So I was in a really good high school https://en.wikipedia.org/wiki/Poolesville_High_School and so there would be some ridiculously smart people who would work on things and because the program was so close-knit, information would disseminate between the grades and so the younger group of kids would only get that much better. I got involved in cyber security because the older kids competed in a competition that was for hacking and they did very well. So I strove to be like them and compete in competitions. Note that around this time CTFs were gaining traction, but hadn’t quite got to the high schoolers yet. So the competition that I got brought up on was Brooklyn Polytechnic (now https://en.wikipedia.org/wiki/New_York_University_Tandon_School_of_Engineering) CSAW HSF (High School Forensics). It was a month-long competition for high schoolers where the first round you had to spend a month looking at NCIS-like cyber forensics data online (go to fake website clones of Facebook to look at someone’s profile, they link to an image they took, image has EXIF data in it that has the next bit of evidence). So this competition was so cool that me and my friends were finalists for the competition. It was so cool, not only did you get an all-expenses-paid trip to New York City to compete in finals, you got to also interact with all the other ridiculously smart finalists. They were from all over the country and they were all so cool that we ended up connecting our online social networks with them. A number of my friends today were finalists from that competition, including my roommate. They don’t run this competition anymore because of politics, but I am trying to keep it alive with https://github.com/CTFg/CTFg.
This jump-started my social network so my friends and I were now networked with the best cyber security people in the US going into college. The college I went to had a cyber security lab (OSIRIS LAB, you have to play a CTF to get admission into the lab, it is pretty cool). It was a place to hang out between classes and work on cyber security stuff (like CTFs, hacking hardware, talking about semantics of programming) like some serious nerds here lol. There were leadership opportunities which meant that I could learn how to be better at organizing people to work on tasks together (which was something I enjoyed). One of those leadership opportunities was running the very same competition that I got into college with, HSF. I was able to take all of the things I learned while playing the competition, and implement them in a competition that every kid in America would get a chance to play with, how cool was that? The mentors that I had helping me put this together were top notch, some of the best role models to follow in the footsteps of (they are all amazing people who live great lives).
I leveraged this lab’s network to get me my internships. I worked at BAE Systems for two years doing static code analysis to look for 0day vulnerabilities in a product they were using. I then got to intern at Uber which completely changed my life, once again.
Working at Uber let me see what choosing the “right” things really, really fast looked like. They were operating at such massive scale when I joined. The project I got hired onto only had a manager. Literally an intern and a manager. And together we built out the entire mobile security team. Our code is still run on every phone that has Uber downloaded and it is responsible for saving Uber the 20% of revenue that they lost to fraud. Millions and millions of dollars.
Understanding my impact on the world let me feel confident enough to join @Free Wortley (a coworker of mine from Uber) to work on Refinery. He derisked my decision to jump ship from a well-paying job (without a college degree since I dropped out), to get paid way less, but on an opportunity that could change my life. We didn’t use our security skills for the first product we were working on, so we changed to developing LunaDefend. This project was a work of love. It took the biggest problems that we saw at the other Silicon Valley companies in regards to security and solved them with this security framework. Unfortunately selling a dev tool is only something that you can do when you have hit a home run of a product idea, and we just didn’t quite get there. …and then came the big one.
As I was walking out the door to go work for the day at Free’s, @alex told me about a Chinese blog that was talking about a vulnerability in a widely used Java library. I thought that was interesting, and drove off. Later that day Free and I were talking about what we could write about that might help us solve our SEO problem. What really cool blog post could we write about that would wow HN? I told Free about what Alex had told me and we thought about it for a while. How many projects use Log4j? How hard is it to exploit this vulnerability? What could you do if you exploited this? … wait, Minecraft kids are using this to crash servers with a chat box message? Could this really be as bad as we think it is? Are we living through the worst vulnerability that has ever happened to the internet?
Turns out, yes, we absolutely were experiencing this thing for real. While this wasn’t actually a zero day (there was a version out with a fix) the communication of the vulnerability was lagging so hard that the Chinese blog poster actually was looking at the GitHub commit made to patch the vulnerability and writing about it on his own personal blog. This is what Alex translated and read to me that morning. We pored over every single ounce of information that we could get our hands on. Pulling up the Log4j code. Making a POC of the exploit. Our blog post had links to tweets that others had made.
Our blog post gets popular on HN, but it isn’t the first result on the page. At the top was another blog post that someone had submitted. Looking at it, it wasn’t really that clear as to what you were supposed to do to fix the issue. Our blog post had everything someone responding to it would have dreamt of. It was clear, concise and most importantly accurate. This quality of work earned us the opportunity of an HN mod replacing the top link of HN with ours.
Most importantly, we kept the blog up to date as more information became available to us through our vast social network that we now became in tune with. Asking the right questions and making the advice from the community as clear and actionable as possible.