Get help with your cybersecurity career here: https://techualconsulting.com/offerings
Unlock the secrets of smartphone security and elevate your tech career with insights from cybersecurity connoisseur Xavier D Johnson. This episode isn't just about bolstering your digital defenses—it's a thrilling escapade through the tech world, from the cutthroat realms of tech job interviews to the vital art of vulnerability research. Xavier, with his wealth of experience and his non-profit initiative buildskill.org, delivers an action-packed narrative that will leave you armed with the knowledge to navigate the industry's ever-evolving challenges.
Strap in for a ride through our collective cultural memory lane as we reminisce about the days when skateboarding and fashion collided to shape our entrepreneurial spirits. Xavier and I traverse the landscape of cybersecurity, discussing the ethics of digital asset protection and the financial implications of this rapidly changing field. Get ready for a deep dive into the essence of capture-the-flag competitions and the nuances of cybersecurity from a hands-on perspective, all while emphasizing the power of community and networking that propels careers forward.
Rounding off our journey, we probe the evolving interplay between AI and the job market, and how competitive pricing in tech consulting can make or break success. Xavier shines a spotlight on the mission of buildskill.org to advance cybersecurity education and career development, providing a beacon of hope for anyone looking to break into the tech scene. Whether you're a budding tech enthusiast or a veteran in the field, this episode guarantees to equip you with the strategies, stories, and support systems needed to thrive in the dynamic world of technology.
Email: henridavis@thetechtualtalk.com
00:00 - Tech Talk Episode 116 With Xavier
08:03 - Nostalgic Conversation About Skateboarding and Fashion
17:34 - Cyber Skills and Red Teaming Discussion
26:48 - Cybersecurity Ownership and Ethics
39:12 - Threat Modeling and Cybersecurity Discussions
48:36 - Testing, Technical Expertise, and Job Market
58:41 - AI, Jobs, and Pricing in Tech
01:06:30 - Building Skills for Career Advancement
01:16:25 - Blue Team Security Challenges and Practicalities
01:22:20 - Building a Supportive Community in Tech
Welcome back to another episode of the Tech Talk podcast, where we delve into the depths of the digital world with industry experts. I'm your host HD, a fellow content creator, cybersecurity professional and career coach, and today we're thrilled to bring you our guest, Xavier D Johnson. I want you to dive into the practicality of tech with us, as Xavier unpacks the nitty-gritty of smartphone security, especially in high-stakes environments like DEF CON. We're going to cover the essential security measures every tech enthusiast should know when attending tech gatherings, and how to maintain positivity and contribution in a vibrant community. Beyond just safety protocols, Xavier will share golden nuggets on acing job interviews within tech, mastering the art of vulnerability research and the undisputed power of networking. We'll also touch on the topic of the current job market, the ins and outs of corporate America pricing strategies, and how Xavier leverages partnerships with giants like PwC and Oracle to navigate the ever-changing landscapes of tech contracts and cybersecurity demands. Education is key, and Xavier leaves no stone unturned with his new nonprofit buildskill.org, dedicated to giving you the skills to land a cybersecurity career with help from tech professionals. But it's not all heavy technical talk. We'll take a casual detour through fashion, linear nostalgia and even some TV show banter for a well-rounded tech conversation. Fasten your seatbelts as the Techtual Talk takes you on a journey through securing your digital life, impactful professional development and the harmonious balance between tech-heavy and social grace. Don't miss out on this enlightening episode.
Let's get to the show. If you're looking to pivot into cybersecurity, or you're already in a tech role and you're having issues with getting interviews, getting seen on LinkedIn and even succeeding in your interviews, then come check us out. At Techtual Consulting, we specialize in helping entry-level, mid-level and senior-level people get more interviews, do well in their interviews and secure offers. We have helped people increase their salary by an average of 35K. Now what could you do with an extra 35K? I know I could do a lot with an extra 35K, and I want to help you out with that. Right now, we offer consultations, tech resumes and group coaching, and group coaching by ourselves. So in this conference tissue, click the link in the description, techualconsulting.com/offerings, and start your journey in your cybersecurity career today. Thank you, yeah, we good, we ready to start yeah.
Let me see what episode is this this is. I just did 115. I think this is 116. Episode 116. Welcome back to episode 116, the Techtual Talk podcast. I'm your host HD and listen. It's a double, double day and I did it twice and I'm about to do it. So nice, but we got a guest all the way from what you say, Diego. Oh, man, I'm from Detroit. He from Detroit, though. I'm from Detroit, but he live in Diego, right?
now I'm living in Diego right now. He living in Diego right now.
He been on the show before but, today it's in person the energy, Y'all gonna feel it. He own his uncle field shift, oh yeah come on now.
I like to say Al Capone, but we gonna get into it and he is listen.
by the time y'all watch this, he gonna be gone. He in Dallas right now.
He's looking for his uncle field that's all I'm trying to say that's all I'm trying to say Chill, but listen, y'all already know what to do. If you own right now watching on YouTube, hit like, subscribe, hit all, so you can be notified when we drop in everything. And if you don't Apple podcast or Spotify you already know the drill. Leave us a review, share the podcast so everybody can be notified of. Yeah, like this super high fire the sauce. Yeah, we didn't even. I ain't got no questions. Nope, I ain't come up with nothing.
We just gonna talk today. We kicking it, we kicking it.
But X what up though, man.
What up? No, what's happening?
Hey, listen, listen, I'm probably gonna have to cut this off. I mean cut this out because I can't put it on YouTube. I just thought about something. I'm silly, that's why I love movies like that man, it's hilarious. Niggas said. She walked past him and he was like man, I'm just trying to see if it's real. I'm looking for me. I'm gonna say my sister beat your ass. Huh, I was like bro, that shit, stupid man you let a nigga steal your glasses?
Oh man, never. But for those that don't know, we talking about, the movie we talking about, is Buffed Up on Tubi, and that song, all White Buffies, is an infamous Detroit song. I won't say infamous, but it's a famous Detroit song around a pair of buffies which the rest of the world called Cartier Buffalo horns, and that's what I'm wearing right now. I got my buffies on that's why I? Did they all white buffs? You know what I'm saying and I own this pair for shit. I own these since 2015.
So, being from Detroit, is it true, if you got the buffs on, they're gonna look your way, oh for sure. And so if you ain't got them on, you just say I got a buffy issue. Man, it's like, yeah, they're in the shop, yeah, so we remember they used to do this stuff for us in school. So Buffies is the Detroit, what charges is the hood niggas?
for show or army recruits.
It's like as soon as you listen to army recruits charges Camaro challenges.
anything with a high APR yes.
They ready to give it to you with your little sign-on bonus or whatever. Y'all getting them in the shot out to my people in the service. Hey, shout to my boy, my boy Johnny, been in Diego for almost what he might be now, for 10 years now.
Yeah, it's got that effect. It's very mad, it's magnetic.
He in the Navy out there though. So I had like a couple of partners. They was in the Navy so they was out there, yeah, so he working out there.
See, that's different. See, I went out there just to go out there and got stuck out there, not because I didn't want to, you know, not because I was stuck really, but I just didn't want to leave. It's during the pandemic, everybody wearing masks. We can't go eat. We're not supposed to leave the house. We can barely get gas. And I'm in Michigan, it's cold. I'm sitting in the house playing Call of Duty, I'm so childish, because you know what.
what I used to start about it's so cold in the D freeze, all right. So I'm looking around. I actually I was going to move to Dallas. I was going to move to Dallas, little known fact, and I came out here it snowed so bad, the pipes got the busting, the power went out. I was like, oh, this is a sign from God, I don't need to be here. So, even the high rise yeah, I mean, I got to show you the video. It was a spot right next to where we at Number. Just, it was nice, it's probably still ready for you, it is. I mean, I might still have to get it. Dallas, treat me real good, that's Southern hospitality.
Southern hospitality, that's a ludicrous yeah, but, man, for the people who hadn't watched this, well, watch your past episode.
Go back and watch it. Like, subscribe. Who are you? My name is Xavier D Johnson. I'm a serial entrepreneur. I've had a number of businesses, mostly around tech. I started in entrepreneurship in 2004. Had a software company I founded in 2010. Ran that for seven years. Sold it off to General Electric. Started a cybersecurity company four and a half years ago, originally called Enterprise Offensive Security. Ran into some issues with Offensive Security, the OSCP guys, and decided to rebrand. We came out as We Help You Secure. I always tell people, 75% of our brand name is We Help You. That's what we're here to do, so cybersecurity risk management. More recently, started a nonprofit called Build Skill Foundation, and yeah, man, I do a lot of things. I'm involved with a few other things like Mentor and Match. I'm the Chief Information Security Officer there, and it's a mentorship platform for college students and students to find people in industry that they can look up to and follow a path. I keep an open mind. I do a lot of things.
Y'all see, y'all listen. He's trying to hide it, but y'all been seeing the watch, Not the watch Shout out to Bucapong.
Shout out to Bucapong.
You said some stuff right there. First of all, I wanted to go back bro. I was in middle school in 2004.
Yeah, I was in elementary school.
So that's what I'm like. I want to talk about that. Like, how did you, what made you decide to start a company in 2004?
So funny. I grew up on the internet. I was born in 1991. So I'm 12 years old at this time, grew up on the internet and I used to love skateboarding.
You know, if you was born a year later, you could be a part of the people that say we was born a year to dream for like me.
No, no, I ain't get that lucky. But growing up on the internet, man, we had a different kind of set of opportunities and I love skateboarding. So I was just inspired to start a skateboarding company Like yo. I want people to ride my boards, I want people to wear my gear, I want people to use my stickers, and so I came up with the concept and designed some decks, designed a company logo source. You know, this is before. It was really easy on e-commerce just to go find products and the way that we can automate things. Now I would have to pick up the phone and actually call in the Canada the people that would make the hardwood for the decks.
So you went to their phase too. It's funny thing if you was up north, I'm down south. My cousin had a skateboard. I had got like a small skateboard. We skateboarding, we watching Mighty Ducks, we trying to have street hockey teams, we watching Rocket Power Come on, man, that was the way it is. All that. Listen. We playing with. Listen. This is a funny story.
I don't talk about, like, my family a lot. Well, I do talk about them, but in this sense it's funny because as a kid we can't do the generation of the cool boarders, sx, tricky, tony Hawk, matt Hoffman, bia Mix. Hey, my mom was a dog at Matt Hoffman, bia Mix. Bro, I'm telling you, listen, right here and right now, as Shannon Sharp said, I swear for God, the two white men, me and then my other two cousins tell you like we could not touch her in that game, we can touch her in that. She was called at cool boarders. That's how I knew Sean White was years ago playing cool boarders on PlayStation, the OG PlayStation. Back in the day they used to sell the little. They probably still sell them with the little BMX box. You play with them on your desk. Or the Tiny Decks Take Decks. Yeah, see, they don't know nothing about that man.
Kids these days. They got iPads, man, they don't use their hands for nothing. They do.
But you know what, like I said, I got two little girls. As cool as their iPads is when we buy them new toys, they don't know nothing exists. They was playing with new toys when I left, just simple stuff. I love that. I was like you know what? I was putting that stuff in the closet and I was like do kids even have play shoes anymore?
No, kids don't got to play clothes. Right, we had clothes designed to go outside to get dirty.
That's the fact, like for us. I used to ride the bus home to where our land and stuff is. So, mama, she got you some shoes. Most of the time Listen my show. Of course by tech, but I also keep it real because everybody black experience. Come on now. People probably got shoes two times a year income tax and beginning of school beginning of school and birthday.
for show Maybe, but income tax for sure. Come tax for sure.
And if your parents, like mine, they want to spend a whole lot of money in school, you going to shoe department and you, finna, get you some nice shoes, some Reebok, some Nike's or something. Yeah, she gonna say, don't mess them shoes. So you had. So I'm a grandma in them house. I had my shoes that when I want to go play outside in the shoes I put on. Yeah, like I know, a lot of y'all know about that.
You ain't getting another pair. Yes, so if you and they're gonna be dirty if you mess them up. And when you beat them up you know you're going to school.
They gonna talk about you and see, that's when you got to put. You know, when I got a little older, I could like buy my own Air Force ones and you know you get the fresh. But hey, listen, this is this is why, like I be having conflicted things, like I love talking about my tech stuff, I like talking about life too. Yeah, bro, getting the fresh, all whites and I like it. And and trying to walk and not creasing.
Oh man, what type of? Now? What type of things did you do to not crease your white Air Forces? Lift my feet up change the walk change the walk.
When you get home you got to put the socks in it, Getting the force field.
You got to put the force. See, we couldn't get the force field, so we used to take plastic bags from underneath the sink.
These to do is, while I was wearing them, the room I had in the front, I would use the little tissue they put in the shoe.
Yeah, so, it'll make it feel like it's full, but the time they get a little crease in it, man, I had a cousin, so I'm talking about like our same, like we call the country house, is we got a land there and it's like it has road. Then, once you get to a certain spot, is our dirt road. He would get to the top of the dirt road and put some plastic grocery bags on the shoes and walk on home.
Been there, been there, especially when Nelly came out with that two pair. Give me two pair of first ones, oh man.
That's the thing too. Like people's wearing.
Jays. But when F-Force ones was on, they run, yeah yeah. When it was premium F-Force ones, they was coming with football, leather, bronze collaboration, new York Jets and Giants collaborations.
You was you was now see, you had, of course you had the all white, the gun bottom, oh yeah, but then like you couldn't beat, like a good pair of mid white, mid tops, black mid tops, the the black low tops.
I'm not a black forces guy.
See, I was. I had the black low tops before too. It's a mid and then I got put on game. It took me a long time before I started wearing white shoes or white socks. Back then I used to wear white shoes or black socks.
Okay, okay.
And then, of course, black socks or black shoes, yeah. Like everybody. Everybody went on. I got, I got put on that and I had started doing that. And then we wore uniforms. So you got a your fit going to be the khakis. Come on now it's determined on the shoe the uniform shirt, no pocket, yeah, t-shirt, that's, that's, at least that's standard. And then your shorts had to be dickies.
Oh man, come on, man had to be dickies. Come on, man, where you graduate high school 2010. Same year, so we had the same experiences. Them dickies had me in a chokehold, but I had every color.
Yeah, two sets.
Yeah.
You get the official dickies with the different print or you get the dickies with the red logo.
No, it's a different one. I ain't hip. All I knew was cell phone pocket. I needed that. I didn't have a cell phone.
Listen, we, I think and this is what I talk about I like being a millennial, so much we didn't live through the blockbuster, the Hollywood video era.
Someone still had grandparents that had the ring, the notary phone, whatever it called rotary phone, that's what it's called. I love them, I love them. We had phone books. We remember hey, going to the TV guys here on the song man. I still go to the TV guy at most school Because I didn't get digital cable to about 03. So that's when that was out. Oh, so now we got a guy out on here, that's different.
All these HBO channels, boy, that changed the game. That's what see, twitter, let me know, everybody lived the same life, because you'll be like at a certain age when you're a boy, you staying up, you watch, so you really going to be watching. So you got the.
TV real low. I fell asleep with it, with this channel on.
You got the TV real low and so your last button. Everybody got a last button on the remote. Previous Previous channel. You already know, you got it on Disney channel.
Yeah, it's been there. Yeah, yeah, toon Disney Bloomberg.
Right, right, nah, it got to be believable. It got to be believable, right right.
It can't be on Bloomberg, Right. That's the funny thing. You don't care if I don't stop you what?
Right, right, we going to get into tech talk, because he's also a hacker If one of the titles of the last episode was like, he hacked the MacBook at the hackathon. So I want you to actually go back into a little bit there, because we're also going to talk about why people gravitate to want to be on the red team so much and why do they think it's easy. So I want you to talk about that story again briefly about.
Yeah, so I mean, you know, at one point in time I spent a lot of time building applications and running a software company, and so we used to go to hackathons just to make apps, meet other coders, win prize money, that type of stuff. So there's a hackathon in Michigan called MHacks and it was at the Masonic Temple, and we're there and they have all of these different students that are doing the challenge. I'm there as a mentor, a friend of mine is there with his company, General Electric, and they have their own booth and so they have a capture the flag called GE's Red. I forget what it's called with this. I don't know what it's called, Ghost Hacks or something like that, right.
Some kind of CTF platform, a long time ago at that. Right, we're talking about 2016, right? Yeah, yeah, this is like 2016. So I'm like 25. And yeah, so of course, I signed up for the hackathon. I haven't really transitioned all the way into cyber yet. Now I have the skills. I've been spending a lot of time doing it, because that's what you gotta do. You gotta spend a lot of time doing. You can't just manifest it, you gotta. When it comes to cyber skills, you gotta know. Come on now, like you gotta have your tradecraft down. So I've spent time playing with things, learning stuff, and so now I go into this capture the flag and it's all question based. It's like, you know, about encryption. There's a couple of questions about SQL injections and like simple, easy stuff. CEH test? Oh, yes, the CEH test. I bang it out. I'm talking about 45 minutes, highest score. They had took this to Yale, Harvard, MIT, all these different places.
So they were recruiting.
Right, that's how they recruit. So I'm at the top of the leaderboard. My own boy like man. My boy Paul Paul Erikson, really good friend of mine. Go add him on LinkedIn, tell him I sent you. He's like man, I thought you were a hacker. I thought you were gonna, like, break the platform, not do the CTF. I'm like you want me to break the platform. He like I mean, if you can. So I'm like all right, shit, say less, I got you. So I'll go to the platform.
I try some authentication bypasses on the admin. I try and look for admin panels, because of course they have to administrate this thing somehow, and I start looking for SQL injections. I'm like so look, the CTF is running on a server. The server is there on site. You connect to a Wi-Fi network to get there. So it's a local, it's intranet, so it's a local IP address that's associated with the CTF. But it's like 192.whatever or 10.whatever, and so you have to connect to their Wi-Fi to be able to get to that server. So I'm on their Wi-Fi, their own Wi-Fi network. You get what I'm saying, and you have to go to this IP address to sign up with your credentials to do everything through the web platform. So of course I'm looking at it like a web app test. I'm like can I get cross-site scripting? Can I steal tokens? Can I? What do I have?
Wait, wait, wait, wait, wait, wait, wait. I've got to educate y'all. What is cross-site scripting?
Oh man, cross-site scripting is when you use a piece of JavaScript to inject into a website and then that JavaScript then fires off in the context of the application. So the way that I will weaponize a cross-site script is to have something that will look into your cookie jar and give me all the cookies to a remote server using a cross-header request or something like that.
There you go. Y'all learned. I know y'all. We started off just talking about some foolishness, but we're getting into, so y'all can learn this stuff.
Oh yeah, for sure. I spent a lot of time. I love teaching, so I'm trying all of the different cross-site scripting, SQL injection, authentication bypass, directory forced browsing, all types of stuff. Not coming up with much, I'm like whatever. But it comes to my mind like, well, they're running the CTF from a Mac Pro. It's like at the time that the cylinder just came out. Y'all remember the cylinder for the Apple Mac Pro, and I'm like man, I got a Rubber Ducky. Now it goes to show you how far I am on the red team shit, I got a Rubber Ducky on me.
Is that rubber ducky, that little thing that I see it's like, it ain't that?
big. Yeah, it's a little USB device that acts, oh so you got the USB.
The one I'm thinking about is what's it called? A flipper or something, A flipper.
Yeah, the flipper fun, the flippers one. It can do the same thing as the rubber ducky. But this is back back back in the day, right?
so so let me ask you something real quick. So you just plugged the USB in. See, I don't even say that because the last what? Episode? I was talking to somebody and we were talking about how oh, that was on the last year with Miranda. We were talking about how to do from what was it? First Republic Bank, or whatever US Bank, whatever bank it is he was able to plug a USB that had adult entertainment into his work computer. And we always talk about, hey, you can put in controls for unauthorized USB, so that could possibly at least make that part hard enough for you to, where the rubber ducky don't work, you put in a USB in. Well, well think about it, right?
What was really cool about the Rubber Ducky is it's an HID device, a human interface device. So, due to accessibility, right, it's representing itself as a keyboard, so it's not acting like a storage device. So your policy doesn't say, well, you can't plug in external keyboards, because nobody would get worked up. So now your policy has to be something that's user activity based. Like, this user probably doesn't type 10,000 words
a second, right, because you're dealing with a computer. It's sending keystrokes as fast as a computer can send keystrokes. So it's acting. You have something called Ducky Script. So you write the payload in Ducky Script and the payload is effectively control space, enter key, t-e-r-m-i-n-a-l, enter key and then the reverse shell. You're using that to call back out to your host right out in the world. So you're sending keystrokes through, but a human types usually 100 to 130 words per minute, right? So a Ducky Script is going to do 10,000 words per minute, right? So you can have a detection there that says, hey, this just sent more keystrokes than humanly possible.
Then it's probably an attack. But also post-breach, because you would consider it a breach the moment that I have physical access to your device and I've put something into it, it's a breach. So at that moment I breached GE without any written consent, without any real permission, right, just as a dare. I'm committing a felony. Yeah, Computer Fraud and Abuse Act, yeah, and that was scary. So at the time I'm thrilled, I'm having a thrill, I'm having a moment, and anybody who's ever broke the law knows that sometimes it can be thrilling just getting away, or running that stop sign or that red light or no turn on red, it's like that. It's 2 o'clock in the morning, you shouldn't be able to, right. It's a free will thing and it's about agreeing to a policy with a company that you don't belong to. But anyway, nevertheless, I get a reverse shell on that host. I'm able to see a number of things.
Now, mind you, it's Mac, and at that time I was spending a lot of time in Linux and Unix as a DevOps engineer and systems administrator, so I felt really comfortable. So I had a cron job set up, scheduled task set up. I said they got a cron. Yeah, I set me a cron job.
Yeah, a cron job is a scheduled task. It's something that runs on a cadence. It's a file called a crontab file that you can edit in Linux or a Unix system that will run a command on a specified duration, every minute, every hour, every so often on these days, whatever, and it has a certain language that you can use, or a syntax that you can use, in the file that will run a command. And so I was just giving myself more shells, like, every hour, give me a new shell. It's an idea of persistence. And then you talk about a scheduled task. Well, a scheduled task on startup: run this command. So the moment that you turn the computer off, I might lose all my shells, but when you turn the computer back on, I get my shells back. So these are just some of the things that I was practicing with regard to red teaming, right.
I want to read something. Actually, I'm glad you're going into detail Because for my blue teamers, you've been asked in an interview how will somebody remain persistent in their environment? So you're hearing it right now. So I'm asking you this is the only place you're going to get this at. It's a lot of platforms, but this is the only place you're going to get this at 100%. And since you said that, before you go on, you were I don't know how long you stayed in the live, but if you notice, in the live with Miranda, I actually talked about people learning Linux would be one of the foundations of getting this. Excuse me, it's kind of like the backbone of everything, even from offensive security standpoint. How important would you?
say Linux would be. Oh man. I would say that it's so important that I made a living knowing Linux internals and systems administration long before I ever really dove into Windows internals and administration and that while they are completely different domains, they're written entirely different. I was able to make a really good living just understanding Linux and not understanding Windows. Now, through just me wanting to understand Windows better, I went and learned, which was more recently Trying to go back and understand Linux more.
Yeah, Linux is different because Windows is used by corporate and Linux is used by engineering. So I was coming up through that engineering track as a developer and was never really working in corporate IT. But cybersecurity, believe it or not, it's owned by the CFO, because that's in the interest of the financial continuation of the company. Yeah, yeah, so it's actually like, if you have a breach, the last person that it rises up to before they reach out to a lawyer is the CFO of the company. It goes above the CIO, above the CISO, above the CTO. It goes to the CFO, and the CFO and CEO make the decision on if they want to enact their cyber policy, et cetera. But, long story short, that falls under a corporate structure. So a lot of the things that you're looking at in cybersecurity from the corporate side is mostly around Windows domain, that type of activity, because not a lot of people run their enterprises on Linux. No one I know actually runs their enterprises on Linux.
Yeah, yeah, that's the saying, that's the thing. It will help you out, especially in IR. I've talked about going through an interview process and this is a thing too. I tell a lot of people, if you could be self-aware and knowing what your weaknesses may be, take it down and then go learn it and then eventually it won't be a weakness. No more Linux forensics. I had dealt with, like you said, in corporate environments, a lot of people using Linux, so I'm knowing, hey, what would I do first, I know the high level things would I do, but if you want to get intricate, I'm like I don't know.
I can learn it, but that ain't my expertise yet. Listen, that's how I felt the first time I heard about a shellbag in Linux. I mean in Windows. I said, shellbag, what is a shellbag? Right, I still. It's still a little like on the IR side I'm not really strong there, you know what I mean, and there's a lot, there's a lot there in forensics and incident response, a lot. And you kind of alluded to the differences between and kind of like the different skill sets. I've spent some time at a forensics company called Keevu. I ran their entire red team. I ran all of their what they called it, information protection or assurance, or something along those lines. Probably information assurance.
That was like before cyber security and information security got hot, it was information assurance, oh yeah.
Oh yeah, and it's crazy. You say I'm working on an insurance project right now. I'm not gonna talk too much about it the federal contract. I'm blessed to be able to have it, but it's assurance is a whole different beast. In security, oh it is, and it's an ongoing thing and it's a lot of money that gets spent where it's like security is much more around keeping things safe and assurance is around making sure things are safe and it's just so. It's a different mindset. Yeah, yeah, I think that we need that. We need a big push back into the assurance side. We're starting to get lost into security.
I think a lot of people are lost in the sauce when it comes to like a lot of stuff, when it comes to cyber or just like, like put like everybody. Let me say this: everybody wanna go average 30, but had not put in the work to even average 15. That's what they want and I would say it's contributing to a lot of outside factors. People see a lot of these people. Hey, I just walk out of bed, I got in my Porsche, I went and got some Starbucks.
Hey, you can go work from home too and do that. Like you sent me something the other day. Yeah, bro had the same playbook. Bro was in the range like hey, you can get in the cyber too, I can get you in cyber in two weeks.
I said damn.
Right, and I seen you liked my thread the other day when I was talking about like I've helped somebody get in and double their salary in less than two weeks, but that's not ideal.
You can't just sell that after you get what I mean.
No way I could tell you I mean I could, and then they'd be mad at me, like would I be upset, they mad at me If my goal was just purely money driven?
No. One of the things about cybersecurity that's very, very, very important is ethics. Sometimes that's having hard conversations with people. Sometimes that's just telling people the truth. You know, being ethical is the cornerstone of working in cybersecurity. So if someone's telling you that they work in cybersecurity and they can get you in cybersecurity in two weeks, they are unethical and they are wasting their time being unethical on small fries. They might as well go be unethical and go all the way to the top. Print money, do ransomware, go make some real money.
It's only a subset of people that that applies to, that can go learn some stuff in a short amount of time and get it back.
I have a friend that was already pretty much in a subset of security in the sense of working, being a product manager in PCI DSS, and I said, hey, go take this course right here and get this, and then they had texted me like yo, I just got off from here, they offered me like 70k more. But that's only people that already got skills. I'm always typically, most times, dealing with in between no skills to I'm mid level stuck, whether I do, or sometimes I deal with like some people that got 10 years in the game like me or yourself, and then that's a little bit different. Okay, now you just gotta be strategic with how you move.
Well, you know, that's the reason. It's funny you say that. That's the reason why I started BuildSkill Foundation. That's the real reason, man, is to help people that are on all different paths or, excuse me, at all different points in their journey. Right? So there's some people that are pre understanding of even the domain. There's some people that are early understanding of the domain, and then there's some people that are advanced expert level, that are looking to get to the next level. Right, 'cause there's still something after expert: management. After you are expert at IC7, you're going to be an M2. You give them some like, you restart over into the management track. So you know, BuildSkill.
The thing that makes us unique in this foundation is that we are challenge based. So, instead of me giving you videos, instead of me giving you slides, I'm telling you, okay, we talk about the pen testing and the red team thing, right? So for a penetration test, you need to do a port scan. So I'm telling you to go do a port scan, and then what you do is you go out and research, you're okay, you know, what is a port scan? What tools can I use? Or I could say, go do a port scan with Nmap on this IP address or this web address. They go and they do that, and then they have to deliver that to me either in written or video format. So, yeah, yeah, I'ma chill on it, because it's really important, like what you were just saying.
No, it is, and it's also why, I think, why platforms like TCM thrive, because of that PNPT, of making people present your findings to whoever and write it down. It's practical, because that's what people are paying for. Your company is paying for that written report.
That's what I sell. People ask me what do I sell? Cybersecurity? Yeah, sure, but I sell a report. All right, I show up to a meeting, look like this we go out, we had drinks the night before or whatever. But when it comes down to it, when I sit down with you, I do an executive report and I'm giving you a readout to your executive, to your boards, whatever, and letting them know hey, this is what we found. Here's the severity in our opinion, here's the remediation, the potential impact, and we kind of leave it. You know, it's mostly just a report, right?
Yeah, we'll get on that, especially like oh, how do you? I mean, they got calculations, but I'll probably ask you how do you guys calculate possible?
Oh man, that's difficult. Impact is difficult Without demonstration Right.
Yeah, but no, I mean that's good, as you said that, because there are a lot of people, like I said, they not putting in the work, they complaining. You gotta put that work in. You got people getting mad at people all the time, like I just showed you. It's just a whole bunch of. That's why, if people ain't know anything about me over the years, I'll probably, I'll be on Twitter but post less and less.
It's just too much BS on there, I started to fall off of Twitter.
I like it sometimes, but this is like you, or whatever you're upset about internally, is coming through your tweets.
And you're like directing it to other people. It's a projection, like I said I was talking about. I tried to vlog that but I didn't really vlog cause I got like busy but I was like nothing you would say on here would make me want you to get fired. I don't care what it is, cause at the end of the day I don't have to agree with you, I don't even gotta engage with you. That's the whole thing. I don't have to. I can block you and move on. People be so hurt. They want people to get fired. Yes, like if you don't. This is a thing people say stuff is similar or is similar to in real life. I said my girl about this is like that, the Gen Z generation and this person probably is not Gen Z, but just in general they used to say and whatever they say and they can say they the internet generation.
They don't think people gonna put pause on them. Oh, so in and similar. You say something to somebody online and then you don't like what they say back, but the difference is you can block them, you don't have to say, hey, you don't have to engage this person right here, like it's lame, especially if it's two black people doing it. Yeah, that's hard enough. That make it worse. And I read, I retweeted, that I was just like. This is why I don't go back and forth with certain you can't, I'm not gonna sound like people.
I remember one time somebody asked me about being misogynistic. I was like I love women. Bro, come on, I don't say none of that hate women. I was about to say I'm what my boy say on baby boy. I'm gonna say what he say that he called him Unstable creature.
Oh, unstable creature. That's what he called him.
I'm just being funny. But just in general though, it's just like if you deal with women in real life and online. There are a lot of similarities.
Yeah.
Women have no problem with going low in the concert. If your mama can have one leg, you make her mad.
That's why your mama got one leg, she walking with a cane and she keep playing. I'm gonna take the other one away.
That's what they do, so imagine what they do online if they can't get to you. Okay, you ain't gonna be working on Tuesday, so you just best just it already look a little sassy when you arguing with women anyway, just leaving alone. Just gone about your day and women in the comments can let me know. But I was like I just don't, I don't got time to it, like, even if I can fry you, I don't want to.
I'm a lover, not a fighter man. We're gonna get some drinks, You'll probably see it.
But all things can be done through a conversation If you want to hear each other out. But if you're just going to be mad, and hey, it is what it is. That's the reason why, like social discourse is like stupid. Sometimes it's like I would prefer, okay, certain only conversations could be had via talking. Yeah, it should only be. It should be conversational. And then it turns to this and that and just people misinterpreted things. But I gotta say I think a lot of misinterpretations are based on what's in here.
But what?
you've been through Perception and it doesn't let you see the whole picture. That's pretty much what it is, but after you did the hacking for GE, what on GE?
what did that lead to? Man, sorry, I had access. I got nervous, left, went home, the next day reached out to my boy, Paul, let him know. Paul says, oh man, thank you for telling me, because we didn't know what was going on. You know, our detections picked up on it. It was going off. We started the incident response. I can let my boss know. And then, you know, he let his boss know and his boss reached out to me and, yeah, we had a, we had a kind of interesting conversation and that led to the sale of a software company and the start of me doing red teaming over at GE, which is one of the most prestigious red teams in America. Yes, GE red team is like the most leaked, is past Project Zero.
I had the fact that I ain't seen it.
Yeah, yeah, Mubix. Mubix worked on my team. He was a part of the GE red team. Yes, I mean. So General Electric, you know they have their conglomerate to have about five, five to seven, it depends on where they're at now, different companies. There was GE Digital, GE Healthcare, GE Lighting, Oil and Gas, GE Water. So you have all of these different, you know, companies that make product. They are not a software company, they are a product company. So you know, aviation. You have to red team an airplane. You know what I mean.
But you're also getting into. I have a person that I need to get on the show. I actually need to text him because I'm trying to be on his team at JP Morgan. Yeah, outside of red teaming, I think encompassing of what you're talking about a red team in the plane will fall into a threat modeling.
Oh yeah, for sure. That's a big part of red teaming, most important part.
Yeah, and. But I'm saying even threat modeling is a niche now.
Oh man, it is. I was getting paid a lot of money to do tabletops. You talk about threat modeling. I'm walking into companies, I'll talk about, damn, I wish I could say who, but you know, I'm walking into big companies that impact us every day and I'm making up scenarios like, what if you opened up a PDF that had JavaScript and it was a worm, and I mean shit, that would be really hard to pull off. But that's their threat model, right, and they're like, well, we wouldn't really know how to handle that. And then I help them remediate, come up with ways to be able to recover, because some of it is, some of it is zero day.
If you're in the right industry, some of it is zero day, and so then it becomes well, what happens when the light goes off? Right, we talking about those kind of companies. What happens when the lights goes off? Well, now you know you need to have a safe and it needs to be fireproof and it needs to have an incident response, and these have disaster recovery. You need to move to another region.
You got to have a DR plan. A DR plan, come on now. You got to, and you know, 3-2-1. Explain 3-2-1 to them, explain to them, you know, the different ways to back up. It's just, there's a lot there for threat modeling. It's really fun. So, if you feel like you want to get in the cyber, spend some time digging into threat models, because what that will do is allow you to be able to speak to what reality is and what you're up against in the industry. So advanced persistent threats, they leave tool marks everywhere. Learn what tools they use, learn what techniques they use, learn what procedures they follow, because then what that does is empowers you, no matter if you're on a red or blue team, so that you can identify the anomalies, like, well, I should go check this file.
My job is our team. Was well, not my team, but the team we were sent up to was anomaly detection. Yeah that's a big thing, and that's what they was all about.
Assurance falls into that anomaly detection thing because you want to make sure it like yeah.
No, but like. That's what you're talking about. That's why I like a lot of the like. My advice for a lot of stuff is so simple yeah, but it's like you know from Detroit, so y'all got bouncing, you know? Shout out to Crunk Jim.
Oh yeah, Detroit yeah.
But it's like, hey, you can't get past a good one too. Yeah, you can't, it's always the same thing. My advice, well, to a lot of people is the same thing, like yo, get on BleepingComputer, TechCrunch, Krebs on Security, anybody who's reporting the breaches, and read up on them.
It's going to inform you what's happening, like right now. It's not. The breaches are not that technical. I mean, the biggest thing I know right now with the social engineering part of it is SIM swapping. Yeah, well, and I got a video that I plan to eventually make on it with a company that has software to try to protect you from being able to be SIM swapped. Yeah, that's interesting. That's where it's at, because initially they made the MGM hack look like it was simple.
Yeah, it wasn't, but.
I was like, no, they did some reconnaissance. Yeah, they looked at who these people were, whatever they saw on Twitter or LinkedIn, then they SIM swapped them.
Yeah.
And that's how they got in. Yeah, that's a part of, a big part of the beginning. So he's like, hey, what happened? I've seen where people don't, if we even take it off of SIM swapping, don't identify somebody the right way they need to, and that person's like, hey, yes, it's my face on my phone, not that. Exactly, and that's why I said the other day I was like, hey, y'all be killing help desk. But a lot of companies been breached because they got to get help desk. That's true.
This video will be sponsored by Level Careers. It has a 14 day money back guarantee. It's a self-paced course, eligible for reimbursement, and counts for continuing education. Here are some of the reasons why you could choose cybersecurity: high demand, job security, competitive salary, work variety and fulfilling work. The national average salary of information security analysts is 113,000. You're taught by Josh Maddacour and here is the brief overview of the course: theory introduction, security refresher, security frameworks, security regulations and standards, security operations, SIEMs. And then you have these great labs with Azure, Microsoft Sentinel, secure cloud configuration, and they help you with job planning and job hunt execution. Use my code to try out Level Careers. You get 10% off by using my code and you'll be taking the next step in propelling your career to new heights.
Now back to our scheduled program, and I think that in the future it's going to be even harder, because now we're starting to get to the point where we're going into passwordless authentication and they're going to be pushing notifications through authorized applications.
I got a. It's not a hot take, but I actually think that, I think companies going to start doing away with the MFA push. It's getting too risky. Like I remember, like a while back, my personal email, I got a push and I recognized it and I went through my thing, logged in, and I was like, I don't recognize this, so I changed my password. See, a lot of people are not aware what's going on because, like, I don't remember ever putting it into anything and that password is not like guessable, yes, but if you wake up in the middle of the night with your phone keeping on vibrating, and then do the Face ID and maybe you hit something by accident, you go back to sleep and wake up and everything gone. So that's why I was like I changed. I don't get pushes to my personal account no more. I have to go into Microsoft Authenticator and put in everything I need to.
That's how it is on my Facebook. I got to go open up and go get a code, a login code, out. Not only get 10 login codes, and after 10 logins I got to go get 10 codes. Yeah, so after the password, after the 2FA or the YubiKey MFA.
That's the best one, but see, get a code on top. We used to work with people at TSA. They said they should use the little RSA token, so they was calling in to get more like tokens and stuff like that.
RSA fob, though.
Yeah, man, it's crazy though, man, but I'm glad like we're able to give them like this candid conversation of like blue and red. I mean everybody is like, are we talking blue and red? It's football, football practice, defense coming to make offense good, offense coming to make defense good. That's what it's about. When it comes to the tabletops, like I remember we discovered a tabletop that was done by a, I ain't going to say too much, I'm going to say CS. If you, everybody who's in the security industry, you should know what CS stands for, especially when it comes to the EDR.
They were doing something in the environment, but on my shift we actually saw it, and so the manager was like yo, hey, y'all caught this, but take, hey, don't tell nobody because it's probably a tabletop for tomorrow. So they already in the environment now and they're going to start spinning up stuff tomorrow and we're going to do a tabletop. So it was just like, technically, we seen. It was like we don't recognize this, like who is this? It's, it's, yeah, it's some, it's some giveaways. When you understand, like we'll, we'll spend some quick. So that's when they call us and put us in the call about it. So that's the thing, and that's one of the biggest things I tell people when it comes to IR, like IR, SOC work: knowing your environment, that's like one of the key skills. If you know your environment, you'll know what's an anomaly and what's not.
And knowing your environment is not always just knowing the specifics to your environment, but what the norms are for that stack. Like, if you know what the normal system looks like of Windows 10 at rest, then you will know everything that's different about it and then you can consult with your customer about all of the differences and configurations and they can let you know that's approved, that's approved, that's approved. It's documented here. This isn't documented. But that's documented here. This isn't documented. Then you are able to identify gaps and also potentially able to identify what the attacker did to change configuration and or their tool marks, as I like to call it. So you know, knowing your systems is very, very important, especially if you're doing a test like the OSEP, where you have to do privilege escalation and everything looks like, listen, we've been getting to that, 'cause I don't think I should just last time.
So earlier I was talking about why people think they can just rush into red team, and I feel like red team is one of the least entry level positions out there, come on, I don't think it's entry level, but then I'm a gatekeeper if I say that, so I'll be quiet I don't think you're a gatekeeper, I just think you got to be really skilled.
I've already been labeled as too late, but because people understand they just want to go, I'm going to be Mr Robot, I'm going to do this and that. I'm like, there are contractual things you have to abide by. If you hit the wrong subnet or, what are you doing? You're probably going to be fine. You might get fired. I don't know. I've never been a part of red team. You got to notify. Hey, we're going to be testing this, this and this. You can be imprisoned, you can impact business operations. Yeah, one of my companies we cannot use Nmap because it could potentially stop the rides from going at the amusement park.
Man, anytime you do a HIPAA test, when you're testing a hospital, you can't use Nmap because you can kill someone.
Yeah, people don't know this. As much as technical stuff is, it's a lot of non-technical stuff, and we've seen the banter back and forth about you non-technical, you technical. I'm like everything make the world go round.
Lord have mercy. Again, back to BuildSkill. But I'm right, because, like, all of this stuff is learnable. It gets better with repetition. But this technical versus non-technical thing is nonsense, because if you're technical, your job is to be able to explain it to the non-technical people. That's your job, right? Like the CEO of my company. Well, I'm the CEO of my company, so I got some technical. But the CEO of my customers, right? They're typically not technical people, they're business people that understand finance. That's it, they understand. Come on, they understand how to grow a company. So it's up to you to be able to actually explain to them from a technical expertise perspective, dumb it down for them all the way to a third grade level as to why this is important, how it happened, how to make it better. And if you can communicate effectively, we talk about those soft skills, you rich forever. I'm like Rick Ross.
There you go. That's John Doe. Hey, that's my jam right there. Hey, ho, this is my jam right there back in school, man, but I want you to talk about, like, okay, let's do this real quick. You got a person, you got a mentee. Hey, Xavier, I want to get into, I want to be a red teamer. I've been working at Taco Bell. What do you tell them to go do? I ain't got no skills, but I'm interested. No skills, but I'm going to try TryHackMe. Right now I'm the top 5%.
You're the top 5% of TryHackMe. Oh, you already started. That's usually where I will send you. I will send you somewhere like that. Go get some training. First thing, like, you got to spend your own time training. That doesn't mean paid training. This means training, all right. Sometimes you got to pay for a course. Sometimes, and I don't know how far it is going to be able to go, sometimes you got pirated courses. Right, there are ways to learn things for cost, cost effective. Me, it's training. Knowledge is free. Rest in peace, Aaron Swartz.
Could they actually find some of the training?
here at the library. You know, in some ways I can't say 100% that you can, but what you will be able to find at the libraries are things like Windows internals and systems programming, Linux internals, and these things give you an understanding that's much deeper around how the computer works, which will make understanding the cybersecurity aspect much easier. So if you want to get into cybersecurity, the first thing I usually tell people is, hey, either, A, go take a course that's aimed at getting you into cybersecurity, or, B, you have to start from the computer aspect of, like, you know, how does the computer work, how is it architected, what's the architecture? That sort of thing.
I think a part that we leave out a lot when it comes to red teaming is the physical aspect of it.
Red team is red team, not pentesting.
Right, because we leave out the physical security. People Like, how could you do some reconnaissance? That's okay, I just gained access. But I need to gain physical access to something.
Funny enough, I don't get a lot of that. I've been lucky enough to work for a company that has given me some of those experiences. I even have an article on Dark Reading that was done about me doing a pen test in another country and kind of like the dangers around being black, breaking into things in other countries. But yeah, that aspect is less talked about and kind of is less popular. There's just not a whole lot of it. It's tough, like some companies.
I know, like when I worked at Goldman Sachs, you came into the building and you had to use a certain elevator and you got the extra access card. But so that will require one or two things. You steal from somebody, watching them long enough that they forgot. They thought they left it, but you stole it. Or the company is in with you on doing this physical pen test. It's called an assumed breach.
But an assumed breach usually doesn't go over into the physical portion. They really want to know their exposure physically. So that'll come down to sometimes stalking the person up to a certain extent. It really comes down to scope, right, man, scope is everything.
Have you watched Jack Reacher? No, Jack Reacher is a series on Prime, Amazon Prime. At that, they had a lot of tech stuff going on.
Season two Jack Reacher yeah, I got to check it out.
I did some social engineering on the people at the front desk. I've been into suits lately. I was in the suits and then we just like bro that keeps telling the same story but different ways, oh yeah. And we just like we started watching, found I haven't seen that.
Found is a series about a group of people that are all had issues with possibly being held against their will or being abducted, and they worked together to find lost people. Oh shit, and they do it different, different ways and they got a dude. I think you'll like it. They have a guy who is scared to go outside but he's cold on the computer. He cracks everything. Oh he a hook. Huh, yeah, he cracks everything. Okay, yeah, I'm gonna check him out, but you probably like it, though it's like probably one of the more interesting Found, yeah, found, it's on Peacock, peacock, okay.
Say less. It's on Peacock. Oh, that's a free ad for y'all, peacock. Hey it is, yeah it is.
I've been talking about Found a while, like on Threads and Twitter. I just talked about it because I felt like it's one of the more interesting shows, but then, like, my main show we probably watch every week is Raising Kanan.
Okay, no, I'm not, I ain't following that. They didn't lost me Really. Yeah, they lost you. They lost me in the last series in power. That's when they lost me in power.
Well, you know it's about money, so that's why, like it's technically a way, ghost is technically still alive. But I ain't gonna lie, though Tariq been putting on a masterclass of acting in his own spin-off, really, yeah, okay, because you know he been acting for a long time.
Yeah, so, he been putting on the. It's pretty good. It's pretty good. Okay, it's still good advice. He about to usurp it because of the acting. They got in it with the chick that plays Raq, who was Kanan's mom. They got a. I don't know if you watched Snowfall, but if you remember the dude, you remember the dude that had to kill. That was their buddy. I can't think of his name, but Franklin had to kill him at the park. His cousin got killed. I forgot what his name was. I'll show him, but he's playing in it. I cannot think of the actor name who plays Marvin on Kanan. Did you ever see the HBO show Ballers with the Rock?
Yeah.
You remember Vernon friend, the life skin dude that was always making jokes at just around? Oh, yeah, yeah, yeah, yeah. So he plays a character named Marvin. It's, I ain't gonna lie. It's like the acting is like, say what, it's pretty good they be doing that job and the funny thing is most black people know the phrase like starving, like Marvin, and almost every scene or every other scene Marvin's eating something and that's always like one of them, tropes like paying the back to you, like Marvin always eating and he's like I'm starving, this is what I mean and he always eats them.
But so now I know you've been like a serial entrepreneur for a while, so you might have been going through these different apps and flows.
Oh, yeah, oh you have, non-stop. Talk about it at the job market. You say yeah, oh, yeah, for sure, job market is directly reflective through contracting opportunities. So I'm gonna give you all a piece of game. Working for yourself is really just taking on a multitude of jobs and having a multitude of bosses. I work for a number of people at any given time. They look at me as a resource, right, in business. You got resources, so maybe they can't fill a spot internally because it's so specialized. A lot of people don't dig into what my specialization is and I'll tell y'all. I'll give y'all the game, man. Y'all might come and take it from me. I want y'all to, because we need more help here.
But my specialty is iOS. That's the thing that differentiates me from everybody else and it has for a very long time. I am one of the best reverse engineers that, I mean, I know, right, with regard to iOS, and I spend a lot of time honing that craft and spending money to hone that craft. Like there's a course right now for $3,500 that I'm hovering over the buy button on just because it's like that important. Yeah, it's that important to me. I want a little bit more feedback from it before I, before I click buy. But yeah, like you know, being in the iOS space is really my, is really my thing. So if you go to Google and you type in iOS fuzzing, I'll rank with Google Project Zero for their, you know, how to fuzz on iOS. So that's, that's my space. And then my secondary space is around AI. I can hack AI.
That's what we, that's what was funny enough. The episode I shot this morning, we was talking about that, of getting into AI and the dangers of. We was talking about whether from business, we're talking about politics, for, like them, using the AI to clone Biden's voice and use some voice command. It's all around ethics. Then we started talking about personal.
You know, you got a little chick, you talking to whatever they know how to make your voice sound like you and the girl hating on your chick. I'm like yo, that's why he was over here last night. And now the AI voice sounding like you, talking like you, was over there, and now you got problems like, listen, I was here last night while you tripping Right. Well, that sounds like you, like all the problems that it can it can do for you.
There's a lot of problems.
Like the guidelines. That's the issue and that's why, like a lot of like what you know what I know is a lot of comes like a lot of people and I was like, hey, I'm taking all the jobs. I was like a lot of companies not even to the point where they can do that, because there's no guidelines or parameters around AI right now. Who has the data that AI is accessing? That's all being worked out right now. So a lot of you don't know that and that's why I think that's what's happening to y'all, but I'm like it's not yet.
Not yet, so learn AI and get into it. One of the other things I want to learn about as well is, like, a company I interviewed with like two years ago, they have smart cities. They are a subsidiary of Toyota called Woven Planet and it was pretty cool. They ahead of everything they have. I don't know if you're a Naruto fan, but they got a. This is the thing in Naruto that Sasuke does, called a Susanoo, and all of this is like a freaking. Imagine whatever height you are, and then it's like this thing that's like five to 10 times your height. It's like big cast of shadow, biggest, probably like this building or whatever, and the cast like that's the shadow over you. But they got a smart city called Susanoo.
And that's there.
I think the specialty that they were working on is like how to upgrade the EVs and everything else Interesting, Like all the difference, so like.
So being an early adopter is one of the things I kind of like look at, is like a lot of times, like, yeah, that's a differentiator, right, like when we talk about, you know, getting jobs in cyber and keeping jobs in cyber and skilling up. Finding the thing that differentiates you is important, but the job market is directly aligned with the amount of contracts that are available. So you're a resource. So if the job market is soft, there's going to be less contracts available. If the job market is strong, those same jobs that you're trying to fill, typically they'll take a contract for it.
I think that's the way that they actually been moving towards. Instead of, I've seen more contract roles, less full-time employees, and more interns. I've seen that a lot with the companies.
So I mean like, when you think about it, right, if you're looking in an industry where the job market is soft, right now you're going to have a harder time getting contracts. Right now we're going through a lot of tech layoffs, so it's a little bit harder to get some tech contracts right now. It's going to be, it's just it's a little bit more difficult now for cyber, especially. Defense is different because we've seen a big push in the people investing into the defense, the defense side. Now for offense, you know, thank God for requirements and regulations. You got HIPAA, GDPR, PCI DSS, all of these, are these? All these different requirements say that you have to have a penetration test on file. You have to have. You know, if you're working as a government contractor, you have to have CMMC, right, like you have to have a certain level of cybersecurity to be able to work in certain industries. So I feel like the ebbs and flows aren't 100% there from that perspective. But you know, generally in the tech space is, you know, when you start to deal with the jobs coming and going, it can be a little bit of a thrash. Now what I've learned is that I work best offsetting that to another person or another company. So I partner with big companies like PwC, partner of mine. Oracle, partner of mine. KPMG, partner of mine, right. Deloitte, partner of mine.
Now they have a. I ain't got them yet. Come on, I put me together. I got all. I got the big dogs. They consume in the services, they consume in the product. That's really where it's at, because what happens is it's easy for them to say, hey, Xavier, top of the year, we're slammed. Okay, you need resources, I need resources, I need help. Okay, right. And then March rolls around. Hey, Xavier, great job with all that stuff. I'll let you know when we need you. It's just a, it's a high, then it's a low. Now they might not need you again until April or October or December.
So a little free game, I guess, for the audience. If you're so, I'm under the assumption that you're doing all these things C to C. Yeah, always corp-to-corp. How do you decide what you want to charge for C to C? Cause I've heard like one of my good friends, she told people, hey, if you're going to possibly go into corp-to-corp, take whatever salary you get per year. And she said, divide it by a thousand and that's what you charge per hour. That was for what she was doing.
I think she got like a lot of connections. That's basically just doubling up your bill rate, right, based on whatever I get. I can understand that perspective. For me, I'm going to be honest. This is honestly a little bit of corporate espionage. I know it sounds bad, right, we talking about ethics. It's a little corporate espionage. I need to know what my customers, I mean excuse me, my competitors are charging. That's how I got it, right. I know my nearest competitor charging 325, I'm on 250. I know my nearest competitor charging 250, I'm on 75.
Hey, actually, sometimes I ask what is it that you wanna pay for this? What's your budget? What is your budget? I can let you know what I can do for that. You might want 40 hours a week. For 70 hours, I mean $70 an hour. Since it's corp to corp. I might got somebody who just got into the industry that wanna take that. I can guide them, mentor them through your project. Make sure that there's a high success rate because of that right, because I'm there helping you and I might only make 20 bucks an hour as a company, but I put them into a $50 an hour job. Now they're making six figures technically right, if I can keep them.
But you pretty much sometimes do what the contractors do.
Oh yeah, because yeah, okay, cool, you gotta eat, because a lot of it is building relationships. I came in to PwC, I did one engagement. It was $50 an hour. It was a one-off and then I spun back around. I got $150 an hour on an indefinite contract. I've been out there partnering with them for years now. Some of my customers go, well, Xavier, you charge me $325 an hour. I do, but I don't do what I do for you for PwC. Everybody has different, right?
Yeah, it's, it'd be funny. Fellas, women, you got your people you talk to. You do different stuff for this man, you do different stuff for this woman. Same way with your customer. It is what it is, relationships matter.
I tell you what, man, PwC got five years of full-time work for me. I already got 10,000 hours lined out for them. So if I see that with you now, a $325 customer, it might only be a 40-hour contract, I might have to have this pen test done for you by Friday, which, okay, like that's it. You come, you won and you done. Now you're looking at, you know, a $10, $20,000 kind of project, but you know that's one and done. Yeah, you looking at PwC, they want to give me $20,000 a month. You get what I mean.
So it's yeah, so outside of that, man, let's talk about your program. Okay, yeah, what you want to know about it? This is like, well, for one, do you gotta be in Detroit to get access to it?
No, highly mobile, 100% browser based. So it's online, buildskill.org. We still growing. It's very fresh. Please go there. You can sign up.
I'm looking for more curriculum. I'm developing more curriculum. That's what we're raising grant money for. We are a nonprofit. We are waiting to get our 501(c)(3) tax exempt status, but we are a Michigan registered nonprofit as of right now. Shit, by the time you see this, we might have our tax exemption status. We've already submitted, so it's just a matter of time.
And the platform again is there mostly to challenge people, to give them the things that they need to know. You don't know what you don't know. So if I can help you discern what skills you have and what you don't have, and then I can get you to prove that out, then building your portfolio and I've got your portfolio peer reviewed, then if you do what we call our certification pathways, which is a number of courses coupled together, think about Linux Systems Administration coupled with cloud fundamentals, coupled with cloud security. You take those three courses that will lead you to AWS certification. See what I mean. So if you take those paths, you actually do all of the coursework and it's pass/fail. It's pass/fail, so you submit. Let's say, on average one of our courses has about 50 exercises you have to do. So let's say you have to do three courses to be able to get AWS certified. So now you have 150 exercises that have been peer reviewed and if you do that, you can just get a certification voucher from us. We'll pay for your certification, 100% free. We don't take anything from you, not a social security number, not a driver's license. All you need is the first name, last name, email address and password. You come sign up through the browser.
You select what course you wanna take. Let's say, right now we have an introduction to cybersecurity course. You go on there. The first exercise is gonna ask you to create some kind of document. The next exercise is gonna be do a port scan. The next exercise is gonna be do cross-site scripting. We're actually challenging you, and so what happens is you take those exercises, you create the documentation, either visual or written. You submit that to us. We have industry professionals from IBM, Qualcomm, Apple, Google. They actually will look at your work and let you know if it's good or bad. These are your future peers, your future managers, your future customers.
You're now developing a muscle memory of what it's like to gather requirements, go out and do your own research, execute out delivery in a way in which your customer can understand it, receive feedback from your customer. After you've done that for three or four courses, 50 exercises on average, you've built a portfolio up of what? 150, 200 exercises. So now, yeah, you work at Jack in the Box, you work at Taco Bell, but you just show me you know how to do a cross-site script and turn it into remote code execution, or a SQL injection and turn it into a lateral movement to an Active Directory domain. Like you just prove to me. And the person that says you know how to do that is a red teamer from Adobe, is a red teamer from Google, is somebody who I would wanna hire but I can't even attract to my organization.
There's a lot of companies that are in the mid-market that can't afford to pay $170,000 for a security researcher who might not find something for the first three months. They might only have 50 bucks an hour. They might only have $104,000, $50,000 a year available for you. You get what I mean. And so now we're opening it up where that's life-changing for you. You were just making 30, 40. If you in California, you might be making 50, 60 working at the fast food, but now you, I think they starting at 25 an hour out there from McDonald's, I mean, you know, I think Michigan's still only paying $7.25 an hour. So it's rough out here, bro, right. And so like, yeah, of course I'm starting the nonprofit with Detroit in mind, because we have a tax base that I wanna raise. I wanna be able to get people into position where they can buy a house, where they have skills that are transferable from industry to industry. You can work in oil and gas, you can work in healthcare, you can work in payment card industry, you get what I mean. You can work in defense. So I'm looking at it from that perspective.
And again, BuildSkill Foundation, notice it's not called CyberSkill Foundation, right. We wanna teach technical skills and beyond that. So that's accounting, bookkeeping, right. Web design, software development, architecture, right. We're looking at it from that perspective of how can we get into different industries that require you to have a technical know-how? And then we'll teach you how to teach yourself and we'll give you the feedback you need and we'll provide you the portfolio and then from there you can get the certification voucher. Now, of course, after the cert voucher, we have programs, not only that we're creating but also partnering with, to help staff people. So now you're gonna be able to get some of those soft skills. We're gonna help you with that resume building. We're gonna help you get through your LeetCode interview, right.
And so I'm still working on this. This is my vision. This is my dream. BuildSkill Foundation is a real thing right now. buildskill.org is live right now. I would encourage you to go check it out. If you are a person that shares this idea with me, please come. I will let you know how you can become an instructor. Right there on the platform, you can make your own curriculum and you can upload it. It can be paid, it can be free. I always encourage free. It's not something that I can pay for right now. I don't care to get paid for it. You know what I care most about? Giving people the path that I wish I had. This is my life's work accumulated into one platform. This is how I got to where I'm going.
I don't have an OSCP. I don't have a CISSP, I don't have a CEH. I never did. I only got two certifications, AWS Certified Solutions Architect, and I got the Security Specialty, and I did it because I was going to re:Invent and I had been working in cloud since 2010. I was working with AWS when it was just S3. So I'm like, I know all of this stuff.
I went in. I literally read the frequently asked questions in the parking lot before the test, went through a ticket and walked it down. Oh, I know it is, I know it is. But they can go back to my Twitter and type in AWS, yeah, oh, no, man. You can ask Paul Erickson. You can ask all my peers that worked with me at Dynatrace when I did it. You could probably go back to my Instagram and look at when I was hanging out with the guy who created A Cloud Guru. And you can go and look at my license. I got a license number on my LinkedIn. You can go see when I took the exams. You'll see I was at re:Invent and I took them two days apart from each other and I passed them on site.
Hey, listen you got receipts. So if y'all want to come my comments and say he's capping.
Go check it out first and see if he's, man, I know people think I'm capping and that's fine. I spent a lot of time in the industry and I've had a lot of great opportunities. I've had amazing partners, and I tell the story from the perspective of glory. I could also tell you a story of struggle. I can tell you how 100,000 turned to 50,000. I can tell you how a million turned to 100,000. I can show you how this shit breaks down, where the people you thought that was gonna take care of you took care of themselves, leveraging you, and so you can make it about capping or not. But I spent a lot of time, and the people that know, know, and I'm not here to prove anything. I'm here to help. We help you. The name of the company is We Help You Secure. The name of the foundation is BuildSkill Foundation. We here to help you. We here to help you build skill. We're gonna help you build skill. That's period.
Yeah, so two people came to my Miranda. We know you busy, but get on it. But also a friend of mine is in Detroit Jury. She was on Miranda's live last week. She's from Michigan, I think she had Detroit right now and her name is Rita Cyberboss. So you should, oh, that's her, she in Detroit.
Yeah, oh man, I never knew that. Yeah, yeah, yeah yeah, she's supposed to come.
She was in Dallas for a while. I was supposed to come back. We'll see if we can make some shake there.
I've been tapped in with her. Yeah, so I got an event in March in Detroit, March 23rd, I need to tap in with her. Man, come on, that's with my bro and my brother. Man, listen, we all flew out to Dallas just to be here. Man, I came from San Diego. My business partner, Coral Fowler, he came here from Detroit. I got my home girl, KJ. They all out there in the lobby drinking and chilling, man.
You didn't think I knew about that, Dearborn, he living Dearborn. Shout out to my man CJ Goodfeller, Goodfeller Sports TV. I'm going to say boxing, but it's not sports TV. Shout out to CJ Goodfeller, he put me on that Dearborn a long time ago, him and, you know, it's a lot of funny stuff. I could tell you that I kind of don't know about Detroit, but it's like what, East
Lansing and I don't know, I know I ain't. I don't know nothing about Lansing, I only just know a dude. Oh shit, that's when she can stay.
Yeah, I know a little bit about East Lansing, Ann Arbor and all that.
I know a little bit about Ann Arbor. Yeah, I just spent some time on the college campuses, I bet.
Yeah, that's it.
Back then I used to go as Javier. I never went.
That remind me of a dude. I don't know if you got a TikTok. It's named Gerald Hudson. I don't got no TikTok. He, he, he wore, I think he went like the glasses with the cameras in them.
Oh man, so he's like talking to the people.
And he's shooting game at chicks and he's like hey, my name Hubert, but they call me Hubert, though you got the res and yeah, he began out a number. He risen, yeah, it'd be funny though It'd be, I could be a lot of stuff Like he'll go in there and use like some song lyrics or some stupid like Get him going. Or he'll go, he'll have some videos where he'll go me and hug and people say, oh my God, uh, uh, what he who? You hugged somebody the other day.
Eddie Guerrero. Oh, I see, I see, I see, I see them do that.
I was like, bro, that was definitely Chavo Guerrero.
For real. So I got a question for you. Yeah, with the nonprofit Um for the, the, the blue team perspective, is there things that we can distill down to just be challenges for people to go out either? Deploy tools, read logs, capture logs Like is it, is it. Can we have something like the blue team on our platform? I don't do a lot of blue team, so I'm just curious.
Yeah, yeah, I could, cause. I think now a question got like all the open open source stuff People like talking about, like the Elk stack like open source, yeah, yep. But now this is why hands down, my favorite probably like provider like security tools right now probably might be Microsoft, because you can get their SIM solution, microsoft Sentinel, you can send up your own instance in.
Azure Free. It's 20, $200 credit, and then you only get charged for the amount of logs you ingest. Okay, so I turned my stuff off, for I killed the whole environment one time because I put these third fees from Alien Vault and they kept on coming in off a logic app, and I was like, oh nah, let me, let me turn this off. And now what you?
just said right there, that would be an exercise.
So yeah, the exercise will be:
go set up your Microsoft Sentinel, make sure you got these permissions, make sure you have multi-factor authentication, user roles, yeah.
Hey, go, go in your Sentinel. Like one day I just saw my clients are like, listen, a lot of us are struggling with, you want to find our projects. But what I was like, just do it. I was like, I was sitting down one day, I was like, I want to send my CloudTrail logs to Sentinel.
Let me figure out how to do it. Here you go.
And I figured out how to do it. There you go, and so my class. Anytime I do something in CloudTrail, it goes straight to Sentinel.
See what I mean. And so something like that would be an exercise on build skill, yeah, and then someone like you would go and either look at that video or something like that would be a video. So we would ask for them to create a video of them doing that and then prove that it works. You would look at that and go. That's how I would do it.
Yeah, and you take it from there. It's okay. You got all these logs in cloud. Well, go do some crap in CloudTrail, there you go. And then, hey, make us, make us some detections.
Yeah.
Let's see if the S3 bucket makes some alarms. The simple one let's see if the S3 bucket is made public or not. Yeah, simple stuff like that. So, yeah, it's definitely a way to do it, and that's the thing too is like people go get the courses and everything, but they don't know how to make it practical. That's a defense and that's what people struggle with Like even if you say, like I've been, I'm so busy.
But a lot of times I'll like, hey, okay, cool, I need an open source alternative for a Proofpoint or something. Like so I'm going to find one eventually so I can help people out with it, and in there you can just learn different things, because, people, that's the gate, that's real gatekeeping. Some tools you can't touch unless you work at a company. Oh yeah, for sure. Can't get access to CrowdStrike. You can't access Tanium. No, you got to be working somewhere to get access to Tanium, that's how these.
But you know why? Because if I got access to it and I learn how to reverse engineer it and bypass it, come on now. I wish I could get a CrowdStrike Falcon license. Hey, listen, you can. I mean I can, but they gon charge me. They're not going to give it to me for free. Can you get the demo? I don't know of a demo. I know sitting on one for a long time didn't have a demo.
You should be able to get like a demo trial of it, since you got your own domain and stuff.
Okay, well, you know we'll talk offline about it, but a lot of those people set that stuff up intentionally. So threat actors have to have an end.
They have to act as an enterprise. I know, I just like a gatekeeping thing where you just can't get access to it, man, like a Cobalt Strike.
You got to have a company to buy a Cobalt Strike, right. To even get an evaluation license you have to email from a.
I mean, think about it, everybody just had a Cobalt Strike. So that's, I mean that'd probably be like a whole another.
I mean, but we all got Metasploit, yeah, but I'm not going to get there, I'm not going to stop, I'm not going to site. There's a, you know, I'm saying I think you got Kali on your phone. Oh man, I don't need, I got it, I got a remote server. You know what I'm
saying, they said hacking everything. I got it, so you go to, what's that conference that you say, hey, take your burner phone to DEF CON? I thought it was another one. Is it DEF CON, DEF CON, DEF CON?
DEF CON.
So you want to just not have your phone with you at DEF CON? I bring my phone to DEF CON every year. Really, what, you got it and you got in the protective thing so it can get. So at one point in time was I just hacking people's phones? Yeah.
Yeah, I mean, you know, it's like this Attack surface area. We talk about attack surface management, right? So cellular phones have a limited number of ways to interact with them from the outside browser, text message, email, bluetooth, wi-fi. So you turn off your Bluetooth, you turn off your Wi-Fi. You always dealing with email threats, you always dealing with SMS threats. So when you go to the conference, your threat model you're, you're, you're, you just turn this off, you just turn it off. Yeah, like you get on that you know.
Yeah, yeah.
You know. And then, like, you got to think having a 5G phone helps because we don't know of any 5G exploits, right, so keeping your phone on 5G is already something. Okay, let's say you can't keep your phone on 5G, having the VPN turned on, right, like, even if they compromise, you get what I'm saying. The network that can see a traffic is stuff like that. So I've never had any problems. I've never had a password leak. Not saying I'm impenetrable, I accept the risk.
I think it's really I was going to message you and say pause.
I ain't going to do you like. Yes, that's heavy, pause, that's heavy, but I am impenetrable. Yeah, from that perspective.
But I want to ask you like, like, what are some things that you maybe want to lead an audience with?
Um, man. So one of my major things that I want to leave the audience with is keeping a positive energy, having a positive perspective, mastering manifestation, speaking positive affirmations, being kind to yourself, being happy, collaborating. Don't think that you need to do things alone. If you feel like you are alone, go into an environment where you're no longer alone, no matter how hard that is for you. Sometimes that don't mean moving locations. Sometimes that don't mean joining clubs. They could very well mean, you know, going to events, writing, finding events, but you know, de-isolate yourself, become more of a community member and then, if you're doing all those things, be approachable, remain approachable, remain humble, keep being helpful. We Help You Secure, we help you, we. Right, I'm starting that with the word we for a reason, is because I don't want it to be something that's about me. I want to foster a mantra, a model, a mentality within the organization that all of us are here to help you. All right, and so you know, those are a few of the things that I would definitely like to leave. And then another thing is, if you're trying to get into this industry, the tech industry, you're trying to get into this industry, you have to go to tech conferences, and yes, I know they are expensive. If you do not have the money, show up and just hang out in the lobby. You may bump into a person like me that goes, hey, I've been in there, I've already met the seven people I came here to meet. Here's my pass. Or I'll walk you over to the person and say, hey, you know how you was going to give me a free one? Give the free one to this person. Or hey, come on now, going to the. I've had many doors open for me. I've had many, many, many, many conferences that I do not have to pay for. The year before the pandemic, I went to a conference once per month. I'm back on that, where I'm traveling in, you know, January I was in Detroit.
February I'm here in Dallas. March I'll be in Austin for South by Southwest. April we'll keep it moving, right, and so being out in the world, communicating, networking, being vulnerable, but then also going out is not as important as doing the work at home. So never be shy about doing the work, right.
Also, one thing that I learned from my mentor, Paul Erickson, one thing I learned is that you should always be interviewing. You should have an interview per month. One interview per month, because what it does is it not only teaches you how to interview and makes you more confident, it also potentially provides you more opportunities that you didn't know were out there. But then it shows you what you don't know. Right, I had an interview with Apple and, of course, I run my own company. I've been running my own company for four and a half years, but it's Apple, right.
I had an interview with Apple and it went about 80% good, but that 20% was the thing that decided, was a determining factor, and it was around some crunchiness for me around ASan, which is AddressSanitizer builds that you use when you're fuzzing so that when things crash, you can actually see at what memory address, how the control execution was flowing and what the actual error was, right. And so he was asking me some more advanced questions around that, because this was for Apple's SEAR team, which is their number one iOS hacking, I'm talking about. They figure out all the zero-click exploits. That's what I do, right, like, that's my world. So you know, I stumbled because I'm nervous. Shit is Apple, right. You know what I'm saying, but I learned something from it. And now it's like, if I got those same questions, I would be totally comfortable in ASan and I might have something that comes up, especially in vulnerability research, which is where I live, right, and I would love to have a conversation around the difference between red teaming, pen testing and vulnerability research, because we talk about this as if they all blend and they don't.
Vulnerability research it's a completely different monster. It pays well but it's very demanding, depending on your customer, and it's the bleeding edge. It's the real research portion. Penetration testing is kind of like you always have findings. It's finding based research. Vulnerability research is much more around, like we were talking about impact and discoverability, those sorts of things where red team is like long term, covert, persistent, you know, tailored access, but nevertheless, you know, that's that's what I would like to leave people with. You know, just stay positive, stay happy, stay hungry, be helpful.
If you're in a position to help help. If you can make curriculum, make curriculum. If you want to write an ebook, write an ebook. If you want to come and help me out at build skill, come, help me out at build skill. I humbly ask you to, because it's not for me, it's not for my mom and it ain't for my pockets, it ain't for my legacy.
What it is is this for the people that look like us, that come from where we come from, that's dealing with what we dealt with, that didn't get the opportunities that we got. And so, as we build this ladder up, we have to continue to push some of that ladder down so that other people can climb up on it and teach them how to build the ladder, so that they can help us build more ladders down to help people come up, because eventually we don't fall off. Right, you might fall at the top. We talk about the ebbs and flows. If you fall off and you help a bunch of people beneath you, you never really going to fall off because they all go exalt you up. Hey, you should be my manager. Hey, you should get this opportunity. Hey, you know. So you know, just continue to stay humble, stay hungry, keep working. You know, enjoy life.
Yeah, cool Now, and I forgot to ask them this yeah, where can I follow you at on either Instagram or Twitter?
Instagram, I got a private page which you can try and follow me. Xavier underscore. Xavier underscore Johnson. LinkedIn, my name is Xavier D Johnson. Instagram, Twitter, I'm infinite, I N F E N E T, you know. So, yeah, that's really how you can get in touch with me. I like to interact mostly on Twitter when it comes to cybersecurity stuff. If you're a professional and you want to continue to build your professional, you know, acumen or know-how, et cetera, reach out to me on LinkedIn. I'll love to have an interesting conversation with you through comments or even through messages. You know, if you have a product that you want to have some testing done for, you know, feel free to go to wehelpyousecure.com. Feel free to email me, xavier at wehelpyousecure.com. I'm very approachable. I got the same number for the last, shit, since 2006, 2005, I've had the same phone number. So if you look hard enough, you're going to find my number. I'm not a shy guy. I'm not hard to get in touch with.
Listen. My man said he ain't hard to find. You know not either.
Yeah.
I'm glad y'all tuned into the episode. It's been another leg. I don't even want it to be over Kickback episode.
I know we doing after.
I've been looking at the time we finna see. Maybe I'll put the vlog out yeah, I don't know, and we might start the vlog right now. Subscribe to the page so you can figure out what we're getting into Come on but I appreciate you all for rocking with us. Until next time, peace Love.