381 lines
33 KiB
Plaintext

Episode: 472
Title: HPR0472: Interview with Ryan Dewhurst
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0472/hpr0472.mp3
Transcribed: 2025-10-07 21:17:52

---

[music]

Welcome, all you listeners, to Hacker Public Radio. I'm your host for the show, Finux, and I'd like to welcome you one and all. I'm lucky enough to be joined by another awesome guest, Ryan Dewhurst. Ryan, could you introduce yourself to the Hacker Public Radio audience?

Yes, certainly. Hello, Hacker Public Radio audience. My name is Ryan Dewhurst. I'm an Ethical Hacking for Computer Security student at Northumbria University. I've worked on a few open source projects, probably the most popular one being Damn Vulnerable Web App. I've done a little bit of open source work for Nikto, w3af and another project of mine called Screen Damb.

Okay, first and foremost, Ryan, I'm really grateful that you could hop on the line with me here. I suppose the first question I have for you is, you know, what inspired you to start a project like Damn Vulnerable Web App, and, kind of bolted on to that, how would you best describe to the Hacker Public Radio audience what Damn Vulnerable Web App actually is?

Yeah, before we start, would it be okay if I give a quick disclaimer?

Yeah, that would be okay. Yeah, that's fine. Go for it.

Fantastic. I'd just like to say that obviously my views are my own. They don't represent the views of anyone else, for example my university. Yeah, that's all really.

Okay, and carrying on with the question.

Yeah, it actually started last year, December last year. I wanted to get started. I wanted to learn more about web application security. I had the books and everything, just not the practical knowledge. So I thought the best way to learn web application security was to actually build one myself. And in the process, I made it insecure and secure at the same time, which sort of taught me how to make a secure application. I think the best way to learn is sort of hands-on, practical, and it also makes it legal as well. You know, you do it on your own machine, localhost, not getting into trouble at all. So basically, as the name suggests, it's a web application that's really vulnerable. Not only that, it has lots of features in there for people to teach web application security or people to learn web application security, features such as the security level, which goes from low, medium to high levels. Low being no security, medium being bad security and high being, should be unhackable in theory. Not always the case. And there's other features. It's got PHPIDS installed on there, which you can enable and disable, and lots of other things as well.

So really the idea, really, the inspiration for Damn Vulnerable Web App was something legal for you to practice your skills on.

Exactly. I think at the time I was messing around with Python, building brute force scripts, brute forcing HTML forms. I had nothing to test my scripts on legally, so I put Damn Vulnerable Web App together so then I could test my tools and improve them. And then I thought, well, I could extend this and sort of practice my SQL injection skills. So I put an SQL injection on there and it sort of went from there.

Okay. I mean, but who is Damn Vulnerable Web App aimed at?

I'm sorry, could you repeat the question?

Yes, sorry. Who would you say Damn Vulnerable Web App is aimed towards then?

I'd say mainly it's aimed towards students, people who want to learn web application security. It can be as easy or as hard as you want it to be with the security levels. There's also help and tips throughout the application. But I'd say it's definitely for the newcomers to web application security to test out their skills on and get better.

It's not so much finding the vulnerabilities, it's more the exploitation of the vulnerabilities, maybe also combining the different vulnerabilities to, you know, pop a box, if you will. I mean, it's really good, it is enabling you to, you know, use different vulnerability scanners per se and actually use it to build your skill up, using tools to find those similar vulnerabilities that you've deployed within Damn Vulnerable Web App.

Yeah, you know, I mean...

Carry on, sorry.

Sorry, that's the good thing about it. Not only can you practice your skills on there, you can fire tools against it, see how they compare, see what they miss, tweak them, see if they pick up anything better, or just learn how the actual tool works itself.

I mean, it seems to me that it's almost an evolving project, that what you started off with by default will get bigger and bigger and bigger as more people start throwing more tools and more ideas and more hacks at it. Am I right in thinking that? Has this project grown quite a lot since you first started it?

Definitely, yeah. I mean, I started off in December last year. I'd say I kept it for myself for a few months before releasing it. I didn't think maybe anyone else would find it useful apart from myself, but I put it out there anyway and I got loads of good feedback. So I thought, well, you know, this may be a project worth expanding. So I did a lot more work on it. I got to version 1.0.4 pretty much on my own, with user suggestions. And then from 1.0.4, I managed to get a lot of talented people involved as well. That's when the community really grew and we managed to get 1.0.5 out, which is the latest version, which is out now, which has come a long way from that first beta version back in December.

So you have an open source community kind of behind you and obviously you're working with them as well. So you already have a community behind you, working with you as well, and that's kind of really awesome, right? I mean, that's sort of the benefit you were looking at by making Damn Vulnerable Web App open. Am I right in thinking that it's released under the GPL version two, or is it three, or have I got that completely wrong?

Version three, off the top of my head, without having to look. I'm not too sure whether it's two or three, to be honest, but I think it's three. Yeah, that was the general idea. So get it out there, get people contributing. They're getting, you know, their names out there, because I've got their links on Damn Vulnerable Web App. They're getting to better their skills and, you know, it's just great to get involved and build a community up.

I mean, I suppose it's kind of a hard question to ask you, but what was the biggest lesson that you learned from starting the Damn Vulnerable Web App project?

The biggest lesson that I learned. Let me try and think about this one. I think the best thing I learned was the actual security itself. So maybe PHP in itself isn't insecure, but the code is insecure. That's probably the biggest thing that I learned. It's not PHP itself, but it's how the developers use it which makes it insecure.

Also, in kind of like your opinion with web applications then, is it fair to say that maybe the developers need to start testing their skills using Damn Vulnerable Web App?

Definitely, yeah. I mean, one of the main developers apart from myself that I had working on Damn Vulnerable Web App is actually a web application developer himself. So yeah, so he definitely learned a lot about security from me and I learned a lot about, you know, developing with PHP from him. So definitely developers can learn from it and learn to secure their applications. There's a view source button where you can compare the low security, medium and high security source code. So you can see exactly what's making the application secure and what's making it insecure. So it's very easy to sort of, you know, see what's going on there.

I mean, I've played around with it a little bit and, you know, first and foremost, I think it's a really good project, and anyone who's interested in learning how to use tools like Nessus and so on and so forth should definitely download a copy of it. But I've also sat there and thought that this would be a really good project for developers to be shown, in some ways, what not to do. You know, I mean, in some ways, you know, if you were looking at doing this, this is maybe a viable solution here. Because am I right in thinking that the high security stuff isn't actually to do with, you know, using any third party programs or anything like that; it's to do with how the code was rewritten almost?

Yeah, it's not even rewriting the code. It's just adding code in there to make it secure. It's just sort of like sanitizing the user input, which is a big, you know, security flaw within web applications. So it's just sort of sanitizing that input, sanitizing the output. But you can, yeah, you can use the code on there as examples and then you can definitely use those within your own applications. I mean, it's been tested daily by, you know, hundreds of students. So if they can get past it, they'll let me know and I'll fix the bug. So it's probably very secure.

It's an interesting concept, that your bugs are actually the secure stuff being secure. You know, it's a great concept. I mean, if you would kind of... is there anything that you would change about how you would do the project? If you, you know, with the experience that you've picked up now and what you've learned, if you were approached and told, right, we want you to do Damn Vulnerable Web App 2, we want you to take all the lessons that you learned from Damn Vulnerable Web App and apply them to this project, is there anything that screams out to you that you would do differently?

I would probably get the application more mature before releasing it to the community. I'm not sure if, from looking back, that would have been a benefit to me, because when it matured, that's when I got the most people involved in it. They took it more seriously. But I'm not sure, looking back. It seems like a benefit if I would have released it more mature, but because it's the only one I've really released myself, I wouldn't be sure if that would be a benefit or not.

Yeah, I mean, I haven't found myself shooting myself in the foot because I gave you a swerve ball there, because I was interested in... you know, it seems in some ways that it's a young project, but it seems that it's starting to grow fast, you know, mature and learn lessons very, very quickly. I mean, I was shocked when you told me earlier on that the project itself isn't really that old. You know, when did you say, December last year?

Yep, December last year I started it, just for myself, really. And then... I must have been, sorry, I released it in December, so I must have started it a few months before. So yeah, still a young project. I mean, it's under a year, 12 months, old. It's come a long way since then and hopefully will go a long way in the next 12 months. I'm currently taking a... I released 1.0.5 on the third of September, so not so long ago, after three months' work on it. So I'm currently taking a month away from it to get settled into university and then I'm going to get bang into it again and get the next version out there.

Now, where can people, where can the Hacker Public Radio guys go and find Damn Vulnerable Web App then?

Yeah, we have it on our website, which is quite new, I released it about a month ago. It's dvwa.co.uk, or you can go on the SourceForge project page, which is https://sourceforge.net/projects/dvwa. And on there you can get the SVN and download the unstable version, or, you know, the production version. On the website we've got forums on there, we've got blogs, and getting involved in the community, and so maybe giving feedback, ideas and stuff like that.

Talking about that, I mean, as is well documented, my love for the open source community and the great things that can be achieved by letting something free and letting people run with ideas. How can the average Joe listening to us today get involved with the Damn Vulnerable Web App project?

Yeah, I mean, anyone's welcome to get involved, no matter what your skill set or your knowledge is. The best way really is just to download it, have a play with it. If you have any suggestions, maybe some features you'd like added in, maybe you've found a bug that shouldn't be a bug in there, what you can do is, you can go on the dvwa.co.uk forums, put a post in there, let us know about it. And if you're serious, you want to contribute lots of code to the project, we'll give you SVN access, and you can start contributing code to it as well.

Sorry, buddy. Is there scope for people who are maybe not so technical in nature, but, you know, maybe much like myself, who'd be happy to sit down and work with Damn Vulnerable Web App and maybe produce documentation, like how-to guides and set-up guides and stuff like that? Have you got lots of documentation there, or are you needing hands with that as well?

Definitely, yeah. I mean, with DVWA being a young project, the documentation... we have had some people do bits and bobs here and there, but we don't have a definite sort of documentation guide put together at the moment. So yes, if there's anyone out there, you know, who wants to put some documentation together, maybe document the different vulnerabilities, how they work, how to exploit them, and stuff like that, that, yeah, that would be great.

You'd accept, you know, something from the community?

Yeah, definitely something we need to look into, yeah.

I've often said this before, and I suppose I know that the authors of projects tend to shy away when you call them developers and chief developers and so on and so forth, because they're parts of teams and they don't want to take kudos away from other people as well. But a question that I've often thought about, and I've said quite a lot as I've talked to people about how they can contribute to open source projects before, and one of the things I've said to my kind of friends that speak lots of different languages, new languages, not their first given language, is that actually translating an open source project's documentation into another language is probably a great asset, because what it enables you to do, say you had your project translated into Russian or Polish or something like that, is that you'd be able to get those developers and those people interested who are able to read your document involved in that community and bring in their experience and their ideas. What's your thought?

Definitely. I mean, definitely, I mean, part of it being open source is that it's not restricted to the UK where it was built, anyone around the world can contribute with so many different types of expertise or knowledge. Surprisingly enough, we do have a big Asian following, from China, Japan, we get a lot of downloads from there, not so much feedback or contributions, but they seem to download it quite often, so getting them involved in writing documentation or giving some feedback would definitely be a benefit to the project.

Awesome. So as far as Damn Vulnerable Web App is concerned, download it. Now I've heard you say this before and I know you'll be echoing it right now: do not install this on an internet-facing machine.

Definitely.

Unless you've been drinking tequila and want to shoot yourself in the head afterwards.

Yeah, exactly. Yeah, it's surprising. I mean, I've put warnings wherever a warning will fit on the application to warn people not to put it on an internet-facing machine. You'd be surprised how often it does happen. Some people even email me their IP address with Damn Vulnerable Web App installed on it. It's probably not the brightest thing in the world to do.

Just in case listeners don't get what we're saying: this is an incredibly vulnerable web application. If you put it internet-facing, there's a good likelihood that, to coin the term here, your box is going to get popped.

Definitely. I mean, it's a certainty. It's not even a maybe or could be. It's going to get hacked. You leave this up on... even if you've got it up for half an hour, an hour, I wouldn't advise it at all. Just don't do it. I've taken some measures to stop people doing that. Obviously some people do take those measures out for whatever reasons they have.

That's a very responsible approach there, I mean. I think a lot of other developers in that kind of area would just put the warnings up, and if you're stupid enough not to read the warnings, then you should get what you deserve. It seems like you've appreciated that that's a real-life problem. Sometimes we have to take ownership ourselves to ensure that this doesn't happen. My recommendation, I know your recommendation to users is XAMPP. Great recommendation.

Definitely. I use XAMPP myself.

I stuck it in a VirtualBox and I used... there's an organization called TurnKey Linux and they do a very nice Ubuntu-based LAMP server. It's like 120 meg or something like that. It starts really fast. I stuck that into a VirtualBox and then put your application on it, and then I can snapshot it, and then whatever happens then doesn't matter. Obviously the same with XAMPP as well, is the theory. If you put it on a real-life web server, you may have to pay the price at some point to the fiddler, that's for sure.

Definitely. One thing we have been considering is putting DVWA on a live CD anyway. So as well as having the raw PHP code to download and setting up the web server itself, having a live CD with a web server already set up and DVWA already installed.

Actually, I have Damn Vulnerable Web App already set up on a straight-up Ubuntu LAMP server, nothing else, and TurnKey gives you the ability to turn that into a live CD. So I could probably talk to you after this call and see if we can jiggery-poke and make a live CD, because like I say, I think you're right, if you put it onto a live CD it's much more secure for the user as well.

So as a quick crash course, what would be your recommendation to a new user wanting to play with your application and learn a little bit? You know, I mean by that, you know, what sort of tools would you recommend that they use and try?

Yeah, well, Damn Vulnerable Web App doesn't require any prior knowledge, basically. It's there to teach you. So we're not expecting you... we've made it as easy as possible for the beginner to use. On each vulnerability page, you'll notice, whenever anyone downloads it, there's more info at the bottom with links to give more information on those vulnerabilities. I mean, that's probably enough for anyone to get a taste of exploiting these vulnerabilities. But what I would really recommend is a book called, what's it called? The Web Application Hacker's Handbook. I don't know if you've read that yourself. It's an amazing book. It covers lots of stuff in there. It's easy to read and it's like my Bible for web application security. It's got pride of place on the bookshelf.

Awesome.

And now I think we've talked about the project. I'm also incredibly desperate to speak to you about your university degree. As some of the HPR listeners will know and some of them won't know, I also have studied an ethical hacking degree at another part of the UK, and Ryan and myself are part of this new breed of British academic organizations realising that there's an absolute need for degree-qualified ethical hackers to be placed into the workplace. So I'd love to pick your brains about that for a little bit, if that's okay with you, buddy.

Yes, certainly, yeah. So what I'm doing is I'm doing Ethical Hacking for Computer Security. It's a Bachelor of Science honours degree at Northumbria University in Newcastle. Basically it's a four-year course, a sandwich course, so you do two years of classroom learning as you would in any university, third year on placement. So you go out and actively find work, get a job in the industry, get valuable experience, and then you come back for the final year and finish off your university degree. So what we learn is we do computer system fundamentals, which is your processor, your memory, how all that works. We do databases, we start off with Oracle and we learn SQL. We did computer crime investigation, network technology, programming in C, and obviously ethical hacking. We also do consultancy projects with companies outside the university to give us real-world experience as well. So yes, it's definitely a great course and if you're interested in security and you want to make it into a career, I definitely recommend going for an ethical hacking degree. And Northumbria is not the only place in the UK, as you said, you was... I can never remember the name of the place, Abertay, was it?

Abertay. If you're in the UK, bearing in mind that in the UK we're not a list of universities and we can't tell you where all of them are, but my understanding is that there is the University of Abertay Dundee, there's the University of Northumbria...

Northumbria in Newcastle.

I believe Coventry University as well is doing an ethical hacking course. I think there's also Sunderland, I think it's not live yet, but they're starting to, which looks quite interesting.

And there's a few here and there popping up all the time. I think now it's catching on, really catching on.

The University of Abertay Dundee as well, although I'm not at the university anymore, they've also started a master's in ethical hacking and security as well because of how popular it's been, and the master's, I believe, is into its second year and the numbers are up and up and up and up. Ethical hacking at Abertay, the numbers just keep on doubling each year. I imagine your lecturers, your university, are pretty much saying the same thing to you as well, that it's not in a downturn.

Yeah, definitely. We were the first students to ever do ethical hacking at Northumbria University, so I only have this year's students to compare to, and it's definitely doubled from last year to this year. And so it looks a very popular course.

What was your favourite module then? I mean, I know you're going to say ethical hacking, because what other ethical hacking student is not going to say that, but what did you start doing that you didn't think you'd like and then thought, Jesus Christ, actually, I really did like this? Is there any particular module that you went in there thinking, this isn't for me, and left there going, I really learned something interesting there?

I think I found networking the hardest. I've always... I've never had the chance, with not being at university, to play around with, you know, enterprise hardware. And I've always set up networks, you know, just the home network. So I found networking the most difficult at first until I got into it, and I find that I learned the most from that module and I thoroughly enjoy it. That's definitely my favourite module at the moment, as well as ethical hacking of course.

Unfortunately, the anticlimax was that I went in expecting databases to be dull and, surprise, surprise, that's exactly what they were. I didn't have to answer that either, to be honest. Sorry for all you database people out there. I mean, I'm sure that stuff just rocks your world, but yeah, as an ethical hacker, as long as I can inject it... all we want to do is export the table or drop it, one or the other, you know, we're not really interested in much more.

What kind of modules... you're going into your third year next year, aren't you? So you're going out on work placement, is that correct, yeah?

I am, yeah. And I'm still looking for a placement. So if there's any listeners wanting to take me on, or if they're interested, if you can get in contact with me, that'd be brilliant.

So if there's anyone from the HPR audience in the Newcastle area... because you're obviously not wanting to travel to America to do a... Newcastle preferably, yeah?

Newcastle or Vegas, either or, yeah.

Newcastle. So if any HPR listener in the Newcastle area, or knows someone in the... absolutely... you still there, buddy?

Yeah, I'm still here. It's just echoing a little bit.

All right. Anyone in the Newcastle area, or who knows someone in the Newcastle area, that, you know, thinks that they can help Ryan out, do drop him a line. You know, I've talked to people about this before, you can't ask for anything more than a tamed geek, apart from a tamed geek ethical hacker. So, you know, definitely a great asset to have for your business for a year. So I suppose the next question I want to speak to you about, because, you know, we share similar stories in a lot of ways.

Yeah.

I was never part of kind of the UK hacking scene. I was a self-taught web developer who experienced a hacking event, and that pushed me and drove me forward, and one day I ended up going on to ethical hacking and from there on in never looked back. So I was never part of almost that Yahoo chat generation of hackers. But, I mean, what do you think the hacking scene in the UK is like at the moment?

I mean, it's obviously not as big as the American one. It's still, in my opinion anyway, it's still maturing, which is great because it means that there's plenty of opportunity out there within the community. So, yeah, I mean, there are conferences popping up here and there. Some good conferences down in London. I think they get Black Hat Europe, is that in London?

Oh, I'm not too sure. I know that... I feel the Europe one might have been in Amsterdam. We had Infosec in London recently.

Yeah. That's, I'd say, I think they have as well.

Yeah. I mean, my view is, with the university courses, what we're finding is kids are now, you know, where they may have still had the same number of hackers, they're now quite happily able to say, oh, I'm at university studying ethical hacking. And they're coming out of the woodwork.

Yeah, the term's being bandied about more and people are starting to understand.

As an ethical hacking student, I'm going to ask you this question and I almost know the answer. When you first meet someone, how do you tell them what course you're on? Because whenever I first ever met someone and they said to me, oh, what are you doing at university? I said, oh, I'm doing Ethical Hacking and Countermeasures. And they look at you and you have to repeat yourself again because they didn't understand what you said the first time. And then do you get asked this question straight on the back of it: how could you be ethical?

Exactly. What I now only say is, I've taken the ethical hacking out of it when people ask me, I just say computer security.

Yeah, I had the pleasure of showing potential first years around the university every year and I used to explain the story to them. They always used to grab me within about eight weeks of university and say, yeah, I tell everyone I do a computer security course. And what I've started to do is, at the end of the day, our courses have slightly different titles. Yours is Ethical Hacking and Computer Security, mine was Ethical Hacking and Countermeasures. Whenever I started to get asked, but how can ethical hacking be ethical? And you say, well, it's actually more... but you've chosen to look at the first two words of a three-line statement.

Exactly. What we're actually here for. I mean, I think hacking only has the bad stigma because of the media in the first place anyway. So it's just a perception that people have and they just don't really understand the term itself.

Yeah, I mean, I think what people maybe don't understand is how widespread hacking actually is. I don't think people realize that it's happening every single day in front of them, and they don't realize it's a clear and present danger every single day out there. And we do need to produce good quality computer graduates with a firm understanding of security. But on top of that as well, we need to produce good quality developers with a firm understanding of security concepts. I don't want to pick on developers, but if, between the ethical hackers and the developers, we work together, we could probably secure an awful lot of the internet.

Definitely, yeah. I agree. I mean, I think the third question I get asked, right after "what course do you do?", is "can you hack my boyfriend's email address?"

That's not, for me, the next question that comes out right now. I mean, you're just a legend in my lifetime, because whenever I tell a girl I'm doing ethical hacking, I never see her again. I mean, there's this whole bunch of male ethical hacking students out there that whenever a girl asks them what they're doing, yeah, I'm a firefighter.

In the interest of trying to keep the show short and not to monopolize too much of your time,
|
||
|
|
what is your advice for someone wanting to get into ethical hacking?
|
||
|
|
I mean, what? I'm bearing in mind that the hacker public radio is a widespread audience and
|
||
|
|
sometimes going to university isn't an answer that if you want to get into something and not
|
||
|
|
about to jump into university, of course, tomorrow is to do it. What would be your advice for someone
|
||
|
|
who just wants to play an understanding ethical hacking and wants to just experience it a little
|
||
|
|
bit more? What would your suggestions be to them?
|
||
|
|
I mean, as you said, everyone is in a different stage in the life so university might not be the
|
||
|
|
best option for them as it was for me and you at the time. So, I mean, the first thing I'd say is
|
||
|
|
you've got to just read lots, get books, go online, meet online, listen to it to podcasts,
|
||
|
|
just get involved in the community and learn as much as you can, just never stop learning and I think
|
||
|
|
if you don't love security or ethical hacking then don't do it. If you don't have a passion for it,
|
||
|
|
then just don't even start. I mean, I have to echo exactly what you're saying there. I mean,
|
||
|
|
if you don't love this game, then don't play it. No, it's not for you. It's something that I love,
|
||
|
|
I have a passion for. I can't wait to get home and read what's the latest going on in the community,
|
||
|
|
what's the latest hack and the newest vulnerability. It's something that I love and I think if you don't
|
||
|
|
share that passion, it'd be very hard for you to learn definitely. So, I mean, for me, you touched
|
||
|
|
on some great points there. For me, the greatest skill that you need before you even consider
|
||
|
|
going into ethical hacking is the ability to research, is the ability to learn sometimes on your
|
||
|
|
own steam and sometimes by just using something like Google or whichever search engine you use.
|
||
|
|
I think you're just taking the initiative yourself to try out the things obviously in a legal way
|
||
|
|
on your local network. Just try things, see what happens, see what the responses are,
|
||
|
|
and the best way is to practice and read and just definitely the way forward.
|
||
|
|
Okay, this is, we're getting to this point in every podcast where we say, what's the shameless plug?
|
||
|
|
Is there something that you want to promote or something that you want to share with people?
|
||
|
|
Now's the time to jump in and go for it. Is there anything you want to tell the
|
||
|
|
radio audience? Yeah, there's a couple of things. I think I mentioned before that I'm looking for
|
||
|
|
a placement for next year. So, preferably Newcastle area, Northeastern area, but I am willing to
|
||
|
|
consider the anywhere in the UK. Another thing where, if you've downloaded that one,
|
||
|
|
or whatever, 105, you would have seen the image on there saying that we're looking for a sponsor.
|
||
|
|
So, if you'd like to sponsor that one, and have your logo on there, if you're getting contact
|
||
|
|
with me and we can arrange that. Awesome. Now, Ryan, how can people, if you've got a blog address that
|
||
|
|
we can give to people? Yep, it's www.ethicalhacker.co.uk. The last E is a 3. So, ethical hacker,
|
||
|
|
with the last E is a 3.co.uk, or you can find me on Twitter. I'm a regular
|
||
|
|
Twitter. You can find me on Twitter.com forward slash ethical hacker again. The last E is a 3.
|
||
|
|
If you want to learn more about the downloadable web app, it's dvwa.co.uk.
|
||
|
|
Okay, so that's ethical hacker and it's K3R, the last bit. That's correct. Awesome.
|
||
|
|
And you can be found it. Also, your project can be found on sourcewatch. Also on dvwa.co.uk.
|
||
|
|
Yeah. What's left for me to do now is to, once again, thank my guest, Ryan Duhurst, for taking the
|
||
|
|
time to come and talk about his project and on the show. It's absolutely awesome. Thank you
|
||
|
|
very much, Ryan. You're welcome. It's been a pleasure to come on the show and talk to you.
|
||
|
|
And your audience. So, all that's really left for me to do is to thank the Hacker Public Radio
|
||
|
|
audience. You guys are home for listening to us. Before I go, if you like to make a podcast and
|
||
|
|
be part of the Hacker Public Radio production team almost to say, it couldn't really be any easier.
|
||
|
|
You can record a show on anything that you want. We've had shows on lots of different
|
||
|
|
things from quitting smoking to brewing beer to hacking web applications. But if there's
|
||
|
|
anything that you want to share, if there's a project that you want to talk about or
|
||
|
|
how to guide that you want to produce an audio version of, then really get a recording done
|
||
|
|
and contact HPR and we can help you get that show out. HPR is all about people taking the time
|
||
|
|
and recording shows and making them available for everyone to download. HPR can't do a show every day
|
||
|
|
if people don't make shows for us. So, please, if you do have the time and you want to get involved,
|
||
|
|
that's a great way to help Hacker Public Radio and you can find the contact details on the Hacker
|
||
|
|
Public Radio site for that. All that's left for me to do is once again thank my guest, thank the
|
||
|
|
listeners and I look forward to speaking to you all again sometime soon. Thank you very much.
|