Intro by Ethan: Sierra came up with the idea to interview me for this blog. I thought it was a great idea and after watching Rick and Gail’s dynamic on the video they created the other day, I thought it could be really fun too.
Our attempts at recording video failed. Our attempts at recording audio mostly failed. We got an audio recording that was akin to talking through these:
So instead you will find the transcript of our conversation.
S: Hi Ethan, how are you?
E: Hi, I’m doing great. How are you, Sierra?
S: Good! So BHIS has been around since 2008, and you started right at the beginning right?
E: Yeah, pretty close.
S: And how did you end up connecting with John and getting involved at that starting point?
E: So BHIS, as you know is based in the Black Hills. I went to school in a city that is right in the middle of the Black Hills called Rapid City and there was a poster, just a one page ad for an internship hanging on a bulletin board at my school. It was my mom who actually noticed it and pointed it out. I think it said something like, “Do you like to break things? All you can drink Mountain Dew!” I called the number on the flyer, John answered and he said nobody had called him in about six months and he didn’t even think the flyer was there anymore. But here I am. He asked me a few questions on the phone and then he decided to meet me. He lives about an hour away so we set up a time and he took me to sushi. It was the first time I’d ever had sushi.
E: So that was our interview, and he hired me on as an intern while I was going to college.
S: Cool. Well I kind of love that your mom saw it and got you your “first job.”
E: (laughing) Yeah, she likes to bring that up too.
S: What were you going to school for at that point?
E: I started as a computer engineer, but switched to computer science, which is what I graduated with.
S: Why did you make the switch?
E: A couple of different reasons. I decided I liked to program better, mainly since there’s a lot more immediate gratification versus tinkering with hardware and electronics.
S: Okay, yeah that makes sense. And so did you know anything about pentesting when you started working with John?
E: No, no I didn’t. So when I first called John he kind of described what he did and I remember asking him, “Is this legal? Do you have permission to do this kind of stuff?” I think he liked that I asked that question. But no I didn’t know this kind of job existed before I met John.
S: Awesome. I guess 2008 doesn’t really seem that long ago, but eight years has made a big difference in just how much the general public knows about hacking and computer stuff.
E: Definitely. The last few years it’s been all over the news; the media likes to bring it up.
S: It’s one of those things that’s really scary and nobody understands it, so kind of perfect news.
E: True, I can understand why the news likes it.
S: So then you were an intern working with John. Was it just John by himself at that point? Or were there other people working at BHIS?
E: I think there were other people who were kind of coming and going, also interns. So BHIS at the beginning was kind of a black box, at least to me. I met John about two times in as many years. I would correspond with him through email and I learned to be concise pretty quickly. I would send him page long emails about what I’d been doing and asking for feedback and he’d send back – if I was lucky – a sentence, but sometimes just a couple of words.
S: “Good! Keep going!”
S: Yeah, it’s definitely kind of the same thing for me when I started. John throws you in and you learn to swim.
E: But back to your question. I saw other people copied on emails randomly, but it was never a thing where John told me, “Hey you’re going to be working with this person.” or, “Hey, I’ve got this other person and I’d like you to work with them.” I was just kind of in my own little world. And then at one point during summer break I did a full-time internship with BHIS.
S: What year were you when you started?
E: I was just a freshman.
S: So you started working with him right at the beginning of school then?
E: Yeah, and I think the internship was between my junior and senior years of college – the full-time internship – and I got to see John a lot more in person during that time.
S: That helps.
S: And then after you graduated were you still an intern? Or did you go full-time at that point?
E: After I graduated I actually went to Seattle for a summer and I did another internship there for a different company and immediately after that was hired on full-time for BHIS.
S: Great. And compared to when you started what is it like to work with BHIS now?
E: I feel like there’s parallels watching a child grow; raising a child. I’ve never done so myself, but right at the beginning it’s always kind of in the moment and then they grow and they grow and eventually they’re old and maybe someone who you haven’t seen in a while comes back and they say, “Oh my gosh, your child has gotten so big!” but the parents are just like “This is my child.”
S: It’s hard to see the difference.
E: Yeah, it’s hard to tell unless I really step back. Back at the beginning when I was hired on, there was one other full-time person, who had been hired a few months before me, Tim Tomes. And so we worked together and, pretty much everyone at BHIS is remote and definitely everyone at the beginning was remote. We worked together and emailed back and forth and had online conversations, but it was a year of working before I actually finally met Tim in person. That was kind of strange. Besides John, I didn’t meet my sole co-worker in person for a year.
S: It’s definitely different. So do you like working at home? How would you describe your experience working at home?
E: It definitely has its ups and downs. There are some benefits of working in an office. But that being said I don’t think I’d ever go back to working in an office full-time. I really enjoy being able to work from home, being able to have my own space and pace and think without too many other people to distract me.
S: It’s more fun to work in an office. But there might be more fun and a little less work.
S: So when you’re working, can you describe a typical week or typical day? Without getting into too much detail what are some of the things you work on and do or what is your routine?
E: I don’t think I’ve had a typical week since I’ve started (laughs) but I’ll try my best to kind of summarize. As I said, things have changed quite a bit, both at BHIS and my role has also changed quite a bit. I still do testing but I’ve transitioned more to doing development recently. So I wake up, have breakfast, get ready, start up my computer and log in. I try to avoid checking email first thing in the morning because otherwise that tends to be a black hole for me and before I know it half the day’s gone and I don’t know what I’ve done!
E: So I usually try to figure out the night before what I need to get done, and work on that before I open up the floodgates of email.
S: Good plan. Do you feel like you’re better – so nobody can multitask, we’re just flipping between mini tasks and not really getting anything done – but you’re saying that you try to have one focused project that you start the day with and you work on that.
E: Yeah, that’s what my approach has been lately. You talk about multitasking, I used to think I could multitask (laughs) as we mentioned it doesn’t work so well. I finally have learned that.
S: Yeah, I’m learning that more and more, to not have 10 million web tabs open and just have one thing that I’m doing. So what are the hours you usually keep?
E: It changes so much, I’m not really good about getting up in the morning. I’m typically a night owl. I also really don’t like waking up to an alarm. So unless I have something specific I need to be up for I try to just wake up naturally. We have meetings and appointments that we have to manage within the company but outside of that we kind of set our own hours. If I have something I have to do in the afternoon I can go do that and then come back and finish later that night and continue working.
S: I do like the flexibility. So, you mentioned that you’re involved in the R&D on the development team. How did you fall into doing that?
E: I think it was just what I wanted to do. I really liked doing pentesting and I really like doing development. Something I learned working for BHIS and internships is that I flourish the best when I can switch between the two. Not necessarily multitasking but if I can do one for a while, like a few months or a half a year and then switch to the other one it helps me to come at it with a new enthusiasm and not get too bogged down doing the same thing.
S: Yeah not get burned out or overloaded. And it seems like maybe the dev comes from your experience pentesting? Would you say that’s accurate?
E: Yeah, I definitely have insights about what would be useful as a pentesting tool and where to focus my dev efforts to what would be most useful.
S: So it’s kind of really great that you like doing both of those things – you can kind of stay in touch with the ways people are attacking and the things happening in info sec and go back and develop it more.
E: Well, it’s what I prefer so I’m glad other people think it’s good that I like to do both.
S: Well, I think it makes a lot of sense. And from talking to some of the other testers that’s one of the things that you really like about your jobs is that it’s always different and always changing and that you’re never, even for the people that are doing straight pentesting, it’s different even from job to job even within the same industry because each job has different needs; it’s never too routine. What would you say your least favorite part of R&D is?
E: I think for every programmer the least favorite part is debugging. Probably the most favorite part is after you’ve debugged and you’ve actually solved something and figured out what was going wrong.
S: A big endorphin rush!
E: And it’s the same thing with pentesting too. It’s really frustrating to beat your head against an application or a network over and over again but you know once you find that chink and you weasel your way in it’s a pretty good feeling.
S: Yeah well, if it wasn’t hard it wouldn’t be fun.
E: That’s true actually, there’s a lot to be said for that.
S: So for someone just wanting to get into this field, the pentesting field, do you have any advice you’d give them? Look for random posters?
E: (Laughs) Yeah, keep an eye out for opportunities. That’s good advice all around. But I think if they want to make themselves stand out probably the best thing to do is to get out there and try things. Get experience. If that means finding local groups that you can be a part of just to get your fingers on the pulse of the community, that’s good experience. You just sort of absorb the mentality of the security mindset. Or it can be competing in CTFs (capture the flag) competitions; those are good. Even if you don’t have those available there’s all sorts of hackable test sites or test programs that you can find online that are specifically meant to teach you security concepts. So just trying them. You’re going to learn the most by actually doing it. As you’re doing it you’re trying to figure out why doesn’t this work, and by the time you’ve figured out how it works and why it works you’ve done all this research and you understand the issue and you can actually do it and you can replicate it. It’s one thing to read a blog post and say, “oh that makes sense,” but it’s a completely different thing to actually go through it and replicate it on your own. You’re going to learn so much more and you’re going to have a handle on the details then.
S: That sounds like great advice. And so that would be for someone entering the industry. But from your perspective as a pentester, what then would you have to say to maybe someone that is running a company or is on the IT staff of the company? What can they do to make their company a little less vulnerable to attacks from pentesters but also from real bad guys?
E: Okay so yeah, companies that I’ve found to be the most successful or the most secure, the one thing they all really have in common is that they really care about security. The mindset of the company is like, security is a priority to them. A lot of companies will try to do double duty and they’ll give it to their IT people; they’re having them do security on the side essentially. And that might be a necessity due to budgets and just not having the skill-set available. But to really thrive you kind of need some dedicated staff and you need the rest of the company to not have the mindset that they’re adversarial. The rest of the company shouldn’t view the security people as if they’re just there to make your lives harder.
S: “So we need your passwords to be 40 characters long.”
E: (laughs) They should try to understand the importance of security – try to cultivate why security is important. And as we mentioned earlier, the media constantly streaming that out into the open, I think that helps. Plus, it gives companies incentive to make security important.
S: Well I mean, if I were running, say, a hospital, seeing that hospitals are having $17,000 ransomware catastrophes definitely makes me more aware of it. There are times when we like to rag on the media, but it definitely helps bring that to the public forefront. So is there anything else you’d like to mention or talk about? I feel like we got a good glimpse into your experience and job.
E: There is one more question on the list, “What do you really enjoy about working at BHIS?” and I’d like to take a shot at that.
S: Oh, do, do!
E: My favorite part of working here is just the people we have working together. It’s hard working remotely. You don’t get to interact with your co-workers as much as if you worked in an office. And it’s just, it’s not the same as face to face interaction. But one thing I really like is when we get together – we usually get together at security conferences once a year or so, or sometimes there will be a bunch of us on a test together – that’s my favorite part. Just being with people who are like-minded, who care about security, who you can say something completely technical out of the blue that your friends and family would think you’re talking gibberish, but they actually understand it and respond in kind. That’s my favorite part. We’ve got some really great people at BHIS.
S: I pretty much love it! And you said it was nice to have like-minded people, but I feel like I’ve worked in a lot of different industries myself, and you can have like-minded people that still don’t gel and one of the things that’s really special about BHIS is that more than just having our job in common I feel like – I’m not a pentester so I don’t have your job in common – but that we all have so much fun when we get together just I feel like John has done a good job of bringing people together that gel and work well together, on top of having our, or you guys’s, technical skill in common.
S: Well thanks for talking to me Ethan, it’s been awesome. I feel like I learned a lot about you and I hope everybody listening feels the same way. So thanks for the time.
E: All right, take care.