bear. They would lock up with the bear, grabbing a hold of the bear, trying to take the bear down, and the bear would grab their legs and take it out from under them.
[00:09:06.590] – Phillip Wylie
In the picture, you can see that I’m in a type of defensive lineman stance or wrestling stance. Got my feet out so my center of gravity would be more advantageous for me and make it more difficult for the bear to take me down. Because my legs were too far out with those short limbs, he had to reach out to try to grab me, and he wasn’t able to take me down. It was an interesting experience. I mean, it was amazing. It was like trying to move a parked car. It was just really hard to get that bear to go down.
[00:09:36.360] – Phillip Wylie
But in hindsight, it’s probably a good thing because at that point, no one had ever taken that bear down. So what happens to the first person that takes that bear down? Even though it’s tame, it’s not like your domesticated cats and dogs. This has been years or centuries of domestication, and they don’t freak out like that. But this animal was probably the first domesticated bear in his family line, and so it would probably revert to its animal instincts. If I would have taken it down, it might have freaked out and I could have been injured. So fortunately, that didn’t happen.
[00:10:11.170] – David Puner
Well, needless to say, you’re the first Trust Issues guest that we know of who has previously professionally wrestled and wrestled a bear. Other than it being a fascinating story, I think one of the reasons why I’m asking you about it is because it’s interesting that you’ve made that transition from that kind of a career to where you are now. Are there any connections that you’ve seen between wrestling and offensive security?
[00:10:38.570] – Phillip Wylie
Yeah. Some of the things that would help from wrestling and offensive security is the acting piece. Because, as everyone knows now, wrestling is… I don’t really like to use the word fake, because some of the things that happened there, you’re getting thrown around and some of the things that you can get injured. But it’s a staged ending, so they know who’s going to win. But one of the things I would say that would help, I didn’t really get to do that enough because I was on the losing end.
[00:11:04.960] – Phillip Wylie
When you’re starting out, you’re what they refer to as a job boy or a jobber. You know you’re going to get beat. You’re going in to make the star look good, because in these matches, they’ll have several of these smaller matches and they build up the stars where they go in and just beat the tar out of whoever they’re wrestling and that’s it. You make them look good. Then you got the main events where you got two of the stars actually wrestling.
[00:11:29.950] – Phillip Wylie
If I would have had more experience in the area, the acting piece would have probably helped more with social engineering. Because with social engineering, you’re having to act. You got a pretext, you’re trying to emulate some other type of person. It could be help desk, it could be a manager, it could be a third party that’s doing business with that company. That acting part would have helped in being used to a crowd and stuff like that. Your nerves should be a little more calm in that type of situation.
[00:12:01.910] – David Puner
Really, really interesting. More current day Phillip Wylie. As mentioned earlier, you’re an ethical hacker. The word hacker is somewhat fraught in that there are a lot of preconceived notions or negative connotations that are often attached to it. Within your definition of hacking, how do you define a hacker and what does hacking mean to you?
[00:12:24.050] – Phillip Wylie
One of the things that I feel like we’d be doing injustice to the title of hacker if we didn’t go back and mention the history. Originally, this was people that were tinkerers, they were technical people. Think back to Apple, the forming of Apple and Dell computers. Some of these type of products were born out of someone’s garage, someone building products, or people learning how to extend the functionality of products.
[00:12:53.190] – Phillip Wylie
The media was really the one that coined the term hacker as far as breaking into computers. The media gave it that term and it’s stuck. When you think about it, the media has such a great reach. You’re in television, printed media. You’ve got such a big reach. A lot more than the [inaudible 00:13:12] protect the name of the hacker. But a lot of us in the industry have embraced it. It can be used for good or bad.
[00:13:19.630] – Phillip Wylie
It’s funny that a lot of times when someone asks me what I do for a living—the professional term is pen tester or penetration tester—I will usually tell them I’m an ethical hacker, thinking that’s a more understandable term for it. But I’ve had many people ask me, « Is there such a thing as an ethical hacker? » But one of the things you got to look at too is there’s locksmiths. They could pick locks, they could break into safes. They could use it for bad, but most of them don’t.
[00:13:45.780] – Phillip Wylie
It’s the same thing with ethical hackers. The term ethical hacker is the function of trying to hack into something in an ethical manner. You’re trying to break into it. You’ve got permission to try to hack into that target. Ethical hacking is something used during a penetration test, so they’re not actually equals. Ethical hacking is the function of actually hacking into the target. Penetration testing is you’re going in, you’re following a certain methodology. You’re documenting that in a report. It’s usually wider in scope than just ethical hacking.
[00:14:21.190] – Phillip Wylie
Ethical hacking is the action in penetration testing. Other terminology good to use with that is we’re emulating threat actors, real world threat actors, bad guys, that we’re emulating that. On a pen test, you’re not exactly emulating specific threat actors. You’re using those different types of skills to try to test the security of something. There are assessments that are red team operations or adversary emulation, where you’re actually trying to emulate an actual threat act, or you’re trying to go undetected. On a pen test, you’re so limited for time, you don’t have that luxury.
[00:14:56.270] – David Puner
With penetration testing or pen testing, how are identities used and what identities are used the most?
[00:15:03.650] – Phillip Wylie
If you’re doing like a assume breach, or sometimes referred to as white box testing, where you have access to an environment, sometimes you’ll have a low-level or normal user account that you’re performing the testing with, up to an admin account. Usually you see that in web app pen testing. You want an account for each level of access. With an assumed breach where you’re testing a network, you’re just getting an average user. You’re going in, seeing if they can elevate privileges, do lateral movement with that account.
[00:15:35.420] – Phillip Wylie
Because sometimes your endpoints are really hardened, you’re really secure. The only way someone may be able to break in is with an assumed breach type scenario. Some companies, they miss out on the opportunity, because someone may not be able to just break in unless they find credentials. Sometimes they need some kind of access. With the different access levels, you have to consider we have insider threats. We have nation state implants within organizations.
[00:16:01.960] – Phillip Wylie
When I used to work at this one company, we had a threat intelligence company we got threat intelligence, some other services from, and they shared a story with a computer hardware company that China had actually implanted someone in their organization, and this was to steal intellectual property. Sometimes people always think it’s from the outside, but there’s a lot of times it’s nation state implants. It could be disgruntled employees, sometimes employees that aren’t paid enough. They may sell their VPN creds to some malicious organization, some threat actor.
[00:16:33.640] – Phillip Wylie
Sometimes they’ll sell these credentials because they’re disgruntled with the company, or either they’re just desperate for money. Also, as a pen tester or threat actor, a lot of times they’re trying to gain privileged accounts, sometimes like domain admin, admin, or root on a Linux or Unix system.
[00:16:51.970] – David Puner
How has pen testing changed in the last 10 years when it comes to identity?
[00:16:57.190] – Phillip Wylie
Yeah, the way it’s changed is one of the things that people are really relying heavily on, because some of the environments have gotten more secure and it’s harder to get a foothold. What a lot of pen testers do, and threat actors, is they try to harvest credentials, see what they can find. Sometimes you have developers that have a spreadsheet with different accounts that they use for testing. It could be different level accounts, it could be user or admin level accounts. Or they have it in a shared drive or cloud storage.
[00:17:31.250] – Phillip Wylie
A lot of the very successful pen testers I know, they’ll go through looking for these credentials because they’re not safely stored, and use them to gain access to the environment. People think some of these hacks are these really elite-level hackers. Sometimes it’s just a matter of, they’re not that highly skilled, they looked in the right places. If you’re not practicing good hygiene, these are opportunities for someone. It doesn’t always take someone to be this really elite-level hacker to get in.
[00:17:58.840] – David Puner
How do non-human identities figure into the whole equation?
[00:18:02.740] – Phillip Wylie
If you’re talking about something like YubiKeys or something to access passwordless type of authentication, something in that realm could be used, because that way, now you can have these really long passwords. Someone’s got a YubiKey or some type of hardware device, they can access the system.
[00:18:19.310] – Phillip Wylie
This is one of the things too, just even going back thinking to my sysadmin days, to seeing how security has evolved, is the management of privileged access accounts, different accounts. Back in the day, we called them Firefighter IDs and we had a locker in the data center that we had a key for that had a username and password that we would go in. If we needed domain admin access, we would go access that. That’s how they had it, and it would routinely be turned over. But nowadays, you need something like privileged access management to be able to control those passwords.
[00:18:54.810] – Phillip Wylie
Also, not giving people admin access. You’ve got admin accounts using things like sudo in the Linux and Unix world, or run as in the Windows world, where you can use these elevated accounts instead of using them full time. Because if you click on something as domain admin or root, then it’s executing at that level. That threat actor has access at that level. They didn’t have to crack a password or anything to get that. They just were able to get you to click on something, and now they’re running at your access.
[00:19:26.720] – Phillip Wylie
You run into this on web servers, because some cases, a web app or web server is the only way to get into an environment because it’s really secure. But the service account that’s running on that system, if you’re able to use some default creds for that system account and get access, now you’re running at whatever level. Some of the big mistakes I’ve seen companies do is it’s running it as NT system authority, admin, maybe even domain admin or root, and that just eliminates the need for privilege escalation for a threat actor. They’re accessing that system at the highest level.
[00:20:00.670] – David Puner
You told me prior to today’s conversation that offensive security is one of the most misunderstood areas of cybersecurity. How do you define offensive security and what are the different areas within offensive security, and why is it so misunderstood?
[00:20:17.350] – Phillip Wylie
Offensive security uses threat actor, TTPs, and tools to assess the security of a system, because if you’re just running a vulnerability scan, you see the vulnerabilities from the outside, but you don’t know what’s possible unless you have access to that system. During a penetration test, you’re trying to gain a foothold.
[00:20:36.260] – Phillip Wylie
Once you gain that foothold, you’re seeing if you can do lateral movement at the same level, access other systems in that environment. Or do privilege escalation, where you’re able to elevate your privileges to another higher level, and other post-exploitation type of activities is just seeing what kind of data you can access. Because as I mentioned before, not all these hacks and breaches are elite-level hackers. Someone with zero skills can go on the Internet poking around and find sensitive data or gain access to a system.
[00:21:07.030] – Phillip Wylie
With offensive security, you’re using these different type of techniques. With a penetration test, you’re going in, finding all the vulnerabilities and trying to exploit all the vulnerabilities. With an adversary emulation or red team, you’re going in trying to go undetected, you’re testing the endpoint systems, you’re testing the reaction of the technology and the security staff.
[00:21:29.470] – Phillip Wylie
That’s part of the test, not just the technology. It’s not just the technical weakness. You’re also looking for the reactions from the people as the capabilities to block. This is something good to be done with the pen test. Along with the pen test, you just wouldn’t really rely on just an adversary emulation because you’re missing out a lot of vulnerabilities. It’s something that needs to be done together.
[00:21:51.270] – Phillip Wylie
There’s another type of assessment called a security vulnerability assessment. This is where you’re running vulnerability scanners and then validating those findings and seeing if there’s exploits for it, but you’re not actually exploiting. It’s like a penetration test minus the hacking piece. There’s some instances where that’s important. If you’ve got like a hospital…
[00:22:10.940] – Phillip Wylie
I did a pen test one time for a hospital, a WiFi pen test. When I was doing my scans, I saw all these medical devices in the ER that were connected. When I saw this, just really was an epiphany to me, and I went back to the CISO and I said, « We really need to reevaluate this. I’m seeing these medical devices connected to the network. » They were just really wanting to see if someone could get on there. I was easily able to access that.
[00:22:36.230] – Phillip Wylie
But I went back to him and I said, « We should do a vulnerability assessment and do a configuration review of the wireless controllers and access points. » We go back and do a configuration review, test the security there, make sure that’s hardened, and just do whatever we can without actually interacting with the systems. Because someone’s connected to it, it could be a matter of life or death, and no one wants that on their hands, so there’s cases when you should do a vulnerability assessment instead of a penetration test.
[00:23:03.520] – Phillip Wylie
Part of the reason it’s misunderstood is not everyone goes in that route. Not everyone’s worked in offensive security. For me, I started out blue team, moved into offensive security, but if I hadn’t worked in offensive security, I really wouldn’t have thoroughly understood the threat actor mindset, or just seeing how easily these things can be hacked into and realizing the importance.
[00:23:25.990] – Phillip Wylie
That’s the reason it’s one of the most misunderstood areas, is the lack of experience. There’s a lot of experienced professionals, but as a whole, most people that are working in security or IT have no experience in that area. That’s one of the reasons it’s misunderstood. I think we just really need to bring that out there, because as far as people that are hiring consultants or contractors or even hiring staff, considering these, you need to be an educated consumer.
[00:23:51.230] – Phillip Wylie
You really need to learn about these different types of assessments, at least at a high level knowing what each one does and being able to set goals that’s going to benefit your organization. For that pen test, if you just go do something for compliance, you may be missing out on opportunities for other goals that you need to be focusing on to get the most out of your pen test.
[00:24:12.830] – David Puner
We’re recording this at the end of August, and as it turns out, you’re actually right in the middle of week one at Skype. What are you doing over there?
[00:24:21.040] – Phillip Wylie
Yeah. I’m the Director of Services and Training. Our services, we’re working with customers on purple team engagements, red team engagements, that type of thing. The product is where you can just get the product itself and run it on your own, or you can have our services to come in and we work with you on the exercises.
[00:24:41.690] – Phillip Wylie
One of the big values that we have that’s impressive to me and something I’ve spoke about… I do a talk on building effective attack service management programs. Some of the areas that are kind of newer in the industry that I think are advantageous for people to use is purple teaming. Because purple teaming, you’re testing different type of hacker tools, different TTPs that a threat actor would use, and tuning the system to detect and prevent that. You could have the best in world security tools, but if there’s too much noise and you’re not able to detect actual attacks, then you’re failing.
[00:25:16.290] – Phillip Wylie
I’ve performed pen tests before with companies where it’s a black box approach. No one knew the pen test was going on. I was gained access into the building, slipped into the building, performing a pen test, was there like 12 hours. Well, I was there and they didn’t detect me until 12 hours later. I got a password hash, cracked it, gained access to system, created a user account, was on there running all sorts of noisy tools because we were getting low on time.
[00:25:43.230] – Phillip Wylie
Because Nessus is not something you’d normally use during an adversary emulation or black box pen test, because you’re not wanting to go detected. We were so short on time, we were running out of time, I was running all these noisy tools that normally you should hear, and they weren’t detected. They didn’t know we were there until 12 hours later.
[00:25:59.960] – Phillip Wylie
If we had been an actual threat actor, we could have stole all sorts of intellectual property, different sensitive information, and escaped with it. They didn’t detect us until later on, because the person I was working with owned the consulting company and he called his cell phone from one of the phones in a conference room to possibly use for some social engineering later on, some phishing calls. He did that, and so they found his name. They knew him from the local community. He was part of the Dallas hackers community like myself.
[00:26:31.760] – Phillip Wylie
They saw his caller ID, and then they figured out who was, because when I created the user account, I just created Phil because I wanted it to be easy for someone to go back and clean up afterwards. I didn’t want it to look like a legit account that someone might miss and it’s laying out there unused that someone could take advantage of. They put two and two together knowing that I was part of the community. They knew me and saw that.
[00:26:53.970] – Phillip Wylie
But like I said, it’s 12 hours later before they detected that. Doing things like purple teaming to tune your endpoints is a big improvement, because otherwise you’ve got all this expensive tech and staff that’s missing some potential attacks.
[00:27:08.780] – David Puner
You’re a sought-after speaker and travel all over the world. I presume people come up to you all the time asking you for advice, how to get into the industry, maybe from an offensive security standpoint. What is some of the most poignant advice you give these folks? What are you asked most often?
[00:27:29.090] – Phillip Wylie
I get asked a lot of questions, but the best advice I could give to someone that’s wanting to get in—and this is any part of security or IT—is network. I would focus on networking virtually and in person. You meet people online, you get to meet them in person, so conferences and the different security meetup groups. There’s a lot of hackers associations around, as well as Defcon groups, OWASP chapters. You get more into the more corporate management style, the ISSA meetings that are more blue team centric, and then the ISACA groups. All these different groups are really good to network in.
[00:28:08.040] – Phillip Wylie
And expand your network. Don’t just focus on one. One of the things that I try to do and been making an effort, because I gravitate towards the offensive side… The Defcon group meetings and the hacker associations are the ones that I like to attend, but I make sure to try to make some ISSA meetings to meet with other people outside of the area that I work in, because that’s one way to evangelize offensive security and a good way to network. Because some cases, a hiring manager at an organization may not be going to Dallas Hackers Association, but maybe they go to ISSA meetings.
[00:28:44.380] – David Puner
I’m glad you mentioned the Dallas Hackers Association. You and Andy Thompson are both active in the Dallas Hackers Association, and Andy tells me that the hacking community in Texas is different from other hacking communities. What is it about the Dallas-Fort Worth area or this particular hacking community that’s so special to infosec and hacking?
[00:29:07.060] – Phillip Wylie
I would say we have a very inclusive environment. We’re very welcoming to people, all types and as well as all levels. There are some organizations that if you go to their meetings, you attend the first time. After that, when you come back, you got to be prepared to speak. That puts a lot of pressure on a new person.
[00:29:23.620] – Phillip Wylie
Because one of the organizations that Dallas Hackers was modeled after was that way. The founder of Waterfall had attended these meetings. I’ve talked to people who went there. They went the first time and they’re just… If they’re introverted, or a lot of people, you got to go speak and you’re new to the industry, you’re trying to break in, that can be difficult.
[00:29:43.660] – Phillip Wylie
With us or with the Dallas Hackers Association, they encourage everyone to speak and it’s a friendly environment. Some environments may not be so friendly to beginners. I’d say really how well they encourage the beginners. There’s been a lot of people that have launched their speaking careers. Andy, myself, Tinkersec, which was used to be part of our community, but he’s relocated. A lot of people have got their start there and it’s a real welcoming community and no one’s really judgy.
[00:30:14.920] – Phillip Wylie
Really it’s interesting, because in my opinion, it’s probably the one group that has brought more awareness and brought a lot of people into security. Because for me, I didn’t know we had a local Defcon group until I started attending Dallas Hackers and I found out about DC214 and attended that. Other people coming into these different meetings, they find out about these different groups, they find out about the North Texas ISSA and they attend those meetings.
[00:30:42.270] – Phillip Wylie
There, for a while, I’m not sure about now, but pre-pandemic we had two or three meetings per week in the Dallas-Fort Worth area of different types. We had Hack Fort Worth, Dallas Hackers Association. I was running a group called Pone School, which I rebranded my meetings in Denton as Defcon940. We had all these meetings and now, there’s probably not quite as many, but there’s still almost something once a week on security meetups.
[00:31:07.420] – David Puner
The talks, do they run the gamut or are they fairly focused?
[00:31:12.070] – Phillip Wylie
They can run the gamut. We had someone talking about how they create a block or security system for their gun safe using a Raspberry Pi. There has been people-
[00:31:25.210] – David Puner
What? How does that work?
[00:31:26.280] – Phillip Wylie
I forget exactly how it worked, but somehow or another, it controlled the locking mechanism or something, or monitored the gun safe using a Raspberry Pi. We have all sorts of maker type talks and blue team and red team, offensive and defensive type security, different hacking talks. Some people do talks on coding and stuff, just how to write code and different types of development. It’s pretty broad focused, although I’d say probably most of it is more oriented around hacking.
[00:31:57.420] – Phillip Wylie
But then you get into the ISSA groups, you don’t see as much of the offensive security element there. It’s more of the defensive side and management. But the Dallas Hackers Association, DC214 and DC940, they have a good mix of offensive security as well as blue team stuff.
[00:32:16.410] – David Puner
Back to that Raspberry Pi hack for a moment. Was the Raspberry itself part of the hack or could it have been any kind of Pi?
[00:32:24.120] – Phillip Wylie
Yeah, it was just part of the system. It could have been any Raspberry Pi set up to control the gun safe. I really don’t remember if it was just monitor or controlled the locking mechanism. But that’s just some of the things.
[00:32:35.670] – Phillip Wylie
There’s another guy that goes there that he created some device because his neighbor’s dog kept barking, so he made this device using Raspberry Pi and all this other stuff. If this dog did that… I’m not sure what the outcome was. I think at one point, he was getting it to deauth their WiFi, so whenever their dog would bark and wouldn’t shut up, they would lose their WiFi. I know that was probably the plan at first, but I forget what he did exactly. But just different little projects like this have come out of that.
[00:33:08.620] – David Puner
What can we do with a peach cobbler?
[00:33:15.070] – Phillip Wylie
We actually had a guy one time do a talk on pirates. He did a talk on pirates in this one area. Just the history of these pirates in a certain region, how they operated. That was just one of the talks. So it’s not always even security-related.
[00:33:30.670] – David Puner
Sounds like a lively crew, and I’m guessing a lot of MacGyver fans in that crowd.
[00:33:35.560] – Phillip Wylie
Probably so.
[00:33:38.950] – David Puner
Phillip, you’ve got a lot going on. We could probably talk to you any which way for many more hours, and I think testament to that is probably your podcast, The Phillip Wylie Show. How often does that come out and where can folks find it, and is there anything else you’ve got coming up you’d want to plug?
[00:33:58.660] – Phillip Wylie
As far as my podcast, it’s Phillip Wylie Show. You can find it on all major platforms, including YouTube. It’s available in video on YouTube and Spotify. I’ve got it distributed to just about every platform out there, at least the most popular ones. I’m even on iHeartRadio and Pandora. It’s very easy to access. I have a good mixture of people that are kind of sharing technology, and then some of it is people’s background stories on how they got started.
[00:34:28.570] – Phillip Wylie
One of the things I think is very important and one of the things I saw with my previous podcast, The Hacker Factory, is sharing these stories of people getting into the industry help encourage other people. That’s the big thing we need, is to encourage others. Sometimes people have a lot of self-doubt, and when they see others similar to them doing it, then it encourages them. You can find that under The Phillip Wylie Show.
[00:34:51.280] – Phillip Wylie
Then also coming up, I’m speaking at Texas Cyber Summit, 28th, 29th, and 30th of September. Then I’m speaking in October at BSides Ottawa. I’m doing a keynote there. Bsides Albuquerque, I’m keynoting there. Keynoting at Black Hat Middle East and Africa at Riyadh, Saudi Arabia in November. That’s most of what I got going on.
[00:35:15.060] – David Puner
Phillip Wylie, thank you so much for coming onto the podcast. It’s been a pleasure. Have a great fall and we’ll talk to you sometime down the road.
[00:35:22.780] – Phillip Wylie
Yeah, thanks. It was an honor to be on. I appreciate it.
[00:35:34.650] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. Drop us a line if you feel so inclined. Questions, comments, suggestions. Which, come to think of it, are like comments. Our email address is trustissues@cyberark.com. See you next time.