Interview - Christian (Reverse Engineer)
"I only ever knew them by handles, but the people I met had a pretty profound impact on how I developed professionally." - Christian
Christian has a bit of a different perspective compared to Josh. Their employment is also a bit different. In this interview we talk about stuff ranging from college to what the future holds, technology wise. Here is his linkedin profile if anyone would like to see it.
Cyrus: So i'm going to ask you some basic questions and branch off if the answers permit it, like I've mentioned. Before we get started do you have any questions for me?
Christian: Not at the moment.
Cyrus: Okay, so let's start this off with the basic of the basics - What's your interests in the sphere of IT?
Christian: My general interests in IT has always been the more offensive side. Reverse engineering is what I lean most heavily towards, but general pentesting is also fairly interesting.
Cyrus: What got you into these sorts of things? Is there any inciting experience that made you think "Dang, this is really interesting and this is something I want to get into"? Christian: So I started out when I was pretty young. My father worked for IBM so I was exposed to computers at a young age, about 4 or 5 years old. Computers were cool, but I was more interested in video games specifically. I really wanted to make video games for a living and spent a while when I was 8 or 9 learning how games were made. Eventually programming was what stuck and a curiosity of computer mixed with a desire to work with video games led to a stint of trying to develop game hacks. I messed around in the Counter-Strike and Half-Life Deathmatch Source scene for a while in the scripting and hacking scene and that's kinda where my passion for reverse engineering really grew. Cyrus: What personally got me into technology was the Artemis Fowl book series. I read it back in like 7th or 8th grade and I found the titular character's exploits to be interesting. For a good couple years I never actually delved into hacking, but I did get into programming and whatnot. It wasn't until last year that I really delved into things, but I got myself burnt out due to trying to learn too much too fast and the mental stress of comparing myself to others and some other things I was going through at the time. I've just been getting back into the swing of things. Obviously now the book series would be over the top and unrealistic, but I have that to thank for getting me into these topics in the first place. What sort of mediums did you use to teach yourself how to do things? How much would you say that other people have helped you, and do you have anyone within the hacking/penetration testing scene or technology in general that you look up to?
Christian: For programming, Google was an absolutely critical asset for me. W3Schools specifically got me started with HTML and CSS which led me into picking up more "realistic" languages such as Python and C++. I tried learning Python initially for about a month and dropped it as I didn't really understand how I would move forward. Bear in mind I was roughly 9 or 10 at the time so a lot of this was not obvious to me and I had no one I could turn to for guidance. I developed my affinity for C++ after prodding my parents for weeks to take me to Borders and Barnes & Noble to pick up C++ books like the C++ Cookbook by Herb Schildt.
Directly I had no help in the beginning as far as programming went. Although my father worked for IBM, he worked in server sales and maintenance so programming was out of his pay grade. It wasn't until I started meeting people in the video game hacking scene that I started to really learn from others. I only ever knew them by handles, but the people I met had a pretty profound impact on how I developed professionally. I didn't get any formal help from experts in the field until I began attending college. I joined a student run organization called Whitehatters and met some amazing people who really opened me up to the world of hacking on a much broader scale. As far as people I look up to, I would say some of the people I met from Whitehatters such as Brandon Ward from Raytheon SI. He's a very intelligent man who is willing to take time out of his busy schedule to help others really break into the cyber security scene professionally. Less locally, I really admire the work of some of the cyber security researchers on twitter like x0rz and industry savants like Dave Kennedy.
Cyrus: Fascinating. What sorts of classes did you take in college? What were you expecting before you went into college and how did it compare? For those who maybe can't afford college or don't like the environment, what do you believe someone who just opts for certifications is missing? Speaking of which, do you have any certifications? Are there any particular books or resources that you can recommend that have helped you thus far and have maybe made an impact on you personally?
Christian: So, I'm actually still in college currently. I attend the University of South Florida and I'm working towards a bachelors in Computer Science. Operating Systems and Hardware Security are by far my favorite classes that apply to hacking and IT in general.
Going into college was pretty weird for me. I lived on campus for my first two years which was a very freeing experience for me as a person. I ended up joining Theta Tau which is a professional Engineering fraternity as part of their Upsilon Gamma chapter. I was pretty shy coming into college and was actually really worried I wouldn't have any friends. My goal at the time was still to develop video games and I thought that maybe joining an Engineering fraternity could help me meet more like-minded people and give me a chance to socialize. I ended up being right on the last point as I made many friendships that I will always hold dear and I ended up breaking out of my shell and became a lot more open. A few years in I grew tired of some of the fraternity politics and that was when a fraternity brother recommend I join Whitehatters.
I firmly believe College is not the only route, it is simply the route I chose to take. I have seen people with far greater skill than me with not a single cert or degree to their name. What College ended up doing for me was give me the opportunity to make invaluable connections and hone in on what I truly wanted to do in an environment where that was possible. If someone chooses not to pursue College, I fear they may miss out on these opportunities, but there are many other ways of making up for that.
My work has recently been pushing for me to pursue Security+, but I actually already have my OSCP. My first job didn't want to pay the money for an intern to take such a certification so I saved the money and took it on my own time. I began in June of 2018 and received my certification in September.
The Youtube channel XoaX was a huge asset to me initially gaining ground with C++. Forcing myself to take the OSCP and participate in HackTheBox gave me a lot of practice in the Red Teaming / Pentesting side of Cyber Security. Various communities that I joined such as 0x00sec also gave me a chance to network and talk personally with other people interested in security. For a while I lurked HackForums which is where I found that the best way to solidify your experience in something is to help others.
Cyrus: OSCP is a pretty big name certification within the industry. I've had some extremely talented and skilled friends fail it a couple times before actually passing and obtaining the certification. What do you need to do to obtain the certification? Are there any misconceptions about it? Was there anything you've struggled with? Additionally, what helped you study for the certification? Any good resources you can point an OSCP hopeful towards? Christian: More literally, the exam consists of 5 boxes that you must compromise. Each is weighted with a different amount of points ranging from 25 to 20 to 10. A minimum of 70 points is required to pass and performing a writeup on the lab section will net you an additional 5 points. However, the OSCP is much more of a time investment and determination challenge. I spent a total of ~230 hours total in the lab over 60 days while doing summer classes and an internship with 40 hours per week. I was a rough experience and as much as I enjoyed the challenge I don't know if I would want to go through it a second time.
A large misconception I see is that the certification is nigh-insurmountable. This is simply not true as anyone willing to put enough time and energy into it can pass. I personally struggled with the initial learning curve. I had practiced with HackTheBox initially and going from a CTF boot to root challenge setup to a simulated corporate environment was quite jarring. I ended up over thinking a lot of things and found myself struggling on things a professional pentester would think to do first.
HackTheBox was still a great training ground for the OSCP so long as you bear in mind that it is more of a CTF layout with some pretty out-there attacks. FuzzySecurity, Abatchy's blog, and G0tM1lk's blog (who now works for Offensive Security) were incredibly helpful resources in my journey through the OSCP.
Cyrus: I'm personally of the mindset that anyone can do anything they want, as long as they put their mind to it. You've mentioned that your work has been pushing for you to pursue Sec+. What is your work and what does it consist of?
Christian: Without getting into specifics, I do a lot of reverse engineering professionally for CACI International. If you don't know, they're a government contractor and Security+ along with other compliant certifications are used as leverage for bidding on contracts.
Cyrus: What sorts of tools do you use on a daily basis? Do you program your own tools and scripts? If you do, how often and what sorts of things? What does an average day look like for you as well?
Christian: WinDBG, Radare, IDA, and SysInternals Suite are my gotos depending on the job. My current work doesn't have me doing a lot of programming, but I get enough of that in my personal time. An average day due to classes starts around 11:30AM until about 6:30PM. I meet with coworkers to discuss current projects and we analyze current projects for reverse engineering and any potential development that may be needed. Like I said, unfortunately I can't get too specific so I apologize for the vague answers here.
Cyrus: Yeah, I understand. Looping back to the first part of the interview, you said you got interested at a young age. How old are you now? How have your interests and goals shifted over the years? What sorts of things have you struggled with? If there was something current you could tell past you, what would it be? Is there anything you wish you knew sooner or things you wish you approached differently?
Christian: I am actually 22 right now and my interests shifted pretty hard during my teenage years. It was back and forth for a while on developing video games and professional hacking. At the time, the latter seemed more of a fantasy as during 2008-2010 hiring hackers was only something the government and really edgy companies did and the hacker stigma was much stronger than it is today. Personally, I struggled with this divide quite a bit as I knew early on I wanted to do something "cool" with my life and became sort of a workaholic at a young age. This led to a lot of stress and anxiety that I wasn't improving "fast enough" for my exceedingly high personal standards. If there was something I could tell my past self it would be to not stress as hard as I did. Teenage hormones most likely played a big part in the cementing of said stress, but the toxic mentality of: "grow, improve, be better" caused way more problems than I should have needed to deal with.
"If there was something I could tell my past self it would be to not stress as hard as I did" - Josh
In fact, stress is something I still deal with on a daily basis even today. Balancing hobbies, classes, and work is a difficult thing to do. As I sit here during this interview, I am smoking a cigar trying to relax. Its something I have learned to deal with better over time, but the damage done earlier in my life has made it hard to step back and do nothing.
Along with stress, I developed a form of Impostor Syndrome. Despite attempting to make games in high school when most of my class mates were off having a good time, I always felt that I was "pretending" and mentally compared myself to professionals many years older than myself working in the video game industry. This still rears its ugly head from time to time even now as I try to improve my skills constantly only to feel behind the curve in some areas. Cyrus: I can certainly relate to that. As someone with a bit of an impostor syndrome myself, there's been a decent amount of internalizing and introspection I've had to do to keep myself from going overboard with my own expectations and so I could stop comparing myself to those who have had years upon years of experience under their belt. I still have my moments where I doubt myself and consider if I should just give up, but I think overall I'm a lot healthier. How do you deal with the stress? Any productive ways that you channel that anxious energy into something that will help you?
On that note, where do you see yourself professionally within the next 5 years or so? What do your current goals and aspirations consist of? Additionally, how do you believe that the industry will change within that time period?
Christian: I've started playing video games with friends to help with stress a lot more recently. Along with that, I still find working on personal coding projects to be a decent stress relief. I don't have the same deadlines as with school or work and I have a lot of creative control over how I want something to happen and when. In 5 years I really hope to see X9 Security grow into a much bigger name. I don't plan on stopping working with the amazing people I do now any time soon and I believe with the right effort it could help a lot of people. I also hope to see my skills grow a lot more as there are certain sub-fields of reverse engineering I really want the opportunity to get better at like driver exploitation and kernel exploitation.
I feel like in the next 5 years we're going to see a continued demand for more skilled professionals. There is expected to be a massive deficit in the number of skilled cyber security professionals compared to the demand for security. IoT specifically is going to continue despite ravings from security professionals (myself included) about the dangers of putting unnecessary devices either on a local network or even completely attached to the internet via some over-arching API. Cyrus: The demand for cybersecurity professionals certainly isn't going to be going away anytime soon, with more technology being integrated within our lives. I have a transhumanist philosophy where I personally believe that the future of human evolution will be technologically based. Cybernetics, gene editing, more of an acceptance of GMOs as valid food, and whatnot. I personally believe in the amazing things that technology can do. But with that being said, I also understand that new technologies introduce new risks. The same technology and science that can be used to create clean energy for millions can be used to obliterate cities within an instant, after all. How do you believe the technological landscape will change? What sorts of things do you personally think we can expect in the near future, from your perspective? Are you as hopeful as I am? Christian: Personally, I am somewhat fearful for the future from a technical standpoint. Yes, very intelligent people will make some amazing scientific advances that we may not even be able to imagine right now. However, I worry that the desire for technological advancement and integration will surpass the desire to secure said technology. What good is a man's pacemaker, the very technological advancement that is keeping him alive far past his ancestors in the same position, if it can be taken out by a smart phone? How do we justify a world where we've introduced the ability to communicate anywhere instantly so much that we've built our entire society around it if it can be taken out in seconds? The world is a dangerous place and man is a selfish animal. Where there is advancement there will always be antagonists to turn the clock back. If we are to truly live in such a Utopian society the likes of which our forefathers could only dream of, we must learn that our neighbor is not always our friend. Cyrus: I believe that this is an important discussion to be had. Personally, I believe that we will be fine. There will just be new problems that we will need to solve. People freaked out at the invention of computers, people freaked out at the invention of the nuclear weapons, people freaked out at the invention of the car, people even freaked out at the widespread usage of people using paper. Granted, paper can't be used to kill someone or severely disrupt economies. But hey, we've made it a couple thousand years so far. Regardless of what happens, I am interested in seeing how the journey goes.
What sort of advice do you have for someone looking to get into this field professionally? Any protips or anything you think people should be made aware of? Also, what sort of mindset do you believe is the best one to be in when you are in this field? Christian: I recommend people try to soak up any information they can. I've found that personally, learning about things normally outside my field of work have come in clutch in many instances. Learning the basics of things like Networking and Operating Systems are critical for making it in the IT or Cyber Security field. For a mindset I feel that's a lot more job specific, for any kind of vulnerability research position you need to be really open to edge cases and learn to think outside the box. For more structured work like Networking I believe a systematic approach works best, but its ultimately whatever works for the individual. Cyrus: Well, I believe I have asked all the questions I have wanted to ask. Thank you for your time and insight. Are there any closing statements you would like to make or anything you wanted to say that you didn't get a chance to? Christian: I think that's all I've got for now, thank you for having me.