Dan Maloney
@guido.giunchi we're all pretty fluid. an individual will have a specific test but we all help one another if there's something an individual is specialized in
@Phabeon I can write some bash/python but just enough to be dangerous lol
Eric, I am totally fascinated by penetration testing be it software or hardware. And wanna get started with the domain. Is there a kind of todo list or something or getting started.
I'd check out the OSCp certification. it's tough but really well rounded
I have a pretty good experience in programming with C++ & python. But doesn't seem of much help as of now
it will when you're trying to fix an exploit, automate something, or do something at a large scale
i promise lol
a little sqlite3 is also handy
What do you find to be the most common security mistake businesses make? IOW, what one thing makes your job a piece of cake?
Well, I got MySQL at hand :P
@Dan Maloney single factor auth, reused password, unpatched hosts
@Eric how do you avoid burnout with the massive amount of info that you have to keep digesting/trying out/etc
@bprofitt working on an interesting project or deep diving into some research thing, or building tools, or just taking time off
So, regarding OSCP certifications, how much better or preferred a certification is as compared to some hands on experience? Shouldn't hands on be more helpful over theoretical knowledge in this kind of domain?
I'm going to punt and say both are important. However, I'd also add people skills in there too
Well, yeah. Social engineering is for sure a biggest upper hand. Coz humans are more vulnerable and exploitable than machines :P
I think the main goal of understanding something should be the ability to explain it to a standard human. I use my mom as an example. If i can explain an exploit, vulnerability or something to her I know i'm golden.
Yeah, absolutely.
What resources do you follow to stay updated with the latest security news?
@Rhythm Chopra I mean just the ability to communicate effectively. It will take you farther than any haxor skill
@Dhruv Mehta I love hackaday for the builds that have given me tool ideas, and I really like the podcast risky business
ars technica is great too
@Eric - anyone in the twitter space that you follow that helps you in your job, i.e. new ideas, hw, exploits? Btw, thanks for the awesome answers :)
Eric was studying to translate from construction workers to contractors and ended up translating from nerds to normal people lol
@Gabriel D'Espindula not wrong lol
Thanks, Eric for the awesome answer
It seems like you have to meet a minimum technical threshold. But at a point, additional technical chops hits the wall of diminishing returns and a pentester might be better served by focusing on their ability to interact with a wider body of less technical folks. Is that way off base Eric?
Eric, have you ever been hacked? If so, lesson learned?
bwa haha, If not is it because you are zero network connection dwelling?
@bprofitt gosh, sammy kamkar and justinsteven are great
@Phabeon not that I know of. Just watch phishing emails LOL
@matt thanks for the softball. you couldn't have said that any better
this justinsteven:
https://www.youtube.com/channel/UCCBmFvsR6sIPrmjSVVxY9ng
?
@matt yep that's the wizard!
So we're almost at the end of our hour - any last-minute questions for Eric?
Eric, you can't fix everthing right, nor are you hired to do so... so HOW often do you have to pick your battles?
I gotta think you have no choice but to sometimes omit stuff from reports since you can't change the world overnight right?
how does that weigh on you?
@Eric - so how much time to you spend writing reports and what do you use for compiling them?
@Phabeon I'm lucky i don't have to fix anything I just explain how i got in and what's broken
@bprofitt I spend more time then i'd like lol probably 1-2 days between qa and drafts
Eric thanks for taking the time to chat with us... looks like my hunch was RIGHT, OSCP is the way to go!!
here I come 2020 and 2021!!!
oNe
I also just use standard word for the reports
@Eric - thanks! Try harder is more than appropriate in this field ;)
yes yes it is
OK, looks like our time is up and we've got to let Eric get back to work. I want to thank him sincerely for this Hack Chat, especially for coming in on short notice. I really learned a ton today, and now I regret not going into netsec ;-)
Thank you so very much for this opportunity and your time. Thank you Eric. Thank you HackaDay. HackaDay rulz!
Thanks everyone this was great. If you need anything feel free to hit me up on LinkedIn or twitter. I'm not super active in posting, but you can at least DM me
@ericescobar
https://www.linkedin.com/in/eric-escobar/
@Dan Maloney Thank you for moderating/hosting.
Thanks Eric! And thanks to all for attending today. Next week we'll change gears and talk about animatronics with Will Cogley:
https://hackaday.io/event/171045-animatronics-hack-chat
Animatronics Hack Chat
Will Cogley will host the Hack Chat on Wednesday, May 20, 2020 at noon Pacific Time. Time zones got you down? Here's a handy time converter! Once the age of electronics came around, the springs that drove the early automatons and the cams that programmed their actions were replaced by motors and memory circuits.
Thanks Eric, it was great talking to you
thanks @Eric
Also, I'll be posting a transcript in a few minutes, in case you messed anything.
Thanks Eric.
Thanks @Dan Maloney and @Eric for taking the time!
Discussions
Become a Hackaday.io Member
Create an account to leave a comment. Already have an account? Log In.