Episode: 3666
Title: HPR3666: One Weird Trick
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3666/hpr3666.mp3
Transcribed: 2025-10-25 03:06:44

---

This is Hacker Public Radio Episode 3666 from Monday the 22nd of August 2022.
Today's show is entitled, One Weird Trick.
It is part of the series' privacy insecurity.
It is the tenth show of lurking prion, and is about 17 minutes long.
It carries an explicit flag.
The summary is I talk about getting into or advancing in cybersecurity, and how keyboards
could trick malware.
Hey, good evening.
I wanted to take this chance to come to you and answer a few questions that I've had
throughout the past.
Now, one of the first things people are always asking me is how you can get into cybersecurity.
Well, the answer to that is yes, there are many, many different ways to get into cybersecurity.
Basically, you have to keep your eyes open, and you have to look for a position.
They're not going to come looking for you the majority of the times.
So you need to put yourself out there that you're actually looking for this.
You need to make connections, and you need to be willing to maybe sit in as maybe just
shadowing someone for a while, saying, hey, look, I know you guys do InfoSack, or I know
you guys do pen testing, I'm really interested in it.
Can I do like an internship where I can sit behind you, or maybe I can come in after work
and do some stuff with you guys?
But you're going to have to show some initiative to get into a position.
The other thing to keep in mind is all of IT is generally in some way shape or form impacted
by cybersecurity.
So getting yourself into an IPIT position is not necessarily a bad way to get into it.
Now here's something else.
What if you don't have a background in cybersecurity?
What if your background isn't something else?
Like, oh, I don't know, English, psychology, accounting, programming, well guess what?
You are absolutely 100% needed in cybersecurity.
You might be sitting here saying, wait, what do I have to bring to the table?
Perspective.
100% different perspective.
That is what we need in the cybersecurity community.
We need people asking different questions from a different perspective, looking at things
in a different box outside of that box, and helping us identify ways that we can do
things better.
When people have a very common background, a very common skill set, and a very common
set of problems that they are used to solving, everything starts to look the same.
And you tend to approach every problem the way you approach the last problem.
Whereas people from the outside can come in and look at something with a fresh set of
eyes and say, huh, well this is different.
What about this?
Have you considered this?
And while they may look at you and say, well, what do you know about security?
Hey, look, the thing is, we all learn, we all start somewhere.
And keep in mind, policy has a huge amount to play with cybersecurity.
And yes, we need people with something other than a cybersecurity background up there in
those places where we are helping influence policy and the decisions of our business leaders.
Now the next thing that I would say is, if you are in the field of cybersecurity or you
are moving that way, look, if you wanted to get associates or a bachelor's degree in
cybersecurity, I 100% am buffed behind you on that.
I think that is great.
Understanding certifications, absolutely, positively, 100% get those certifications.
Unfortunately, certifications are no longer a demonstration that you have actually mastered
information.
Instead, now they're like entry-level credentials to get in.
It's pretty much the driver's license of cybersecurity.
Oh my gosh, do you have these certifications yet?
No, I have no experience.
Oh, well, you can't get in if you don't have the certifications.
Well, how do I get the certifications without experiencing anything?
That's a good old catch, 22.
Suck it up, buttercup, get the certifications and hop on in.
Come on in, the water's fine, it'll be okay.
Just study and learn the material.
We have more than enough people in cybersecurity that memorized a test dump.
We don't need any more of those people in cybersecurity.
We need people that actually paid attention and understand the concepts and the fundamentals.
We need people that are actually security conscious.
Now, when you're going for your master's degree, and I catch a lot of flack for this,
but I'm going to die on this hill, do not 100% get anything other than an MBA.
That master's of business administration is the degree that is worth its weight and
gold, and if you want to move in to a leadership position, the MBA is the gold standard.
Yes, you can have a master's in cybersecurity or cyber fill in the blank, but at the end
of the day, some point of hair boss is looking at two resumes.
You've got somebody just out of college with the master's of business administration that
they understand.
They know that this person knows business and how to make money for the business.
This person in cyber something or other, they might know geek stuff, but they probably
don't know how to make money for the business.
They're going to get passed over every single time.
It will be passed over every time there's a promotion.
Suck it up, get the MBA, get a minor in cybersecurity or info sector, whatever you want to do.
We need more people with MBAs that understand cybersecurity and the principles so that we
can move up into those leadership positions and make better life choices for the organizations
that we work for.
And yes, I've had students who have come through my classes and they're like, hey, should
I change my major?
Well, here's the thing, are you going to teach?
If the answer is yes, then go ahead and get that master's in cyber something or other.
If you're not going to teach, then hell yes, change your major.
GTFO, go find your counselor, get that MBA, get that minor in cyber something or other and
move forward.
Trust me.
I have yet to have a single solitary person come back to me and tell me that that was
a bad life choice.
I have had plenty of other people get a master's in cyber something or other and guess what?
Every single one of them came back to me and said, oh, I should have listened to you.
Well, duh, hey, I'm going to tell you a big secret about cybersecurity.
You can go very far in the field of cybersecurity if you do nothing other than learn from the
mistakes of other people.
Just learning from what other people did wrong is the best way that you could excel above
99% of the other people out there in the field.
The problem is bad things happen.
We learn about them.
But instead of going and saying, oh, my gosh, here's this breach report from this organization.
Let's dive into it and see if there's anything here that we can learn from this that we
can implement so that we don't fall victim to the same mistake.
Hey, here's a court case that just had a ruling on this person's user acceptance policy.
So hey, what was the acceptable use policy and where did it fail?
What can we learn from this?
Let's go sit down with legal and see if our acceptable use policy is up to snuff or if
we need to reword it.
So we also don't fall victim to this in court.
There is a lot that you can learn by simply learning from other people's mistakes.
But you know what?
That takes work.
It takes dedication.
The other thing I'm going to tell you is if you're moving into the field of cybersecurity,
you absolutely positively 100% have to have a desire to learn and you have to be able
to demonstrate that willingness to learn because I'm going to give you a dirty little secret.
And most people are looking for new people in InfoSec.
Skills are kind of important.
Certifications are kind of nice.
Degrees?
Yeah, that's nice.
But here's the thing.
All of the knowledge, all of the tools that we use, all of the processes and procedures
that we follow, all of that can be learned, what can't be learned, and what cannot be put
into someone else is that genuine, die hard willingness to learn, that natural curiosity
that drives you to go and go above and beyond to learn about this stuff.
So if you can sit there and you can build yourself a home lab and you are working on this
stuff, after work, you're playing with it and you go in for a job interview and they're
like, okay, well, tell me about your experience and you're like, well, hey, look, I don't
have a lot of experience over the college, but here's what I do have, and going geek
out on what you're doing in your lab, tell them about all the cool stuff you're doing
with GNS3, tell them about all the cool VMs you've got up and running, tell them what
you're doing, tell them the kind of pen testing you're playing around with vulnerability scanning,
whatever happens to be app development, geek out on it and show them that you have a
passion for this, because I'm going to tell you right now that is something that
an employer really, really wants to see.
Yes, the rest of the stuff is nice, but at the end of the day, I want someone who's
going to sit in that seat and be willing to learn.
It was going to be eager about keeping up to date on what's going on, because Evil
Steve doesn't sit on his laurels and say, oh, good enough for government work.
No, Evil Steve is always out there learning, looking for new ways to exploit, new ways
to victimize, new ways to take advantage of people, new ways to get money out of people,
new ways to find a low hanging fruit, new ways to get in to corporations and sit there
for the long haul.
Evil Steve is not sitting on his laurels because Evil Steve is making money off of it.
Evil Steve has a huge motivation to stay on top of things, because if they slack off,
then things go really sideways.
And look, in the world of Evil Steve, when you get fired, you know, it's not always a
pink slip.
So just keep that in mind, motivation.
And depending up on what country you're hiding in, well, that could have a huge impact
on what your departure from your current job position may or may not look like.
We, on the other hand, as cyber security professionals, tend to have far less motivation
than Evil Steve.
And we don't want to stop to consider it.
We don't want to stop to think about the fact that there are people out there so motivated
to take advantage of us.
We just take it for granted.
We're just like, oh, somebody out there finds something and then they share it.
No, no, there is a whole active community.
They are crowdsourcing their knowledge.
They are working with each other.
They have criminal platforms that are now doing bug bounties to find ways to make their
stuff more effective.
Yes, Evil Steve is running bug bounties now.
Roll that through your head for a minute.
So when it comes to the world of cyber security, what do we need?
We need dedicated people who have a security mindset, a genuine interest and a willingness
to learn and those people who want to move up into a management position, you need to
get that MBA.
We need more people and less being counters, sitting up there, giving advice to those
sea level executives so that our organizations are making better life choices and not becoming
the next headline, at least with not a lot of work from Evil Steve.
So hey, think about these things and if you have these questions about how do you get
into cyber security, look, I'm going to tell you right now, if you're really interested
in getting into cyber security, the very first thing you need to do is find someone who's
in cyber security that will mentor you.
Somebody that will help you out, show you the ropes, tell you what to expect and give
you pointers.
They're not going to drag you into it.
It's going to take work on your part, a mentor is there to give advice, a mentor is not
there to hold your hand.
So keep that in mind.
So if you're looking for a mentor, hey, hop out there, look for someone, say hey, I'm really
interested in this, would you be interesting in being my mentor and you're going to find
that a lot of times people will say yes, but don't just say hey, will you be my mentor
and then they say yes and then you just disappear and never show up again.
When you come back later, they're going to be like yeah, I've heard from this dude before
or this gal before, yeah, thanks but no thanks.
So if you want to hop in, hop in, you can't be kind of halfway about this.
You need to hop all the way in.
Now speaking of evil steves and the countries they work in, doesn't it make sense that
if you're an evil steve working in a country and that country is giving you safe harbor
from other countries on this great planet earth, wouldn't it make sense that you would
not want to be attacking the country and those allied countries that are giving you protection?
Yeah, it kind of does.
So if you're a hacker sitting in Russia, the last thing you want to do is be attacking
Russia.
That's not going to turn out too well for you.
Being the US, great Britain, France, you get the idea.
No problem, Comrade.
But attacking Mother Russia?
No.
No, you don't talk to Mother Russia, Mother Russia hacks you, usually with a bullet.
You don't do that.
So Crab's on security had this cool article a few months ago.
I'm going to go ahead and link it in the show notes and it's called this one neat trick.
One of the things that hackers do whenever they are running malware on a system is a very
simple check to see what keyboards are installed on the system.
Doesn't it make sense that if there's a Russian keyboard installed on the system that
it's probably a Russian system that you're on and wouldn't it also make sense to maybe
not detonate the payload and look for one that does not have that keyboard?
Same if you're North Korean.
Probably looking for that and saying, hmm, probably shouldn't be attacking this.
Let's go find someone that doesn't have this.
Is this foolproof?
No.
No, it's not.
But is it one thing that can make you a less likely victim?
Yeah.
Absolutely.
What does it hurt you to install additional keyboards on your computer?
Nothing.
Nothing whatsoever.
Unless you switch over to it and start using it, it's not going to matter at all.
And if you switch a keyboard, well, you can always Google on another device how to fix
your keyboard and get it back.
Not all that big a deal.
So check it out, I'll put a link in the show notes.
So for tonight, that's all I've got.
It's a quick, sweet, short show.
My friend Brady, he's off doing family stuff, but I didn't want to leave you all hanging
out there.
So again, for those of you who are interested in getting a cybersecurity, those of you who
are in and want to move up, the name of the game is fine to mentor.
Those of you who are going to school, get an MBA, and hey, check out the article from
Crabzon Installing, different keyboards on your computer to maybe trick Evil Steve
into thinking that this might be a victim of friendly fire.
So that's all I have for tonight.
May Evil Steve rot in a sweltering heat of digital despair.
And may you all have a great and glorious evening.
You have been listening to Hacker Public Radio at HackerPublicRadio.org.
Today's show was contributed by a HBR listener like yourself.
If you ever thought of recording podcasts, then click on our contribute link to find
out how easy it leads.
Hosting for HBR has been kindly provided by an onsthost.com, the internet archive and
rsync.net.
On this advice status, today's show is released under Creative Commons, Attribution 4.0 International
License.