8th Layer Insights 3.22.22
Ep 18 | 3.22.22

Fun and Games: Lock Picking, Capture the Flag Contests, Simulations, and More

Transcript

Perry Carpenter: Hi. I'm Perry Carpenter, and you're listening to "8th Layer Insights." OK, I've got a question for you. What pops into your mind when I say the word cybersecurity? If you're like most people, your mind almost immediately conjures up images of shadowy figures hunched over keyboards, launching attacks, or maybe you thought of a crowd of people frantically responding to an event in a situation room. If you're more human-focused, you may have pictured someone picking a lock or tailgating through a door or stealing someone's badge without them noticing. In all of these situations, your mind considered the word cybersecurity and immediately jumped to images that had to do with the arms race, the battle, the excitement. You know, what most of us think of as the fun part. But if you're a cybersecurity professional, you know that, yeah, that's the battle. But that's not the everyday, hour-to-hour reality for most people, and you probably wouldn't even want it to be. Not too many people can deal with back-to-back days of war rooms, multiple sleepless nights or the anxiety that can come with multiple days of physical penetration tests. And those parts of cybersecurity that I mentioned earlier aren't even universal across all roles. There are tons of jobs in cybersecurity that are completely unrelated to the pictures that we tend to conjure up.

Perry Carpenter: But let's think about this for a minute. There are some pretty cool skills that most people think about when it comes to cybersecurity, and many of those skills could actually get you arrested if you used them in the wrong context. So how can people learn these skills in a safe way? How can they play with these skills? And how can we harness the excitement behind these aspects of cybersecurity in a way that satisfies curiosity and can bring new people into the field, while also helping them understand the realities of the daily job? That's what this episode is about. We'll be talking about locksport, Capture the Flag competitions, simulations and even pickpocketing and magical thinking. And to do so, I've invited four guests. You'll hear from Alethe Denis, Chris Kirsch, Deviant Ollam and Gerald Auger. Let's dive in. 

Gerald Auger: If you're not really into something, if you're not engaged, then learning is a chore. 

Alethe Denis: I'm most well-known for winning the Social Engineering Capture the Flag contest at DEF CON in 2019. 

Gerald Auger: Gamification looks at the fact that so many people enjoy playing games. People lose hours and hours of time on it. But why? Because it's enjoyable. 

Deviant Ollam: The lock itself is not an impenetrable steel wall. As a defender, it buys you time. 

Chris Kirsch: Pickpocketing I got into because my dad got pickpocketed on the metro in Paris right next to me. 

Alethe Denis: You have to figure out how to play the game. 

Deviant Ollam: What does every building have? They have locks and other doors. What do they use? They have keys. Where do you put all the keys? 

Gerald Auger: So if you can blend those concepts of enjoyable activity with educational development, you've got a secret sauce. 

Chris Kirsch: Magic has a lot of parallels to security. For example, you can play with expectations that people have. Then you can use that to trick them. 

Alethe Denis: Developing that critical thinking component will do many, many wonderful things for you in so many different careers. 

Perry Carpenter: On today's show, we explore how to use gamification and play to uplevel our cybersecurity skill sets, and we learn the value of creating spaces that allow us to play virtual war games safely and legally. Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything, from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is "8th Layer Insights," Season 2, Episode 8. I'm Perry Carpenter. We'll be right back after this message. 

Perry Carpenter: If you listened to Season 1, Episode 1 of this podcast, you might remember one of my guests, Rob McCollum. On that episode, he mentioned a story format called Save the Cat. It's a basic three-act structure that would be very familiar to us in Western culture. It's the basis of many, many movies and blockbusters and novels. If I were to summarize it, it's basically, there's a cat. That's the thing that's in jeopardy. There's a cat. The cat gets into trouble. A hero or group sets out to save the cat. There's lots of trials, adventures and setbacks. And then ultimately, the hero or the group prevail. They save the cat. The hero wins. 

Perry Carpenter: So you're probably thinking to yourself, OK, that's interesting. Why mention that? Here's why. In Act 2 of that system, there's a section called fun and games, and that's really where the author or the scriptwriter or the TV or movie producer set out to deliver on all the promises of the genre that they are writing for. If it's a spy movie, that's where the gadgets start getting used. If it's a mystery, that's where you see the brilliant detective and the diabolical villain decoding clues and laying false trails. If it's an action movie, that's where car chases happen or where the hero gets to show off their amazing fighting skills. You get the picture. That's where the story is really delivering on what's called the promise of the premise, those elements that are naturally expected by any audience familiar with that specific genre. 

Perry Carpenter: And in a way, I think that there's a promise of the premise in cybersecurity. We know that we're protecting things. We have an adversary, whether that's our own human nature or whether that's an unseen foe just waiting for us to slip up. But not everybody gets to do the fun and exciting battle parts of the job, and even those that do need safe ways to level up their skills or just have fun. Because if cybersecurity were a movie, that fun and games section would be things like hacking and counter-hacking and breaking into buildings and tricking people into giving away critical information or even things like pickpocketing and sleight of hand. That's where gamification comes in, and it's something that cybersecurity has a long history with. It's an area where, year after year, there continue to be exciting new developments. 

Perry Carpenter: OK, I just used a term that begs a question. What is gamification? That's a word that gets thrown around a lot, and there are a few meanings that people tend to assign to it. Let me go ahead and read a definition from gamify.com. It says gamification is the application of game design elements and game principles in non-game contexts. It can also be defined as a set of activities and processes to solve problems by using or applying the characteristics of game elements. Game and game-like elements have been used to educate, entertain and engage for thousands of years. Some classic game elements are points, badges and leaderboards. There's a lot of value in treating skills acquisition and training as a game. It makes things less intimidating, and we just engage with it in a different way. We get a bit competitive and we have fun. And most importantly, we start to view the world a bit differently as we assimilate that new skill. 

Perry Carpenter: One method I like to use to help illustrate some fundamental concepts of security is lockpicking. It's a great way to illustrate the concept of vulnerabilities and exploits. Everybody has locks, and lockpicking is this visceral act. You're using physical tools on a physical object, and that moment when you successfully pick the lock, when you hear and you feel that click or you see the cylinder rotate, that's magical. 

Deviant Ollam: Hi. I'm Deviant Ollam. I am casually known as a physical penetration specialist, although also professionally known as that since that is my job. My job is to get into places where I am not ostensibly supposed to be. I like to think that 9 times out of 10, it's because I've been invited and hired and there's legal paperwork backing me up. But that's the gig. I am also a locksmith, a safe technician, a safe and vault inspector. 

Perry Carpenter: Deviant is a member of the board of directors of the U.S. Division of TOOOL. That's T-O-O-O-L. And that stands for the Open Organization of Lockpickers. He's also authored two books on lockpicking - "Practical Lock Picking: A Physical Penetration Tester's Training Guide" and "Keys to the Kingdom: Impression, Privilege Escalation, Bumping, and Other Key-Based Attacks Against Physical Locks." 

Perry Carpenter: Deviant, for you, what is it that you most love about this practice of physical penetration testing and finding vulnerabilities in locks? 

Deviant Ollam: It's a really fun career. I'm very happy that I have fallen into it the way I did. It's very rewarding, especially - not just because you get to feel cool breaking into places, but remediating the problems that someone like I will find is not a dealbreaker and a bank breaker. You know, we all kind of have that digital network side, at least in our awareness, if not our career. A lot of people in this field are very closely tied to network penetration specialists and the like. Well, if you tell someone, well, your network is vulnerable or we did an AppSec review, and your web app is full of holes, that could be tens, if not hundreds, of thousands in remediation. I can knock a building dead, and then I sit down with the execs and I say, so you might be into it for a few hundred dollars to fix the way those doors - those door hinges are installed. And it's great. It's great that I get to show something shocking, but also shock people with how easy it is to fix most of the things I find. 

Perry Carpenter: What makes lockpicking and all the things that revolve around that such a valuable skill to understand? 

Deviant Ollam: I've always enjoyed the fact that lock-picking is a very low-difficulty on-ramp to security mindset and security thinking. I'm very grateful for the graciousness and space that a lot of larger security events, many digitally focused security events, have given a spot for lock-picking for a very long time. And the - so the Lockpick Village is what we've been calling it... 

Perry Carpenter: Yeah. 

Deviant Ollam: ...Ever since I took it over. There was lock-picking at DEFCON and other events back in the day. I never like to lay claim to founding any of this. Lock-picking and hackers have gone hand in hand for a long time, but it was very underground. I was invited by Dark Tangent and Rust and some others at the early days of DEFCON to really use a dedicated space for it. Others had just kind of been by the pool with some locks, or they'd have a little slot in the hallway with a table that they kind of guerrilla... 

Perry Carpenter: Yeah. 

Deviant Ollam: ...Together. And this was when DEFCON was at the Riviera, the Old Riviera Casino. They said, hey; we're getting to move to the Riviera. And they have these things called skyboxes that overlook the con floor. We don't know what we're going to put up there. Can you think of something with locks? And I said, yeah. Well, let's start something called the Lockpick Village. Let's have a - all under one room - the motto of the teaching villages at - gosh. Now DEFCON has - what? - over 20 of these villages. The motto started with learn, touch, do - three simple words. Not only can you hear someone teach you about it, but you can immediately go hands-on with what was just being described and not in a show-and-tell sort of way but, like, here. Actually use the tools. Do the thing I just told you. You can do it, too. 

Deviant Ollam: And it demystifies the idea that not all security and not all security products have the same purpose. Something I love is people make fun of things like - let's say you have an apartment building with a fence around it, right? 

Perry Carpenter: Yeah. 

Deviant Ollam: And people would literally send me videos like, look at my building. They don't understand security. And it's - we'll call it a five-foot-tall fence. You could jump over it, I guess. But there's a little gate on that fence, and there's, like, a latch. OK. Well, you put your code in or your fob. But look at my - it's worthless. I can reach my hand over it and pull the handle on the inside. That makes for good TikTok kind of fodder, but that lock is doing a job. It's just not doing the job you think it's doing. That lock and that fence aren't acting as an impenetrable barrier. But they are demarcating your property, and they are removing what is, I would call, the oops excuse. 

Deviant Ollam: There is such a thing in this world as a symbolic lock, and that is something that people don't understand until you show them how weak certain locks are. They go, why would anyone use this? And I say, well, it's perfect on that apartment fence because what's that doing? It's preventing someone who is on premises, sniffing around, maybe doing something they shouldn't be doing. If there's no fence at all, the person can go, oops, I was looking for a different address. 

Deviant Ollam: Well, literally, if you reached over a fence and you reached the inside handle, you know you did that. There's no, oops, this isn't shop class. That's enough sometimes. It's enough for that outer layer. The problem is when we start using those cheap hardware store locks on real sensitive spaces and assets because people - until you go hands-on and show them, look; this is not a high-security lock, people don't understand that. And demystifying that distinction is something that we're always very proud to do. 

Perry Carpenter: So my first time at DEFCON was at the Riviera, and I immediately went to the Lockpick Village. And it was the most fun thing that I had done in that entire time. So I skipped all the talks, spent a ton of time there... 

Deviant Ollam: Right on. 

Perry Carpenter: ...And loved it. And for me - and when I show people in my family, it's like, all right. Here's a low-level Master Lock and just a simple rake, and I can open this thing in, like, less than a second. It's really eye-opening. What is the parallel for you when it comes to the way that locks are engineered and some of the inherent flaws in the manufacturing process? What are the parallels to you sort of from that physical environment to a digital environment? 

Deviant Ollam: So I'll get into my STS degree here - my science, technology and society degree. 

Perry Carpenter: Sure. 

Deviant Ollam: There is a lot of what is known as determinism - right? - technological determinism and momentum. There's a mindset in the marketplace that, well, we've always done it this way. And it's - that's - sales have been good. Why change it? And I'm not calling out any manufacturer in particular. I'm sure some people are thinking I'm throwing shade at some of the big names. And in a sense, maybe. We all know the big names you see at hardware stores. Well, they've been making a very pretty penny doing the same thing for almost 100 years. And if there's no market pressure for them to change, why would they? 

Deviant Ollam: In the software and digital space, thankfully, there has been a great deal of market pressure. You can't just have a simple system with a username and an eight-character-limited password and no login brute force checks or anything, no repeat login checks. The market has said, hey; this is really vulnerable. This looks bad. We have to do better. The fact that that doesn't happen in parallel in the physical world shows the real value of educating people of, look; this is bad. I'm not considering any company a bad company if they aren't responding to market pressure, right? Like... 

Perry Carpenter: Yeah. 

Deviant Ollam: If customers keep buying your $5 lock even though you make a $50 lock, that's not your fault. The sales units keep going off the shelf. It's our job to educate the public the way we did with digital security, saying, hey, turn on encryption - hey, turn on multifactor login authentication. The public now kind of demands that of many of their digital software service providers, and that's why the industry had to answer. I want to see the public continue to demand that. We saw this in little ways. Let's go back a decade or more now about bump keys, right? 

Perry Carpenter: Yeah. 

Deviant Ollam: The use of a bump key was known to locksmiths, but it wasn't widespread in terms of general public knowledge. Our friends, especially in the Netherlands, really publicized this in white papers and in the news media. 

(SOUNDBITE OF ARCHIVED RECORDING) 

Unidentified Person #1: This is CBS 5 Eyewitness News. 

(SOUNDBITE OF KNOCKING) 

Unidentified Person #2: Hello. I'm with Channel 5. I want to break into your house. 

Unidentified Person #3: But real burglars don't ask. And with a special key touted on the internet, they can easily... 

Deviant Ollam: And now you see anti-klomp or anti-bump, you know, as a feature on tons of locks. You see American brands even responding - well, we have bump halt, and we have this anti-bump feature. The market responded only through public education. 

Perry Carpenter: OK. So lock-picking is a great way to help people understand that vulnerabilities and exploits exist everywhere. And everyone has locks, so this literally hits close to home. It's a great analog to what's going on in our digital reality. And let's be honest - lock-picking is just plain fun. 

Perry Carpenter: But now let's move on to some areas that are more digital. Let's think about how we can gamify our understanding of the data that we leak every day. That's where OSINT and capture-the-flag competitions come in. OSINT, if you're not familiar with that acronym, is OSINT, and it stands for open-source intelligence. It's really the gathering aspect of all the data that's out there and freely available. Capture-the-flag competitions have emerged as something really important within the cybersecurity field because not only do they help us level up some of our very specific skills related to cybersecurity, but they also serve as a fantastic on-ramp for people that are interested in the field that are looking to understand a little bit more. And to help us think through this topic, let me bring in another expert - meet Alethe Denis. 

Alethe Denis: I am a senior consultant at Critical Insight. I focus predominantly on adversarial simulation of things like phishing and vishing, as well as helping my pen testers to gain access through social engineering. I also dabble in more blue-team-focused things. So I get to work on both sides of the security landscape, helping to both defend and attack, which is kind of neat 'cause I get to paint myself purple and call myself a good guy (laughter), which is fantastic. But yeah, that's pretty much me in a nutshell. 

Perry Carpenter: Alethe ranked first place in the social engineering capture-the-flag competition at DEF CON back in 2019. That's a competition where the contestants capture flags by successfully tricking an organization's employees into giving away information that would be helpful to a cyberattacker. And successfully prepping for that competition requires gathering a lot of open-source intelligence on the target organization. 

Perry Carpenter: You talked a little bit about the fact that you're in a completely different industry, completely different skill set. Somehow, it clicked that you realized that you would be good at this social engineering stuff. Describe that journey a little bit 'cause it is interesting. There's been a couple other folks who have made these really big career leaps, like you and Rachel Tobac and a couple of others that I'm aware of, that have changed the entire focus of their life. How did you get in that room in the first place, coming from a different background? 

Alethe Denis: So it's kind of a weird thing. Tracy, who is also @infosecsherpa on Twitter, she was a librarian, and she is now in information security. And I think that that is just the most crazy, amazing story to share because, you know, you have people that are coming in from so many different roles in completely different industries that you would think were never well-suited for information security, and I think that what we're seeing now is that people have these very easily transferable skills that they've collected over the course of their career, which spans maybe a decade or two or three, and they're able to repurpose those skills within information security and not necessarily have to be, you know, technical geniuses when it comes to what we think of as elite hacking or pen testing and coding and development and things like that. 

Perry Carpenter: So how did your previous life or career fit into all of this? 

Alethe Denis: I had been working in marketing and, like, was Google AdWords certified, and so this kind of sparked my interest because I'm like, I've been trying to get people to click on links for years. And so I was like - you know, I learned about the SECTF, the Social Engineering Capture the Flag competition and just - all I knew at that point was they get people to sit in a booth and call a company and try to elicit information from them. And I thought, oh, my God, that's insane. I could never do anything like that. That's nuts. I'm literally the type of person who will send 158 emails before picking up the phone just to avoid talking to people (laughter). And so I was like, this is fascinating. So I managed to watch a lot of the calls. 

Alethe Denis: And that was the year that they had gaming companies as the targets, so they were targeting all of, like, the video game and toy manufacturing companies. And there were a few people that - you know, it was clear that this was not easy because there were people that would go in and call their numbers and just get voicemail, voicemail, voicemail, and they were done. Their 20 minutes was up, and it was time to get out of the booth, and it was like heartbreaking. I decided - between that year and the next year, I was like, I want to compete. And I was like, am I ready for this? And so I kind of, like, took - I took a minute to kind of, you know, think it over. And I was like, you know what? I'm going to apply. You know, I'll look cool because I submitted an application. I get to be like, oh, I raised my hand, but they didn't accept me. And then they accepted me. So that kind of sucked me into the whole social engineering thing, and it's kind of all downhill from there. 

Perry Carpenter: You sign up to do this. They essentially lock you into a mostly soundproof booth, though I think you probably still... 

Alethe Denis: Right. 

Perry Carpenter: ...Hear some of that crowd noise come through, and that's probably nerve-wracking as well. 

Alethe Denis: You do (laughter). 

Perry Carpenter: But describe what's going through your head at that moment. 

Alethe Denis: It has, like, the felted, like, carpeted exterior with the windows is the best way I can describe it. So you have a window right in front of you, and then you've got a window to your side that's in the door where you can see the contest runner who's dialing the numbers for you. But it feels really, really helpless, but you also feel like you are under a microscope. Because yes, you're sitting in a box. Like, you're safe because it's essentially like a coffin (laughter). You're safe. And it's kind of like, you know, you've got a giant microphone in front of your face, you've got headphones on, and you're sitting on a stool. And then you've got, like, a GoPro in the corner of the box that's pointed right at you. And that is being streamed out to these giant projected screens on either side of the room. So everybody in the room can see you and watch every twitch (laughter). So, you know, I was - I had my list of numbers, and I had some notes about my pretext, and I had, like, a list of the flags that I was trying to get the information that I needed to elicit. That was it. That's all I had with me - and, like, a pencil (laughter). I don't know why I brought a pencil, but I did. 

Alethe Denis: And so I just remember feeling like there were just 20,000 eyes on me. And that is really nerve-wracking, especially for somebody who's pretty much an introvert. I'm not really used to being on a stage. I never competed in sports in school. Like, I just kind of slunk to the back of the room and was an observer of a lot of things. So this was the first time I was in - like, honestly, this was the first time I was in this kind of situation since, like, doing an oral report in high school where you had to stand in front of the class and present something. And it was like all those nerves just, like, came back. 

Alethe Denis: But as soon as they're like, OK, go, and they start the timer, it's like you just have to let all those anxieties and fears drop away and just kind of make everything around you black so that you can focus on what you're supposed to do. And you just, you know, call, you know, numbered number one and spoof numbered number two, and you go. And you just can't think about anything else. And I think having that insanely high-pressure situation almost kind of helps you block out all the other factors because you go into, like, fight-or-flight mode, and you've got to fight. I overthought it to death, but I also completely screwed up my strategy as far as amassing the highest volume of points in the shortest amount of time. So after that, I was like, this is now my mission. 

(LAUGHTER) 

Alethe Denis: I'm going to do better next year. And now that I know how the points work, I'm not going to spend three weeks getting ready for this in completely the wrong way. So then I competed the following year in 2019, and I just did one very well-crafted pretext, and I targeted remote regional sales people for this company. And this was before work from home was cool (laughter). And it went off without a hitch. There was zero people that pushed back. Everybody was cooperative, and it was like everything that I learned from the first experience, plus devoting a significant amount of my time in the years between competitions to just learning everything that I could about human behavior, applied psychology, social engineering, social engineering in the context of things like marketing, acting and, like, everything that I could get my hands on was really what put things over the top. 

Alethe Denis: I decided, well, I'll get some points on the board, and then I'll move on to something else. But what's the something else? And I did a lot of digging on their Glassdoor and found out they had regional salespeople that kind of turned over pretty frequently, as salespeople do. And these people were responsible for going out to the retail locations that sold the products that this company made and, you know, like, stocking the shelves, selling more products, that kind of stuff. So they had company laptop, company cell phone, company car, all kinds of cool stuff. And they were salespeople. So they're used to getting called after hours, especially because a lot of these locations are like, you know, quick, 24-hour mart type joints. And so I was like, I wonder if they'll pick up the phone more consistently than trying to target headquarters. So I try to get headquarter numbers. Every single one of them went to voicemail after hours. And I was like, bummer. 

Alethe Denis: So I'm like, I'm going to have to get a little bit more creative. So I used an OSINT tool that I have to get the cellphone numbers, company cellphone numbers for all of these salespeople. And then I compiled a list of all the salespeople. And I decided, I'm going to call these people on the day that I'm competing - Thursday - after 5:30 p.m., time of the - like, the headquarter company, which is in Eastern Time, and see if they answer the phone. And so I would call. Every Thursday, I'd call all of them for the weeks leading up to the competition and call all of them. And I'd grade them. Like, did they answer the phone? Did they sound friendly? Did they sound helpful? That was, like, a 10. If I got voicemail, it was a zero. If I got somebody that was like, hello? (Laughter) It was, like, a two or a three because they're probably not going to be eager to help me. And so I graded them all through these, you know, several phone calls that I made to each person. And then I tallied up the scores, and the ones with the highest scores were the ones I was going to call first. And so that's how I figured out the order of people I was going to call. 

Alethe Denis: And so I called the first salesperson, and he was, like, the most energetic, positive-sounding person that I had contacted because we were allowed to call - you had to remain on mute. You couldn't engage with these people at all prior to the competition, but you could just listen to them answer the phone and hang up. And I'd been spoofing, like, a number that if they put it into Google, it would show as, like, a scammer, like, fraud, suspected spam call number for the area that they were in. So I went kind of a little nuts on this, but I took it to 11, and it worked out because every single person I called that was one of those regional salespeople was extremely cooperative, and they answered all my questions because I told them, hey, I'm Bethany. I'm calling from the headquarters located in the town the headquarters is in (laughter). I'm helping IT, and it looks like your computer hasn't connected to the VPN in a while. So I just wanted to make sure that before we ship out replacement laptops - 'cause we're getting ready to replace all the laptops for our sales fleet for our remote employees - that we have the right software and everything installed for you before I ship this thing out. And so we would just go down the list. What type of computer do you have? Is it this one? Yes. Do you have this type of operating system? Yes. Do you have this type of mail client? Yes. Because I knew all this stuff from my OSINT, and it was just a matter of them saying confirm, confirm, confirm, confirm, rather than having to think about it and tell me and answer. 

Alethe Denis: So what it ended up looking like was, hi, I'm me. Can I ask you a few questions? Sure. Flag, flag, flag, flag, flag, flag, flag (laughter) - for every single one of these calls. And I would just - yeah, that's great. All right. Do you prefer FedEx or UPS? Flag. And I'll talk to you later. Bye (laughter). And with the last person, I ended up skipping one. I was like, no, I don't want to call that one. I'll call five instead of four, whatever it was. And I don't know why I thought that. I just thought the guy that I planned not to call sounded a little more egotistical and, you know, like a jerk. So I called the next one, and the guy picks up the phone, and he's, like, confused as to why I'm calling him, and I could hear it in his voice. But I was like, oh, gosh. And he goes, I am actually not working right now because I am three months into my four months of paternity leave. And I was like, oh, crap. So I thought, you know, he's going to shoot me down, so I might as well just apologize profusely, get off the phone and try the next one. Well, he goes, let me go get my computer (laughter). 

Perry Carpenter: Oh, nice. 

Alethe Denis: And I was like, oh, my gosh. Like, I was like, I'm so sorry. And he's like, no, let me go get my computer, and I'll help you out. I'm like, what? And so he goes and gets the computer, and like, while he's, you know, busy opening it and turning it on, I'm like, so I assume you have this computer, this make and model. It'll just be on the lid. He's like, yep. And so I just went into it. I was like, that's so crazy. I just had a baby, too. And I, like, looked at my daughter in the audience. 

(LAUGHTER) 

Alethe Denis: And the whole crowd is just freaking dying. But yeah, so I finished that call, and the audience just lost their minds. 

Perry Carpenter: We'll be right back after the break. 

Perry Carpenter: Welcome back. 

Perry Carpenter: So these types of competitions are useful in a few different ways. Over the past few years, we've seen that they're very useful in helping to encourage people to try out new skills and actually move into security from nonsecurity careers. Rachel Tobac, who was a guest last season, is a great example of that. And for Alethe, winning this competition allowed her to do a hard pivot from the marketing world to being a full-time social engineer and penetration testing consultant. Another way these types of competitions are useful is that they're safe, legal sandboxes for security professionals to learn new skills. They allow curious and motivated people to learn and test skills in ways that are legal and have guardrails. In other words, that means they can learn and test their skills in ways that won't get them arrested or break someone's system. And that's a great segue for us to spend a few minutes talking about simulations. 

Perry Carpenter: Let's say that someone wants to learn about ethical hacking or how to defend against hackers. What's the best way to do that? 

Perry Carpenter: Well, one way might be to read about the techniques and obtain the different tools and then wait until they need to use those skills in real life. Or they could go spend hours or days setting up lab environments and trying to simulate things from an attacker's perspective or a defender's perspective, or they could rent or subscribe to someone else's virtual lab. But there's one other option that's kind of like having a lab environment, though it's not quite as robust or real-world. That's a virtual system replicating specific systems, applications and vulnerabilities to let you test certain skills from an attacker's or defender's perspective. Some of these are fully black-box environments where you just go in trying to find all the flags. You can think of this as something similar to an escape room, where there's a game master who's laid out the environment, they've left clues. You might find a clue by learning about a web application and then viewing the source on that web page. And maybe then when you view the source, you find another clue like a hardcoded password in the comments or a reference to another website. And successfully exploiting one system then unlocks clues that lead you to the next and the next and the next, and so on. 

Perry Carpenter: And then there are other games that are more like Battleship, where you're playing against another human opponent or you and a team or playing against another team. And that way you get the thrill and the frustration of battling an adversary that is thinking and reacting based on your every move. 

Gerald Auger: Like, if you're not really into something, if you're not engaged, then learning is a chore. 

Perry Carpenter: That's Gerald Auger. 

Gerald Auger: I'm a cybersecurity practitioner for about 17 years. Love the field so much that I went to higher ed and got a couple of degrees in it, including a Ph.D. in cyber operations from Dakota State. And I also run a YouTube channel called SimplyCyber, which is - it was originally designed to be a YouTube channel for people looking to make or take a cybersecurity career further or faster. And over the last couple of years, it's really evolved into its own living, breathing community, with thousands of members who are actively participating and contributing, helping each other out. I also teach at the Citadel Military College in their cyber sciences department, shaping the minds of the cadets there as they think about the way that cybersecurity is relevant in today's society and in the military theater. 

Perry Carpenter: I invited Gerald because he recently took a position at ThreatGEN. ThreatGEN is a cybersecurity gamification platform that's developed what they call the Red vs. Blue game. 

Gerald Auger: There's certain things that we learn because we either have to - right? If you've ever been going through elementary school and you, like - it's Tuesday morning, you don't want to get up and go to school because school is boring. You don't - it's not fun, right? Well, gamification looks at the fact that so many people enjoy playing games, whether it's Angry Birds on your phone or Candy Crush, one of those ones that people play on their phones or the more involved first-person shooters that my kids personally get really deep into. They can spend hours of time on it. But why? Because it's enjoyable. 

Gerald Auger: So if you can blend those concepts of enjoyable activity with educational development, you've got a secret sauce where people are yearning to absorb that knowledge. And we've seen it across multiple capacities within the cybersecurity industry, which is fantastic, as far as, you know, simulating so many of the activities that we do, but kind of I almost want to say cherry-picking some of the juicier, sexier kind of scenarios in order to make that gamification fun. Because Perry, you know and I know, like, setting up a lab and dealing with dependencies and the wrong Python version and all these other things, they rob you of the joy of actually doing... 

Perry Carpenter: Yeah. 

Gerald Auger: ...What the game is. And a lot of these platforms are basically abstracting that level of set up for you, so you can just enjoy the good bits. 

Perry Carpenter: Do you think - and I'm not trying to take you down a negative road here, but I'd like to get your thoughts on - if we're really just cutting to the fun parts, do you think that there's a downside to that? And by that, I mean is it possible that somehow we set people up to think that the cybersecurity career is just these fun parts? 

Gerald Auger: So that's an interesting observation. And I would say on the red side of things, meaning the offensive security, if you are just cherry-picking, then it doesn't necessarily map to reality, right? So like a pen tester, for example, they're going to have to do appropriate recon and infiltrate or pop a box or get the crown jewels and then have to write a report and debrief the client. And with a lot of these gamification platforms, you don't do the report writing, you don't do the debrief, so you're not getting that full rich experience of, you know, like trade school, right? 

Gerald Auger: But what I would argue to that point is a typical student may never pursue or look at or sniff anything cybersecurity because it's boring or it's I don't get technology or whatever. And by at least abstracting and giving them some on-ramp into the industry, they can get a taste and a feel, start exposing themselves to concepts and technologies, begin talking with other people, networking, developing a community. And then once the train's already moving, there's some inertia behind it. Well, then you've got something there. Well, you know, what is this other part? Well, it's not as fun. But, like, I see how it relates and ties into the overall picture. And if I want to get a job doing this cool thing... 

Perry Carpenter: Right. 

Gerald Auger: ...I really enjoy, then I should understand these other pieces. So I agree. It's not a one size fits all. You can't gamify the 9-to-5 grind, right? 

(LAUGHTER) 

Gerald Auger: I mean, if you could, you might have... 

Perry Carpenter: Yeah. 

Gerald Auger: ...A million-dollar idea, but you can make it as an on-ramp into the industry. 

Perry Carpenter: And I'm wondering if there's a way to simulate - and I'm not saying inject boredom into the game 'cause that defeats the purpose, but if there's a way to simulate some of that. Say you're doing enumeration, you know, stuff that could take a long time or some of the other OSINT gathering pieces to where you can show kind of like the clock progressing as you're doing this. This thing that is now taking you two minutes might take somebody else three hours to do - and just to give that understanding to the person that's on the other side of the screen. 

Gerald Auger: Yeah. That is interesting and super challenging, right? - because... 

Perry Carpenter: Right. 

Gerald Auger: ...Like all of these games and platforms, they want to keep you heads down, dialed into it. And introducing some of the ho-hum realities of the industry are definitely going to turn the people off. I'm not sure. I think at least a disclaimer or some kind of call-out would be sufficient. You know, one example that just comes to mind right away is, like, when you're running Nmap. Nmap is such, like, an entry-level onboarding tool that is included in almost every single getting orientated to cybersecurity course. And when you see it in a video, you hit go and the results come back instantly, right? And when you hit go... 

Perry Carpenter: Yup. 

Gerald Auger: ...On Nmap for real, it could just sit there for minutes and minutes, and you don't even really have any feedback as to what's going on. So I definitely feel you there. I think there needs to be some type of balance with it. I will say that one game that comes to mind within the industry that I really think has made some efforts at capturing some of these nondirect experiences is Black Hills Information Security's Backdoors & Breaches. It's a card game produced by Black Hills Information Security. And it's effectively like Dungeons & Dragons, if you want to think of it that way. There is an incident master who is crafting this elaborate cyberattack. And then the players have cards that allow them to do things like do endpoint analysis or look at the SIEM, do network traffic capture. You know, it's all the things that you would do as an incident responder. 

Gerald Auger: They have these things called injection cards. And this is where I'm going with this - kind of the indirect elements of reality. So one such injection card that comes to mind is you throw it down. And it says, the legal team has entered the room and wants a debrief from your most senior incident responder on what is going on. Whoever the best player is of the party is no longer allowed to play the rest of the game. And it's interesting because this really does happen, where they take the most seasoned person who's kind of dominating the incident response anyways 'cause they got... 

Perry Carpenter: Right. 

Gerald Auger: ...The most experience. And the junior people are kind of just paying attention but maybe not developing as well. And when you pull that person out, you actually get to see that the other people whose voices were being kind of quelled now have to speak up, now have to think. They might identify some gaps in their own workflows because they were just being spoon-fed the answers. And it's just like reality because, again, like, legal is not going to ask the junior analyst to come in and brief him. The CEO isn't calling the junior analyst. They're calling the lead of the SecOps team and telling them, give us an update. We're freaking out over here. So that is one way... 

Perry Carpenter: Nice. 

Gerald Auger: ...To kind of integrate these indirect elements into a game. 

Perry Carpenter: So with the Red vs. Blue game specifically, what is the technical benchmark that you need in order to be able to benefit from that game or to be able to play it the first time? 

Gerald Auger: It's interesting. The platform was actually built for supporting different levels of experience. You know, I'm a senior practitioner. So I'll just fire up the game and dive right in and go live and start playing and doing all these other things. But if you are new to the field or a junior analyst and you're using the platform more to develop your skills, be able to get familiar with certain kind of incidents - that way when you see them in real life, you're not freaking out - the game has a bunch of built-in knowledge modules, meaning - like, so if it says, like, you know, whatever - like, say, you're playing the attacker and you have a drop malicious USB feature, right? That's... 

Perry Carpenter: Yeah. 

Gerald Auger: ...An action you can play in the game. You might not even know what a USB is honestly, right? Or you may not understand why you would drop it in the parking lot. So you can click on it. Just like anything in the game, you can click on it, and it'll pull up a full kind of educational Wikipedia almost, right? And it'll explain what it is that you're doing, what the action is, and then kind of the background and reasoning behind why you would do an attack like that. And it really helps inform twofold. One, it informs an end user on awareness. This is what this is. And then secondly, it'll help inform their decision making within the game. Does it make sense to perform this right now? 

Perry Carpenter: In a lot of ways, I think that simulations like the Red vs. Blue game, self-contained capture the flag games and CTFs at conferences and even custom-made, team-based card games can be a key part of the future of training and recruiting for cybersecurity. I believe that these kind of environments are a great on-ramp for future cybersecurity professionals. That gamification aspect makes it fun, and above all, it's safe and legal. That's something that didn't really exist 10 or 20 years ago. And so now there's this entire generation of up-and-comers who can satisfy the curiosity of what it feels like to hack a system in ways that won't get them arrested. And yeah, that's a good thing because curiosity without a safe outlet has gotten a lot of people in trouble. And so now it's up to us within the field to find ways to nurture that curiosity and bring people into the profession. 

Perry Carpenter: OK, before we end today, there's one more thing that I'd like to file under the fun-and-games category, and that's what I like to call magical thinking. And by that, I mean being able to look at situations the way that a sleight-of-hand magician would, looking for ways to manage and manipulate other people's attention. I think this is really important because it has a natural linkage to social engineering. And like lock-picking, it's an analog. You can learn card tricks, coin tricks or other sleights to help you illustrate a point that may just give you a bit of insight into how people think and can be deceived. And it can also help you look for unexpected ways to interact with people and environments. Two of my favorite types of magical thinking are mentalism, which is really just simulated mind-reading using sleight of hand and other deceptive methods, and pickpocketing, which is all about attention management. We don't have a lot of time to get into this today, but I'm planning a future episode that I've tentatively titled "The Theater of the Mind" that will explore the connection between magical thinking and social engineering. 

Perry Carpenter: But for now, I'll leave you with a few thoughts from Chris Kirsch. I interviewed Chris in Season 1, Episode 6, and the title of that episode was "Embrace an Attacker Mindset to Improve Security." Chris is the co-founder and CEO of Rumble. That's a cybersecurity company focused on network asset discovery, and he's also another Social Engineering Capture the Flag winner. Chris won that in 2015. Let's hear from Chris. 

Chris Kirsch: Pickpocketing I got into because my dad got pickpocketed on the metro in Paris right next to me. And I - first of all, I wanted to understand, how do I protect against that? But then I quickly got into the other side of, hey, how do you actually pickpocket, and how does that work? So I went pretty deep on that and actually have a talk online that I gave at the Layer 8 Conference on how to pickpocket and how that works. And I did that from the perspective of red teaming. 

Chris Kirsch: All right. So, Luke, can you tell me, like, have you ever been pickpocketed? 

Luke: I have not. 

Chris Kirsch: You have not. OK. So... 

Chris Kirsch: And the whole pickpocketing thing also got me then back into magic because a lot of the pickpocketing resources were only available on magic sites, especially the stage pickpocketing. And magic has a lot of parallels to security. For example, you can play with expectations that people have, and if you know what expectations they have, then you can use that to trick them. 

Chris Kirsch: So for example, if you have a card, and it shows the back of that card, people assume that there is a picture on the other side, like a seven of clubs or something like that. And magicians sometimes use what's called double backers, which have the back side on both sides to trick people and perform a trick. So if you think about that and take that into a security and social engineering context, if you're walking into a building with an access card that's supposed to have a picture on one side and a name and a logo but you just have a blank card, people will just assume that your access badge is flipped, right? So you can actually walk into the building without even having the right picture on the card - for casual inspection, of course. If somebody looks at the card closely, they will figure it out. But that's an example where you can play with people's expectations. 

Chris Kirsch: Other areas are when you take what people think is good and secure, like a known, good routine, and you play with that. So for example, you can shuffle the deck, and you can, for example, do a false shuffle, where the motion looks exactly the same as a normal shuffle, and they assume that that's good. But you're actually not changing the order of the deck, or you're preserving the order on the top of the deck. Another interesting thing is if you take a fresh deck out of the package - right? - and it's in what we call new deck order. So it's sorted by numbers and by suits. How many times do you have to cut that to get to a fully random order? And I'll give two beats to the audience to think about that. Cutting the deck only changes the starting card, but it doesn't change the order of the cards. 

Chris Kirsch: If you think back, you know, some people might not remember this, but for people who remember what a Rolodex looks like, you have a Rolodex that has all of these cards, and they're all on a wheel, and you can spin around the wheel, and you have, basically, people's business cards on there. You can spin the wheel 20 times, 50 times, a hundred times. The order of the cards doesn't change. When you cut the deck, it's the same thing. You're only changing the starting point of where the deck is. So the answer is if you cut a deck in new deck order a hundred times, it'll still have the same order. And if you, for example, peek the bottom card, tilt the deck so that you can see the bottom card, now you can infer what the top card is. 

Chris Kirsch: And so if you apply that same thing, like taking a known, good routine, and you apply it to hacking - there is one example that Kevin Mitnick did. It's from one of his books. I don't remember which one - where he basically phones somebody up, and he tells them, hey, don't tell me your password because that's not secure. Known, good routine, right? But I want to check out that your backup worked correctly, so can you do me a favor, and can you change your password to XYZ password for the next five minutes and then change it back after I check it? Right? So what he then did on the other end, of course, is he got access to the system using the password that he gave them and then, you know, maybe created another account or got persistent somewhere in a different way and then asked them to change it back. So now they were in a known, good state. They didn't break the known, good routine of not giving out their password. And they thought they were good. Those are really interesting things where you have parallels with magic, for example, with the shuffling or other things. 

Perry Carpenter: Yeah. That playing with known, good routines and exploiting expectations is really powerful. Any other examples that you have for us? 

Chris Kirsch: Yeah. So in mentalism or also some magic routines, there is this concept of a one-ahead routine, so where you are actually one step ahead of the audience because you already loaded something somewhere or you already peeked something somewhere, and they think you still need to perform the act, right? I think there is a parallel here with some of the spam messages that some people are getting where the message basically tells them, hey, you've been hacked, and like, we're going to leak all of your information and your dirty videos online unless you pay us. And as a proof, they say, here is proof that we hacked you and - because this is your password. So when people read that, they think, oh, my God, I've been hacked, and the proof is the password. But what actually happens is that their password got breached long ago on a third-party site, and it was published, and the hackers just took the dump of the email and password combinations and then used that to send out personalized email messages - so basically, a mail merge - to all of these people. And if people don't know that you can find one's password on the web associated with an email address, their mind will automatically assume that they've been hacked. 

Perry Carpenter: Well, that's about all the time that we have for today. I'm going to give Alethe Denis the last word, and then I'll be back to wrap up with a few closing thoughts. 

Alethe Denis: During the course of the competition, it's, like, me versus them, and that's kind of how the dynamic of the conversation is - is I'm trying to get the information out of you, and I win points if I get it. It's a different mindset when you're working for clients because we're all on the same team. Like, if they stop me, it's freaking awesome for them. And I like putting that in the report that they stopped me because I want to give them a report that makes them feel good about how well they've prepared to defend against these things and especially if I've done the training. Like, if I've done the security awareness training and I pwn them on my phishing calls or through, you know, emails and have them click on the links, then I did a terrible job training them. And that's a problem (laughter). 

Perry Carpenter: And that's all for today's show. I hope this was able to help you have an appreciation for some of the fun and interesting ways that we can learn about cybersecurity, teach others some fundamental concepts and up-level our own skills. It's really encouraging to see some of the innovation going on in the space right now. New games and capture-the-flag competitions all continue to improve year over year. And as I said earlier in the show, I think all of this is really important because it gives people safe, legal and fun ways to learn and practice cybersecurity skills and also to bring new people into the profession. 

Perry Carpenter: And with that, thanks so much for listening, and thank you to my guests - Alethe Denis, Chris Kirsch, Deviant Ollam and Gerald Auger. As usual, you can check the show notes for all the relevant links and references to the topics that we covered today. 

Perry Carpenter: If you've been enjoying "8th Layer Insights" and you want to know how you can help make the show successful, I've got an easy ask for you. Just tell a friend to listen - seriously. That would be an amazing help for me as I continue to build the "8th Layer Insights" audience and community. So if you would, recommend the show to at least one other person this week. And of course, if you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. If you want to connect with me, feel free to do so. You can find my contact information at the very bottom of the show notes for this episode. 

Perry Carpenter: This show was written, recorded, sound designed and edited by me, Perry Carpenter. Artwork for "8th Layer Insights" is designed by Chris Machowski at ransomwear.net - that's W-E-A-R - and Mia Rune at miarune.com. The "8th Layer Insights" theme song was composed and performed by Marcus Moscat. Until next time, I'm Perry Carpenter signing off.