Unusual Journeys Into Infosec featuring @PaperGhost

Its time to board the ship HMS Unconventional and sail down the sea of discovery (its only article 3 and I’m already running out of these!), this time we’re on an international adventure, learning about kidnapping, fine art and malware from the wonderful PaperGhost (Aka Chris Boyd).

If you are new to the Unusual Journeys into in Infosec articles, the vision for the series is to provide stories and inspiration for those who may have not considered, or may be struggling to find a path into Infosec!

I’ve been a big fan of PaperGhost for quite a while, so I was excited when I got the chance to speak to him about his unconventional path.

For those that don’t know PaperGhost he is currently a Malware Intelligence Analyst at Malwarebytes and seven-time Microsoft MVP in Consumer Security and former Director of Research for FaceTime Security Labs. He’s presented at RSA, InfoSec Europe and SecTor, and has been thanked by Google for his contributions to responsible disclosure on their Hall of Fame.

His story about how he got into Infosec is about as unique as it gets, I hope you enjoyed his story as much as I did when I interviewed him!

CyberSecStu (CSS): First of all thanks for agreeing to help with this article, I know you have a Fine Art background, can you share with me how you got into Infosec?

PaperGhost (PG): I started out with a fine art degree, and used to paint, sculpt, make movies, conduct the occasional orchestra, and also spent some time acting for a theatre group.

My career plan at the time was to work for DC Comics, drawing Batman. One of my friends was based overseas, and they fell in with a bad crowd of people. When we’d talk in Messenger, we’d use certain keywords to denote if the bad people were around, and I’d pretend to be her friend from the beach.

I hatched a plan to get her out of there, which involved me doing a TEFL (Teach English as a Foreign Language) course, moving to Japan, getting her out there, and sorting her life out. Sadly, it wasn’t to be — the job fell through, and when we were talking about what happened (complete with fake names because some scumbags were in her immediate vicinity), all of this old, secret chat text started filling the text box.

Neither of us had any idea what was happening, but the guy standing beside her figured it out pretty quickly. I lost contact after that, and only found out through a sort of mutual connection that she’d been beaten up pretty badly and gone into hospital.

He also had enough computer know-how to know it’d been hacked with a chat Trojan, and some random idiot had chosen the worst possible moment to post up old chat text for a joke. I lost touch with her after that, as she stopped replying to emails, attempted phone calls, chats — she just vanished.

CSS: OMG.. that’s dreadful!

PG: I took some time out in Hong Kong, was pretty much kidnapped and forced to go to a wedding ask me another time (I did- here is the recording), fled to the mainland and spent some time drifting from fishing village to rural farmland.

In one of the villages, a group of teens there who were into computers started teaching me some basics about hacking. Meanwhile, I had the idea that I wanted to get more involved in this, and maybe prevent something like this happening to anyone else.

I attended a hungry ghosts festival, where they burn paper money offerings to their dead relatives in the hope they don’t come back as vengeful spirits, and one of the relatives of the teens who knew what I was doing suggested PaperGhost as a handle.

So now I had a reasonably decent username and a blog, and from there I just started writing about scams in my spare time while selling car insurance during the day.

I had no real idea what I was doing, or what was a “big” story or not, but by chance or design I started covering things that nobody else had seen before and I quickly started getting press — and death threats — on a regular basis. Eventually I caught the eye of a few US security companies — this is back in 2005/06, when UK hires were fairly rare — and was hired by FaceTime Security Labs to front their blog and public facing research.

I kept wandering into big stories, especially where social engineering, or Adware vendors were concerned, and grabbed a bunch of so-called “firsts”, including the first web browser installed without permission, the first IM rootkit, and the first worm on Google’s Orkut (which got me a spot on their hall of fame, pre-hall of fame name).

CSS: I remember some of these stories from when I was in Infosec Recruitment!

PG: Some 12+ years later, and I’ve worked for Sunbelt Software, GFI Software, Threat Track Security, and now I blog and research for Malwarebytes as a senior threat analyst. I don’t feel that lack of tech qualifications have held me back, though by the same token security centric degrees weren’t exactly available to me back when I graduated anyway.

And that’s pretty much all of it :) Should anyone be interested in what (probably) happened to the person that started all this off, there’s a handy presentation:

CSS: That is an excellent story and I will ask you about the HK wedding another time! (I did- here is the recording).

What do you think are the biggest barriers for people looking to break into Infosec today?

PG: I give a lot of talks at universities for students about to graduate (already got one pencilled in for next year!), and a lot of them see us all rambling on Twitter but don’t want to jump in for fear of being flamed or just ignored.

Echo chambers are everywhere, but it’s always good to remember some of those chambers are also a barrier to entry. It’s also a matter of confidence, as the majority of Infosec people I come across on social media are perfectly friendly and happy to offer advice.

I also think people can still make it with no qualifications — degree or otherwise — and there are tons of roles in security begging for a diverse skillset. Not everything is code.

We need writers, we need people who can communicate with an audience, we need someone that can get to a radio interview in less than an hour and know what to say and what not to say. We need designers so info-graphics don’t look terrible, and web designers who can help a security firm look as professional as possible. There’s lots to do, and we won’t run out of it anytime soon.

CSS: Again great answer- so with that in mind, what advice would you give to someone who is just starting out or is looking to make the jump?

PG: I say this to every group of students, and they always give me the same disbelieving stare, but: set up a blog in your spare time. Figure out how to communicate your ideas. It doesn’t have to be anything fancy, just get into a routine.

Anyone wanting to make the jump likely already has a test box set up, and knows what they want to explore or look at. They just usually don’t have a good tool set for getting their points across, and that’s fine — it takes time.

But then, that’s the advice I’d give someone who wants to be public facing and follow a route like my own. If that isn’t their thing, jumping into a level 1 tech support role is an amazing way to quickly discover what works and what doesn’t in a particular industry, and works wonders for realising how hard it is for both the end-user and the person desperately trying to solve their problem.

CSS: Fantastic, I’ve really enjoyed learning about your journey! And thank you for sharing with me.

There are many important lessons I believe people can take away from this interview with PaperGhost. Firstly he rightly pointed out that Infosec is not all about coding, and there are many routes you can take.

Being able to communicate effectively is vital; especially in written form! There is no point having the skills to hack the planet if you can’t effectively inform people about the risks of doing so!

And finally, if you have an account on Twitter, Slack or Discord don’t just lurk but instead get involved in conversations — I promise you the Infosec community doesn’t bite. We welcome engagement from all!

Main Image Credit : The awesome piece of artwork used to head this article is called 'Ghost Monster' and it was created by graphic designer Niels De Paepe.