    Episode 54

    Creativity, Community, and Bug Bounties with STÖK

    EPISODE SUMMARY

    Meet the hacker of all trades, Fredrik Alexandersson (aka STÖK), as he shares how he got started in bug bounties and how he connects with his ever-growing social media following to share his knowledge. Learn what shaped STÖK's bug bounty career path in cybersecurity and led him to be a Creative Hacker.

    Joseph Carson:
    Hello everyone. Welcome to another episode of 401 Access Denied. I'm your host, Joseph Carson. It's a pleasure to be here, and I'm really excited about today's episode. This guy I've been kind of watching and learning from for many years, and it's so awesome to have him on the show today. So welcome STÖK. It's awesome. So amazing to meet you, and tell us a little bit about yourself.

    STÖK:
    Wow, thanks. That was a good introduction though. You've been learning from me for years.

    Joseph Carson:
    Absolutely.

    STÖK:
    I like that. Thank you. Hi, my name is Fredrik Alexandersson but most people know me by my hacker handle, STÖK, and I'm a hacker creative. I've been working in the IT industry for the last 25 years. I got way too much time invested in troubleshooting and securing active directory, and I started to move into the offensive realm on a professional level, back in 2014. And been heavily invested into the bug bounty space and that community. So yeah, fun times.

    Joseph Carson:
    Yeah, absolutely. So one of the things, is that, how did you get into it? What was the transition? What were you doing before? Kind of, what was kind of your dedication focus? And then kind of, how did you transition more into kind of bug bounty and into the offensive side of things? What was that transition like?

    STÖK:
    Sure. Absolutely. I mean, I started like most geeks do, getting interested into computers and dabbling and poking and stuff and whatever, and that turned into a profession. And I think I started in this industry in early... Mid 1990s, early 1990s, and started at a company where I was building computers. Back in the days, there was all these Asus motherboards and AMD processors and everything. And you were building computers and installing Windows on them and whatever. And that kind of led me down the whole path of being a troubleshooter, solving things for people. Because I realized I had a knack for that, learning things extremely fast, and then was able to troubleshoot shit.

    STÖK:
    And eventually, when you're in the situation where you're at that stage, you get curious, more curious. Okay then, ... came out. And then suddenly it was Windows and workgroups, and all these other things started happening. And I started getting interested into the enterprise kind of game, and been using Windows ever since. And being the call guy, I've been working as a consultant most of my life. And at that stage, I was the guy you would call when you need to troubleshoot something.

    Joseph Carson:
    Yeah.

    STÖK:
    You need to figure something out. Systems down, nothing's working, like DNS again. And you go there, you eventually solve it, right? And you were also the one that would be the advisor when new things are being added to projects and such. And I realized I was so good at identifying things that were broken, or misconfigurations, that eventually, that turned into my offensive side, because I knew where sysadmins cheated. I know where consultants were lax about things, and that made it easier for me to help organizations secure themselves.

    STÖK:
    And somewhere around... I was at DEF CON in 2017, and that's when bounties came on my radar. This cool event, by a company called HackerOne, where a bunch of hackers and my friends were sitting there, hacking these companies. And I'm like, "Wow, can you do that?" And, "Yeah, we get mad paid too." So we're having a good time. I social engineered myself into the bar, because I was interested in getting free drinks. I wasn't there for hacking. I wanted to take photos and have a good time and hang out with my friends. But it was really interesting. I'm like, wow, I want to do that. I went by, and in 2018, I decided to start to dabble with it. And I really never left. It's a great hobby.

    Joseph Carson:
    It is. And that's always a challenge, is that when it becomes... Because, I'm the same. Very similar background. And I struggle a difference between doing work and my hobby. And it's great, actually. It's really great when your hobby becomes your work, and that's what you get paid to do. Because at large, you kind of really enjoy every day and the activities you do, and you continue learning. There's always things, of course... There's a portion of your job that becomes... That you have to do the administrative side of things. That's always there. But when the majority of it is having fun, it really makes a big difference in your life.

    Joseph Carson:
    And I think one of the things that... When you mentioned, around 2017, when you talk about bug bounties starting then. Because I remember, even before then, it was all about vulnerability disclosures. Because we had a session a long time ago, one of our early episodes, with CJ and Katie, and we talked about vulnerability disclosures. And this is what I really enjoyed, was the difference between when bug bounties started to come much more, and organizations started providing legal means of getting paid to actually find vulnerabilities and disclose them accordingly, versus vulnerability disclosures, which meant that you find them beforehand. Can you tell us a little bit about the difference between some of those, and what types of kind of bug bounties do organizations kind of offer, versus the more vulnerability disclosure path?

    STÖK:
    First off, I'm not an expert in this field. I'm a user of the systems, and the opinions that I have reflect my own and no one else's. Right?

    Joseph Carson:
    Sure.

    STÖK:
    And I say that, there's different ways of doing this. If you have an organization and you want to make sure that you have a safe way for people to report findings to you, you can have a vulnerability disclosure program, where people can have a way to submit things to you. Usually, that's the security@ kind of email, where someone sends in an abuse or something. But maybe you want... Maybe you realize that, that email box is getting flooded. You can't deal with all the things that are coming in, so you reach out to some of the organizations that deal with that. I would say the three biggest ones are HackerOne, Bugcrowd and Intigriti.

    Joseph Carson:
    Yep.

    STÖK:
    And you'll get some kind of deal with them, where they will take care of your inbox, so to say, and triage things, to verify that the findings are valid or not. And if they are valid, they'll pass it on to your team, and you can solve it and you have some tracking and stuff. There's different ways to do this. So it's either, then you have... Somebody can just report things to you. Or you can have a private program, where you'll invite certain researchers to be a part of your organization. And then you can have a defined set of, say, scope. Maybe you want mobile.yourapplication.com to be the one that people are looking at. And if they look at that, they will get paid if they find bugs. You will define a payment model from low to critical, or to exceptional, whatever. Or P1 to P5. And that's the range of what you're willing to pay for findings, right?

    STÖK:
    And then it's the public one, where anyone can just look that you have a public program, you can submit things. I personally, only... This is the thing, bug bounty is my hobby. I've done it full time for fun, and to see if it worked out, but it was very lonely for me. And I love working with people, and I want to be able to have sick days and do all that stuff. That's good for a person like me and my family. But if you're in this situation where you want to poke at stuff, and I usually want to get paid for my time. That's how it works. I know it's a hobby.

    STÖK:
    Yeah, you shouldn't really get paid for investing in learning things, but I tend to do. I love the whole idea of me being able to... Let's say if I have one of my favorite applications, for instance, or eCommerce site or something, when I'm buying stuff there anyway, and I have the possibility to sneak in a little bit of a secret injection there, or maybe sign up for another user and see if I can access my own payment details. I'm allowed to do that. And if I find one vulnerability, I have the chance to send that in and earn everything from $50 to, I think it's $50,000 now, on the cap levels.

    Joseph Carson:
    Yeah.

    STÖK:
    And if you're into crypto, those guys pay mad money.

    Joseph Carson:
    Yeah. No, that's really cool. I think that's a great approach, for ticking... Giving the balance, and also kind of going after the things that you enjoy doing. And making sure that, if you're doing day to day stuff, is overlapping it with, basically checking to see if you can actually go and look at the source code of the webpage and see if you can do SQL injections, or see if you can do IDORs, ... stuff like that. So really looking and saying what possibilities are, as you're actually just doing it day to day, and the sites... And if they have bug bounties, even better.

    STÖK:
    Right.

    Joseph Carson:
    One of things as well, I'll link it... One of things is, I love creativity and content. I love, basically, all the different setups. And I invest a lot here in my own lab. One of the things I've really enjoyed, is your creativity and the setup that you have, and when you're sharing a lot of it. For me, I think that goes into a lot, is when you invest in the creativity side of things, because that's what... Many of us are users, and there's others who are creators. And I think what you set up, is... Can you tell us a little bit about your setup, and kind of how it works, and what's important for you?

    STÖK:
    We're talking about this.

    Joseph Carson:
    Yes. Absolutely.

    STÖK:
    Okay, cool. So I understand what kind of setup we're talking about. Yeah. For me, I wanted to be able to have a space where I had the possibility to create content or share things that I found interesting, because that's all what it is, for me. If I find something and I nerd into that, I want to be able to leave some kind of legacy. I'm okay at writing blog posts, I'm semi okay at doing write-ups, but I'm really good at communicating. And I love talking. I love the sound of my voice. See how that sounds, right? But the thing is, that I need to talk to think. That's kind of how my brain works.

    Joseph Carson:
    Yeah.

    STÖK:
    I work best when I talk and I communicate. And it's always better, if I wanted to... If I want to educate you on something, if I'm really invested in the subject and I'm able to explain it to you in a simple way, then I fully understand it. Otherwise, it's just me throwing weird words around and looking cool. So I wanted to find a way to do that, and I wanted to have a space where I could go. And just with a flick of a button, go from nothing, to a fully ready situation, where I wanted to just press record and go. That was my main goal. Keep it simple, stupid.

    Joseph Carson:
    Yeah.

    STÖK:
    One way, easy production. I didn't want to move things around, and I wanted to have a basic setup. So what I have here, is I have a basic DSLR camera that's connected to a lot of fancy stuff and soundboards and things, so I can route my traffic and I can add on things and I can add ... Yep. Absolutely. And I wanted it to be a way where I seamlessly can record straight from my camera, straight into my hard drive, edit it directly, just push it out if I felt like it. No more taking out the memory card, syncing audio and that kind of stuff.

    Joseph Carson:
    Yeah.

    STÖK:
    So simplicity was my game. And I was lucky enough to purchase this place, which is in downtown Gothenburg, where I live, and I have that as a studio. And have a creative space where I go, and I get into that mood, and I do stuff. So basically, that's what it is. And bounty is kind of paying for this, so thank you bounty. And now I have a creative workspace, so that's what-

    Joseph Carson:
    Oh, that's awesome, because I had the same thing. I used to... I mean, I used to have an office and I used to work from home for a long time, and what I needed was a space where it was all ready to go. And what you said, is the automation side of things. Absolutely. It's so critical to have something. And for me, if I was to reverse the camera, what I see in front of me is just crazy. We've got several monitors, several workstations, lights, and I just... Something that kind of really makes it so simple to set up, and so simple just to kind of... It's plug and play, and you're ready to go. And for that, makes a big difference. And also investing in the audio quality as well. The one thing I haven't really done here, because this is an old Soviet building, is the lighting side. So that's one kind of, I've always been looking at, is the lighting. So I was watching your video on the lighting side. I think you were using the Philips Hue bulbs for the background lights.

    STÖK:
    Yep.

    Joseph Carson:
    Yeah. And it's really cool, because I think getting that kind of ambience is so important, depending on what type of work you're doing. So, absolutely.

    STÖK:
    Easy too. I mean, that is a simple stepping stone into getting good lighting. I mean, of course you would like to have the aperture, extra everything, with all the movie set lights, where they don't even react to whatever kind of shutter speed you're using. This is dialed into 25 frames per second, 50 Hertz, with a shutter of 1/50, because that's my setup. That's what I like. And then I need to tune the lights to there, so I don't get rolling shutter or flickering and that, or other annoying stuff. It's very easy that, that happens. With extra low budget lights, that's going to happen for you. And if you dim it down, that's the reason what's going to happen. So I wanted something that would work okay for me, but would be not super expensive, but most bang for the buck. So Philips Hue lights work okay.

    Joseph Carson:
    Yeah. No, I think they... Function wise, they do enough for what's needed, and they create that environment, create that atmosphere, in order to do the creativity. And absolutely, when you talk about speaking and talking, for me, I end up... I've got a whiteboard back here, and when I... The whiteboard, that's me. You give me a whiteboard marker on a whiteboard, and just let me dump my brain in that thing. That's where I just get creative. It's just nonstop. Yeah, absolutely.

    STÖK:
    All the time. All time.

    Joseph Carson:
    I still do retro old school, so even the whiteboard. But for me, it just-

    STÖK:
    Do you carry that with you though?

    Joseph Carson:
    I don't. Yeah, I don't carry it with me. I end up going to pen and paper sometimes, even. I'm always sitting with a pen, and writing my thoughts down. And that's the way to stay creative and just keep your memory going. Because at my age, my memory is starting to fail a bit. So just putting things down, allows me to keep kind of going back to the things that I need to go back to, and be creative and take notes. So, absolutely. But yeah, for me, it's talking and it's sharing and getting that feedback from others. Surrounding yourself. Because I'm a very social person also, and surrounding myself... I always try to surround myself with very smart people, who make sure that they challenge me in my thought process. So one thing I was just interested about, some of the platforms. I've seen the likes of IppSec and Mayhem going off and starting to do things like Twitch. What platforms are you starting to use for your... I think you're still permanently doing YouTube.

    STÖK:
    I'm primarily, only doing YouTube.

    Joseph Carson:
    Only doing YouTube.

    STÖK:
    Got mad respect for everyone that likes to diversify and do things over at Twitch. I don't have an audience to do Twitch, so I'd rather... If I want to do something live, I have a live show on Thursdays... Not every Thursday. Bounty Thursdays. And I do that live now. I used to do five-to-10-minute shows every week, and just getting the nuggets out. Now we do it in another format, where we have more the classic radio call-in show, where people can call in on Twitter Spaces, and we'll broadcast live at the same time, over at YouTube. So I use Twitter heavily, and I use YouTube.

    Joseph Carson:
    Yeah.

    STÖK:
    Those are the two platforms that I use. I did dabble with some Twitch in the beginning, but I'm not in the mood to be sitting in front of four to five people, talking about whatever my kind of day is. I rather just go on YouTube and do something more. The big difference is also that, on YouTube, you need to provide more of a production value. That's kind of how it works. On Twitch, you can do whatever. You sit there and you communicate, you chat and have that community. I have mad respect for that, but I want it to be a way that I can create content that's long-term, and that people can go back to, and find over time.

    Joseph Carson:
    Yeah. That's easily accessible as well, because Twitch provides... It's a bit more challenging, going through all the hoops and the subscriptions and the kind of the... It's a little bit harder to kind of get more people, because you kind of have to lure them in. But YouTube is a little bit easier to find content and search-

    STÖK:
    For sure.

    Joseph Carson:
    Absolutely. So question, also. One of the things I enjoy, is that sometimes, on Twitter, you share a lot of your kind of personal design time side of things. And this is always... I think in our industry, there's a lot of challenges in things like burnout, stress. People really kind of... Sometimes, you can get stuck in things for hours and days at a time. What's the thing... What way do you find balance between that? How do you make sure that you get enough of life? And living life, versus getting stuck in technology?

    STÖK:
    I never stop learning, and my brain usually never rests. Those are two things that I have to accept and deal with. I got ADHD, so my brain is just wired that way. That's how it is. It's always curious. I need to learn new things. And I like to learn into about 60%, and then I get bored and move onto the next one. That's how my life works. I accept that. So what I need to do, is that I need to find things that keep me interested. And that can't just be one thing. If I end up in a mundane situation, doing the same thing over and over again, I'll get bored. And I need to diversify my mental streams, so I do... That's why I'm working at this great consultancy company. I do YouTube videos, I have a fashion company, I have a sustainable social brand.

    Joseph Carson:
    The glasses you're wearing, are part of the fashion, isn't it?

    STÖK:
    Yeah, yeah. I create, I design stuff. I do a lot of things, because that's where I soothe myself. I need to go from one thing to another, otherwise I'll get bored and burn out. And when I'm saying burnout, it's in the sense of me getting bored, to the extent where I can't do it anymore. I'm like, I just can't do this. And when that happens, and I start getting into that state... Because it's way different than when you are depressed and you can't get up in the morning, and you're sick, because that's another thing.

    STÖK:
    What I'm talking about is this boredom kind of burnout, where you don't feel like doing it anymore. It can be that you work too many hours. It can be that you invested too much time in a project. It can be something else. So what I do, is that I try to do things in sets. It started back in the days, somewhere around 2012, I think, where I decided that I wanted to work full-time for an employer, for three days a week, because I didn't like the balance of me working five days, getting two. I thought that was an unfair-

    Joseph Carson:
    It is unfair.

    STÖK:
    It's like, okay, so you're going to have 65 years of my life? You're going to take four, I'm going to get two? That's a bad equation. I want to do it differently. I'm going to give you, and society and whatever, three days. Four days are mine. And so I adapted my life according to that principle. And of course, it turned into, I work seven days a week, because I do a lot of different projects and I do a lot of different things. But having that mindset, of just scheduling downtime. I have time scheduled, that I don't work. I go outside. I do things...

    Joseph Carson:
    In Sweden, the typical countryside, the summer days and getting out in the fresh air and getting out into nature. Because here in Estonia, it's very similar. I think culture wise, in Sweden, Finland, Estonia, have very similar-

    STÖK:
    I mean, they can always throw a stone at you.

    Joseph Carson:
    Yeah. And it's very... I mean, it's the same as, you need to have that downtime. And I sometimes hear, I complain in the summertime, when I go into the forest to chop wood. And I complain about it. But at the same time, after I've finished, I've enjoyed it, because it allows you to switch your mind off from the things that... In our work, in this industry, you can be so in... Your mind gets so focused, that it's hard to shut off. It's hard to switch off from thinking about the SQL injections, thinking about vulnerabilities, thinking about the latest Log4j or Spring4J, whatever it is. Your mind can get stuck and nonstop thinking about it, and you need ways to switch it off. And for me, going into nature, getting an axe and chopping some wood, and stacking it, allows you to do that. So it's a great way.

    STÖK:
    It gives you physical satisfaction as well.

    Joseph Carson:
    Absolutely.

    STÖK:
    I mean, I'm a nerd. I got T-Rex arms. Those are tiny. But I chop a lot of wood, and it helps me to exercise my body. And it's like you said, it cleanses the mind. And when you do that... There is this thing called shower moments. Let's say that you've been hacking or something, or you've been pondering a project for a while, and then you just let it go. You do something else. And you're standing in the shower, and then the ah-ha moment comes, when you're like, "Dang. Yes." And you go to the computer and you're like... And there it is, and you solve it.

    Joseph Carson:
    Yeah. So I mean, one of the things that... Since we're both creators all the time, and we're always thinking about kind of projects and activities and so forth, do you get in the situation when you get some writers block type of thing? When you get into content, you're like, "Oh, I don't know how to progress it." How do you deal with that scenario?

    STÖK:
    I do the work.

    Joseph Carson:
    You do the work.

    STÖK:
    That's how it works, because there's...

    Joseph Carson:
    Okay.

    STÖK:
    If you listen to people like Seth Godin, and really, really smart marketing people. He wrote, I don't know how many blog posts every day. He did that. Or you can look at creators like IppSec, that smashes out a huge amount of epic videos, right? And they do that over and over again.

    Joseph Carson:
    Unbelievable how much he does.

    STÖK:
    So yeah, when I enter that state, both those guys have something called a routine. They just sit down and do the work. And when I'm starting to enter that state, when I feel like, nah, I don't feel like doing it. If you skip it once, it's like... If you go into... I don't know. If you start... Let's say you start running in the mornings, right? You get up in the morning. The first thing you do when you wake up, is that you put on a kettle with your morning coffee. You're prepping that. Maybe you do a bit of French press. You're prepping that shit, and you say, "Okay. When I get home, I'm going to have that." Put on your running shoes, and you run for 20 minutes. You do that every day for, I don't know, 21 days, because it usually takes 21 days to create a new habit. The 22nd, 23rd days, it's naturally part of your routine. You wake up, you brush your teeth, you eat food, you do that kind of stuff.

    Joseph Carson:
    Yeah.

    STÖK:
    But when you get sick and you're not doing it for a while, then you're not doing it. And then you wake up in the morning and you're feeling good. You're not sick anymore. Maybe I should go running. You're like, "Nah. Nah, not today." And then, "Nah, not tomorrow either." And then that hill of you being able to do it, just gets bigger and bigger and bigger, until you just decide that, screw your brain. I'm going to do my things for me, which means I'm going to do the work. I'm going to run and I'm going to do it now. And you do it, and then you're back into it again.

    Joseph Carson:
    Yeah.

    STÖK:
    It's all about committing.

    Joseph Carson:
    Yeah. And getting into the habits. I mean, ultimately... One of the books I loved, is Atomic Habits. Was a great book, and to really-

    STÖK:
    Sure.

    Joseph Carson:
    How to do it on a small scale, and really phrase it. I mean, even myself, I've recently recovered from COVID. And I do a lot of sports. I mean, I'm always basically playing football, multiple times a week. And the first time getting back, my body was just telling me, enough. You need to slow down.

    STÖK:
    Exactly.

    Joseph Carson:
    But kind of important to kind of progress it. Giving enough time, and getting back into it and getting into that habit and routine. And it's the same way. I mean, I'm always laughing, because even when I'm going through and doing some of the capture the flag side of things, I have... When I'm doing capture the flag, doing some type of pen testing, I have the same habit that I have with playing chess. I am such an aggressive, noisy... I start flying things all at the same time. So I'm just running multiple scripts, and I'm a noisy pen tester. When I'm doing it in engagement, sometimes I kind of step back a bit and do things more manually.

    Joseph Carson:
    But you're absolutely right, you get into those routines. And just like when you're getting a bug bounty, you kind of go through... If you're doing web application tests, you're going to kind of go through, and you're going to go through your routine habits that you're kind of used to, and that are mostly for... You'll get results out of taking those steps. So I guess, kind of getting your life and balance, just like you have the steps and processes. And make sure that, as you... Sometimes you keep failing at something, you might tweak it a little bit until you get a better result.

    STÖK:
    Yeah, sure. I mean, that's the whole thing. Life is about failing. If you haven't realized yet, then it's time to start realizing that right now. Because if we always try to succeed continuously, we're going to set ourselves up for failure. But if we accept the concept about, okay, I'm just going to experiment with this, see where this goes. And then if you succeed with it, it's cool. And if you didn't, you learn something. And you can try it the other way around. And I went through my whole life being too hard on myself, in a way where I wanted to be the best at the things that I did. I want to learn the fastest, I want to do whatever. And I realized that's not really what life is about for me. Life is about learning new things and having fun. And then if I'm good at it, I want to share that experience with others. That's my life.

    Joseph Carson:
    That so reminds me. One of the things that... Crossing point of my career was... And this goes back years. This goes back to 2002. I was working for... And I was a perfectionist. I will always look for perfection. And I was working on a project, and it always reminds me, it was the grc.com DDoS attack. You look at Steve Gibson, GRC DDoS kind of paper. So the company I was working for was a second victim. I was working on the project as well, into kind of how to defend against DDoS attacks.

    STÖK:
    Yeah.

    Joseph Carson:
    And as I was going through that project, I wasn't sharing with anyone. I was keeping it a secret. I was keeping it hidden. And I wanted it... When I released it and made it available, it had to be perfect. There had to be no errors. It had to be amazing. It was like waiting for the Mona Lisa type of art to be produced. And my boss at the time said, "Hey, Joe. That's not how you're going to be successful." And my boss at the time, was Brian Honan, who's kind of well known in the security industry now. And he is amazing. He's always been my mentor, since. And he said to me, "In order to make it perfect, you have to share it. You have to get other people's feedback."

    Joseph Carson:
    And that changed. That was that moment in my career, that changed me, where I actually realized that in order for it to get perfect, I had to involve other people. I had to involve the people around me, the social sphere, who can provide... Because as per your point, I might not be the expert in that specific area, but I can get somebody who knows much more about it than me, in order to provide that input. And it really made me realize that the most important thing, is when you're doing that, is to surround yourself with people. I'm not an expert in everything. There's certain things I'm good at, but I'm not an expert in everything. But knowing who that person to go to is, is so critical to get their input. And I think that's so critical, in order to make sure that we are able to get validation, to improve, to learn. And also, this industry is very much a community industry.

    STÖK:
    Yes.

    Joseph Carson:
    Your point, you can't do things solo. I mean, I've struggled. I don't know about yourself, being based in Gothenburg, is that when you're away from the heart of the hacking community, you're so far away, and there's so few of you around in that area. It's going to events and staying social online, in activities. And that's one of the things that I really enjoy about the podcast, because a lot of it is part of that social interaction as well. I mean, how do you stay socially, being based in Gothenburg? Is there a big hacking community there? I know in Sweden, there was quite a few well known in the industry there. But how do you stay connected with everyone? How do you stay... How do you keep the learning process?

    STÖK:
    Let's see here. First off, yeah, I don't have any local hacking friends. It's not that I sit face to face with someone, and hack and do stuff. That doesn't happen. I'm blessed to be working at a company with a lot of smart hackers. So every other week, I meet those people, right? In Stockholm. But other than that, the easiest way for me to communicate with people... And the thing that I do... Most of my friends are hacking friends from around the world, that I met doing bug bounties, right?

    STÖK:
    I was blessed enough to be able to travel to, I think it's 13 live hacking events around the world. And you travel to these places, and you end up with 30 to 40 other people that have been invited to hack there. And you spend a week together, more or less. You start having breakfast with people and you interact, and with social happenings. I'm a social creature, so I thrive in those situations. So for me, being able to hang out with people, everything from just having a nice breakfast, to popping a beer, or just hacking and comparing stuff and having conversations, was something that I loved doing. So I was really depressed when that scene stopped, due to COVID.

    Joseph Carson:
    Yeah.

    STÖK:
    So when COVID happened, and I realized that I needed to find a way to just stay connected with people. I do phone calls with people. I text people on iMessage or WhatsApp. Or I do telegrams or Signal, whatever, whatever platform you're having. And I talk to people. I hang out in Slack. I usually don't do Discord, because I'm old as fuck, and Discord isn't my thing. I think it's too noisy. But I love to just talk to people.

    Joseph Carson:
    Yeah.

    STÖK:
    Like this. I get on calls with people. It's like, "Hey. Hey. How are you doing? Let's talk for a few minutes." And then just being... I'm pretty active on social media, and that's where I have a lot of people that I found. And I find interesting projects, and I collaborate with people as a creator. That's how I-

    Joseph Carson:
    I think it's the best way, especially when you're in the industry and you're in an area where there's few others that are in the same industry. So it's always difficult to... But one of the videos, one of the sessions you did, that I always remember, was with TomNomNom. That was a fun one, because for me-

    STÖK:
    That's the one in the hotel bar.

    Joseph Carson:
    Yeah. The hotel bar. And watching that session, and just even... I learned so much. Even just piping to tee, was something that I hadn't done before. I was like, oh, that's curious. That's interesting. And even watching-

    Joseph Carson:
    So those little things can enhance your learning and knowledge so much. So you answered. You're doing a lot of the bug bounties, traveling to events. What's some of your favorite events to go and socialize at? I think I watched recently, you were talking about Nullcon coming back again.

    STÖK:
    Yeah.

    Joseph Carson:
    Which is really cool.

    STÖK:
    Big fan.

    Joseph Carson:
    I've never been, myself. I've always been to the more traditional big trade shows. But what's some of the niche ones, or some of the ones that you love going to?

    STÖK:
    BSides Las Vegas. I like that.

    Joseph Carson:
    Oh, yeah. Usually, it's the same time as RSA. Usually, it's either the weekend before-

    STÖK:
    Oh, yeah. Yeah, yeah. No. Yeah, yeah. Maybe it's BSides San Francisco then. But BSides Las Vegas is during Defcon. It's a part of hacker summer camp.

    Joseph Carson:
    Yep.

    STÖK:
    So I love that. And then, again, going to Defcon, of course. I really don't like Vegas. It's hard to say that, because I understand the whole idea about it. And it's easy to be swooned by the whole experience of being in this huge town, but it's extremely draining. And if you're there five days or seven days hacking, with massive jet lag usually, it drains me emotionally. And that city is designed to do that. And then, again... So I would say my favorite thing, here in Sweden, absolutely, Security Fest here in Gothenburg. Pretty biased, because it's my home town, right? I love that too. I've never been to CCC, but I would love to go. I would love to go to Disobey. I've never been either.

    Joseph Carson:
    Disobey, that's in Helsinki?

    STÖK:
    Yeah.

    Joseph Carson:
    Yeah. That's almost kind of... It's usually in January, so maybe sometime when it's... I think it was back in person this year, so hopefully I'll get to go myself as well, at some points. So I do remember one.

    STÖK:
    It's on my thing, that I need to do.

    Joseph Carson:
    Yeah. I think Jayson Street was one. He was over last. I think he was doing Disobey, and he was basically taking pictures of Helsinki. And I think we crossed paths.

    STÖK:
    That's great.

    Joseph Carson:
    Yeah, it's pretty cool. Hopefully, at some point, I'll get to go. It's just cross the water from me.

    STÖK:
    Yeah. But I would say, also Nullcon. Why do I like these conferences? And BSides super, super tiny conference in the Northern part of India. I was blessed to be there and just hang out with people. And then you're talking with the ones that are... They are deeply into bounties. They're into hacking. And it's a thriving community, where you can see the passion in people's eyes, and you don't really see that at RSA.

    Joseph Carson:
    Yeah.

    STÖK:
    And so I love these smaller community ones, where the bubble is, where you're pushing arms with somebody else, or you're breaking bread over your laptop, sharing ideas, and just having cool things. The bounty space is a bit different than the CTF space and the research space, because of course there's money involved. So I had this conversation with IppSec the other day, and he thinks the community is toxic. And I had to agree. It is, somewhat, because as soon as you add money into the pot, there's always going to be this kind of huddle thing. Why would I share my secrets? And to be fair, if you had a money making machine that made you, I don't know, everything from two grand, to 20 grand every month, why would you share that with someone else? And then risk getting duplicates on that, and not getting paid any money.

    STÖK:
    So of course, there's this holding back. I understand that, but that does... That's a tiny speck of it all. The rest of it is... And most people that I know about, do this... Not all do it full time, but some people like you and I, we're probably like, okay, so instead of you doing this capture the flag or doing this Hack The Box... I have mad respect for you guys that do that. I don't, because I'd rather invest time in a bounty program that I know pays well. And if I'm going to... If I want to learn something, I want to learn the development cycles. I want to know how they push code. I want to know how they think. I want to have their newsletter, know about new features. I want to engage with that, because if I'm invested in that, I'm going to be way better at breaking down their stuff than somebody that just does a flyover, and gets content back.

    Joseph Carson:
    Having that product life cycle development background and knowledge, is so critical to knowing... To thinking about how the systems created in the background, that you don't see.

    STÖK:
    Yeah.

    Joseph Carson:
    And I think that's a lot of... A lot of people spend the time going into... Doing a lot of the academies, a lot of the... Kind of trying to break down the front door, without knowing how things are configured in the background. So one of the things that... Even in my lab here, I go and try to set... I try to set it up myself, to understand about how it's working in the background, and understand how the configurations... And then try to understand about how those default configurations might be, because that might be where the mistakes are made, if people don't do them correctly.

    STÖK:
    Right?

    Joseph Carson:
    So going through and understanding about how those defaults are, what the credentials are, how to deploy, and then trying to see what it would be like in the background, in that development cycle. And if you get into that knowledge, then it allows you to actually... When you're looking at that front door, it might reveal the secrets that allow you to get in, rather than... I think most people will try to brute force, and basically use a lot of automation, use a lot of scans, without really understanding. I think that's one of the great things. I think people like IppSec go through, and explain it in its entirety. Explain how it's working in the background, and the multiple paths you could take. I think that's a big difference.

    STÖK:
    Well again, it's vulnerable boxes. We really can't do that. Even if I wanted to do a full walkthrough or live hack target, I can't, because what happens if I leak something during that live stream? Or if I leak something, information there? I would be breaching some kind of agreement, and that's not possible.

    Joseph Carson:
    Yeah. And that's the thing, is a lot of... For me, I think I first got stuck in a lot of... It was back in 2007, 2008, when I was doing a lot of... It was incident response type of things, I was getting involved into. When companies became breached, then of course, going through. Or it was to do with zero day vulnerabilities, and you start looking at the patch process. I ended up getting a lot of NDA processes, and I think that's one of the challenges. And one of my favorite events I like going to, is here in Estonia. We have an event which is called a symposium, which is all about... Basically, it's all the CERTs from around the world, who come together. And it's basically under Chatham House rules, meaning that, you can go in and you can talk about things, without it ever being made publicly available.

    Joseph Carson:
    And that's when you really get to hear the real stories about what happened, how things happened, the successes and the failures. And I think for me, that's something that... One, is that, I think we as an industry, lose from that, because these strict NDAs prevent us from sharing. I know that some of the ones I was under, were five and 10 years long, which meant that, what was the value of releasing it 10 years later? So I don't know if you're... You know what I mean? What's your experience with things, with restrictions and limitations? Especially when you find things that are significant, and could impact a large amount of people.

    STÖK:
    Well, you kind of need to understand that, as soon as you send something into a bounty program, it's under some sort of agreement, and you can't really communicate about it. So there's always the... If you get paid, they buy your silence, in a way. So, unless they are very open on disclosing that... HackerOne, per se, themselves, are defaulted to disclosure, which is cool. And I think Shopify does that too. They're very prone on just disclosing the things, because that gives people the possibility to understand how things work, and do better.

    STÖK:
    I mean, it's a good way to do it, but most of... If you're entering a competition or if you're invited to do a specific kind of bug bounty program, usually you have to sign some kind of code of conduct or NDA, which says that you would not talk about this customer. But it's normal. I mean, that's what we do all the time. I work in cyber, right? The company that I work for, we do amazing incident response. And we do all these super cool cyber red teams, like base red teams on banks and shit. We can't talk about any of it, because you are on strict NDA. And even though you find cool stuff, you want to talk at a conference, you can't.

    Joseph Carson:
    Yep. And that's always the challenge... And I think it's one of the things that our industry... That if we were able to even white label a lot of things, without disclosing it by who, where, when, whatever, and I think if we were given the ability to share more, I think we can... Other companies can learn how to not become victims. And I think we need to find a way to have better intelligence sharing, anonymously, where you can have some type of agreement. Because the NDAs I've seen, are very kind of, let's say... You can't talk about anything. But I think there has to be a bit more flexibility. Because as I mentioned, that event that I go to, which is talking about the successes and failures, that's where you learn so much from. Even though you can't disclose, it's-

    STÖK:
    It's a show and tell kind of experience.

    Joseph Carson:
    It's a show and tell, yeah. You get to hear and see the exact steps. And therefore, when you leave it, you can actually go and check those. Other indicators of compromise, you can go check the different things.

    STÖK:
    And your brain just, wow. New patterns.

    Joseph Carson:
    Exactly.

    STÖK:
    Never thought about that. Interesting. And then you'll start down this trail of...

    Joseph Carson:
    Yeah. Maybe we have more events like that, that can allow those types of things. But I think one of the things, is transparency and sharing is so critical in our industry, and collaborating.

    STÖK:
    Yeah. Love to see that more.

    Joseph Carson:
    Yeah, absolutely. What tools do you enjoy using? What's some of your favorite tools that you have, that's kind of your go-to tools?

    STÖK:
    It depends on what we're talking about. If we're talking about hacking, I would say primarily some kind of browser and a proxy. And my proxy of choice, is Burp, and I use that every day, more or less. But then I do... When it comes to me running VPSs and such, I rely heavily on Bidme's or pry0cc's Axiom.

    Joseph Carson:
    Okay.

    STÖK:
    To spin up virtual instances, droplets in the ocean, that I do automation stuff from. I love everything that Project Discovery puts out, more or less.

    Joseph Carson:
    Okay.

    STÖK:
    If they put something out, it's going to be great. I like httpx. I love dnsx. I love amass. I love Nuclei, and I love writing Nuclei templates that are custom for me. There's so many ways to create automation and find stuff through using tools. I love sed and I love grep, so I would say those are my go-to things. And I'm a Nano user. Blame it on me.

    Joseph Carson:
    I'm the same. So what I typically will go to is, usually it's either VSCodium, or something from a programming perspective. And then if that doesn't work, then I work my way back to Nano. And then if Nano doesn't exist, then I go back to VIM. My last resort is VI. That's always the last one I go to-

    STÖK:
    That's when I throw it out of the window, when it says that this is not able to exit. I can't shut this off, so I unplug the cables and throw it out. That's usually-

    Joseph Carson:
    There's so many issues, and especially when you're through a shell, that if you don't have the right, basically, scaling columns and rows set, it can just destroy it. And I always find that, Nano, you can probably be okay, because it will auto kind of scale. But then when you get into VIM and then VI, you can basically get yourself in a bit of a pickle, where you can't get out of it.

    STÖK:
    Yep.

    Joseph Carson:
    And none of the key strokes will work, and you end up having to find out, well, okay... You end up having to create another shell. But I'm the same. I go backwards, until my last resort, is then I will go through and try to get a proper shell before I touch VI, otherwise I can get stuck in there.

    STÖK:
    Perfect.

    Joseph Carson:
    Quick question though. When you're using Burp Suite, what's your kind of... Do you prefer to use the in browser, Burp's browser?

    STÖK:
    Yeah.

    Joseph Carson:
    Or do you kind of go... Okay. I find it much easier, rather than having to go and set up Burp proxy and have redirects, and configure the ports. Because then I end up having two browsers running side by side.

    STÖK:
    Yeah.

    Joseph Carson:
    And using the built in browser, because it automatically proxies back through Burp. And it also allows me to keep the traffic separate as well, when doing some searching. It's going directly, while in front of, through the proxy.

    STÖK:
    Yeah, I do that. I mean, I'm one of those Firefox users. That's the driver that I like to use. But when I'm doing hacking, I prefer Chrome dev tools, so I'm using that for certain things. So yeah, absolutely. I use the internal Chromium based one in Burp, because it's easy to set up. And I use multiple profiles, especially if I do some other integration or IDOR testing, then I heavily rely on tools that do that for me. I'm not patient enough to do it manually anymore. So I'll do Autorize, or similar. Maybe AutoRepeater for certain things that I want to change or push in. So I'll do that kind of stuff.

    Joseph Carson:
    Yeah, definitely.

    STÖK:
    And I love the Repeater. I love Intruder. I'm an Intruder kind of guy. Most people aren't. I love Turbo Intruder for doing race conditions and massive lists. No, it's my go-to tool.

    Joseph Carson:
    Yeah. Definitely, it's mine too as well. I think for most of us, it's what we kind of prefer. It's the proven... It works, and there's so much flexibility. Even doing decoding within Burp Suite, is fantastic, because you can do that... I know a lot of people kind of go into CyberChef, and do it that way. But when you can do it right in Burp, why copy paste out? Unless you're going to do multiple encodings and decodings, it gets a bit more complex, so you have things that are in CyberChef, that's not in Burp. But most places, I can find it and can get it, whether it be Base64 or you do your own encoding, you can do it right within the browser.

    Joseph Carson:
    So, absolutely. So question for anyone who's listening to the show, what's your recommendations about people, if they're going down this path and getting into bug bounties? Maybe they're coming from a support background. Maybe they're just at university and thinking about going down this path. What's some of the best starting places? What do you recommend? Because there's a lot of... Let's say, there's a lot of platforms out there. Where would you recommend people getting started?

    STÖK:
    I would say the best, currently, and the free one, should be the creator of Burp's Web Security Academy. It's free and it's very easy to use. And it would give you a good insight into the OWASP top 10, more or less, with labs that you can go through. Then you have PentesterLab, you have Hack The Box, you have TryHackMe, you got all these, have specific labs or academy parts, where you can learn things. But I didn't do any of those. I hadn't used Burp at all. Maybe I dabbled with it, with some early... The predecessor to Kali, right? And I dabbled around with it a bit, but it wasn't really my main thing. I didn't know why, because I was into wireless hacking and doing other stuff. But when I started using Burp, I realized that I just had to get used to the momentum of seeing handshakes happening between websites, and what they were calling, and how things were working. Oh, shit, you enter this page, you have 45 different JavaScripts loaded. Why did that happen? I didn't see that.

    STÖK:
    And then you'll see all these responses getting back, and you're starting to play around with the traffic. And I would suggest anyone do that. Turn off all the active things in Burp. Just passively observe stuff. Maybe even install some plugins that would... Burp Bounty or something, that would use these known wordlists to find identifications. You can use a plugin called HUNT, by Jason Haddix, and similar people, that will look for parameters that would look shady, in theory, and then would be a good injection point for you. Okay, this is a live potential, or this could be a redirect and such. And then you just walk websites. Take the normal website you use every day, the one that you're buying your food from or whatever, and look at the traffic, and you can see, okay, so apparently, I have ID 465789.

    Joseph Carson:
    Yeah, if I put a seven afterwards.

    STÖK:
    What happens? And then, oh, why did I get the cart of my neighbor? Weird. And then you'll start thinking about what's happening, because you need to get into the hackers mindset. And the hacker's mindset, is during my curiosity.

    Joseph Carson:
    Absolutely.

    STÖK:
    What happens if I do this?

    Joseph Carson:
    Yeah. If I change this one thing, what happens? Even just, I always enjoy looking through the cookies and just seeing exactly, what is this setting? What value is it putting in there? Is there something that is basically just raw text? Or is it actually some type of encrypting .... encoding, whatever it is. And trying to understand about, why did it do that? If I change it, what happens? And I think, even when I was going through NahamSec's new Udemy course, it's pretty good as well.

    STÖK:
    Yeah.

    Joseph Carson:
    Because he actually did a pretty good kind of walk through, into understanding all of the top... And I think Udemy, some of the courses are quite reasonably priced for most people, when there's discounts on. But for me, I think it was the OWASP Juice Shop, that was the one that I enjoyed doing. And you're actually right. You can go to OWASP top 10, and they'll have the academy there, and they'll walk you through each step. Kind of give people the lessons. And it is very, very educational, because it does tell you, here's the misconfiguration. Here's what went wrong, and here's how you can fix it as well.

    STÖK:
    Yeah.

    Joseph Carson:
    Absolutely. I think it's great advice.

    STÖK:
    But then again, seeing is believing. People will usually ask, okay, so I've been doing all these labs, I've been doing all this stuff. I mean, if you've gone through all the PortSwigger academy labs, without hints.

    Joseph Carson:
    Yep.

    STÖK:
    Go get some bounties. You're well then overqualified.

    Joseph Carson:
    You're going to find, definitely. You're going to be successful, if people went through them without actually getting tips.

    STÖK:
    Do not worry. You got this. Because if you've gone through all that, then you've shown the curiosity and the willingness to learn. So I would say that's about it. Start doing that. But the biggest hurdle, is probably for people just to get started. Get started.

    Joseph Carson:
    It's just getting started, just go and start it. Try it and give it a go. Absolutely.

    Joseph Carson:
    You don't want to go down that path that I said earlier, the perfectionist. You don't want to go down that path. If you find something that you're good at, just kind of go and start in that area. You don't have to be good at everything. Just basically find some things that you're curious about, that you can take to the next step. And just go and get started. Dive right in. Because if you wait for that perfectionist, it will never happen. Because by the time you get to that point, you've already increased your perfectionist bar, and you're basically going to keep moving and moving that bar up and up, until you never get started. So you're absolutely right. I think once you kind of... If you're going through that PortSwigger, and you get through a few of them, even just go ahead and get started and test yourself.

    STÖK:
    Yeah. Do one. Have fun. I've got a question for you, a followup question on that though.

    Joseph Carson:
    Sure.

    STÖK:
    How do you become a good photographer?

    Joseph Carson:
    A good photographer? So, okay. Me and my wife are always having this debate. So for me, I think we are two very different types. Because I love photography. Photography is something I enjoy getting out to. I invest a lot in cameras. For me, I think there's two different aspects of things. There's those who can get the frame, initially. I'm a person, I take pictures and then I do a lot of post editing. So I say that I'm a good technologist, and not a great photographer. Someone who's a great photographer, can take a picture that requires the least amount of editing afterwards.

    Joseph Carson:
    I think that's when you start kind of getting somebody who knows the frame to take, and requires little editing afterwards. I think that's when you get the good photographer. So me and my wife... So for me, I'm great at technology. I'm great at post editing. I know how to handle a camera. My frames are not the greatest. But my wife, absolutely, she gets the frame spot on, and will have to do minimal edits to that picture afterwards, if even. So I think that's where photographer... Where you start knowing the difference between somebody who's great with technology, and somebody who's great with photography.

    STÖK:
    I agree. But the first step to becoming a good photographer, is to pick up a camera.

    Joseph Carson:
    Yeah. Actually use it.

    STÖK:
    Because that's the thing, you need to go out and take pictures. You need to try to do it at dusk, in dawn, in daytime, in shadow, in clear light. You need to understand, because that's going to be an extension of your eye, of your creativity. So the first step to be good at something, is start doing it.

    Joseph Carson:
    Yeah.

    STÖK:
    Without any expectations, but for the fun of it. Then eventually, you'll add more stuff as you go. Because you can spend hours and hours and hours looking at photography tutorials on YouTube, and never pick up a camera. And you can know everything about shutter speeds in your head, in theory, but you're shit at taking pictures.

    Joseph Carson:
    Yeah.

    Joseph Carson:
    You can't be a good photographer without having a camera in your hand.

    STÖK:
    Exactly. That's why you need to pick up the camera, and go out to take some shots.

    Joseph Carson:
    Yep. And that's actually... I mean, when you think about it, you're absolutely spot on. What's the point in being a good photographer, if you don't have a camera in your hand? The best photographer is somebody who's actually out taking pictures, irrespective of the result. It's been awesome having you on. I've really enjoyed it. And so hopefully, at some point... I mean, we're not too far away. So at some point, I'm pretty sure we'll cross paths. If not, I'll see you probably at Defcon, if everything goes to plan. You've been awesome. And I think for the audience, they're definitely going to learn a lot from this episode today. At some point, it'd be great to have you back on. And again, my thanks. Any last words for the audience? Anything you would like to leave them with?

    STÖK:
    I would love to leave them with the concept of staying curious. Be curious about life. Be curious about everything that you encounter, and realize that every person that you end up having a conversation with, if you listen to what they're saying, there's a big chance you have something to learn.

    Joseph Carson:
    Those are very wise words. So STÖK, you've been awesome. Many thanks for being on the show. For the audience, this is another episode of 401 Access Denied. We've had an awesome episode. Very educational, a lot of great content. Again, subscribe every two weeks, and definitely check out... I'll make sure that all of the ways to get in contact with STÖK, will be in the show notes. So awesome, and thank you. Stay safe.