Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow, and subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a review on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.
Joseph Carson:
Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm Joe Carson, I'm the host of the episode, and I'm the chief security scientist and advisory CISO at Delinea, based in Tallinn, Estonia, so I'm really excited about today's episode. It's been a long time waiting, and I'm really excited to have Ben join me for today's episode. We have a special guest, Ben, also known as NahamSec. And Ben, welcome to the show. Just tell us about yourself, how you got into hacking, and what you enjoy doing and some of the things you get up to.
Ben Sadeghipour:
Yeah. Thanks for having me. Thank you so much for reaching out and having me on the podcast. I'm Ben. Most people online know me as NahamSec. I don't have an official title any more. I don't have a title to give you. I make content now, and I'm getting into the whole mentorship thing full-time. I've got into the content creation game. Right before COVID hit, I think COVID was one of the things that pushed my career to the next level because of how much free time I had, and we were all cooped up in the house, and everyone was in the house, they wanted content and entertainment, and it gave me the platform to do what I want.
I got into hacking around when I was not even a teenager. I was a lot younger. I didn't even know it was hacking, to be honest. I have an older brother. I always give him props for it. It was his computer, being the older brother. He would always put passwords on it. First it was the Windows password, then it was you can lock the hardware. And then I just found ways to bruteforce it at first. And then later on I would read the documentation of the hardware to see the default passwords on it. I still didn't know this was a thing. And then later on I was just exposed to online chat rooms. I was about 11 or 12, then I learned about hacking. People were hacking emails, and Sub7 back then, and learned about those kinds of things.
And then I got into web hosting a little bit. My web servers got hacked, and then that's when it all took off. I just wanted to learn how to close off those vulnerabilities. And then I was just like, no, it's more fun to know about the vulnerabilities. And then I quit. I became a teenager, went to school, went to college, didn't think there was anything to do with hacking, and then bug bounty showed up, and gave it...
Joseph Carson:
What did you do at college? What did you primarily study?
Ben Sadeghipour:
I did a lot of... So I was into computer science, but I loved, loved, loved digital marketing. So previous to becoming a bug bounty hunter, a hacker, content creator, I did a lot of digital marketing with friends. A couple of my friends' businesses I helped them to get off the ground, restaurants, that kind of stuff. I just never thought anything of it. And then I got into bug bounties, and the bug bounty story's a good one, we can talk about it later. But just with content creation, there came a time where I could use my digital marketing experience mixed with hacking and build something that I've enjoyed doing based on my skills and experiences of the last 10, 12 years.
Joseph Carson:
Yeah. Sounds very much like STÖK as well. STÖK has similar... He was very much into the video creation and production, and to use that definitely, from adding that to his content streaming as well. And so from yourself, having knowledge in digital marketing definitely really helps getting the visibility for sure. Because for me, I think one of the great things, one of the reasons I definitely wanted to have you on the show, is that there's a whole... I come from the old school content creation, blogs and speaking, the old retro style. And I'm fascinated with the whole new evolution that we're having of streamers and those whose... I even think it's going to turn into an esports at some point. I even do see the hacking esports happening and starting to build up.
So for me, I think we definitely need new ideas and new ways to get the information across to everybody, to really help educate and provide knowledge. So when I look at what you're doing, what STÖK's doing, Ippsec, amazing, and John Hammond, I think all of that is fantastic in regards to really changing how we get information out there, because it's so important.
Ben Sadeghipour:
Yeah. And the streaming was a new thing for me, when I got into streaming. How do you stream hacking? And then figuring that out was a big game changer with bug bounties. But I think there's still value in writing blogs, what you call the old school way, the retro way. I did a poll a while ago on Twitter and I asked, would you rather read a write-up or would you rather listen and watch? And everyone wanted to read it, because you digest that technical content better when it's written versus when it's visual. But each of them is a different target audience, but at the end of the day, you're absolutely right. The digital marketing was a big part of it.
I don't have any video editing experience. I have someone that edits my videos, which made my life easier. But just being able to say, those years of digital marketing didn't go to waste, and I can use that experience to build myself a brand, build a community, build something that people want to be a part of, was a huge plus. And it didn't click until later, a couple years ago, when I was like, holy crap, the stuff that I used to do is being really valuable to me right now.
Joseph Carson:
That's fantastic. And so one of the things... You started off getting into bug bounty. Is that where you started, switching into and taking that path? Because you wrote a lot of CVEs as well. You wrote a lot of vulnerabilities. How did all of that start? What was the motivation? What were the challenges? And how did you start into that path of bug bounty?
Ben Sadeghipour:
The bug bounty thing was by accident, I want to call it. So I had a friend, someone that I knew through school. He pretty much said, "Why don't you go look into bug..." No, first he said, "Why don't you make money from hacking?" And I was like, "Dude, that's illegal. It's not easy to do that, especially with my background." And he's like, "No, no, no. Go look up bug bounty." And I think back then it was Google, Facebook, and Yahoo was just getting out of the whole thing about $12 gift cards, or whatever it was, that there were t-shirts people were attacking them about. And as a kid, I used Yahoo Messenger a lot. Yahoo services were really the thing that we used. It's like, I can bet you I can find vulnerabilities in Yahoo. That shouldn't be a problem.
So I pretty much said, screw it with school. I didn't show up for classes. I pretty much started... I had a deal with most of my professors when I was like, "I'll show up for your quiz. I will show up for your test. You let me get by however I want." Now, it obviously wasn't the way... That's not how it worked. But the gist of it was, I will pass the course without coming to your class. My deal was, I would go to YouTube the week before finals and midterms, learn everything, and skip class so I can hack. Or I would go to class and have my laptop open, just hacking on Yahoo, running scans and that sort of stuff.
But I found bug bounties, and I just dedicated pretty much everything to it. And I went on probation eventually at school when they were like, "Get it together or we're going to kick you out." And it was either get booted, leave school, not finish my degree, and go pursue bug bounties, or really get it together and finish school and just get it out of the way. Because at the time I was also an intern at HackerOne, and they really wanted me to go work for them full time. So I said, last year, give it all you got, 16-, 17-unit semester, get it out of the way. I got it out of the way, and once that was done, I was gone. I told myself I could do it now or never. And I pretty much dedicated the next couple years to bug bounties. I learned as much as I could, and I gave back as much as I could, because if it wasn't for the write-ups and the blog posts that were out there, I wouldn't have a career.
Joseph Carson:
Yeah, absolutely. I think from what I'm hearing is there was perfect timing for what you were passionate about. And also, around the 2012, 2013 time, that was all around when it was getting into responsible disclosure. And that's of course when Katie and Casey and everyone was all trying to get these large organizations to work with the hacking community, in order to make sure that there's a way that they can actually get early disclosures of bug vulnerabilities and have a mechanism. So it sounds like perfect timing for your passion, and also being able to make a career out of it. So that sounds like the timing was right at that point. Is there a specific area that you... You focus on web application bug bounties. Is there anything that you expanded to, or is that the area that you prefer to do?
Ben Sadeghipour:
It is mostly web applications. You can throw the fancy keywords of attack surface management for recon. But honestly, recon and bug bounty are the two things that I mostly work on. They go hand in hand. If I want to find more applications to hack on, I need to do some recon and find more assets. If people aren't familiar with recon, reconnaissance, it's just like you're in the army, you look for different areas that your enemy owns, which the companies aren't my enemy, but the target is a company. What other applications do they have online? So I do reconnaissance a lot, and web is a big part of it, just because I think with how today's society is online, everything is a website now. No longer...
Joseph Carson:
Everything's a website or an API.
Ben Sadeghipour:
Everything is handled through a website API. Exactly. People aren't manually saving things in a database. Everything's online. You want to sign up for whatever, you have to do it online. Even some restaurants now, they don't take your orders. You have to do it online.
Joseph Carson:
There's no menus any more in restaurants. There's a QR code on the table you have to scan in order to get the menu.
Ben Sadeghipour:
Yeah. Exactly.
Joseph Carson:
And then when you do the order in person, you have to actually order it, or even book. So everything becomes a QR code or a URL or an API call or application integrations. And you have to do very little in regards to actually read something or talk to the person at the restaurant.
Ben Sadeghipour:
Yeah. And the other thing is, this is not an attack on red teamers, this is not me arguing with red teamers. What you do is completely valuable. I'm not dismissing it in any way. But I don't need phishing as much any more. I don't need to be on a local network to be able to get into a company's infrastructure. You do in a lot of cases, like if you want to hack a new company, phishing is a big part of it, but you also don't have to rely on those things any more, because everything is online.
Joseph Carson:
Absolutely. Everything's publicly facing.
Ben Sadeghipour:
Yeah. You can find server-side vulnerabilities that give you the same access as being in a network, with the same way you can get someone's credentials, bypass MFA of some sort and get into the internal network. You have those too, but I get to do it from the leisure of my house without spamming anybody, versus you have to go drop some USB sticks, go steal a badge or whatever that is. Again, I'm not saying you shouldn't do those things for your company security. I'm just saying my work is, can I get into this company like most of the adversaries do from other parts of the world? And I can do that with bug bounties. And that's partially why I've done a lot of web. I can do a lot of active directory stuff, I can get into network internals, but web is pretty much the thing that I realized is the most fun.
Joseph Carson:
Okay. And so going back, one of the things that you mentioned, which I think is important, when we talk about the old school blogs, is that step by step process, and you're reading and following it through instructions, just like I would've done and you would've done with the manuals of the hardware. You're going through and it gives you the instructions. I think the big difference between them and streaming is that, in the online blog I can go through step by step in my own time. In the streaming, you have to stop and start sometimes. If you're watching it live, you have to... But I think the difference is, you're getting to understand the mindset. You're understanding the thought process.
And I think one of the big changes for me, I remember even when the pandemic started, which is one of the reasons why we even started this podcast as well, was I wanted to keep communicating. Because I'm based in Estonia, and not somewhere where it's easy to get to the hacking community. The hacking community here is quite small, surprisingly, even though Estonia's got a lot of history in security. But one of the things I find, it was Kernelcon a few years ago, when they did their conference online, and the conference that they did was impressive, because they had different hackers, basically, they gave them different tasks, and basically they had to do a task, and you got to see their thought process. When they were looking at challenges and it was the first time they were seeing it, you got to see what they were thinking about and listening to that. And I think that's one of the biggest things, because you start getting into the mindset. You start getting into, when you see something, what is it telling you? So that's where I got fascinated.
I think one of the ones where... I think it was when STÖK met up with you when you were doing the Lyft one, I think hacking it… and I remember watching that a while back, and I was like, wow, that's fascinating, just the mindset and thinking about it. So how do you think about that side of things, where you're starting to get into understanding about, when you see something, what does it mean? And listening to the thought process. I think that's where the streaming part becomes really valuable, especially when you're listening to streamers like yourself and Ippsec and John, you start getting into what you're thinking about when you see something.
Ben Sadeghipour:
Yeah. To be honest, when I first started streaming, I didn't even think about the outcome for others. It was just more of an entertainment for me, of people seeing me get into it, people seeing me frustrated when I do a CTF. I was looking at some of my old videos, people telling me, "You're going to struggle," and me finding a solution within a few seconds, and clapping back at them like you would in a video game. But then it wasn't until later on, when I had more and more people come on the show, because I do interviews, and people were telling me, "You're doing something where people get to look over your shoulder and gain experience." Even though I'm not looking, even when I wasn't finding vulnerabilities, I was calling out why I was looking at something, why I did something specifically that way, or how I ended up where I was.
And then later on, I don't want to drop any names, but there's a hacker that used to watch my streams, would DM me a lot, and I would always miss their DMs, and he's a top hacker on the platform now, on Hacker Buck Crowd. And I went to message him and I was like, holy crap, I follow this guy. I have all these messages from him from when he used to watch my streams. And it just blew my mind to understand... To me, there's been times when I want to delete those Twitch accounts, because I didn't see any positive outcome, because I'm just doing these for fun. But then I see these messages and I go, holy crap, somebody actually took these things that I was ranting about and built some automation with it, or is applying it to their bug bounty and making a name and money out of it. And those were the things that really blew my mind. And I was like, holy crap, there is value in people wanting to watch over you.
Because a stream is supposed to be more entertaining than educational, because that's what most of Twitch is. Twitch sells you the entertainment. You have people like Dr. Disrespect, who is just a complete character, not even real, they're just different characters, and it's entertainment, and I wanted to do entertainment, and then it turned out different.
Joseph Carson:
Yep. I did find that even earlier, a lot of the Twitch streams, even Heath Adams and others that were doing all of those streams, and sometimes there was a part of it that was entertaining. When you clued it with Discord and you clued it with the communication, and people are interacting, there was an entertainment aspect of it. But the things... And what I prefer is, when you're doing the live streams, is you get to see a lot of the mistakes as well. And when you go into the rabbit holes... Even when I'm doing capture the flag, I get stuck in rabbit holes and my head is against the table just pulling my hair, going, what do I need to do next?
I remember doing one in Hack The Box, and I'm pretty okay in the privilege elevation, escalation side of things. But at web application, I suck. Really on the website and getting in that initial access. I remember doing a box on Hack the Box, which was a server-side template injection, and I was just pulling my hair out. I just was struggling, I was going into every single rabbit hole. And one of the things I reached out to someone, a friend of mine who was good in that area, and basically he was just giving me pointers about, you need to look at this. And I think that's one of the things, is that I think that we definitely need... When I see a lot of streams, I think John was even talking on social media recently about, he had a bunch of videos that had him doing a lot of frustration and rabbit holes, and he was questioning whether to release them or not. And I think absolutely, because it's important that we see, when you do go round rabbit holes, how you can get stuck and lost. And it's about finding the time when you can come back out of it again, when you find, I'm not getting any further, when's the right moment in time that I need to stop, come back, look at the bigger picture, and move on?
So for me, I think some of the things that, when I'm watching yourself and Jason doing a lot of the live streams, I find that very, very... There is the entertainment aspect, but I think looking at when you're doing the rabbit holes and you're getting stuck, that's the most educational part of it, because that's where we all get stuck, and we want to find when's the right time to go back and take a look at the initial findings, or go back and take a look at the bigger picture, because that's where we all struggle on, is when we get lost. And it's about, how do we find it again, get back on track?
Ben Sadeghipour:
Yeah. The thing with streaming specifically was, one of the best things and worst things that could have happened to me from my career perspective. Worst thing was, a lot of people saw how inefficient I was. I was doing a lot of things in a very manual way. I tend to stay away from tools. I don't know how to use some commands. And people had this super hacker view of me where they thought I would do all these cool things, and I was like, no, I'm sitting here on a stream googling the most basic things. And I'll get to that a little bit.
And the best thing about it was, it made me more efficient, because people in my chat who were sysadmins or they were developers who were giving me pointers on how to do this faster, better command ways of doing things that I was doing, and so on. So that was the worst and the best case.
But going back to what you said about showing those rabbit holes, me googling things was one of the things that made it okay for people to feel comfortable about not knowing things. Here I am, a top whatever hacker on whatever platform, I'm sitting here googling, how do I look up X? I swear there was a time when I was writing a really quick Bash script, and I messed up a loop. And I was just googling on stream how to do a loop in Bash, oh it’s like, I'm missing a semicolon from my if statement. And I'm like, holy crap. And people are just dying laughing at it. And that's the reality of it. No-one's going to come out on Twitter and say, "I still look up commands. I'm looking up manual for the cd command sometimes." People don't say that.
Joseph Carson:
I've been doing this for a long time, and I even get to the point where I'm on a Windows box and I'm going, is it net localgroup or is it net localgroups? And I always, even today, I do so many typos as well. Because even my typing, I try to type fast, but I end up doing typos, missing a colon, using single quotes versus double quotes. And my mind's always thinking about... And I take a lot of notes. I document everything as much as possible, because I can't remember everything. And when I come up against something again, maybe... So absolutely, we all will do typos. We'll all make mistakes, and we'll all have to google something at some point in time, just to remember what the right syntax is.
Because right now syntax for different platforms, different tools, different commands, they are very similar, but they have slight differences, and sometimes we get overlapping. One thing I'm interested in... I absolutely love doing the manual method, because I learn first, and then later I might switch to the automated tools, because I want to learn first. So are you still doing the manual method all the time, or are you switching to automated tools back and forward? Because I think definitely manual is slower, but it definitely teaches you a lot more.
Ben Sadeghipour:
Depends on what. So the tedious tasks of... So let's say if I'm running a task more than three to five times a day, I'm running a task that relies on a bunch of different command-line tools, I automate those. But exploitation itself, if I'm exploiting vulnerabilities, zero automation is what I'm doing. Unless it's a commonly known vuln like a CVE or something like that, I don't automate it. But I'm not running a script saying type in site.com. This is the image that people have, top hackers are typing in site.com. This command runs out and does this, and it's not like that, man. It's not. Reality is not that. I spend three hours going down rabbit holes of realizing...
I'll give you an example of a recent one. I was sat there for an hour or so trying to get API information out of this API. It turns out, guess what, I don't have to brute force anything. The leading slash was the reason why. All I had to do was take that out, and I was dumping all the... It was API/users, but the leading slash was screwing everything up for me. The trailing one, not the... The trailing slash...
Joseph Carson:
Yeah. The trail slashes at the end. Yep.
Ben Sadeghipour:
Yeah. And after an hour I accidentally removed it, and it dumps the list of all the users. I didn't have to automate that. You can probably automate that, but I get to do it manually, I've enjoyed the process of doing things manually, and I rely on tools for enumeration, that kind of thing that's very tedious and very time-consuming, I rely on tools. But even then, I went through a period of my life when I wanted to learn how to code, and I don't know how to code at all, to be honest.
Joseph Carson:
Yeah.
Ben Sadeghipour:
I wanted to understand… when I mean I don't know how to code at all, I mean I really don't. I can do Bash, I can do some Python, some Ruby, but I can't write a lot of scripts. I can just use Bash to automate things.
Joseph Carson:
But you mentioned you did a lot of web hosting, so you're probably... HTML, I'm assuming...
Ben Sadeghipour:
Yeah, but I'm saying I can't write... So I went through a phase when I wanted to learn how to code, so I was rewriting scripts, like how to enumerate subdomains, for example, or how to enumerate folders and that kind of thing, not because I wanted to be the next person that created those tools, but it was to understand why these tools work, so when I do use them... And I publish, I mean, the code is absolute garbage. I should probably remove it from my GitHub. But it was to show that I wanted to understand, why do these things work, how do they work? So I understand what they're doing before I rely on them. And that's the one thing that I recommend to everybody.
Joseph Carson:
Absolutely. I want to make it clear to the audience, is that one thing is, to become a hacker and become a good hacker, is you don't need certifications. Basically it's something that I know some of the top people in the field, and those who even started in this industry, didn't have certifications. And the second one is...
Ben Sadeghipour:
I have none.
Joseph Carson:
You don't need to be a developer or programmer. I myself, I'm the same. I started off... I know some code, but today my usage of programming and coding is to read and understand what it's doing. I'm not the best at creating, but I have enough skills to read. I started off, I was a COBOL programmer back at university, and one of my first jobs was COBOL programming. And I did Perl, but honestly I've tried converting recently to writing more Python as well, but I suck at coding. But at least the good thing is that you don't need to be a developer to be a hacker. What you need to be able at some point in time is be able to read and understand some of the things it's doing, to a certain point. But absolutely, you don't need to be a certified hacker, and you don't need to be a certified programmer to hack. You just need to understand enough... You need a computer and internet connection. That's what you need. And access to your content.
Ben Sadeghipour:
Yeah, I mean...
Joseph Carson:
If you can read...
Ben Sadeghipour:
I don't have any certifications myself. I want to take the OSCP at some point just to say I did it, if I can get it actually. But on the topic of coding, you don't need to know how to code, but if you don't know HTML much or JavaScript, you can't really figure out what a cross-site scripting is, because it doesn't make sense to you. You can copy-paste payloads, but it's not going to scale. I tell people, learn at least 10% to 20% of the basics of all the... They're all the same. The 10%, 20% is almost the same. It's the same concept of loops, the same functions, everything is almost the same.
But then understanding how... If you want to become a web hacker, my recommendation is, understand what goes behind a website for a tool to work. For my case of a web hacker, understand what HTTP headers are, understand what a port is, understand how self-search work to a certain degree. Understand head posts, help requests. What happens? And how does that engine… how does Apache work? How's things being served to you? Those understandings are things that you should know. But for me it was just, either you have to understand those things, or you have to do what I did, spend enormous amount of times not understanding them, and then googling everything, I will literally google everything. Why is this working the way it is? Or how do I spend on this?
Joseph Carson:
So how much time do you spend learning? Because I think when I'm looking at my job that I do, a large portion of the time is just continuous learning. It never stops. And I could spend all day just consuming and learning information. But what about yourself, how much time are you dedicating to continuous learning and developing your own skills? And what area of focus are you working on now? What's the...
Ben Sadeghipour:
Right now, I don't do enough. I don't have enough time unfortunately to do a lot. But I just actually... Funny enough, now that I'm doing content full time, I made a joke to my friends like, I don't have a job, I'm an entrepreneur. It's completely a joke. I have a lot of time, and there's a lot of things that I want to build. So I signed up for one of these platforms that teach you how to do full stack engineering. I'm not going to become a full stack developer, but it's just I want to build some things that I want to build on my own. Some web apps, you know, some labs that are going to help me get there.
So now that I'm having time, I'm dedicating a Monday or Tuesday when I learn things, or a couple hours a day when I learn new things, so that's my focus right now. I want to really get better at developing my own apps. But also the other thing that I wanted to do is, I'm doing a lot of attack surface management stuff, just because it's becoming a very big part of today's security, and I want to get better at it. And I have some expertise there, but I'm learning more and more things.
So I'm playing with a lot of DNS stuff. Hopefully I can get some content out for it. But I'm going back to learning more and more, just because I felt like for the past year and a half to two years, I became a content creator and a trainer where I neglected my learning days, or my journey as someone who was continuously learning. And now I'm going back to, I have to have a balance of learning these things and applying them. Because especially with hacking, it's a never-ending journey. You cannot say I know everything right now. There's new techniques, new vulnerabilities, new things that come out every day.
Joseph Carson:
Absolutely. Spot on. We can never be experts in everything. It's such a broad industry that there's so many different specialty fields, whether it being cryptography and getting into certificates, getting into malware reverse engineering, to social engineering. This is such a broad industry that the way I see it is, I need to surround myself with really smarter people than me in those areas, and I go to them for help.
And I think that's one of the things that... I think what I am impressed about what you've done is, you have the ability to bring the community together. And I think that's really important, is that not just in the bug bounty community, but also just bringing hackers together and working together. Can you tell me a bit about how challenging is it, especially during the pandemic, to build communities, to bring people together? Because I think that's one of the most important things we need to keep doing. And we need to find ways to at least connect people with certain skills together to others, whether it being mentoring, whether it being helping point them in the right direction, or helping teach them something new. So how important is the community to you?
Ben Sadeghipour:
The community itself is very... I think if you're not a part of the community, it's just going to make it harder to learn things. Especially with our community, with hacking, everyone's very open to share things. There are select people that are elitist or they don't want to share, completely fine. You're not required to share. But I think the biggest thing for me is just, especially when I came in early on, it was just feeling that I wanted to belong to something. I wanted to feel like I was a part of something. And that's partially why I was doing the write-ups that I was doing. That was partially why I was disclosing bugs that I found. That's why I got on Twitter.
But honestly, building a community didn't happen as a thing for me. I didn't plan on building something. The way I explain to people is, when I joined bug bounties, and there wasn't a lot of resources on web hacking... There were write-ups, there was the Damn Vulnerable Web App, and Metasploitable, but there wasn't people telling you, "This is how I did it."
Joseph Carson:
True.
Ben Sadeghipour:
Yeah. There was no one saying, "This is how I found this bug," because it's about money. Everyone's making money. They don't want to give away their secrets, how to hack or was like, why are you telling everybody how you do all these things? You're just going to make competition for yourself. And I was just like, who cares? I understand the money aspect of it. I want to make money. But at the same time, I want to give back to people that were helping me at some point, that I want to pay it forward to the same people by publishing some of the work I've done.
So for me, it was just more of, A, feeling like I was a part of something, and B, who did I wish was out there when I was first getting into bug bounty and hacking? Could I be that person for a couple of people? Can I help them learn from me by showing them my experience, sharing my expertise, and the things that I've learned, I won't say expertise, but things that I've learned in the past seven, eight years, and see if I can make a difference?
Joseph Carson:
Absolutely. I think that's critical. And one of the things that you did recently, you had NahamSec Conference this year. Was that your first conference that you put together by yourself? Or was that something that you've been doing for a while? How difficult…?
Ben Sadeghipour:
NahamCon, this is the fourth year. We're actually doing one on December 17th for Europe. We're doing two a year now. That also happened because of the pandemic. So me, The Cyber Mentor, STÖK, and John Hammond got together, and we were going to host a virtual conference right before the pandemic. We didn't know the pandemic was going to happen, but we were just planning on it. So the way it worked was, me and Heath were partnering together to do something for a charity, for LLS, Leukemia & Lymphoma Society. And the pandemic ended up happening, it fell apart, but we had this event planned virtually for people to donate. And then when the pandemic happened, we were already... It was the first week of the pandemic and our conference was accidentally set for that day. We had no knowledge of the pandemic happening. So we got lucky that everybody was stuck at home, and we had about 3,000 people come up and just watch the stream. Google, Amazon, a bunch of big companies sponsored it, and we raised $55,000 that was all donated to LLS, Leukemia & Lymphoma Society.
Joseph Carson:
That's impressive. And that's why it's always... One thing is, not only can we share knowledge, but we can also do good for the people who need it as well. That's impressive.
Ben Sadeghipour:
Yeah. When that happened, I was like, holy crap, there is something here. My whole thing is, I have nothing against conferences, I love going to conferences, I love BSidesSF, I like Portland's BSides, ShellCon... I gotta think of a few more. Kernelcon was a really good one too.
Joseph Carson:
Kernelcon. Yeah. It's impressive.
Ben Sadeghipour:
Yeah. AppSec Cali, AppSec Global, AppSec DC, 44CON, you name them, I love conferences. I love going and speaking at these conferences. But when I go to these conferences, it's such a broad thing. You have people talking about blue team, red team, SOC, all these different things. I want to just learn how to hack things. I want to hack offensive security. How do I hack into a website? How do I find X, Y, and Z that's going to help me as an offensive web security engineer, whatever you want the title?
So I created NahamCon. There's a reason why we don't have a CFP for NahamCon. I look at what the research has been done throughout the year, and I reach out and say, "I love this research. I love this blog post you did. I love this talk. Do you want to come and talk about it at NahamCon?" If you go on Twitter right now, there's two people that just released stuff in Europe. I literally wrote on the bottom of their tweet that says, "Do you want to come present this at NahamCon?" Publicly. I have no shame in doing that. And they said yes, they reached out, and they want to come and do it at NahamCon.
So it's just more of a... What do I want out of a conference? I'm sure I'm not the only person that wants a focused conference on web hacking. And that's how NahamCon was created. And it's my way of also giving back to the community. We don't charge our attendees at all. It's completely free. It's on Twitch. You can join and watch, you don't have to be following us, you don't have to be a subscriber.
Joseph Carson:
We'll definitely make sure we get all of the links, so we can add them to the show notes.
Ben Sadeghipour:
Absolutely.
Joseph Carson:
For the audience as well. Because definitely, I'm pretty sure there's a large part of the audience will definitely want to attend.
Ben Sadeghipour:
Yeah. But we don't charge people, we have sponsors that help us pay for it, and we give a large portion of it back. We give away PWK… offensive security vouchers. We give… vouchers. We're going to have book vouchers we give away. Most of it, we get these and then we give them back, and we put money into our CTF. John Hammond, God bless that guy, man. He is one of the key players in NahamCon. And I reached out to him very randomly, "Do you want to do a CTF?" Yep. We put it together. I think last year we gave $5,000 in prizes to our CTF, which is one of the higher ends of it if you look. And John gets very creative with his CTFs.
So it's just more of the two people that love the community, being Heath one of them or STÖK being one of them, they join me every time, and then John loves similar things. We all come together. What don't we like about other conferences that we have been in the past? We avoid it. What do we like about conferences that we go to? We bring those on. And every year we experiment with something new, from villages to you name it. We have done something really different every time, and it's been something that I've really enjoyed doing.
Joseph Carson:
That's fantastic. I think that's what we all enjoy doing, is when we get the things that we like at conferences and the things we don't like, and then we try to bring them into the new generation. And that's how DEF CON started, was... It was the evolution of Black Hat, ultimately. It was the next step into really getting where we can actually really share our knowledge in a different audience, and be part of a village, be part of a community. Question, though. Where did the Naham come from? What was the background there?
Ben Sadeghipour:
That is something I've never discussed. Everyone's trying to figure it out. I don't think... Every podcast I go on, they ask me the same question. It's something that's going to always stay a mystery. It has no meaning to anybody. It's not a real word. It's something that means something to me. It's a combination of things as family, childhood things that I put together, and has zero meaning. I've had people tell me they looked it up in a dictionary, trying to figure out what it means.
Joseph Carson:
Trying to decipher it. I think it's really cool. It's definitely memorable, and it's very unique, and you definitely got a... It's something that people completely match to you, for sure.
Ben Sadeghipour:
It doesn't make any... Honestly, I was sitting there, I was like, I needed something that had a meaning to me, and there's a piece of my childhood that came into it, and another piece of a family thing that came into it. And then I was just like, I'm going to be in security, just slap a sec at the end of it. And now that I'm doing branding stuff and content stuff, it's too late to rebrand, so I've stuck to it. And NahamCon, it was just... So the first conference we did was VirSecCon, Virtual Security Conference. Very creative. And then it worked, but then we were like... I sat here with my team and I was like, what do I call this thing?
And we couldn't come up... I didn't like any of the names. I'm just like, I'm going to call it NahamCon. And then I felt really weird about having my own name as a conference. Then I see things like VeeCon for GaryVee, and other people doing similar things. I'm like, I'm not that big of a content creator, but it's normal to create something and name it after myself. But I've also stepped out of NahamCon. I'm no longer the host even. It's less about me because my name's on it. This year it's being hosted by Farah Hawa, instead, last year it was hosted by STÖK and Jason Haddix. I'm phasing myself out as a host, and then being an organizer and focusing on the community aspects of bringing people together more than anything.
Joseph Carson:
That's always important, because I know the pain. I remember, I've been host for a lot of events, and the time-consuming into it, and it takes your focus away from the things you want to be doing, which is around the part of it where you want to be keeping it to what you want it to be. If you're spending time hosting and organizing and planning, that's a lot of time that somebody else can be doing, for sure. So what's next on the charts? What's your plan for... I understand you're going to be doing a lot more mentoring then. And what's next for the plans that you're going to be doing?
Ben Sadeghipour:
My next thing is actually taking my brand on the actual next level, whatever you want to call it. I've taken a step back from... I went from an intern to doing some director work at a company, now became a VP at the next one. And I realized the nine to five was a great place for me to learn all the experience that I wanted, combining with my last experience with digital marketing, and now it's dumping all that into my own brand and company. I don't know where it's going to go. I want to do a lot of content, obviously. My course that I want to update and do more teaching, and then getting into actually helping others get into InfoSec, get their first job, have an impact on the community a little bit more. I don't know. This is week one, as we speak, of me being on my own for my own brand. But hopefully I can start doing some consultancy and doing some work of my own and seeing where it goes.
Joseph Carson:
Absolutely. I think you have definitely the creativity and the knowledge and the passion to really... I think there are very few people who do what you do, and you're changing the community, you're changing the way that we learn, you're changing the way to be able to come together. And I think it's great. For me, I think that's definitely the way forward. And even, I remember early this year I was really happy to see... I was at RSA, and during RSA there's the cybersecurity bloggers' meet-up, and I was like, it's still bloggers who was going to it? And I was so happy that they are now evolving that... I think it was... I invited John across, and Jason came along and we were all...
Ben Sadeghipour:
I was there. I missed you guys.
Joseph Carson:
You were there, we probably missed each other. And I was so happy that they were actually talking about changing the format. There's no longer... it's about content and creativity and innovation, and they're now opening it up. And so for me that was an exciting... I think that was a pinnacle moment of where that old school, new school was now going to the next level. So when Jennifer got up and she was talking about that whole new change in idea, and especially when a lot of the people... we probably missed each other and we were there at the same time. I've got some great photographs of me, John, and Bruce at the event as well, we were all together, because I met Bruce the week before, because he was in Tallinn and we were chatting at the airport. And then he literally went home, and we met up again at the bloggers award. But definitely, I think this is the new... we really want more people to work together and do a lot more live events, because I think that's where the future is, especially for hacking.
Ben, it's been awesome having you on, it's been awesome chatting with you. Any things that you want... For those who are watching, who are wanting to also get into this, and do streaming or getting into speaking and getting into... Either want to become a mentor or get mentored, any recommendations you have for the next generation, or even those who have been in the industry for a long time, and are just looking for something new to get into, to learn?
Ben Sadeghipour:
Yeah. For people that want to get into the whole content creation thing, honestly, it sounds very generic or cheesy, just do it. Honestly, just get out there, and don't let the little minor details get in the way. If you look at my early streams, it's just me in an empty room pretty much, with a webcam and an old laptop that I had I was just streaming on. It doesn't matter. If people want to get some value, they’re going to show up and learn from you. As long as you're giving value and you're giving back, I think people are going to see that and want to be a part of it.
And people that want to get mentorship, want to get started, it's also the same thing. You have to get the experience. You've got to stop learning at some point and start executing and using those things that you have learned. There's nothing wrong with asking people questions, but the one thing that I ask is, I get a lot of heys and yo and hi DMs with no context. If you're going to ask a question, remember the first thing I see is the preview of the message. Hey, I want to ask you about X. Hey, I saw you’ve done Y, I want to ask you about it. Get that person's … I get a lot of DMs. I filter them and try to answer as much as I can, but that opening statement that you have is your chance to get that person to go, this person's asking me a real question, versus can you help me with... And then I open it, and it’s hack my ex-boyfriend's account, hack my ex... That's when you have to be very, very good at making it clear that, I've tried X, Y, and Z, but I'm really stuck on doing this, and can you give me a pointer? Really ask the right questions so people want to help you. Help me help you, is the way I could put it.
But there's a lot of resources. I'm not going to get into them. They're online, go look for them. There's a lot of platforms that you can learn from. But at the end of the day, it's just, you get out what you put in, and you just got to put in the work.
Joseph Carson:
Yeah. You definitely got to put in the work, because it is something... It takes a lot of time and a lot of commitment. And I think definitely at some point in time you have to jump in, you have to take that leap as well. And you got to try it and just get started.
So Ben, it's been awesome having you on. We'll definitely make sure that, for the audience, that we'll definitely get all the links to make sure that they know how to contact you, and to all of your content and your streams and so forth. I'm pretty sure they'll be really excited to learn more from you. It's been awesome. I've learned a lot as well, and it's been great connecting, because it looks like we've been in a lot of the same places, just we've missed each other by minutes or by just being at the wrong side of the room. But definitely looking forward to next time, we’ll have to get some time to catch up and have a good chat. And I'd love to come on one of your streams as well at some point, so we can do some live recon at some point as well.
Ben Sadeghipour:
Love that.
Joseph Carson:
Even with my rusty Perl and COBOL skills. If you ever have a COBOL problem...
Ben Sadeghipour:
I'll let you know. I'll definitely reach out.
Joseph Carson:
But it's been awesome. So again, thank you for coming on. For the audience, hopefully this has been valuable for you. And I definitely think, really getting into content, learning new ideas, being a fly on the wall, watching over somebody's shoulder and learning, is definitely... It's a great way, and never be afraid to ask questions. That's, I think, one of the key takeaways, is never be afraid to... Google is something I use. You're going to forget things. So take notes, write things down, and don't be afraid to reach out. Don't think that we've become experts of everything. Just make sure you surround yourself with a great knowledgeable community who's always willing to help. So tune in every two weeks to 401 Access Denied. Ben, NahamSec, it's been awesome. Take care and stay safe. Thank you.
Ben Sadeghipour:
Thank you. Thanks for having me.