June 1, 2023

Episode 21: Chill Chat with Legendary DoD Hacker Corben Leo

Critical Thinking - Bug Bounty Podcast

In this episode of Critical Thinking - Bug Bounty Podcast, we chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. We discuss the state of DNS rebinding in 2023, a Twitter thread by Douglas Day (@ArchAngelDDay) on one-hundred bug bounty rules, and our own unique approaches to bug hunting. We also discuss Corben's recon-focused bug hunting methodology and how he developed it. Don't miss this episode filled with valuable tips, insights, and Corben's Boring Mattress Company.

Follow us on Twitter at: @ctbbpodcast

Get on our newsletter for some exclusive content: https://www.criticalthinkingpodcast.io/subscribe

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on Twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

Today’s Guest:

https://twitter.com/hacker_

Article on the State of DNS Rebinding in 2023:

https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/

See @ArchAngelDDay's Twitter thread about 100 bug bounty rules:

https://twitter.com/ArchAngelDDay/status/1661924038875435008

Talkback - Cybersecurity news aggregator:

https://talkback.sh/

PyPI announces mandatory 2FA:

https://www.bleepingcomputer.com/news/security/pypi-announces-mandatory-use-of-2fa-for-all-software-publishers/

Timestamps:

(00:00:00) Introduction

(01:05) State of DNS rebinding in 2023

(04:40) 100 Bug Bounty Rules by @ArchAngelDDay

(05:30) Give yourself a ‘no bug’ limit

(07:00) The value of reporting Low and Medium Bugs for Bug Bounty Programs

(11:15) Reporting Out of Scope Bugs

(14:30) Reporting IDORs as Access Control Bugs

(17:28) Talkback

(18:12) PyPI's mandatory 2FA implementation for software publishers

(Start of main content)

(20:07) Starting out in bug bounty/ethical hacking

(25:00) Hacking methodology and mentorship

(28:15) Identifying Load Balancers

(33:20) Triage and live events

(38:30) College and Computer Science vs. Cybersecurity

(45:45) Importance of writing for the Hacker Community

(51:21) Storytelling and report writing

(55:00) When to stop doing recon and start hacking

(01:00:58) Lessons Learned from BreachlessAI and the pivot to Boring Mattress Co.

Transcript

Justin Gardner Rhynorater (00:01.996)
Yo, yo, yo, welcome to the pod, Corben.

Corben Leo (00:05.102)
Thanks, thanks for having me, excited to be here. Excited to spend some, yeah, no worries.

Justin Gardner Rhynorater (00:07.492)
Thanks for stepping in last minute. We had Joel disappear on us this week. He had some family stuff coming up. So I texted Corben yesterday at like 9 p.m. and be like, yo, can you get onto the pod tomorrow morning? So, appreciate you stepping in, man.

Corben Leo (00:24.686)
Of course.

Justin Gardner Rhynorater (00:26.368)
All right, so I've got a bunch of questions for you. And I hope, did you grab a report by the way?

Corben Leo (00:33.779)
Yeah, I have one in mind.

Justin Gardner Rhynorater (00:35.284)
Okay, cool, nice. I was gonna go to my collaboration stuff and see if we could find one that we worked on together. But yeah, if you've got one, that works too. Okay, so first let's go ahead and do the news section. So how this works, Corben, is first we do the news and then I ask you a bunch of questions that I've got in the doc about your life and your hacker vibes. But since we've got no Joel today, you're stepping in and you're doing the news with us.

Corben Leo (01:01.356)
Yeah.

Justin Gardner Rhynorater (01:04.416)
Alrighty, so first thing that I had on the list here, and this is pretty cool, I really like just DNS rebinding as a concept, but there was an article that came out earlier this week called State of DNS Rebinding in 2023. And actually, I think it got released actually about a month ago now, but it just came across my feed. This was by NCC Group. And essentially,

Justin Gardner Rhynorater (01:30.756)
It's exactly what it sounds like, a State of DNS rebinding article, and it talks about all of the different sort of restrictions that they have in the space. There's local network requests, which is a sort of a new restriction that's coming into place. Unfortunately, like in this upcoming version of Chrome, we're about to lose access to a bunch of local network stuff. Yeah, but it's...

Corben Leo (01:50.211)
Hmm.

Corben Leo (01:53.499)
too.

Justin Gardner Rhynorater (01:58.584)
just to sort of summarize it, it's gonna start, there's gonna be some CORS stuff that's gonna start coming in, into play on local network access. And this is already in what is called a Chrome deprecation trial, which essentially allows for us to have a developer token that you request if you still need this feature, so that they can still like sort of

Justin Gardner Rhynorater (02:27.236)
gradually roll it out and not break everything. So that was something I'd never heard of before and I thought was pretty interesting.

Justin Gardner Rhynorater (02:37.004)
Um, let's see, what else is there here? Um, yeah. Okay.

Corben Leo (02:41.538)
Good thing all these bug bounty programs are in outdated versions of Chrome still, right? Everyone's ten versions behind.

Justin Gardner Rhynorater (02:45.296)
Yeah, I know, right? Yeah, they still have like, you know, a lot of times what you run into in those sort of situations is like super mega old Chromes and that becomes the problem, right? It's like, oh man, how do I hack this thing that doesn't have any of the features I've been used to for the past, you know, six or seven versions? Let me see what else I had here on the notes. So yeah, this is something that we talked about when we did the episode on rebind multi-A.

Corben Leo (02:57.242)
Yep, yep, it's a bit too old.

Justin Gardner Rhynorater (03:15.616)
That is that Chrome can, there is a rebind that you can do in Chrome that's instant, using a record that has multiple IP addresses that it resolves to. And that can rebind only to local, or only to 0.0.0.0, which is like sort of a private IP address. I mean, technically you can access local services, but it's not necessarily specifically a loopback or local IP address space.

Corben Leo (03:24.258)
Mm-hmm.

Corben Leo (03:36.59)
Hmm.

Justin Gardner Rhynorater (03:45.844)
there's a Chrome issue that we'll link in the description saying specifically, you know, tracking that specific vulnerability. But as of right now, the takeaways from that article are that you can still attack services on 0.0.0.0 using Singularity or my DNS rebinding tool. And then the other thing that I didn't know was that the WebSocket port scanner still works. So you can still do timing attacks against local.

Justin Gardner Rhynorater (04:16.085)
services and services on the local network using a WebSocket port scanner, which I thought was pretty rad.

Corben Leo (04:17.096)
Hmm, yeah.

Corben Leo (04:22.414)
That is cool. Makes sense.

Justin Gardner Rhynorater (04:26.85)
Yep. Let's see what else we got here.

Justin Gardner Rhynorater (04:31.84)
Yeah, so let's see. Douglas Day, Archangel D-Day is his Twitter handle, posted a Twitter thread, which I know Corben loves, right?

Corben Leo (04:45.628)
It's been a while.

Justin Gardner Rhynorater (04:47.292)
Yeah, yeah. Um, and he dropped 100 very short bug bounty rules. And I think at the end of the tweet, he kind of linked to, uh, Ryan Holiday tweet, um, where he got that sort of, uh, flow from, but this is a really cool, um, tweet that has a bunch of really nice advice for, uh, what you would do if, if you were, you know, a hundred different rules for bug bounty and what kind of stuff you should try to approach.

Justin Gardner Rhynorater (05:17.268)
So I figured let's go ahead and take a peek at these real quick, Corben, and read through some of these and give these a talk. One of the ones that popped out to me was give yourself a no bug limit. I do three hours. So he said that if you don't find a bug within three hours on a specific part of the target, you move along. What do you think about that?

Corben Leo (05:20.119)
Mm-hmm.

Corben Leo (05:43.198)
I mean, I think that's... I think that makes sense. I mean, I don't think I'd... I don't do three hours. Maybe I should, but it's just like, okay, I'm kind of sick of looking at this. I'm gonna go look at something else.

Justin Gardner Rhynorater (05:50.145)
Oh really?

Justin Gardner Rhynorater (05:54.704)
So you move along pretty quickly.

Corben Leo (05:56.522)
yeah I move on decently decently quickly especially when it's like a really big app if it's bigger then it's like okay I don't see anything I don't know I tend to like some people do more of like the pen tester methodology where it's like okay I'm gonna test this specific thing for literally everything whereas like okay I'm gonna like just check out the different functionality and then I'm gonna like I don't know go where like my spidey senses like are tingling in one area so like I'm gonna go look at this and then okay I don't see anything here and I just kind of do that.

Justin Gardner Rhynorater (06:00.372)
Okay, gotcha. And, and... Yeah.

Justin Gardner Rhynorater (06:26.508)
I feel like you have a pretty strong hacker spidey sense, which I think we'll touch on a little bit later in the flow, but I'm definitely interested in trying to crack that nut a little bit, because when I read through your threads, and just when I've seen you at the live hacking events and such, I feel like you find bugs that are pretty different from what I find. So I think our methodology sort of deviates a little bit there, and you're a little bit more recon heavy, which is cool.

Corben Leo (06:49.845)
Yeah.

Corben Leo (06:53.122)
Mm-hmm.

Justin Gardner Rhynorater (06:56.168)
Um, let's see what else we got here. Oh, okay. So this is another one that I thought was pretty cool. Uh, 24, uh, it says six, six, one K mediums pay more than one 5k crit. Don't ignore any bugs. And I think this one is kind of like once, cause there there's a certain brand of hacker that just kind of only reports highs and crits and that's great. But I totally agree with, with Douglas here that there are a lot of people eating and even ignoring lows I think is, is a mistake because one.

Justin Gardner Rhynorater (07:24.632)
that's value you could have in your pocket. And two, what the company is gonna pay for it, it's something that they want. It's something that they think would secure up their attack surface. So I would say never, never don't report a bug that you think might be valid.

Corben Leo (07:35.043)
Mm-hmm.

Corben Leo (07:39.934)
Yeah, I agree with that. I mean, there's sometimes... I guess it kind of depends.

Corben Leo (07:48.97)
Like if you find a stumble across a medium or low bug, why would you not report it? Because it's just like, yeah, you might get duped, but hey, if there's a chance you're not, then I guess that's like free money. But yeah, then there's other people that just don't even look for mediums or anything like lower than that too. But yeah, no, I agree with that.

Justin Gardner Rhynorater (07:55.329)
Mm-hmm.

Justin Gardner Rhynorater (08:06.208)
Yeah. I don't know. I feel like I stumble across mediums or lows when I'm looking for higher impact bugs. Like that's the kind of thing that I like, you know, when I'm... And I've talked about this on our episode. I'll have to pull it up right here. The episode where we talk about how to find a good program, episode 13. I kind of talk about this, you know, whenever I'm choosing a program, I always try to pick a program that has good payments for lows and mediums as well.

Corben Leo (08:12.039)
Yeah, same here.

Justin Gardner Rhynorater (08:34.348)
Because as you're going after those highs and crits, you're always going to stumble upon the lows and the mediums. And it's just nice to have a good consistent, you know, influx of bounties coming in to keep you motivated and to keep your wallet full if you're a full-time bug bounty hunter.

Corben Leo (08:38.383)
Yep. Exactly.

Corben Leo (08:42.754)
Mm-hmm.

Corben Leo (08:48.926)
Yep, exactly. I think like the inverse of this problem too is like when you're only looking for like lows and mediums I don't know people who like I guess I don't know like anyone specifically who does that but I mean, I guess that's a mistake too is I guess that might just be like Kind of like when you're newer. Yeah, I think it's just a beginner thing to trying to like crack to find like bigger and bigger things so Yeah, I don't know where I was going with that

Justin Gardner Rhynorater (08:59.059)
Mm.

Justin Gardner Rhynorater (09:04.644)
Well, I think that's a beginner thing as well, you know?

Justin Gardner Rhynorater (09:11.916)
Yeah. I think it, I think it, I think it can, I think it can go, you know, if, if you're just not dreaming big enough in your attack vector mentality as well, like if you're never thinking, like, for example, I, I very rarely, I used to very rarely look for, um, uh, arbitrary account takeover.

Corben Leo (09:19.728)
Mm-hmm. Yep.

Corben Leo (09:30.87)
Mm-hmm.

Justin Gardner Rhynorater (09:30.912)
Right? Because I was like, this bug is just kind of like a myth. Right? Like, does this really exist though? And then like, you know, I see you and OXACV and some of the other hackers out there that just kind of have a different mentality start popping some of this stuff at live hacking events. And I'm like, oh, wow. Literally OXACV. I like, I love it, man. He literally, I think you know the one I'm talking about.

Corben Leo (09:34.695)
Yeah. Yeah.

Corben Leo (09:46.719)
Hehehehe

Corben Leo (09:53.906)
Yeah, I know exactly what you're talking about. That one was actually insane. That was absurd. I thought that couldn't be done.

Justin Gardner Rhynorater (09:56.756)
Yeah. And it was just like, like literally 15 year legacy code where he popped an arbitrary account takeover just because it was like a, it was like a string contains bug rather than a string equals bug, which is crazy. Um, so I think keeping, keeping the attack vector mentality high is another really good solid tip.

Corben Leo (10:02.605)
Yeah.

Corben Leo (10:10.704)
Yeah.

Corben Leo (10:13.322)
That one was... yeah, that one blew my mind.

Corben Leo (10:18.874)
Mm-hmm. Well, yeah, and also don't like put restrictions on ideas before you try it too. It's like, oh, there's no way that could work. It's like, you'd be surprised by how much code is just like strung together with who knows what. Yes, exactly. And there's just weird services that interpret things differently. Like, you never know.

Justin Gardner Rhynorater (10:24.456)
Mm-hmm. Yeah.

Justin Gardner Rhynorater (10:28.847)
Yeah.

Justin Gardner Rhynorater (10:33.284)
Yeah. Devs do crazy shit sometimes, man. They really do.

Justin Gardner Rhynorater (10:40.352)
Yeah. So I knew I, I know I kind of threw this on you last second here with the tweet, but you see any of these that, that stand out to you in particular?

Corben Leo (10:49.472)
Um, let me see.

Corben Leo (10:56.75)
I mean, I think... Let's see.

Corben Leo (11:07.191)
Let's see, 36. You find a bug that's out of scope. This is a whole another, this 36 you could talk about so much more too is like, if you find a bug that's out of scope, still ask the customer if they care. I don't know, that's a really tough one because there's obviously reasons you have scope sections in, you know, programs have scope sections, you don't want them hacking.

Justin Gardner Rhynorater (11:09.892)
36.

Justin Gardner Rhynorater (11:18.264)
What is it 36 if.

Justin Gardner Rhynorater (11:23.708)
Mm-hmm.

Corben Leo (11:34.262)
you know, like third party. Obviously it's like, you might have to try an RCE on something, but like it's contained as a sandbox, it has like access to nothing. But there's plenty of still like out of scope things that have like an insane impact that like the customer might not know about too. I've had cases of that.

Justin Gardner Rhynorater (11:42.197)
Sure, sure, sure.

Justin Gardner Rhynorater (11:47.796)
Mm-hmm. Yeah. Yeah. So you say don't ask the customer if they care, just submit the bug or what are you saying?

Corben Leo (11:54.506)
Not necessarily, it's like, I don't know, it's really difficult because, um, like you shouldn't just go like hacking out of scope stuff just for the sake of hacking out of scope stuff. Um, but at the same time, I don't know, I don't want to get into this and like encourage people for going. Yeah. I mean, there's lots of times I've had some pretty good bugs by going a bit out of scope and to be fair, it's a program that has like.

Justin Gardner Rhynorater (12:09.316)
I don't know, I feel like you do that Corben, like...

Corben Leo (12:24.098)
that has had a VIP section where they have only a certain number of assets that are in scope for the VIP pain program. They also have a VDP. So like with that program, it's a lot easier to do this. But I've had like instances of like a domain that isn't even related to that company. And it was actually it turned out to it was owned by them. But it was somehow linked to this like one asset, this like production database of all their customers. And it was like

Justin Gardner Rhynorater (12:27.06)
Mm. Sure. Sure. Mm. Mm.

Corben Leo (12:51.574)
this huge like information leakage that was by some like it was way out of scope. I don't even think it was listed in their like VDP program, but it was still owned by them. And so like that one was paid for their max, like a max crit inside their VIP program. Even that wasn't even like listed in scope. But then I've also had like another companies all have like internal host names.

Justin Gardner Rhynorater (12:53.572)
Dang dude.

Justin Gardner Rhynorater (12:58.481)
If. If.

Justin Gardner Rhynorater (13:06.296)
Wow, even in the VDP.

Corben Leo (13:13.782)
that they use for networking, you know, inside like Kubernetes pods, just within their like corporate network. And there'll be times that there's like assets that are still in the internet with like SSL certificates linked to those and you can still hit those. And like, there's like vulnerabilities on those apps that like, okay, it's not listed in scope, but hey, this is like really bad. This is like internal like infrastructure. There's like lots of like sensitive information. I don't know, you can find like bugs in these apps that where it's like really bad and they still care about that. That's just like, they don't even think to list that.

Justin Gardner Rhynorater (13:18.554)
Mm-hmm.

Justin Gardner Rhynorater (13:24.941)
Yeah.

Justin Gardner Rhynorater (13:35.641)
Yeah.

Justin Gardner Rhynorater (13:38.424)
Yeah, I feel like that's kind of crazy, you know, right? Because like, if they list something, and you never really know for sure, unless you're internal, but if they list something like, okay, www is in scope, and www is just reverse proxy to this backend, you know, API that they have that is on a different domain. And so literally everything that, every piece of functionality that www has,

Corben Leo (13:46.37)
Mm-hmm.

Corben Leo (13:56.194)
Mm-hmm.

Corben Leo (14:00.031)
Yeah.

Justin Gardner Rhynorater (14:05.944)
you know, is getting routed through this API. But that backend piece, if you access it directly, it's not in scope, that doesn't really make any sense. So.

Corben Leo (14:12.35)
Yeah, it's like, yeah, like example.com forward slash API is actually just reverse proxying to API dot example.com, but that's not listed in scope. And it's just like, I don't know. It gets, it gets weird.

Justin Gardner Rhynorater (14:17.654)
Exactly.

Justin Gardner Rhynorater (14:22.356)
It does get weird. It does get weird fast there. I think, um, and I think one other one that just popped out to me and then we'll move along to the next, next little thing here is, um, if an app is number 28, if an app uses UUIDs, you can still look for IDORs, just set AC to high. And I think this is one of, one of the, the mistakes that I made early on is not realizing that.

Justin Gardner Rhynorater (14:45.344)
is that, you know, some programs will say, hey, UUID, IDORs aren't gonna be a thing, but that's literally what the attack complexity high metric was made for. It's like, hey, there's some piece of this attack that requires some state to be, the application to be in some state or some piece of information that I don't know, but it's reasonable for me to get. And so, you know, these sort of IDs in these IDOR scenarios aren't really being treated as sensitive information. And so,

Justin Gardner Rhynorater (15:14.456)
Um, it's definitely, I think falls within the scope of AC access control high to report that.

Corben Leo (15:17.386)
Yeah, well, and like, to be fair, I wouldn't really even call it, I don't know if I'd call it an IDOR, if I just call it like an access control bug. I don't know. Maybe not. I mean, I guess it is still, I guess an IDOR. I just think like, when people think of IDORs, because that means like you're still, you're just referencing another object. But I mean, like, I don't know, I guess with a lot of programs.

Justin Gardner Rhynorater (15:25.454)
Oh really?

Justin Gardner Rhynorater (15:28.405)
Yeah.

Justin Gardner Rhynorater (15:31.952)
Yeah.

Justin Gardner Rhynorater (15:39.395)
Yeah.

Corben Leo (15:44.63)
Like a lot of people just when they think of IDOR, they think it's like, okay, I can just like increment, decrement a number. And sometimes like I've had success where I just say like, hey, it's an access control bug and it kind of clicks for them because they're like, oh wait, you can't just easily get this like UID, but like you can find ways to leak it still. So, and you're like, still shouldn't be able to access it. So sometimes just like framing it, like access control issue or like lack of like access control or something like that. It's just like an easier way to present it to someone who might, you know, just not, yeah.

Justin Gardner Rhynorater (16:13.932)
Yeah, not get the full picture for sure.

Corben Leo (16:14.09)
I guess think the same way you do. Yeah, and that kind of goes into like 41 when you just as like spend the extra time making your report look or read nice. It's just write well, write clearly. Because I mean, this whole thing is about communication. So yeah. Hm hm.

Justin Gardner Rhynorater (16:22.401)
Mm. Yeah.

Justin Gardner Rhynorater (16:27.748)
Funny you should mention that, Corben, because I have on my list of notes about you when I did my little OSINT on Corben before this episode, one of the things that really stood out to me a lot is your propensity for storytelling and writing and combining that with hacking. And so, tell you what, let's finish the news section and then I'll come back to that real quick, okay.

Corben Leo (16:52.702)
Yep, yep, yep. No worries. Ha ha.

Justin Gardner Rhynorater (16:55.544)
Real quick, so definitely check out that tweet by Archangel. It's Archangle, Arch, please say it for me, Corben, please. Like Archangel, thank you. I couldn't say Archangle, Archangel, geez. Sorry, sorry, you know, like, I get that. Arch, Archangel D-Day is his handle on Twitter. Go check it out, it's a great tweet.

Corben Leo (17:02.375)
Ah!

Corben Leo (17:05.742)
Archangel? Arch? Archangel is. Arch? Archangela. Getting into, getting some math. Say that ten times fast.

Justin Gardner Rhynorater (17:24.692)
Okay, next one that I wanted to talk about was a service called Talkback. This is actually put out by elttam, one of the companies that we mentioned before on the pod. And this is just a news aggregator for cybersecurity related, infosec related content. And I've just got this favorited and I'll pop this open every couple of days and just kind of scroll through the last couple of days of news. I just wanted to throw that out there because it seems like a pretty good resource. It's not necessarily.

Corben Leo (17:45.582)
It's really cool.

Corben Leo (17:51.126)
Yeah, I've never seen this before.

Justin Gardner Rhynorater (17:52.544)
Yeah, it's pretty, I don't think it's caught on as much. So I'm hoping that people will start using it a little bit more. And yeah, it's not necessarily bug bounty oriented, but it is, you know, infosec oriented. So for those of you that have a little bit broader horizon than just bug bounty, that's a good place to look.

Justin Gardner Rhynorater (18:12.552)
Um, let's see, uh, last thing on the news item for today was, um, PyPI, uh, just released recently that they are going to enforce mandatory 2FA for all software publishers. And I think this is a great idea. Um, I think that, uh, this is something that should have been implemented a while back. And I think this will really help with the whole, um, it's not necessarily dependency. Yeah.

Corben Leo (18:36.874)
Supply chain attacks. Yup.

Justin Gardner Rhynorater (18:39.004)
Exactly, supply chain attacks. Not necessarily dependency confusion, but it's like a scenario where you can take over the account of a person that has done, is the author of a certain PyPI library. So I think 2FA on this is really gonna make a difference.

Corben Leo (18:55.39)
Yeah, that would be huge. From just like even attacks where, you know, like someone's social engineers at the main registrar, that happens. Yeah, so this is all sorts of other things besides that too, but that's a really good idea. I'm surprised that wasn't, yeah, it'd be huge.

Justin Gardner Rhynorater (19:01.035)
Yeah.

Justin Gardner Rhynorater (19:08.27)
Yeah.

Justin Gardner Rhynorater (19:11.2)
Yeah, I'm surprised it wasn't implemented before either. That definitely seems like a no brainer thing, but I do wonder what's gonna happen if they don't have that. For example, if somebody just doesn't update their 2FA and they just never log into their PyPI account, are they gonna prevent them from pushing updates to it or something like that? Could be interesting to see.

Corben Leo (19:16.398)
Mm-hmm.

Corben Leo (19:26.52)
That's it.

Corben Leo (19:29.894)
Mm-hmm. Yeah. Yeah, it would be very interesting. I wonder if, does NPM do this at all? I th-

Justin Gardner Rhynorater (19:37.686)
I don't know, I feel like they should.

Corben Leo (19:40.342)
I'd be very happy. They definitely should. OK.

Justin Gardner Rhynorater (19:43.028)
Yeah, I think it's not mandatory, but it is something that you can configure. See, and I'm glad PyPI has sort of taken the first step and moving in that direction, kind of setting the industry standard. You know, my beloved language, Python, just happens to be just doing everything right. So I love to see that. Dude, I love it, man. I really do. I still write Python every day. It's the best. Okay, so news section.

Corben Leo (20:02.71)
Good old Python.

Justin Gardner Rhynorater (20:12.42)
Done. Corben switches from co-host to guest. So, man, we've been hacking together for probably five years at this point. And I don't know that I've ever heard the whole like, how did you get into bug bounty story? You know, I know we've run into each other at live hack events, but like.

Corben Leo (20:13.926)
Over.

Corben Leo (20:23.574)
long time. Mmhmm.

Corben Leo (20:34.318)
Hmm

Justin Gardner Rhynorater (20:38.56)
My backstory is Tommy, Tommy DeVoss just rolled into my, you know, cybersecurity class and just started teaching about Bug Bounty randomly, um, without even being invited to the best of my knowledge. Um, I know he just showed up one day and I was like, uh, hello. Um, but yeah, what's, what's yours? How did you hear about Bug Bounty and, and, uh, that whole industry?

Corben Leo (20:46.063)
Yeah.

Corben Leo (20:50.438)
Oh that's so funny. Uh, who's this guy?

Corben Leo (21:00.675)
Uh... well, I didn't know, I'd gotten, uh... like, hacking as a freshman in high school, but I didn't know bug bounty was a thing really to do ethical legal hacking until I was a junior in high school. Uh... and I had on Twitter and I saw someone's tweet, I think it might have been Tommy too, I think he tweeted like he has ordered ten thousand dollars, uh... for

Justin Gardner Rhynorater (21:04.921)
Mm-hmm.

Justin Gardner Rhynorater (21:14.873)
Okay.

Justin Gardner Rhynorater (21:22.172)
Oh really? Oh my gosh. Why is he such everyone's origin story?

Corben Leo (21:27.678)
Yeah, and so he was like, someone I think he'd tweeted out like a big bounty amount that he got from like Yahoo or something. I was like, what? Like, that's a lot of money. He did this for what? Yeah. And so then, like, I clicked on the link that was in the in the tweet. And then I like came across HackerOne. I'm like, whoa, you can get paid to report vulnerabilities. And so I signed up for HackerOne and gave it a test. It was a struggle at first. I thought it was like a god at hacking. But that's something that'll humble you really quickly.

Justin Gardner Rhynorater (21:33.376)
Sure. As he does.

Justin Gardner Rhynorater (21:44.557)
Mm-mm.

Justin Gardner Rhynorater (21:53.097)
Yeah. Yeah.

Justin Gardner Rhynorater (21:56.24)
Yeah.

Corben Leo (21:57.482)
And so, yeah, then I started doing bug bounties kept after it and yeah, here I am.

Justin Gardner Rhynorater (22:01.552)
Okay, so you literally, I mean, you didn't really know any other in-person bug bounty hunters. You just kind of found it on Twitter and then kind of rolled into it.

Corben Leo (22:08.69)
Yep, yep, I had no idea about what it was. So I think I followed Tommy on Twitter. I found some other Bug Bounty Hunters on Twitter and just started following them. Yeah, I just signed up for HackerOne. I read through some, I like scrolled through Hacker... No there wasn't, no there wasn't that. There wasn't any like Pentester, I don't think there was like Pentester Lab or any of those courses and stuff. So I had taught myself to hack before that.

Justin Gardner Rhynorater (22:20.208)
Yeah.

Justin Gardner Rhynorater (22:25.552)
There's no Hacker 101 at that point either, you know? Yeah.

Corben Leo (22:40.331)
A lot of going through Exploit-DB stuff. And then, yep. And then a lot of just reading tutorials and reading people's Twitter posts, blogs. Then just trying through trial and error.

Justin Gardner Rhynorater (22:42.8)
Oh yeah, the classics.

Justin Gardner Rhynorater (22:54.928)
Nice. So... Yeah.

Corben Leo (22:55.062)
I spent a lot of time on the DOD program when I first started. I mean, I started on public programs and tried to do bug bounties, and then I just failed miserably. So I tried the Department of Defense, and I got tons of dupes from that, but it was a really good experience in practicing.

Justin Gardner Rhynorater (23:04.048)
Mmm.

Justin Gardner Rhynorater (23:08.784)
Oh yeah. It's so funny, man. I think I'm getting notifications right now from like four years ago that of them closing bugs that I reported four years ago. And I'm like, on one hand, like that's kind of impressive that you're actually still tracking this bug. But on the other hand, like why? Four years, like, please. So I mean, do you endorse that the...

Corben Leo (23:19.987)
Yeah. Yup.

Corben Leo (23:26.138)
Yeah. Wow. Yep. Yeah.

Justin Gardner Rhynorater (23:37.744)
DoD, VDP to bug bounty, you know, sort of like a training ground for actual bug bounty for like you receive a bounty, bug bounty methodology or would you do it differently if you went back?

Corben Leo (23:51.542)
Would I do it differently than what I did, like, originally? Ugh.

Justin Gardner Rhynorater (23:53.872)
Yeah, I mean, just say, so if you were advising someone to start now, would you say go ahead and start on the, the DOD program? Or would you say, you know, try to just go and go straight after bug bounty?

Corben Leo (24:04.99)
I mean, that's a hard one. I would say, I don't think you can go wrong with either. I mean, it took me 10 months to get my first bounty, but that was okay for me because I was a high schooler, I was just doing it my free time, like, sitting in school, just kind of hacking for fun. So I mean, like, if you have prior experience, yeah, like for me, I didn't have tons of like, I didn't have...

Justin Gardner Rhynorater (24:15.152)
Mm. Yeah. Right.

Corben Leo (24:29.09)
I was in high school, didn't have that much experience with computers. Um, hacking didn't have like, so I feel like you already work as like security engineer, there's some pretty solid fundamentals. I mean, why would you not just go for, um, go for just any like normal bug bounty program. I think for people who are wanting to work on like fundamentals, um, just. All that jazz, I would say like work on recon all that.

Justin Gardner Rhynorater (24:32.656)
Sure, sure.

Justin Gardner Rhynorater (24:42.32)
Okay. Gotcha.

Corben Leo (24:53.566)
Just get a very good solid understanding of different vulnerability classes, different technologies and stuff. I'd say go for the Department of Defense because they have all sorts of stuff.

Justin Gardner Rhynorater (25:00.848)
Yeah, they do have a lot of different stacks. And I think also you can see your origin, a little bit clearly in your current attack vector methodology, because, you almost have sort of like a Jason Haddix-ish flow of like, all right, I'm gonna do X amount of recon and I'm gonna find like these weird, ASPX endpoints that are like, no one ever thought was real. And it's not necessarily like,

Corben Leo (25:11.032)
Yeah.

Corben Leo (25:22.43)
Yeah. Yeah.

Justin Gardner Rhynorater (25:30.8)
And, you know, don't get me wrong, I've seen you, you put on new companies and old companies alike, but, um, you know, I feel like the DOD, having such a wide scope, having such an array of technologies and being a little bit more outdated sort of led you down the path to being, you know, focusing really hard on recon and having that be a key part of your methodology, would you agree with that?

Corben Leo (25:36.118)
Haha.

Corben Leo (25:41.044)
Mm.

Corben Leo (25:49.652)
Mm-hmm.

Corben Leo (25:52.162)
Yep. Yeah, yep. I'd say that. And then hacking a lot with like Naffy. Naffy like mentored me a ton. So like, yeah, I have a lot of like Naffy like mentality when it comes to like infrastructure and stuff like that too. So yes.

Justin Gardner Rhynorater (25:56.624)
Oh yeah, that'll do it too.

Justin Gardner Rhynorater (26:06.928)
Any tidbits on that you want to share? I think Naffy is an interesting character and we'll probably have him on the pod at some point, but his hacking methodology is definitely pretty different from a lot of what I've seen.

Corben Leo (26:12.878)
Should definitely.

Corben Leo (26:18.818)
Yeah, no, he finds apps that no one would ever found and just completely destroys them once he's found them. That's what I love about it. It's like, okay, just like you make new opportunities for yourself and then, yeah.

Justin Gardner Rhynorater (26:25.008)
Mm-hmm.

Justin Gardner Rhynorater (26:27.792)
Yeah.

Justin Gardner Rhynorater (26:35.376)
So I mean, what does that entail?

Corben Leo (26:37.742)
I mean I don't want to give his away.

Justin Gardner Rhynorater (26:39.184)
Well, okay, well, it's yours now too. I remember, hold on, I remember this deal though, that you had with Naffy a while back. And if we have to cut this section, we can. But, you know, there was a deal that y'all made about Naffy working with you and him getting a certain percent of your bounty and you guys were working at a live hacking event together. And that was like what? That was, I think it was that, maybe it was that one. That was probably like four or five years ago, right? Yeah, four years ago.

Corben Leo (26:55.187)
Uh huh. Yep, yeah. Yeah.

Corben Leo (27:05.198)
It's 2019-ish, I think? Yeah, it's like four.

Justin Gardner Rhynorater (27:08.368)
So I feel like the, I feel like the statute of limitations on that is up. I mean, you got, I mean, if you don't want to DOS your secrets, that's I mean, or dox your secrets, that's fine. You know, if you don't want to disclose all that, but yeah, I, I, I just, I think it's really interesting. I know that, uh, Naffy's approach is largely a virtual host enumeration based in a lot of scenarios, which is something that on a lot of people poke at, and, um, I think mapping out the internal routing.

Corben Leo (27:29.894)
Mm-hmm. Yeah.

Justin Gardner Rhynorater (27:35.632)
on a company can result in some crazy stuff. Is that still a part of your methodology?

Corben Leo (27:38.746)
Oh yeah, absolutely. Yeah. Yeah, I look a lot at load balancers. I play a lot with load balancers and just like different ingress endpoints. And I mean, the nice thing is like, when you do it for a long time, you can kind of start noticing like how apps work. And then also just like, if you've been in like software development or I guess, I guess like if you've ever played with like Kubernetes, set up like infrastructure on that, it's like you get a pretty solid understanding of just how, you know.

Justin Gardner Rhynorater (27:47.216)
Mm.

Justin Gardner Rhynorater (27:58.48)
architecture or whatever.

Corben Leo (28:08.418)
how it's made, how everything works, and you can start poking at stuff.

Justin Gardner Rhynorater (28:12.656)
Welcome to this episode of How It's Made with Corben Leo. And so, okay, so how are you identifying a load balancer? Is that, are you just doing virtual host scans and seeing if multiple stuff pop up and then assuming that that's a load balancer?

Corben Leo (28:14.895)
how it's made.

Corben Leo (28:26.842)
I mean, it kind of depends on the tech. It kind of depends on the technology, right? So like with Amazon, you have like CNAMEs to like ELB. I mean, you can look at like, you can look at headers, like response headers will make it obvious. There's default. Well, like.

Justin Gardner Rhynorater (28:30.832)
Mm-hmm.

Justin Gardner Rhynorater (28:34.864)
Mmm, mmm, nice.

Justin Gardner Rhynorater (28:43.664)
what kind of stuff have you seen in response? So just to break down what he just said just a second ago, if there's a CNAME to a, on a host to an Amazon endpoint that has ELB in the domain name as the result of the CNAME, then that's Elastic Load Balancer. And that's gonna be clearly doing some load balancing, right? And then you said in the response headers, there's some stuff that might be there.

Corben Leo (28:58.114)
Should be the elastic load balancer.

Corben Leo (29:04.063)
Mm-hmm.

Corben Leo (29:09.13)
Yep, so like you'll see maybe like, let's see, like, for instance, like with Kong, you'll see like a header that has like Kong in it and that's like an ingress, you'll see like Istio, Envoy. So like it can do that. Then there's other times where like headers aren't and then you'll just know like default responses like back end not found or something like that.

Justin Gardner Rhynorater (29:20.848)
Okay, so it'll it'll disclose the technology stack.

Justin Gardner Rhynorater (29:34.896)
Mm-mm. Okay.

Corben Leo (29:37.994)
And then it's just like trying it on a few apps and seeing like if there's like a header, like if, um, you can also just like, um, kind of think how like ffuf does or ffuf, however you say it. I hate, I hate trying to pronounce this and ffuf. Yeah. If you like set, um, you can do like auto, like how ffuf does it like auto calibration. So you like send a couple HTTP requests, different Host headers, see how it responds and if it varies, like maybe you'll try it, um, fuzzing in there. But.

Justin Gardner Rhynorater (29:51.76)
ffuf, ffuf, hehe

Justin Gardner Rhynorater (30:06.48)
Hmm. Nice. Yeah. It's, it's tricky, man. I definitely don't don't. I started doing that a little bit, uh, on some apps, uh, on some specific targets that I know are vulnerable to it. And, uh, it's, it's not, and I even tried to build some automation around it at some point starting. And this is something that I'll tell people that are building out the recon flows nowadays is like, you know, if you have a bunch of hosts that map, you know,

Corben Leo (30:07.883)
Yeah.

Corben Leo (30:18.351)
Mm-hmm. Yeah.

Justin Gardner Rhynorater (30:32.08)
those hosts are not necessarily only gonna map to the IP addresses that they resolve to. So in your sort of recon framework, in your recon architecture, you should be building in this functionality that is gonna be allowing you to map domains to IP addresses, right? And I think that makes a big difference because you can find, you know, different domains are accessible on different IP addresses than the things they resolve to, which could give you different access.

Justin Gardner Rhynorater (31:04.016)
You agree?

Corben Leo (31:05.322)
Yeah, and I mean, like a lot of it, yeah, a lot of it isn't even like vhosting too. It's just like, okay, this, um, this host name might point to like Akamai or some like IP that doesn't resolve, but like the chances are is that that IP might still be exposed and it's just like, the way they're routing it is defined this way, but this host is still here and you can just access it this way. So.

Justin Gardner Rhynorater (31:21.904)
Mm-hmm.

Justin Gardner Rhynorater (31:27.216)
Sure, nice. Solid, okay, well that's some good tips if you're trying to keep an eye out for the sort of vhost realm and enumerate some internal assets using that. So you started off in bug bounty, you just signed up for the website, took 10 months to get your first bounty, and then you started rolling. How did you land in the live hacking event circuit?

Corben Leo (31:35.742)
Mm-hmm.

Corben Leo (31:47.186)
Mm-hmm. Yep.

Corben Leo (31:52.762)
Um, that's a good question. I think it was, I, after I started getting more comfortable with Bug Bounties, I started looking at Yahoo. Um, and so I started hacking on Yahoo a bit and had like some XXEs. I think I had like an XXE, a couple SSRFs. Um, and then I think my first event might have been, there was one in New York, and it was a team event. It's like the only team event.

Justin Gardner Rhynorater (32:00.56)
Mm, mm.

Justin Gardner Rhynorater (32:17.936)
Mmm, yeah.

Justin Gardner Rhynorater (32:21.648)
That was your first event? Wow. I guess we had worked together before then, at that point then, because I feel like I knew you at that point.

Corben Leo (32:21.846)
with Yup. I think it was my first event, I'm fairly sure.

Corben Leo (32:31.402)
Yeah. Yeah, because I think like I knew I knew you I knew Sam. I think that I yeah I'm pretty sure that I can't remember what other event would have been. Oh no my first live hacking event I was not a hacker. That's when I was triaging at HackerOne. Yeah. Okay.

Justin Gardner Rhynorater (32:35.44)
Mm-hmm. Yeah.

Justin Gardner Rhynorater (32:50.48)
Ah, that's right. Okay, okay, okay. Now it's starting to get the picture a little bit clearer.

Corben Leo (32:55.898)
Yep, it's making more sense to me. So I had been hacking on Yahoo for a bit, and then I had done a semester of college, and then I dropped out of college and was triaging at HackerOne for like six or seven?

Justin Gardner Rhynorater (33:04.816)
Mm-hmm.

Corben Leo (33:16.562)
Six, seven, maybe eight months. I think it was less than that. But I was triaging at one of the first, or my first live event, I was one of the Vegas events at 702. So I was doing triage there. And I'd already known people from hacking with them as well. So, yeah.

Justin Gardner Rhynorater (33:19.184)
Mm. Mm.

Justin Gardner Rhynorater (33:31.152)
That tracks.

Justin Gardner Rhynorater (33:34.896)
Yeah, that, that definitely tracks. So that's an interesting path. Like I feel, I feel, I've sort of recommended this to some of my friends that are trying to get into Bug Bounty and are also not necessarily in love with the fact that Bug Bounty doesn't have consistent income is that, hey, if you get started, you get rolling, you start understanding how vulns can be reproduced and you start understanding, um, you know, it'll add a little bit more technical level and you jump into a triage role that can really boost your game.

Corben Leo (33:51.427)
Mm-hmm.

Justin Gardner Rhynorater (34:04.56)
Um, you would agree with that?

Corben Leo (34:04.978)
Yeah, I'd agree. It definitely also helps you like learn even how to write better reports down the line. Yeah, definitely. Definitely. I would also recommend that to people who are in that boat.

Justin Gardner Rhynorater (34:12.048)
Mm-hmm.

Justin Gardner Rhynorater (34:19.184)
As an ex-triager here, what is some of the stuff that we do that's hella annoying from the triager side?

Corben Leo (34:28.278)
From the triage side, it would be like there's people who just write like you just give you like the URL or they just like write the most basic report with like no information. I think it's gotten a bit different. I don't know how like.

Justin Gardner Rhynorater (34:40.304)
Mm-hmm.

Justin Gardner Rhynorater (34:46.16)
Cause this is like four or five years back down. Mm.

Corben Leo (34:48.15)
This was a long, this was five. This was in 2018. So this is math, yeah. So I think, yeah, one of the biggest irks, I guess, was just like the lack of writing. Some people did it like, just give you this, give you a URL, like add 10 words, like.

Justin Gardner Rhynorater (34:55.28)
Yeah, yeah, so five years ago now. Yeah.

Justin Gardner Rhynorater (35:06.256)
Mmm.

Justin Gardner Rhynorater (35:09.136)
Now, at that point in time, did you have to rewrite the report for the customer? Okay.

Corben Leo (35:15.454)
Yeah, yep. So we had our own like internal templates and internal expectations of like what we had to write and provide. So like people would also write like 10 pages in that. And then we had to condense that to like we got to pick every like the important parts out and give like a very clear, concise, like reproduction. Here's the impact, stuff like that for like customers. That was also super annoying.

Justin Gardner Rhynorater (35:25.36)
Hehehehehehe

Justin Gardner Rhynorater (35:32.048)
Mmm.

Justin Gardner Rhynorater (35:35.632)
Dude, HackerOne needs to start training, HackerOne needs to start training like their own offline, you know, model, LLM model to be able to do that. Cause that'd be pretty nice to just be like, okay, you know, here's this like, you know, Alex Chapman 25 page report. And I need to condense this down to like, you know, a page or two for the customer. That'd be pretty good.

Corben Leo (35:44.028)
Yeah.

Corben Leo (35:51.95)
Mm-hmm. Yeah.

Corben Leo (35:56.414)
Yeah, summarization. Yep. Yep. Or like a HackerOne Grammarly. Can you? Yeah. Yeah, that'd be pretty cool. No. Probably not. That's one thing I said is that it could be really cool to have a language model fine-tuned to my specific writing style. That'd be amazing for reports. It'd save me a lot of time.

Justin Gardner Rhynorater (36:01.968)
Yeah, right. That would be really good. I'm sure you can't use actual Grammarly at, at, at HackerOne. Yeah, that. Yeah, that makes sense.

Justin Gardner Rhynorater (36:18.64)
Yeah, well you can train it a little bit. I've done some of the stuff for the pod, just sort of taking the writing that we've done, with descriptions and titles and stuff like that. And then it just takes the actual content of the podcast and then it says, all right, here are six suggestions for the title or here are three different rewrites of the description and stuff like that. And I think that just provides a nice little jump off point.

Corben Leo (36:29.355)
Yeah.

Corben Leo (36:38.904)
Mm-hmm.

Justin Gardner Rhynorater (36:44.688)
And I trained it with the previous titles and descriptions and stuff like that too. So it still has the same sort of voice and that sort of thing. And I think LLMs do a pretty good job of keeping the voice consistent across multiple bodies of text. So that's pretty rad. Solid, okay. So I guess as you left triaging eight months max after you started.

Corben Leo (36:48.714)
Yeah, yeah.

Corben Leo (36:58.182)
Mm-hmm. Yeah.

Corben Leo (37:12.194)
Mm-hmm.

Justin Gardner Rhynorater (37:12.208)
Why did you do that and how do you feel about the triage realm nowadays?

Corben Leo (37:18.57)
Um, no, I, it was a good experience, but I was getting kind of burnt out of it. And, um, my parents wanted me to go back to school. They wanted me to go to college. Um, I didn't really want to go to college, but, um, I was like, screw it. It's kind of fun just to, I guess, be a kid not have responsibilities. Right. And so, um, yeah, I decided to transfer to a school out in South Dakota and.

Justin Gardner Rhynorater (37:35.216)
Yeah, for sure.

Corben Leo (37:42.294)
Yeah, I mean it was a good experience, but I'm really glad. I went back to school not necessarily just because I needed the education, but it was just a fun experience in general where I just got to meet friends and have a good time.

Justin Gardner Rhynorater (37:48.176)
Mm. Yeah.

Justin Gardner Rhynorater (37:52.656)
Nice. So you grew up in, was it Minnesota? Minnesota, and then you went out of state to South Dakota. So for those of you that are not in the US, South Dakota is like, there's nothing in South, there is, there's Mount Rushmore, I think is in part of South Dakota. But South Dakota is one of the least.

Corben Leo (37:58.282)
Yep, Minnesota.

Corben Leo (38:01.622)
I went out of state. South Dakota, yes.

Corben Leo (38:13.97)
Yep, yep, it's on the west rapid.

Justin Gardner Rhynorater (38:21.04)
popular and populated states in the US. So what made you move from Minnesota and instead of going out of state to any other state, what made you land on South Dakota? Not trying to diss your new state here, I'm just saying, you know, like, gotta provide the context, you know?

Corben Leo (38:23.559)
Yeah. Yep.

Corben Leo (38:30.854)
Yeah. Yeah, so it was, I think it was, no, I know, I know. It's pretty unique. It's super, yeah, super, super unique. And like, whenever I tell someone I'm from South Dakota, they're just like super confused and you're like, wait, and I think like North Dakota or there's two Dakotas, like where's that? But yeah, so it was July when I decided I wanted to be done with triage, I believe.

Justin Gardner Rhynorater (38:43.76)
Yeah. Yeah.

Justin Gardner Rhynorater (38:47.984)
Yeah, yeah, exactly.

Justin Gardner Rhynorater (38:57.52)
Mm-hmm. Mm-hmm.

Corben Leo (38:58.294)
And I had thought about going to either school in Minnesota, but it was so late that a lot of schools didn't have transfers open anymore. And so there was one school I'd heard of in South Dakota that was known for cybersecurity for some reason.

Justin Gardner Rhynorater (39:04.56)
Mmm, yeah. Mm-hmm.

Justin Gardner Rhynorater (39:14.128)
Oh cool.

Corben Leo (39:15.19)
And that's not what I was gonna go for. I went for computer science. But I was like, hey, these people at least will like hacking. I like hacking. Or at least I'll find some people that are at least interested in the same topic. And they had applications open super late. So I just applied to transfer and they accepted. Yeah, and then so then I just went out there on a whim. Just kind of last second, why not, I guess. Still close enough to home, but also new and why not.

Justin Gardner Rhynorater (39:17.936)
Mm-hmm.

Justin Gardner Rhynorater (39:24.816)
Share it, share it.

Justin Gardner Rhynorater (39:31.312)
They got it. Nice.

Justin Gardner Rhynorater (39:38.224)
Yeah. How did, how did you enjoy that? Like I feel like that's one of the things that I, I don't really endorse nowadays is like going to college for the sake of going to college. But I think lately my

Justin Gardner Rhynorater (39:54.864)
My opinions have been kinda coming back around of like, you know, while you're young, you don't have to grind, grind, grind, you know, and, you know, go hard on the career stuff. You can actually just go and enjoy. And college is, you know, a great place to meet other friends, participate in club activities, that sort of thing. So if you're still looking to grow as a person, college might be a good place to do it.

Corben Leo (40:02.636)
Yeah.

Corben Leo (40:07.114)
Mm-hmm.

Corben Leo (40:10.738)
Mm-hmm. Yeah.

Corben Leo (40:17.386)
Yeah, no, I would agree with that. I mean, it's hard to because it's I guess it can be expensive. Right. But I mean, I, I definitely enjoyed it. I don't think I like to like the computer science stuff. I didn't really, I don't think I ever needed like the education. I think it was as good. I wouldn't rely on it just to get to where you want to be. Like I would never just go through courses and expect you know, to

Justin Gardner Rhynorater (40:21.968)
Yeah, yeah, for sure.

Justin Gardner Rhynorater (40:35.632)
Mm-hmm.

Justin Gardner Rhynorater (40:41.744)
Mm-hmm.

Justin Gardner Rhynorater (40:46.16)
to pop out the other end, yeah.

Corben Leo (40:46.534)
No, exactly. Yeah, to come out and say, oh yeah, I know everything, I'm ready for this. I think if you really want to learn or get anything, you have to spend the time doing it yourself, personally. Especially in the tech space, things move so quickly and technologies change. So yeah, I think if you want to grow as a person, meet some really great friends and just really enjoy your life, I definitely would recommend college still because...

Justin Gardner Rhynorater (40:50.48)
Yeah.

Justin Gardner Rhynorater (40:54.608)
Totally.

Corben Leo (41:11.934)
I mean, you have your entire life to grind. You might as well enjoy some time going from that younger, like high schooler age where you think you're an adult, but then you finish college and you're like, wow, I'm a totally different person than I was back then. So I think it's good for, I guess, character development and personal development.

Justin Gardner Rhynorater (41:14.416)
Mm.

Justin Gardner Rhynorater (41:25.872)
Yeah.

Justin Gardner Rhynorater (41:28.688)
Yeah, for sure. It definitely is. And yeah, I think that is something that I, you know, from an early age was also very career oriented. And so I think that having that extra, you know, time to grow, figure out who you are, not a bad route, just to say the least.

Corben Leo (41:46.326)
Well yeah, and it gives you a lot of time to like, I guess experiment with what you really wanna do too, right? So, like for instance, for me, like, it gave me so much time to do bug bounties and also like, just like develop my skills in that. Like, you can learn, I guess, whatever you want. You have plenty of like free time to, you know, explore hobbies or I guess what you wanna do with your life.

Justin Gardner Rhynorater (41:51.44)
Mm-hmm, that's true.

Justin Gardner Rhynorater (41:55.92)
Mm-hmm.

Justin Gardner Rhynorater (42:09.2)
Yeah, yeah, for sure. So I know you just said you did Comp Sci as well, yeah? Yeah, so I did Comp Sci as well. I have to say, from a hacker perspective, I feel like a lot of the stuff that I learned in Comp Sci is incredibly relevant. Like if I want to go and do...

Corben Leo (42:13.643)
Yep. Yep.

Justin Gardner Rhynorater (42:27.312)
software engineering and I want to like really optimize this algorithm and get like the, you know, complexity down, you know, whatever, then it'd be really great to have computer science background. But a lot of hacking isn't really about that. And it's more about understanding the full flow of everything. Right. And I think

Corben Leo (42:28.919)
Mm-hmm.

Corben Leo (42:31.808)
Yeah.

Corben Leo (42:35.048)
Yeah.

Corben Leo (42:45.622)
And I think that's why comp sci is better than a cybersecurity degree, right? It's like, I don't think you don't really need... Like that's, that's why I'd always recommend like comp sci if someone doesn't know exactly what like they want to do, because it's just like, it lays down a very solid, like baseline. But again, it's like, I don't think you even need a degree. It's just more so as like...

Justin Gardner Rhynorater (42:49.136)
Yeah.

Justin Gardner Rhynorater (42:56.72)
Mm.

Justin Gardner Rhynorater (43:00.24)
Mmm.

Justin Gardner Rhynorater (43:06.128)
Yeah. Yeah.

Corben Leo (43:08.882)
I like, if we're going to talk about degrees and getting one, I'd say computer science just because of the fundamentals rather than like, oh we're just going to learn how to hack and it's like wait, you still need all these other fundamentals to get good at it, right? So.

Justin Gardner Rhynorater (43:18.384)
Yeah, yeah, I totally agree with that. I think, I think unless you're going to a really like reputable cybersecurity institution, you know, then I think it may be better for you to focus specifically on comp sci and then supplement with your own, you know, certificate based training towards cybersecurity. But actually, Corben, I'm gonna I'm gonna disagree with you on the on this one, because I think personally, this is the this is the hierarchy right here. You've got you've got a cybersecurity degree. You've got computer science degree.

Corben Leo (43:28.383)
Mm. Yeah.

Corben Leo (43:42.158)
Mm-hmm. Okay.

Justin Gardner Rhynorater (43:46.416)
and you've got computer engineering degree. And I think like, okay, so I think all of the people that I like, for example, Joel and Sam Erb and like some of the other really like just, I feel like I talk to these guys and they're like, yeah man, I remember like, you know, when I was desoldering this thing from this board in college, I'm like, what? Like, you know, and yeah.

Corben Leo (43:48.75)
Okay, yeah, okay, yeah.

Corben Leo (43:57.39)
Yeah, yeah, okay.

Corben Leo (44:08.558)
Yeah, my school didn't have computer engineering. I would, that would have been a fun, that would have been, yeah.

Justin Gardner Rhynorater (44:12.976)
And I feel like even the people that I met at my school that were doing computer engineering instead of computer science, I was like, man, these guys just have a little bit of a deeper understanding of just lower level concepts. And I think, exactly, an even better baseline. So I was gonna say, if people are gonna go into college and get a degree, I think I would actually push computer engineering over Comp Sci or even cybersecurity. Yeah. Yeah.

Corben Leo (44:25.358)
Yeah, even lower, yeah. An even better baseline.

Corben Leo (44:40.046)
Yeah, I'd agree with that. I don't disagree with that.

Justin Gardner Rhynorater (44:43.088)
That's good. Okay, getting back over to the list over here. So I guess let's talk a little bit about your combination of writing and hacking, right? So I know we talked a little bit about sort of copywriting and like just this whole concept of trying to develop yourself as a writer. And then, you know, you kind of wrote all these Twitter threads that went mega viral a while back. So any...

Corben Leo (44:57.23)
Mm-hmm.

Corben Leo (45:04.75)
Yeah.

Corben Leo (45:08.43)
Mm-hmm. Yeah.

Justin Gardner Rhynorater (45:11.12)
tips or tricks to share with the hacker community about the importance of writing or how to write well as a hacker.

Corben Leo (45:16.814)
Yeah, I mean, when I was writing those Twitter threads, I got so much flack from people about like, oh, you oversimplified this or like, I got a lot. Oh, yeah, there was lots of people that were like making fun of me or, um, not necessarily making fun of me just like give me crap or just saying, oh, like, oh, did the intern write this? Like, um, like people were very, um, I don't know, I guess being, uh, what's, I don't even know what the word

Justin Gardner Rhynorater (45:24.112)
Did you really? Jeez, man.

Justin Gardner Rhynorater (45:32.656)
Mm-hmm.

Justin Gardner Rhynorater (45:39.12)
Dang dude.

Corben Leo (45:45.294)
But that's totally fine with me because like that's not who I was writing for. And so like you have all these people who write like these like immaculate like technical writings as kind of just like a I don't need to stroke my own ego and try to sound as technical as possible because like okay you write that you're making your audience and people who can understand that you're alienating first off you're alienating a huge audience and you're also only writing for like a really small number of people who might be on the same level as you.

Justin Gardner Rhynorater (45:45.424)
Yeah dude, yeah.

Justin Gardner Rhynorater (45:50.32)
Right.

Justin Gardner Rhynorater (46:03.344)
You're alienating them.

Justin Gardner Rhynorater (46:06.288)
Yeah.

Justin Gardner Rhynorater (46:13.904)
Yeah.

Corben Leo (46:14.254)
And like my whole purpose of writing these Twitter threads were to, I guess, figure out how to explain things clearly and reach a larger audience, get people interested in bug bounties, get them interested in hacking and also have them still be able to understand it and get intrigued in it and maybe wanna try and learn some of this, right? And... And...

Justin Gardner Rhynorater (46:23.248)
Yeah, and simplify it too. Yeah.

Justin Gardner Rhynorater (46:28.976)
Yeah.

Justin Gardner Rhynorater (46:37.584)
Yeah, and I think you didn't simplify it too much. It's not like, okay, I went to the internet and found this directory. It's like, no, here's the exact subfinder command I used, here's the exact GAU command I used, here's the HD, you know? Yeah, and so I think it's a really nice balance of technical content and storytelling, which is until you've tried it, you don't really know how difficult it is, because it's very challenging.

Corben Leo (46:42.766)
Yeah.

Corben Leo (46:47.534)
Yeah. Yeah, he's FF, yeah. Yep.

Corben Leo (46:57.07)
Mm-hmm

Corben Leo (47:00.014)
Mm-hmm

Corben Leo (47:05.646)
Yeah, I spent a lot of time writing those threads. I think the fastest one I wrote was like 55 minutes, which was like probably maybe like a waste of time, but no, it was like really good to practice because it's such like technical writing, but still writing in a way that's intriguing and you know, like, yeah, I guess intriguing and like interesting.

Justin Gardner Rhynorater (47:07.536)
cough cough

Justin Gardner Rhynorater (47:30.416)
Yeah, I think that's a great skill. I mean, being able to captivate an audience is really powerful. And it's not a skill that's very commonly, you know, paired with a high level of technical ability. And so I think that's one of the podcasts that I listen to on a regular basis is My First Million, and it was talking about how, I love that pod. And one of the things that they've talked about just from a framework perspective is like, you don't have to be.

Corben Leo (47:36.622)
Mm-hmm. Yeah.

Corben Leo (47:44.238)
Mm-hmm. Yeah.

Corben Leo (47:51.246)
Yeah, okay. Yep.

Justin Gardner Rhynorater (47:58.512)
the best at hacking or the best at blockchain or the best at any of these other things. You just have to take, you know, a above average ability here and combine it with an above average ability over here. And now you've got a mixed skillset that's really unique and marketable. And I think your ability to do something like that with this writing is really, I think that's amazing.

Corben Leo (48:10.67)
Mm-hmm.

Corben Leo (48:16.014)
Yeah. Yep.

Corben Leo (48:23.15)
Mm-hmm.

Justin Gardner Rhynorater (48:23.568)
So nice stuff there. And so, I mean, do you really largely credit Sam Parr's copy this or whatever it is writing course or Copy That? Yeah.

Corben Leo (48:30.03)
Copy That. Yeah, that course was really good. So yeah, that's, that's a big reason why. Yeah, I took that course and then I wanted to try applying it to something pretty technical. And so yeah, I mean, that was, that was a pretty, yeah, it's a great course. I still go back and go through it. I'm at least like pieces of it to kind of just like refine writing skills. I think everyone should take a course on.

Justin Gardner Rhynorater (48:44.4)
Mm-hmm, yeah.

Justin Gardner Rhynorater (48:54.224)
Mm.

Corben Leo (48:58.798)
Copywriting just because it's like just writing effectively. I guess like you don't need to be super long-winded. Yeah, I think it's, I think it's a good, a good course. But at the same time, that's like, this is a problem I have with Twitter right now, is that everyone's becoming markety, market... marketer-y, yes, where everything's like a marketing thread now, and it's like

Justin Gardner Rhynorater (48:59.728)
Mm.

Justin Gardner Rhynorater (49:19.184)
Marketer-y. Okay.

Corben Leo (49:25.422)
You have to have this good combination of like effective writing but like actual substance, right? Like yeah, because like I've seen so many like, oh, Bard just killed GPT-4, like here's 10 prompts you can use. It's just like all this noise of like you don't really like everything is supposed to be like when everyone's doing the same thing, it's just I don't know. It's just so like.

Justin Gardner Rhynorater (49:32.304)
genuine content, yeah.

Justin Gardner Rhynorater (49:37.424)
Oh my gosh, it's everywhere, man.

Justin Gardner Rhynorater (49:50.128)
Yeah, it gets to be overwhelming.

Corben Leo (49:51.758)
You're just being, yeah, you can tell marketing material versus like, you know, actual substance, material substance is still like captivating, I guess.

Justin Gardner Rhynorater (50:00.112)
Yeah, lots of lots of bloat out there, I think. And so taking this this ability to do copywriting or, you know, effectually tell a story and convey and captivate an audience and transporting this into report writing. So, you know, I'm interested to see how, I'm interested to hear your opinion on how that's affected the severity of your reports.

Corben Leo (50:02.862)
Yeah.

Corben Leo (50:14.862)
Yeah, yes, that's...

Justin Gardner Rhynorater (50:22.192)
And I will just before I let you answer that, I will say Nagli is a big proponent for this as well. And you just, you gotta, I've collabed with Nagli on a couple of reports and I'll write some stuff down. And he's like, no, no, no, no. How do you ever get, how do you exactly, no, no, no, no, no. How do you ever get critical reports when you write like this? And Nagli just kind of like rewrites it and like very strongly states everything. And I think that's one extreme as well. And it definitely works for him. But what are your thoughts on?

Corben Leo (50:22.606)
Mm-hmm.

Corben Leo (50:34.126)
No no no no no no no no, yes. Yes, yep.

Corben Leo (50:48.014)
Yeah.

Justin Gardner Rhynorater (50:50.096)
you know, the value of copywriting and storytelling in the context of a technical report.

Corben Leo (50:55.822)
Yeah, so like for me, I don't really do, like it's not storytelling in my report. It's like very technical, but it's technical where it needs to be, right? So like the summary might not be as technical, like, okay, I found this bug, blah, blah, blah. This is what it does. This is, I guess how it works. And that's like pretty technical, but like the summary and then the impact are not maybe like...

Justin Gardner Rhynorater (51:01.36)
Okay.

Corben Leo (51:21.806)
more like copywriting, but it's just more, just very clear, straightforward to the point writing where it's like, this is the impact. This is what you can do XYZ where you're listing explicitly why this is a critical and what your specific views are on that. Because like, this is why I think...

Corben Leo (51:41.454)
I talked to someone about this, or we had a whole talk at, I think it was one of the Hacker Advisory Board meetings, about the impact section and the purpose of the impact section. People were like, oh, well, it doesn't make sense to me because I just write my impact in the summary. And I'm like, well, for me, in my impact section, I'll write either, okay, maybe I'll have, if I'm lazy, I'll just write basically what I had in the summary. Otherwise, if it's an actual critical report, I will list out every single metric

Justin Gardner Rhynorater (51:47.088)
Mmm, yeah.

Justin Gardner Rhynorater (52:04.08)
Sure.

Justin Gardner Rhynorater (52:06.992)
Yeah.

Justin Gardner Rhynorater (52:11.344)
Mmm. Piece, yeah.

Corben Leo (52:11.424)
Yeah, piece that I've like selected, and I'll explain why I have it set to that and why it should stay set as that. And then if the program disagrees with me, they'll at least have an exact, very clear response back of why they disagree or why that should be changed. And that leads, that helps a lot with like disagreements on severity. And I think that's...

Justin Gardner Rhynorater (52:15.472)
Mm.

Justin Gardner Rhynorater (52:17.808)
Mm-hmm.

Justin Gardner Rhynorater (52:35.312)
Big, great, great tip there. I mean, I rarely go to that level of detail, but in the times that I have, it's really made those triager misunderstandings that sometimes get your report downgraded or program misunderstandings that sometimes get your report downgraded, it's really minimized those. So I'm actually gonna write myself a note right now to go in and do that for the next live hacking event, because especially when you're at the live hacking events and like reports are flying all over the place and triagers are adjusting stuff and.

Corben Leo (52:47.15)
Mm-hmm.

Corben Leo (52:52.078)
Mm-hmm. Yeah, exactly.

Corben Leo (53:01.134)
Yep. Noise, noise, noise, noise. Yep.

Justin Gardner Rhynorater (53:03.408)
you know, it gets really tricky to have those, you know, complex CVSS conversations. And if you provide justification for each metric, that's the word you're looking for, metric. Yeah, and if you provide explanations for each one of those metrics, then I think it could really provide a lot of clarity.

Corben Leo (53:07.566)
Mm-hmm.

Corben Leo (53:12.878)
Yep, metrics. Thank you, English.

Corben Leo (53:21.39)
Yeah, yeah, and it also like it forces the program to really to really like dive deep and like actually consider your report rather than like, okay, yeah, we have this bug. I don't know, it like really forces them to think through all the different aspects that maybe they haven't thought through before. So.

Justin Gardner Rhynorater (53:36.752)
Yeah, for sure. Solid. Let's talk a little bit about more about your hacking methodology. And then I also wanna talk about some entrepreneurial pieces as well, because that's something you and I have sort of bonded over being hackers and entrepreneurs at the same time. So that's something that I'd like to talk about as well. So I guess just talking a little bit more about the recon flow, we touched on this a little bit earlier, but you're going out there, you're doing recon and

Corben Leo (53:47.662)
Okay. Yep. Yep. Mm-hmm.

Corben Leo (54:02.574)
Uh-huh.

Justin Gardner Rhynorater (54:05.808)
This is a quote that we quote almost every episode. I love this quote from Jhaddix. The whole point of recon is to find more applications to hack, right? And so when do you stop and actually intentionally hack an application versus continuing your recon? And yeah, we'll break that question off there.

Corben Leo (54:13.486)
Mm-hmm.

Corben Leo (54:25.774)
Yeah, because that's a really hard, I think that's a hard skill to learn for beginners is when to stop doing recon and when to start hacking because it's really easy to get into the pattern of like, okay, I'm just going to run subfinder, I'm going to run ffuf on everything and just keep finding until maybe you somehow find a git directory on some host or something like that. So I guess it's pretty difficult.

Justin Gardner Rhynorater (54:30.576)
Mm-hmm.

Justin Gardner Rhynorater (54:33.68)
Mm-hmm.

Justin Gardner Rhynorater (54:38.864)
Totally.

Justin Gardner Rhynorater (54:46.736)
Right, right, right, right.

Corben Leo (54:54.126)
to define, like, what exactly will make me stop, but a lot of times it's just like intuition. So you see, like, I'm doing like directory brute-forcing, I've used like three word lists, not finding much. Maybe I'll just like hop to the next host. Oh, I found an interesting directory on this, like maybe it's like

Justin Gardner Rhynorater (54:54.544)
Mm-hmm.

Justin Gardner Rhynorater (55:00.624)
Sure.

Justin Gardner Rhynorater (55:08.112)
Mm-hmm.

Corben Leo (55:17.55)
like a react app on this like subdirectory and then you can go through the JavaScript files and start actually hacking and doing like normal, um, actual like hacking your hacking methodology or I guess more like pentesting methodology, I guess. Um, and then yeah, it's just kind of just this like intuition flow that I have kind of nailed down.

Justin Gardner Rhynorater (55:27.568)
Sure, sure. Yeah.

Corben Leo (55:38.67)
Sometimes I'm lazy and say, okay, I'm just gonna run ffuf on a bunch of different hosts and just do it that way. Or I can just do it in the background while I'm looking at something else too.

Justin Gardner Rhynorater (55:46.384)
Well, that was the follow-up question to this was like, okay, so you found a couple things, or you found your 40 or 50 hosts you're gonna assess and you go to each host and you kind of do smart ffuf instead of like normal ffuf where you go to the host, you're not just brute forcing on slash always. Sometimes you're going to the host and you're saying, okay, well, the index page redirects to slash

Corben Leo (56:01.454)
Yeah.

Corben Leo (56:06.99)
Yeah.

Justin Gardner Rhynorater (56:12.304)
dashboard, but then it gives an error or something like that. So you actually brute force under slash dashboard.

Corben Leo (56:13.774)
Mm-hmm. Yeah. Yeah, it's not like, oh, it's an images directory. I'm going to keep, I don't know, something like pretty obvious. Yeah.

Justin Gardner Rhynorater (56:19.76)
Right, you don't wanna waste your bandwidth doing that. But how many would you say, you described two extremes there, you described finding a specific application and then just really sort of going deep on that based off of your intuition, and you also described just sort of brute forcing everything. Where do you think the average sits? Like, of like, all right, I'm normally brute forcing like three to four applications at a time, or 10, or 20, or one at a time, and really just reading all the JavaScript files while it's running.

Corben Leo (56:36.782)
Mm-hmm.

Corben Leo (56:45.71)
Mm-hmm. Mm-hmm.

Corben Leo (56:50.99)
Yeah, I typically just do one at a time for the most part. Yeah, so I will, I think focus is also really important and that's dangerous when you try to go after too many things at too many times, like you're just gonna miss things. So typically I can get a pretty good feel for, you know, like what I wanna hack on. So it's like, I'll do my reconnaissance and it's kind of just this process of like filtering all this data down to like a single thing at a time.

Justin Gardner Rhynorater (56:53.04)
Really? Okay. That's cool.

Justin Gardner Rhynorater (56:59.088)
Yeah.

Justin Gardner Rhynorater (57:02.512)
Yeah.

Corben Leo (57:20.654)
Um, and so I will typically do recon until I find a host that's interesting. Then I'll do recon on that host. And so I'll do like directory brute forcing. If there's like dashboard on it, then I'll start like reading through JavaScript files and just start like hacking it. Um, then when I'm sick of that single one, I'll go hop to something else. Um,

Justin Gardner Rhynorater (57:28.4)
Mm.

Justin Gardner Rhynorater (57:35.376)
solid.

Justin Gardner Rhynorater (57:38.352)
That's cool to hear because I definitely didn't see your methodology that way. I figured you'd be doing, you know, directory brute forcing across multiple hosts, you know, 10, 20 hosts on a regular basis. But for you, and I think this is something really cool to highlight with Corben's methodology here is that.

Corben Leo (57:50.158)
Mmm.

Justin Gardner Rhynorater (57:54.992)
he's a little bit of a recon hacker, but he also is like sort of a deep recon hacker, right? Cause you're going to a host, you're doing a lot of directory brute forcing, you're doing a lot of enumeration, but also you're doing that in a smart way. You're reading the JavaScript files, you're recursively brute forcing on folders you've found, that sort of thing, and keeping your attention on one host, which I think is really, I think that's key.

Corben Leo (57:58.478)
Hehehe

Corben Leo (58:08.398)
Yeah.

Corben Leo (58:12.366)
Mm-hmm.

Corben Leo (58:17.198)
Mm-hmm. Yeah, we're also like adjacent hosts as well. So like the JavaScript file might reference some other APIs and then like working on those too, because it's all a part of this like one bigger like application. So

Justin Gardner Rhynorater (58:20.368)
Mmm. Yeah.

Justin Gardner Rhynorater (58:25.936)
That's a great tip. So you're breaking apart the JS file, you're saying, okay, these are the adjacent hosts to this, the hosts that work on this specific, or that power this specific website, and you're using text from the other page, using references from that JS file to enumerate stuff on the APIs as well. Solid man.

Corben Leo (58:34.894)
Mm-hmm.

Corben Leo (58:37.902)
Yep.

Corben Leo (58:41.966)
Yep. Yep, exactly. Yep. And so that's, that's pretty huge, too, because there'll be so many like API endpoints you'll never be able to guess, um, without, you know, all this other like contextual, all these other contextual pieces. So yeah.

Justin Gardner Rhynorater (58:49.52)
Yeah.

Justin Gardner Rhynorater (58:54.224)
Man, I gotta find this tweet from you. I was just reading through some of your tweets that you put out previously, and it was like, oh, here it is right here. I'll link it to you, hold on. I'm gonna send it to you in Discord. Scroll down, and we'll put this tweet in the description as well. This is Corben's.

Corben Leo (59:02.99)
Mm-hmm.

Justin Gardner Rhynorater (59:14.96)
Corben's tweet on hacking the military. But scroll down to like the fourth, or no, it's the third tweet. And it says, yeah, after reading the JS files in directory brute forcing, I came across this endpoint. Squirm2004 upload course.aspx. And I'm like, what do you, what is that? Was that in your brute forcing? Like, no. How did you, so, but you got that ASPX file from reading the JS file, and then I guess maybe you found the full path by like.

Corben Leo (59:30.35)
Yeah, yeah, yep. Nope.

Justin Gardner Rhynorater (59:43.408)
brute forcing some directories and such.

Corben Leo (59:44.654)
Yeah. And so like I, one thing that I do that I don't know if anyone else does is, um, I'll find a, like a directory called like JavaScript and I'll just, I'll brute force for JavaScript files. Um, so, um, I've done that. And also I've tried to find CSS files cause sometimes I'll do like import like image from like this and it'll be like some like super long directory that like you might not be able to find.

Justin Gardner Rhynorater (59:54.352)
Mm-hmm.

Justin Gardner Rhynorater (59:56.976)
Mm-hmm. That's big.

Justin Gardner Rhynorater (01:00:07.472)
Mm-hmm. Mm.

Corben Leo (01:00:09.326)
But yeah, I think I was brute forcing through four JavaScript files and I had like come across a new directory with like JavaScript files and I brute forced some in there. Then that's when I came across that ASPX file. It was just referenced in some JavaScript file that I found. Yep, yep, so it's like going through JavaScript files to find some end points and then brute forcing those and then in one of those, there's like a reference to that, so.

Justin Gardner Rhynorater (01:00:24.72)
Nice, so you actually brute forced for the JS files, which led you to this more complex ASPX endpoint.

Justin Gardner Rhynorater (01:00:38.576)
Nice, that's a great takeaway, I like that. Nice man. So we're at about an hour now. I did have one other sort of status of yours, or post of yours that I wanted to look at. You know what, but I think we're gonna save this one for a different time, because I did wanna follow up on some entrepreneurial stuff as well. So currently, so okay, a couple months back, you announced Breachless AI.

Justin Gardner Rhynorater (01:01:08.464)
And I kinda wanna hear about some lessons learned from that because it seems like you've pivoted over to Boring Mattress Co. now, which I also, I love, and I'll hold up my phone for the YouTube video. I've got Boring Mattress Co. on the back of my phone, and I've actually had a couple people ask me about it already, so you're getting free marketing off of this. But, you know, what happened to Breachless AI and what kind of lessons did you learn from that?

Corben Leo (01:01:08.59)
Mmm, yep.

Corben Leo (01:01:19.054)
Yeah. Yes. Yes. Yeah. Yes, thank you, thank you.

Corben Leo (01:01:35.598)
Yeah, so, um...

Justin Gardner Rhynorater (01:01:36.336)
I'll first introduce it too, because people may not know.

Corben Leo (01:01:39.726)
Yeah, so Breachless, the idea behind that was that I was going to use artificial intelligence to basically the idea was to do analysis of incoming emails and adding, well, let's take a step behind the current state was like, it was to help prevent social engineering attacks, right? And so like you have companies like KnowBe4.

Justin Gardner Rhynorater (01:01:46.832)
Artificial Intelligence.

Justin Gardner Rhynorater (01:02:00.592)
Mm-hmm.

Justin Gardner Rhynorater (01:02:04.368)
Mm-hmm.

Justin Gardner Rhynorater (01:02:08.848)
Mm-hmm.

Corben Leo (01:02:09.07)
Like all these different companies that are doing these, what are they called? So security awareness trainings. And so it's like, you force employees to go through really boring, outdated videos that are like 20 years old, or they're just like really like irrelevant to like the average person. Like a hacker might think, oh wow, these are like really funny, these are really cool. And then you have your average Joes, like this is the stupidest thing I've ever had to watch, why do I have to watch this. And the problem too is like, okay, yeah, you watched a video.

Justin Gardner Rhynorater (01:02:14.064)
Yeah, yeah.

Justin Gardner Rhynorater (01:02:25.808)
Sure.

Corben Leo (01:02:38.35)
four times a year and you never remember it in the moment. And so my idea was to add context to actual emails in like the form of a banner to help people identify social engineering attacks or potential social engineering attacks just like right in each email. And so that was the idea there. It didn't go very far. I had actually had a pretty sizable wait list. I think I had like...

Justin Gardner Rhynorater (01:02:47.312)
Mm.

Justin Gardner Rhynorater (01:03:03.952)
Mm-hmm.

Corben Leo (01:03:08.398)
200 to 300 companies on that wait list. Yeah, it was actually, it was actually pretty decent. There were some pretty decent sized companies on that. But what made me move away from it was I wanted to bootstrap the company. I didn't wanna raise venture capital. And it was also a pretty crowded space.

Justin Gardner Rhynorater (01:03:10.576)
Nice, dude. That's a lot actually, yeah.

Justin Gardner Rhynorater (01:03:22.896)
Mmm.

Justin Gardner Rhynorater (01:03:25.616)
Yeah.

Justin Gardner Rhynorater (01:03:31.888)
just phishing, anti-phishing stuff.

Corben Leo (01:03:35.438)
Yeah, just like email security stuff. I don't think that necessarily should have like maybe. Turn me away so much, but I think the biggest issue was the requirements for a lot of companies have for like SOC 2 audits. So it's like basically companies when they want to use, let's see, like I don't want to mess it up.

Justin Gardner Rhynorater (01:03:42.224)
Mm-hmm.

Justin Gardner Rhynorater (01:03:48.752)
Oh, what is that?

Justin Gardner Rhynorater (01:03:58.768)
Sure. And while you're looking that up.

Corben Leo (01:03:59.47)
It's like a compliance standard, which is how organizations manage data. And so you have to go through this compliance process and be able to provide this to each customer that asks for it. And so that costs at least $150,000. And I didn't really want to pay that out of pocket with an

Justin Gardner Rhynorater (01:04:03.408)
Mm.

Justin Gardner Rhynorater (01:04:08.976)
Yeah.

Justin Gardner Rhynorater (01:04:19.28)
Gotcha.

Justin Gardner Rhynorater (01:04:24.816)
No way.

Corben Leo (01:04:28.494)
you know, like develop an MVP and then have, you know, have to pay $150,000 out of pocket just for that. Like that's a pretty big expense out of the pocket, especially without raising money. And so yeah, it's kind of on it. Yeah. Yeah. It's a very, yeah, it's big. And there are people I think that I think you can find an auditor, like you could probably give like equity to and pay them a lot less. But yeah, with that, it was just kind of like a turnoff. And

Justin Gardner Rhynorater (01:04:28.848)
without VC.

Justin Gardner Rhynorater (01:04:37.712)
Yeah.

Justin Gardner Rhynorater (01:04:40.944)
That's a huge barrier to entry for new players. J-Jeez.

Justin Gardner Rhynorater (01:04:52.016)
Mm-hmm.

Corben Leo (01:04:57.998)
Then my co-founder, Dehi, was talking about getting back into the mattress industry. Yeah, and so I jumped over to that and I was also very intrigued by consumer goods, so I thought that would be a cool thing to tackle as well.

Justin Gardner Rhynorater (01:05:02.448)
the mattress space.

Justin Gardner Rhynorater (01:05:11.664)
Yeah. And sleep is such a cool thing to go after too. Like I feel like that is, is an amazing industry. Yeah.

Corben Leo (01:05:17.134)
Such a traditional industry. Yeah, yeah, so hopped over to that. I still think the Breachless product, the idea there is pretty cool. If someone can like execute on that.

Justin Gardner Rhynorater (01:05:28.24)
I can see the gears turning in your head still, like as you're talking about it. Yeah, it's a great product.

Corben Leo (01:05:32.398)
I know, I still love it. I know, I still love the idea, and I don't think it's a bad idea. It's just like, you know, maybe someday. Who knows.

Justin Gardner Rhynorater (01:05:41.232)
Yeah. Would you consider selling or handing off that email list or waitlist of companies to somebody who wanted to take a stab at Breachless?

Corben Leo (01:05:52.782)
Yeah, I mean, I'd still be interested in like being involved with it somewhat, but it's just the like, do you want to raise like venture capital? It's just like a whole nother completely different than, you know, just like a bootstrapped profitable business from the get go.

Justin Gardner Rhynorater (01:05:55.696)
Mmm.

Justin Gardner Rhynorater (01:06:01.904)
Yeah, well there you go. If any of you other hackers out there are interested in an entrepreneurial opportunity, I love the product. I think it would be really, I think it's a really good fit, you know, having an email banner, having some sort of add-on for G Suite or for Outlook and, you know, scanning.

Corben Leo (01:06:16.27)
Yeah, yeah, and who knows, Microsoft might just have this and there's now with GPT-4, they'll be able to do that too with their Defender, so who knows.

Justin Gardner Rhynorater (01:06:23.76)
Yeah. Well, that's the other thing is I feel like maybe my timelines are a little off, but did you launch this before ChatGPT blew up?

Corben Leo (01:06:33.166)
I think it was about... I think it was... I think it was just before... it was really early. It was before ChatGPT was released.

Justin Gardner Rhynorater (01:06:35.632)
about, about, yeah, or at least it was very early. Yeah.

Justin Gardner Rhynorater (01:06:44.688)
Yeah. And so that that's man. Yeah. That was a great timing of the market, I think, you know, like, you know, that before that whole thing blew up, you know, you had already launched this. And and so, yeah, man, I'm I've still got I've still got high hopes for I would love to see it at some point pop up. So definitely let me know if you're if you're getting back into it again, because I think that'd be really I think that'd be a really cool thing to be involved with. And also, you know, I hope.

Corben Leo (01:06:47.31)
Cause they had GPT-3, the API for that and that was it. They had like a playground.

Corben Leo (01:06:57.646)
Yeah. Yep.

Corben Leo (01:07:08.91)
Mm-hmm.

Justin Gardner Rhynorater (01:07:14.224)
you find someone in the industry who's got the bandwidth to take it on, because I would love to use it in an organization. All right, I guess the other question that I have is like, what sort of hacker entrepreneurial takeaways did you have from that experience of pivoting? Like, was that a hard move for you to pivot away from it? I could see a little bit of...

Corben Leo (01:07:20.238)
Yeah.

Justin Gardner Rhynorater (01:07:41.744)
cognitive dissonance, I think, in your eyes.

Corben Leo (01:07:43.63)
Yeah, yeah, I mean, um it wasn't

Corben Leo (01:07:51.214)
It's different because like it's still I still like the idea but I'm also like I don't know where it I like I'm still optimistic but I'm like pessimistic in other ways because like yeah the cyber security field is like extremely saturated from where it used to be but at the same time I like the idea a lot and I think it could be very helpful.

Justin Gardner Rhynorater (01:07:55.76)
Mm-hmm.

Justin Gardner Rhynorater (01:08:05.776)
Mm.

Corben Leo (01:08:19.822)
But then I'm also pessimistic about, okay, why can't Microsoft just add that? Which I think they very well could. Now, with their integration, I think with all their integrations, it's probably a good thing I did step away from it.

Justin Gardner Rhynorater (01:08:24.08)
Yeah, I think they probably will.

Justin Gardner Rhynorater (01:08:32.24)
Hmm. There's definitely market risk there. I think, you know, because you could easily get replaced by a big player or you could get acquired by a big player. You know, that's the other thing. And so. Yeah.

Corben Leo (01:08:36.238)
Oh, huge, yeah.

Corben Leo (01:08:40.046)
Yeah, exactly. Yeah, for someone who wants like a quick integration. So, I mean, I... I'm not like, I guess worried about it. It was actually relatively easy for me to jump away. It was... First it was like, it's a little... a little sad because I liked the idea, but at the same time I was like, I'm...

Justin Gardner Rhynorater (01:08:57.648)
to pivot.

Justin Gardner Rhynorater (01:09:06.991)
Yeah.

Corben Leo (01:09:08.91)
I had all these other kind of, like, had some doubts. But yeah, I knew it's where I needed to go next, and I guess I just had to trust my gut on that.

Justin Gardner Rhynorater (01:09:13.487)
Yeah.

Justin Gardner Rhynorater (01:09:19.375)
Yeah, for sure, man. Well, I'm glad to see that you, you know, were able to successfully assess the difficulties of that specific challenge and pivot. And I'm excited to see where Boring Mattress Co. is headed. Do you have any update on that? Last I heard you, you got your prototype out to the house.

Corben Leo (01:09:35.598)
Thanks for watching!

Corben Leo (01:09:38.158)
Yes, it's super comfy. I've been sleeping on it for a while now. I love it. It's super, super amazing.

Justin Gardner Rhynorater (01:09:41.968)
Yeah. So I mean, are you gonna make a lot more, are you gonna make much modification to that mattress or are you guys gonna just move forward with it?

Corben Leo (01:09:50.126)
Um, not to the mattress itself. I think we're still iterating on the covers. That's like the outside of it. That's like, um, you have like all your foam, there's like fire sock on it. Um, and then the cover is like the, the outside, like the aesthetic. We're still figuring out that. Um, but yeah, we're not going to take any. Yeah. That most piece that's not important for comfort really.

Justin Gardner Rhynorater (01:09:52.496)
Mm-hmm.

Justin Gardner Rhynorater (01:09:59.024)
Mmm.

Justin Gardner Rhynorater (01:10:04.336)
Mm.

Justin Gardner Rhynorater (01:10:07.12)
that piece of it, gotcha. I think, let me just go ahead and add my two cents to the mattress industry here. I got these bed sheets, and this is bed sheets, it's a different arena, but who knows, maybe you could do a package deal or something. Yeah, and so I've got these bed sheets, and for one, there's like these bamboo bed sheets that are just super like cool, and cool meaning like,

Corben Leo (01:10:21.966)
Mm-hmm. No, we will probably at some point, yeah.

Corben Leo (01:10:31.566)
Mm-hmm.

Justin Gardner Rhynorater (01:10:36.432)
you know, not like the opposite of hot, not like cool as in amazing. Yeah, they're very cool, you know? And they're awesome and I love them and it really helps me sleep better. But also, they have this little pocket on the side of the bed. It's built into, you know, the side of the mattress, the fitted sheet, or the fitted sheet that goes on the mattress. And it's a perfect size to like put your phone in. And it's just like such a nice little thing. You know, you're in bed, you got your phone, and then you just slide it right into this pocket. So.

Corben Leo (01:10:39.342)
Yes, not like, oh these are sick. Heh. Yeah.

Corben Leo (01:10:57.614)
Oh nice! Interesting. Yeah, and just put it next to it. Never seen that before. That's funny. That's really cool. That's so funny.

Justin Gardner Rhynorater (01:11:06.128)
Anyway, there's your little tidbit, cut me in whenever you make millions off of that. And yeah, we'll be good. Cool, well, dude, thanks for coming on to the pod. I tried to dedicate this last section to the Boring Mattress Company, but you got any other shout outs you want to make?

Corben Leo (01:11:28.206)
Not really. Shout out to everyone hacking out there. Aspiring entrepreneurs.

Justin Gardner Rhynorater (01:11:29.36)
Solid. Yeah, well, you can find Corben at, you know, twitter.com slash hacker underscore, and then Boring Mattress Company is twitter.com slash boring mattress, which somehow you got. That's awesome.

Corben Leo (01:11:43.118)
That's because no one in that industry is gonna admit that mattresses are boring. They're... they've got... that's... yeah. Also, I like the brand. Yeah.

Justin Gardner Rhynorater (01:11:46.224)
Yeah, that's true.

Justin Gardner Rhynorater (01:11:49.712)
That's a great, yeah, and I love the copy as well on the description for your Twitter page. So I'll let, I won't even read it out loud. I'll just say for those listening, go to the page, follow the account and read the description because I think it's a great example of engaging copy. All right, man, well thanks for coming on. Appreciate it. Sweet, that's the pod.

Corben Leo (01:12:00.686)
Yeah, tease. Yeah, there we go.

Corben Leo (01:12:05.87)
Hmm.

Corben Leo (01:12:12.686)
Yeah, thanks for having me.