WE'RE IN!

Phillip Wylie on Bear Wrestling, Pentesting and Understanding the Adversary

Episode Summary

In this episode, Phillip Wylie talks about his journey from pro wrestling to pentesting and what motivated him to start teaching, mentoring and giving back to the infosec community. It's an inspirational story for veterans in the field and newbies alike. Phillip not only talks about his work helping others get started in ethical hacking, but also about the value of truly understanding the mind of the adversary.

Episode Notes

-------

Why you should listen:

* Phillip's story is both educational and inspirational -- worthwhile for anyone interested or involved in cybersecurity. 

* Learn something from one of the most prolific cybersecurity speakers and educators. 

* Get a better understanding of ethical hacking and the value of offensive security testing.

-------

Key quotes:

* "Once you learn how to pentest, your whole world changes."

* "For people that have been in the industry for a while, listen to the new folks. I learned a lot from my students."

* "If you can help people succeed, that's even more rewarding than personal success."

-------

Links:

* www.synack.com

* https://twitter.com/PhillipWylie

* https://www.youtube.com/c/ThePwnSchoolProject

* https://www.itspmagazine.com/the-hacker-factory-podcast

Episode Transcription

[00:00:00] Jeremiah Roe: Welcome to the show, Phillip. Thank you so much for joining Bella. How are you doing?

[00:00:39] Bella DeShantz: Not too bad. I'm really excited for this conversation. I've heard a little bit about what you do, Phillip, so I'm excited to.

[00:00:47] Jeremiah Roe: So Phil, I'm just gonna jump right into it. Um, you've been in the cybersecurity business for quite a while now. Um, I'm, I'm just gonna kind of throw it out there because I know a little bit about your background. I'm curious about how many [00:01:00] people know that you were a powerlifter and pro wrestler in the past.

[00:01:05] Phillip Wylie: Yeah. Most people that know, know of me typically know that. 

[00:01:08] Jeremiah Roe: Do they really? That's, that's something that, that I never knew about. Um, maybe, maybe you could speak about that bear. So by the way, for any of the listeners that have not looked up Phillip Wylie, please go and do that right now. And while you're at it, look up the bear wrestling photo. That's a real bear, by the way.

[00:01:30] Phillip Wylie: Yeah, it was a 750 pound brown bear. I believe that was back during my pro wrestling career. I worked at a nightclub as a bouncer in my hometown of Denton, Texas. Uh, you know, I was wrestling once a week, so I really wasn't making a living off of it. So my, my main job was working as a bouncer, and the nightclub I worked at, uh, they normally had bands like Thursday and Friday, Saturday.

But usually it wasn't worth the money to spend that on Sundays. So they had other types of events to try [00:02:00] to bring in crowds. And since I was a bouncer, a hometown guy and a pro wrestler, they thought, we got this wrestling bear coming in. So we have Phillip wrestling.

[00:02:21] Jeremiah Roe: So, so I've got a, I've got a photo of the bear right now. I'm looking at it and it's, and it's, and it's the one where the bear and you are like locked in this embrace and the bear kind of looks like he's just hanging out there, like maybe giving you a hug, and you look like you're trying to move an 18 wheeler.

How, how how's that work? 

[00:02:40] Phillip Wylie: That's what it felt like. I mean, the way I describe it to people is trying to move that bear is like trying to move a parked car. You know, you can, if it's parked, you can move it just a little bit, but that's about all you're going to do with that.

[00:03:11] Jeremiah Roe: Phillip, you've been in the cybersecurity industry for a while. How did you, how did you initially get into pro wrestling, and what was the transition from pro wrestling to cybersecurity?

[00:03:29] Phillip Wylie: So not only have I been in cyber security a long time, I've been on this earth for a long time. So when I graduated high school back in 1984, we had computers in our school, but it really wasn't a career path that people really thought of back then. And only the smart kids took the computer classes.

I never took classes on computers back then. [00:04:00] And when I graduated high school, I had no clue what I wanted to do, but being a powerlifter and being a bigger muscular guy, my friend said you should be a pro wrestler.

And so it was something I never thought of, and it sounded pretty cool, you know, it was a career that would take advantage of my love for working out and stuff. So I went to wrestling school and wrestled for a couple of years, and I got married and needed a more stable lifestyle, because wrestling is not conducive to marriage; it's a lot of traveling and stuff.

And you know, so, uh, I tried all sorts of other careers. I worked in retail sales. I worked in manual labor, and going through all these other jobs, I just really didn't like what I was doing. And I have to, like, what I'm doing is a job where I just, it can't hold my interest in all this. So I went to CAD school.

Learned AutoCAD and did CAD drafting for a few years. Prior to that, I had no experience with computers, and [00:05:00] I realized that I had a better knack for the IT side of things. Some of these companies I worked for were too small to have an IT staff. So whenever we had computer problems, I'd figure out how to fix them.

I got interested and learned how to build computers, took a Novell NetWare CNE certification course, and then got my first job on a NetWare 4.11 and Windows 95 rollout. So I spent my first six years of my technology career as a sysadmin. And then in 2004, I moved into network security. 

[00:05:31] Jeremiah Roe: Oh, wow. So Windows 95 was one of the first computers I've ever had, actually, that was probably my first computer. And, um, uh, they, they were huge, bulky things back in the day. Um, and that's, that's, that's really interesting. So you've had tons of experience up until that point. Um, when I was just even, you know, thinking about computers, very first one, um, [00:06:00] today you help actually educate others and, um, get them introduced into cybersecurity as newcomers.

Um, how does, how does your previous experience in pro-wrestling and then IT factor into what you do today in helping others, um, get into the cyber space?

[00:06:22] Phillip Wylie: Yeah, I really don't know where the pro-wrestling comes into play. And why I like to share that story is I really didn't have much confidence in my mental abilities. I really didn't think I was that smart. I never thought I'd use my mind to make a living. And so I think it's a way to show people who want to get in.

If this powerlifter, former meathead pro wrestler can get into cybersecurity, then you can too. And when I share that story, it does kind of let people think, because, you know, some people think football players are this, you know, there's this stigma that they think that they're these mindless [00:07:00] drones or whatever.

And it just kind of helps encourage people. So that's one of the things that I like to share, and it actually has encouraged some people. They thought, wow, I didn't realize you came from that background, because you see some of these guys in the industry like, take for instance, harmj0y from SpecterOps.

I mean, the guy has a computer science degree and just really sharp, super smart person. That's usually what people think about in cyber security that they have to be that level to be in cybersecurity. You don't necessarily have to start out there. You know, people start out in all different areas. 

[00:07:31] Jeremiah Roe: So, um, can you tell us a little bit about, uh, something that you started called The Pwn School?

[00:07:38] Phillip Wylie: Yeah, back in 2018, uh, January 2018, I started teaching at Dallas. They were starting an ethical hacking class and they needed an instructor. My wife was going through their digital forensics program and recommended me to her instructors. So I went to work there teaching, and towards the end of the first semester I had students asking, where do they go [00:08:00] next?

What do they do next to learn more about offensive security? Because the college only offered one ethical hacking class and that was it. And then I had a couple other students. At the time, you know, they were credit students, they were trying to get into my class and they couldn't get transferred in time.

And so I thought I want to start something where people can get a cyber security education and they don't have to worry about not having the money or any kind of registration hurdles to try to get over to be able to take advantage of this education.

[00:09:34] Bella DeShantz: So it sounds like beyond just the Pwn School, you spend a lot of your time educating others in this space. Um, you know, you've written a book, you do a Twitch stream, you have a podcast, uh, that's a lot of educating. What inspires you or drives you to educate others in the space?

And why do you think it's so. 

[00:09:57] Phillip Wylie: One of the, just kind of inspirations [00:10:00] to even make me interested in doing that, as I got to look at it. Yeah.

After I'd been in the career as long as I have, I looked at my accomplishments, I had certifications, and I really started looking at my legacy. What do I have to leave behind? You know, what, you know, what, what do I have to leave behind?

You know, I was looking at my wife. She had an ESL program. She was teaching, uh, non-native English speakers English, you know, Spanish speakers. And she went as far as learning Spanish to be able to teach them. And it really inspired me. And I saw, you know, the story she had, how rewarding it was for her.

And for me to teach, just like jobs or working, has to be something I'm passionate about. So pen testing, I love to talk about it and I love to teach it. And just really, after I started doing it, the reward from helping people was what kept pushing me to go further. And one of the things I've found too is if you can help people succeed, that's even more rewarding than personal success, to help someone else, you 

[00:11:46] Bella DeShantz: I consider myself an ex pen tester. My, my previous job was as a pen tester. Um, having had any amount of a career in the [00:12:00] security space, I find that a lot of folks reach out to me about learning resources, uh, just guidance in this field in general. And you know, I, I don't have a lot to compare it to because I haven't switched careers.

This is my only career path that I've been in. Um, but it kinda seems wild to me how, how much of a, like, it seems like there's a huge demand for folks looking for guidance and learning in this field. Um, why do you think that is with cyber space?

[00:12:32] Phillip Wylie: If you want to go to school to be a lawyer, that's something people have been doing for so long, it's so well-known, it's easier to find resources. You know, what we all do as security professionals is a little more specialized.

So finding someone to do that... You know, someone has an uncle or aunt that's done some specific trade that they can go to. And I think there's just, since it's [00:13:00] really, you know, cybersecurity has been around for a while, but compared to a lot of other trades, it's kind of newer, even in the IT space altogether.

Because whenever I got started as a sysadmin, you know, a couple years into my career, a company I worked for, I was working for an institution; they had a bank and a chain of mortgage companies, and they didn't have a dedicated security team. So I think it's still kind of relatively new. I think that's why there's so much, you know, the lack of people to talk to, being in such a specialized, a new field.

I think that's why there's such a need for the help, and it's so high in demand. I think people see that, that there's a lot of jobs out there. So they want to, you know, get that guidance to help them, you know, be successful in finding. 

[00:13:44] Bella DeShantz: You presented at DEF CON this past August, uh, your talk was called The Way of the Adversary. Um, as you mentioned in [00:14:00] your talk, there's a lot of time devoted to understanding the psychology of victims who are targeted by attacks, uh, like the end users in social engineering, things like that.

But why do you think, why is it key to understand the psychology of the threat actors? The people actually perpetrating the attacks.

[00:14:19] Phillip Wylie: It's important for offensive security professionals, pentesters and red teamers, to be able to successfully do that role and emulate, uh, techniques. Pen testing, not as much, but the more you get into adversary emulation, the more you need to understand it. And I think also too, that is very important for defenders to be able to defend against things.

You're going through pen tests, you know, maybe you're doing red team engagements and purple teaming exercises, but I think it's really important to understand the attacker mindset because, you know, as you all know from experience with pen testing, once you learn how to pentest, your whole world changes.

When you see a USB stick laying on the [00:15:00] floor at an airport, what's the first thing you think, you know, or you see things related to the field. Yeah, 

[00:15:07] Jeremiah Roe: I don't know.

[00:15:08] Phillip Wylie: Of course. I just like anything, you know, the ECL things can be exploited. You recognize social engineering things, or how you feel like people are social engineering you.

You had time. So just understanding that, that I think is very important. And I think it's kind of important for individuals to be able to protect themselves from being phished and, uh, you know, scammers and that sort of thing. But it really kind of, once you understand social engineering, you kind of get mad at salespeople too, because you realize that they're trying to social engineer you, you know.

[00:15:43] Bella DeShantz: Yeah. Like once you've, you've taken a look behind the curtain, then you can't look at anything else the same way. I, like, I was talking with my friend the other day and, um, I, I, you know, you're a pen tester. When, when you have friends that get like spam or scammy emails, [00:16:00] you tell them to send you the link so that you can open it in your, you know, locked down virtualized environment and figure out what it is.

I think a lot of people don't really think about how important it can be to understand the adversarial side so that you know how to defend against it. Um, so what are some of the common threads that you observe when analyzing attacker mindsets and how do you think those could relate to some of the attacks that they carry out?

[00:16:30] Phillip Wylie: I think it's just kind of identifying the type of attacker, you know, if it's a script kiddie or hacktivist, or like a nation state, to be able to understand those types of attackers and what type of attacks they might use, you know, leveraging something like the MITRE ATT&CK framework to, you know, check out certain APTs that may be common to your industry.

That would be a good place to start there, to kind of understand the type of attacks that you may see and just things that are popular in general. And then some of those things too, you know, uh, when you look at some of [00:17:00] these ransomware attacks, if you look at some of the APTs there, you can understand some of the attacks that ransomware might use, and, you know, whenever you can remediate those things and protect against those types of APTs, then, you know, it should give you some level of protection against possible ransomware. 

[00:17:31] Jeremiah Roe: And when we say APT, can you expand upon that?

[00:17:34] Phillip Wylie: Yeah, advanced persistent threat or APT groups. So like, it could be like some nation state from some country. Could be, not necessarily a nation state, it could be like a cyber crime group or something like that, 

[00:21:02] Jeremiah Roe: How do you define that attacker mindset?

[00:21:21] Phillip Wylie: Yeah, the attacker mindset is to be able to think like a threat actor or a malicious hacker. And one of the things I would say to that mindset, as far as like, uh, someone that's an aspiring pen tester, one of the things, I guess, it's, I've, you know, when I wrote the book, I mentioned something about the hacker mindset, and kind of the way you develop it is kind of the way I would say someone develops troubleshooting skills.

So you, you install Windows and Windows Server and it goes perfectly. And next time you go to install it, something doesn't work, right? Something breaks, you can't get it to work and you got to [00:22:00] troubleshoot it. And so that's one of the things, because when I was starting out as a sysadmin, my first year was just doing installs.

So I went to work for a company that was a very unstable environment. Things were constantly crashing. There were like two or three of us on call. And it's like, you were on call, seemed like, all the time. And things broke so much. And I really came close to quitting that job because it was really a tough job, because things breaking all the time, pretty high stress job, but I knew, okay, I spent a year of intense installs, I can install in my sleep, but I thought, you know, I really need this troubleshooting.

So developing the hacker mindset's the same way. Just like I mentioned a while ago, if you find a USB stick on the ground, developing that attacker mindset. And so with the hacker mindset, it's just learning how you see certain things.

[00:23:34] Jeremiah Roe: Do you think we, as an industry, understand enough about how the adversary's motivations and attack methods are changing across the industry?

[00:23:52] Phillip Wylie: I think there's good information out there, but, you know, possibly not everyone is staying up to speed as quickly. And a lot of [00:24:00] pentesters just see what's working out. They're not keeping up with it. A lot of us as professionals, we're not keeping up with the threat intelligence and, and that sort of thing.

So if it's not a real common big story in the news, then people are overlooking some of those things. 

[00:24:16] Jeremiah Roe: Why do you think that is, is it, is it, is it because the organizations, you know, don't have enough, um, manpower or is it because they're lacking or deficient in some area to be able to, to keep up with, with these things? 

[00:24:32] Phillip Wylie: I think it'd be a combination of things. And I think training, in some cases, in some sources, you know, some people and some organizations, maybe, you know, this may be your first cybersecurity job. You may not have a good idea of resources to use. And that changes over time. You know, when I was getting started out years ago in IT and stuff, you went to blogs and articles and stuff, and now you see like, Twitter is a good place.

If someone has come out with a POC for a certain vulnerability, a [00:25:00] lot of times you're going to see it on Twitter before you see it somewhere else; a lot of researchers are on there. So I think it's kind of knowing where to look and being diverse in your research.

[00:25:23] Jeremiah Roe: Are there any specific resources or training materials that, that you feel like are your go-to places, things like you follow specifically on Twitter or anything that you would like to.

[00:25:35] Phillip Wylie: Yeah, people I like to follow on Twitter. Of course, SpecterOps. They come out with some really cool tools, especially like in the red team space and stuff around Active Directory. For web application pen testing related stuff, I follow a lot of bug bounty people, 'cause they, you know, they're paid per bug, you know, as pentesters we get paid regardless of whether we find anything.

And so it's kinda like, if you're [00:26:00] a fisher for pleasure compared to a fisher that has to feed themselves, you're going to be a lot better if you have to feed yourself. And so, uh, you know, some of these people really specialize in certain types of attacks, and so following different pentesters, I mean, different, uh, bug bounty people is helpful.

That's kind of how I've found Jason Haddix and learned some different tricks about web app pen 

[00:26:22] Jeremiah Roe: Developed some great material, um, Jason Haddix, uh, there's, there's, you know, a bunch of folks out there. Um, uh, Alyssa Miller, there's, there's, um, Jason Street. Um, they've done some really cool stuff that they focused on the discover channel.

[00:26:48] Phillip Wylie: Yeah,

I think it's really good to, to, to, you know, diversify those resources, because there's some people that don't really follow the people that they see more in the [00:27:00] conference space, like Jason Street, Alyssa Miller, Alyssa Knight, those sort of folks they may not be aware of, or maybe they don't know of Dave Kennedy.

So they really need to get out and research, you know, people, because the funny thing is that it doesn't take someone that's been in the industry a long time. There's some people that, that come out, they're new, that are finding some really cool stuff. So that's one of the things that for people that have been in the industry for a while, listen to the new folks, because I learned a lot from my students coming into class, because one of the things with new people, you've got a fresh set of eyes.

They're doing this all from scratch. When we came through it, these certain resources didn't exist and maybe they ran across them and they got stuff that they can share. 

[00:27:41] Bella DeShantz: It's interesting to me how much, [00:28:00] uh, you know, information is shared on sites like Twitter and random blogs.

Um, and I've heard people talk about how, like, that's, uh, that's, that's bad. We shouldn't be talking about these vulnerabilities on Twitter, and like, we're just giving information to the hackers. And I think this is an argument that comes up a lot, like, for us as researchers who are on the good side of things, we want to improve the overall security of, you know, the world.

Uh, it's so important for us to share information and the best way to do that is online. But also the reality is any information we share. We're also making accessible to folks with bad intent. Um, you know, my personal opinion is that it's better, that we all collectively have the information, regardless of those consequences.

But I'm curious about your.

[00:28:44] Phillip Wylie: Oh, I definitely think we should share, because if we don't, only the bad guys are going to. Then it'll get out there on the dark web. I think in some cases it's probably helped prevent some people from going over to the dark side. You know, there's some people that are writing code, and if you make it to where [00:29:00] it's illegal to write these tools and post them out there, some of these people want to do that and they feel the need.

Maybe they'll do it, uh, you know, more for bad purposes. Maybe they're selling these exploits and stuff to people to do bad things, or just to the highest bidder. So I think it's good that we share, because if you just try to ignore it, it's not, it's just, you're just ignoring it otherwise. I mean, because people are, researchers are going to share this stuff.

You're not going to make that stop. And you know, there's so many things out there that really limit what people do. Now, you take people that do bug bounty. They're really worried about if they disclose a vulnerability that they're going to get in trouble. And so I think we need to work more towards making that more open and being able to, to deal with disclosing.

In a way that researchers aren't worried about, you know, any kind of legal repercussion. 

[00:29:49] Jeremiah Roe: So you mentioned responsible disclosure and, around, uh, legal repercussions, there's a [00:30:00] bill that helps to protect, uh, researchers out there called the safe. Um, and this goes directly to that point, but I think there's another interesting, um, negative information there that directly pertains to something that Bella just touched on, which is a direct reference to, again, responsible disclosure.

And what happens when a company doesn't fix something when a researcher or, you know, a, a good, a good entity or, you know, a good faith submission doesn't get taken care of.

[00:30:33] Phillip Wylie: Yeah, I think too many times that, you know, there's some cases you've heard of researchers that companies had a bug bounty program and they tried to find some kind of loophole to go after that person because they really didn't want things to be disclosed. Companies really need to take these seriously and, and listen to these folks.

And if they don't have a bug bounty program, they need to; if they're not doing it themselves, they need to outsource it, but they really need to look into doing that and take it seriously, [00:31:00] because you don't know how many times, you know, I've worked for companies before, a couple different companies, that people have come up and said, here's this bug, and this is something that wasn't found.

And, and you really don't want people worried about trying to disclose those, because some people would rather just, you know, be quiet and stay out of trouble, as opposed to help. 

[00:31:21] Jeremiah Roe: I am. I previously worked for, um, somebody who was of that mindset, very much closed off. Doesn't want to share with anybody and doesn't want anybody to know that they're curious about certain vulnerabilities, because just the act of them being curious about it might directly relate to the fact that they do have them, and they don't want people to know that they do have them because they don't have the resources to fix them.

And so they just kind of leave them there and try to obtain that security through obscurity mindset. When in fact, um, you know, the malicious entities that are out there, if it's externally [00:32:00] facing, they already know it's there for the most part; they know it's possible. If they don't know it's there, and if they know it's possible, I think the, one of the only benefits we have as, you know, good guys or defenders or people who are trying to close the gaps, the only benefit we have on top of those pervasive, um, entities is the fact that we can knowledge share, and the fact that we do let others know and that we can, um, share this information to educate as many people as possible.

And as quickly as. 

[00:32:34] Phillip Wylie: Yeah. It's really important to, you know, some companies don't have the budget, and the more we're able to share like that, the more you're able to help some of those companies out, you know, maybe some nonprofits or companies that just don't have the budget. So sharing like that's definitely going to help them. 

[00:32:51] Jeremiah Roe: Uh, there's, there's, uh, speaking of malicious things that are currently going on in the industry, there's been a lot of focus lately on ransomware and [00:33:00] supply chain attacks. And so what do you think that organizations should do right now to help prevent those sorts of attacks from being perpetrated? 

[00:33:08] Phillip Wylie: Yeah, I think one of the things they really need to take, uh, more seriously is their, their security assessments, because you see too much of companies worrying about compliance, worrying about being PCI compliant. Because your compliance is not going to keep you from getting breached. So your number one priority needs to 

[00:33:26] Jeremiah Roe: but I checked my box.

[00:33:28] Phillip Wylie: priority needs to be your security. Yeah. The attacker's not, oh, they're PCI compliant, we should move on. They're not gonna be secure. And those are the worst kind, you know, compliance should be part of it, but your priority should be to secure things. So I think really companies need to look at that and, you know, going through your pen tests, doing your remediation, you know, 'cause a lot of companies will file a risk exception.

And not remediate the item. You need to remediate those things. I did an external web app pen test once, got command line access through SQL [00:34:00] injection. The company filed a risk exception because it was a development box.

[00:34:06] Bella DeShantz: Yikes. So you mentioned, like, you know, guiding this effort through security testing and not compliance testing. Um, I'm wondering, can you talk about, like, what the difference is and why it's important to focus on security testing? Uh, either more or at least in addition to compliance.

[00:34:25] Phillip Wylie: So one of the big things I think is scope, because for PCI, if you're only testing what's in scope, you could be missing a lot. And you know, when you're doing PCI testing, if you don't have proper network segmentation, then the whole enterprise is in scope for PCI. Companies are, are better about, you know, their segmentation because they don't have to have the whole thing, you know, in scope.

So I think a lot of it's scope, making sure that you're testing things outside of scope, you know, because maybe externally, maybe what you have is not in scope for PCI, but make sure you're [00:35:00] doing those. Uh, not only testing the applications, make sure you're testing the infrastructure and, you know, going beyond that, doing physical penetration tests too, because if someone gets hands on keyboard, you know, there's all sorts of things they can do.

So you need to be testing physical and social engineering as well.

[00:35:38] Jeremiah Roe: There's a, there's a slide that I've done previously for a talk that mentioned some of the common risks in an organization. And I start with users, and I list several things, and then I list users, just because of that fact: users are the biggest risks to any organization, and, you know, what's central around that is training and helping to understand.

And [00:36:00] I mean, you know, it's, it's a difficult problem, uh, that's, that's out there for sure. Um, when you talk about criticalities, uh, in relation to organizations, um, speaking about criticalities, uh, what's, what's sort of a critical, a critical type of attack or security risk that you think is going unnoticed?

[00:36:47] Phillip Wylie: One of the things I have to say is, like, for applications, the, the, uh, password requirements. Some of the things they do, they make it easier for end users, because, you know, it's your [00:37:00] company, you've got to have, you've probably got stricter passwords, multi-factor authentication, but our customers, we don't want to make it too difficult for them.

So I think that's one of the biggest areas that we miss out on. We don't need to do. 

[00:37:14] Jeremiah Roe: Well, I keep mine in a sticky pad, right. I don't know if that's

[00:37:19] Phillip Wylie: Yeah, that's pretty funny because I remember people back in the day, having their sticky note under their keyboard or on their, on like their little, uh, sticker or their little board on their desks with all their notes and stuff. 

[00:37:35] Jeremiah Roe: some people still do it.

[00:37:36] Phillip Wylie: And I've seen notebooks out there too, that there's like a password notebook for people to put their password. 

[00:37:42] Jeremiah Roe: So with the password complexity and, and, and focusing on those things in the organization, you were, you were saying...

[00:37:48] Phillip Wylie: Yeah, I think that, just, they make it easier. I mean, you know, even some of these banks, some of their password complexity is not that complex. And, and some, you know, some different [00:38:00] applications, multi-factor is an option. It ought to be enforced, and you should be using strict passwords. You know, maybe you need, if you need to, then provide some education or information to your end users, instead of making it easier for, for them to use it. You know, why not make them more secure, because, you know, there's password reuse.

And if their account gets breached somewhere else, they may be using it against your application. Okay. 

[00:38:26] Bella DeShantz: I think we should start a tally on this podcast of how many episodes, uh, MFA comes up in. 'Cause it might be every single one. That's like, that's, if I answered this question, my, my, my biggest, like, why isn't anyone paying attention to this, is like, just do MFA, just do it everywhere.

[00:38:42] Jeremiah Roe: That's Bella's blood-boil moment.

[00:38:44] Bella DeShantz: Yeah.

[00:38:46] Jeremiah Roe: That's great.

[00:38:49] Bella DeShantz: Uh, so we talked a little bit earlier about, um, you know, companies needing to be kind of more, I don't want to say, like, I don't know if welcoming is the word I want, but, uh, open [00:39:00] to listening to hackers, attackers who are observing, uh, vulnerabilities on their sites. Um, which brings me to my next question.

Uh, you've been active in promoting a group called Hacking Is Not A Crime. Can you tell us a little bit more about what that is and what are the goals of that organization?

[00:39:16] Phillip Wylie: Sure. Part of the, one of the big goals. It was interesting because Bryan McAninch, one of the co-founders, started Hacking Is Not A Crime right before DEF CON in 2018. And in part it was just a sticker campaign. He had these stickers, Hacking Is Not A Crime. You know, a catchy slogan and a neat sticker just to kind of bring awareness.

And then last year, uh, he partnered with Chloé Messdaghi, and they got involved in more of some of the, uh, legal matters, you know, trying to talk to different local governments. And went a step further than just stating on social media that hacking is not just used for criminal activities, you know, they've actually, uh, you know, talked to different media sources.

[00:40:00] If they see a certain company or a news organization using "hacker" negatively, you know, they'll, you know, not scold them in public, but send them an email, say, you know, we're trying to help bring awareness, because, you know, hacking skills are not only used for bad. They're used for good, and trying to bring awareness to that, because, you know, the media years ago, and they always, you know, a story sounds better whenever you say, you know, "hacker," as opposed to using the right terminology.

They need to get it a little bit closer, but it's one of the things that's, that's happened over the years. It's really kind of hard to kind of undo, because, you know, just the terminology, if, you know, a hacker breaks into a bank application, they're still a hacker, but they're a threat actor and have got malicious intent, and the intent's not always, uh, shared or noble.

But then a lot of people have realized you can do it for good, because I've told people before, because when you tell people you're a penetration tester or a pen tester, they look at you really strange. So it's easier to say I'm an [00:41:00] ethical hacker. And, uh, I've had people ask me, is there such a thing as an ethical hacker?

[00:41:09] Jeremiah Roe: Yeah.

[00:41:10] Phillip Wylie: So it's. 

[00:41:10] Bella DeShantz: Yeah, I've gotten that question too. I've had people ask me, like, don't you feel bad being a pen tester? And it's like, no, I feel great. This is great work. Uh, why do you think, though, that, that stereotype, like, where do you think that stereotype even came from? Why is "hackers" such a negative...

[00:41:27] Phillip Wylie: The media is just a way to really, you know, it's there, they're trying to sell stories, and the more drama you can bring to it, the more. You know, it's like a, a story, you know, or a movie, you're going to go see the movie that looks the most intriguing and interesting. So it's just a term that you used.

And I don't think, you know, they came out with, they started using the term negatively, because it was even before it was used related to pen testing, because you had, you look at the hackathons. It's not even anything to do with pen testing. [00:42:00] Usually it's people writing code, because it really came more from the maker side of things.

The inventor space and that sort of thing, your, some of your early, uh, creators of computers like Apple, you know, you know, Steve Jobs and, uh, Steve, uh, Wozniak, and these folks, uh, is where it came from. And just somehow or another, the media used that term and it just got popular. Then movies, you know, have movies about hackers and stuff.

And usually it's criminal type activity. And that's just kind of the way it's just like a lot of other stereotypes. 

[00:42:37] Bella DeShantz: How can we change that stereotype and sort of remove that negative connotation? Like, when people ask you, is there such thing as an ethical hacker, how do you explain that? How do we, how do we reclaim this...

[00:42:48] Phillip Wylie: Yeah. The way I, one of the ways I explain it is, someone that knows how to pick locks, locksmiths' jobs are perfectly legal as long as they've got permission. If you're going picking locks to get into, uh, [00:43:00] someplace without permission, then that's wrong. And that's just like using a gun, you know, uh, you have a gun for protection. Whether, I don't know what, whether people, you know, it's their right to have guns or their thoughts, that's their opinion.

But, you know, guns can be used responsibly. And the same thing with these skills, it's like martial arts too, or any kind of MMA self-defense type stuff, you know, people use it for self-defense. And you can also use it for bad if you want to. So, you know, it's just all skills, any skill pretty much can be used for...

[00:43:36] Jeremiah Roe: I would agree with that. Um, I think one of the biggest, uh, to your point about, you know, some of the background with, with where the term hacker came from, you know, um, at a, at a, the MIT labs and working in, in those industries, when you would get the coders together and the makers together, and they would take these products and they would say, all right, we need to build, you know, X and we [00:44:00] want to put it together to function for Y. How do we do that?

Well, we've got some old, uh, leftover components from, say, you know, a model train, and then this, um, old, old processing unit over here, and this old, you know, whatever. And they take these, these, these hardware components, compile them together into a cobbled mess, and then they develop code around it, and it happens to function for the thing that they wanted.

And that's where, that's where the term hack sorta, sorta came from. Fast forward, you know, before penetration testing was really a thing, and before, uh, cybersecurity was really thought of, um, what ends up happening is you have this whole subset of, of a community, um, who is trying to circumvent controls around things, to your lockpick point.

They're trying to break into things and trying to, um, take care of all of this, uh, uh, [00:45:00] subculture type stuff during the time, which, which was coined "hacker." And that's where sort of that, that dissemination from, from the, from the negative connotation began to erupt. And it was such a new thing for this, this, this population that knew nothing about cybersecurity at the time, and every, you know, at the time the internet was just the wild, wild west.

I'm sure you remember, back in the day, when Telnet was freely open out on the internet, um, things weren't secured, traffic wasn't encrypted, um, you know, you go to a website database, there, you can go to it, it's not even password protected. And so that's, that's where this negative connotation started coming up, because it was all over the place.

And nobody really knew about security. They just kind of thought it was inherent. And so I think you made a great point, uh, Phil, that, that when it comes to changing the perspectives of what hackers are, it's all in the intent. [00:46:00] Um, to that point, you are also working with, uh, the Innocent Lives Foundation.

Um, that's something I've got to, I've got a really good friend of mine who, who works with, with that organization. What is it? What is it that they do? And how do you...

[00:46:17] Phillip Wylie: Yes, Innocent Lives Foundation helps unmask child predators. And so what they do is they've got people from different areas of cybersecurity or IT that use their OSINT skills to help track down these child predators, so they can build a case against them to turn over to law enforcement. And hopefully law enforcement will be able to apprehend and prosecute these individuals.

And so what I do for them, it's been a, I'm an ambassador now, but I started doing fundraisers for them. I would do Pwn School fundraisers because, you know, I wasn't looking to make a profit, but I thought if I could go through one of these t-shirt websites that, uh, creates t-shirts [00:47:00] for fundraisers, that that would be a way to, to create t-shirts for our organization, for Pwn School, and then bring awareness to Innocent Lives Foundation.

And that's one of the things too that's important, anyone that wants to help Innocent Lives. Awareness is a big thing alone. I mean, towards the first of the year, I was kind of bummed out because of the pandemic last year, I wasn't able to raise as much money as I had in previous years. But then there was someone that had, uh, someone in their family pass away and got left a large sum of money, and part of, uh, them getting the money, they had to find a non-profit organization to donate to, which ended up being like an over a hundred thousand dollar donation to Innocent Lives Foundation. I had no clue, and I was bummed out about this, and this guy had sent me a direct message on Twitter and said, hey, I just want to let you know, you know, because of your t-shirt fundraisers, I found out about the Innocent Lives Foundation.

And so, um, we're making this [00:48:00] donation. So sometimes it's just awareness, because the more people know about it, the more they can donate to it. And, you know, during the pandemic kids are on their computers a lot more because they're not able to get out and, and play with other kids due to lockdown or just, you know, social distancing.

So they're online even more. And that's just the way for predators to, you know, they may think it's another kid online and, you know, use some of these, you know, nefarious skills like social engineering for bad and, and, you know, possibly actually abduct these children. So, uh, that's one of the reasons it's needed.

And Chris Hadnagy, a very well-known social engineer who runs the Social Engineer Village at DEF CON, is the founder of the organization. And there's a lot of high-level people actually, like Robin Dreeke, uh, former FBI behavioral, uh, unit lead, that's involved with the organization. So, and there's a lot of talent, a lot of talented [00:49:00] people out there that go through to help track down, uh, these predators.

[00:49:05] Jeremiah Roe: That's, that's such an amazing thing that they do. I, I can't even begin to fathom, you know, uh, the atrocities that are out there, honestly, and I think anybody, uh, again, Innocent Lives Foundation, anybody that can, um, they should get involved. And if they, by any means, have the means, um, please utilize those to help the Innocent Lives Foundation.

[00:51:15] Bella DeShantz: Awesome. So we have exactly one final question to close it out. Uh, this is a question that we ask everyone at the end of the show. Uh, what is one thing that people wouldn't know about you just from looking at your LinkedIn or other online social media presences?

[00:51:30] Phillip Wylie: Yeah. Let me think. 'Cause there's a lot of stuff. I don't, I don't hide a lot, but, uh, one of the things I'd say...

[00:51:36] Jeremiah Roe: Phil?

[00:51:37] Phillip Wylie: Well, what...

[00:51:39] Bella DeShantz: Wait, I read it differently than that.

[00:51:41] Phillip Wylie: Well, one thing I, I could share that not a lot, a lot of people know is back in the early nineties, I think it was back in '91 or '92, uh, I tried out to be a contestant on American Gladiators.

[00:51:54] Jeremiah Roe: Oh, I love that show. Did you make it? [00:52:00] Ah, bummer, man. I would've, I would've loved to have seen that. Uh, that would have been so fun. Um, I did get to watch some of your pro wrestling videos, by the way. Those are, uh, so cool.

[00:52:13] Phillip Wylie: Yup. 

[00:52:14] Jeremiah Roe: Um, Phillip, thank you so much for joining the show. Uh, it's been a pleasure having you and, um, as Bella said, uh, you know, uh, thank you so much for everything.

[00:52:24] Phillip Wylie: Thanks for having me. Great to see you, Jeremiah, and great to meet you.

[00:52:27] Bella DeShantz: Yeah, it was great meeting you. This was a great conversation. Thank you so much. And again, I think I said this earlier, but it's really, really cool to hear about more people and, uh, organizations to spread knowledge in this industry. So really, really awesome to talk to you.

[00:52:42] Phillip Wylie: Thank you.