We think we know our mind is our best hacking tool
From his early days of script kiddie shenanigans to helping shape the landscape of bug bounty programs, Inti's story is a thrilling ride through the highs and lows of offensive security. It also serves as a statement of the transformative power of curiosity and ethical hacking.
Inti not only sheds light on what happens when expectations meet reality, but he also shares his unique approach to problem-solving with real-life examples you can add to your own process.
Inti's bio
With 12+ years of experience in this space, Inti is a Belgian ethical hacker and cybercrime investigator. He currently works as the Chief Hacker Officer at Europe’s largest vulnerability disclosure platform Intigriti and is also a founding member of the Hacker Policy Council.
Inti also excelled in various bug bounty competitions, where he’s been rewarded by companies like Google, Meta, Yahoo, The US Department of Defense, or Amazon for identifying critical vulnerabilities in their systems.
Dive deeper into this conversation to learn:
Why the best hackers started their career by running scripts and trial and error [03:47]
Why bug bounty hunters need to nurture their creativity when looking for particular vulns [07:37]
What the main differences between bug bounty and pentesting are [09:46]
How to impersonate developers as a bug bounty tactic [13:42]
Why bug bounty often looks like a rabbit hole [25:24]
Why it’s important to define your own success and appreciate your failures [30:33]
How AI helps ethical hackers eliminate repetitive and boring tasks [34:19]
How deep research can lead to unexpected wins in ethical hacking [43:55]
Join us as we explore the intricacies of bug bounties, the crucial role of mindset in hacking, and how to turn every failure into a stepping stone to success.
Resources from this episode:
Inti’s personal website
Inti on LinkedIn
Inti on Twitter
Inti voted “IT person of the year”
Inti de Ceukelaire on hacking broadcasters: Interview
AMA with Inti de Ceukelaire for the Bug Bounty forum
Inti about hacking your way into Metallica on the Critical thinking podcast, Ep 33
Listen to this conversation on:
Episode transcript
Andra Zaharia: Only the most curious and persistent people thrive in offensive security. How do I become a better hacker? How can I build and maintain my advantage over adversaries?
And what's limiting my ability to think creatively?
This podcast is for you. If you're the kind who's always digging deeper for answers, join me as I talk to some of the world's best offensive security pros about their work ethic, thinking, and real-world experiences.
This is We think we know, a podcast from Pentest-Tools.com
Prepare to be intrigued and inspired in this episode of We think we know as we unravel some of the most interesting storylines in cybersecurity with Inti from Intigrity.
From his early days of script kitty shenanigans, to helping shape the landscape of bug bounty programs, Inti's story is a thrilling ride through the highs and lows of offensive security. It's also a testament to the transformative power of curiosity and ethical hacking.
Inti not only sheds light on what happens when expectations meet reality, but he also shares his unique approach to problem-solving and also shares some examples you can add to your own process. Join us as we explore the intricacies of bug bounties, the critical role of mindset in hacking, and how to turn every failure into a stepping stone to success.
[01:40] Andra Zaharia: Let's get into it. Inti, welcome to the We think we know podcast. We're very excited to have you here, and I am very curious about a bunch of things from your present and from your past, and especially from, let's say, behind closed doors on things from your mindset and from your toolbox, which I cannot wait to unpack for our listeners.
Inti De Ceukelaire: Absolutely. I'm super happy to be here and not talk about anything. So let's just jump into the conversation.
Andra Zaharia: Let's do that, so you mentioned - because I dug through some interviews, of course, before having this conversation. At some point, you mentioned that around 2011, the bug bounty activity, kind of at that stage in your life, felt a bit like an assembly line, and I was wondering what that looked like and what was the inflection point where that changed for you.
Inti De Ceukelaire: Okay, so in the very beginning, 2011, I was 16 years old then.
I was working in a grocery store, and I absolutely hated that job. Sorry, Nancy, my boss, my former boss, if you're listening, I hated the job. I liked you, but I didn't really like stacking all the racks, etcetera, that was just not my only good at it either.
So when I saw that Google was coming with this program where you could get, at a minimum, $100. For me, that was a lot of money. I was absolutely super intrigued and I really wanted to do this, but I didn't know how to hack.
So I taught myself cross-site scripting, which wasn't super hard to do because essentially there's tutorials everywhere on the Internet even then.
And I started copy pasting payloads in anything that remotely looked like a Google website all the time.
And I didn't know what it did. I didn't know how cross-site scripting worked. I just knew if I see a popup box I may get some cache and I can finally quit my job. So I just started really spanning payloads everywhere. I was a script kitty.
[03:47] Inti De Ceukelaire: I think most people started being a script kiddie. A lot of people don't really like to admit that even the most elite, best hackers, at a given point, you're just running scripts and trial and error and a lot of my initial findings were invalid.
But Google - and this was also a kick for me - they took time to explain to me, I don't think they had too many participants in their bug bounty program back then. They did take the time to explain to me why I was wrong and how I could improve. So gradually I understood, okay, if I can only execute cross-site scripting payload for myself and not for somebody else, that won't be valid.
I need an attack scenario and Google really allowed me to think like an attacker. And I'm still grateful for like just considering the time they spent, given how much they probably earned at Intigrity. sorry, at Google. It probably costs them more than actually the boutique they ended up paying just by all the consultancy time, let's say, the hacker that I am today, always putting the attack scenario first.
Andra Zaharia: That's very cool. That's such a cool story. And I think that there's a very useful nugget of information there for companies that are just setting up their bug bounty program.
They may be more inclined to spend more time giving this kind of feedback. Of course, it depends on the company, but that's very generous of them to do so. And it highlights how many generous people there are in this industry willing to put in the time to help out people who are just starting out. That's really nice to hear.
Inti De Ceukelaire: Absolutely! The best feeling you can have and I see this because we manage a bug bounty platform over at Intigrity. We try to put a lot of effort in our triage, even if people are consistently not really contributing to the programs, let's say, of course, there's a limit. We do not want any of our customers to experience any noise.
But our triage team will really try to train these people and explain to them, like, look, you're basically wasting your time. Take this time and spend that into reading these resources, doing these challenges, exercising yourself. And it's so fulfilling to then see people grow and actually start earning real money. That is just because you're investing in them in terms of education.
Inti De Ceukelaire: Once they know it, they can replicate that, but also just giving that first bounty to them. Sometimes it's life changing. Some of these people, they come from areas where education is much less normal, or a given level of education, let's say, is much less normal as in countries where we live.
And just to be able to provide the education for free, thanks to this community, because there are so many free resources out there, that is amazing. And I don't think that is something that a lot of other industries have. Typically, you have to pay for and create to get somewhere. I don't think that is the case with ethical hacker hacking. I never paid for a course, I never paid any premium subscription for a tool. Just did it myself and it was entirely free.
Andra Zaharia: That is one of the greatest things about this space. And even this sharing of experiences and of stories and examples like you're doing now, this contributes as well, so much to shaping not just what people know to do - so, not just their skills and skill level -, but also shaping their mindset and helping them form, let's say, some standards that are both healthy for them and are high enough in quality that they know what to pursue further in their development, not just as hackers, but as human beings overall, which I think that that's one of the greatest things in this industry.
[07:37] Inti De Ceukelaire: Yeah, I always say, and I'm not sure, I mean, this hasn't been scientifically proven, but hacking, in my opinion, is 80% to 90% using your might, and 10% using the tools or your actual computer keyboard. There are so many great tools out there, and you can find so many great vulnerabilities with them. But some people just expect by running a tool, you will get juicy bugs. No, you have to learn how to master that tool, but also when to use it or when to tweak it.
I use a lot of tools that I end up tweaking a little bit in the end, just because it fits my flow better. Because if everybody is conducting exactly the same test, we're all just - I say this with all respect for QA analysts, but I will feel like a QA analyst. And there's a reason why I didn't become a QA analyst. I cannot just go through a task of items to go through and just compliance testing-wise, just check everything that I've done.
Inti De Ceukelaire: I need some level of creativity. I need to be able to really use my brain to invent scenarios that maybe are less common, and I need to be able to do that differently for every specific application. That's just how my mind works.
I know there’s great hackers who are very focused on methodology. I know that they're super effective at making bug bounties as well. So I think that's really what is so interesting about this industry. We have so many different people with different approaches, and that is what makes it so effective.
Andra Zaharia: Exactly. And thank you for highlighting that, especially because when it comes to offensive security, people who don't know exactly, let's say, the nuances and each type of activity tend to blend it all together and have a hard time maybe distinguishing between penetration testing and bug bounty hunting and red teaming and all of the other concepts that we are so familiar with.
So when it comes to bug bounty hunting, in comparison or in relation to penetration testing, what do you think they have in common? What set of, let's say, behaviors and tactics do they share that are just as valuable in one, let's say, type of activity as it is in the other?
[09:46] Inti De Ceukelaire: Well, I think that penetration testing, of course, there's some more, I would say, rules attached to it. At the end of the day, you do have to write that report. So even if you don't find something, you may want to spice a preorder report with maybe some practical tips, best practices, etcetera.
Typically in bug bounty, these things are not really being processed or triaged by the security assessment team. So bug bounty focuses a little bit more - I mean, the word itself incentivizes impact, whereas I think penetration testing leads more to compliance. Just knowing that somebody does it, just knowing that these endpoints have been covered for bug bounty, what I really like, and I do think there's a huge overlap as well because you can perfectly use all the pentesting techniques, apply them to bug bounty, and probably vice versa as well.
There is a little bit more freedom in bug bounty, which is why I believe that a lot of pentesters, after their hours, maybe in their weekends, etcetera, they do bug bounty. Because then you may have this whole idea on a client that you would be like, “this may work, but I may not have the time. I need to finish this report by tomorrow, I need to make sure that I focus, that I get everything done.”
Inti De Ceukelaire: Well, big bounty really allows you to put in that time. It's not always super helpful that you have so much time and bug bounty because I've been in so many situations where I literally spent the whole weekend, like from Friday afternoon to up until Monday morning trying to crack something and that it didn't happen. At the end of the day, you also feel like, okay, what did I accomplish here? But then I try to think, did I try something unusual that maybe at this application did not work, but that may work on a different application?
So I try, even though if I don't find something, even though if I don't earn any good bounties, I still have my notes. And there's been many times when a particular attack scenario that I had in mind for a specific app didn't work out. I could just recycle that for the next opportunity. So I tried to see these things as an investment because at the end of the day, for bug bounty you don't get paid for your time, and for pentesting, you do get paid. I think that is the main difference.
Andra Zaharia: Definitely one of the main differences, indeed. And I appreciate you highlighting notetaking and thinking like building a body of knowledge because this is what we do through our work. We build a body of knowledge that we can then improve. That eventually turns and we refine it into a system that gets us different results than other people. And I know that you focus a lot on this. You focus a lot on looking where no one else is looking, on getting different results by having a different approach and by focusing a lot on scenarios.
So how does that work? And what do you get from focusing on scenarios instead of looking for particular vulnerabilities or having, let's say, the approach, let's call it standard approach or common approach?
[12:57] Inti De Ceukelaire: I think this stems from the nature of bug bounty, where at the end of the day you will get paid for the impact. So you may have a super cool vulnerability where you can change some important data. But if that data doesn't relate to any other systems or is not used in a context where it actually super matters to the company, in the broader perspective, let's say, it's not really worth a lot.
Whereas in pentesting, if you are tasked to pentest a specific asset, typically there are exceptions of course, but typically you're not really tasked to see, okay, what is the broader impact on maybe other components as well outside of the scope of your assessment? Everybody loves bug bounty scopes that are extremely wide.
[13:42] So with that in mind, I try to impersonate two kinds of people. First thing I try to do is I try to get in the heads of the developer. I try to make this mental picture of this person that coded this application, and I try to literally be in the meeting where they decided to build that application. And I'm like, what kind of edge cases do they have in mind? Who are their customers? What is important for their customers? And especially what are the things that they may try to cut corners on because it's not super relevant to their business?
Inti De Ceukelaire: Maybe they kind of need to have it for compliance reasons, but they wanted to spend at least effort into actually building the feature. Because typically these critical bugs are not in the most focused areas, let's say. But it's more in the edge cases where you have a customer that is too important, so you still build this feature for them, but it's excluded from the scope for other assessments, etcetera. And it kind of becomes this inheritance that needs to be there, but nobody really likes to maintain. That is what I look for.
From the other perspective, I try to jump into the head of an attacker, and I go really far into this. I try to darken the lights I put on my hoodie, and I really feel like a criminal hacker. Of course, I don't behave like one, but I put on some cool hip-hop music, and I'll be a gangster. Whenever I do this, my wife tends to mock me, and she says, do you have one of your episodes again? I say, yes, I'm trying to find this cool bug. But for me, that really helps, that kind of role playing into be the bad guy or the bad girl. I don't discriminate.
Inti De Ceukelaire: Then I tried to look, what is something that an outsider may be on the look for? And then I try to go for the money scenario. Okay, how could I steal a lot of money from this company? Because that's typically what's super important for the people data. What is some crucial data that maybe is not super clear to everybody, but what are their crown jewels? And then I try to go after them within the scope of the bug bounty program.
And very often it leads to something, not always to something that I was looking for. But if you challenge yourself to push the boundaries to always try something new, you can never really lose, because at least you tried.
Andra Zaharia: And, at least, walked away with some helpful knowledge that, again, you can apply somewhere else. Those are two very helpful perspectives, especially because we don't often hear people in this space talk about how important it is to understand the mindset of developers and to understand how business makes decisions when it builds web apps, when it builds their infrastructure when it decides who their providers are, and so on and so forth.
Because there is no perfect scenario in which a business will be able to do everything that it wants, even with the best intentions, to truly have everything in place. That's just.
Inti De Ceukelaire: And for that, I have a secret helper. And that is typically the job site of the company because typically people put out jobs to solve a problem. And sometimes these problems are security problems in a way as well. If somebody is looking for Salesforce security engineers, it may be that they on their own Salesforce program, you have this cool language that you can use within Salesforce, for example. Maybe they're looking for somebody to further secure that.
Well, then I should be on the lookout for Salesforce instances that they deploy. Same with any other language, any old platform that they may be using. For me, browsing the job website is a very good idea about, okay, where does this actual company put their resources in, what is priority, what is focused, and especially where are they maybe understaffed because I will be the type of hacker that will take advantage of that, which is something that hackers do anyway.
Andra Zaharia: Absolutely. It really is. And I appreciate how meticulous you are about this because it can be difficult to understand and infer all of these things when you haven't necessarily worked in a corporate scenario when you haven't been in these meetings and talked to all of these people and see how things happen. And I think that sometimes that may present a bit of a challenge for certain.
Perhaps younger or just people, younger hackers or hackers who are starting out because they don't have that workplace experience. So this is a really helpful way to build some of that experience. What are some other ways in which you can connect to the reality of how things work inside a business?
Inti De Ceukelaire: Yeah, very good question. Let me first comment on what you said there, because I absolutely agree. Actually, in my scenario, I had less than 5% of my time. I am in corporate meetings. We're building out a platform. In my previous job, I worked at a radio station. I got the best IDs when I worked as a webmaster of a radio station, because my colleagues who were totally not into security sometimes were working with tools that maybe aren't super secure or they were saying certain things that was like, maybe I could use this in one of my hacking exercises.
[19:15] And I do think that there's a problem that if you're hacking 100% of your time, you run out of ideas. Somebody who is an artist, that for me at least, hacking is a form of art. It is a creative, it is almost a sport, it's something creative. And if you do this all the time, eventually you will get tired of it and at least for me, I will lose inspiration. So that is why for me, it's at least important to still do other stuff to get your inspiration from.
For some people, this is doing sports, for other people it is maybe rather than doing pentesting all the time, also having one day for research or a day where you do something completely different, maybe a hackathon where you try to change the company or meet people in areas where you haven't really explored, for example, sales.
Inti De Ceukelaire: Lots of pentesters absolutely don't want to deal with the clients, but if you get the experience, please do try it because you learn a lot from just talking to clients. Whenever I arrive at a live hacking event, the first thing I do is to talk to the client and ask them where would you look for a vulnerability? I would say nine out of ten in the exact area that they point to, I do find a vulnerability. They know their systems better than I do.
They kind of probably have a sense of where it smells, but they never either had the time because they are on corporate reasons, or they were waiting for the moment until somebody would ask them, do you think that is actually secure? And then you see this little light in their eyes that says, hey, wait a minute. Yeah, I would go and look there and this is sometimes what people need in order to actually find security issues.
[21:11] Inti De Ceukelaire: So I would always say, try to get inspiration from all kinds of channels. There are a ton of YouTube channels as well that are senior security-related. And right now I am diving into, I'm a web hacker, I'm diving into hardware hacking, I am diving into hacking with laser and stuff like that simply because I'm interested in it. And it feels great to be a noob again.
A lot of people are, once they reach some level of status, they're quite afraid to admit that they don't know everything. And I think that's a pity because, yeah, that is limiting them. Like, you can’t be the best at everything. You have to do the cycle again, a lot of people only go through one cycle. They get a noob, they become a noob and then they become better middle, senior, etcetera.
Inti De Ceukelaire: But it's nice to be a junior again and just to learn, ask questions. And if you're afraid about this, some people who respect me as a web hacker, but that are more experienced into hardware hacking, I probably ask them a dozen of absolutely stupid questions that they don't mind, because I'm just a pro. Like, I know nothing about this. Explain me everything. If you have time, let's go grab a coffee. And just always try to challenge yourself. Always try to learn. That's a cool thing. This is one of the industries that you can never catch up, never.
Andra Zaharia: And that sometimes can feel overwhelming. But it's also a great saying because it's filled with possibility. It's filled with opportunities to try things, to be creative, to refocus your attention on something else.
When you feel maybe you've reached a plateau in a certain area, and then you can just start picking up something else. Because how you learn actually gives you that opportunity to be able to learn and to master almost anything. And that's the great thing about it. But thank you, particularly for mentioning how important human connection is and how important it is to meet people face to face.
As uncomfortable as it is, and as much as we don't want to do it, sometimes that really matters.
And I think that we can really see that at life hacking events like you mentioned, at conferences, we walk away with some of the most, just some of the best memories that we have. And we walk away with insights to which perhaps we wouldn't have paid as much attention if we would have read an article, listened to a podcast, or just did something else, simply because that in-person presence really matters. It's our biology speaking and making things really stick.
Inti De Ceukelaire: Yeah, fully agree. And also just like explaining something that you're struggling with in terms of technology to somebody else is sometimes really part of the solution. Of course, in our industry, there are a lot of things that we can't talk about due to NDAs.
But sometimes I will generalize or anonymize a problem and just at the dinner table, talk about it to my wife, which I believe she still likes, or she's very good at pretending that she's listening. But no, I think that she's really listening to it. And she will sometimes give very good suggestions that are maybe not always a solution, but she helps me look at a problem from a different way, and very often then I do find the actual solution.
[24:36] But it's so refreshing for your mind to just get out of the context and try to take a step back. A lot of people cannot take that step back. They just look at the problem. And like you say, tunnel vision is a very big issue. Things can be super overwhelming as well to people. And I do see that with bug bounty because that is still a difference between pentesting and bug bounty.
Inti De Ceukelaire: Bug bounty can even come across, in my opinion, more overwhelming sometimes than pentesting, because the scope is endless. In pentesting, at the end of the day, sometimes you have a methodology, you have to take these steps. You can be creative, but of course, at the end of the day, you will know by the end of the week, by the end of this period, the assessments will be over.
[25:24] With bug bounty, it's really easy to go into the rabbit hole, spend a lot of time, and then not finding anything can be super overwhelming because you never really know should I stop now? You don't have your boss or your manager that will say, sorry, it's time to move on. We have to finish this report.
Inti De Ceukelaire: My personal advice for people would be, even though the scope is huge, challenge yourself to limit the scope. When I start hacking on something that has the widest scope possible, for example, Google, I mean, how many applications do they even have? I will try to limit it to one application, but I'll go even further than that. I will try to really limit it to maybe a subset of functionalities. For example, today I want to find a work in their “what you see is what you get” editor, and then you have very specific challenges.
Very often people try something, it doesn't work immediately and they move on. But it can be very good to know. Okay, no, I first want to list all the potential scenarios I have in mind for this. And by limiting it, it will force you to be more creative. Because normally, if you were to look at this from a normal pentester’s perspective, you will only spend a couple of minutes. But now, okay, I have to spend at least a full day on this. But it's such a small functionality.
Inti De Ceukelaire: It will force you to think more creatively about solutions. Because when you're bored, when you don't know what to do, typically you come up with the best solutions. If I go on vacation first, I do all the crazy activities, skiing, water sports, whatever. But at the end of my vacation, I always need at least three days to do absolutely nothing. Not even reading a book, just sitting there looking ahead of me, no requirements, nothing. I can do stuff if I want to, but that is the most refreshing.
And then when I go back to work, I have IDs again. Automatically, if you feel bored, you will sign, I don't know what it activates in your mind, but it activates something. People should be more bored often. We try to fit in the gap by watching a serial, by watching television, but that is not being bored. We just go sit on your couch and do nothing. That's how you become a hacker.
Andra Zaharia: Excellent. Here's some excellent life advice. Well, you sometimes need to do nothing so you can get to somewhere, to the next big thing. And that is so, so true, because we don't give our brains enough of a time to decompress, to process information, to just make those creative connections that cannot be forced. We just need time to think over things.
And that's such an underrated skill to cultivate, especially because in cybersecurity, and perhaps even more so in bug bounty hacking, there's this idea of instant gratification. And so many people want it. They want to grow now, they want to know the thing now. They want to learn things, they want to get their bounties, they want to get all of the ego-boosting things that come with that experience. And that lack of patience can lead to, just like you mentioned, moving on to the next thing, not giving it enough time, not going deep enough, not spending time thinking of potential scenarios, and so on and so forth, which leads to frustration and many other things.
So I was wondering, how can you develop in a bug bounty hunting scenario, how can you develop these essential life skills of sitting with discomfort, of persevering, which can then translate into other areas of your life as well, or into some other career layers that you want to add to your journey as a hacker?
Inti De Ceukelaire: I think it's important for everybody to define success in the right way at every stage of your cycle.
Everybody can be successful if it's you who determines what success looks like. The problem is that people go on social media and they say, okay, I want to get a million dollar bounty because some other guy that has been, or girl, that has been doing this for over ten years has achieved that, and they don't see all their failures.
I can be super grateful for, or I try to be grateful for a failure because like I said before, sometimes you tested something really cool and you can just imagine that it worked. However, that application was coded, that your test is outside of your control. Psychologists call this like the circle of influence, but it's really applicable for penetration testing as well. Like how well the developers did their job. You have no control over that.
[30:33] Inti De Ceukelaire: But if you at least tried something that you believe was cool, or if you at least try to come up with one creative solution, or even in the report writing, if you try to find the best practice or give the best possible advice to a customer, that can also be a success.
Success doesn't have to be that you have to find a critical in every single application, because there may not be a critical or it may not be possible with the type graph. So yeah, people get stressed, and I understand why. But I would say that to answer that question, my advice would be to try. I know it's hard, but to try to define success yourselves and not go, try to realize that whatever the rest is sharing, nobody is sharing their failures.
And by the way, something that we recently was quite a cool experience, but during a life hack event, we had this bonus. So it was a multi-day life hacking event, and we would pay $1,000 to somebody who would share anything. It could be a failure, it could be something they learned that day. So we had the daily bonus for that. And people really loved the idea because then they knew, okay, I'm going to try this. If it doesn't work, I'm just sharing this with my colleagues. I can still get paid for my failure. And this whole failing forward approach, where people just share their failures as well, turned out to be super successful because you had two people who failed at the same thing.
But when they combined the knowledge of each other failings, they eventually still found a bug. They found something, and we need to share what didn't work more, because if we do that, it ironically will result in more vulnerabilities found. It's that collaboration aspect that stays super important
Andra Zaharia: And making it safe, creating that safe space for people to actually share their failures, such an important thing because we tend to glorify results in this industry like many other industries do as well.
It's not something that's particular to offensive security, but by doing so, we may create unrealistic expectations and may not make it as comfortable for people to admit that they come from humble backgrounds, that they have the same challenges, everyone has the same challenges on a fundamental level, in the sense that we're all humans, we're all imperfect, and that's how it works, and that's why we have a job. And so yay for that. Not a bad thing. Not a bad thing to be vulnerable.
Something that I wanted to ask, particularly on the topic of, let's say, the fallibility aspect of human nature. That's where some claims in the industry come in and say, we'll just automate everything, so human errors can do because humans can cover everything. So we'll just automate. Let's just automate things and be done with all of humanity and its imperfection.
But even though we know that blanket automation is entirely bogus and definitely not workable. Sometimes not even automating certain stages end to end work for the same reason, because it takes a lot of nuance and craft in this industry. And I was wondering, what's your take on that? And how do you relate to automation? How do you use it, and where do you feel its efficiency actually ends and starts working against you?
[34:19] Inti De Ceukelaire: Yeah, so I really believe that any tool can be useful as long as you use it in the right way. And automation itself, unless it's being powered by a higher deity or whatever is never really going to be super successful. Even if this is a bold statement, even with the AI that we have right now, I wouldn't say that AI is creative. AI is able to predict what we will think of as creative. It will be able to create a lot of iterations about all of our art combined, but it will not come up with new stuff. It doesn't happen.
It will make us think that it came up with new stuff, but it currently can't even, or most of these algorithms can't even draw fingers. But if you look at how they would browse the web or how they would access an attacker, what you do see, and this is certainly a trend, is that we are heavily protecting the web against robots now.
Inti De Ceukelaire: And I know we had annoying, I'm not a robot captchas for the past. What was it like, 20 years maybe now? But it will get worse for us as humans in the future, because as these things start getting better at solving those, we're going to come at a point where there's going to be so much processes in order to prove that we're a human, that automated black box testing will also probably be more challenging.
So we will need to invest more in tools or tool whitelisting, I would say, to make sure that there are exceptions. But the cool thing is, the moment you start creating exceptions for tools you have, well, then the hackers going, and the moment that we will, and I have no doubt that there will be AI’s capable of simulating like an APT sorry, or any other malicious actor, they will be able to do that, yes.
And that is what I like about the industry now. You have so many papers on how we can actually beat AI, and typically it's in the most stupid ways possible that a human can even fool. But this AI, because it's trained a certain way, you can actually fool them with it. So I'm not afraid of AI. I'm not afraid of overly automating stuff. I think that we will always meet people. I do think I do embrace automation because it can help us get rid of the iterative stuff, things that we have to do over and over and over again, and of the boring stuff. I would love to just come up with ideas all the time. Just be in my shower and tell my personal AI, hey, I have this idea. Let's now do this. I would pay a lot of money for that. Because now I don't have to go through all the data, test every single website. The hackers of the future are the hackers that will just probably tell their automation, tell their AI, whatever we will have by then. This is a great idea. And those will be IDs. And I hope to be, or maybe I don't hope to be proven wrong at this one, but I do think I'm right. It will take a very long time. If not, maybe it's impossible that an AI will come up with something that we actually will believe is created, because an AI is always powered by data. Humans are, in my opinion, perfectly capable of coming up with completely new ideas, new methodologies, new techniques, without the data being present. Yeah.
Andra Zaharia: I love that flavor of optimism. We need a lot more of that in this industry because we tend to see, and our job is to look for all of the things that go wrong. So that can easily turn into a confirmation bias where everything we see has something wrong with it. Because when you only have a hammer, you tend to see nails everywhere.
Inti De Ceukelaire: The cool thing is, and I recently, I compared this with Transformers, like the movie, like, all right, let's say that the other party now has this terrible automation setup and terrible AI setup that can attack millions of systems at the same time. Well, that we, the defenders, will also have those capabilities. We will also have these tools. And at the end of the day, it will be their tools fighting against our tools. So you create just, it's another leak, but we will be the puppeteers then. So our job will not be gone. We will need to continuously upgrade our tools and update our AI systems to outsmart theirs. So, yeah, things just shift, but they will keep, like, people have been exploiting vulnerabilities all the time. There's been vulnerabilities since the beginning of humankind, and there will continue to be vulnerabilities in every single system, including AI, for many years.
Andra Zaharia: I absolutely believe that as well. And I also believe that there are more defenders than there are attackers, because humans, essentially, they want to do good, they want to protect. And once they have a taste of what it's like to do something good while also having fun while also learning and getting paid for it, then that is a powerful experience that shows you that, hey, this is actually a career I can build.
This is actually a journey I can sign up for. And I do have this. At the end of the day, people matter more than computers. And I know that I'm helping, that my work kind of helps someone down the line. And making that connection, I feel like, is super powerful. And the fact that bug bounty programs such as the one that you're running bring people into this experience helps create a lot more potential defenders or people who help defenders, people in offensive security whose essential job also translate to actually helping someone boost their defenses. So that's a really nice way to see that Avengers assemble kind of sentiment.
[40:30] Inti De Ceukelaire: Yeah, it's only exciting. Yeah. And I believe we haven't even started yet. I fully agree with what you're saying there, that there's probably already much more defenders than there's malicious actors. I would argue that maybe 10-15 years ago that was different, because the regulations have very much changed since then. When I started, at least, I couldn't find anything on the Internet when I was like 14 or 15 years old. There was very little that you could actually do as an ethical hacker. Like, ethical hacking itself didn't really exist. Okay, you had pentesters you had consultancy, but it didn't sound as cool.
I wanted to hack, and back then, I didn't know that pentesters were also just hacking. But this whole concept of ethical hacking had so much evolved over the past years that in the beginning, you had to hone your skills on custom labs, challenges that were fake, but pretend to be real. But these were these environments, like TryHackMe, like Triangle sites, etcetera.
Inti De Ceukelaire: But right now, you have so many platforms, like stuff like HacktheBox. But you also have, this is the case in Belgium as a Belgian, for example, recently, you can just hack any website, anything that is on Belgian ground legally, as long as you act ethically. So you don't even need permission. If you report it to the company, to the government, and adhere to a set of ethical hacking rules, you can just do it.
So the scope is literally start in BE, which is something that I know other countries are looking into as well. And then if you want to learn how to hack, you can start by, I don't know, securing your local hospital or stuff like that. And then I believe that for me, it was okay. The money for bug bounty was large, but just a feeling as a 16-year-old, like, I'm helping Google right now, or I'm helping even closer at home companies that I really care about that have so much important data that is worth more than any bug bounty for me.
Andra Zaharia: That is so cool that this is happening on a government level. And I hope that this happens more because we definitely need this kind of brought into a place of, hey, this is how we do things around here. This is normal. This is not malicious behavior. And thank goodness that people who have been advocating for this for so many years are finally getting results and they're finally creating this change where the authorities understand that we need to enlist people's help so we can have this overall improvement in security, especially for the parts of society which are the most vulnerable. So I really love that example.
Inti De Ceukelaire: Absolutely. Everybody should be a hacker. Think about it. If everybody were a hacker, the Internet would be a safer place. Ironically, it is.
Andra Zaharia: And the world that depends on it. Not so much. To wrap up our conversation, I thought we might just go into a bit something that's really exciting for you right now, something that captivates your imagination and your energy. What is that something?
[43:55] Inti De Ceukelaire: Good question. I try to do, and I can't reveal a lot yet, but I try to do a yearly research topic. So basically I nurture myself. I give myself a challenge, like, I really want to learn more about this, and I start nerd sniping, and I try to learn everything about it. I read all the Internet standards written 20-30 years ago, and right now I think I'm onto something, and it's starting to paint first results, it starts appearing in the wild. Actual attack scenarios that I could use on bug bounty customers.
And only recently I got the first payout for it. So that is something really cool because it starts from research, so I'm having fun. It's not really tied to any assessment. And then when you see your baby actually making money on the Internet and being especially helpful for these companies, a new attack scenario that they haven't seen before, I think that is super cool, and I hope to one day be able to bring that to a conference in a presentation. But we're still in the phase. Will this end up working or not? So I won't reveal too much,
But other than that, something that I also really enjoy doing is making cybersecurity accessible to a wider audience. And I'm preparing this magic show that I will tour with in my home country. There's not really a translation, but I guess the best translation would be magic tricks. But then the word hacking is somewhere in it, so magic tricks but it doesn't really sound well in English. It does sound well in Dutch.
And I've prepared this whole magic show, but the clue is that the magic tricks are not actual illusions, but they're actual hacks. So I'm trying to combine my passion for magic with my passion for technology. And it's going on air in May, and I'm really looking forward to it because again, I'm surrounding myself with an audience that comes to the show that doesn't always know anything about cybersecurity. And when I talk to them after the show, it's just super good to hear their responses to the show, what they thought that they were expecting, but also just to learn from them.
So it's my way of connecting with people talking about cybersecurity, but still connecting with people that are maybe outside the whole community of our cybersecurity world. So, yeah, really looking forward to that. And spending almost every night, every weekend into preparing these magic tricks.
Andra Zaharia: That sounds really exciting, and I hope you put that show on the road someday so can see it outside of the Netherlands as well. But that sounds very entertaining.
Inti De Ceukelaire: There will be an English version. Let me just try it in Dutch and then I'll see what I can.
Andra Zaharia: Excellent. Excellent. Well, thank you so much for sharing all of this today, Inti this was really interesting. And there are so many things that are instantly actionable for people who want to try something else, for people who want to challenge themselves, and for people who want to see what it looks like when you actually do the work and when you actually see what it takes to persevere because that makes all the difference at the end of the day. So thanks for being here.
Inti De Ceukelaire: Thank you for having me.
Andra Zaharia: Ever wondered how deep the rabbit hole goes in the world of ethical hacking? Well, we're still falling, and we're dragging you along with us. One question at a time.
Thanks for wandering through this maze with us as we tackle the nitty gritty flipped misconceptions on their heads and maybe, just maybe, made you rethink some of the things that are important to you.
This has been the We think we know podcast by Pentest-Tools.com and before I sign off, keep this in mind.
There's always a backdoor, or at the very least, a sneaky side entrance.
See you next time.
