We spoke with Matthew Hickey, CTO and Co-Founder of Hacker House and co-author of "Hands on Hacking" about his start in cybersecurity, writing a book, and avoiding burnout.
Tabatha: Thanks for taking time to talk today. Jumping right in, how did you get into hacking?
Matthew: I grew up in an era where computers were penetrating daily life, and a lot of people were getting exposed to them for the first time. Filing cabinets were still a thing when I was growing up, and computers - they're very anarchistic in nature. I think hacking is a naturally rebellious thing that a lot of young people will do or graduate towards, and it's an important skill because it really is something that anyone can do. It's something that you can pick up and can learn, and it's quite empowering to understand how technology works.
It was something that I was naturally drawn to. Once I started to understand what I could do with computers and how I could leverage them to gain access to things - that perhaps I shouldn't have been able to - it allowed me to challenge misconceptions and my views of the world, but also computers and networks, in general how they work and what they do.
It's not really like, why did I get into hacking so much as why other people aren’t, because it's something that I think is really important to everyone's life. Understanding technology, what it does, how it works and the inner workings. That process, the whole desire to understand and learn is really what computer hacking is. It has a massive benefit to organizations to understand security and why hackers do these things.
I grew up in a very technological household. We had computers from a very early age. My dad used to bring them home from my grandmother's school. These were some of the first computers people had ever seen, so they were really influential in my life growing up. Trying to understand what they did and how they worked was key to that. So I didn't so much be a hacker as that's just what people were called, and it was really a fringe thing. We didn't have an industry, there wasn't a big business. It was just people that took things apart to try and understand how they work.
Tabatha: How do you decide, this is what I'm going to do for my job?
Matthew: You know, trying to get a job in this field as the industry came up was challenging. It wasn't something a lot of people were making much money on. Prior to large malware attacks like MyDoom and SQL Slammer, computer security was still a niche area. It was seen as a group of loosely organized people who would just challenge things academically. There was no real formality to it or money in it. People introduced things like CVE numbers and all the rest of it, and it grew into a business from there.
I was just fortunate enough to be around at the time that was going on and getting some good breaks in my career. I had to write to companies and I remember getting a lot of rejection letters, just as many if not more than I had positive letters.
As businesses grew and understood that they needed hacking skills to defend their networks and that these skills were integral to what we as organizations and companies and governments do, it became something that I was able to profit from. Being able to take those skills and utilize them in a work environment was challenging. It was like I was following my dream though and it was what I wanted to do with my life.
I was turning my hobby, my passion, and things I enjoy doing into my job. Understanding computer security problems and getting paid for it, right? There are no two ways about it. That was the big draw behind it.
Tabatha: How do you avoid burnout, and what continues to motivate you in this industry where the burnout rate can be so high?
Matthew: Family and Church. I have a young daughter, my family is super important to me. I think it's important to have some sense of purpose in life, and there are things that I enjoy that are not computer-related that I try and do with my family. Going for walks or taking time away from things and just giving myself a chance to reflect on it without becoming so serious about it all.
You’ve got to remember that while we do a serious job - cybersecurity is important - still, it's important not to take yourself too seriously too. You need to be able to unplug from things to go look at and work on other problems in life. I find family is a strong reason to do anything, really. I come from a big family, and that’s always been an important part of my life.
Tabatha: Speaking of not taking it too seriously, you post as Hacker Fantastic, and your avatar is a Rainbow Dash from My Little Pony. Is there a story behind that, or do you really like Rainbow Dash?
Matthew: When I got my first job in penetration testing, I would ride a BMX to my place of work, and I would chain my BMX up in the car park, or I would skate to and from the office at night. As part of that I got interested in spray paint art - going out, and painting on the skate parks. The character, Rainbow Dash, was chosen for no other reason than it was fun to try and draw it with spray paint. Then it evolved and became this pirate pony that was deep dreamed in AI, and I was just having fun with it, really.
When I actually watched the show, I learned that it represents to a lot of people, friendship and community. I couldn't find anything more wholesome than that for young people to look at. And it’s just a little bit about my background - hanging out at skate parks, riding BMXs until all hours, biking to my office job where I did cybersecurity. I did this well into my late twenties until I got a little bit too old to hang around the skate parks. It was partly why computer hacking became part of what I like to do. I see it all as art, and the Rainbow Dash image was just something I was having fun with. So yeah, that's where it came from, and the choice of words was more just about trying to spread some of that positivity. I wanted people to see something that was fun and a little bit different from what you would normally see, you know?
Tabatha: How did you decide it was the right time to write a book or to even write a book at all?
Matthew: Hacker House was set up essentially to develop solutions for industry. One of the things that we kept encountering was that our clients were bringing us in as experts to do things that they could be taught and become self-sufficient to do. We really focused on trying to solve what our clients' problems were. Working on a book, the course, and educational content became core to the company mission. We try to advocate for computer hacking, and for computer hacking as a solution to modern business problems.
We'd already made the decision to make the book, make course content, push through. It was just a natural extension of the process where we were documenting things to help people understand cybersecurity and cybersecurity problems in a practical way and give them examples to see for themselves. They could actually understand that this is something high school kids can do, why it relates to business, what it can do, and why companies can embrace these kinds of problem-solving people. The book was just an evolution of what we were doing. We tried to make it accessible to people. We wanted to try and get it into people's hands so that they could do the same things that we were doing to understand those benefits that it can have to the world.
Tabatha: It seems that you've set up this book quite holistically rather than simply a technical run-through.
Matthew: It's one of those things that I encountered a lot with my clients: people wanted to understand how to get into this. It was really like compiling a lot of different views, a lot of different situations to put something out there that we knew would have practical results, right? Someone could take this book, read through it, and could conduct some elements of penetration testing - they could understand why those processes work to equate that mindset because a lot of this is really about problem-solving.
It's still a science, it's a logical process, it has a methodology, it has a start, middle, and end, and you can't really know everything. Still, you've got to teach people how they can understand what they're doing and how they can go and get more information. Not to just confine them to here is step A, B, and C.
That ingenuity, that creative thinking, that process of challenging a system and trying to figure out a way inside of it - that's what creates innovation. It's what drives change. It's what makes security systems more secure, right? Why do we still have HTTP as the default in the web browser? Surely by now, with most sites being HTTPS, we should just be requesting HTTPS first. We'd eliminate a whole class of bugs. But you know we've got to get people's behavior to change. We've got to start embracing that computer systems are themselves inherently not secure, right? They take work to secure them, and they encounter a lot of very similar problems. Something as simple as a command injection attack or a database injection attack, or leaky log files sitting on an external server - these are all things that companies can, and should, be able to find themselves. They should grow resources and invest in their teams to have that kind of capability.
And we realize that if you have expensive hacker training, you're charging thousands of dollars - $7,000 for a SANS course - something like that, then you're eliminating groupings of people who might be very well adapted to cybersecurity. We've seen these skills coming from a postman, bartenders, people from all walks of life - at one point, I had a background in sales. People can learn these skills, and they can use them to empower themselves. It's an important topic for the world. Every business really struggles with this. None of them are getting it right. Some are, but those are the rare few and far between, and it's a big part of embracing that understanding of technology to improve it, right? We wanted to make a book that reflected that. I wanted something that someone could go pick up off the shelf with no real prior knowledge of it and learn the things I've learned by doing it the same way we've done it.
Understanding the basic premise of different kinds of attacks and building on the knowledge, so they have some kind of foundational grounding to say, "You know what, I understand a little bit about computer security." and then not be afraid to push boundaries themselves. If we don't push the boundaries of systems, we'll never really understand their limits.
Tabatha: How long did it take to write the book? What was the best part and worst part of writing a book?
Matthew: So it took about two and a half years to complete the book from start to finish. From the initial concept design to where we discussed it with a publisher, we began to collate material, resources. Because we built the labs for the book at the same time, it was really quite a challenge to integrate technology from all different eras of computing. We have some bugs from the early nineties and some from just last year or this year. It's very difficult to have that kind of spectrum of problems all in one place. Someone can pick up a book, read through a chapter, and actually, just go do that example as well. They can go and complete that same kind of methodology and understand what that problem really looked like.
And I can't really say there was a worst or best part. The whole thing was just so much work. We're really grateful to the teams we've worked with, the guys over at publishing, the technical editors. There's more than just myself involved, Jennifer, all of the work that was done, and the team who had to pick up some of the slack when we were busy. It was so much work. I'm glad to be able to put something out there that's cost accessible and affordable. It's something that people can pick up and enjoy. That's really the best bit, the fact that it's there now and people can get it, they can access it. We didn't really do it for any other reason than we wanted people to understand what this process was.
It was a challenge for us to create something that targets the grounding skills. If I'd have written another book on how to write BSD kernel internals or low-level systems exploitation, it would have been well-read, but it perhaps wouldn't have had any impact. It wouldn't have helped somebody get a job. It would have satisfied their curiosity. But we needed to write something that would explain to people how the lay of the land looked for industry, for jobs, for business, and the practical skills that they would need. So we really wanted to bridge that gap between the academic universities, the degrees, and the skills people were learning themselves. We wanted to give them something structured to understand that these are the foundations that many computer networks are built on. These are why there are problems and how they look. So that was the best part, getting it to people. Getting it into their hands and seeing it being released and seeing people enjoy it. That's really the best part of it.
Tabatha: You've included a chapter on writing reports - thanks for including Dradis in that. Reporting tends to get just such a bad rep so how do you encourage folks to focus their efforts on reporting?
Matthew: Reporting is the part of the work which has the most visibility for your efforts. Sometimes to a client, it doesn't matter how elegant that exploit is or how convoluted the access mechanism was; the report, the documentation that I produce, is the product of my labor. It's something you should always take pride in - whatever you produce. And it's hard to give it the dedication that sometimes it deserves, right? Because report writing can be cumbersome, creating a document can sometimes produce results that are in themselves as much art as the problems they describe.
If you look at that document as being something that represents your work, then why wouldn't you want to take pride in it? You want to make sure that it's not just something that you can understand, but it's digestible for others, for the effort so that they can take away from what you're doing and translate that back to their business to make use of that information.
If we just sat around writing exploits and hacking things all the time, often a lot of that information would be lost. It wouldn't translate over to business. People wouldn't see the value in what you're doing. I find that it's a product that's produced that I want to take a lot of pride in. So it's got a lot of visibility. It's something that I think is a little underrated as a skill. We don't praise reporting enough. It takes a different level of skill, but it's also artistic in itself, right? You're describing very complex things to someone who might not be technical. That in itself can be a bit of an art. It takes work, and it takes a bit of practice to get that right. I've tried a lot of different things.
I think it's just the same as if you are giving a talk at a conference. You do your due diligence. You want the work that you're producing to be valuable. You want it to be something that you are proud of, that this isn't just some advisory that you scrawled down on a napkin. It's important, really, to be able to document. That process, being able to do conference talks, being able to go out there, being able to represent yourself, and your brand and show people what you do. You've got to be able to give them something, and reporting is an element of that.
It's something that has value. It holds weight. It's the tangible results that someone's going to pick up. You might have hacked the company six ways from Sunday, but if you haven't explained and documented why the company was insecure in the first place, they're never going to learn from that. You're just going to be showing them a problem and finger pointing, it's frustrating for people. You've got to be able to translate to them in a way that's going to encourage growth. If you just see it as a labor that you have to do, as part of this security processing part of this work, you won't enjoy it in the same way.
No one likes doing the dishes at home; everyone prefers to do other things. We don't like doing chores, but those chores make the house look nice and presentable. And it's the same with this kind of work. You've got to be able to present it to people in a format they understand. Otherwise, your efforts are not going to be taken seriously. You're not going to be able to show people why things are broken and what they can do about it. And that's a big part of what professional hacking is. It's using these skills to identify people's risks and false sense of security vulnerabilities and then helping them address it. So you've got to look at it in the same way as it's another skill that needs to be learned to be effective at computer hacking today.
Tabatha: What other products or solutions were you using before you found Dradis?
Matthew: I have tried everything from Canopy, Excel, Word, XML, Markdown, LaTeX, issues in GitLab, JIRA. We have tried everything to integrate our workflow as penetration testers doing ethical hacking. But our work is not just running scans. We're often tasked to look at products that might not have been looked at or investigated before. We're doing a lot of things that are deeply technical. It's important for us to have a tool that doesn't just produce reports. It's got to work with our workflow process. It's got to integrate with how we manage and structure our engagements.
Dradis is available as a community edition, which helped our students who wanted to see what those tools might look like. It's certainly better than trying to teach people how to be desktop publishers. You can use Microsoft Word, but I'm sure we've all lost hours at some point fighting with fonts re-rendering themselves or images changing up mysteriously. That can cause such a delay and slow down in the actual delivery of a project or the results from a technical assessment. It was important for us that we had something that encompassed the breadth of our workflow process and produced a quality deliverable.
From start to finish of an engagement, it's important that we have a methodology. It's important that we can follow through that methodology, track our engagement status, track our issues back to different work units. So it's not just the reporting for us, it's very much job management. All jobs, whether it's engineering, software engineering, you have these kinds of job management systems. Dradis is flexible enough to produce professional documents which can be exported and give us raw access to the XML. We can streamline it into things like our GitLab or Jira, because we're kind of a mix of a software house here as well. So when we're doing those kinds of tasks, we need to relate that back to documents and find it just easier to export and work with our clients' systems. Dradis is such a good fit for us. I started using it and immediately, I was like, I am never writing another penetration test report in Word again. Purely and simply because Dradis was just a much more effective solution to use with our structure and style of working.
Tabatha: We are big fans of reading on the Dradis team. What are your favorite books, either security-related or non-security-related, those that you just read for fun and learning?
Matthew: So when you sent me this question, I immediately walked over to my library. I pride myself on my books. I've built an extensive library over the years. I've whittled it down to what I consider essentials. I have large volumes of lots of reference texts, a lot on LTE, Verilog, smart cards, software-defined radio, very much rule books, essentially, for computers. Kind of like the Dungeons and Dragons nerds who collect the extra campaigns, that's how I am with reference texts.
Picking a particular book, my favorites in security, I really like PoC||GTFO. They compiled two as Bibles. They were great books that encompass different kinds of security problems. I like works that challenge my thinking like Silence on the Wire by Michal Zalewski. Another very good work on computer security problems. I enjoy a mixture of other things as well, other fun books, a lot of things about policies and policy design, post-9/11 doctrine. I like conspiracy texts as well. I just like to learn and books are a great way to do that. The largest chunk of my library is not really how to hack or Hacking Exposed or anything else. A lot of it is just the art of electronic engineering, reference texts for different standards.
I have a lot of very old processor manuals from different RISC and system designs, and they are really special to me because they're old texts. They're very difficult to find, they've passed through many hands. These are well-worn books, but they're still very, very insightful. And I like nothing more than grabbing a book like that on a Sunday and just getting into some computer problem and finding and learning more. Because that's what this is, right? You're learning and you're trying to explore knowledge. And I try and read as many of those kinds of books as I can, so it can be hard to find more fun books. I do enjoy reading to my daughter. We read a lot of kids' books and various other funny things like that, and that's quite enjoyable. She reads books that are very different about dinosaurs and stuff like that.
Tabatha: Any big plans now that you've published this book?
Matthew: You know, I like getting outdoors. Try to go walking, hiking and finding time to go camping if possible, playing with drones outside. I just try and keep myself a little bit busy sometimes. Going out and about and just walking. I mean, there's plenty of nature out there. It's difficult in light of the pandemic. I miss being able to just go out places and sit down and do other things, but I think it's important to not get stuck in a rut. You’ve got to try new things, you've got to go to new places, and the world's big. There's plenty of places to go and camp. There's plenty of places to get out and try and go for walks and things like that.
You don't have to go too far, just get in the car and go for an hour. And I think that's important. Going and looking at wildlife and I see some great things. One of the best things I liked about hacking as a job is I've been able to travel places I wanted to go and see. I grew up in a rural part of Northern England, so outdoor stuff is what I enjoy when I'm not working anyway. I think it's a healthy thing to do. Everyone should try and find something that's healthy for them and go and practice that to get an escape.
Just to not have to think about what's going on elsewhere and in politics and what they're reading on the news. Just get out there and go see some nature sites, see some deer, some animals, try and find something to do. Get into bird-watching or something.
There's plenty of spy tech you can repurpose for having a laugh when you're out in the wilderness. I quite enjoy taking my radios out there and messing around, doing science experiments, so it can be healthy as well. You’ve just got to make sure that you try and take time off from the computer.
Plans now that the book is out the door are to keep building on what we've been doing with our training, building on our services development, and continue as a company, to keep working hard and trying to achieve good results for our clients.
Matthew Hickey, CTO and Co-Founder