BarCode
Barcode is a cocktail powered podcast that dives into the technology, personalities, criminals, and heroes that have come to define modern security across the globe.
Hosted by Chris Glanden.
BarCode
Wirefall
Wirefall is an Air Force veteran and cybersecurity expert. Wirefall shares his journey into hacking, from his early days of electronics tinkering to his career in security consulting. He also discusses the founding of the Dallas Hackers Association and the importance of community in the cybersecurity field. Wirefall explores the evolving cyber threat landscape and the potential impact of AI on hacking. Plus, he reveals how his newfound passion for improv has helped him overcome fear and become a better communicator.
TIMESTAMPS:
0:03:37 - Wirefall’s early exposure to technology and computers
0:06:06 - How Wirefall started hacking and manipulating computer systems
0:10:50 - Wirefall’s curiosity about the World Wide Web and exploration of the internet
0:12:40 - Transitioning from a network technician to a security consultant during the dot-com boom
0:14:23 - The need for security on the enterprise level and the awareness of professionals
0:19:31 - The desire for a different format of talks at local cybersecurity groups
0:23:11 - The meetup is held at encore family karaoke
0:28:26 - The threat landscape has remained similar over the years
0:30:22 - Wirefall’s transformation and interest in AI and machine learning
0:35:19 - Wirefall’s experience with improv and its parallels to hacking
0:41:33 - Improv helps with pivoting and redirecting
0:47:46 - Finding Wirefall on social media
SYMLINKS
Twitter: @DHAhole
LinkedIn Profile: https://www.linkedin.com/in/wirefall/
Telesploit: https://www.telesploit.com/
DHA (Dallas Hackers Association): https://www.meetup.com/dallas-hackers-association/
DC214:https://www.meetup.com/dc214dfw/
DRINK INSTRUCTION
Lone Ranger
1 1/2 oz Blanco Tequila
3/4 oz Freah Lemon Juice
1/2 oz Simple Syrup
2 oz Sparkling Wine
Lemon Twist
Fill a shaker with ice. Add in tequila. lemon juice and simple syrup. Shake well and then strain into an ice filled glass. Top with sparkling wine. Optionally garnish with a lime twist.
CONNECT WITH US
www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com
This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.
Chris: Wirefall is an Air Force veteran who has spent the past 25 years in security consulting. He’s the founder of the Dallas Hackers Association, a former board member for the b sides DFW security conference, and a longtime advocate for diversity and inclusion within the infosec community. Throughout his career, Wirefall has established himself as an expert in attack and pen testing. He is a contributor to several notable publications, including Kevin Mitnick’s the Art of Intrusion and the Tribe of Hackers, red team and security leaders books. Wirefall is also the primary developer and chief consultant at Telesploit, where he enables specialized security assessments for clients globally.
Chris: Wirefall, welcome to Barcode.
Wirefall: Thank you, Chris. Thanks for having me.
Chris: Absolutely, man. And first off, I want to thank you for being included and being a part of the Lone Star Cyber circus event that we did last month in Grapevine, Texas. It was an honor meeting you there and just truly appreciate you joining us then and sharing your insights.
Wirefall: I appreciate you bringing the mayhem to the North Texas area. That was a lot of fun. Yeah, Phil, Juno, Neural, and then of course Hutch and Quentin. It was a great show.
Chris: And for those that haven’t heard that yet, it is posted and I’ll post another link. I was glad to be part of it as an outsider, so thank you for welcoming me to the community.
Chris: So let’s start here with your story. I’d love to hear how you broke into hacking initially. So if you don’t mind, just sort of walk me through how your journey evolved.
Wirefall: It’s funny, every time I’ve been on a podcast or talked with people about when it’s framed as tell me your story. All I can think of is Steve Martin and the jerk. My story. You want to know my story, right? No. I’ve always been around technology. Given that I’m in my mid-fifties, the definition of technology was much different than it is now. But still, my parents encouraged education, putting me in a Montessori school. Kids are naturally hackers. Schools beat that out of them. Regular schooling beats that out of them. They go, no, study this, take this test. This is what’s important. A kid wants to learn, so the Montessori system really encouraged that. I’m very thankful for them to have put me in that system. And then also they would bring home things like, my favorite toy ever was 150 in one electronics kit. It had resistors and transistors and even had an IC chip, which back then was new technology. And you took wires and followed the schematics in the little books and learned what all these components did, and then could create your own things. I lived in the radio shacks when radio shacks were actually electronic stores and was then introduced fairly early on to computers. So my parents were divorced, and my mom and stepdad were the ones that got me into the Montessori and the electronics. And then I moved to my dad and stepmothers, and my stepmother was getting into computers at the time. She was a systems analyst back in the day, where there was the punch card feeding system, and really, that was our notepads for leaving notes to each other. But it was really difficult to write on the holes.
Chris: And you said your mother was a systems analyst.
Wirefall: Yes, she was a systems analyst and would have to sometimes go in at night, late at night, to reset printer cues or something, and she would always grab me and bring me along so that it was not alone at night. She didn’t care for that. So she’d grab me and bring me along, little teenager and maybe even a tweener then, and sit me down in a terminal while she did her work. And I would play text based adventure games, colossal caverns, that type of thing. So that was a lot of fun. And then she brought home a computer. It didn’t have a hard drive, it had dual disks and would boot up. And it had an audio coupler, 300 baud or 150 or 300. I can’t remember baud modem so that she could dial in from work now. And not have to go in, which now I no longer had tech space adventure games, so it was good for her. Kind of sucked for me. Gen X latchkey kid.
Chris: What was your first computer at home?
Wirefall: I have no idea what that was. I really don’t remember. It was IBM compatible, but I figured out how to dial in to her work and play those text based games. So that was, I guess you could say, really, the initial phase of the computer type thing is learning how to get into systems without knowing anything.
Chris: And it was because you didn’t have access to that game at home, right, like the primary driver.
Wirefall: Yes, absolutely. And then that was the time frame when I got into dungeons and dragons, and Dragon magazine started posting in the magazines, basically basic scripts that you could run to do things that were dungeons and Dragons related, like create random characters or a random monster list or all of that. So there was no disk included, it was like 50 pages of code that you had to type in yourself, and of course you’re going to fat finger something and it’s not going to work. So that was really learning how to troubleshoot and develop encoding. And my first quote hack was realizing that basic random RnD was not at all random. It was completely based on whatever seed you provided it. So if you give it a seed and you give it that same seed the next time, the same series of numbers would appear.
Chris: And you figured that out on your own?
Wirefall: Yeah, I wasn’t in any computer courses or anything at the time. This is probably 1982 around there. I wrote a little basic script that would run that as many times as I wanted it to, and then it would output all the numbers with which seed it was and what the numbers results were. And now I could go, hey, I’m going to create a random character, and if I wanted it to be a bad random character for them, I could provide a bad seed. If I wanted it for my character. I could put a good seed.
Chris: Although you at that time understood that you could manipulate the system absolutely to your advantage.
Wirefall: And then I got out of it, because I saw my stepmother just working herself to death, always in front of a terminal, and I’m like, that’s not how I want to live my life. I don’t want a terminal in front of me at all times. I want to go out and do things. Of course I didn’t see the mobile revolution where we always have things in front of our face now at all times. That’s just normal. Our phones everybody has at all times. So I mean I never saw that coming. But I went in the military, used my technical training, the electronics. I became a radio repair basically so fixed ground air radios and got the GI bill. So then I came back out, started going to school, and got a job at a sheriff’s office that I was the radio tech, but they also had this new thing, this token ring network. So I went to school and I got an associate in computer network operations and got that job and that was the start of the professional career.
Chris: And it was because you didn’t have access to that game at home, right, like the primary driver. Yes, absolutely. And then that was the time frame I got into dungeons and dragons, and Dragon magazine started posting in the magazines, basically basic scripts that you could run to do things that were dungeons and Dragons related, like create random characters or a random monster list or all of that. So there was no disk included, it was like 50 pages of code that you had to type in yourself, and of course you’re going to fat finger something and it’s not going to work. So that was really learning how to troubleshoot and develop encoding.
Chris: Although you at that time understood that you could manipulate the system absolutely to your advantage.
Wirefall: And then I got out of it, because I saw my stepmother just working herself to death, always in front of a terminal, and I’m like, that’s not how I want to live my life. I don’t want a terminal in front of me at all times. I want to go out and do things. Of course I didn’t see the mobile revolution where we always have things in front of our face now at all times. That’s just normal. Our phones everybody has at all times. So I mean I never saw that coming. But I went in the military, used my technical training, the electronics. I became a radio repair basically so fixed ground air radios and got the GI bill.
Wirefall: Wirefall: I’d spent four years in Europe and everybody’s talking about the World Wide Web. This is 94, this is going to change everything, right? And so I knew nothing about it. I’d been completely offline and I get a local dial up account to a Freenet and do that same curiosity thing. Well what is this? And poke around and start. I swear, anyone who was connected to that free net at that point in time using Windows, which was the vast majority of everyone, then Linux was what, two years old, you could access their hard drive. It was like, no, this is not going to explode, if this is. Anyway, I was just aghast and I’m like, well how do I stop people from accessing my hard drive?
Chris: And what exactly do you mean when you say free net?
Wirefall: It was a dial up ISP and there was a lot of, they called them Freenet’s back in the day where you could get a free shell account and use it to access the Internet. I paid a couple of dollars a month to upgrade from slip to PPP, different protocols to make you go faster with your 14 four modem. I’m poking around, I’m like, this isn’t good. And so start looking for resources, how I can better secure myself. And there wasn’t a lot back then. There’s frac magazine and that type of, there were some zines, there were actually no professional magazines that I’m aware of. So it was learning by exploring with the web, which was great, it taught me that. And then the .com boom did happen, it exploded and all of a sudden real professionals are realizing, yeah, this security thing needs to be addressed. And just because I’ve been doing it probably just less than a year. That was a year more than anyone else. And so the jobs just kept coming in the .com boom. It was just hopping jobs. I immediately went from a network technician to a security consultant for a major bank and then interviewed for a position down here in Texas. I was in the northwest position down in Texas, where they sold me to the customer as the foremost expert in computer security. Don't want. I just don’t want people to access my hard drive.
Chris: In your mind, that’s what you were concerned with?
Wirefall: Yeah, which means he had to learn how to attack it. How are these people attacking it to secure it?
Chris: But there is probably some truth to that. Not many people may have had that knowledge at the time, that is.
Wirefall: And honestly, when folks come up to me and ask how to get into the industry now, I’m at a loss. I definitely encourage them. Usually it’s at one of the networking events that we’ll talk about. I’m saying you’re doing the number one thing that you need to do is get out network. But as far as from a technology perspective, like I said, there were zines back then. That was it. Now you can get a PhD in cybersecurity. I don’t know how you would do it. The best advice I can give is my own advice, how I experienced it, which means you need to get a degree in advanced theoretical physics or something and invent a time machine. Go back to the .com boom and say, I know security. That’s all you had to do then is say you knew it. But it’s very different now. Yeah.
Chris: So that sort of thrusted you into your career. And you said you were at a bank first.
Wirefall: Yeah, my first security centric position was at a bank. They were just getting into online banking. And so they had me do an assessment of the environment, and I came back with, I mean, just reams and reams, because they were getting ready for an audit. So I’m like, here’s all the things we need to do that need to be done. They’re like, okay, well, at least now we know about them, so that when we have the audit, we can go, yes, we’re aware of that. We’re working on it. They hadn’t done anything yet when the audit came in, it was by one of the major consulting companies, the big four, big three now, or whatever. Big two, probably. By the time this airs. They came back with the administrator account had not been renamed, that was the only finding they had.
Chris: Interesting. So it’s like, wow, these are professionals.
Wirefall: And they don’t know what they’re doing. In my mind, I definitely was doing more than, I think, than most people at the same time. Yeah, I guess they didn’t care about their hard drives.
Chris: Right. But then, I mean, it also helped you realize the need on the enterprise level.
Chris: All right, so let’s fast forward to Dallas Hackers association. I’d love to hear more about how that came about and what has been your approach to successfully building and sustaining a successful ethical hacking community there.
Wirefall: Sure. Yeah. I would say the genesis was, I came down here. I’d never really been part of a community before moving down to Dallas, and at that time, I had already turned 30. So I knew nobody here, nobody in the area. We just moved down here blindly for a job. And I started looking around, and there was this group called the Dallas Fort Worth Wireless users group, run by Tony Laurel. And this is the time of where everybody’s doing Wi Fi. The first Wi Fi networks for homes. And Nets Tumblr was a thing, and my background was wireless, radio, wireless, that type of stuff. So I went just to see what it was. And, oh, my goodness, it was so refreshing to be around like minded people. Inquisitive, kind of, maybe a little bit on the edge, but my people, it was like, here’s my people. I didn’t know that you existed. And, yeah, so that was wonderful. I learned a lot from Tony Loro as far as it was a smaller group, especially back then. But he definitely, I learned a lot on how to develop a community from him. So really about that. You may be the steward, but it’s the community that needs to drive where you go.
Chris: Did you grow it just by promoting it online or getting in front of people at other conferences? I guess. How did you sort of assemble the members that ended up joining?
Wirefall: Sure. Yeah. So I did a lot of work for the state, and I was down in Austin quite a bit. And that’s the mothership of all the AHAs. Austin Hackers Anonymous. And I attended there several times, and they’ll admit it. They’re very elitist. They don’t want you to come unless you can contribute, and it’s not, I wrote my first perl script. It is, Here’s how I zero dayed something, for the most part. That exclusivity I wasn’t a fan of. I still, after all of these years, when I go down to Aha, I feel intimidated. So I can only imagine noobs walking in. But what I loved was they had this real mantra, participate or don’t come now. I think by coming you are participating. So I view participation as a slightly different way. But it was encouraging people to contribute. And the talks were not 1 hour, one and a half hour monolithic. Here’s the subject for tonight. They’re fire talks, so 10 minutes, get up, say your spiel and get off. So you get exposure to a lot of different ideas, a lot of different viewpoints. I really enjoyed that format, which didn’t exist up here in Dallas. So when I came back and was working back up here, I supported the local groups and that’s my number one thing is always support your existing local groups. So DC 2014, our Defcon group at the time, it was called Nasig, North American Information Security Group that went away and became North Texas cybersecurity group. But they were all that monolithic talking head. And if it was on a subject that I found interesting, if it was on web application penetration testing or something, that I then great. But if it was on PCI compliance or something like that, I was going to have a really bad night. So I wanted to see this format here and nobody else was doing it. Got it. So I did it. I would much rather somebody else did it because then I could just sit back and make snide comments, not have to carry it. I have a '99 Yukon and the entire back is filled with my gear. I have to bring that out every month.
Chris: I’ve seen that Yukon.
Wirefall: Yeah, that whole back is filled with my gear when I go to DHA.
Chris: Just talk to me a little bit about initially starting that up and then just scaling it out.
Wirefall: Honestly, I think first just do it. There’s going to be likeminded people. Out there, even if it’s just a few of you. At one time, we were just a dozen people at first with DHA. And that’s enough. That’s enough. But what grew it, I honestly think, is the place we were initially at. On Wednesdays, they had a special of half price wings. I bought wings and beer and put them on the tables and people came. That definitely helps. But yeah, now we’re 100 plus most months.
Chris: That’s amazing. I also wanted to ask you, how can folks today that are interested in joining, what does that process look like? You come out okay, no registration needed?
Wirefall: No, we’re on Meetup. And that’s basically how I think it grew faster than the other groups in the area. They were slow to get online and advertising. They would have mailing lists or those types of things. A website which you’d have to just find. We put ourselves on Meetup, and a lot of people found us through Meetup. And then Twitter took off and, yeah. We were on there, but it’s basically a mini con every month now. We don’t currently have a CTF. We had a CTF for years. We’re in transition on that. But where you could just come and learn hacking, we have lock picking every month. Lock sport. We have a career room with a book swap where people bring books that they’re done with and others can grab them. So if you’re just getting into the field, you don’t have a lot of extra cash. Grab a book or two, talk to other people. We’ve had hardware hacking and coding sessions. If it’s overwhelming, which it can be for some folks, we have a chill out room where there’s just board games and stuff like that. That’s so cool.
Wirefall: You just show up on meet. If you need to find us on Meetup, we’re on Meetup and on Twitter. You don’t have to RSVP. You don’t have to sign up through Meetup. You just show up. I’d say whatever the meetup numbers say for the attendance, it’s going to be two or three times that because most people don’t go through Meetup.
Chris: Do you cap your attendance?
Wirefall: No. We have had one time where the fire marshal walked in and just kind of shook his head and walked out.
Chris: And where is this held?
Wirefall: It is at encore family karaoke, a Korean karaoke bar.
Chris: Nice.
Wirefall: They open just for us on that day. We have the main stage, which is where all the fire talks go. So you actually get up on stage in front of a screen and do your presentation. And then we have, I mentioned all the other things, we have the lock, sport and career room. Those are all the side rooms of the karaoke bar. So it’s really like we have a mini con.
Chris: Yeah, it sounds like a mini con. That’s awesome. Is it once a month or do you have it more frequently?
Wirefall: No, it’s once a month. First Wednesday of every month. And then the venue is so fantastic that DC 2114, our Defcon group, now is the second, it’s always the second Wednesday. It now meets at the same place.
Chris: Oh, nice. Man, these venues better be, like, security experts by now. Like, just overhearing, you guys.
Wirefall: Yeah, we’ve definitely become family at family karaoke. And I just noticed last night that not last night, this past Wednesday, when one of the bartenders was wearing DC 2014 hoodie it said disobey on the back.
Chris: You’re making an impact. So, as someone who leads a community with many people learning from your contributions to the industry, I’m curious to know who were some of your own key mentors or resources that you utilized that provided you guidance throughout your career.
Wirefall: Like I said, when I moved here in 99, I was in my 30s. Already, and I had no community. So definitely reading the zines and looked up to folks like loft heavy industries with Mudge and CDC, all the things they were doing. That was interesting. But I didn’t interact with anybody. I wasn’t on the message boards or doing any of that kind of stuff. The first mentor from that perspective was Tony Loro. Probably other than some managers in my profession, was Tony Laureau, because I learned the importance of community and the power of community. But for my whole life, I would have to say my wife and I have been together since 95, and that is about the time I got into this and the reason I am where I am is because of her. She had so much more confidence in me than I ever had. I was just this little introvert that never thought I was like, wow, I got a job. This is awesome. And I’m basically working at a sheriff’s office fixing radios and playing with their new network for, I think at the time, it was $12 an hour, and I thought I had it made right. And she just kept pushing and kept pushing, and then there was an opportunity that came up for us to move. It was like, two and a half hours away to Vancouver, Washington, and she’s like, let’s do it. I would never have even applied to the position if it wasn’t for her, just because I didn’t feel that nobody actually met the qualifications pretty much back then. So I read them and believed them and go, no, I can’t do this. I can’t do this. I can’t do this. And she’s just, no apply. Do it. Wow. And every single thing she’s been behind me on.
Chris: So she was really a north star for you.
Wirefall: Absolutely, yeah. I would have still been probably working in the county at some point. And I’m not saying I wouldn’t be happy, but definitely wouldn’t have become what I’ve become.
Chris: So I’m going to switch lanes for a moment. Over your many years of security consulting, along with your current role as chief consultant with Telesploit, what are some of the biggest changes that you’ve seen in the cyber threat landscape? And as we discussed at the Lone Star cyber circus event, how do you feel as though AI is reshaping it?
Wirefall: Starting with the differences between the threat landscapes back then and now, I would say same shit, different day. Honestly, most of the time is we fix the issues, but not the root causes in most cases. So, yes, you can no longer do the ping of death because they fix that, but they don’t fix the root cause of not knowing how to build securely. I think that’s one of the big differences between builders and breakers. The builder breaker mentality, I think we’re getting better and better at it because of the devsecops, where you’re building that into the pipeline. But still, every time we come up with a new technology, we do the same, we implement the same weaknesses that we didn’t learn from previously. Coming from a telecom background with they learned that all the early freakers, if you don’t put management in band, then we create data networks and us, we put management in band, and then we create wireless networks, and we do the same types of mistakes. We put the same mistakes that we had in each previous technology into the next one. So whatever the next technology is, there’s going to be very similar, or at least very similar root cause type problems. I believe now AI, this is where I’ve gone through my, I think my biggest transformation. I was a curmudgeon up until recently. I would joke always that if it was machine learning, it was written in rpython, and if it was AI, it was written in PowerPoint, because it was a buzzword and it was not AI. We’re seeing AI. Degenerative AI is, I’ve been lucky enough to watch Hutch at your podcast with Quentin. I also had the privilege of being with Hutch and Quentin on two panels at North Texas Issa conference this past year. And it’s like, well, you know, these are smart dudes. Maybe there’s something to this. And I took my first course, prompt engineering for developers, and blew my socks off interacting with Chat GPT through API and what you can do. And, yeah, I’m now getting all these excitements for the first time in quite a while of how can now use this to make my job easier. But also, how are the attackers going to leverage it to make everyone’s job harder? Basically, I am a defender that uses attacker methodologies. How are they going to use it? Because that’s how I need to learn how to use it. Yeah, exactly.
Chris: It’s so difficult to predict what’s next. But from the attacker standpoint, what AI capabilities have you seen today could be used to help aid in their attack methodology?
Wirefall: Yeah, I think there’s definitely a new attack vector against those using generative AI systems where they’ve shown that they can make a chat bot give, sell them a car for a dollar or something. So there is definitely a new attack vector there. But I think really, from an attacker perspective, what it does is what we’ve been experiencing since the very beginning of doing these types of assessments and penetration tests is at first, nobody was doing this period. So, like, when I started, NMAP didn’t exist. And then it was published in Frac magazine, and again, you had to code it yourself and run it and troubleshoot it. So you didn’t even have port scanners. A very robust port scanner. You start getting these tools like NMAP, like Nessus. Now, it allows more people access to be able to play with those things, right, because they’re not having to write their own tool. There is a tool, and we’ve progressively been seeing that to where those types of things increase accessibility and ease of use. Like, back in the day, there was a website called Packetstorm.
Chris: Oh, yeah, I remember that.
Wirefall: Oh, yeah. You download the tools from there, and a lot of times there’d be a purposeful mistake in the code to stop noobs from writing, from just running it and exploiting something without really understanding it. You had to know what you were doing at least a little bit to be able to go in and, okay, here’s what I need to do. Here’s what I need to fix. And then run the tool. And it would work. So they were putting a barrier to entry for that, right. Then all of a sudden you just had things like Metasploit, where it’s like, now anybody can just download Metasploit and click, point, click and run it. There’s still some manipulation, you need to understand the tool, you need to understand how you get a shell and all these things, but it made it much more approachable for more people. I think we’ve continued to see that in the industry. And now the culmination of that is generative AI, where now a user that has no coding experience, no anything, could potentially use a system that didn’t have the safeguards in place or that there’s known ways to get around the safeguards to just say, hey, do this for me. That opens it up to the entire world. Basically anybody who has any language processing capabilities. So it’s volumetrics, I think. The attacks are the same thing mostly, but it’s volumetrics. You’re now becoming much more asymmetrical.
Chris: Let’s talk about improv, man, because when I got to know you, you told me that you’re into improv now. So, yeah, just curious how you discovered improv and if you’ve uncovered any parallels between navigating an improv scene and hacking.
Wirefall: Sure, yeah. I can’t encourage it enough. If you’ve never done improv, even if it absolutely terrifies you, because it did me take that chance. It is life altering. Absolutely. I’m in my mid fifties. I wish I had found this 30 years ago. My life, I’m not saying I don’t like my life, but it would have been completely different. There would have been a lot less stress in my life. One, because improv is just playing, you get to play, and that takes off stress, but also just how you learn to process information. Let’s take a step back. Why I got into it was I was that little introvert that never had community, and speaking in front of people terrified me. So I start a hackers association and stand in front of people and talk, which was terrifying. But after so many presentations, you just keep doing it, you keep doing it. It becomes second nature. And so I got over that fear by doing it. But every one of my presentations was 100% scripted. I knew everything I was going to talk about. I’d practiced it a dozen times. Everything was scripted. I’d maybe go off script a little bit, but I really pretty much had it memorized. And then there’s extemporaneous communication. So if I’m in a room and somebody would just ask me, so tell us a little bit about yourself. I automatically freak out. I don’t have a script for this. Right. So to the point where I would get tunnel vision, I would feel like passing out. Oh, wow. My heart would race. I would feel like my hands were shaking. It was really bad. Yeah. That was just for presenting in the beginning, but I overcame that. I still get that same feeling in impromptu situations, so it terrified me. And my wife and I support each other, and we have a date night thing. We always decide for this year, we’re going to do this, or this quarter we’re going to do this. And one year, I picked a full season at the symphony, so we would do that every week. And it was my turn, and I picked improv, and we started it. Got a couple, probably about a month and a half in. Month, month and a half in, and then Covid hit shut everything down. And so that was my intro to it. It was absolutely terrifying. And as soon as you make the decision to walk in, they shut down. Yeah, basically, it was like, okay, well, this is interesting. So things start opening back up. I go to my wife earlier last year and say, hey, would you like to do improv with me again? I want to do this. And she’s like, have fun. It was not for her, but I got bitten by the bug hard. I go in there, and it’s absolutely terrifying. Then after you do it and you do it and you do it, all of a sudden, I realized my biggest thing, where the fear was coming from was fear of failure. And in improv, just about every time you fail, it’s spectacular when you don’t. But everything’s basically a failure, which in improv, they’re taught there is no such thing as failure, because every single time you’re not going to do the best thing you possibly could because it’s made up on the spot. You don’t have all the resources at your disposal. You did what was exactly supposed to happen. That’s what they preach.
Chris: Interesting.
Wirefall: Doing all the reps, we call them reps, just like anything else, like working out or doing whatever, doing the reps is all of a sudden, I was starting to feel comfortable where I could go out on stage in front of people, and I will be doing that tonight. And you don’t know who you are, where you are, or what you’re doing. You have no idea. And some of the things it teaches you is that you’re out there with another person, and you have to establish a reality very quickly. So you have to be completely attentive and listen. I learned how to listen in my 50s because we all hear each other, but usually you’ve got half of your mind doing other things because you can kind of process what they’re saying and you know that person and where they’re coming from, and you make all these assumptions. There is nothing to assume when you walk out on that stage as a blank slate. And you have to listen to your partner, watch your partner figure out what they’re doing and figure out where you are and who you are and what you’re doing. It’s a heightened level of being in the moment. They really preach that is you’re in the moment. You can’t plan ahead. You need to find out what’s happening now. But then with some of the correlations, which is crazy, because we’ve had now several members of Dallas hackers join the improv troops I’m part of, and we’ve had even several improv folks now that attend Dallas hackers. And I really do see a crossover in these communities. One, they’ve both been very diverse. There’s just people coming from all different backgrounds, viewpoints, and then also that one of the things I found is in improv, the whole thing is they call it finding the game. So all of a sudden, you’re just building the scene with the hope of finding the game, which is some sort of pattern that is anomalous, that kind of goes out and is funny because it’s anomalous. It’s not just a day in the life of you don’t want to just watch two people just talk about their day. There’s going to be something that’s unique, and you pull on that and you enhance that, and then you explore it. Then you enhance it, then you explore it. That’s hacking. Hacking is looking for that pattern, that anomaly, that thing that really is like this doesn’t look right. I definitely think there’s some similarities there.
Chris: I’m sure it has also helped you learn the art of pivoting. Mentally just hitting a wall and then being forced to redirect yourself in the way that you want to go.
Wirefall: Absolutely. Where does this take me? Where does this take me? I said, it’s life changing. I absolutely, 100% believe that because it was reinforced just recently. A couple of weeks ago, I interviewed for a job for the first time in probably 15 years. I’ve been with the same company for 23 years now, going towards retirement there. Some changes are happening before retirement, little introvert me was terrified. I would be sweating before an interview. I would be trying to fight my urge to throw up and all that kind of stuff, just in general. So it’s been a long time since I’ve interviewed and I thought, I’ve come a long way, but this isn’t a presentation where you have a script. You don’t know what they’re going to ask. You don’t know any of this. And I thought, I’m going to experience the same terror that I used to. It was freaking easy. I mean, it was like, this is improv, really. I’m taking the information in, I’m listening, and then I’m responding honestly.
Chris: And it’s automatic for you now, right? I mean, I’m not saying every situation, but situations that you before would be overthinking or scared. Now it becomes more comfortable.
Wirefall: Just because of the reps. This is what I do every week in class is I go up and I basically allow myself to be vulnerable and fail in front of people. And once you get over that, once you get over yourself, it’s a revelation.
Chris: Have you always forced yourself to be put in scary situations like this, just knowing that you’ll overcome it? Has this been a pattern that you followed, knowing that ultimately there will be a positive outcome?
Wirefall: Absolutely. Whether it was my first conference talk or even probably my nth conference talk, I’d submit and then get accepted and be like, why did you do that? And it was because of this fear. I think one of the reasons I have been successful at what I do in penetration testing isn’t so much my elite skills. I’ve been doing it for a long time. Yes, I’ve gathered some knowledge, but I know people surrounding myself at Dallas acers. There’s some incredibly elite people there, and I feel not worthy, but it’s not my elite skills, I do have a curiosity, but it’s really not the curiosity of how does this work? It’s the curiosity of why did you put a security control in place, kind of like a door with a lock? It’s like, I didn’t want to know what was behind that door until you closed it and locked it. Now that’s all I can think about. It’s just being childish. You can’t tell me what to do. You can’t tell me where to go. And these things that evoke fear in me, it’s my body telling me, you can’t do this. You can’t go there. And even though it’s myself telling me that, I’m like, you don’t tell me what to do. And so it’s a rebellion. It’s a childish rebellion of I’m being told I can’t do something. Screw that. I’m doing it.
Chris: It’s a healthy rebellion. Unless it actually kills you, you won’t do it.
Wirefall: Unless it actually kills you. There’s a lot of things that could do that, but unless that worst case scenario actually happens, which is most likely, it’s a percent, you can’t even consider it, it's so low you wouldn’t consider it.
Chris: So tell me what’s next for you? Do you have any new projects on the horizon other than being involved with DHA, your improv? I know you said you interviewed for a position, so talk to us a little bit, if you can, about what’s next for you right on the horizon here.
Wirefall: Next week, I’m starting up my next improv class, but I also signed up for another class, standup comedy. Because now improv is feeling comfortable. Yeah, that terrifies me. Now will I stick with it? I don’t know when I was starting to feel comfortable with improv. Initially, I was like, okay, I can do this. Let’s make myself uncomfortable. And I started musical improv. So you’re doing a scene in regular improv, and then all of a sudden it goes, okay, sing about pickles. That was beyond. I got to the point where I realized this is just causing too much stress. I went through, like, five classes, and then I dropped it. I was just like, this is causing stress. This is not helping. Right. And I’m never going to have to, in real life, stop and start singing about pickles. And then I should have the pickle song memorized.
Chris: Unless you’re doing a pickle commercial or something like that.
Wirefall: And then I should have the pickle song memorized.
Chris: Anyway, so that’s cool, man. Standup comedy.
Wirefall: Which terrifies me, because now you’re not up there with a person who’s trying to help you make you look good, and you’re trying to make them look good. You’re up there alone, and you’re not making this stuff up on the spot. You had time to prepare. You better make us laugh. You better be funny. That’s scary. I hear you, man.
Chris: Well, good luck with that, man. I really believe that you will absolutely kill it. Listen, before we go, would you mind letting us know where we can find you and connect with you online? And then also, you mentioned a meetup link for DHA as well. Should people listening to this just search for that?
Wirefall: Yeah, you can just search it by the name, but it is Dallas Hackers Association on Meetup on Twitter X. It’s at Dallas underscore hackers.
Chris: And you are very active on X as well.
Wirefall: I used to be. Once the exodus happened right, yeah. A lot of the people I interacted with were no longer interacting, which was kind of sad to see, but also it was almost freeing in that I did create an account on Mastodon. I never go on there.
Chris: I know, me too.
Wirefall: But it was also freeing because I spent way too much time on social media, and I feel a lot better now. So you can find me on Twitter at Dhahol.
Wirefall: So, yeah, there’s a backstory to that, of course, but Wirefall was taken. So I’m at DHA hole.
Chris: Wirefall was taken.
Wirefall: Wirefall was taken. It’s kind of funny, that handle, I’ve been using it since '96. There was a musician that called themselves Wirefall that didn’t put out a lot, but evidently got the handle. And now there is a, I don’t know what game it is, some computer game where there is a move called the Wirefall. And so now, before, when you search Wirefall, basically all you got was me. Now it’s all about computer games.
Chris: Damn.
Wirefall: But, yeah, so DHa hole or on LinkedIn. I dox myself. My vanity URL on LinkedIn is Wirefall, it’s got my real name on the page.
Chris: So you’ve been in Texas for a while. You know the community well. In your opinion, where is the best bar in north Texas and what makes it unique.
Wirefall: Yeah, I don’t go out a lot as far as to the bars, but I would have to say what I’ve enjoyed the most is the truck yard in the colony.
Chris: I’ve never been there, but the guys from cyber distortion told me about that place.
Wirefall: So you’ve got all kinds of like the Cadillac Stonehenge type thing. So you’ve got all the cars put into the ground, it’s outdoors. You’ve got multiple food trucks, and you usually have live music. Every time I’ve been there, it’s been country, which isn’t necessarily my cup of tea. But live music bars, food trucks, and if it’s not too hot out or not raining, then they have indoor stuff as well. But it’s really nice to go outside and be able to chill.
Chris: Okay, well, I just heard last call here. Do you have time for one more? If you opened a cybersecurity theme bar, what would the name be, and what would your signature drink be called?
Wirefall: I would name it running scans, because whenever you ask what are you doing? I’m running scans. So I call it running scans. So you’re out of the bar and you’re just running scans.
Chris: I didn’t know if you said running scans or scams because you could do both at the bar.
Wirefall: Oh, scans. Yeah, it could be both. But running scans or maybe compiling plugins, that takes a long time, too. But running scans and then the drink would be the exploit. Okay. And unlike what people would probably think, that you’re going to use, like, a high risk critical vulnerability, so you’re going to use a high proof alcohol, the way you really get an exploit is by chaining together low risk vulnerabilities. So it’s just going to be an amalgamation of a bunch of different low alcohol drinks, so your liqueurs, just dump a whole bunch of liqueurs in there into a big cup. And that’ll be the exploit.
Chris: Wirefall. Thanks for stopping by, man, and sharing your story with us. It was great to catch up again, and I hope to see you again soon, man. I got to come back out to Texas, maybe stop in on a DHA session.
Wirefall: Yeah, absolutely.
Chris: Get up and maybe do another live show.
Wirefall: Yeah, we do DHA, and then when we break down, we do a live on stage after party.
Chris: I’ll even do some standup comedy.
Wirefall: I’ll pull you into an improv skit. We’ll do live improv.
Chris: I’m down. All right. All right, man. Well, thanks again. You take care. Be safe.
Wirefall: Thanks, Chris. Take care.