‘Soft skills are the most under-researched area of the bug bounty industry’ – ‘Reconless’ YouTubers on filling a gap in infosec education

One year after the launch of their ethical hacking video channel, Ron Chan, ‘FileDescriptor’, and ‘EdOverflow’ tell The Daily Swig about their approach towards inspiring and educating the hacker community

YouTube has seen an explosion of hacking tutorials and infosec research breakdowns in recent years, covering everything from web application security to binary exploitation.

One popular recent arrival on the burgeoning scene is ‘Reconless’, a channel that is approaching 8,000 subscribers just a year after its launch.

Inspired by Fireship’s application development-focused YouTube channel, the three close friends behind Reconless told The Daily Swig that they set out to create bite-size, lightly edited videos that would serve as an introduction to, refresher for, or catalyst to spark interest in various hacking topics.

In doing so, the trio had many years of eclectic infosec experience to draw on. Ron Chan is a senior application security engineer at GitLab (right-hand image, above); ‘FileDescriptor’ is a pen tester at Berlin-based Cure53, a prolific bug hunter, and the architect of a series of XSS challenges (left-hand image); and Edwin Foudil (aka ‘EdOverflow’) is the author of security.txt and the Bug Bounty Guide, and the name behind number seven in PortSwigger’s best web hacking techniques of 2019 (central image).


Keen to share their expertise with the infosec community, the Reconless team alighted on video as a medium in part because of EdOverflow’s background in video editing and cinematography (although he has only directed the content so far).

The infosec influencers told The Daily Swig that they favor narrowly-focused topics over broad subjects, with 17 videos so far including one on cross-domain referrer leakage, a multi-part series on hacking 1Password, and advice on honing your hacking skills with Chrome DevTools.

Asked which other hacker channels they enjoy consuming, they cited LiveOverflow, Nahamsec, STÖK, InsiderPhD (created by another of our interviewees), Samy Kamkar, TomNomNom, Hakluke, and Farah Hawa.

However, despite being impressed with the quality and quantity of hacker videos currently available, the infosec trio spotted a gap in the market for content focused on soft skills such as writing engaging vulnerability reports.

They said they plan to fulfil this need with a video series covering topics including how to write a security blog and how to present at security conferences – a segue to the next question pitched to the Reconless team.

It’s interesting that you’ve noticed a shortage of advice centered on soft skills in this highly technical discipline…

EdOverflow: I view mental health and soft skills as the most under-researched areas of the bug bounty industry. @NathOnSecurity’s write-up titled ‘Bug Bounties and Mental Health’ is a recommended read.

What are the key attributes you need to be a successful hacker?

FileDescriptor: I would say, do not just look at why successful hackers are successful. In fact, I would almost go as far as to say try to determine what makes unsuccessful hackers unsuccessful.

EdOverflow: In my opinion, hacking is a philomathic endeavor and therefore enjoying the process of learning plays an important part in this industry.

Which security vulnerability are you most proud of discovering and why? And was this reflected in the payout you received?

Ron Chan: A remote code execution vulnerability that could be triggered via a -based CSRF flaw. It is my biggest single payout to date.

I discovered this flaw through source code review. I am proud of this finding because I learnt how to review source code to find security flaws after joining GitLab.

FileDescriptor: A race condition in OAuth. It involved a lot of testing to confirm it was indeed vulnerable and I spent quite some time making the attack feasible. I was awarded the maximum bounty.

EdOverflow: My proudest discoveries were not security vulnerabilities that I uncovered but rather those where I aided someone else. I get more satisfaction out of knowing that someone was able to progress in this industry thanks to my small nudge.

Is anyone currently working on something they’d like to flag?

EdOverflow: For the past two years, I have been volunteering, doing free, in-person cybersecurity workshops for students in Switzerland and the United Kingdom. I aid students in developing a career in the cybersecurity industry and foster collaboration among a diverse group of students.

The workshops focus on helping students build their confidence presenting on stage, improve their technical writing, practice networking, and boost their CVs. The workshops have helped guide students in what can feel at times like a daunting field that encompasses a wide range of topics.
