![](\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/01\/SeungJin-Lee.jpg\"\/)
<\/p>\nOn our last blog post \u201cKnow your community\u201d we interviewed Ionut Popescu from Romania. Today we had the honor to interview Beist (SeungJin Lee)!<\/p>\n
Introduction<\/em> <\/span><\/p>\n Questions<\/em><\/p>\n Q: How many years have you been working in the security field?<\/strong> Q: What was your motivation into getting into the security field in the first place?<\/strong> It turned out they had one or more IP address and port number that were used for connection to their server. I connected to the MUD game through a popular Korean BBS. The BBS was responsible for charging me according to how many days I played per month. I was thinking to myself \u201cHow the BBS calculates charges if I will connect to the MUD game directly and not through the BBS? There would be no way.\u201d<\/p>\n So I gave it a try. I figured out the game\u2019s IP address I was playing but I could not figure out what was their port number. So, I learned how to use telnet, it could have been much easier if I knew coding (Making an automatic script that tries to connect from 1 ~ 65535 ports), I literally typed myself \u2018telnet target_ip [1-65535]\u2019 in a way of total brute-forcing. I\u2019d tried the poor brute force attack for days. One day, the connection message popped up and I was exhilarated.<\/p>\n The funny part starts from here. Right after the attack success, I realized this could be called \u2018hacking\u2019 even though it was super lame. So, I quit the game just right after that, and went to a library to read computer books. And I joined a wargame site called \u2018hackerslab\u2019 and I was getting knownto infosec guys in Korea. Eventually, one security firm called CyberResearch wanted to hire me when I was 16, and of course I took the offer.<\/p>\n Q: What was the first vulnerability you found?<\/strong> Q: How did you feel when you you found the vulnerability?<\/strong> Q: Did someone help you?<\/strong> Q: What is your field of expertise in vulnerability research?<\/strong> Q: Where and when do you conduct your research (office \/ home \/ coffee shop)? On your free time? Late at night? <\/strong> Q: You are a very experienced researcher and you had the opportunity to participate in many security conferences both as a speaker and as an attendee. What is you favorite security conference?<\/strong><\/p>\n A: Although I used to like big security conferences until a few years ago, I\u2019m now moving to smaller ones. Am I getting old? I can\u2019t name every conference I like here, but I love SYSCAN (Singapore), CODEBLUE (Japan), BREAKPOINT (Australia). Of course, there are awesome conferences in Europe as well.<\/p>\n Q: What kind lectures you like to attend? listen to?<\/strong> Q: How do you choose your lecture topics?<\/strong> Q: What is BoB?<\/strong> Q: What do you love most in conferences? (conference events – CTF \/ hacking village \/ Hack the badge, drinking parties etc) <\/strong> Q: What is the most exotic place you attended a security conference at? <\/strong> Q: You also meet different security communities around the world. Tell me about the security community in South Korea How big is the community?<\/strong> Q: Do they help each other \/ new guys, with training?<\/strong> The government supports the community in many ways. One best example might be BoB (Best of Best) which is a government-funded program. Its purpose is to make next generation cyber researchers. Many middle and university students apply to BoB and only talented students get into the training. There are top hackers as mentors and they teach those students. <\/p>\n Q: How do you contribute to this community?<\/strong> Also, I\u2019ve joined other security related programs as a supervisor. Named to advisory council for Cyber Command in Korea and a member of information security committee for PyongChang Winter Olympics. <\/p>\n Q: In which country have you been surprised from the size \/ quality of the security community?<\/strong> Q: In your perspective, how did the international security community change in the past 5 years? <\/strong> Q: As an offensive security researcher, how many times do you get “shady” emails \/ contacted by unknown companies asking about acquiring vulnerabilities? and what is your funniest story for someone who contacted you?<\/strong><\/p>\n A: An unknown person asked me to sell a google chrome 100% remote code execution + sandbox escape. He said $10,000 should be enough according to the google bug bounty price range.<\/p>\n Another guy wanted me to teach him about how to find bugs in modern web browsers. $50 per hour rate he offered me.<\/p>\n Q: You are GrayHash’s founder, What was your motivation for creating it?<\/strong> Q: What services does GrayHash provides? <\/strong> (By the way, we\u2019re about to release our first security product to public. It\u2019s a binary based obfuscator for iOS\/Android\/Embedded systems. It supports 32\/64bit and native\/java layers. Currently, it\u2019s only able to work on ARM but we\u2019re planning to support other CPU types such as MIPS and PPC.)<\/p>\n Q: How many members are part of it?<\/strong> Q: What\u2019s the single piece of advice you would want to give for someone seeking out a career in the security filed?<\/strong> It was a pleasure, Beist, to talk to you<\/strong><\/p>\n You\u2019re welcome.<\/p>\n<\/p><\/div>\n https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
SeungJin Lee, known as Beist is a 32 years old security researcher from South Korea. Beist is the founder of GrayHash (pen-testing company) and highly regarded security research that found over 100 vulnerabilities.<\/p>\n![\"\"](\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/01\/SeungJin-Lee.jpg\")
<\/a><\/p>\n
A: I\u2019ve entered this field in 2000. My first job at Cyber Research was to do pen-testing for big companies in Korea. Then, I spent more than 4 years in the military service. After that, I worked for 2 years as a freelancer and founded GrayHash.<\/p>\n
A: I played an online game (text based multi user dungeon) a lot when I was young. But their service fee to play was horribly expensive and I was just a poor student. When the bill came to our home, my parents were always angry at me. However, I could\u2019t stop playing the game. So, I wondered if there is a way to play the game for free. At that time, I didn\u2019t know about computer security, I didn’t know TCP\/IP, C language etc, so I searched the internet to know how MUD games works. <\/p>\n
A: I don\u2019t exactly remember which one was my first finding. But I think it was from Zero-board that is popular web-board \/ CMS in Korea. It was a remote code execution vulnerability by bypassing file upload restriction feature of the program.<\/p>\n
A: It was a great moment because Zero-board was the most popular web software at that time. That meant that my name could be spread all over the internet and reach many of the info-sec community. In addition, I really tried very hard to find bugs and I literally spent days\/weeks to find one single bug in the program. <\/p>\n
A: Unfortunately, no. That was the first remote code execution bug in Korean info-sec community. It was a kind of high-profile target. So I was all alone on this journey.<\/p>\n
A: Hard to answer. As nature of pen-testers\u2019 duty, I\u2019ve learned a lot of things so far. Web, mobile, game, embedded systems, browser, messengers, and so on. It\u2019s not rare that pen-testers work on \u2018A\u2019 project this week and jumps on \u2018B\u2019 project the next week. But if I have to answer the question, I would say finding memory corruption style bugs by source review \/ reversing binary is what I\u2019m good at and like doing.<\/p>\n
A: Of course I\u2019m a researcher. But I can\u2019t spend every night doing hacks anymore (Which I used to do!) because I\u2019m now the CEO of a company. I meet people and write many emails every day. However, I still have chances to conduct research because our company provides pen-testing services to clients. I prefer doing the job at my office since it\u2019s cozy and close to my apartment. I make effort to not conduct researching into the late hours quite as much, unless there is no meeting tomorrow\u2019s morning.<\/p>\n
A: I\u2019d like to attend talks about hunting bugs and reverse engineering. They\u2019re kinda old school but still my favorites. Also, I like entertaining talks by skilled hackers. <\/p>\n
A: It\u2019s getting harder to give technical talks publicly as I spend most of time to work for our company and they\u2019re all NDA signed. But when I teach BoB students, I prefer talking about reverse engineering and how to find security bugs. <\/p>\n
A: KITRI runs a special program called \u201cBest of Best,\u201d targeting talented students who could become security experts in the future. About 130 students from high schools to graduate schools are selected based on prior experience to be trained for six months. Programs include simulated cyber war with classmates. <\/p>\n
A: CTF is my favorite. If not for CTF, I would have not entered into the security field. I used to take part in many CTFs, DefCon CTF and wargame sites. I wish I could go back to those times. Also, I like meeting my info-sec friends at conferences. We usually hang out and have countless shots. I wish every conference talk started at like 1pm!<\/p>\n
A: Definitely, CCC (Germany). I can\u2019t exactly explain why, but if I should guess; First off, I could\u2019t speak English at all at that time and I\u2019d never went to English speaking country before. The hacker culture at CCC was so exotic to me. Of course I enjoyed it a lot there. <\/p>\n
A: Considering South Korea is a small country, the security community is big enough. We have more than 300 security firms and the community is huge. Many middle\/high\/university students are very interested in working for IT security sector. There are more than 50 cyber security clubs at universities. More than 20 CTF per year. More than 10 security conferences each year.<\/p>\n
A: The academy (university), community, industry, and the government help each other. Universities have special selection in the admissions system. For example, in many East Asia countries, if you want to go to top schools, you have to get really high SAT scores. But if you\u2019re good enough at cyber security, you probably can get accepted.<\/p>\n
A: I\u2019ve participated in BoB since its first year. I advertise BoB program over the world and teach young students at the campus. We get about 130 new students every year and some of them are extremely skilled considering their age. <\/p>\n
A: U.S., China and Russia the biggest communities in the world and everyone agrees with it. But I think Sweden has an amazing security community. It\u2019s smaller than Korea but their skill set is awesome. I\u2019ve asked my viking friends about it but no one told me the answer. I\u2019ll figure it out one day!<\/p>\n
A: Full-disclosure has been decades. Today, less full disclosures from independent researchers, but more full disclosures from companies. And the notorious argument, \u201cis full-disclosure good or bad to public?\u201d, is never gone. The argument won\u2019t be gone in the next 5 years, at least.<\/p>\n
A: I had worked for 2 years as a freelancer before creating the company. I was having more and more contracts and it was almost impossible to finish them myself. Also, I wanted to work my previous co-workers. I spent many years at army before and i missed them. It\u2019s a pleasure to do something with smart and good people. Finally, I managed to persuade them to join my company. <\/p>\n
A: Every company has its own products. It can be embedded systems, mobile applications, banking systems, and so on. We try to find security holes in their products and tell them how to fix. So, we\u2019re a pen-testing company. Hopefully, we can globally expand our business in this year. <\/p>\n
A: At the time of writing, we have 15 people. Most of them are engineers. I wish we had more engineers but it\u2019s really hard to hire skilled security professionals.<\/p>\n
A: Learn computer languages first. C\/Python\/Assembly. If you want a quick way to be a hacker, jump into CTF \/ wargame sites, they are probably one of the best means to get started. Do this every day. You may need to spend many of days. Always check out new security bugs published by other researchers. Try to understand and exploit it yourself. Now, you can go for finding bugs yourself.<\/p>\n
On our last blog post \u201cKnow your community\u201d we interviewed Ionut Popescu from Romania. Today we had the honor to interview Beist (SeungJin Lee)! Introduction SeungJin Lee, known as Beist is a 32 years old security researcher from South Korea. Beist is the founder of GrayHash (pen-testing company) and highly regarded security research that found … Continue reading Know your community \u2013 Beist (SeungJin Lee)<\/span>