Know your community – Steven Seeley

You all know him from Twitter as “mr_me” (@steventseeley) we are proud to interview Steven Seeley! Vulnerability researcher, Ruxcon and HITB speaker, founder of Source Incite and a long time Wing Chun student!!

Questions

Q: How many years have you been working in the security field?
A: I have been working in the industry since 2008. So, I’m coming up for my 9th year now.

Q: What was your motivation for getting into the security field in the first place?
A: Honestly, like most, I just wanted to break stuff. A very different reason now of course.

Q: What was the first vulnerability you found?
A: I don’t quite remember. But if I had to guess, probably a Cross Site Scripting (XSS) or a Memory Corruption vulnerability that I totally didn’t understand at the time. Ha! Well we all had to start somewhere!

Q: How did you feel when you found the vulnerability?
A: Ecstatic. This feeling only increases as I keep learning vulnerability classes, exploitation methods and vulnerability discovery techniques.

Q: Did someone help you?
A: Many people helped me. I wouldn’t be where I am if it wasn’t for several people (most of which probably don’t want to be named). However, if I had to name one, it would be Mati Aharoni (muts).

Q: What is your field of expertise in vulnerability research?
A: Currently I am focusing on High-end Desktop, Enterprise and SCADA application vulnerability discovery and exploitation on a variety of OS platforms (except mobile).

Q: Is there some security research field that you always wanted to learn but never had a chance?
A: I always wanted to get into kernel vulnerability discovery and exploitation. I’m a user-land guy, because I enjoy finding and exploiting the first point of entry (which is typically via a user-land / web vulnerability).

Q: What would be your dream job? pure research? exploit development? relaxing at the beach?
A: On the beach with the source code to life, with of course, a full outdoor muscle gym.

Q: You are a very experienced researcher and you had the opportunity to participate in many security conferences both as a speaker and as an attendee. What is your favorite security conference?

A: Actually, I haven’t. I haven’t spoken or attended that many conferences! But I would have to say that I like HiTB in Amsterdam as it’s a very professional conference and still keeps the hacker mindset at its core. Also, I find a lot of Europeans attend HiTB and are typically more intellectually challenging as people.

Q: What kind lectures you like to attend? listen to?
A: Almost anything on vulnerability discovery, reverse engineering and exploit development. I prefer the technical talks, the fewer the memes, the better!

Q: How do you choose your lecture topics?
A: If it fits with my areas of interest, then I’m down. Also, if the speaker has a history of releasing actual technical content, then I will probably attend. I like to learn from others that walk the talk.

Q: What do you love most in conferences? (conference events – CTF / hacking village / Hack the badge, drinking parties etc)
A: Definitely the socializing. However, I’m not a big drinker which doesn’t work well in our industry hence why I haven’t attended many conferences!

Q: What is the most exotic place you attended a security conference at?
A: I think Amsterdam. But I would like to make it to Japan one day for Code Blue

Q: In which country, have you been surprised by the size / quality of the security community?
A: I’m certainly not biased but I would probably say Australia to be honest. We have a relatively small population yet the technical expertise out of Australia still surprises me. We have to remember, this is where WANK (the computer worm) and Julian Assange were born. We naturally like to give up the middle finger, that’s the Australian culture.

Q: In your opinion, how did the international security community change in the past 5 years?
A: Two words. Bug Bounties. It turned the curious, casual hacker who would normally be criminalized into a payed superstar. It’s not for everyone but it has certainly has helped secure folks, there’s no denying that. Here’s another two words. Full Disclosure. I have typically seen a drop in full disclosure due to the above two words. In the end, “dem good feelz” don’t pay the kids college education.

Q: Could you please tell us about the Australian / Mexican security community?
A: The Australian security community is fairly small yet highly technical. There used to be only a few main conferences in Australia such as Ruxcon, Breakpoint and AusCERT which kept it tight. Recently though, several friends of mine in Australia have since started their own conferences and are doing very well such as SecTalks, BSides, CrikeyCon, WAHCKon and Unrestcon across Australia. I think this is great as it grows the community even further.

In Mexico, the security industry is quite spread and diverse. We have BugCON and AppSecLatam (OWASP) which encourages security research and helps build the community. But from what I can tell, there is still a large gap with government, industry skills and education. Whilst the education system is largely free, it’s quality is somewhat substandard. Last year, for a semester I taught Advanced PHP Vulnerability Discovery and Exploitation to Master Comp Sci students and in the end, most just wanted to get a passing grade and nothing more. Whilst disheartening, it really opened up my eyes and encouraged me to try and help even more.
Of course I could be wrong about all this!

Q: How has the Australian / Mexican security community changed in the past 5 years?
A: Well to be honest I haven’t been present in either Australia or Mexico for the last 5 years! But within Australia, I see that the education of information security and technical expertise just steadily increases. This is something that I want to try and encourage here in Mexico, as it is the root of developing a strong technical and welcoming community.

Q: When you start a new research project (vulnerability research on a new product) what do you do to prepare for it? do you look for previous vulnerabilities? do you read the documentation?
A: I certainly look at past vulnerabilities and try to find technical details, if any. This helps guide my approach to determine if I should target similar issues or go green as they say and take a different approach. Depending on the target, I will read the documentation. But sometimes the fun of it is simply in this mantra: “I have no idea what this thing does, but I have a root shell”.

Also, I find that documenting any quirks as I go along in the testing, like pieces of a puzzle that can possibly be put together later is very helpful. It doesn’t always have to make sense straight away but if you find a vulnerability, then often exploitation can be easier with these documented quirks!

Q: As an offensive security researcher, how many times do you get “shady” emails / contacted by unknown companies asking about acquiring vulnerabilities? and what is your funniest story for someone who contacted you?
A: Honestly, I get tons. I can’t share any at the moment because they typically get trashed quite fast and I have decent spam filtering. I have several funny stories, but they are better for in-person conversations!

Q: Today you are founder of Source Incite. What services does Source Incite provide?
A: We offer vulnerability discovery and exploit development services.

Q: How many people are there in your company?
A: Well, I am just a one-man show. Possibly looking to contract a few people in the near future, depending on projects that come up.

Q: What is the most innovative project you did as offensive security researcher in the company?
A: Something that’s under NDA currently. But recently I have been having some fun targeting JavaScript engines built upon ECMAScript. Vulnerabilities like this can be easier to exploit and are very satisfying at a technical level.

Q: What’s the single most important piece of advice you would want to give for someone seeking out a career in the security filed?
Share and learn from others, but most importantly learn to teach yourself. You are the master of you. With this concept, you will learn to separate the signal from the noise. You will learn to eliminate the ego and understand the power of “the free will”. Also, get out often. Live a little, life is about balance!

Q: What are your hobbies?
The list is endless and not necessarily in this order…
Wing Chun, Fitness, Diving and of course studying esoteric systems such as Hermeticism.

It was a pleasure, Steve, to talk to you

You’re welcome.