NahamSec interview Filedescriptor

PROFILE

• Bachelors degree computer science

• Works at X as a pentester

• Started bug bounties in 2014

• First bug was N/A

• 2015 take a look at Twitter

• Didn’t take long to find an issue but thought it wasn’t one

• Received $700 bounty = “simple” bug

JOURNEY

• Elementary school

• Didn’t have a mentor

• Doesn’t want to owe anyone

• Finds it hard to ask for help

• Wants to do it on his own

• Ditched this mindset

• It’s the community that matters

• You take stuff and give back

• Cannot keep up on your own

CERTIFICATION

• Doesn’t have cert

• Doesn’t think cert is necessary

PROGRAMMING

• Useful in the long run

• Required for more advanced bugs

• Sometimes you have to make your own script/tool for a unique use-case

• Javascript is recommended

• Electron

• Node.js

• Postmessage

Not required for

• IDOR

• Logical flaws

• Authentication bypass

TOOLS

• Not a fan of tools

• Likes to do things manual and get a deep understanding

• Uses fiddler

RECONLESS

• filedescriptor, Ron Chan, and EdOverflow

• Wasn’t a lot of reconless content out there for bug bounty

• Original HackerOne videos were boring

• Felt he was ready to make educational content

• Clickjacking blog post got a lot of upvotes on HackerNews

• https://www.youtube.com/channel/UCCp25j1Zh9vc_WFm-nB9fhQ

BUG BOUNTIES

• Doesn’t do bug bounties a lot unless it’s a live event

• Highly competitive

• Repetitive as his job is pen testing

• Enjoys collaboration as he can focus solely on the hacking part

MINDSET

• Never give up

• wrong: if you fail a lot you start thinking that you cannot find any bugs

• Imposter syndrome

• He deals with it a lot

• Want to prove yourself

• Start comparing yourself to people that post write-ups of difficult bugs

• Burn out

• Still burned out

• Enjoys technical aspect, bypasses etc.

• Proponent of hack to learn

• During the process you learn the most