Dear diary….

Ok, so I thought that would be a funny way to start each of these entries, but having now typed it and heard how it sounds in my head, I am going to change direction (a lot of thought has gone into this post, clearly!).

A little backstory and the divulging of a shameful secret is in order, I guess. I decided not to get into web exploitation for the reasons it seems lots of people first set out upon that path. I wasn’t motivated by the allure of large payouts or the prospect of riches and fame doing bug bounties. It merely seemed like the next logical step. A couple of the job interviews I had while attempting to get some kind of junior role after passing the OSCP seemed to indicate that was a skill set they were looking for, and was an area I should know more about in order to not get passed over for any other jobs my limited experience might qualify me for an interview for. So I set about trying to learn those skills and the knowledge I would need to succeed at it. A bunch of challenge websites, blogs, videos, The Web Application Hacker’s Handbook and many hours later, I felt I had a decent grasp of everything involved and, full of confidence and gusto, was ready to showcase my newfound knowledge and get a job on the back of my now versatile skillset!

Well, that’s not actually anywhere close to true. You see, what I’ve come to realize is that, like lots of you out there, I feel like a big, fat, giant imposter. I learned these skills mostly by reading blog posts and copying and pasting things, so clearly it can’t be that hard and I possess nothing worthy of being paid for. I also see how much it is I don’t know because this field is so vast, and reading those same blog posts, while helping me learn, also made me acutely aware of the distance from where I am now to the point where I possess the depth of knowledge and expertise contained in those writings. And of course, I never look behind and see how far it is I’ve come, because who does that? Anyway, the whole imposter syndrome thing is something I could write a bunch about, but I’ll save it for a different blog post. Basically though, it keeps me from doing things like applying for Synack Red Team when I see them make a post about it in the OSCP forums, because there’s no chance I know enough to pass their test.

Well, apparently that’s not exactly true either, because after talking to someone who gave me a much needed “Who cares? If you fail, just take it again later, BFD” pep talk, I took and passed the test and then the interviews, and the next thing I knew I found myself filling out employment records and being welcomed aboard. Wow, maybe I don’t suck after all, and now that I’ve learned the value of believing in oneself I’ll go on to lead a professional life full of satisfaction and success. I did it! Roll credits, El Fin! Well…

So now we get to my shameful secret. That was something like 16 months ago and, in case you haven’t figured it out from the title, I have never found a single bug. Zip, zero, zilch, nada. How is that possible? When I first started I was under the impression the rule was you had to find a bug in your first couple of weeks in order to stay on, so while I lacked much belief in myself I was motivated by the time crunch, and I really thought it was cool to be on SRT, and so spent most of my time looking for something. But I kept turning up empty. Then I got a lucky break in that apparently I started just after they decided to change that two-week rule, and it was now going to be evaluated on a yearly basis. So with some breathing room I decided I’d work even more on my skills and then really give it hell. Well, a wicked cocktail of ADHD, depression, and a worldwide pandemic seemed to always throw a wrench into my plans of coming back and getting that first bug. And then the more time that went by, the more impossible and unlikely it seemed because of how much time had gone by. A pattern that for me just leads to avoidance, which then turns into shame.

Also, it doesn’t help that apparently Synack Red Team is seen as an indication I must have some skill (not sure why that is, I mean I’m part of it, how good can it really be?!) and that, as a former professional poker player, my resume is basically devoid of any real jobs, so having SRT on my LinkedIn means I get recruiter spam and interview offers. And while I started learning these skills so I could land a job, how exactly are those interviews supposed to go now?

Interviewer: “So tell us a bit about some of the bugs you’ve found during your *checks some papers* year+ at Synack Red Team? What is the most interesting vuln you’ve discovered?”

Me: “Uh…….”
Me: “……..”
Me: “……”

Me: “OMG, is that a rhinoceros?!!?” *points and then runs*

So what should be helpful instead just feels like a weight that drags me down and fills me with shame.

The thing is though, I actually don’t totally suck. If you give me a challenge where I know there is something there to find, I’ll get it. I do well on web challenges in CTFs and sites like Hack The Box, and I’m very good at explaining difficult concepts to technical and non-technical people alike, which is a valuable skill in this space. However, it’s like night and day when I’m out of that artificial environment and in the real world looking at a random website that may or may not have something. Then it’s just confusion, no confidence, and hopelessness. There is shame too, have I mentioned the shame?

So what is the point of all of this? Basically I’m just tired of feeling like a fraud, so fuck it, I’m going to put it out there for everyone to see. Maybe it makes the shame work for me: you can’t very well start a blog like this and then not follow up and work towards getting that first bug, cuz oh man, how bad would that then look and feel!? (*nervous laughter*). Also, I know this same feeling is something a whole bunch of people in this space struggle with, especially those of us who are self taught, so maybe me blabbing about it helps someone else. And if I can change just one life out there for the better, then it was all worth it! (Yeah ok, that sounded even less funny than “Dear diary…”)

So my plan going forward? I’m going to devote time each day to looking for real bugs, and I’m not going to stop until I find one. I’m going to write about the process here, and if I fail miserably, well, at least I added some content to my webpage, so it’s not all a loss, heh.