Episode 52

Hacking the Penetration Test with FC (aka Freaky Clown)

EPISODE SUMMARY

We're joined by ethical hacker and bank robber, FC (Freaky Clown), to discuss cybersecurity beyond pen testing. Every organization should assess security from these three perspectives: human, technical, and physical. Hear how FC and his team at Cygenta are reimagining cyber resilience. He shares tricks he's learned on the job, how his organization has evolved, and his involvement in training the next generation of pen testers and cybersecurity pros.

Learn more about FC's company:
Cygenta 


Joseph Carson:

Hello everyone. Welcome back to another episode of 401 Access Denied. I'm your host for this episode, Joseph Carson, and it's a pleasure to be here today with you. I've got another awesome guest for today's show. I'm joined by the awesome, well-known ethical hacker FC. So FC, welcome to today's episode. Tell us a little bit about yourself and what you do.

FC:
Thank you very much. It's a pleasure to be here. So my name's FC, I'm an ethical hacker, but I'm also the co-founder and co-CEO of a cybersecurity company called Cygenta.

Joseph Carson:
Awesome. So tell me, we've met many times in the past and I've listened to a lot of your talks, but how did you get into hacking in the first place? What was your journey into this industry?

FC:
Oh man, it's a very different journey to what most people would probably think of nowadays. There were no classes on this, there wasn't really very much around when I was getting into it. So I'm a lot older than I seem and I've been doing this for a long time. When I got into it, the World Wide Web didn't exist. There were no such things as hyperlinks. You couldn't click anything. It was all bulletin board systems and dial-up modems.

Joseph Carson:
Dial-up modems.

FC:
Exactly. So I got into computers really as an escape from a very terrible childhood. They were not an industry. They were just a plaything really. And I got into hacking by being a sysadmin. So I got a role as a sysadmin for a while and it was very clear that no one was doing security. So I had to do the security for that company. That meant I had to learn all the techniques, which was fine because I was doing that anyway. And then actually that just became more fun to do. And so I'm really lucky in the fact that the industry that we are in grew up around what was essentially my hobby. I don't know what I could have done if... I trained to be a scientist originally. I wasn't going to go into computers because there was nothing in it, but it became very clear to me very quickly that I didn't want to be stuck in the lab. I wanted to be doing stuff. So I'm stuck at a desk with computers instead.

Joseph Carson:
No, absolutely. I think it's similar to my path, which was literally two choices. After leaving school, my path was either to go down the path of art. I used to be an artist. So a lot of people don't know that portion of my life, but the other side, again, was the same, going down computer science, because very early on I was into gaming. Most of my social life was basically playing games and computer games.

Joseph Carson:
And actually one of the things I always remember was I made a pretty good earning at school, because one thing that I loved doing was this: the system administrator there, I knew where he kept the password. I would go into school, and we had these old Apple Classics, and literally what I would do is get into the administrator account, install games, and charge my classmates to also install the games on their computers. We'd play games all day long, and then the system administrator would come in that evening and go, "Who the hell put all these games on these computers?" and start uninstalling them. So the next day you'd come back in again and make the money. So for me too, it was very much curiosity. It was a lot of curiosity, and I made a pretty decent financial living at school from doing that. But the same thing as well is that there was no dedicated course for security.

Joseph Carson:
Security was something you did in addition to your job. I was a help desk worker and a system administrator, and it was always something you did in addition to your job. It was a task, something you did on the side. I think the great thing, though, is that the opportunity we had was that we learned a broader skill set. We learned a lot about hardware. We learned a lot about the software and how to build things, which I think is sometimes a good thing, because we learned how everything gets connected. I think one of the things I see today is that a lot of people go very narrowly focused into specific fields and really don't get that intersection side of things.

FC:
When we grew up, the computers I had back then were ridiculous. I had the Acorn Electron, I had an Amstrad CPC.

Joseph Carson:
Awesome computer.

FC:
I upgraded to a Commodore 64, the BBC Micro. When you get a computer like that and they don't come with an operating system installed, et cetera, you get a massive book, a thick book of how everything works, and you had to tell it everything that it was to do, other than the actual BASIC compilation part. If you wanted it to do something, even load a game, you had to basically write it out. I remember sitting there reading through magazines and typing out all the programs by hand.

Joseph Carson:
By hand, in BASIC, and to find out...

FC:
Hundreds and hundreds of rows of code, it's ridiculous.

Joseph Carson:
Imagine our childhoods: we were sitting late evenings after school typing BASIC code into a computer. And then you'd go to compile it and it would compile and all of a sudden you'd get an error at line 100 and something, and you'd be like, huh. And then it wouldn't... That's where I really got into my fixing skills. Because then you would read in the magazine the next month, they would do a reprint and they'd say, oh, we made a mistake in last month's code and here's the corrected code. And you were like, oh no. But it was great because it really meant that you were forced to troubleshoot things. You were forced to learn how things were built. And you really got into that curiosity, troubleshooting mindset. And I think a lot of us, a lot of the industry, came from that background.

Joseph Carson:
And I think a lot of people I follow, we all came from similar backgrounds, but I do think that while it's great that there's that background of skillset knowledge, as an industry we do need to diversify, we do need to get a lot of... Because it's no longer just about the security of systems, it's everything. It's the human aspect of things. It's the physical security. And also one of the things that you do, in one of the talks you give at conferences, is that you also do a lot of physical security as well. So did you start with software security, or did you move more into the physical side first? How did that evolve into the physical side?

FC:
So back when I started this, there wasn't really a physical security industry, we were just trying to feel our way through it all. And how it started for me was I was doing a lot of pen tests on site. I was going to clients and breaking into their computer systems within their network rather than the web stuff. And whilst I was there, I would spot little security issues. And so what I started doing was just noting them down. So at the end of my pen test report, there'd be a little note saying, hey, this is nothing to do with this, but you should be aware of this security issue. Those lists started to get bigger and bigger. And eventually some of our clients were like, "Hang on. That is actually quite useful. Can you do more of that?" And I was like, yeah, we can. And so it slowly moved into, or evolved into, creating a separate report on that side. And then it became an entirely separate service and it was like, okay, look, you have to pay for this particular thing, because I'm not doing it for free whilst we're doing pen tests as well. So that's really how I just eased into that.

Joseph Carson:
For me, I was always surprised that in a lot of the data centers I was going into, the physical security was always the impressive side: security guards, machine guns at the front entrance, and there were moats around some of the data centers that I went to. When you were going in, you had to go through this rigorous check-in verification process with your identity, and you had to be on the list and registered to be allowed inside the data center. And all of a sudden you were only allowed in specific cages that were basically assigned to specific companies. So I always remember that from going through the physical side.

Joseph Carson:
There are other companies you go into where the physical side was horrendous. You'd walk in and breach the door and you'd be in. But on a lot of the data center side, I remember the physical was always impressive. But then I would go home and sit in the office at home and all of a sudden just VPN in with domain administrator credentials, and you'd be looking at it thinking, well, you've got this impressive physical side, but on your software side the door was literally completely open. But what was kind of... Because I think a lot of... They were usually very separate roles and very separate backgrounds of people who would do physical penetration testing versus software. And I think they have really converged very much in today's industry. What was the balance... How did you balance between them, because they are sometimes very different skill sets?

FC:
They are incredibly different skill sets actually. I've actually found throughout the years how the trends have changed on this. And like you said, when we started out, physical security was the biggest thing. So back then banks were impenetrable. Data centers were impenetrable and software was just awful. Nowadays more and more budget is being spent on the software side and they're getting really good at that, because we are learning a lot of stuff. And what that meant is the physical side has kind of got left behind a little bit. And so one of the reasons we started, my wife and I started Cygenta, was to bring back a bit of clarity to that. We wanted to show that there are three sections to security really: there's physical, there's the human side, and then there is digital. And if you don't have those three areas working together, you don't have security. And you've just shown that with that story. It's like physical's great, but software is terrible, so you can get in. Or physical and software are great, but people are not-

Joseph Carson:
Human side is...

FC:
... trained well. So it's lacking, you get in. And I've actually spotted a shift in that, in that the physical is now really, really weak. So all of these data centers that you spoke about, they're okay, but you can still get in. All of those systems that you mentioned, they have bypasses and we can get through them. I've been doing this for many, many, many years. I've broken into thousands and thousands of sites. I have a 100% success rate at doing that. Now, do you think that is because I'm some super alien awesome breaker-inner, or do you see something more endemic in that?

Joseph Carson:
So I actually went to... Years ago, one of my last penetration tests was on a power station. And I remember going through, and for me, I was hoping I was going to delegate it to someone else, because normally I'm the person that does the recon side of things. I do the passive assessment and then I pass it to someone else to do it. But at the time there wasn't somebody available to do it, and I thought, okay, I'll just do it myself. And it was really interesting because it's all about... I think when you look at it, if you actually do enough understanding, enough reconnaissance, enough observation, eventually you'll find a way in.

FC:
And always 100%.

Joseph Carson:
What I found was that when I did the attack path, I was looking at one of the physical... I was looking at this power station, and you think about a power station, you're thinking about the same scenario. You've even got sand around so they can see if there have been footprints going up to the gates, they've got cameras everywhere. And when I went through the whole process, my path was going through the supply chain, finding a company that either was delivering food or was doing maintenance or services or even cleaning, and looking for ways to go in basically through the human side of things that would give me authorization to walk in there, because I had the badge, I had the jacket, I had the clothes, and you look like you should be there. Is that something that you find... What I mean is, what's the method that you tend to find the most successful?

FC:
So that's really interesting. It really depends on your target and how you adapt to that target. Because what will work really, really well for say a power station will not work for a trading bank. So you have to pick and choose what you're going after.

Joseph Carson:
I would've preferred the trading bank, to be honest. It was a lot of stress.

FC:
So what works for me is really just trying it. Right. So not being afraid of what might happen, because you're there to help the client. And so there's no real way of failing a social engineering test. And that's why in the last few years I've really moved away from doing social engineering tests, because I don't really think they give much value to the client. So like you said, you will always find a way in. And there's always going to be a way in because, well, people have to get in and out. And there are always going to be flaws in those security systems. And you're always going to find some method of getting into whatever organization. And like I say, I've done this for many years, 100% success rate, because that recon stage highlights some issues.

FC:
So I don't really think that social engineering really has too much of a place now, or maybe it's put on too much of a pedestal now. It's about giving the client the best value for money. And so we do security assessments, physical assessments, now where we walk around with our client and we assess all of their security and say, okay, is this actually worthwhile doing? We've spent many times going into banks or whoever and saying, "Why have you spent 60,000 pounds on a door that you can circumvent another way?" It's not working. And the reason they've done that is because they've had a social engineering test and someone got through that door. So they upgrade that piece of security and don't worry about the rest of it. So I've moved away from that, more into the assessment side, and that's what Cygenta do more now.

Joseph Carson:
More of a walkthrough on the observation side, and then highlight it.

FC:
Exactly.

Joseph Carson:
I think that's a more effective way. It's much more effective because what you're doing, you're able to highlight multiple things together rather than just highlighting one specific thing... Because I think...

FC:
Exactly,

Joseph Carson:
I always remember the mistake that I made when I was doing that particular penetration test. In the end I ended up finding a piece of paper with credentials sitting on a desk, and for me, I thought that was the keys to the kingdom. And I think the mistake that I always remember was that I stopped the pen test at that point, because I thought I'd already succeeded. And I always regret not continuing and looking for more things. And I think that method that you're proposing and suggesting is definitely a way to keep progressing and going through and checking. Because we didn't get into a lot of the physical side. A lot of things are left open because health and safety is the priority. And a lot of the time health and safety is that weakness, because it's the way to force things to work in your favor.

FC:
Yeah. It's really interesting. Health and safety always breaks all security, right. There's actually a chapter in my upcoming book about how that happens and why that happens. There are a lot of ways that I've got into buildings because of the health and safety factor. It's really interesting to see how people really focus on a social engineering assessment and they go, okay, we want you to try and get into this building via this method using this. And it all becomes very micro-focused. Whereas the assessments we do, I'm literally updating this morning a checklist of stuff that I go round and check. Now a social engineering test will maybe test one entranceway, right. Or it'll at least highlight that there's an issue with that one entrance, because it could also be most-

Joseph Carson:
Be momentary. It can also be at that point in time. Yeah. It's a temperature reading at a specific point in time. There's no guarantee that the same thing you do next week would be successful.

FC:
Exactly. And that's part of the recon phase, finding those temporal moments where it's accessible. And so the client gets a report that says, right, we got in via this method this time. The checks we do now, the last time I checked it's 420-ish checks that we do in a walk around. There's no way that a social engineering test will highlight those 420 issues. Right. You're going to get a good idea of what your security posture is for that site from that versus, hey, managed to climb down a lift shaft and get into your data.

Joseph Carson:
Yeah. Because I think your point is that you're showing all the issues and making it clear, rather than just that one success at that point in time, which doesn't do anything for a company except let them say, this was the success at that time, but we're not going to go through and check everything. Yeah. And I think it's really important to highlight all of those.

FC:
And we as an industry do get caught up in that a little bit of the time. It's like, I want to break in because I want to show how awesome I am, and people forget that you are not there to make yourself look awesome. And it's the same when you're doing a pen test versus, say, a bug bounty. With a bug bounty, you stop as soon as you find something cool. And you go, okay, now I'm going to report that. Whereas with a pen test, you could never get away with that. If I just scanned until I found the one issue and then went, that's the pen test, that's not going to fly. You have to give everything, you have to say here are all of the flaws.

Joseph Carson:
That's exactly my point. When I found the credentials for the systems, yeah, for me, I thought I'd won, I'd been successful. I'd got the credentials.

FC:
That you've won.

Joseph Carson:
And I stopped doing the pen test at that point. And I always regret not going through and continuing and trying to find other things, because that's what my job was there to do: to find all of the risks, not just the big one that I assumed was the one that was basically showing success for me. I always remember that point when I think about past things. And I think what's educational is to always complete what you're there to do. Never just assume that when you get this one big thing it's finished. You want to look for all of the risks.

FC:
There are so many times when I've seen people on Twitter or somewhere saying, "Hey, got domain admin in the first hour." It's like, great. But what are all the other issues that you found?

Joseph Carson:
What are the ones that are going to be the impact? What are the ones that are going to bring the business down? And what are the ones that will allow the attackers to be stealthy? I think for me, one of the things I have now prioritized in my techniques is this stealth rating thing that I do. So I'll go through and I'll plan all the different attack paths, and my stealth rating will determine, for each of those different paths, what's the noise that I will create? So it's almost like that Geiger counter type of thing where... It's looking for basically which one will be... It might not be the most successful path, but it's the one that creates the least amount of noise and will go undetected.

Joseph Carson:
Because one of the things I always find when you're doing a pen test as well is that once you make too much noise at the beginning, too early, it can be almost game over, because all of a sudden the defenders know you're coming and they'll be more cautious, they'll be more vigilant. They'll be increasing their sensors. They'll be looking for you. But going through my stealth meter, I prefer to go through these little pokings at the hole very, very cautiously at the beginning so that you stay undetected, you stay hidden. And it's those ones, I think, that organizations need to be aware of, because they're the ones that most attackers will follow.

FC:
And that harks back to what we were saying earlier about how you have to change per client and per target, because you can do all the really stealthy stuff that takes three weeks to get in and never be detected by the network monitoring. But maybe your client doesn't have that budget. Maybe your client doesn't even have a team for monitoring that in real time. And so maybe they just want you to scan everything as quickly as possible and get out.

Joseph Carson:
Just give the report at the end.

FC:
Exactly. We try and avoid those sorts of clients that just want a tick box exercise.

Joseph Carson:
So a question, because for me, absolutely, I completely agree about the human aspects, the technology and the physical side, getting it all working together, because it only takes one of those to fail for the entire thing to fail. So what are you finding... Are you finding that more people are starting to become more hygiene-aware? Are you seeing that your clients are getting more support from the executive boards for investing in these? What are your observations in these areas, from the human side and the executive support side?

FC:
So that really changes from client to client. Our new clients, they're always not great, that's why they're coming to us. They've maybe gone to other companies and they've had these tick box exercises and video awareness or whatever. And they've not really improved. And they're kind of like, "Okay, maybe we should go with someone that is slightly more expensive, but they clearly know what they're doing." Then you've got the clients that we've worked with for years and years. And we've seen a marked increase in buy-in from the board, et cetera, because we do things for the board. We show them what we're doing. We show them why it's important. We get them to have that buy-in, and we've taken several clients from the stage where the board just will not accept that they need to do anything through to them championing some of the education that we are trying to push in. So it's really great to see that sort of growth, especially over three to five years. We see that sort of growth in companies. It's really nice.

Joseph Carson:
I think we've probably had similar lengths of career in this industry. And I remember in the early days, if a system or application or something was down, it didn't have a big impact, the business could continue. If email wasn't working, what would you do? You'd get the telephone and call up the person and speak to them directly. So certain things back then, if systems failed, it was an IT problem and IT could fix it. But it didn't mean that the business was stopped. It didn't mean that the business was impacted. So it was still an IT issue.

Joseph Carson:
And then later, probably in the 2000s, systems became a bit more, let's say, critical to the business, but still they were segmented. They didn't have this cascading effect. So you might have one application down, which might limit the business service, but the business would still function, maybe at a degraded capability. So it was still an IT problem, maybe an isolated business problem, but the business could continue. You fast-forward to today and if systems go down, the business stops. And I think this is where we start seeing... I always say that we've moved to where it's no longer IT, it's no longer security. We had to get to the point where we realized that this becomes a business impact and it's a business response, and we always have to move beyond it. We can't just kick it over to IT and say, here's an incident, you go fix the issue, because all these systems are dependent on each other. Are you seeing that type of impact, where the criticality of this is why the clients are really prioritizing it as something to focus on?

FC:
Yeah. We've seen massive changes in the industry over the years. I remember back in, oh, many years ago, like you say, a small company running a Microsoft SBS where everything's in that one server. And if that one server goes down, then they don't get the emails coming through, they don't get... Maybe they've got a website, e-commerce page...

Joseph Carson:
But they remember the telephone.

FC:
But they remember the telephone.

Joseph Carson:
Now I can't remember anyone's number.

FC:
And nowadays everything is computerized, even the telephone system. If the power goes out, everything stops. It's very bizarre to have seen that change to where everything is now so interdependent. And especially with a lot of stuff moving to the cloud, we saw a lot of resistance from clients pre-COVID to moving to the cloud. And we were like, no, it's a really good thing. You should be embracing that. Then COVID happens and they're like, "Oh my God, maybe we should move to the cloud."

Joseph Carson:
We should.

FC:
Maybe you should have done that five years ago when we told you, just thinking outside the box there. So it's fascinating to see all the changes that have happened in the years.

Joseph Carson:
So the question is, are you seeing one-time engagements that companies are coming to you for? Or are they looking for more of a long-term service? Because I think this is one of the biggest differences. For me, I think most organizations should really go to a retainership of expertise and have it always on hand rather than just these one-time checkboxes. Going back to the temperature moments, you're reading the temperature rather than getting an understanding of how your posture is continuously. So what type of organizations are you seeing from that perspective?

FC:
So we have a lot of companies that come to us via recommendations. We don't really do much selling, we do basically no marketing, the odd podcast like this, but this isn't really selling either. So a lot of our work comes through word of mouth, recommendations. We had one this morning, a 30,000-employee company came to us through a recommendation, another massive company. Yeah. So that's how most of our business comes in, and they generally come in wanting loads of stuff, but they test us with a few little things first to see how we get on. And we have had some clients where we haven't felt we're a good fit for them. So we say, okay, look, that was nice, but see you later. We fire our clients if we don't work well with them, which is a good thing to do. It's good for your mental well-being as well as financially.

Joseph Carson:
And it keeps you focused on the things that you want to be doing as well.

FC:
Exactly. And so a lot of companies come to us for just a few things, and then they stay with us because they love the way we work and communicate with them. Some of the services that we offer are because we worked with clients before and they said, do you know what? It would be really cool if we had this. So now we have vulnerability analysis that has pretty much continuous updates. And it goes into their own little portal where they can go in and see all the vulnerabilities and manage it all themselves rather than using a crappy Excel document. Yeah. So that was brought about because a client really wanted it. And we were like, okay, we don't have that. We'll build it. So we work really closely with our clients to make sure we are giving them everything that they need.

Joseph Carson:
And so it becomes a long-term engagement. You almost become an extension of their business. And I think it's really important because you get to know the business more, and I think knowing the business is also an important aspect of this.

FC:
And we also get to know the people. We've become really great friends with a lot of our clients. Because on that personal level, we understand what they're going through. They understand what we are going through. We all sit down, we can... Pre-COVID, we would go out to dinner, et cetera, and we'd have a good chat, and there would never be any real hard sell in that. It would be like, okay, what are your pain points this week and how can we help? Or they would come to us and be like, "Do you know anyone that could do this?" And if we don't do it, then either it's something we want to be doing, or maybe we know someone that will do it. And we refer out a lot of clients to other people that we know are really good at this. And we trust them with that.

Joseph Carson:
Absolutely. It definitely is a community approach to this. And so it's important to make sure you get the right people to help organizations become more resilient. One of the things I've always been fascinated with, through what both yourself and Jessica do, is definitely the kids' side of things, schools and knowledge sharing. Can you tell us a little bit about some of the things you've done with Cheltenham days and what... Because I think, for me, we need to get the next generation prepared for this. And what you've been doing in this I think is amazing.

FC:
So we've done a lot of outreach. It's really massively tailed off because of COVID, we couldn't go into any places. We've changed the way that we work a little bit on that. We are not trying to take on too much. We're honoring agreements that we have already, but we're stepping back from that because we do have clients that come first. But we were committed to doing a lot of outreach, especially with the Cheltenham Science Festival, which was a big thing for us, where we saw 10,000 kids in a week and tried to encourage them into cybersecurity. It's a big thing for us because I had a really terrible childhood. I didn't have anyone around. And so offering all of that advice for free was something that we felt really passionate about. It is something, unfortunately, we have had to step away from a little bit, but we try and do blog posts, we try and do YouTube channels so that people can see some of this stuff and maybe get the bug for doing what we do.

Joseph Carson:
And did you learn a lot from the kids when you were doing this? Because the one thing I remember when I was doing... In Estonia, I did a project that was called Back to School. It was basically people in the industry just going to a school and teaching a lesson. And I originally thought that I was going to teach the kids. I thought I'm going to go in and teach all these kids about cybersecurity. And all of a sudden, I think it was the first time I came out and I was like, I learned more from the kids than I probably even gave back to them in knowledge. What was your kind of... Did you learn a lot about their type of social interaction? What types of credentials they were using, and devices and apps?

FC:
I think the biggest thing that I have learned from kids, all the way through to young adults at university level, is they're way smarter than you think they are, way, way smarter. The biggest turning point for me on that was when we were doing a talk about social media and being careful sharing those credentials, et cetera. And one kid was like, "Hang on. Do you mean for which account?" I'm like, what do you mean, which account? And so these kids, these are seven-, eight-, 10-year-olds that shouldn't really be on social media, but they are, and they keep different groups separate. So they have one account for their friends. They have one account for their family. They have one account for something else. And it's just like, what? I didn't even realize you were that knowledgeable about that sort of stuff. But it's absolutely fascinating.

Joseph Carson:
You're right. When I started going and doing the back to school type of thing, I started with the older kids. I thought that's where I can make a difference. And I started with around 12- to maybe 15-year-olds. I found that it was already way too late, because I thought the same, I thought that's when kids will be getting their social media accounts, that's when a lot of the law says that you're meant to be 13 or above to get these accounts, but all the kids find ways around it. And I actually found that, yes, the youngest I had to get to was about seven years old in order to actually be making a difference and stopping some of the bad habits and getting an understanding about some of the things that we're doing. You're absolutely right. I think you sometimes assume, just because the laws and some of the apps say that it's this age and above, but when you get into reality, it's a whole different story.

FC:
It's like anything with security. Once you see what there should be and you see what there is, that dissonance is just like, oh my God. But it's really important for us to educate our clients and adults as well. And we get a lot of help for universities as well, because the universities are really struggling, because there's still a distance between university courses and the industry. We're trying to help all over the shop, and now we are really... We focused on the clients, then we went to kids, now we're back to clients again. So we keep jumping between them. But our focus nowadays is really very much with adults and trying to make sure that they're safe, because whilst it's nice doing that, there are people that are way better at doing that than we are. And we can concentrate on what we're being paid for, really.

Joseph Carson:
No, I completely agree. I will always remember as well, I think when I realized that I was going in teaching the kids, then I realized actually I need to teach the parents and I need to teach the teachers. And it became a kind of realization that the kids are learning from them, and their habits and hygiene were not where they should be. So it was always a thing. But as an industry, I think that's going to be the big challenge going forward: how do we make sure that, one, we get the right... Because I will say security is not something where I can make myself as secure as I possibly can and stop there; I realize that my boundary is always my social sphere. It's the social network around me where security starts. So the more that I can spread that around, the more I can get the people that I network with to be a bit more secure, that has a big impact on me as well. And I think businesses as well should probably take that approach, realizing that it's not just for employees, it's this entire social sphere that those businesses have, suppliers and contractors.

FC:
When we do any work with a client where it focuses on executive assurance, rather, not insurance, assurance, and we do all the OSINT reports on the high net worth individuals, we are always looking at that sphere around them, their kids, their parents, their siblings, their cousins, nephews, all sorts of stuff, because that really does feed into it. I think the best story that I know of that shows that is I did a panel last year, I think it was, with Sir John Sawers, who was the ex-head of MI5. So the guy who is represented by M in Bond, for those that don't know. When he took over the role at MI5, up until that point, his role was very much secret. No one knew who that person was; that was kept under wraps. He was found out to be the new head of MI5 because of a picture that his wife posted on Facebook of him in a pair of Speedos on a beach. So it shows that even at that high level, that sphere of influence around you is really your security bubble. It's not you.

Joseph Carson:
Especially when you get a lot of those roles, there are no pictures and no names, there are no surnames. You can still have a first name, but there are no surnames, so it's hard to remember. And it was really about... They had no bio, just a name or a letter, M, R, or FC... Which really keeps, exactly, keeps that knowledge down as much as you possibly can. So, question: one of the things I always find is balancing the time for me to stay up to date and keep my skills, because this industry changes. What we learned today may be completely different next year. And how do you stay up to date? What ways do you balance keeping that knowledge and learning? How do you keep yourself fresh?

FC:
That's a really good question, because it's not like I just have a nine to five job. It's not like I'm just a random pen tester for a company. I run the company that I also work for. So I'm doing the nine to five stuff, but I'm also doing all the admin, I'm helping with the finance, I'm doing all the marketing and the tweets.

Joseph Carson:
And the blogs.

FC:
My wife helps out... And the blog posts. We have to run a company. So I have to find time to run a company. Then I have to find time to be employed by the company. And then I have to find time for myself, personally. So I have to carve out moments where I can improve my skills. So I do a lot of CTFs. I don't really do bug bounties. What I tend to do is I use bug bounties as a way of testing our tools. So rather than using our clients for testing stuff, you go to a bug bounty bar and you sign up to it, you get a list of valid targets that you can scan or whatever, and as long as you keep within their rules of engagement and their scope, then it's great, because you've got free targets on the internet that you can try out new tools on, you can try out new tool chains on, and then you can test that way.

FC:
So that's always a nice way, but I do a lot of... I watch a lot of YouTube videos and try and keep up to date with stuff. And it's hard when you have a holiday for a week, or even a weekend, or even an hour off. The world can change massively. So you have to just constantly keep up with it. I think it's important to really enjoy it. I've been doing this my whole life. I'll never do anything else.

Joseph Carson:
And I think it's...

FC:
I'm not going to quit the job and become a baker or whatever. I love doing it.

Joseph Carson:
This is a hobby. We're doing our hobby for a job, which is always great.

FC:
Exactly that throwback to what I was saying right at the beginning was like, this was a hobby before it became a job. And now I'm really, really stupendously lucky that I get paid very well to do my hobby. And so what do I do outside of work? Well, I do more of the stuff, more of the same. I try and do a little bit of gaming. I've just got into sim racing now. That's my new thing.

Joseph Carson:
My bad habit, you can probably see in the back of the camera for those who are looking at the video, is I've got my RetroPies and I've got my 8BitDo arcade sticks, which I...

FC:
Nice.

Joseph Carson:
So I don't get the time to do it properly. Maybe I get to turn it on. I just saw even Monkey Island is bringing out a new version. So I was excited about that.

FC:
Very excited about that. So very, very excited.

Joseph Carson:
So gaming is a great way to escape, but it's always a challenge. So do you dedicate time to your blocks of things? Because even myself, I've got my one day administrative, which is Mondays, where I block a bit of time. This is my admin tasks, nothing disturbs me at that point. Then I have allocated time for doing some capture the flag or some online, even watching some videos and stuff. Do you allocate the time or just kind of go how you feel at the time?

FC:
No, I would love to be able to do that, but my personality doesn't allow me to do that. I can't compartmentalize things like that. I'm very much reactive when it comes to stuff like, this is a problem. I need to deal with this now. And then I'll get really into that and then I'll go up and do something else. The only time I really compartmentalize like that is if I'm on a client job, it's like-

Joseph Carson:
A project...

FC:
... between these hours, that is all I am doing, because obviously they're paying us for that time and they deserve to have that time. I'm not going to sit there watching YouTube videos and scrolling through blog posts when I should be doing that. So that's the only time I ever really get really hyper focused on something. Otherwise it's just like, we'll just work more hours. So this morning I was up at, what, 6:30 writing chapters in my book, then I did some accounting stuff. And then got into the day and it's 8:30. And I'm like, now I need to start work.

Joseph Carson:
So, question: you're now competing with Jessica in getting your own book as well now, is...

FC:
She's got two books and another on the way.

Joseph Carson:
What's the book about then? Are you able to share or what's the timeline?

FC:
Yeah, I can do. So I signed a contract with Wiley. So Wiley is going to be publishing the book and it's called How I Rob Banks. And it is a collection of stories of physical assessments that I've done. So all of the funny parts, all the educational parts, there's going to be some stuff in it about how do you do this and this, so there are a few little tips and tricks and techniques that I've used in the past. So it's just going to be a nice little collection of all of that. Hopefully it will entertain and educate.

Joseph Carson:
It's always good when you do this as a story. I always like to take things and, rather than just kind of... add the context around it in a story that really takes people on a journey. And I think it's always important. And when you can entertain and at the same time add education, it's the best combination. So what timelines are we looking at?

FC:
Well, the contract says that I have to be finished by Christmas. So I'm desperately writing every day to make sure that I hit those deadlines. I'm slightly ahead, which is nice.

Joseph Carson:
Well, that's a good thing.

FC:
I can't say anything about where or when it's going to be released, but it'll be early next year.

Joseph Carson:
Fantastic. I'm looking forward to it for sure. But it's been awesome having you on the show and just to catch up and to chat with you and hear some of the kind of what you're doing is great. Any words of wisdom that you would leave the audience with, you'd recommend?

FC:
Just seek some mental help, find something that makes you happy and lean into it. So with the gaming thing that we said earlier, I like to dabble in games every now and again, whenever I could. And my wife and my therapist have both said lean into it because you need something to release yourself. So find the thing that makes you happy, find something that you enjoy and really lean into it. Because the worst case is maybe you don't like it as much as you thought, but you'll never know until you try.

Joseph Carson:
Give it a try. It's always important. I think it's wise words for everyone, for the audience listening in; it's always important to do the things you enjoy doing, and you can't take care of anyone else until you take care of yourself first. And that's always an important thing, that you always make sure that you do the things... Take care of yourself first, and then that gives you the ability to then help others. So very wise words.

FC:
I was going to say, just remember at best you get 99 summers. Enjoy the summers that you have.

Joseph Carson:
Hopefully we'll get a lot more. We can find some science, maybe we can get the science that makes us live for a lot longer.

FC:
That'll be nice.

Joseph Carson:
Will be looking forward to that. You're absolutely right. At best 99 summers. Many of us won't make those, but I'm hoping I will. But FC, it's been awesome having you on the show, many thanks. Look forward to... hopefully we get to catch up at some point soon.

FC:
I hope so.

Joseph Carson:
Because the pandemic has kept a lot of us in a bit of isolation. Especially those that are a bit further away than others. But next time let's make sure we find time. So for the audience...

FC:
I'll definitely be at InfoSec, I think this year.

Joseph Carson:
I'll be there.

FC:
So that'll be nice. Here we go. Then we'll meet up and we'll catch up.

Joseph Carson:
Absolutely, looking forward to it. So again, many thanks. Audience, again, another episode of 401 Access Denied with FC; it has been amazing and really great, with lots of knowledge. Make sure you subscribe, every two weeks get the latest episode, go and look at the previous ones. And again, look forward to the next one and stay safe. Thank you.