There are many paths you can take to become a security professional. In this episode, host Laura Kankaala talks with Tom Hudson (aka @TomNomNom) about his learning journey with computers and hacking, which began with him taking it all apart. Tom's tinkering obsession introduced him to the world of hacking and bug bounty competitions. Besides chasing bugs, Tom is also passionate about passing on knowledge through his particular teaching style, and he discusses some of the common struggles of people who are just getting started with security, as well as which kinds of questions are the good ones to ask along the way. Even though they are security experts, Tom and Laura still experience imposter syndrome, and together they exchange their best practices on how to manage and embrace the feelings of doubt to stay motivated.
Tom’s Youtube channel
Laura Kankaala (00:12):
Welcome to Undetected. In this podcast, we dive deep into the world of web security. My name is Laura and I'm a security researcher myself. I'm on a mission to make the internet a tiny bit safer place. This podcast is brought to you by Detectify. Getting started with anything can be super easy, but staying motivated is the tricky part. Take, for example, web security. There are so many things to learn all the time and security really is a moving target altogether, and so is security research around that.
Laura Kankaala (00:47):
Today, I have the pleasure of having Tom Hudson here with me. Tom has a long history, in terms of learning, and also teaching and training people when it comes to programming and training. I want to pick Tom's brain and learn how he thinks about learning, and what are some things that help him stay motivated? So, welcome, Tom.
Tom Hudson (01:14):
Thanks for having me.
Laura Kankaala (01:16):
Tom, you also go by the handle of TomNomNom on Twitter and on GitHub, for example. On GitHub, I've seen some of your projects, for example Gron, and I've actually used a lot of the tools that you've made available on GitHub. Gron... makes JSON more greppable, in a greppable format, and httprobe, which helps you take a list of domains and, in your words, probe for working HTTP and HTTPS servers, and also assetfinder, for finding subdomains and other assets related to a domain. I've used some of your tools for recon and for parsing through information that I've collected, so they are very, very useful. I think a lot of our listeners can attest to that, they have used your tools and found them very useful. You also work at Detectify and your title right now is Security Research Tech Lead. So, can you tell me what does a Security Research Tech Lead do?
Tom Hudson (02:23):
That's a really good question. So, firstly, thank you for using my tools. I'm glad you found them useful. I think that's one of the things that makes me the most happy, when people get use out of them. Security Research Tech Lead... So, I lead a team of, effectively, security researchers and engineers, who build modules for our scanning systems based on the submissions that we get from Crowdsource researchers. I also do some of my own security research... I always try to get help where I can and join in with what other people are doing, but I do my own bits of security research, as well, to see how we can improve the way our scanners work, see if there are new types of vulnerabilities that we're not detecting yet that we can detect, and how we can automate new classes of vulnerabilities that we can't automate so well right now.
Laura Kankaala (03:21):
Yeah, that is very cool. There's a lot of things to cover when it comes to web security and new things to be found all the time. Tom, you're not a new person in security or in IT. Can you tell me a little bit about how you got started with working with computers, overall?
Tom Hudson (03:43):
Sure. I've been fascinated by computers for basically as long as I can remember. We got our sort of first family computer sometime in the Nineties. I, like many kids who were interested in computers, broke it pretty much straight away. Because it was a very expensive thing, I would have been in a lot of trouble if my parents had found out that it was broken, so I had to quickly learn how to fix it as well, which meant I had to read a lot of the books that came with it. Back in those days, you got really thick manuals that told you way more information about how the computer actually worked, and what all the components were, and how the software was configured and things. I remember there was a manual for DOS that must've been about maybe 400 or 500 pages that came with the thing. So, I had to learn to fix it before I was found out and would be in trouble, because I would be banned from the computer and I wouldn't be allowed to use it.
Laura Kankaala (04:44):
That's a good motivation.
Tom Hudson (04:46):
Tom Hudson (05:40):
Back at school, I had used sort of the challenge websites and things like trytohack.nl, where they would challenge you to find the password or get past the login prompt or whatever. I'd been okay at those sorts of things. I remember reading... I used to get .NET magazine when I could convince my parents to buy it for me. I remember reading about DEFCON back sometime in the late Nineties and thinking, "That sounds like the most amazing thing ever. I hope I can go there maybe one day." So, I spent a bunch of time as a Software Engineer and a DevOps-y sort of a person, spent some time as a Lead Software Engineer. Then, the company I was working for launched a bug bounty program. They were relatively enlightened, so they decided staff can find bugs, and submit them on the program, and get rewarded. I turned out to be quite good at it, at least compared to the people who were around me maybe. I made myself a little bit of money and that got me hooked.
Tom Hudson (06:48):
At some point, I found myself on the HackerOne leaderboards without really realizing it. I got myself an invite to a live event in Vegas and got to go to DEFCON, like 17 years later or whatever it was. I finally got to go. It wasn't quite as my young teenage brain had made it out to be, but it was still a fantastic experience, and mostly I got to meet so many great people. Before that, I wasn't in the community, and after that I was suddenly in a community.
Laura Kankaala (07:24):
Yeah. I want to go back to what you said about hacking things back together, so that basically you try to unhack yourself. Do you think that that experience in terms of like fixing stuff and programming, that it has helped you to be a better hacker, as well?
Tom Hudson (07:43):
Definitely. Definitely. My main goal for things like that, apart from when I had to fix them before my parents found out, was to figure out how things work. Before we had a computer, I had spent much of my childhood taking things apart and often getting into trouble for taking things apart. But it got to the point where every time I went to visit my grandparents, my grandfather would have found something that he kept for me to take apart that he thought might be interesting because he knew that I would take something apart I wasn't supposed to. Also, he had a very scientific mind throughout his entire life really, but that emphasis on figuring out how things work really gave me enough of a better understanding of how to break things, if that makes sense. Something I've said before is, if you want to break something, the first step is to make it do the thing it's supposed to do. Otherwise, how can you know when it's not doing it properly, or when something's different, or something's gone awry?
Laura Kankaala (08:54):
Absolutely. I can totally agree with you on that, that if you want to learn how to make a toaster make coffee, for example, you need to know first how that toaster works before you can try to make it do something else. For me, as well, I think that working as a sysadmin, and doing a little bit of coding as well, has helped me also to realize how the systems are supposed to work. If you think about, for example, black-box or white-box testing, that means, "Do you have access to the source code or do you not have access to the source code while doing the testing?" I think in a lot of cases, for example, doing white-box testing, where you have full access to the source code, you can also get slightly better results.
Tom Hudson (09:44):
Yeah, definitely. I've spent a fair amount of time in my sort of bounty career, as it were, doing white-box testing, both on sort of open source code and proprietary code that I happened to have access to. Having spent that time as a software engineer and building software, it made that job so much easier. Even with the black-box side of things, as well, if you have built things, you have a better idea of what's likely to be true under the hood. If you're looking at a filtering function, you think, "Well, I've written my own filtering functions. What did I do? What would I have done in that situation?" And it's almost trying to build a mental model of what the code probably looks like under the hood.
Laura Kankaala (10:28):
Yeah. That goes for all kinds of functionalities in a program, or even processes around web security, like how is code being made or who is programming it? How is it being programmed? Everything, as you said, the overall mindset, but I want to tap a tiny bit deeper into a... You didn't mention this yet yourself, but you've told me that you have also done training in the past or you've trained... was it graduate students in programming and also in security? Yeah. So, what do you think are some of the common things that people struggle with when they start out, for example, with programming or with learning about security?
Tom Hudson (11:16):
Oh, that's a really good question. I spent a couple of years as a technical trainer teaching, like I say, programming, and some little bits of security, and that sort of thing, as well. Certainly, in the early stages, I think a lot of people struggle with not having a mental model for how a program should work, if that makes sense. I think when I'm writing code, I'm thinking about components, and pieces of code, and pieces of functionality that I can join together in a particular order, in a particular structure, to make them do what I want. But if you don't have that model yet, and you don't have that awareness of what's even possible, I think it's incredibly hard to do.
Tom Hudson (12:07):
Another thing that I think a lot of people struggle with when they're first starting out is just how precise you have to be. I think a lot of people are used to computers being almost magic in a way, and they kind of figure out what it is you mean, and in programming they really, really don't, and you have to be super explicit about things like types of data. I find the key there is really finding the right analogy for people, and what that analogy is really depends on what their background
Laura Kankaala (12:42):
Do you have any good analogies that you could share with us right now?
Tom Hudson (12:47):
Yeah, I can try. So, I have a few things that I sort of fall back on for programming, in general. One of which is it's like writing a recipe, right? So, you have a list of instructions, which is your method for the recipe, and you also have a list of ingredients, which is almost sort of like your data. So, when describing function calls, for example, you might say in a recipe that you were to fry some onions, and fry would be the function, and the onions would be the argument. It's like verbs and nouns in that way.
Tom Hudson (13:21):
In terms of how specific and how literal you have to be, I described a scenario of teaching one of my young children to set the table. For example, you can't tell a child, "Go and set the table," or at least not a young child who's not done it before. You have to literally say, "Go to the drawer, open the drawer, take out four forks, go to the table, put them down in this place." You have to be really specific, but once you've done it the first time and you've described it, you can refer to it by name and you can say, "Please set the table," and it's like defining your own function. Not everyone has kids, but mostly they can imagine that scenario, at least. I find that that works quite well.
Laura Kankaala (14:10):
Definitely. I agree that understanding this basic functionality of computers is the main ingredient in knowing how to break stuff, as well. About breaking stuff and security, what would be some... doesn't need to be technical, but some other learning methods that you, for example, yourself have?
Tom Hudson (14:33):
So, I think my main approach to that sort of thing is firstly, to try and be quite broadly read. I try and read around a lot of different subjects, still, usually within technology for me, because that's what interests me the most. I verge into electronics and science and that sort of thing, despite not being a scientist even slightly, it still interests me, especially if I can find an article that's written in an accessible way. That broad knowledge really is a basis for this thing that I've taken to calling Just-in-Time Learning.
Tom Hudson (15:10):
I find it quite difficult to learn something in depth if I don't have a practical application for it right now. I struggle with writing the toy and demo applications, and things like that, as a way to learn, because I need a problem to solve, basically. But you need to be broadly read and have an awareness of subjects, and techniques, and things, and what they're capable of, and maybe some of the situations in which they can be applied, so that when I encounter a situation where I need that knowledge, that's the point that I can go and learn it properly. That's where the legit learning comes in.
Laura Kankaala (15:48):
Yeah. It's basically going to the area of kind of like the known unknown. You know that this kind of thing exists and it has some kind of interesting aspect to it, or that it can have potentially a vulnerability in it, or that there is some kind of dimension to it that you are aware of, but you don't actually grasp the precise knowledge of how to do something around that.
Tom Hudson (16:14):
Yeah, that's exactly it.
Laura Kankaala (16:14):
Yeah. Personally, I love reading, as well, and I love reading stuff, not finishing reading stuff. I start reading a lot of things, and I just graze through it, kind of just to grasp new ideas or new concepts, but I totally agree with you. I thought that, for example, for myself, I guess I'm really bad at doing those hello world kind of software, like getting started and those tutorials or demos. I felt like, "Okay, maybe I'm doing something wrong. Maybe I should dig deeper into this," but hearing you also saying that you don't do those that much, it's kind of reassuring that... I don't know, someone else is doing the same, I suppose.
Tom Hudson (16:59):
Just having a problem to solve is such a powerful guide from my perspective, because it drives you to ask more questions, because you need to know the answer. It's not a case of want anymore. If you want to solve this problem, you're going to have to do it. For me personally, it means I have to stranger things that are maybe a little bit more difficult, and a little bit more out of my comfort zone than ordinarily I would do if I was just trying to learn for the sake of it.
Laura Kankaala (17:28):
What would you say right now are some of your fortes, things that you've definitely dug deeper into and had to learn by heart?
Tom Hudson (17:38):
I've been spending quite a bit of time recently looking at driving Headless Chrome using Go, which is these things are always going to be quite niche. Something I've been using for some work projects recently... Again, it's something I've been meaning to experiment with for a long time, but I never get round to experimenting with things. I only actually seem to get things done when I have like a problem to solve right now. What else I've been looking at recently? I think that's probably the main thing, like the most recent one that springs to mind.
Laura Kankaala (18:18):
Yeah. It's interesting. I remember when I started all with security, like back when I was in university, and before that, I was more interested in like programming and stuff like that, so when I did my first like hacking courses, for example, I thought that basically I needed to know everything. If I didn't know everything, then I would be a failure, and I wouldn't be good at this, like whatever I'm doing. But, grasping the notion of how big overall web security is, or overall like web security's niche of overall of cybersecurity industry, so even in this niche of web security, there are so many niches. Understanding that, at least for personally, when I understood that I need to do what I want to do and do what I really will want to do at that minute, and not worry so much about knowing everything, because there's just no way that anyone could ever learn everything... absolutely everything when it comes to web security.
Tom Hudson (19:24):
For sure. I personally still struggle with that imposter syndrome. So, what advice do you have to try and get over that feeling of, "Everyone else knows more than me. I don't know enough. I'm not supposed to be here"?
Laura Kankaala (19:44):
I don't think that I have gotten over it. It's just something that you kind of try to embrace in yourself. At least for me, that I tried to accept my own limits that I cannot know everything, and I can contribute to some things that I know of, or I can give some kind of advice, or there's like background knowledge that I can use to make sophisticated guesses, for example. But, I don't know. I think it's just... It's very hard sometimes to kind of wrap your head around that, that you are not the... you're never going to be the best, especially if you want to be the best of the... well, not even be the best, but you want your work to be the best, and put out hundred percent into everything you do. But what about you? Do you have any ideas on how to cope with imposter syndrome?
Laura Kankaala (20:36):
Actually, right now, I want to open this term a tiny bit for our listeners. So, imposter syndrome basically is a term used for... and Tom, please help me if I miss out on something, but is the term used to describe people, especially in a field of IT, that feel that they are never good enough and that they got super lucky to be where they are, or that however much they put effort into something that they are just not good enough, and they will never make it.
Tom Hudson (21:11):
I like that you even checked, "Correct me if I'm wrong about imposter syndrome," just, "Oh, I can't possibly be right about that." It really is that pervasive; it can make us doubt ourselves. I don't have a great deal of concrete advice other than to listen to other people talk about their own imposter syndrome. That will help you realize just how common it is and that it affects everybody. I've even heard some people suggest that if you don't have imposter syndrome, you're the weird one, there's something wrong with you. If you think you know enough, then you're probably wrong.
Laura Kankaala (21:56):
Yeah, definitely. I think in our industry, it's also our biggest... There are so many bright-minded individuals all around us all the time that have awesome research to showcase, that are going to conferences, and talking about their research, or otherwise, you feel that you're constantly bombarded with new stuff, and new information, and new things to learn. So, I think it kind of like twists our perceptions of ourselves, as well, and our own expertise, even though it doesn't have to be that way.
Tom Hudson (22:29):
Yeah, definitely. I think there's one specific instance that springs to mind for me. It was an interview with one of the all-time great programmers. I think it was Brian Kernighan, but don't quote me on that. He was talking about functional programming languages, which is something I've always really struggled with. I don't get on with them. In this interview, he's saying basically the exact same thing that I was feeling, "I've tried and I can just about get by with it, but it doesn't really match with the way I think about things. I don't get them," and having someone of that caliber experiencing the same feelings as me made me really realize maybe that's true for me, as well. One of the things that I always suffer with quite a bit is I think, "If I know something, it must be common knowledge, therefore, it's not interesting, so nobody will want to hear about it," but the more I talk to people, the more I find out that that's not true. Talk to people about it is probably my best advice.
Laura Kankaala (23:46):
Definitely, and I think... Well, you have done training before as we lightly touched upon, but you can just become a trainer or teach people without knowledge, or you can, but you probably won't be really good at it. It's like... I don't know. I suppose like doing training and teaching other people also like makes you wonder sometimes like, "Am I actually good enough? Am I... Do I know everything? Do I know stuff? Do I know these things broadly enough to talk about these things?" Because that's at least something that I feel when I go out to give lectures or when I go out to have a talk or anything.
Tom Hudson (24:29):
Yeah, definitely. I don't know about you, but the first time I was asked a question I didn't know the answer to when I was teaching was terrifying. Actually, after it happened, I felt a tremendous sense of relief because I handled it okay.
Laura Kankaala (24:49):
What did you do in that situation?
Tom Hudson (24:56):
So, the first thing to do was to admit that I didn't know, and I think that's really important from an educator's perspective, because growing up through school, not all but many of the teachers that I had never directly claimed to know everything, but when they were faced with a question they didn't know the answer to, they would usually either make something up in the worst case, or usually they would tell you to be quiet and get on with your work and just dodge the question in that way. The odd teacher, especially in the sciences and technology disciplines, at least it seemed to me, would handle things a little bit better. I think that's probably part of the reason that people have this imposter syndrome, is that growing up as a child, it seems like every adult always has the answer, because they don't want to admit that they're wrong, and it's a self-perpetuating problem.
Tom Hudson (25:55):
I tried to make a point of explicitly stating, "I don't know, but here is how I would find out." I was on a laptop connected to a projector at the front of the room at the time, and I did my first bit of Googling in front of students, and sort of talked through which of the results I was looking at and why, and which ones I trusted and why, and part of that is from experience. If you go and read, if you click the Experts Exchange link a few times, you will eventually learn. Maybe it's not the best one, and maybe you should go for Stack Overflow or something instead, maybe you should go for Mozilla Developer Network over W3Schools, for example. All of these things can be really good resources, but these sorts of rules of thumb do you get with.
Tom Hudson (26:46):
But that first time of being confronted with a question that I didn't know the answer to, once it was done with, I think I was almost instantly a better trainer. I was more confident and actually began to relish those questions, because those are the times that I get to learn, too. For me, that really became a catalyst for learning a great deal of things that I otherwise wouldn't have done. It has been teaching things and also learning them in more depth, as well. What have your experiences been like, especially with teaching beginners, if that's something you've done?
Laura Kankaala (27:26):
Yeah. I mean, when it comes to admitting stuff that you don't know, I think that's also something that I had to learn after giving talks, and after going out there. For me personally, I want to be very precise when I say something, and I don't want to lie or try to avoid spreading information if I don't know that that information is originating from a legitimate source or it's basically true. So, I'm typically quite... I try not to say anything like that, that I doubt to be false, for example. The first time I remember when I had to, during a talk or after a talk, someone asked me a question about the topic that I was talking about. It was about cloud security. It was like three years ago, I think, four years ago. I was doing some research and I was talking at a local community event. I felt so intimidated. I was like, "Why are they asking me this question?" Especially when I realized that I don't really know the answer.
Laura Kankaala (28:39):
Then, I don't quite remember the words that I used, but something along the lines that, "Oh, ... I cannot give a good answer with my knowledge right now. I can only give a sophisticated guess or something." It was interesting. I do personally think, as well, that admitting when you don't know something is really a super power, and you should really exercise that if you don't know something. Also, don't like sell yourself short, so if you are not sure about something, then try to... I don't know, still say something, but don't like silence yourself because you are not sure if you're correct or you're not.
Tom Hudson (29:22):
Yeah, definitely. Something that I've taken to doing in meetings from time to time, when I can see someone not understanding something, even if I already know what they're talking about, I sometimes stop and ask, "What is that thing you're talking about?" or, "Sorry, I don't know anything about this. Can you please explain it to me in simple terms?" So often, you hear multiple sighs of relief around the room from all of the other people who also weren't following along. I guess that's the other side of being someone who will learn a lot about a subject: you immerse yourself into it, into the terminology, and the lore even, and then when you come out of that and try and talk to other people about it, you have to reset all of your expectations about what everybody else knows about that subject, and what terminology you can use, and that sort of thing.
Laura Kankaala (30:20):
Definitely. I think that's super nice of you to ask those questions, even if you sometimes may know the answer, because those can be the times when people also open up themselves and be like, "Okay, well, this is a safe space. I can ask questions." I think, at least personally for me, the most efficient learning happens for me if I can ask questions, or if there's someone that I can bounce off ideas with, instead of trying to go at it solo, and try to go through a stack, or a flow, or go through pages of Google, and try to figure out what is wrong with something.
Tom Hudson (30:58):
Yeah, definitely. I think in terms of asking questions is a really good subject to cover from a learning perspective. Because I get a lot of questions myself online from people looking to learn security stuff, and I try to answer them when I can, but I think getting good at asking questions is probably one of the best things that you can do. Not every person that you ask questions of will be receptive to what I consider to be the really good questions. Especially for me, when I'm trying to really understand something and figure out how something works, I tend to ask questions about edge cases, because they're the ones that really show how a system really works fundamentally rather than working off sort of rules of thumb.
Tom Hudson (31:56):
I think, like, in security especially, the attitude of asking questions about the edge cases, you say, "Well, what happens when this obscure scenario happens?" and the response is often, "Well, it will never happen, so it doesn't matter." I think if you really understand how something works, you should at least be able to have a go at answering those questions, but those are the points where bugs happen, right? That's where the vulnerabilities are, in those edge cases that people weren't asking about. I think they're kind of doubly useful in that way, those kinds of questions.
Laura Kankaala (32:31):
Definitely. I think that's a huge takeaway from this episode as well, that it's never a bad thing to ask questions. If there's something that, whether it's someone like talking to someone just one on one or in a conference or in a community, if you doubt that you don't understand something, or if something is not explained properly, then there should be an answer that is given to whoever is asking the question. You said that people come to you and ask you how to get started with hacking. I think that goes... or that sends us off the last section of this podcast quite nicely, which would be your tips on how to get started with security. Now you can just say, for example, any resource you want to share. Is there any YouTube video, any course material to read, or do you have anything to help our listeners to get started?
Tom Hudson (33:36):
Yeah, definitely. I think in terms of learning the actual mechanics of doing hacking and sort of bug bounty type activities, my friend Ben, Nahamsec, has a great YouTube channel. A couple of other people have just launched a repo on GitHub with links to resources on how to get started. That stuff all looks really good. Hacker101, as well, which is HackerOne's sort of CTF training platform and associated videos, a lot of which were done by my good friend, Cody. They are all fantastic, also. There's a video on there by me and my friend STÖK as well, which I'm quite proud of. I think it might even be the most viewed one there now. That's my own little shameless plug. Really, to get good at it, early on especially, be curious, learn how things work, which is really vague advice.
Tom Hudson (34:43):
If you can build something, especially like a web app or something like that, and try and break it yourself, that experience will be invaluable, but just keep looking at things and try and spot things that are weird or different. Then, try and figure out why they're weird or why they're different. My approach to hacking, and bug bounty, and that sort of thing is mostly try and spot something that's different, and figure out how it works. I'm not necessarily looking for a vulnerability of a specific class or sometimes even looking for a vulnerability at all... I'm just looking for information. How does this thing work? If I put this value in, what does it do? If you shake it hard enough, sometimes the bugs fall out. I think other people have different approaches, but for me, hacking is almost like a secondary thing to finding out how things work in a lot of ways.
Tom Hudson (35:46):
Other resources for me, I usually use Twitter, honestly. Find some smart people on Twitter and follow them, see what they tweet. A lot of people post writeups of varying quality, but there are some really, really good ones out there about how people found specific bugs, and how they exploited them, how they escalated them. Some will even cover the things that they looked at that didn't pan out, which is especially valuable, I think. One of those things that's really hard to gain any other way than experience is knowing when to move on. You're looking at an endpoint for hours on end when it's never going to be vulnerable. That's one of those things that comes with lots of trying.
Laura Kankaala (36:33):
Yeah, definitely. That you don't reinvent the wheel, as well, if there's something that's already been discovered, or if there's a tool that you can use, then you don't have to bend over backwards to make that happen yourself. With that being said of Twitter accounts, that you should definitely follow, TomNomNom is one, definitely. Also, @Detectify if you want to follow what's going on in the Detectify world. When it comes to Detectify, we also have a blog and we have a lab blog, as well, where we share research when it comes to web security. So, that's definitely also one resource to look for and keep tabs on. Thank you so much, Tom, for having this discussion with me. It was super enlightening, and at least I learned something, and I hope that our listeners learned something too.
Tom Hudson (37:27):
Thanks for having me. It's been an absolute pleasure.
Laura Kankaala (37:30):
Thank you. That's it for today. I hope you enjoyed this episode and you can leave a comment. You can send us an email to firstname.lastname@example.org, or you can find us on Twitter @Detectify. Thank you for tuning in. See you next time.