Unusual Journeys Into Infosec featuring @EpicPewPew

This series has been all about perspective and insight on the challenges around breaking into the wonderful industry that is Infosec. There are however some things that we take for granted, “uncensored” and unrestricted internet being one of them!

In this chapter I wanted to understand the challenges in breaking into Infosec where these things are most certainly not the case- luckily I knew just the person who could shed some light on the emerging Zimbabwe Infosec industry.

For one I have a huge amount of respect for EpicPewPew, having known him through Twitter (and many threadzilla’s), and more recently as an Admin on The Many Hats Club, where we speak almost daily. If you want to know how to maximise your learning with limited resources and internet then he is your go to person.

“My favourite conspiracy is that the bulk of Zimbabweans are intentionally priced out of getting true access to the internet” - EpicPewPew 2018

I hope through this brief article you too can develop the admiration and respect I have, getting to know this talented young man!

This is EpicPewPew’s unusual journey into Infosec…

CyberSecStu: My vision for this article (or series), is to help break the illusion that you have to follow a certain route to have a career in Infosec. I’m looking to understand more about Infosec in countries like Zimbabwe, I’m hoping you can shed some light on your perception and first hand experience.

It would be great if you could start off by providing a little background on your journey into infosec..

EpicPewPew (EPP): Well, where can I start? I am curious person and for me my life has been about searching for the next puzzle, you could say reality is a puzzle.

Infosec came in as a puzzle not only do I play with - but offers a bit more than the other vocations out there. When I started my university education for a honours in IT and Business Management, everything seemed so mundane and intriguing at the same time — for instance Computer programing using C excited me but the format and delivery of the course content bored me.

For the most part of university I spent time going in and out of syllabus and looking into other things. What gave me that final push into Infosec were the crypto puzzles some intel agency put on their site (I forget which), I was like “that seems nice” I dove in and never looked back.

I have taken a lot of winding paths to be honest but I enjoy Infosec. You know computing, particularly computer security has the property of being an area that is cross cutting across all our lives and it is one of those puzzles that if you are curious enough you create new knowledge and get to play with the next puzzle.

Anyway I have rambled enough. So during my studies I got extra cash by helping colleagues by doing their programming tasks and an interesting thing was I not only had to widely variate the solutions I wrote in the code so that they wouldn’t look the same- but had to then try testing my own code to see what could break- fun times, lol.

In my forth year I had to stop my studies because my debt to the school had ballooned to any extent that I had to stop (Zimbabwean Uni’s may request that you not write exams if you are not paid up in terms of school fees). So here I found myself at home- no degree, no job prospects, with just a computer and my brain to keep myself busy. I read, I studied, I tried to self improve and I must note I received a lot of encouragement and inspiration for the likes of @fouroctets>, @ronindey>, @faraday>, @noid>, @tinehnimjeh>, @sev>, the list could go on.

Anyhow, there are no bug bounties in my country nor is there much of a security research community (that I know of). So I started finding bugs in web applications and data leaks in Zimbabwean companies and some in the region.

I would go out searching (there wasn’t a law prohibiting it at the time), and when I found stuff I would tell the company or individual and leave it at that. So one day I met my uncle and he asks me what I have been up to, I tell him I am a “information security researcher” and begin to explain everything to him.

He then asks me if I receive anything in return to which I reply>  “nothing really I do it for the sake of it, it fun and keeps me busy” to which a scathing lecture about self worth and getting value when you add value. Thus at 22 I began my trip as a independent consultant.

That was a ride, lol. Imposter syndrome gets worse when you are young and your reputation rests being to walk the talk and exceed expectations. Anyway I actually landed a few contracts so much so I was able to ask for $50/per hour subject to 10 hour commitment (a lot of money considering my age and lack of portfolio).

Anyway I managed to say no when I couldn’t do a task and arrested the temptation to oversell myself or hoodwink my clients. Got invited to consultative meetings in public and private on issues concerning Infosec, ICT policy and the like. For the most part I was there as the “hacker in the room” and my independence allowed me to speak my mind of issues like monitoring, IP and the like.

Current I am retained as an Analyst at Bitcrack Cyber Security.

CSS: Excellent! Okay, next question, what was one of your biggest challenges when trying to break into infosec?

EPP: One of the largest hurdles was realising that I am not in an intellectual fist fight with every other researcher out there. I had to start consolidating myself (skillset and capabilities), and not run a race. Our industry is very competitive, overly focused personalities and we put too much stock in “genius”, so much so many a young entrant into Infosec burns out trying to become “ThoUgHT LeAder” (sic). I had to pause, reset and being the process of consolidating myself from the ground up. Not only spending time on skills improvement but also investing in my mental and physical health.

I also had to take stock that learning Infosec (and tech in general) in the context of my situation meant not following the typical pattern.

Some would say “There are a lot of resources on the internet”, “Buy a course on $Training_Site”, “Go to tech meetups”, “Practice", “Get an internship” but you when you look into things the high cost of internet in Zimbabwe, the lack of foreign currency and disposable income, the lack of meetups (I am trying to get a Harare Bsides, Pydata Harare, and a Defcon group up though), and the like. I had either to get inventive or resort to dubious means to get things done.

Techies on my end of the world spectrum are resource starved for the most part but things are improving, slowly but surely.

CSS: What advice would you give to someone who wants to get into Infosec but doesn’t know where to start?

EPP: Don’t be quick to settle and don’t be afraid to pivot. Explore technology and speak to other technologists, be part of the community and your path will make itself apparent

CSS: I’d love to explore some of the local challenges where you are, how do you cope with say internet restrictions and usage? And how does this impact maybe how you research?

EPP: Well internet access in Zimbabwe is expensive and not as ubiquitous as as in the west or Asia. For times when I was broke I would poach hotspots or visit friends at their places of work be non conspicuous as possible.

Some times I would get lucky and find a wireless router with default creds on Shodan and log in get the WLAN key and travel to the router, (Harare city is fairly small once you think about it), other tricks where to use VPNs and Psiphon.

On the restrictions part I am very careful about what I say about the president since there are laws against that, but by and large there isn’t much censorship in internet spaces most of it is in the radio and print media.

My favourite conspiracy is that the bulk of Zimbabweans are intentionally priced out of getting true access to the internet. I have since mastered the art of using the least amount of packets I can to complete a task which has made my research method a bit more lean and targeted at an average of 3 cents per megabyte I have no choice. There are some research areas that I cannot look into of course — data breaches, threat hunting, anything that involves having to spend extended periods exploring online or downloading a lot of stuff.

CSS: Thank you for sharing this, internet access is something most people take for granted, but it seems you have found a way to maximise what you have to your advantage!

So you be been part of TMHC (The Many Hats Club), for a while, how has this been?

EPP: Wow it has been a while hasn’t it? Lol I can’t even remember when I joined the club. But it has been a wonderful and liberating experience. I like we can converse freely and all those boundaries melt away, The Director of a Threat Hunting firm makes conversation with a Tech support scammer in India, Teens going into Infosec get to be mentored by 15 year vets, A German CTO and a Zimbabwean digital merc get to play cards against humanity together.

It epitomises what has been lost by most internet communities, real sincere connections with other human beings. no likes, retweets, nothing to cloud the way we interface with each other. You get a whole lot of new perspective, new knowledge, and new friends every other day.

CSS: We should have that as a testimonial on the site!! Do you think having transferable skills from outside the industry can still get you a job in Infosec?

EPP: Indeed! I think for all intents and purposes transferable skills help you specialise much more quickly. Transitioning from helpdesk, sysadmin, development, and the like give you a considerable leg up.

CSS: Perfect- thank you again for sharing your journey and insights. Is there anyone you would like to give a shout out to?

EPP: Indeed! @fouroctets @RealTinehNimjeh @glueckpress @RuraPenthe0 @p01arst0rm @ronindey @oscaron and the Many Hats family. and special mention to Keith Rose http://keithro.se one of the nicest and most skilled hackers I have made friends with in Zimbabwe.

EpicPewPew epitomises everything that is right with the infosec community, desire to learn, pushing boundaries and never giving up no matter the circumstances.

The key takeaway from this interview, is to never stop having a thirst for knowledge, but being realistic about how much you can actually learn.

When we first start out in infosec, we want to learn all the things, which is a great notion. However, this could lead to burnout, or impostor syndrome. Actually we can prevent this by picking interests and honing our skills in core areas, then from a foundation of strength build the wider knowledge.

In summary, you got this.. go out and learn, bathe in the awesome resources that are out there, but pick your fights, and remember if you are starting out, its OK not to know the answer to every question!

Main Image Credit : The awesome piece of artwork used to head this article is called 'Firing My LAZZOR' and it was created by graphic designer Adam Witton.