Cyber Security and Pentesting with Zaid Sabih of zSecurity

Zaid Sabih, the founder of zSecurity, talks with Bret about cyber security, pentesting, ethical hacking, and career choices.

You're listening to DevOps and Docker Talk, and I'm your host, Bret Fisher.

These are edited, audio-only versions of my YouTube
Live show that you can join every Thursday at bret.live.

This podcast is sponsored by my Patreon members.

I'd like to thank all the paid supporters that make this show possible.

You can get more info and follow my updates on all the content
and open source I'm creating at patreon.com/bretfisher.

And as a reminder, all the links for this show, the topics we discuss,
as well as the links I've already mentioned, are available
on the podcast website at podcast.bretfisher.com.

All right.

We're back this week with another show from the 2020
archive with a friend of mine, Zaid Sabih of zSecurity.

So if you go Googling around it, look for zSecurity with no space.

And he's got a great website.

All this is in the show notes.

Around security, pentesting, vulnerabilities, all sorts of really interesting
security topics and also has a fantastic YouTube channel that is very popular.

Of course, he's got courses on Udemy.

At this point, I think he's got over 700,000 students, he's quite popular
on the internet for all of his fantastic ethical hacking courses and videos.

We go on a deep dive about all the content he's creating, what you can find out there.

And then we just get into a bunch of topics from Q&A that people are asking questions about.

And we're a little bit all over the board, but I found it really interesting.

I learned a bunch and hopefully you learn some stuff too about
security topics in IT, ethical hacking, and a whole bunch more.

What's up, Zaid, how are you?

Good.

I'm glad to have you finally on this show. Like, tell people who you are.

So my name is Zaid, like you said.

Right now I run zSecurity, so it's a cybersecurity company.

And we do a number of things at the moment.

So we teach courses, we teach ethical hacking.

So mainly we do everything related to cybersecurity.

We teach courses, we provide a lot of free resources as well.

So on the YouTube channel and on our channel, lots of free articles,
I started basically just providing free stuff on the internet.

That's something I enjoyed.

So I kind of brought that back recently, not recently, two years ago.

Other than that we provide other ethical hacking and cybersecurity services.

So we provide consultancy, pentesting, code review.

We also have our own VPN company and we're working on our own bug bounty platform at the moment.

We're doing competitions as well.

So places for people to practice hacking legally and they win prizes.

If they managed to hack the companies or whatever, obviously
not real companies, the targets that they get.

So yeah, lots of different services, all revolve around cybersecurity and ethical hacking.

That's a lot, I forgot about the VPN and I didn't know.

I mean, you've got so much stuff going on.

It's really cool to see you and the team, like all the ideas coming out of there.

Yeah, definitely check them out on zSecurity, Twitter over here, I'm putting
some of the links in chat, and the YouTube channel I've put up there.

So definitely go check that out.

Especially if you want to kind of understand some of the internals of what's going on
underneath your systems and how to break them and figure out how they work and stuff like that.

That's what hacking's all about.

So definitely look up why hacking is legal, because lots of people look at hackers as criminals.

So yeah, if you think they are check out that video.

We have lots of topics.

We could go down rabbit holes for hours and we have, so this is all about community here.
Some of you are from DevOps, some of you from security, we've got this nice mismatch today.

So let's talk about where they intersect.

Okay.

For a lot of us in DevOps, our job is to take code that the developers
are making, maybe we're the developer, maybe there's someone else
making the code and then we've got to get it in front of customers.

So that means we've got to figure out how to test it, make sure it works properly.

Maybe scan it for CVE vulnerabilities something like that.

And then we've got to get it on servers that might be in a
data center on the internet, or maybe just in our own house.

So a lot of us, when we think about security, it's such a huge topic.

The first thing for containers we tend to do nowadays, because a container
allows us to have this single object of a tarball that we can do a security scan on.

So it's become really easy in the DevOps space to just take
the tarball of your application and all its dependencies.

So if it's Python, it's your app plus Python and all the pip libraries and all the things that you need.

And you can scan that as its own entity and basically dump
out a nice CVE list, which we didn't really have before.

Like, before containers, we had to scan servers and then that was very dependent upon the server it was on.

But now we can just really focus on the container itself.

So beyond that though, a lot of times, I don't know
what advice to give people on how they can check.

I mean, pentesting is a word, but what are we really talking about?

I can install the app on the server and I can run it, but then how do I even
know what a hacker might do or what attempts they might make in my system?

I don't even know where to start from there.

Yeah.

So that's why even now, when we're building something, building our own,
for example, whatever platform, like we're building a bug bounty platform right now.

So we usually separate the development and the testing from the security testing.

Like you said, you can do all these tests and pull a list of all the CVEs and all that.

But usually, as we're developing, we're trying to make sure we're
following everything to make sure that it is as secure as possible and all that, but we don't pay
too much attention to what the hacker would do if he has this platform right in front of him.

So we wait until the end, until we're happy with everything we've done.

And we actually just literally try to hack the website
again, the same way that a hacker would do, because they
follow different methods than what you're thinking of.

Cause usually when you're thinking, if you're developing something you're kind of stuck
within the function or the method or the goal of your code at the moment, and you can't
really think outside the box or think if there is another function in your website or
in your whatever platform you're building that could be combined with this function.

And both of them would actually result in weakness.

So we always wait for everything is done.

Everything is ready basically to give to the client or ready to go public if it's our own platform.

And then you go ahead and try to hack it.

Even if you don't know the code, because most of the time hackers can't really see your code.

If you develop this in-house, unless you're using a ready-made program, like WordPress or something else.

You kind of pretend that you don't even know the
code, you simply start by using the actual platform.

So what it is, is it a social network?

Is it just a video website?

What is it?

So you start using it semi the same way that the users use it.

If you can sign up through it, we're going to sign up.

If you can upload pictures, we're going to upload pictures, you test every single functionality
of it and see if any of these functionalities or any of these features can be exploited in
any ways to gain any kind of access or even get information that you're not supposed to get.

Sometimes you get tiny little pieces of information and they might
seem insignificant, but then combined with other stuff on other
information, they actually add up to something that could be very useful.

Wow.

That's a really great explanation.

Yeah.

When you're not working with professionals like yourself every day, cause a lot of companies
don't hire people like you, right?

Like they don't, they don't bring in these whether it's inserting or right.

Which is like, when they don't.

It's kind of like the whole crypto situation with, oh my goodness.

When they encrypt your data and then they ask for money.

Oh yeah.

The

human rights.

Ransomware.

Thank you.

Oh, we got ransomware.

Can you get rid of it?

Well, they use the very strong encryption right here.

Yeah.

Well, we have backups that we can restore.

Well, yeah, but it'll take like three days.

Maybe we should have asked that question before the ransomware.

So that's the same problem.

I think with a lot of security stuff is it's not a problem.

And it's just like, to me, I mean, ops has a little bit of that challenge
too, because I come from that sysadmin background of managing servers.

And if you do really well out of the gate and your servers never go down, then no
one thinks ops, operations and monitoring and auto failure recovery, is important.

But then when it goes down, no one knows how to bring it back up.

No one even knew it went down.

Cause the monitoring kind of sucks.

You're, you're, you're doing layer eight monitoring where it's
basically the customer that tells you that things are down.

Then that's when the company suddenly cares about it and they want to spend some money.

Yeah.

Yeah.

It's because it's hard to measure the benefit out of getting a pentest
done, because, for example, companies know if they
spend a thousand dollars on marketing, they'll get, for example, 1,500.

That's why they scale that up to hundreds of thousands,
because they know how much they're getting back.

Whereas with a pentest.

Yeah.

Like you said, you might actually have a very secure application and I might come in and
do a pentest and discover nothing, or I could discover stuff that will save you millions.

So there's no way for you to measure what's the value of the pentest.

And when I asked for a high price, you'll be like, Hmm, do I need to
spend that much money on whatever company or whatever platform do I have?

And what's the value that is added into the company because at the
end of the day, everybody's is just trying to maximize their profits.

So yeah, that can play a big role in it.

That's a great point of view too, because Tech is business, right?

Every company might be a tech company nowadays, as the saying goes, but it's still a
business and they still they're still gonna minimize the cost and increase the profit.

All right.

So we already got some great questions in the chat.

Can you tell us whether a bounty job, doing bounties, is better,
or is having a job better?

What's your opinion, what's your take on that?

It depends on what kind of a job that you're doing chasing bounties
is fun and is good if you're really good at it, but you could be
chasing a bounty for about three months and it turns out to be nothing.

But then at the end of the day, it might actually be a valid one and you
get paid like 30 or 40 K, which will set you up for another six months.

So it's, in my opinion, it's a bit risky because you could like potentially you could go for
a little bit without discovering anything, or you might be heading in the right direction.

And someone else is actually after that bug and he just discovers it a day before
you, and then your three months' worth of work are gone.

So it is a bit, you're not really, yeah, you're not guaranteed.

In a job, obviously you might be paid less, but it's more secure.

You could go for bounties while you're in jobs.

A lot of the time, a lot of jobs don't ask you to not work on bounties.

So you could do both at the same time if you wanted to.

And this is more of a personal choice, but I think if you're asking, can you do bug bounty full-time? Yes. You can.

There's lots of people doing it and they're actually earning a good income.

It's possible, but it's a personal choice.

Do you want to do it or not?

That's up to you.

Yeah.

Yeah.

It's also like your risk tolerance is a part of this, right?

Because I, as us owning our own businesses, our risk tolerance
is a lot higher than someone who might be comfortable in a job.

But I would also say, look at your own evidence.

If you have never successfully finished a bounty and got
the money, then you probably shouldn't try that full time.

Right.

Like a good idea.

Like if you're

Part-time and see how it goes and then ready to guard.

Yeah.

Yeah.

That makes sense.

It might be harder than you think it is.

There's a reason these things are paid so much money.

It's because most people can't find them.

Wired had a really great article recently, by the way, on some of
their, like, OSTP hacking teams or whatever. I don't know if you saw that.

Yeah, I gotta bring that up just because I thought it was pretty cool.

I'll look it up later while you're talking on something, but that's a good article.

I wanna throw that out there cause I learned a lot from it,
just talking about the people that are doing this, right?

The people that are hired to do this and working full-time in a company,
just trying to find vulnerabilities. Some of the big
companies can do this, but most companies can't pay for it.

All right.

Next question.

We would love to hear , about your journey from
student to pro hacker and establishing such a company.

Okay.

That could take some time.

Should I?

I should possible.

So it all started when you were a baby?

I actually was pretty young when I was interested in it.

I think I mentioned this now a few times.

I get asked that question a lot so, yeah.

I was younger.

First class, they call it here first class.

So you'd be, I think, about 13 years old. I was 12 years old and there was a challenge between me
and my friend, back in the Yahoo Messenger days, to hack into each other's Yahoo Messenger.

I hacked into his, enjoyed it.

I felt it was really cool.

So I started learning more about it.

And then I discovered you can actually do this for a living.

So I was like, okay, that's all I want to do for living.

And yeah.

So from there I was involved into lots of hacking communities, so contributing pretty
much for free all the time and all that, but that helped me build up a name for myself.

So eventually I started working in a cybersecurity company even before going to college.

So even before I started in computer science, I was actually
working as a pentester, which is what I wanted to do.

But I went to college because I felt I learned more and I'll have this
as a backup plan in case I, my income wasn't great or something happened.

I can always just go back and work in whatever degree I get.

I studied computer science.

Cause I felt that would be very relevant to ethical hacking and cyber security.

And actually it turned out to be very relevant.

So even though we didn't do a lot of security topics in there, it helped me understand
how lots of systems are designed and how they work and how things integrate with each other.

Obviously learn more about programming and all that more about networks.

So things really clicked like a puzzle much, much better after that.

And throughout college, throughout the four years, I continued working with ice security
as a pentester and I actually published two courses throughout that time as well, teaching.

So by the time I graduated, I got offered a job with Fidelity.

I don't know if you know it, you should look it up.

It's a big company.

As a pentester, dream job, that's all I wanted to do.

But I felt like I can take the risk at the time because I just graduated from college.

I'm used to having low income.

So even if I go for a year with pretty much no, or very low
income, just from the income I make for my security, it was fine.

And I thought in 10 years when I'm 30 or 35, nearly 30 now, but when
I'm 30 or 35 it will be harder to take that risk because obviously
I'll have more bills and I'll have more responsibilities at the time.

I decided to actually take the risks then, because even if my own
company or whatever idea I had, if it doesn't work, it's fine.

I can survive for a year and then go apply for a job.

So I said no to the Fidelity job, started my own business and it did well.

So here we are.

That's actually a pretty cool story.

I didn't know all of that, so that helped. Real quick, there's some questions in chat.

Definitely.

Some people know you on Udemy, cause they're asking about stuff on Udemy.

You can also get him on his website, but, you know, he has half a million
students, people, that's crazy, and everything about ethical hacking, Python.

It's just a ton of stuff here.

So one of the questions in chat was, what language must
we take after taking your Python programming course?

Is Python the only language you're teaching on here, programming-wise?

Yeah.

Yeah.

So

Learning languages and I think I'm interested to see what's your opinion in this as well.

But in my opinion, there's no point of just tacking up different programming languages.

If you know how to program properly in one language, you should be able to learn
other languages quickly and pick it up and build whatever you want to build.

And in my opinion, each language excels in a certain field or in a certain goal.

So depending on what on your goal pick up a language that
helps you do your goal, and then just learn it as you go.

If you learn Python now from one of my courses, you really don't need
to go and take more programming courses, unless you actually need to
learn that language for a specific goal that you're trying to achieve.

A lot of people ask me about like, what's the best language.

And I was like, well, you can go for the most popular language if
you're trying to look for a job and you're trying to, and you're you
want to be the most marketable, but that's probably going to be Java.

So that may not be the thing that you, want to do.

It might be the most useful thing.

But the, each one of these tools, the more you learn a language,
the more likely another language is going to be easier to learn.

Anyway.

I find that, after 25 years of doing this, learning something new, like that, it's more about
learning the ecosystem than it is just the curly brackets and where the square brackets go.

And how do you do a, for each statement?

And like, those are the things that you learn, but that's pretty quick to learn.

It's really about the, you know, when I went to Node for
the first time and I was going from C# to Node.js,
I had to learn, like, npm and what npm packages were good and
which ones I should use and how that whole ecosystem worked.

And that spent, I spent more time on that than learning JavaScript, I think, because it,

and what conditional statements are and all that, basics, that's it.

So you're done with that.

So once you learn that once you've learned it,

yeah.

Like, I might be able to read Python all day long, but I don't know how to
build a properly secure web server in Python, because I don't know what
the right packages are, which ones are up to date.

What extra things we always need on top of that.

That's, to me, the nebulous part, that's why you take a course,
in my opinion, like you can learn a language pretty quick.

It's very quick now, because you know programming and
you've built it in other languages, you know what to look for.

So even, like you said, you don't know what package is, but then you
now go and Google latest Python whatever package, and then you'll see the result.

Yeah.

And I would say, because I get this question a lot in DevOps.

Because people that are in the middle there where , they're
a little bit of operations, a little bit of development.

They often think they need to know languages really well, which in most cases they actually don't.

They just, they need to be able to read code, but they, but in a DevOps role, or
specifically in someone who's taking code and turning it into production quality systems,
you usually need to know package managers much more than you need to know the code itself.

So you need to know how do I, how do I install the dependencies?

How do I properly, what permissions do I need to set on these
directories and files to make the dependencies work?

And so for a lot of them, I always tell them, learn one language.

And then once you get into a job, you'll probably know like the team will be using languages
and you'll know that you need to learn that one probably to help them with their stuff.

So that'll be,

we can probably go to, and you'll be, you'll be of it.

Yeah.

You definitely don't have to be an expert to be able to
just work in a DevOps field or something like that.

Yep.

All right.

Yeah.

The average payment of a pentest.

That's an interesting question.

I don't know.

I'm sure that there's all prices for a pentester, for an actual pentest.

I think I'm going to guess an actual pentest.

Yeah.

It depends on the size of the company.

Yeah.

Yeah.

And what they want.

How many systems?

What we were talking about earlier, I want to make sure I get this in there,
cause I keep remembering. So there's a Wired article on Maddie Stone.

She's a bug hunting engineer at Google and it's kind of, it's just a profile
piece on her living out in California, working for Google, hacking stuff for a living.

And it, the article is really cool.

Cause it kind of goes into breaking down the stereotype
of what a hacker is and what a bug hunter might be.

And then it doesn't have to be like this guy in a hoodie that
sits in a dark room and doesn't see the sun with the green terminal.

Yeah.

I mean, there are those, but anyone can do it.

It doesn't, the background and who you are as a person,
doesn't define whether or not this is an option for you.

Which is good because I think there's a lot of people that are
interested in this stuff, but don't know how to get into it.

And I thought that was a pretty cool piece.

Yeah.

Yeah.

I mean, there's lots of stuff about the hacking world.

Like people think you have to be a genius or, like, super
intelligent to be a hacker, but it's not, it's a skill.

Like you go, you learn it.

And if you put enough time and effort, you're going to learn it and you'll be good at it.

It's just like picking up any other skill.

What is the hardest thing you ever, you guys faced when you got started?

The hardest thing business-related, or I guess this is a business question, isn't it?

No, well, I was assuming it was career, but it could
be either. Like, what do you think?

I think it was because I had to start everything.

There was a lot of the time I had to make decisions.

Like, I had to improvise and I had nobody to go and ask because, if you're working in a company,
you always have your team leader and then the team leader has the CEO and so on, whatever.

Whereas there was lots of in my, in my case, like I was in
terms of the skills, I was happy with the skills that I have.

But then again, there's so much more than just knowing what you're doing.

If you want to start a successful business, and that was
the trickiest part, still is the trickiest part.

Sometimes I'm sitting here and I'm not really sure
what's the next move or how to react to a certain event.

But yeah, it's, it's part of the fun.

It's not always the same, so I'm happy with it.

Yeah.

How do you stay updated in the field of cyber security and hacking?

You just follow all the, you know, news websites and conferences.

Yeah.

You have Black Hat and DEF CON and all of them, they always publish all the talks, even
if you couldn't make it, usually there's lots of good stuff in there.

Yeah, just follow whatever websites keep posting
about that stuff. Follow zSecurity, we'll keep you updated.

It's funny.

Cause I'm thinking, well, the decade
that you ask that question would change the answer.

So I'm a little old, so you all out there that haven't
been on this channel before, you can see I got a little gray beard on me.

Back in the nineties, I got my first computer, late eighties, around 1990.

And back then, this was it, like hacking was not a common vernacular, and 2600 magazine, which
they didn't have a website for, because we barely had the internet available to consumers.

So you'd have to go to, like, a comic book shop or something like that,
and they might have it. It's a little magazine.

And they're still around.

They're still kicking it 30 years later.

Yeah.

It's where I learned about phreaking for the first time.

And how to, Captain Crunch and, like, all the celebrities of the eighties and
nineties that were hacking phone systems, which was really kind of like,
that was the internet before it was the internet, was figuring out how to hack the
phone system and get free long distance and make phone calls and all that.

So this thing is still around.

There was a website there. It was called, now, well, it's been a while that it's gone.
It was called Milw0rm. It's a very similar theme.

It doesn't work anymore.

It's gone.

Oh yeah.

You have Exploit-DB now.

So it used to share all like the new exploits and vulnerabilities and some, some papers and stuff.

So that's my back in the day kind of thing.

What's crazy is they still make a magazine.

This is like, how cool they are.

They still have.

Yeah.

It's always been known as The Hacker Quarterly.

So if you like paper and you are tired of reading the internet every day, all
day I would highly recommend just supporting them, getting a subscription.

You can, you can get something in the mail.

That's not a bill or spam or or whatever.

So it would be it's, it's kind of fun to go retro and have
a, a real thing in the mail that you can sit around and read.

I forget the last time I actually saw them in the real world,
because I, stopped subscribing to magazines, many, many years ago.

And you used to go to, like, a Barnes & Noble or some sort of bookstore, and
since they were smaller than all the magazines, they'd have to get hidden
in the back, they'd be thrown in with the comics. The people that were
running the retail didn't even know what this thing was. What is a hacker quarterly?

So they didn't know if it was comic or if it was what it is.

So they would always put it in the wrong place.

It was kind of crazy back then, but I think I learned my
first set of, like, programming and it was, like, a lot of DOS stuff.

Cause this was back in, like, early Windows days, pre-Windows 95.

So you would, you would see stuff about DOS or stuff like that.

It was a lot of fun.

Anyway, I'm showing my age.

Let's get back to some questions.

I'm a fresh graduate who just graduated from an information technology degree.

May I know how to find a good path to get a job related to cyber security?

I bet you get that question every time you're live on the internet.

I do get it often.
I actually have a video how to become a hacker.

And it basically says what you should do in different stages.

So whether you're just graduated or if you're still in school or
if you're actually working in it and you want to work as a hacker.

But anyway, the answer to someone who just
graduated, in my opinion, is to get a graduate position.

So that would be similar to what I got offered in Fidelity.

So you'll actually work as a pentester.

You will get paid.

It's an entry position, but you will be paid and it's usually not bad.

At the same time they will train you and they'll even pay for you to go and get
certificates like the OSCP and CCNA and other good certificates in the field.

So if you just graduated, I think this is the best thing to do because you're
also with all of these products, you're also getting into the industry.

So you're already now at a junior position as a pentester.

So the next step is a more senior position.

Yeah.

You've got such a great amount of stuff on your YouTube channel. I
had a feeling that you were going to say, I got a video on that.

Cause if you just kind of scroll through...

I usually make videos on the questions I get asked the most, because it makes sense.

And sometimes it's hard to, it's better to answer a question
in a video, especially if people ask about it a lot.

So it's even easier to tell them to go watch the
video because they'll actually get an answer as well.

A 15 or 20 minute answer or something instead of a two minute answer.

Yeah.

Well, I had a burning question, so I'm going to be selfish for a minute and change the
topic, because we've got some great questions, we'll get to them in a little bit.

But as someone who's helping companies deploy software, I'm kind of
curious about where, you know, I understand how all the
security knobs on Docker and containers work and, like, where I need them now.

Maybe not all of them, but I, I feel like I know it pretty well.

In fact, I've got for those of you that have not been on this channel and
you're interested in things like Docker and Kubernetes and container security.

I have a, I have a URL bret.show/securityfirst.

And this actually goes to a question.

I get a lot about how do I lock down Docker?

How do I keep it secure?

How do, what are all the things I should turn on?

And the way that I approach really any system security, assuming you've got
a program that's running on a server somewhere, I'm not going to focus on desktop,
none of that stuff, on mobile. Just my world is servers on the internet or
servers in data centers, usually Linux, but not always, sometimes Windows.

And so I always look, I always go down.

My, my mental framing of this answer is about the biggest bang for the buck and the easiest.

So there's two factors to me, how, how what's the likelihood that this will actually improve
real-world security versus theoretical security, because I know a lot of things are like, you
can turn that knob, but it's not really, it's very rare that that's ever going to be exploited.

And then how easy is it for me to implement in the
team or on the systems and the caveats of all that.

So for those of you watching, I put it in the chat. It's a refined
list that people keep coming at me with and we just go, it used to be a top 10.

Now it's like a top 15.

And it's really focusing specifically on Docker and containers and
Linux and the, and basically the top one is the one you approach first.

And then by the time you get to the bottom, you're dealing with, like, full
pipeline SHA hashing of code to guarantee that nothing's changed in production.

We call that Docker Content Trust and secure pipelines, to make sure that what's running
on the server is actually what you committed in your Git code and all that stuff.

So it gets really complicated down at the bottom.

We talk about rootless stuff in there, about not
running as root, cause Docker by default runs as root.

So once I've done that, and I, so assuming that I understand my system, the real question
that I was wanting to talk about was like you as a pentester, if you're coming into my company
and I'm going to set up an imaginary scenario, like I've got a, it's a typical web solution.

So it's got a web front end, a web API.

It's probably got a database backend.

Maybe something that's like a queue system.

So I've got some ports open, but they're probably going to be HTTP primarily.

If I'm bad at this, I probably have accidentally opened up some database ports.

I'm assuming this is on inside a private cloud or inside of a data center.

What would you from the outside?

Like if you're, if you have no access to my systems, I didn't give you a, an account.

How would you, do you have a top three things that you'd probably be looking at to
see if they're like the common, the common ways that people would exploit my system?

Yes.

Yeah.

I actually sometimes get asked a lot of the time as well.

They're saying, oh, in your course, you don't cover Docker.

So it's not like the latest, it doesn't matter.

Okay, well, the matter is, like Docker and other technologies.

They do have their own weaknesses and their own vulnerabilities, but in real life, and you know,
this, if you're deploying or if you're running an actual proper platform or website or service,
you always will make sure you have the latest version of whatever software that you need.

So whether it's Docker, whether it's Apache, your web server, your Linux.

You will, the least you could do is make sure that you're up to date.

Therefore this makes the whole kind of what it's running on.

Kind of irrelevant, because unless you have your own private vulnerability, or if
you're able to actually dig into Docker and discover an actual zero day exploit
that nobody has discovered before, it's irrelevant that it is running Docker.

Because to be honest with you, I don't think I can discover
an actual vulnerability in Docker that nobody has discovered yet.

And even if I can, it'll take me way longer than a pentest would take me.

So when I'm going on a pentest, I'm not going to try to discover vulnerabilities
in Docker, because if I can do that, I can submit it to them and just get a
bounty for it, or even go sell it on the dark net and make a lot of money.

So that's.

I'm going to see what you have installed on your Docker, and therefore whether it's
installed on Docker or a normal Linux is really not going to make a difference.

So you're going to have some kind of a web server installed.

There, you sit on HTTP.

I'm gonna see what web server it is.

I'm assuming it's going to be up-to-date because that's, what, the least you could do again.

So I'll still just check what it is, make sure that there's no weaknesses in it.

There won't be.

And then I'm going to go on the web applications installed on this web server.

And usually this is where you find most vulnerabilities because their attack surface
expands depending on whatever your developers have developed and because your developers.

It goes through a number of things.

They could be behind deadlines, they could miss things, they could overlook things.

There is a very high chance of me discovering a weakness in there.

And then I would use that weakness to.

It depends on what it is if it, if it's an SQL injection or if it's
a privileged, just whatever it is that allows me to gain whatever
access I can and see if I can escalate this access to higher access.

If it lets me find any kind of user information, or if I can get the admin password,
or if I can change the password, can I chain this with a social engineering attack?

So I might not actually find a vulnerability that lets me get the password for the
admin, for example, but I might be able to chain it with some attacks that will make
me steal the admin cookies and then log in with admins, cookies, stuff like that.

Yeah.

That's kind of, I'm glad you're saying all of this.

To a certain extent, like once you've done your due diligence on understanding the proper security
knobs in a system, I've been under the assumption that a lot of it's just relating to your app.

Like it's, it's, and that the reality is like me
being in there in the real world, unless you're hot.

When you hire a pentesting company, typically it's kind of like before a financial audit, right?

Like you're not going to ask for that and pay for that and not have updated your stuff.

Typically yeah, yeah, yeah.

So it's going to be the most secure before you've paid
for a pentest or a financial audit or any type of audit.

So my experience in the real world is it's a shit show out there and nobody's really up to date.

Like no one is current, every application is at least one patch level old.

I feel like a lot of companies and it's hard.

I mean, I'm, I have sympathy because.

In the business is still trying to move forward and usually
to update things for most companies requires downtime.

Like most people are not still on the five nines internet,
always up a vulnerable, type of, type of workload.

Most people are still very traditional outage windows, multi hour windows to kind of things.

And even if you had the latest kernel patches on Linux and then the latest Docker release,
and then the latest version of Apache, you're probably on an outdated version of PHP and
Apache or an old version of the PHP add-in that you're using, like to keep all these things.

I mean, and in an average sized team that I'm working with, it's maybe 20 people,
there are hundreds of dependency packages that they don't even write, between the
kernel and the web server and the language and the packages and its dependencies.

If you're in Node.js.

For example, my typical company's probably got a gigabyte worth of
JavaScript dependency libraries, usually 50 to a hundred of them.

And how could any.

We're setting ourselves up, essentially, this internet thing of ours may not actually turn out
to be a good, a great idea because we're setting ourselves up for any system can be hacked.

It's just a matter of time.

It's just,

you know, it doesn't matter.

Or what I meant also by the latest update, isn't the latest, latest update that they released.

But I mean the latest update that does not have any critical vulnerabilities, because
I noticed that people are actually like lots of companies, at least the good ones.

Are at the latest update that doesn't have anything critical.

So anything that would let me, you know, gain access to you like this, because there are,
like, every now and then you do get vulnerabilities that, literally I need a
few commands and I'm in, and you don't really find these a lot in the real world.

You find them in CTFs, capture the flag competitions.

But in the real world, you don't find them that much, at least with big companies.

Now you do find that a lot with like smaller stuff.

If you're searching there's a thing, they call it dorking where
you basically just go in and search for vulnerable servers.

You will find lots of vulnerable servers, but like finding it in your target.

It's, it's, the chances get much lower.

Yeah.

Yeah.

I'd say that.

Obviously if your job is to find vulnerabilities, it's probably going to
be harder than if you're just randomly looking for the weakest link on something.

Yeah.

So I'd say that those of you, I mean, there's, we've probably
got two, at least two sets of audiences here in the chat.

Those people that are, that are here to defend.

And they're from a, maybe from a DevOps perspective and they're, they're managing
systems and their job is to protect those systems and protect the code on it.

And then there's probably people that are in the security industry that
are maybe their job is to point out flaws to find flaws, stuff like that.

And the reality is it's hard on both sides.

And it is, it is especially hard for the defenders because in my world, the
velocity of software change is basically everything we do now isn't fast enough.

No matter how, if you can, if you can update every day.

Yeah.

I mean, you're constantly being pressured to go faster and faster to release more often.

And that always requires a compromise of some sort,
and it typically requires a compromise in security.

However at the same time, I feel like we're, we know now that we have these, we have better tooling.

If people are new to this channel, you can go back.

We had, we've had Snyk on this channel, S N Y K.

They're a security company that helps you scan code, this concept that we call shift-left security,
where you're, you're basically trying to put the security tools in the hands of developers.

So there's a great tool, for example, for VS Code, the Visual Studio Code editor.

That's open source that will actually in node.js, look at all your dependencies
in real time while you're in the editor and tell you how many critical CVEs there
are for that version of the dependency that you may have pulled down from the
internet, and it'll show you in your editor so that the developer knows, oh, wow.

I'm about, I don't want to submit this code.

It's probably gonna, it's going to be flagged by.

True, but see, yeah.

That's that's that's good.

But then, then again, the developer can still make mistakes that will make your application.

Yeah.

So that's, that's the other problem other than the CVE.
The CVE does solve a lot, but it doesn't solve everything.

Yeah.

It, it, it is actionable intelligence though.

And I think that's one of the challenges I have.

You being working in security, from my point of view,
there's a lot of security theater in the marketplace, right?

Like, the scare tactics of like, you got to buy our tool, you're, there's so many companies
out there that are on the fear, uncertainty and doubt pipeline of, of selling their goods.

Yeah.

And there's lots of companies that would market their software as, get this and it'll
automatically scan everything and you don't need a pentest, but then again, they're going to
scan the CVEs and all that, but they're not really going to mimic what an actual hacker will do.

The hacker will not use one of these tools.

Yeah.

He might use them if he was lazy or just as a double-check.

At the moment.

I don't think our AI is as smart as the humans that we have.

I think we can all agree an actual human testing your software will
always be better than all of these tools because the human might also,
and will also be using other tools that will enhance his skills.

So the human will always be better right now until somebody comes in with proper AI.

Yeah, the, I mean, when you look at a lot of these big, these big hacks when it comes
to a lot of this stuff, it is, it's just been social engineering in a lot of cases.

And the, the, the automated tools seem to be pretty
good at essentially just finding unpatched systems.

And then, and exploiting those and CVEs and all that, yeah.

Yeah.

So when you, when you do a pentest or some sort of an audit
and evaluation of a, a team, if you're, if you're focused on.

People like myself, which is largely what people that show up in this channel are
people that are responsible for deploying software onto servers that run for customers.

Do you have a top five defensive, like these are the things you probably
should have, should you have an antivirus scanner on every server?

Should you have a continual sort of CVE scanning thing or, there's
like other tools like that in the, in the ecosystem that you kind of.

As

there are lots of tools actually, that would yeah, they, they, you can schedule them and
you can program them in a way that they will always scan your system every X amount of days.

And there's ones that would scan it, every update.

So in case, you know, you push some new feature, whatever, they'll automate, it'll
automatically trigger whatever scans you have, and you can configure them to scan like
specific parts of your code and even run specific attacks. We can manually, you know, if
you have a certain input, you can actually manually program it to test that input.

So whenever you update the value entered into an input, how
that value is handled, you can have that test automatically run.

So there's, yeah, there's all sorts of tools like this, but then again, in my opinion,
these are good to maintain whatever system you have, but at the start you need to
have your pentest and then maintain it this way or maintain it with a bug bounty.

A lot of, a lot of the time people think, oh, I'll have a bug bounty.

And I want you to pentest.

No, a bug bounty is good to maintain what you have, what you need to start
with a good pentest, at least, at least like at the start, that's the minimum

you could do kind of a baseline, right?

Like this is where we're going to start from.

Yeah.

Yeah.

I like it.

Well, we've got a ton of questions in chat.

Do you think bug bounty hunting or having security issues gets harder and more rare because
most frameworks and tools are getting more mature or will new vulnerabilities always be.

Yeah,

I think new vulnerabilities will always be introduced the bigger, because like you
said, there's always a push for having more features and faster systems and all that,
but these also introduce other problems and other vulnerabilities that could happen.

I think it became harder to find the vulnerabilities,
but it didn't become the vulnerabilities didn't decrease.

It's just harder to find them and harder to test for them.

But then again, there are better tools that we have right now as hackers to
automate a lot of the tasks and to do different types of fuzzing and all that.

Both teams, like you said, they actually call them red team and blue team.

When it comes to hacking, I don't like that term.

We don't like to use it.

I'd like to call it hacker security because, I, I feel like the red
team term came up because of the luck that the word hacker gets.

Yeah, I think, yeah.

I, yeah, in my world, red, red and blue is a common term as well.

And I, I've never really settled on any one thing for myself.

It's just every, I find every team has their own
terminology and I'm just, I'll just adopt as the consultant.

I just adopt whatever they

out there.

Yeah.

Yeah.

You have an interesting we all love stories about real world stuff.

I love to talk about my biggest failures.

Like the things that I broke the most, like the day that I broke the Netflix
blog, you know, stuff like that, that I was in charge of that I made mistakes on.

Cause we all make mistakes in, in tech.

And I think talking about our mistakes and so do you have a memorable story
that I mean around, maybe I'm assuming that a vampire is talking about.

Well, pentesting possibly or something like that.

Do you have a cool story?

You can tell

her, but I can talk about, because you know, a lot of the
time, you're not really supposed to talk about what it is

or maybe a bug bounty that you've seen or was involved
with in any way or something that maybe wasn't under NDA.

Nothing does that.

Interesting.

Like it's yeah, there was pentests where we found what we
were supposed to find and it was cool to get in, but yeah.

Nothing, nothing that you would see in movies or whatever.

There's no enhance and the

challenges where people were.

I think the story that I told there was a story of a friend.

He didn't know that I, I, that, that was before I started the
company or worked as a hacker, I was still a college student.

And he was bragging about how secure his, whatever platform he built recently.

And he got hackers and I was like, okay, well, what if I hack it?

And he was like, well, I'll pay you a thousand bucks.

I was like, okay, cool.

Give me the URL.

Next day, I sent him a video of me in the database
and he was like, I was like, oh, I forgot about it.

It's fine.

But yeah, these kind of stories are fun.

Well, yeah.

Yeah.

Thousand dollars in beer, please.

I take my payment in beer

I, Yeah, I always, when I asked, like, did you have, do
you, have you ever dropped the hydro behind the firewall?

I don't know if you know that quote from Swordfish, which is an old movie.

I know Swordfish.

Yeah.

You know that movie, he's like, there's a cube.

I don't know.

He's trying to do the cube, and once he solves the cube, hacks into this.

Yeah.

All I know is is that every time he refers to, he refers to a T3, like it's super fast.

And those of us in networking know that a T3 is basically 50 megabits.

If I remember correctly, I could be wrong.

I'm actually a little outdated on that.

And nowadays, when you're lucky enough like me to get gigabit Verizon
Fios in your house, and you're like, why don't I have the setup he has?

I need eight monitors.

But then the reality is, his monitors were like 15 inches, so that he needed
eight monitors to make the same size monitor that we have. That movie didn't age well.

Good movie, but the hacking parts of it are not realistic at all.

Yeah.

What are there, I think this is the question of what
are the, what certifications are there in the field?

Of like, I guess October, we're talking about security and pentesting What
are some of the, what are some of those ones that people need to look at?

If they're, if they're looking to certify up and sort of add onto it.

Yeah.

Credentials,

certifications depends on what level and what you're going for.

Lots of people look at CEH, the entry level.

I don't really think it's worth the time, even though you will get jobs with it
because the HR looks for it, but it doesn't really teach you any useful skills.

OSCP, in my opinion, would be the first entry level cert that you need to think of.

Cause it will get you through the HR barrier and it will actually teach you skills.

And then there is like, you know, you can stack up on it as much as you need.

I did the, the advice that I always give to people again, similar to the language,
is don't take this as a task of stacking up as many certificates as you can.

See what you have, what kind of experience do you have and what degrees do you have right now?

You might actually not need any certificates to get an entry position.

Like I said, that that might be enough to just keep you in
the field without having to get any of these certificates.

So really it depends on you.

OSCP, is already a really good one though, that will teach you the skills.

And it will also open up a lot of doors for you.

Nice.

We get the certification question a lot in DevOps.

And the problem is I'm going to guess it's similar to security
where there are so many types of job roles that it's hard to define.

It almost is like, well, what exactly is the job you're looking for?

And then let's go after the certifications that are specifically
around, you know, some certifications around tooling, like a
specific tool that you need to know a different company's product.

And some are more industry generic.

And I tend to, I tend to go toward the industry stuff
like you're talking about that is more broader than that.

And then once you get in the role, or if you're like, I want to work at Google and I want to work
on this team, you, you're going out to the job you want and you're specifically targeting something.

Then you kind of can know what tooling certs, or, what cloud you need
to certify in or what, whatever the tool is you might care about.

Competitive coding.

That's an interesting question.

Is competitive coding necessary for cybersecurity?

I don't.

What is competitive coding?

Competing to write better, more, better code.

I'm not sure what that means.

Yeah.

Yeah, a lot of people looking for the best thing, the best
university, the best course, the best cert, the best.

Go to zSecurity.org, the best everything.

Is there

everything.

So it'd be, everybody's screw up in chat.

Look for zsecurity.org.

Okay.

Can cloud really help organization getting hacked a lot?

So I feel like cloud is another, I, I, you know what, I need to make a video of me ranting about
all of these new, not new terms, but some, some of the terms that I don't like. Cloud is one of them.

Then blue team is the other

Like what is cloud?

We had cloud before cloud became a thing.

It was Apple, that the first people that started
calling things cloud, I think it was Apple, it's Apple's fault.

Honestly, you know, I don't know who,

who, who even likes calling servers on the internet cloud?

Amazon, as far as I know, I mean that my memory is that, yeah.

AWS came out in 2007, they were the first, they were the first internet provider to actually kind
of automate the task of setting up a server for you, giving you a dedicated OS and all that stuff.

I know cloud, I don't know if they did.

I don't know if they did.

We'd have to look at somebody.

Somebody in chat is probably going to look that up and tell us

anyway.

Yeah, my answer is cloud doesn't really change anything.

Cloud existed for very long. Cloud is when we have
a server on the internet and everybody can access it.

So having a vulnerable application on the cloud doesn't make it more or less secure.

It's the same application accessible on the internet.

Yeah,

I mean, from my point of view, as someone who is responsible for servers and putting
them in networks and getting customers access to them through firewalls, I would say.

It largely depends on the expertise of your team.

So if you have old apps on old servers and an old data center and nobody's
updating them and nobody's updating it, putting that on the cloud may or may not
help, it actually kind of depends because are you good at Amazon web services?

AWS has cloud.

If you're good at that, and then you take that stuff in the data center,
and then you improve the security by putting in proper firewalling on AWS
and, and modernizing the infrastructure by using newer versions of Linux.

And you, you sure you can improve it, but cloud is just a tool.

Cloud is like every other tool you can, you can use it for good.

You can use it for bad.

You can make it insecure.

You can make it better, secure a little bit tighter security.

You can enable things that will protect it a little bit
better and you can break them and you can break it yeah.

So I've seen setups where people have data centers.

The data centers are the worst, right?

Like they have a private data center, but they probably would be better because that if they put it
in the cloud, only because they don't have the expertise or the staff to run their own data center.

Yeah.

And the cloud, maybe assuming they had the same level of knowledge, the cloud would be easier
because they're not having to install their own switches and maintain their own hardware racks.

And, like swap power supplies when they break.

Like they, they can take all their staff and apply it to turning all the security knobs in AWS.

But you know, there are companies like Apple.

I know.

I talked to someone at Apple a couple of years ago and they are like a lot of these big companies.

They're very heavily invested in their own private data centers.

And you don't hear about Apple getting hacked a lot.

So we might assume that from that, that you could just take away data centers are the safer.

But you've also got companies like Netflix and that runs an entire global enterprise with,
hundreds of millions of accounts and they don't get regularly hacked that we know of.

And they're running almost exclusively in Amazon.

So you, you can look and you can make a use case for any one of these scenarios.

I think I don't, I don't think that any one tool how

you run it and

configure it and yeah.

Yeah.

So I hope that helps.

Well I already lost it in chat.

I've already lost two that wasn't yet.

Whoever you are let's see what else we got.

Ooh.

It looks like a system exploited, look at it up.

The notion of network computing dates back to 1960s of network based computers, 1960s.

But when you believe the first use of cloud computing
in its modern context occurred on August 9th, 2006.

So that's probably that's around the time that Amazon came
out with their cloud because they beat Microsoft to the punch.

This is way before Google cloud.

We had had servers on the internet before then, but it was like Bluehost or Rackspace,
a lot of those companies, and you were just, you were using jails or Solaris zones.

You were using some sort of restricted user space thing and you really didn't get a full OS anyway.

Yeah.

Paul, Paul's remembering EC2, to use that term.

Amazon's EC2.

Yeah.

That's that was my memory too.

And now, I mean, a lot of these terms in the industry get, once a term becomes
like a zeitgeist in popular culture thing, like hacking or cloud, yeah.

Everyone misuses it.

Everyone uses it for everything.

It means nothing anymore.

In interviews, most companies ask me how much I expect to get paid.

I have no industry experience, but what is the normal range salary for a junior pentester position?

Depends on the country that you're in.

And yeah, I can tell you what it is in Ireland, which is about the 30 to 40 K.

But for junior we said entry level.

But I know it depends.

It really depends on the country.

Yeah.

Even in America, it depends on the, it depends on the city, a lot of places in
America, if you're to get a job in San Francisco, you get paid a lot more than where
I'm living in a smaller area because San Francisco, the cost of living is different.

So companies will do adjustments, especially large companies they'll do regional based stuff.

Yeah.

There are salary websites, I'd say, just go and look at those.

Which one do you, yeah, Glassdoor is the last one.

I mean, I haven't had to, I haven't had a full-time job in a decade, so
the last time I worked for someone else I did, I think it was Glassdoor.

Now, I mean like questions like this, theirs are silly.

I'm never going to ask Zaid if he's ever done an
illegal hack, why would he ever, why wouldn't you, I'm in this for so long?

I read it like a thousand times now.

He's trolling.

Yeah, this is yeah.

Have you ever done any illegal hack?

Okay.

First off, go watch his video on how hacking can be legal.

Yeah.

This question on should organizations move to VMs to mitigate against ABTS.

I'm assuming you mean apt gets, I'm not sure like an apt package manager.

I'm not sure what ABTs are.

Do you?

Cause that's something that means

something to you, but I don't know why he's that something to mitigate against you're the ops guy.

Is that, is that.

For what is, what a thing?

App, apt-get. Yeah.

Is

that a problem would be a problem?

I don't see it as a

process.

Yeah.

It's just a package.

I mean, if you're on a VM, the presumably it's, if it's a, you're going
to be using apt or yum, if you're on Linux or, APK, if you're on Alpine.

Yeah.

But I can't see it being a problem.

Oh, here's, is an information security degree worth it?

I'll, I'll take this one.

I do degree is worth it.

If you have the time and the money and the patience, and you're going after the type of job
that wants a degree, I have never had a degree and I've had a very successful career and there
are plenty of people that I work with that have had degrees that have successful careers.

So

I didn't know that you don't have a degree, but now I have another example
because I have a friend who is very successful and he doesn't have a degree.

I always use him as an example, but I have two examples.

Yeah.

Degrees are free here.

You don't always need to have money to get them, depending on the country that you're in.

That's true.

That's true.

And excellent point about how, another strike against America.

Home of the really expensive education, actually very expensive.

Yeah, I mean,

I like me personally.

Yeah.

I do have a degree, but I actually don't use anything that I learned.

Yeah.

I think it helped while I don't really use anything
that I don't in whatever I'm doing at the moment.

Yeah.

And I have to, I have to admit, I mean, I went to the US Navy,
so I had six years of Navy experience doing exactly what I do now.

Just like the nineties version of it.

So I didn't go into the industry with no experience, no
certifications or no, experience is the most important.

You don't get paid a lot, but you know, you can leave and then have that experience.

And I, before I left, I went, got some certifications, actually did them while I was in Italy.

So like doing it on an Italian keyboard, it was a little hard, because I'd actually go
to Rome and do the Microsoft certifications and the Cisco certifications and things.

Um, no, no, uh, just a few.

I mean, I knew how to order food and drink it.

No,

no, no.

I learned, I learned like focaccia and when you grew up, yeah, I learned that

the accent is so good.

Oh, I had so much fun.

I mean, I love that place.

And I looked, I looked forward to going back.

I haven't been there in 25 years or 20 years, but yeah, I got to go back.

It's a good place.

I love Dublin too.

So yeah, that's also one of my favorite places.

Yeah.

All right.

If you start following zSecurity stuff, you'll see when he goes live and other chances
to interact and chat. He also has some online, exclusive, exclusive security communities.

In case you go check that out at zsecurity.org, by the way, so
one of these, my, my best questions here, cause I'm a huge Mr. Robot fan.

How realistic are the Mr. Robot hacks?

They're actually pretty realistic.

So I think it's, I can't think of other shows that showed, actually, The Matrix.

I think at the start they have an nmap scan.

That was realistic even though the whole movie is fictional, but as for the rest of Mr. Robot?

Pretty much everything they show is very realistic.

The only thing is they do a lot of word list attacks.

Like a lot of the time he's oh, this password that was very easy.

Or I write in a word list and I got the password and in real life getting passwords is
not that easy, like running stuff, through word list attacks, but everything he does
is like even the hardware that he used actually exists and you can buy it and run it.

So yeah, it's pretty cool.

I, I'm pretty sure one of the writers is.

Can't remember his second name.

I don't know if it's a coincidence that it's the same name
as a very famous hacker or if it's actually that hacker.

So that would explain why it's so accurate in terms of the attacks shown.

Yeah, I mean, I always appreciate the level of detail they went
into to get, I mean, cause it's hard to make hacking interesting, right?

Like real, like if you take a real exploit at a real hack and you actually
made a movie out of it, nobody would watch it other than us super nerds.

Cause it'd be super boring.

It'd be hours of failures and trying things.

And of course in the show, it's the montage of him.

I mean, before that, I can remember going back 20 years, in 1999, in the
movie The Matrix Re, actually it wasn't 99, it's like 2002 or something, I think.

And the movie Matrix Returns there.

He.

I think it was the second one matrix matrix

matrix like 50 times.

So don't get anything wrong.

Matrix,

revolutions, revolutions

back towards me, which was second or third, third, these revolutions.

Okay.

Second one.

The second is reloaded.

Reloaded, not returns.

Thank you.

So in reloaded, when they were at the power plant and
she dropped, she did like an SSH remote attack, I think.

Yeah.

And I just remember at the time that it, it was at least the possible, and
it was like one of the first times we'd ever heard in a movie of a real, I
mean, this was in the era of drop the hydro behind the firewall kind of crap.

And so I was so excited just because they took, they, they actually took the effort to do that.

Yeah.

I do like all the details.

I love how he pulls out his CDs out of his you know, all of his CDs in his CD wallet.

Cause I, those of us who've been around long time we have CD wallets.

Probably some of us

still have, even though.

Yeah, yeah.

Cool.

One time I had one stolen out of my car and it had like a hundred CDs in it.

All music, not data, like this was back then. But they stopped production, and
you'd wipe them and lick them and do all sorts of crazy stuff, and it works for
some reason after that.

Yup.

I had cleaning cloths, like, spray.

Oh boy.

All right, so we're going to wrap it up.

Thank you everyone for showing up.

So many great questions.

I have a Raspberry Pi, by the way, for those of you who asked about Raspberry Pis.

I have a Raspberry Pi 4. It is my RetroPie gaming machine.

I love it.

It works with Bluetooth, USB, great wifi, great HD video.

And it's like a hundred bucks with the whole kit, right?

Like it's a pretty great Raspberry Pi.

So I highly recommend them if you want a thing to play with.

But okay.

Let's talk about where people can find you on the internet.

So in case they... it sounds like everybody's showing up because they already know
who you are, so they probably don't need this stuff, but let's review.

All right.

So we got zSecurity on Twitter.

We got zSecurity on YouTube.

We have zSecurity, the website, and one of the things that we were talking about,
you were teaching me about the other day, is you actually have the VIP membership.

This is what I want to talk about.

So this is a new thing you're doing, so tell me a little bit about that.

This is just a place for the people that are really interested in hacking and cybersecurity.

So it's more of a, like a smaller community.

Like I'm very happy about the followers that we have.

We have lots of followers, like you see in the background, half a million students.

And then I actually opened this up for a week for everybody.

But when we did, we had more than 1,500 people in the Discord within a week.

So this would have grown to a really big number if we let them go in, and the whole
idea was to keep it small, keep it intimate, keep it to the people that are interested the most.

So we had to charge a certain amount for that membership.

Because then they also get closer, more intimate access.

So that, that was the whole idea.

So right now we have that Discord channel where we do all the benefits that you see here: we go live,
we're instantly there most of the time, updated with the resources
we have, we run our own kind of smaller competitions as well.

So there's the competitions that we see.

And sometimes I give competitions of stuff that we're
working on or like challenges that we're seeing.

They get exclusive offers.

They get access to the community.

They make more friends.

And yeah, the idea is for the people that are really interested in this, instead of
having a Discord with... because there are lots of Discord channels about cybersecurity.

I don't want to make another one.

If you want one, you can go to the other ones.

I don't want this to be a place where people ask, how do I hack Facebook?

How do I hack Instagram?

My girlfriend cheated on me.

How do I access her?

This is not what we're here for.

So yeah, this is a place for the people that are really interested in this, are
taking this seriously, or really like it and are properly interested in it.

Yeah.

More intimate, more direct access to everybody in there
to me, the team and then other similar minded people.

And also like you said lives, we did the competitions and all that.

Yeah.

Yeah.

That's a really cool thing that you're doing, because it takes
a lot of effort to maintain a community like this, especially one where
you're basically saying we're going to be there for you.

Like if you want to talk about things, we're not going to ghost you and just disappear.

You know, just sharing jokes.

And there, sometimes we do that too.

Like it's more of just a community of like-minded people, because it depends. I
think in the States there are bigger hacker communities; for example, for me in
Ireland there aren't that many, and in other countries I'd say it's similar.

So it's nice to, you know, just be connected with similar-minded
people and get a few extra things as well with it.

Yeah.

Yeah.

We do a similar thing on the DevOps side.

And by the way, those of you that are patrons of this channel thank you so much for being patrons.

We do a similar thing where we do a monthly Zoom call, and it's just kind of like
DevOps professionals, server admins, developers that want to just hang out and talk
about stuff, kind of like a water cooler, like hanging out at lunchtime.

And yeah, so we do that, and it's like maybe 12, 20 people,
maybe 10 people; it just depends on the month.

Well, thank you so much for what you do for the community.

Your courses are all on Udemy, tons of free content,
tons of stuff on your website, YouTube videos all the time.

And as someone who creates a lot of what I call open source content, I really appreciate
your effort, because I think the world and the community is a better place because of you.

And so thank you for volunteering to do all of this.

Thank you for your time

and thanks for having me here.

And so for those of you... where can they... because we know Twitter, we
know YouTube; you sometimes go live in your Discord, is that right?

I'm trying to remember if you had to...

I do go on this live once a month.

Mainly, and then sometimes... so we have one live
that is scheduled, and we talk about hacking and all that.

And it's more face-to-face, like we're doing here, but then every now and
then I go live out of nowhere, like when I'm driving or just
chilling at home, like you said, just kind of pick it up and go live.

Yeah.

Yeah.

That's cool.

Thank you so much.

And you can find him at zSecurity everywhere.

Thanks for having me, see you around.

Thanks.

Thanks so much for listening and I'll see you in the next episode.

Creators and Guests

Bret Fisher, Host
Cloud native DevOps Dude. Course creator, YouTuber, Podcaster. Docker Captain and CNCF Ambassador. People person who spends too much time in front of a computer.

Beth Fisher, Producer
Producer of DevOps and Docker Talk podcast since 2019. Assistant producer on Bret Fisher Live show on YouTube. Business and proposal writer by trade.

Cristi Cotovan, Editor
Video editor and educational content producer. Descript and Camtasia coach.