Adam & Jerod catch up with our ol’ friend, Suz Hinton! It’s been a couple years since Suz was a regular on JS Party. Since then, she moved back to Australia, earned a degree in cyber security & won a fidget spinner from the NSA… but that’s not all!
Featuring
Sponsors
Supabase – Supabase just finished their 12th launch week! Check it out
Speakeasy – Production-ready, enterprise-resilient, best-in-class SDKs crafted in minutes. Speakeasy takes care of the entire SDK workflow to save you significant time, delivering SDKs to your customers in minutes with just a few clicks! Create your first SDK for free!
Test Double – Find out more about Test Double’s software investment problem solvers at testdouble.com.
Socket – Secure your supply chain and ship with confidence. Install the GitHub app, book a demo or learn more
Notes & Links
Chapters
Chapter Number | Chapter Start Time | Chapter Title | Chapter Duration |
1 | 00:00 | Let's talk! | 00:38 |
2 | 00:38 | Sponsor: Supabase | 03:13 |
3 | 03:51 | Backgrounds & Friends | 06:06 |
4 | 09:57 | Suz: a brief history 👀 | 01:54 |
5 | 11:50 | Recent history | 03:44 |
6 | 15:34 | Stepping away: the hard parts | 05:29 |
7 | 21:02 | Why start Twitch? | 02:15 |
8 | 23:18 | On confidence | 02:10 |
9 | 25:27 | The OSCON keynote 👀 | 02:42 |
10 | 28:09 | Post-keynote feels | 03:01 |
11 | 31:10 | Not seeking attention | 03:35 |
12 | 34:45 | Sponsor: Speakeasy | 01:49 |
13 | 36:35 | Going anon | 02:39 |
14 | 39:14 | Fame & fortune | 03:03 |
15 | 42:17 | 90210 sideburns 👀 | 00:48 |
16 | 43:05 | Platform famous | 01:27 |
17 | 44:32 | Models of power | 02:49 |
18 | 47:21 | More or just see it more? | 01:38 |
19 | 48:59 | Hangin' tough | 01:46 |
20 | 50:45 | Sponsor: Test Double | 01:23 |
21 | 52:07 | Sponsor: Socket | 03:17 |
22 | 55:24 | NSA fidget spinner | 02:26 |
23 | 57:51 | How do you cyber security | 01:33 |
24 | 59:24 | Hacker shows | 01:19 |
25 | 1:00:43 | Leaving CrowdStrike JIT | 02:26 |
26 | 1:03:09 | Red teams & blue teams | 02:45 |
27 | 1:05:53 | Threat hunter toolbelt | 08:31 |
28 | 1:14:24 | CTF coder's advantage | 08:52 |
29 | 1:23:16 | CTF goals | 08:27 |
30 | 1:31:43 | Infosec job security | 04:03 |
31 | 1:35:46 | What's next for Suz | 01:50 |
32 | 1:37:35 | Pilot's license?! | 05:08 |
33 | 1:42:43 | Landing the plane | 01:38 |
34 | 1:44:22 | Coming up next | 01:04 |
Transcript
Play the audio to listen along while you enjoy the transcript. 🎧
Well, it’s good to catch up with Suz again…
Absolutely.
It’s been years. That’s no fun…
A couple years…
…to be years. It’s fun to catch up, of course, though, right? That’s the fun part.
Yeah, that’s what kind of makes it alright again.
Yeah. I am noticing some familiar background items for you… I think a while back on Twitter you got some – maybe in the last year, I don’t know, some requests or questions about your pegboard back there, and your desk setup, and what you’re doing on it… I don’t know, it seems familiar to me. Am I catching that wrong? You’re not on Twitter anymore, though, right? Or X, whatever you call the platform these days.
Yeah, I’m not really on there anymore. I did chat with Quincy from freeCodeCamp, and I promised him I would actually send him like a picture for his Instagram or whatever of the background, and then I bloody forgot, so…
I just reminded you. There you go.
But I’ll have to get around to it. So yeah, no, you were correct.
How far back was that? Because I recall – it didn’t seem… Maybe a year or two ago, I don’t know. It seems familiar to me in terms of like in my memory, but it doesn’t seem like it was yesterday.
I might have actually – so Quincy and I chatted a couple of months ago, but maybe I shared a photo of kind of the initial setup on Twitter. And it was probably one of the last tweets I did. So yeah, that’s probably it.
So how long ago do you think that might have been? A year, year and a half, two years?
Something like that. A year and a half, maybe? Yeah. It was one of the first things I set up when I got into this space. So that would add up. It’s very important to me.
Okay.
“It’s very important.”
I do recall questions being asked, popular in terms of what you’ve done… And I think it was like you made it yourself. I don’t know. What’s the situation?
The background?
Yeah, the pegboard.
Oh, yeah. I didn’t make the pegboard myself. That’s just from Ikea. It’s their SKADIS range.
Oh, that’s right. Yes.
I took inspiration from just some other pictures that I’d seen online, including someone I know called Thea. Her setup was really cool. She had the shelves with the pegboard underneath, and I just thought that was such a cool look< so I decided to sort of do my own take on it, and then sort of put it into a corner, to make it kind of look like you’re surrounded by your lab… And so that was the look that I was after. I mean, don’t get me wrong, even though I didn’t make the pegboard myself, it took a really long time and a lot of swearing to get everything up, and like stable, and not actually pulling the walls out while I went along. So yeah, it was great. It was a great experience. And it’s actually a really versatile space. I’ve already rearranged it so many times, so…
I think actually when I saw this from you, I was like “What is that?” Now I’m remembering you did not make it, so thank you for closing the loop on that. And that it was IKEA, and that on Etsy it’s very hackable. A lot of people are making 3D-printed things for it… Have you begun to like explore the vast world of SKADIS?
Yes. Yeah. I have like a [unintelligible 00:07:09.13] like collection, where I’ve just got them all saved… And I definitely want to design my own. There’s a few things that I want to put on the wall that just - they’re obviously like a specific product that I have, that someone might not have also owned and wanted to put on a SKADIS pegboard. So yeah, it’s a work in progress, as usual… But it’s kind of that thing where it sort of feels like tweaking your IDE setup, your code editor… It’s like, there’s only a certain amount of stuff you should really be doing for it before you just move on and actually use the space to make something, you know… And so I see it like that too, not to obsess too much about it.
Now, do you 3D-print yourself, or do you save these for a later date when you get the printer? What’s your experience with 3D printing? Yeah, so that’s a 3D printer right behind me, the one with all the stuff stuck on it. It’s also like my post-it noteboard, because it’s just a big sheet of perspex. It’s got an enclosure on it, because it’s also a laser cutter and a CNC machine in one…
[00:08:12.03] Oh, nice.
…so it kind of needs that enclosure around it. I mean, I’ve been in the 3D printing scene since I think 2009, 2010.
Dang.
Forever, basically.
Yeah… Kind of when I got started as like a consumer at home sort of thing. And I released my own jewelry line, 3D printed jewelry line, and all of that… And then since then, it’s become much more sort of utilitarian for me. Like, I use the 3D printer to solve my problems, or to print enclosures for my electronics projects, and stuff like that. That’s sort of why I also got it, because being able to custom-make parts is just very satisfying, especially if you’re interested in certain hobbies that require it.
What kind of problems are you solving? What kind of problems do you have?
Well, right now I’m working on a… Silly project, as usual. [laughs] So I want to be able to mount that project to the wall, actually, and have sort of a little screen on it, and some buttons and things like that… And so I can kind of 3D-print this sort of plastic interface to hold the rest of the project and to mount it onto the wall. So that would be an example. But then I also do boring stuff… Like, I have a set of drawers on my desk, and they sort of had little holes drilled in the drawers, and you’d just put your finger in and pull it out, and it just got really annoying, because if you’ve got stuff in the drawer, your finger hits it, and things like that… So I just ended up printing some drawer knobs that work really well for that set of drawers. And so you wouldn’t even know that it was 3D-printed. I color-matched it exactly, and things like that. But there’s a lot of invisible things around here that are just really satisfying as well, outside of the more exciting stuff.
Always with the funny, weird, offbeat projects going on. So for our listeners sake, who may not know that we’ve known you, Suz, for many years now - I think we met at OSCON, perhaps.
We did.
Yes.
Yeah, I still have the selfie that we all took together.
Oh, nice.
Yeah, I was really excited.
And that had to be like 2017, 2018, something like that.
- Yeah, July.
There you go.
Was it in Austin?
No, it was in Portland.
Portland. Okay.
Yeah. And we had you on the show…
Was I on the show like in the expo with you guys?
I think so…
You did a quick recording there… Because I think we’d done a show before, but then that was the first time we’d met in person.
Yeah, that sounds about right. We had you on the show just like cold email style, and then met in-person there. And then did another show - maybe you were just like part of a… We call them anthologies, where we just put together a bunch of interviews from a show. I do recall that. And then, after that, I was like “We’ve got to hang out with Suz more often”, so I invited you as a JS Party panelist, right?
Mm-hm. That was really fun.
And you did something like 40 or so episodes on JS Party for a couple of years.
Yeah.
So we got to know each other, and we were friends through a couple of transitions in your life… And then – I mean, it was Microsoft, and then it was Stripe… It was New York and then Seattle… Or maybe the other way around. You can remind me.
No, you’ve got it right. New York and Seattle.
Yeah, that’s right. I guess Microsoft would be Seattle. So yeah, New York, Seattle… I remember Stripe… And then visa issues… I’m not sure how much you want to go into any of that, but you’re obviously from Australia… Anyways, we didn’t talk for a couple of years.
Geez, Jerod…
And then I emailed you like “Let’s catch up”, and then I realized you haven’t talked publicly online very much in the last couple of years. Like, not Twitter, your Twitch stream, which was one of the things that made you most well known - it doesn’t look like you’ve streamed for a while, unless you have a new Twitch account… And now you’re back in Australia. So as much as you’re willing, tell us the story. What’s the last couple of years been like for you?
It’s interesting you say that, because it’s sort of like someone else narrating their interpretation of it. It’s actually really interesting. It’s not inaccurate, it’s just…
[00:12:05.09] It’s just like me putting it together from what I can gather… But I have no idea what happened, so…
Yeah, I know. And it almost feels like – my goal, the goal I set out to achieve was actually successful based on what you said.
Okay, cool.
Yeah, I don’t know, so we all went through something pretty big, which was the pandemic, right? And I think I stopped doing JS Party around then, like 2020. And I actually really miss it a lot. But yeah, we talked about sort of why I stepped away for a little bit, off the record… And so since then, honestly, it’s been kind of hectic. I was just running into so many immigration issues with the pandemic, and the previous administration, everything just got really difficult to stay in the US… And I found myself with fewer and fewer reasons to stay in the US, and more and more reasons to just come back home, which is where I consider my cultural home to be, which is Australia.
And yeah, there were just a bunch of goals that I wanted to achieve, that I couldn’t unless I had some kind of permanent residency or citizenship in where I was living. It was really just a paperwork thing, as well as obviously a cultural decision. And so yeah, there were just things I wanted to do, I couldn’t do them, I got sick of putting my life on pause… So I started taking a step back very gradually. So I stopped streaming around the time I decided that I was going to spend the next year sort of trying to find my way back to Australia, but to sort of establish myself in a smart, grown-up way, where I’m obviously being able to do things properly, and in the least stressful way possible.
So I started pulling back more and more… I was going through college at the time too, and that was taking up a lot of my time, and it was actually something that I was really interested in and having a great time with, so I also wanted to step away from Twitch just to give myself a bit more time to study, and things like that.
So yeah, over that next year, which would be from 2021 to 2022 - because I think I gave up streaming in 2021 like May - I bought a house, I graduated with my first ever degree in my life, a bachelor degree in cybersecurity… I found myself a job that I could work remotely here, that was based in the United States… You know, I sort of like just planned everything, planned my exit… Because once you’ve lived in a country for more than a decade, you do have a lot of roots. There’s a lot of bank accounts and all these other things that you have to deal with. And taxes, and planning, and that kind of thing. And so I just did a lot of administrative stuff behind the scenes, and packed all my stuff up and put it on a boat, and all of that.
So it was just a very tumultuous year, but I managed to move back here in the middle of 2022. And since then, honestly, I’ve just been so busy reestablishing myself that I haven’t really wanted to be in the public eye while doing that. Public eye, so to speak… So just been taking some time for myself and to reflect, because this is a pretty big life change for me, too. So I just wanted to be able to do it in reasonable privacy, and have some space to do it.
Yeah. It sounds like you did it, though. It succeeded.
Yeah, it’s been two years now, so I think I’ve been able to reflect back. I think it was a really tough two years, but I’m sort of settling into a good place, and feel like it was a good decision in the end. But yeah, you sort of have to trust the process, I guess, so… Yeah.
Hm. Trust the system.
What was the hardest part to step away from? It seems like maybe your Twitch stream, because there was a lot of people that just loved to hang out with you every week, and it was very – that stream, which I watched it a few times over the years, was very intimate, and it seemed like there’s a lot of friends there that probably missed you when you decided to stop.
[00:15:49.13] It was really nice, actually. That was hard to step away… It was an easy decision for me to make just because I’d been doing it for five years. I didn’t start the stream to become famous, or to make lots of money, or to get attention, or anything like that. I really did start the stream because I wanted to connect with people, and sort of show them what it’s like to work on open source, and show them that JavaScript hardware is really not that difficult. You’re still writing JavaScript, it’s just a slightly different context.
So I have struck up some really lovely friendships with my mods, and with a lot of the people that were contributing to the repos that I was sort of reviewing on stream… And everyone – I just had such an amazing experience with it over five years, but it just felt like it was time to step away. So it was an easy decision, but obviously, I miss that weekly community. It was just really fun to have everyone in the chat. But it sort of wasn’t something that I was relying on as a an outlet to seek approval, or compliments, or anything like that. So it just felt like it got to a point where it was too popular for me, to be honest. It’s not as if I was like the people that get millions of viewers in eSports, but 300 people on a Sunday morning is a lot to handle, especially for my mods, too. And I would say that that was just too successful for me. It’s just, it broke outside of the tiny community that I would have been happier with, and we were getting less and less productive as a result, too… And I don’t know, it just bothered me a lot. I was starting to lose a lot of privacy, and I was just starting to feel that I wasn’t really streaming for myself anymore, I was streaming because there was an expectation to.
That’s hard.
That got really serious, really quickly. I’m sorry.
No –
But I had such a nice time, but after five years, it really just felt like I just – you know, I think that I go through a lot of change as a person, and I think I was just ready to pull back a little bit.
Yeah, it’s hard to show up whenever you feel like you have to show up, not when you want to show up for the right reasons… Or even if you want to, but you feel like you’ve got to perform, versus just create and explore. We’re seeing that on YouTube over time; there’s lots of cycles where longtime YouTubers will step away because they feel like they have to serve the algorithm, not their creative selves, or their audiences sort of like have an expectation. And they will publish something, or put something out that is like off from center, from what their normal content is, like “Hey, can you get back to talking about this thing that I expect you to? Come on, monkey. Dance.” [unintelligible 00:18:28.12] kind of thing. And that’s kind of bad when it comes to – because it’s kind of a double-edged sword, right? You get out there and you do your thing, and then it’s like “Well, you’re kind of popular”, or you have some version of popularity, and that just kind of like compounds, and morphs, and grows… And some people like us, Jerod and I, grow it into a business, and we’re fortunate, and we show up and we like doing it. And I think it’s a part of our job even, Jerod, that is chore, and also very much love… And that kind of comes with anything. At some point it becomes toil, right? How do you stay in the game and love the game, and kind of keep that privacy that you want to when you’re famous? Or at least Internet-famous.
Yeah. I know famous is kind of this very highly contextual thing, and what we’re talking about is we’re all nerds, and we have X amount of nerds who want to interact, or like watch your stuff, or listen to your stuff… So I think you two are very well poised to talk about this again, and because you do so many of these recordings too, I can imagine there are days where you’re just like “I just don’t want to show up. I just don’t want to do this at all.” But it is really rude when you have people expecting you to conform in a certain way. It’s like that monkey dance sort of thing.
[00:19:46.28] I think that where I was really fortunate was because I didn’t rely on it for my livelihood, and again, I wasn’t doing it for to feel like I was worthy, or that I was cool, or anything. It was just so easy for me to step away, because as soon as it’s not fulfilling in the intrinsic way for me, it was just way easier for me to walk away. And so I think I’m thankful for that, but I think people didn’t really understand at the time why I did it… Because I think a lot of people aspire to be popular, or famous, or have people say really nice things about them, and follow them online… And I’ve never given a – I’ve just never cared about Twitter followers, or amount of followers, or amount of this, blah, blah, blah… And I think that some people project those values on you because they have them, and they they look up to you and see you as having achieved something they want to achieve, and that also made me feel uncomfortable, too.
So it is a lot easier to walk away when you compare it to YouTubers who are doing it full-time, and they need people to watch to make them money, from the advertising and things like that. And so I think that’s a really hard place to be in.
But it’s not something that I super-relate to, just because - yeah, I can kind of do what I want, if that makes sense.
Why did you start it? What was your internal, intrinsic motivation to begin with?
It’s sort of what I said before, which was – like, I saw my friend Nolan Lawson do a stream of him maintaining PatchDB. Remember when the offline sort of stuff started coming up –
I do, yeah.
…in local-first, and all of that. And I have open source libraries that I maintain, but like really small; just very small activity on them, because they’re very niche. Whereas PatchDB was something that was being used by a lot of large companies, but also small startups, and individuals… And so watching Nolan just maintain open source in his way, and go through the issues and triage them, and like bug squash and stuff - it was just sort of so interesting. It was a totally different open source experience to me. And I was like “That’s so cool.” And I remember thinking “Maybe this would take a lot of the fear out of – like, I was already doing public speaking, and I was already finding that people were putting me on a pedestal, and I absolutely cannot stand that, because I think that it’s very self-defeating… And if you want to do things, you should just do them, and you shouldn’t let others you look up to make you feel like you’re not good enough to do it, and things like that. And so I already didn’t like the reaction and the way I was being treated by others just because I was up there at certain conferences giving talks… And so I thought “I’m just going to show people that I’m just literally like everyone else.” I sit in my code editor, and I stumble, and I do typos… And also, again, the JavaScript hardware stuff seems intimidating, but at the end of the day it’s writing in the same language that you write in for your job if you’re a frontend developer, or a full-stack sort of Node.js web developer…
So yeah, it was really just demystifying stuff, because I benefited so much from Nolan’s stream that one time. I was like “Geez, this is fascinating.” And I just really wanted to help dispel a lot of that. And then ironically, I ended up even more on a pedestal from my stream, which you can see now why it was so frustrating for me, where I was like “Cool, that just made everything worse.” And I can’t control how people are going to treat me, and that was a lesson that I learned. You can’t control the narrative in that way. You’re just not going to be able to. So…
Yeah. There’s a weird psychological thing… Maybe, Adam, you know more about this than I do from your Brain Science studies, but… There’s something about confidence that comes from not caring, that actually refeeds the same loop… Even with attraction, where it’s like the person who’s not desperate ends up being more attractive to other people, because of that mere fact that they aren’t. And so there’s something about that with, I think, confidence as well, where the fact that you weren’t there for these ulterior motives is actually even cooler than if you were. And it’s like, that feeds back into the coolness factor… You guys understand what I’m saying here?
Mm-hm…
I don’t know how to describe it very well, but there’s something to that, isn’t there, Adam?
[00:24:02.19] I’m just not sure if confidence is the right word.
I’m not either. I’m just talking… I’m not very confident about this…
Well, so this might blow your mind, but I learned this recently… That confidence is memory of past success. So you have confidence, and you move with confidence, I suppose - to use the word in the description or the definition…
You can’t do that, it’s illegal.
It’s illegal, right? Yeah, it’s illegal.
[laughs]
Confidence essentially is memory of past success. And so I’m not sure, if that’s true, if that translates like that. But maybe self-assurance. I think that when you’re secure as a person, secure in who you are, secure in who you want to be, your identity is intact. You’re not wayward with “Who am I? What am I? Why am I?” I think it’s a little bit easier to be more steadfast and strong in those regards… And that is an attractive trait, obviously. Or traits.
Right. Yeah, I think self-assurance is a good way of describing it… And I think that it does take that in order to go live on the internet, and code in front of strangers… I mean, you have to have some self-assurance, because they’re going to be watching your every move, right, Suz? I mean, the fact that you’re okay with just making mistakes in front of people requires a certain level of self-confidence. Ah, not confidence, I guess.
It’s okay…
I guess I’m still going to stick with it. I think it’s self-confidence.
It works. It’s just challenging, that’s all.
Yeah.
It’s a podcast.
…that a lot of people don’t have. I mean – or you have to build it, you know? Even your – what about your keynote speaking; speaking in public, and stuff… Are those things that require practice, nerves all that kind of stuff? Or do you have similar lack of fear in that area?
I thought I recall a story… Suz, did you tell us a story about a speaking engagement? Was it private that you told us the story, or am I remembering the wrong person? I feel like you told us a story, you’re nervous when speaking. Does this ring a bell to you?
No.
No. [laughs]
I mean, I get nervous when I’m speaking, I just don’t think I told you this story. I’m not just like “No, I don’t care.”
Like “No, I don’t get nervous.”
Maybe… I mean, so I was really nervous when I gave that keynote at OSCON, the same OSCON I met you two, because they said “You have eight minutes”, and then I came up with something super-ambitious, as usual, because to me that was a pretty big opportunity, to give one of the opening keynotes at OSCON. And I wanted to – and somebody had recommended me, so I also was like “Oh my God, their reputation is at stake”, you know? And so I took it extra seriously. I take all my talks seriously, but I took that one extra seriously. And you can see in the video, my hands are just like this… Because they had to zoom in –
Was it live coding, or was it scripted? I remember there was a demo. Was it live coding?
It was live coding, and it was semi-scripted. So I had almost like a dice roll thing, where I rolled the dice, and it chose like a sensor, and then some kind of output, like [unintelligible 00:26:50.19] or a screen, or something, and then I had to come up with an idea in between. And to be honest, it wasn’t super-planned. I just knew that I’d be able to remember how to interface with every single device that I’d brought along with me. And so it really was actually unplanned, and the two things that I ended up rolling weren’t actually random. I remember re-rolling, just because the first one I was like “I’m not feeling that one.” But the second one I ended up choosing… So it was semi-scripted in that there was some constraints there, but I really had to do it on the spot.
But the point was I was trying to prove that, again, in eight minutes, if you know a little bit of JavaScript, it’s really not that hard to take a sense of value and then do something fun with it on the other side of it. But I think I ended up accidentally intimidating people more, because they focused more on the fact that I was able to achieve it.
But I was really nervous actually for that particular talk, because it was eight minutes, and there were a thousand people in the audience there for the keynote. That was my biggest audience as well.
I’m going to put this [unintelligible 00:27:53.28] Check this out.
Yeah, that was it. Oh, my God. You can hear it in my voice, and everything.
[00:28:00.29] It’s only because I was there with a camera. I was really into photography then.
Oh, you took that picture, Adam, huh?
I took this photo. Yeah.
Nice.
Yeah, that was it.
We can include this as chapter data if you like, Jerod.
I think we actually talked to you shortly after that. I think you had just come off the keynote.
Yeah. Almost directly after.
You were like decompressing live in front of us. It was awesome.
It was a lot.
Because you were so wound up for it. There’s something about that moment when you’re done, where it’s like, everything’s better, you know… At least that’s how I feel.
It’s funny, because I always go into a hole afterwards, actually. I think that when the adrenaline washes off, some people feel that kind of relaxation and euphoria that they’re done… And for me –
It’s not like that?
…I sort of go into a hole. And I think I’m not great at compliments, and so I got a lot of compliments and accolades as soon as I walked off the stage; people were sending me crypto, as well. Crypto micro payments, and stuff. It was just so weird, and so –
See? Dance monkey…
People kept stopping me on the floor and saying –
Dance monkey. [laughs] “I want you to do more. I’m gonna put some money in the coin slot.”
Se, it’s how it’s it works.
I was getting tipped on some platform where you can tip people, and a lot of it was crypto. So it was really nice of people, but I was getting this thing like “Great talk at OSCON!” and I’m like “Uh, where is this coming from?” So again, when I got off the stage and people were like “I could never do that”, that’s when, again, I was like “I failed.” I ended up just being a show-off, instead of being accessible. And so I fell into a hole about it, because I felt that the attention that I got was unwarranted for the message I was trying to put out.
Oh, gosh…
So I just never learned that lesson, apparently… But I also just cared so much about creating – you know how when you go to the keynotes and a lot of them are sponsored, and they’re just like “Oh, my God…” You’re just waiting for them to finish. And I just didn’t want to be that keynote, even though technically I did have to mention the sponsor, which was the company I was working for, and everything… But I was like, I just don’t want it to feel like one of those really sterile, very clean keynotes, that are just very constrained in what people are allowed to say. It’s just doing the audience a disservice, right? I wanted to get them pumped up for the conference.
Yeah. How did you end up mentioning the sponsor or the brand you worked for at the time?
So I think I had the easy setting working at Microsoft, because you can basically choose almost anything as long as it’s a Microsoft product… And so I was using VS Code, which at the time was almost like a cheat code for being able to get it in there. But I also think that I was mentioning something else that I was using, one of the Workbench toolsets or something that was particularly good for Arduino, that Microsoft put out at the time. And I think I also recommended another platform they have called MakeCode, which was this really cool in-browser IDE for interacting with some of their hardware pieces, too. So I think I made mention of that at the end. If people are feeling intimidated, that’s actually a really good way to get started…
You’ve gotta hate it when a successful keynote backfires, you know?
It sounds so ungrateful, doesn’t it?
All you get is compliments and crypto…
It sounds so ungrateful, but I think that it’s good to talk about this, because it does explain why I sort of seemingly disappeared. I just don’t think it’s for me. Again, I never really sought the attention side of it, and it just bothers me a lot, because I am quite introverted, and also, I want people to focus on my work and not me.
Sure.
And I think that’s where I also struggled, too. I was like “No. So I’m trying to show you this thing, and you keep putting the attention back on me.” And I wasn’t having the conversations with people afterwards that I wanted to be having. And so I felt kind of lonely and frustrated as well.
[00:31:47.03] And again, I think it’s a huge privilege to be a public figure, and you don’t sort of feed off the attention… And I didn’t do it because I was sort of trying to fill that sort of void for myself, but at the same time - yeah, it sort of made me feel very ungrateful for it, because I know a lot of people would kill to be in my position, and I just sort of – in their opinion, I might have thrown everything away… So yeah, it’s interesting. I’m very grateful, obviously, for a lot of the doors that opened as a result of me doing this, I want to make that very clear. And just the fact that I talked on Changelog years ago, that was because of the public work I was doing.
It was.
So it’s opened a lot of doors… Yeah, it’s really helped me in my career, but I think there were just kind of surprising side effects for me at the time. So it’s sort of hard to – sometimes it’s hard to really reflect on that as much as I should be.
Yeah.
So given that, what is your – if you don’t care for the attention put on you when you put yourself out there, and your ideas, what is your perfect world? …in terms of when you show up to the world and you do what you do, what would the better or more preferred reaction be?
I think people coming up to engage about the technical parts of what I talked about… More just technical discourse.
I don’t know, I’m such a nerd. I just want to talk about that. So I caught up with someone recently who I hadn’t seen in like 16 years. We used to teach together at the community college. And I met up with him, and we went for lunch, and he was just like “What are you working on?” And I told him about one of the projects I was doing, and I also told him about another hobby I’ve picked up, which tends to get a lot of questions very quickly, and people going, “That’s so awesome. You’re amazing”, and they focus on me again. But he was focusing on the tech stuff, and he immediately started asking me technical questions about the project I was working on. And I wanted that, because I wanted somebody to sort of like ask questions from their perspective, which will help me either improve the project, or just talk things out, almost like a rubber duck kind of way, and just like nerd out with each other.
And so I think my idea would be just me having a – just going back to the early 2000s, having a blog, like I used to have back then, too… And publishing a project, and like 99.9% of the online population does not care about it, but you get two or three people that are like “This is awesome. Can I send you this link to this other person, who’s done this thing that reminds me of your project?” And “I have some questions”, or “I think you could improve it with this.” That’s the only discourse I really want. I want it to be about the works and about people helping each other change and improve, and push things a bit further, and not be about the personalities. I think that’s just what I want.
Break: [00:34:40.17]
Have you ever considered going anonymous?
Yeah.
Yeah…!
Actually, I’m not close to my bookshelf… I think actually we’ve talked about weird stuff like dead man switches, and things, at OSCON. I’m not near my bookshelf right now in my living room, but I have – I forget the title of the book, but it’s quite well known. It’s something like “How to completely disappear”, or something like that. I forget what it’s actually called. I’ve thought about it a lot. I do have an anonymous pseudonym online, and I do have the domain name for it, and I got an artist to actually draw sort of like the character and everything… So yes, it is a thing, and it’s something that I’ve thought about for a long time, and I think that’s what I’d like to do, with certain projects… It’s kind of lik when famous authors do like a pen name or whatever, they have like a different name, because they want to release the book, but not have it be received with their infamy. I think it’s very similar for me.
Right. So we were talking with Chris Wanstrath a couple weeks ago, founder of GitHub, one of the founders… And obviously, after GitHub sold to Microsoft, he took his money and went home, and took some well-earned rest time. And during that time, he got eventually bored of playing video games and stuff, and he got back into coding, but he didn’t want anybody to know that it was him, because everyone’s going to treat him differently, especially on github.com being defunct. You’re not going to just treat him like a regular person.
So he went and just created an anonymous handle, and he was contributing to people’s projects for a long time as this just rando person that likes open source. And I think he had a lot of success with that. Eventually, he said he pulled the mask off to a few folks, who he became friends with eventually, that he was like longtime contributors to their project; they became friends, and then he would tell them who he actually is. But he had a lot of success with that, and I think that that’s one way that you can get what you want if what you want is like focus on the work, focus on the technical, focus on maybe my thoughts, my words, and not so much on my person, you know?
Yeah, I 100% agree with that. And yeah, I feel like I am on a very similar wavelength to him. Oh, the book, by the way, is called Extreme Privacy.
Okay.
And then the byline is something like “How to disappear”, or whatever. So…
You could be like the Banksy of the programming scene. [laughter]
But that’s the thing, but now he has infamy, right? And people are going to find out who he is.
Right. You just can’t ever pull the mask off, that’s all.
I’ll just have to do really lackluster projects as well.
Yeah, you just have to suck more, you know?
Just don’t be good.
Sorry for my [unintelligible 00:39:08.00] That was so gross.
It’s wild to hear this, because so many people – I don’t really know why, I suppose, or what is drawing folks to this desire… But a lot of young kids – I have young kids, and so I’m seeing them grow up, and I’m seeing the friends that they are making, and friends that I’d like them to make less friends with. And I just see their influences. And they’re younger. They’re not like in their teens, they’re younger than teens. And I have an older daughter too, and so she’s in her 20s, and I’m seeing this shift between different folks. For a while there, people want to be YouTubers. They want to be Instagrammers, or whatever this thing is. They want, for some reason, this spotlight, even at a young age. And I’m not really sure what exactly it is that attracts them there. I suppose it’s the opportunity of various influence…
[00:40:05.23] But I think even at a young age – I couldn’t imagine having influence in my 20s. If I was influential in my 20s - wow, the world would suck a whole lot more than it already does, and it would not have been a positive thing for me to have any sort of primary influence on the world in my 20s.
Right.
It’s so strange that people seem to chase some version of fame or influence. And that’s wild.
I don’t find it strange. I mean, I think it’s pretty common. I mean –
Strangely common.
The desire for fame and fortune is like deep down inside of us, isn’t it?
I suppose, but it seems like it’s a cultural norm where it’s dramatically more than there was. Let me think of when I was a kid. Let me show some of my cards. I desperately wanted to be a ninja when I was growing up, as a kid. And I think that’s maybe a character. I wasn’t seeking fame. Now, I can also say that for a long time there I said I wanted to be a corporate lawyer. And the only reason was because I thought I could be rich.
You did say that.
And I didn’t know any better. I was young.
Because you were a really good storyteller, right?
Something like that.
[laughs] I remember this.
But other than that, I was not interested in being famous.
Were there any heartthrobs, Adam, when you were growing up and you thought “I would love to be like him”? For instance, I can say when I was young – I have an older sister, three years older, and she had friends. And so, of course, younger boy, older sister, sister’s friends… Very stereotypical, right? And they were very much into new kids on the block. This was like 1990, so I was 8, 9, 10 years old. And specifically, was it Donnie Wahlberg? I don’t know, I can’t remember who the new kids on the block were. But they were heartthrobs, you know? They’d walk into a room and all the women would scream. And then they’d have all this money, and these cars, and everything. And it’s like, I wanted to be that guy. I don’t think that’s abnormal. Did you have anything like that, or you just wanted to be a corporate lawyer ninja?
Uh, yeah, corporate lawyer ninja all the way.
[laughs]
I’ll answer your question, but I think what I’m driving towards is a little different.
Oh, okay.
And I don’t disagree with what you’re saying necessarily, but I’ll share the story, because this is fun. This is fun stuff.
This is fun. Suz, are you having fun over there?
I’m very excited about this story, actually.
[laughs]
So I have five numbers for you. I’ll say it. 90210.
Okay. So you wanted to be Matthew Perry. No, not Matthew Perry. That’s from Friends.
Well, either. I guess [unintelligible 00:42:36.10] But Jason Priestley - I was like “If I could be that–”
Jason Priestley. That’s his name.
“If I could be him, my life is solved.”
Because of the sideburns. [laughter]
Sure. The wavy hair… I don’t know. All of it. California…
All of it.
Yeah, you know…
They were very cool. They were extremely cool.
They were very cool.
They were cool.
And what an interesting TV show. What an interesting premise to even reflect on mentally right now… But I think what I’m talking about is different than that. And maybe it’s different, but kind of the same. And I think what I mean by that is that it seems like kids are really into Jordans. There’s shows about Jordans, pawn shops, getting them, people trying to scam…
Are you talking about the shoes?
Yeah, that’s always been a thing. Jordans have been a thing. But I think there’s a lot of people trying to show off the things they do on the internet. Primarily on YouTube. Everything from really cool Lego building, which is like super-admirable… Very engineering-focused. A lot of opportunity if you chase it. To Lego cooking. Who watches Lego cooking?
Lego cooking?
Lego cooking.
Never even heard of it.
Suz, tell me. You’re with me on this.
I’m sorry. I’ve never heard of this.
Oh, gosh. Okay.
So you cook Legos?
No. When you go and you find out Lego cooking, you’re gonna be like “Oh yeah, this is the coolest.” It is stop motion film. The person cooks… It’s just stop motion film. It’s very artist-driven.
[00:44:02.09] Oh, cute.
Okay.
And they make everything. So they take a hatchet and they cut something, and it’s Lego inside. It’s all Lego.
Everything’s Lego?
Everything’s Lego.
Okay. So that’s cool. Stop motion video. I love it.
I just feel like all this stuff in this media is getting people to want to – they see the people they look up to be famous through platforms.
Right.
And so it’s obvious. Like, 90210, Jason Priestley… Although I didn’t want to drive a Corvette and I didn’t want to be any of those people, but I was like “If I could do that, I would have arrived.”
Suz, who did you want to be when you were a little kid? Do you have any–
Yeah, it’s a really good question. I don’t really remember. I’m sure I had them… Mostly – so I was very unpopular in high school. So any female pop star, I just wanted to be as attractive as them more than anything… Because I think that – everyone I think latches on when they’re young to what their model of power is. So I think these days having a YouTube channel, making lots of money and then being able to have the freedom to do what you want with that money, that’s power. So when you grow up as a cisgender woman, you are told that your power is in your looks. So I don’t know if I looked up to anyone specifically and wanted to be them, but I remember just thinking “I would probably not be treated as poorly as I was if I looked more like Britney Spears”, or something like that.
Right…
Yeah. Sorry, that was a very disappointing answer, but I just honestly, I don’t remember if there was anyone who I wanted to be.
It’s alright. That’s fair.
What did you say, something of power? Remind me of the phrase you said.
I just think that everyone has their own idea of what would give them power, and how to actually get there, and I think power is a lot of different things. It’s the ability to influence, and… So yeah, I just think that people latch on to a certain form of power, that they want, and they think that they have a chance of sort of being able to acquire… But yeah, I think when you’re a teenager you’re not quite moved out, you’re not quite a kid anymore, and you’re trying to have more control over your life, and you’re trying to establish your identity and things like that, and I think that’s a very influential time and formative time. And I think that’s where you sort of really start thinking about power in a grown up way as well, and how to acquire that power.
I’m glad you mentioned that, because I think that’s spot on, because I think you may have answered my question, which is what is the reason why… I don’t really think it’s super-strange behavior, Jerod, to want to be famous, but I think it’s kind of strange that it’s so pervasive. It’s so out there for everyone; it seems, at least, and I could be just being hyperbole. But I think you’re right, Suz, that especially when you’re younger, teens, 10 to 16, you’re trying to assert yourself, you’re trying to assert any version of dominance, regardless of gender. You’re trying to showcase that you can control situations, or be in control of your own life, and your own destiny, and you’re trying to direct things… And I think that that probably is a reason, is like “Well, if I have this, then I have power to assert my beliefs, my ideas, control over my future”, et cetera.
I think we just see it more now, because it’s so easy to put yourself out there. Whereas you go back to when we were children, and those people who wanted to be famous - well, they had to go move to Los Angeles, and wait tables while they did all these tryouts, and stuff… Their failures weren’t public. They happened, but we didn’t see them; or their desires to be that thing - nobody knew that I wanted to be Donnie Wahlberg, or whatever his name was.
[00:47:51.19] I actually – more than that, I remember being like “Man, girls like the new kids on the block. I wish I was one of them.” That was a fleeting moment. But my desire was more to be a professional athlete, which is another route to all the exact same things.
Oh, wow.
And so I wanted to be either Michael Jordan or Ken Griffey Jr. So like baseball or basketball. Those are actually guys that I really wanted to be.
Same with Ken Griffey.
Whereas a passing fancy was “Oh, I’d love to be a famous singer.” But I actually was like “If I could be Ken Griffey Jr. and do what he did, that would be a great life.” And so I actually put effort into that kind of stuff for a while, but… I don’t know, I just feel like we see it more. I think it’s more tangible to how easy it is… I mean, it’s hard, but it’s also easier now. I mean, there’s more.
It’s more accessible, I think.
Yeah.
I think it feels more achievable. Like, you cannot be what you cannot see. And I think if you see regular people, even Justin Bieber, and Billie Eilish… “Oh, they had a Soundcloud or whatever, and that’s how they blew up”, I think that that story now just feels much more accessible than the moving to LA thing. I think you’ve got something there.
Should I close the loop for you, Jerod, on the names of all the NKOTBs?
Yes, please do.
Jordan Knight, Jonathan Knight…
Yes. Brothers.
Joey McIntyre.
Okay, the baby face.
That’s right. There’s always a baby face in these boy bands, right?
Yeah, and then there’s the bad guy.
Donnie Wahlberg. May have been the bad guy.
Yeah, I think Donnie was.
And then Danny Wood. Now, when I say [00:49:22.19] “Whoaa-aaa-aa-aaah”, what does that make you think of? Hanging tough, right?
Hanging tough.
There you go.
Yeah.
Sample: [00:49:28.24]
Suz, do you remember New Kids on the Block? Were you around?
I do, but I’m a tiny bit younger than you. So I do… It was more –
NSYNC.
Yeah. Backstreet Boys, NSYNC… What is it, 98 Degrees, 90-something degrees…
Oh yeah, 98 Degrees.
98 Degrees, yeah.
Blue? Do you remember Blue? The UK guy?
“I’m blue, da da dee da da”?
No, no, no, not Eiffel65. There was a UK group called Blue. But anyway. But I do remember like Wham as well… So I’m an ‘80s girl, so I do remember a lot of that stuff. It’s just by the time I was sort of at that impressionable sort of tween stage, it was Backstreet Boys, and things like that.
Right. That was actually more my timing as well. It was my older sister that was New Kids on the Block. So I think I was more – I had them at a younger age, but yes, in my formative years it was NSYNC and Backstreet Boys. And by then I didn’t look up to those guys. I was just kind of annoyed by them… Although there was some talent there… But thanks for closing the loop, Adam. Now, please move us to a new loop, before we start singing again.
Yeah, I’m not going to sing again. I just had to – I hummed, basically. It was not a sing.
Break: [00:50:45.28]
What is on your mind, Suz? What is it that’s got your attention in terms of like technical prowess, exploratory…? Are you playing with hardware still yet? I did not catch your conversation with Quincy yet, but I’m understanding that you’re now a white hat hacker, and the NSA sent you a fidget spinner… Like, without sharing the whole podcast –
Now, that’s cool. [laughs] Hold on. Yeah, let’s stop right there and talk about that.
Well, without sharing – I mean, you can go probably listen to the conversation with Quincy, but without literally copying what was there, what are you into?
Yeah, so I was a little bit just like – that was such a tongue in cheek moment in the podcast that I didn’t realize it was going to become like this big thing [unintelligible 00:56:01.29] title and everything… No, honestly, I went through the bachelor degree to get my cybersecurity diploma, mostly because I just wanted like a curated curriculum. Because I tried to learn cybersecurity before that, and it was just – it’s so broad, and so deep… It felt like – yeah, it just felt like sort of starting again, and so I went through that degree program. I just really, really enjoyed it, to be honest. And through that, through the cybersecurity club at the college I was at I got exposed to the capture the flag competitions, which are like hackathons, but instead you’re actually hacking. So they’re giving you puzzles to solve, and boxes to hack into, across all the different disciplines of cybersecurity. So I was just really enjoying that.
I’ve always been very interested in not just frontend development, which is how we met, but like just everything to do with tech. I just love learning new things, and I love being able to sort of – like, I have the breadth now over the years, but I love being able to choose something and go “I’m going to go super-deep for a bit, and then sort of come out and then look for something else.” And cybersecurity was sort of the most recent deep-dive for me, and I still really, really enjoy it. And then I landed a job at a cybersecurity company right as I was graduating, which was just dumb luck, because I was putting a lot of my certifications and CTF results and stuff on LinkedIn, and I think that got a recruiter’s attention.
So yeah, that’s sort of how that conversation with Quincy came about. It was just something that I’ve been into, and I’m still actually pursuing that in my spare time, pursuing cybersecurity projects and learnings and deep-dives and stuff like that.
How do you cybersecurity?
What do you mean?
[laughs]
Exactly. How do you cybersecurity? Like, what exactly is cybersecurity? It’s so broad… I’m also sort of mesmerized and also enamored by the idea of hacking things, or being aware there’s a box over there and there’s some sort of vulnerability and I’ve got to find it. There is a way in, but it’s up to me to find the 10 or 15 or hundreds of ways you could get in. That to me is interesting, not pursuing it personally, but it’s very – there’s a lure there for me.
Yeah, I think that’s what the lure is for almost everyone getting into cybersecurity. It’s that intrigue, and it’s kind of getting to feel like the bad guy without being arrested and put in prison… [laughter] I mean, honestly, a lot of people just say the same thing as what you’d tell to somebody who wants to learn to code, right? “Just jump in, just get going. Find some resources.” There’s so many resources online.
Kali Linux, right? Spin up a VM of Kali Linux, or install that…
Yeah, Kali Linux, spin up a bunch of VMs, blah, blah, blah. Yeah, exactly. It’s not difficult to get started. It’s just that it’s the same thing when you start anything - you don’t know what you don’t know, and you can just feel lost. There’s all these different directions I could go in. It’s exactly the same as someone learning how to code. It’s just a slightly different technical discipline, I guess. But yeah, there’s a lot of appeal in just having a go at these CTFs, because it is a really fun puzzle. It’s like an escape room, essentially, kind of vibe. If you really enjoy escape rooms, obviously you’ll really enjoy cybersecurity as well.
Did you enjoy the movie Escape Room?
I haven’t actually seen it. I’ve seen Panic Room, but I haven’t seen Escape Room.
Oh, Jodie Foster? I’ve not seen escape room either.
It might get you… What about Mr. Robot?
That’s too intense for me. Occasionally I come around to the idea of I’m going to watch it, but I’m very sensitive as a person, and so I actually get my friends to pre-vet most of the shows that I watch, because they’re like “Is this something Suz can watch or not?” Because if it’s a bit too full-on, I either can’t sleep, or it’s just – I’m not relaxing while I’m watching it. I’m not sort of there for the tension thrillers, and things. I don’t get a sort of thrill out of it like a lot of people do. But I love the idea of Mr. Robot, because I’ve heard it’s quite technically accurate… So it could be really satisfying to watch.
[01:00:11.15] I can concur with that. It’s very – from what I understand of how do you cybersecurity… It was a joke to ask you how do you cybersecurity. It was not meant to be a perfect sentence.
Yes, I’m bad at jokes. Yeah.
Yeah, sorry about that. I can attest that Mr. Robot was an amazing series. It doesn’t go where you think it should. You may enjoy it, but it’s very technically accurate, and quite scary in terms of maybe how fragile the world is. You probably see that now that you’re deeper into it, how fragile the world can be with cybersecurity. We just had a major outage, a BSOD across the world… And it’s crazy. It’s now sort of front and center to everyday citizens globally, because it was a global scenario, you know?
Yeah, 100%. Full disclosure, I just left that company.
Okay…
So it was very close to home when it happened, because I left CrowdStrike in March.
Oh, wow.
And so the fact that I was on the inside, I know a lot about how the software is developed, I know how careful the company is about rolling that stuff out. And I do respect the company a lot; I really enjoyed working for them, and did enjoy learning about how a company does modern antivirus software… And so even seeing a company that’s doing so well just make one small mistake, I think that what you’re saying is a really good point. And considering I had even more context, I was actually quite surprised that it happened, just given how cautious I’ve seen them, having worked for the company… That yeah, even the good guys can take everyone down.
Right.
And so it is incredibly vulnerable. And it grounded flights… It was very much like that Die Hard movie with like Justin Long, where they figured out how to manipulate all the traffic lights and all the things around the city, right? You’d be surprised at how few of these systems are actually well secured. And my time at CrowdStrike, I did a little bit of work on industrial control systems as well, and just knowing there’s like this – what is it called? The seven-bullet rule, or something? It’s like, with just seven bullets you can do a lot to take down most of the important energy infrastructure in the United States. I’m talking off the top of my head, so I’m getting a lot of the details probably messed up, but there’s this kind of like saying in industrial control systems, the seven-bullet theory, like “If you had them, could you take down entire grids?” And yeah, a lot of those systems are running on old software. You see ATMs running Windows XP, right? When you see it crash. And it’s just horrifying how fragile those systems are. And when you work for a cybersecurity company and you’re watching customers get hacked, and you’re seeing how it happened… A lot of the CTFs aren’t necessarily very contrived as far as the vulnerabilities that they’re leaving on the machines. They’re quite realistic vulnerabilities. They’re just a contrived storyline and narrative. But it’s really not that different from everyday ransomware attacks, and things like that.
So CTFs are fun. I did those back in college. I really loved it. And I think working on a red team would be super-cool. I don’t like the fact that at the end of it you just have to write this long report. I don’t know, maybe the LLMs write that for you now and it’s less cumbersome… But I hated that part. It’s like “Oh, now I’ve got to write a hundred-page report.” And it’s like “Well, I’d rather just do the hacking and you write the report. Thank you very much.” But is that what you were actually doing, was red-teaming and stuff? What’s your day-to-day?
[01:03:55.05] I’m of the same opinion as you. I think it would be very tedious as well, because it’s not like you’re sitting there, having fun on a Saturday night with a whiskey. You’re having to be very methodical as well about how you go about things… You have to be very careful not to take down their systems. It’s not a realistic hacking scenario. There are the rules of engagement, which is literally a document you have to cover with them first. And then you have to make sure that they’re not going to call the cops on you if you physically get into the building, but then they catch you… It sounds thrilling, but it’s actually quite methodical, and I think it takes a lot of the fun out of it.
So I was working on a research and development team for threat hunting technology, essentially. So the human side of cybersecurity, where you’re constantly looking ahead and trying to find heuristics, and like what are the latest nation state hacker groups, what are the tools that they’re using, what are the technologies? How can we get ahead of them? How can we design tools that are always ahead of the curve, and not necessarily just trying to be whack-a-mole and things like that? So it was more – I worked with data scientists, researchers, really smart people with PhDs, and I’m like this code monkey, helping them prototype their ideas and things like that. So I was definitely more on the blue team side and not the red hat hacking.
Yeah, that sounds better, actually. That sounds pretty sweet.
It’s still a game, right? Like, we were still playing the game. We were just on the other side of the game. And so it can be really satisfying if you design a tool that helps track down something that hasn’t been tracked down before, or just helps threat hunters do their job much more efficiently, so that they can just kind of look like these supernatural hunters. There’s just something really – that was really interesting about that problem, that I really enjoyed working on.
What are the various tools in the tool belt of a threat hunter?
I don’t know if I can talk about the specific ones at that company…
Sure. Generalize maybe.
In general, working with intel groups so that they can – you know, there are a lot of intel groups around the world, including governments who are embedded in these groups, and operating under pseudonyms online, and are actually interacting with these groups and finding out information… So a lot of it is intel, but also threat feeds, like being able to see new signatures and things like that. But the actual tools themselves tend to be tools that allow these threat hunters to look at an intrusion after it’s happened, be able to kind of look at the chronological events that took place, and just get a holistic view of it.
It gets to the point where threat hunters can look at a couple of lines of command line commands that were run on like an infected computer, or a computer with a successful intrusion, a compromised one, and they can immediately say “Oh, that’s that threat actor in China”, you know? And so it’s more about knowledge and knowing patterns, and being able to then be incredibly agile with being able to get ahead of, I guess, the attacker.
What kind of signatures are they leaving? What’s the breadcrumbs they’re leaving behind? Is it like literally a signature? Is it like a .dat file that’s left behind with a one-liner?
That sounds really cool.
[laughs]
No, it’s more–
That sounds like not a very good hacker, if they leave their signature behind…
Or they leave a file that says “Don’t delete me. Read this message.”
He was Banksy. It was somebody named Banksy.
It can be everything from “Did this person switch to a specific language keyboard?” It can be the specific actual hacking tool. So for example, let’s think of a hacking tool like Bloodhound, or Mimikatz, or something like that… What specific tools are they using, and in conjunction with other tools?
[01:07:57.13] It can also be things like “Okay, does this country have a major national holiday? And was there zero hacking activity on this machine that day, and then it resumed the next day? Okay, well, maybe they’re located in a specific country then”, which narrows it down to a smaller collection of threat actors. So there are all these little sort of bits and pieces that come together… And a threat hunter needs to be able to find something that happened, piece together what actually happened, and be able to inform future detections.
How do these threat hunters get access to the infected systems without fear of additional hacks, or…? I mean, is it like the Heisenberg effect - by inspecting it, you’re actually modifying it? Is it like a clone, a snapshot of the disk, and work with it offline? Or what do they do in order to actually go about their work?
Yeah, so I think you’re also thinking of things like forensics.
Yeah, I am.
I think that’s probably more the appropriate discipline. Threat hunting is not exactly quite like that. It’s more sort of data sifting than anything.
Okay.
So I’m just being really careful about my NDA right now… [laughter] I mean, you can tell. There are certain things I’m saying that are very vague, because I don’t know what would be considered proprietary information. I don’t talk about this topic very often, so it is very difficult for me to delineate that. But yeah, I think you’re talking more about forensics, and that’s something that I learned in college, how to successfully image a hard drive without actually changing a single bit… Which is harder than it sounds.
Right. It is.
And I think this is also a lot of incident response, too. So incident response and forensics are a little bit different to threat hunting, in that they tend to be doing the hands-on work and actually getting into the machines, and doing that.
I think threat hunters are taking information after the fact that’s being collected, and they’re not necessarily doing that work. So yeah, like I said, cybersecurity is really broad, and so you can split these skill sets out into different focuses.
Yeah, I definitely was categorizing forensic people with threat hunting… But I assumed they would be operating at least in similar timeframes with regards to a breach.
How do they get their tasks? Are they just sitting in JIRA, getting threat hunting tasks? I’m just joking, of course, but how do they get their missions? How do they know what systems? Are they active in literal crime scenarios? Are they working for folks like the NSA and the FBI, or private companies like you were?
It’s usually like a self-destructing letter, isn’t it? 10 seconds, and then it self-destructs…
[laughs] There are threat hunters at - yeah, like private institutions. So for example CrowdStrike’s threat hunters are actually threat hunters for hire. So they work with companies directly. And if you look at the product offering online, it’s called Overwatch. There are different tiers of it, where they’ll even give you briefings on the latest threats to look out for, and things to maybe specifically look at for your industry even. So if this company is a financial tech industry and they’re working with CrowdStrike, the Overwatch team, the threat hunters can give actual briefings on what they’re seeing as trends in that financial industry based on attacks on other companies that are similar to them.
The threat hunters do a lot of different services, and so it’s going to depend on whether you’re in the private or public sectors to like what tools you use as well. So I’m sure that there are teams that use JIRA to keep track of intrusions, and dump a bunch of data in there… But I think that a lot of these tools tend to be very proprietary. And so they’ve been designed and developed and incrementally improved based on the specific kind of work that these threat hunters are doing at their institution. That’s all I can say.
[01:12:15.04] Yeah. What’s the best way in to get into this layer of cybersecurity, whether it’s threat hunting, or looking at signatures…? Is it go to school for it, or just get steeped in it, find a community? What’s the best way in?
It’s exactly the same as coding, really. I think if you know what you want to do in cybersecurity, such as threat hunting specifically, or forensics, or something related to that, I think that makes it a lot easier. What you can do is just try and look online for resources, for free resources, or you can actually enroll in some certification programs as well, which will give you the foundation, so you kind of know where to go from there. And obviously, taking part in CTFs.
So the Codebreaker CTF that NSA puts out, the National Security Agency of the United States - we all can have complicated feelings about that company. I just want to sort of preempt that. But they have a CTF every year called Codebreaker, and it’s a reverse engineering competition. And that’s where I sort of got the fidget spinner from, because I took part in it and I sort of placed at a certain level to get a fidget spinner. But that particular CTF I would recommend for threat hunters, because there’s a sort of fictional narrative they put out as part of the CTF, and they keep drip-feeding you all of this additional evidence of a breach, and you’re supposed to unwind what happened.
The one that I participated in, they were giving you everything from compromised Docker containers, to network logs, to - yeah, like Wireshark pcap dumps showing network traffic. And so you had to reverse-engineer a bunch of binary executables, you had to figure out how the Docker container got compromised… Then you had to reverse-engineer the protocol that the threat actors were using on the network, and then you had to kind of then hack back into their computer to find further evidence, you know? I think being able to sift through evidence like that is probably the best skill to practice when it comes to wanting to get into that side of cybersecurity.
How much does that draw out your coding skills? I imagine quite a bit, as you go through that stuff, because there’s so much TDM otherwise.
Yeah, I’d say I had a huge advantage in a lot of the CTFs, because I could write simple scripts even. So let’s say you get a giant Apache log file, and it’s a pretty structured log file, right? So you can use Bash one liners, you can use ORC, and you can use like truncate, and unique, and all of those command line tools, and you can just kind of like glue something together… But if you want to do something a bit more complex, that’s where scripting just really comes into its own. And so during these CTFs, I was writing all sorts of different scripts to filter things, and to count things, and to accumulate things.
Also, there was one time where something was encrypted using RSA, and it was kind of hard to find a tool online to just like dump the text in and decrypt it. And I think that was the point of the CTF. They were trying to make it difficult. So I was able to just write a quick JavaScript implementation of the RSA algorithm, that sort of like brute-forced through and figured out the key. And they obviously gave us a weak key, because otherwise you need like a quantum computer to crack it… But that was so advantageous. Most people either didn’t solve it, or they had to find a tool online that only let you put in one character at a time to crack it… Whereas I had it written in like maybe 10 minutes, and it was done. So it’s a huge advantage, I think, being able to code.
But also, you understand how computers work as a foundation, and that gives you a really good intuition for solving problems. Like, I’ve seen people who have come into cybersecurity but not having an IT background, and there’s a certain intuition that they’re missing, where you can infer things from certain pieces of evidence. And even the Docker container thing, I was able to just jump in, whereas a lot of people were like “I don’t even know how to run this thing. I’m going to have to spend half an hour now learning Docker.”
[01:16:19.27] Right.
So I’ve always had a huge advantage in CTFs, because I do have that coding background.
Yeah, it’s a lot easier to know what to look for in an Apache log if you’ve actually managed an Apache web server for a while, for whatever reason. Or if you’ve – it’s a lot easier to use Docker if you’ve use Docker, and all these things. I mean, maybe that sounds obvious, but when you lack that context, you really are poking at a black box, and you’re just like – you can’t really get in past the surface very easily. So were you on your own, or was it teams?
That particular one Codebreaker - it was very strictly by yourself. And so I think there were 10 problems, and I made it to problem eight… And that’s where I felt that I was hitting a ceiling. It was very specialist reverse-engineering. I ended up looking at the solution afterwards from people doing write-ups, and I was like “I never would have got that.” You had to sort of do this weird – you had to roll the protocol correctly, but then you also had to kind of plant a buffer overflow in order to sort of get through it. I was like “I know how to do toy buffer overflows when the conditions have been presented to me in the correct way”, but it’s a lot harder for me to do that because I don’t have a lot of practice with it. So yeah.
That’s as far as I got back when I was in school, was like I understood how they work, and I could recreate one given certain circumstances… But if you wanted me to actually go in and execute arbitrary code, with the NOP sled and stuff… Like, I don’t know how long to do this thing in order to land in the right spot.
Yeah, yeah. And like how much do you keep going until you give up? Because you’re just like “Just one more, just one more. One more nop…” So in the end, the solution was to use [unintelligible 01:18:02.12] as well. So using gadgets, using assembly gadgets after the NOP sled in order to then like return to C, or whatever, so that you could then run little snippets of the assembly code that were present in the program itself to get what you need. And so I looked at that and I was just like “Yeah, there’s no way I’d be able to assemble that. That’s something that I want to practice for next time” sort of thing.
Yeah, that’s some expert-level stuff right there. Us mere script kiddies can’t go there, you know… We can just run the scripts…
Well, it was interesting, because one of the write-ups that I read was by a high schooler, and I’ve never felt so insecure in my life after that. [laughter]
Well, that’s the thing. They’re on YouTube, getting impressed at a young age, and next thing you know - white hat hacker for the NSA.
Yup.
You said you did 8 of 10, is that right?
Mm-hm.
How did you even get involved in this capture the flag in the first place with the NSA? What made you find it, discover it, want to do it?
Yeah, it was through my cybersecurity club at my community college. It was actually a really high quality cybersecurity club. I’m still in contact with them, and I still volunteer and help people ramp up to doing CTFs. Like, I’ll teach them the coding sort of stuff. It’s like “Oh, here’s how GitHub works. So if you need to clone down a tool that you can’t find anywhere else and get it running, here’s how to sort of use GitHub in its basic form.”
Yeah, so it was through the community college cybersecurity club. They have a Discord that you can join when you’re a student, and they just put – there’s specific channels set up even for specific CTFs, so it’s almost impossible to miss out on when there are actually CTFs going. And people will announce them, and they’ll also hold information sessions, and like I said, tutorial nights where you can go along and follow along and learn a new skill that will help you to tackle those CTFs better.
[01:19:56.10] And then for the CTFs that have teams, that school would also help people form teams as well, which was really cool. So I think that getting involved in the cybersecurity community is one of the only ways to really know, unless you literally google like “cybersecurity CTF list”, or something. That can also help. But most of the CTFs I was doing were the collegiate level too, so they were a bit easier, I think. And so that was a huge help, just to get sort of your feet wet.
Mm-hm.
You’re making me kind of want to get back in the game and give it a shot. It’s been probably –
Yeah, I didn’t know you used to do this. That’s really cool.
Yeah, I had an information assurance sub-program at my university, and so I spent the last two years doing all InfoSec things. I actually did some penetration testing right out of college, and between the report writing and the fact that I felt like when you audit somebody - like, you do your best, but you can’t really say anything at the end of the day, except for “Well, we did our best”, you know. And it’s better than not having been audited, but I always was like “There’s a false sense of security that you have now.”
Yeah, there is.
Which I don’t feel really – I don’t feel great selling that as a service, a false sense of security. And so I realized – also, I wasn’t that great at it. Like, I don’t have as much of a breaker’s mind as I do a maker’s mind. I like to create more than I like to break. It’s kind of what I learned about myself. But also just that, I was like “I kind of want a different direction” from there. Managed some Linux networks for a while, and that’s when I found out about web development, and started doing all that kind of stuff. And that just mapped to my mind better than breaking in and breaking stuff. But it was fun. And I think the CTFs was the best part, because they were very much stereotypical drinking Mountain Dew, staying up all night… You know, doing all the things that happens in the movies, and without having to write a report afterwards, or stamp a thing that says you’re secure on it. They’re just fun.
They’re way more fun than actually doing it as work, for sure. And I relate to the point about feeling like a hacker, and stuff. Like, I always put on like the mood lighting in here, and then I’ll put on the [unintelligible 01:22:09.25] and all of that kind of thing, and I really go all in. And if it’s just a weekend – you know, I don’t have a family, so I can just literally lock in with the Mountain Dew and just do it. [laughs]
There you go.
And so it’s a lot of fun. And again, it’s very low stakes. You learn a lot, and you’re still tickling the part of your brain you want to, just – yeah there’s no responsibility I guess to it either, so… Yeah. And - I mean, they do design the CTFs to be really satisfying, too. There’s nothing more satisfying than running a bunch of checks on a company, and you’re like “Well, you guys are pretty good, but we can’t give you a guarantee.” It’s like what you said, it’s very anticlimactic. Whereas they design the CTFs to specifically be a game. And so you do get those moments where you just miss something, and then you find out the answer and you’re like “Ohhh!!”, you know. And then there are other times where you’re one of the only people that found something, and it feels really thrilling, and so…
I think the escape room analogy is a good one. Like the way it feels.
Yeah. Are you trying to find something? You may have said this and I glossed over, but like the goal is to find a secret, or get into a certain place… What is the artifact that you find? Is it a physical or a digital physical thing? Or is it just access? Or is it something you take back and you show “Hey, here’s proof. I’ve got this thing”?
Jerod, what were yours like? …before I go ahead.
[01:23:41.13] The main ones that we did were - there was a planted vulnerability, and it was teams. And you were attacking each other’s machines, and protecting your own. I’m not sure if that has a very specific name to it. That style of capture the flag. So then there would be a vulnerability on everybody’s network, and the vulnerabilities were all different. And so as a team, you’d have to fortify your network while attacking the other people’s networks, basically. And there would be some sort of a proof, like a flag - whatever you imagine a flag would be; like a string of characters - that you’d have to fetch off of their remote machine in order to prove that you penetrated it. And in the meantime, you’d have to be trying to find whatever vulnerabilities were on your machines, in order to remove those vulnerabilities before you got hacked. And I remember one time we did them nationally, and we got hacked and we got completely destroyed in like 18 minutes one time. We like had our Mountain Dews and were ready for a Friday night, and we lost within the first half an hour, because somebody was so much better than us. And it was like “Oh, very –” Talk about anticlimactic. It’s like “Oh, and we’re dead.” [laughter] So that was fun, but it could have been more fun if we were better at it. That’s the ones that I did. I’m sure there’s different ways they can set them up to do different things. Yours sounds like it was levels. Like, there’s levels of things that you have to do, that you progress through.
Yeah, I think I did a mix of them. So I did CCDC, which is the Collegiate Cyber Defense Competition. I did that with a team, and that was just the defense side of what you just said. So they do hire professional red teamers, and they’re a team from every single college that’s participating. And there’s eight of us, and you have to lock down – they give you an incredibly vulnerable network. The gist of the story is they’ve just sacked the entire IT team, and they’ve hired you on as the new IT team, and you have to basically audit the whole system, find out how it’s vulnerable, lock it down… So it’s the same as what you were saying, but we don’t have to attack anybody. But you spend the first day just auditing, trying to lock things down. They interrupt you with business requests constantly. So you’re emailing the CTO, he’s like “Oh, I want you to look into crypto as a product. Can you give me a report on crypto by the end of the day?”, or something. And so they’re constantly interrupting you and trying to simulate a real business environment where you’re just fighting for your life.
And then yeah, like you said, if they just find one vulnerability, which they will, all of a sudden you’ve got choo-choo trains on your console, and then certain other boxes are boot looping, and you’re just like “Oh, my God… It’s an actual fire right now.”
And so that was a very stressful one that I did, but the others were more about – they’re trying to give you experience with everything in cybersecurity, so there’ll be an encryption section where there’s puzzles. They’ll give you a bunch of encrypted text and they’re like “What does this say?” And it’s more about answering the questions, and completing as many of the challenges as possible. And they’re just smaller toy challenges. And they’ll also challenge you to actually get into a box, for example, and then yeah, find the flag and report what the flag was. So I’ve done a big mix of them.
And then there was the reverse-engineering one, which was NSA, and that’s totally different again. Yeah, it’s been a variety. I think I like the ones where I can just sit and tinker… But the cyber defense one - I really feel like I leveled up, especially in Linux. We spent months practicing, and running password reset drills, and things like that… And being able to audit – and we had this big notebook we were all throwing notes into for each other, and we were on a Zoom call for the entire weekend, talking to each other… It was very high stress, it took me a few days to recover. But I really feel that it forced me to level up, and I’m sure you felt similarly, Jerod.
For sure, for sure. And it definitely felt like my Linux administration skills were peaking at that moment, because you have to know all the commands, and you have to, usually – I mean, the heat is on, which is the way it is, I guess… I’ve never been on a network that’s under attack in the real world, but I’m sure it feels a lot like that, where it’s like if you have an actual threat actor who has access to your internal network - I mean, we’re moving as fast as we can, right? You’ve got to figure out what machines they have access to, how they got in… All these things. What are we going to turn off, or unplug… It has got to be a very stressful situation. And so when the heat’s on, you’ve got to know the commands.
[01:28:21.16] You can’t be sitting there, googling “How do I reset the password on this and that?” All those things kind of go out the window, and you’ve got to just move fast. So I definitely leveled up through those experiences, even when it only lasted 18 minutes. Those were good 18 minutes.
Yeah, but it’s so satisfying sometimes when you see – you’ll run a couple of commands, and you’ll run who, for example, and you see someone’s logged in, and then you find their process ID for their telnet session on SSH, and then you kill the process and you’re just like “They’re out!” And it’s like, then you’re sort of scrambling… It can be incredibly satisfying.
Right. And then you run it again, and they’re back, and you’re like “No, they’re back!!” [laughter]
Yeah, we ended up having – we ended up using Tmux, and just opening all of these different sessions… And we had who running, and top running, and netstat, and everything… And we had them sort of self-updating constantly, so that we could just keep track of it. And everyone was assigned two machines to look after, and that was way too much overhead as well. It was just so hard.
What are the things you would look for on top? Like a new process ID that just seems obscure, doesn’t belong…?
Yeah, something that’s burning up a lot of CPU, too. Some of the tools are really badly written, so they’ll rise to the top of that list, and you’ll actually see it burning a lot of stuff, so…
What we need is top-top. Top of the top.
Yeah, top of the top.
Top of the top.
Mm-hm.
I feel like we should team up and do one. [laughter] I need a team, you know? I don’t have a team anymore, Suz. Although you’re located three quarters of the way around the world from me, so it probably wouldn’t be the best, but…
It has been really difficult, yeah. I’ve stopped participating in the team ones now because of that, which sucks… The last team one I did, I actually was in San Diego for a work trip, and so I stayed an extra couple of days through the weekend, because there happened to be one going on, and that was really cool. Hacking from the hotel, it felt even more hacker movie…
Right. From a hotel room, yeah.
Do people travel to do these a lot? Is it meant to be in the same space, really? Is that where the fun really is at? Like, co-located?
Yeah, prior to COVID I think that was much more common. The cyber defense competition that I did, we all did it remotely for the regionals. But if you make it through the nationals, you actually go there in person, and you’re put in a room… And you can only bring print books. You can’t bring anything digital. And so you’ve got Linux freaking command line books, and you’ve got all of these printouts of cheat sheets you’re going to use, and stuff… And so they’re very strict and locked down. And I think those can be really fun, too. But I mean, a lot of people go to DEF CON, because there are a lot of CTF competitions there, too. I went to B-Sides in Canberra last year, which is our capital state… So there were lots of feds there as well, but they were holding a CTF, and you could just go into the room and just play the CTF from there, and pop in and do a little bit of it if you wanted to. So I think it’s like eSports. There are a lot of in-person stuff. I would see it as an eSport almost.
They’re probably doing them live on Twitch. You can probably Twitch stream this…
Yeah, a lot of people are probably doing Hack the Box, and TryHackMe, which are both like online VM platforms that give you puzzle boxes to solve. There’s a lot of people on Twitch doing those. Even if they’re not talking, they’re just streaming themselves doing it.
Is there a big career in this? Obviously, I mean, as software eats the world and systems morph, and you’ve got more and more things being obviously modernized, is this a lucrative - or not even lucrative, since you’re not chasing fame or money… But is there a major upside? Like, if there’s people listening to this thing and “Geez, I haven’t thought about this.” Or “I’ve got a fancy for it, but I never considered that I’m like super-bored in this current position, and maybe I can pivot.”
[01:32:09.26] I think there’s a lot of job security in it, depending on the role you’re in… Because it’s going to be whack-a-mole forever. There’s always going to be hackers, and it’s impossible to release code without vulnerabilities. There’s always going to be those kinds of things.. And so it is really good job security, in a depressing way… And there is a lot of money in it if you specialize. There’s a lot of really great career opportunities, that again, sometimes it can feel like you’re actually doing something important as well. I think that the feeling of – again, it depends on the role you’re in, but feeling like you are preventing citizen data from being breached… Like, if you work on the defense side, even the pentesting side, you’re helping companies lock down their systems better. I think there’s a lot of reward in it, even if it can be a bit of a depressing industry to be in, because you see a lot of stuff you can’t unsee, and it does make you feel more worried about just how vulnerable a lot of systems are. It can be incredibly rewarding, I think, because I think some of the jobs are a bit more tangible. You’re not just shipping things to make more sales, right? Which I’ve done in previous jobs. I’ve worked for a shoe retailer, and it’s like “Yay, we’ve made more money this quarter. Woo!” That’s not very fulfilling for some people, including myself… Whereas if you’re like “I helped develop this tool that kept out the hackers”, or “I pentested this company and now they’re going to be in a much better security position…” Like, that just feels a bit more tangible and a bit more rewarding that you’re actually helping add some good in the world.
Yeah, I think it depends on where you land, because I’ve definitely heard horror stories as well, and I’ve heard a lot of infosec industry people kind of liken it to game dev, which is – of all the software development careers, game dev looks like the best, but is actually the worst… [laughs] Because everybody wants to be one, and they’re like the sweatshop of developers…
Yeah, it’s so crunchy. It definitely depends on where you’re at.
Yeah.
And a pretty depressing example of that too is if you’re in forensics, there are a lot of really nasty stuff that you can have to sift through in forensics. It’s the same as content moderation. You’re seeing similar things. And so I’m really interested in forensics, but I don’t think that I – again, if I can’t watch Mr. Robot, if I can’t watch scary movies, there’s no way that I can work in forensics without feeling psychological damage from that, and it affecting my mental health. So cybersecurity has a lot of mental health problems, just because of the nature of how things have really messed up… And I think that it’s a tech community too, so it has its own sort of toxic parts, which we’re all familiar with in coding communities as well. Yeah, I think that tech has a lot of immaturities that still haven’t resolved as well as they could, and I see very similar patterns in cybersecurity, to be honest.
So it does come with a warning, but I think given that cybersecurity is such a broad field, there are a lot of things you can do that can either keep you out of trouble, or can find your niche without really being exposed to some of the darker parts of cybersecurity. But I think that’s a really good point that you bring up. It’s not all sunshine and rainbows, that’s for sure, and you can ruin your hobby if you’re not careful. I think that if I did pentesting as a hobby, it would be way more fun than doing it professionally. Such as like bug bounty, right? Like, you can make quite a bit of money from bug bounty; if you find a particularly bad vulnerability, you can have a $10,000 payout. And so I know a lot of people chase that as a bit of a game or a side hustle, and that can be really satisfying.
Well, what’s next for you, Suz? Is that something that’s predetermined, or you’re still trying to figure it out?
Still trying to figure it out.
Can you talk about it, or no?
I can’t talk about it because I don’t know, and I’m trying not to put too much pressure on it.
Sure.
I think I have a lot of options.
That’s great.
[01:36:02.00] And I don’t want to rush into something. So just for full context, and if anyone’s watched my recent interview with Quincy they’ll know, but… I quit my job in March, and then I focused on finishing my master’s thesis. I did a master’s in education technology. So very different from cybersecurity and my coding background. Teaching is something I did earlier in my career, I really enjoyed it, and I’m starting to think that it’s possible I might want to go back… But also, I just thought that that was a really interesting topic for me to study, just for my own satisfaction as well.
So there’s not a lot of pressure on whether or not I want to go back to teaching at community college. I’d teach technical topics, obviously… Maybe I can do some online courses, or something like that… But I have a lot of options. I have a 20-year career to look back on, and I can get a coding job, I can go into another cybersecurity role, I can do teaching part-time maybe and freelance for the rest of it… I’m sort of considering my options right now, but I’ve very deliberately planned my position to have some time off, because I am pretty burnt out right now, so I’m trying to focus more on the things that bring me joy. And then I think it’ll eventually lead to something that will be really enjoyable and fruitful for me.
So yeah… And then just doing my own silly projects again. I think that four years of college, both a bachelor’s and a master’s, really took a lot of time away from me being able to be over in this corner. Like, I’m always at this corner, the computer corner, and I’m not in the cool lab corner… And so I want to get back to that corner of the room. And then on top of that, I’m getting my pilot’s license, so that’s requiring a lot of study and time commitment from me as well. So I’m sort of trying to focus on what I currently have going on, and then I’ll sort of figure it out from there.
A lot of facets to you.
Seriously.
No wonder why people are so interested in you.
Just throwing the pilot’s license in there…
Yeah, so many facets.
Yeah, I don’t talk about it a lot, because it tends to get a lot of – I think that’s what I was alluding to earlier, when I said I have other hobbies, and then people sort of latch onto it, and they’re like “That’s really awesome!” And I’m like “No, but can we just talk about the planes? And can we talk about the laws and regulations? I find that really interesting.” But then they just want to be like “Oh, so you’re going to be a pilot!” And I’m like “It’s not about me. I just want to talk about aviation.”
[laughs]
So it’s the same thing… But yeah, no, I just love learning, and I love machines, and I think that aircraft are a particularly interesting human-machine interface, actually. I drive a manual car… I just love machines. And it’s not just computers.
Knobs? You must love knobs and switches.
Yeah, that kind of stuff. So I’m learning in a Cessna, an old school plane, because it has all of the knobs and the vacuum instruments, and it’s a bit sort of flying on hard mode compared to some of the more modern glass cockpits… But I just love anything that’s a human-machine interface. And so to me, the pilot made sense, but everyone’s like “Why are you doing that?” And I’m like, well, it actually makes sense if you track all the way back to what my interests actually are. But it can seem a bit eccentric to people sometimes, I think.
More dangerous than eccentric in my mind… I think about flying planes and I’m like “Well, what about when you’re not good at it? Isn’t that when you crash?” [laughter]
Yeah, I’m not very good at it. I’m not very good at it at all. I’ve only got like 35 hours, I think now. But I have gone on my first solo, and I didn’t crash the plane, so I can’t be super-terrible…
Right. You must be alright.
But here’s the thing. Planes are a lot more tightly regulated as far as safety goes, as far as the maintenance required, and they’re very strict on “After an x amount of hours, you need to completely overhaul the engine.” And it’s actually safer technically than being on the highway. But I know with ultralight aircraft and light aircraft, the danger level goes up a bit compared to a commercial airliner.
Yeah, the smaller the plane, the more scared I am.
Yeah, I’m in a four seater, the one that I learn in; it’s a Cessna 172, which is a classic student pilot plane to learn, but it’s also a very common one that you can rent once you’ve got your license… So it’s sort of – it’s a good fit. But yeah, there’s a lot of things that can go wrong. I’ve been in traffic incidents when I’ve been solo, where there’s been a plane that confused the runway, and they’re heading straight for me, and I’ve got to like fix it and stuff… So I’ve seen how dangerous it can be already, but I think it’s better than – it’s much safer than a motorcycle. So I’ll just stick with it, I guess.
[01:40:25.29] Oh, yeah.
100%, yeah.
Motorcycles are scary.
Yeah, for sure.
Never been a motorcycle guy, personally. I just was thinking lik – I see so many people here in Texas not wearing helmets, because it’s legal to not wear a helmet. And I’m like “You do not like your life, at all. I mean, you have no concerns or cares, because there is no way you crash and come back from that.”
No. When I was a kid in elementary school, we got asked “Oh, what car do you want to drive?” or something. I forget why they even asked us this. And I was like “I want to ride a motorcycle. That’s what I’m going to do.” And then I got older and I realized I don’t trust myself and I don’t trust anyone else on the road. So it is interesting that I picked up aviation, because I think it does feel like it’s a lot more dangerous, because you’re adding like another dimension, right? Cars are 2D, and planes are 3D, and they’re much more susceptible to weather as well, and so there’s a lot more variables to them. And so motorcycling seems, and I think is a lot more simpler as well, just to pick up and actually learn. But it’s interesting that the danger levels are actually very different from each other.
Well, the skies are more wide open. There’s less idiots out there in the skies. You still have issues, I guess, with who’s landing when and where, but that’s the problem with motor vehicles, is like everybody else making bad decisions. You can’t control them, right?
Yeah, pretty much. And I think as a student pilot, I’ve been taking my time, because I feel that the more dual hours I get in the plane with an instructor, the better, because I can be exposed to a wider variety of scenarios, but have the safety of having someone who can take over immediately if they need to… And that’s been really beneficial. And even just facing an incident on my second solo and my third solo, in a controlled airspace, where air traffic control knows I’m on my solo, so they can give me additional instructions and things like that… I think it is really important to expose yourself to as many of that as possible, because I don’t – I’m getting my license in a few months, I’m quite close, but right now I feel that I want more time to face those uncertainties, to really get a feel for how I would handle them under pressure.
Sounds cool. Well, how do we land this plane, Suz? I think we just say goodbye… I love catching up with you, up to cool stuff… I’m looking forward to your pseudonymous/anonymous open source contributions upcoming… I won’t know. I won’t know it’s you. But I just – I like the idea that you’re out there doing your thing, even if nobody knows.
You’ll find her signature in something, I’m sure. She’s got a pattern you can match to.
Right. And we’ll have to [unintelligible 01:43:12.02]
Yeah, Suz, it was good catching up with you. It’s good to see that you’re well, and good to see just generally the way you approach life, the way you approach decision-making, even from things you’re fearful of, or concerned about, or things that give you more comfort and safety… It’s interesting to see that part of your life.
Yeah, I appreciate talking to you guys. I miss you guys a lot, actually. I was saying in the email, I was just thinking about you guys, and then you emailed, and I was quite thrilled… I always feel like our conversations always go this way. They’re always very fruitful, very thoughtful. And yeah, I’m just glad that you sort of understand the journey that I’m on right now, because I think it’s a very privileged one, but it’s also maybe not as typical, and I’m really enjoying just quietly living my life, I think. So it feels like you guys get that, so…
Yeah.
We get it.
We do get it.
And we appreciate you opening up and sharing with us.
Absolutely. Alright, I guess now we’ll just say goodbye. And thanks for hanging out.
Bye, friends.
Bye, friends.
Our transcripts are open source on GitHub. Improvements are welcome. 💚