The player is loading ...
Sign up to get updates from us
Episode 31: In this episode of Critical Thinking - Bug Bounty Podcast, we're thrilled to be joined by Alex Chapman, a seasoned InfoSec hacker and bug bounty hunter. We kick off with Alex sharing his hacking journey, from a guest lecturer that inspired him, to working on internal Red Teams, to his transition to working with HackerOne, and finally as a bug bounty hunter focusing on searching out those few, high impact bugs. We also discuss the power of collaboration, the challenges of balancing hacking with other responsibilities, and the necessity of flexibility and taking breaks in bug bounty work. Don't miss this episode where we explore the depths of bug bounty with Alex Chapman!
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
Today’s Guest:
https://twitter.com/ajxchapman
https://hackerone.com/ajxchapman?type=user
Perforce RCE
https://hackerone.com/reports/1830220
https://ajxchapman.github.io/bugreports/2019/04/04/perforce-local-file-disclosure.html
(00:00:00) Introduction
(00:01:50) Alex Chapman's InfoSec journey and evolution
(00:05:55) Real-world experience vs. chasing degrees, and the pivot into Bug Bounty
(00:13:12) The benefit of programming knowledge
(00:16:50) Experience in Internal Red Team and hacker mentalities.
(00:23:35) Transitioning to HackerOne and full time Bug Bounty
(00:33:37) Bug Bounty tips, time management, and best practices
(00:41:00) The importance of note-taking and organizational tools
(00:46:27) Hunting Methodologies and focusing on Critical Exploitations
(01:02:37) Collaboration in the hacking community
(01:06:00) Binary Exploitation and Source Code Review
(01:10:59) Configuration file injections
(01:17:38) Justin vs. Alex at a LHE
Justin Gardner (@rhynorater):
Alex, thanks for coming on the pod, dude.
Alex Chapman:
Hey, how are you today?
Justin Gardner (@rhynorater):
Pretty great, dude. This is gonna be a really cool episode, I think. I've admired your hacking from afar and from a close at a bug collision in January. And so I'm really, I'm excited this time to pick your brain and kind of get some of those techniques out of you. I was hoping we could start today a little bit with a little bit of your InfoSec history and kind of talk to us about how the hacker that is now AJX Chapman. has evolved to where he is today.
Alex Chapman:
Yeah sure, so I guess I'm a bit of an old timer, certainly in the bug bandy crowd. I've been doing kind of in professional security for I guess must be at least 16 years by now.
Justin Gardner (@rhynorater):
Wow.
Alex Chapman:
Kind of started straight out of university professionally but had an interest from when I was about what 12, 13 as soon as I could
Justin Gardner (@rhynorater):
That's
Alex Chapman:
learn
Justin Gardner (@rhynorater):
the age,
Alex Chapman:
to program,
Justin Gardner (@rhynorater):
man.
Alex Chapman:
yeah
Justin Gardner (@rhynorater):
Yep.
Alex Chapman:
as soon as I could learn the program I kind of wanted to know how to break things.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
There wasn't as much information around back then, so I kind of had to scrape pieces together from here and there and then I kind of decided it would be a good idea to do a computer science degree as you do. I
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
hated it, absolutely hated it.
Justin Gardner (@rhynorater):
Yep.
Joel Margolis (teknogeek):
Relatable,
Alex Chapman:
But then found out
Joel Margolis (teknogeek):
yeah.
Alex Chapman:
towards the end of my degree.
Justin Gardner (@rhynorater):
Yeah, relatable for sure.
Alex Chapman:
But then at one point we had a guest lecture from somebody who worked for one of the Big Four, who was a pen tester. I was like, you can actually get paid to do this
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
sort of thing? So that was from then on, that was my goal. Straight out of university, I was into Big Four because I knew they did pen testing. I worked.
Justin Gardner (@rhynorater):
Right. Now when you say big four, is that, you're talking about big four accounting firms? Is that
Alex Chapman:
Yes,
Justin Gardner (@rhynorater):
what you're talking
Alex Chapman:
yeah,
Justin Gardner (@rhynorater):
about? Yeah,
Alex Chapman:
so
Justin Gardner (@rhynorater):
okay.
Alex Chapman:
I went to work for Deloitte,
Justin Gardner (@rhynorater):
Okay, sure.
Alex Chapman:
specifically in their security team.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
I was doing pen testing from then on, so I did about a decade of pen testing, three years at Deloitte, moved to a smaller consultancy. And that's where I picked up kind of red teaming and security research. I knew nothing about Bug Bounty at this point, so this was going back to, 2016, 2017.
Justin Gardner (@rhynorater):
Okay, alright.
Alex Chapman:
And then went to work for Yahoo!
Justin Gardner (@rhynorater):
Nice man, I
Alex Chapman:
Which
Justin Gardner (@rhynorater):
feel like
Alex Chapman:
was...
Justin Gardner (@rhynorater):
a lot of a
Joel Margolis (teknogeek):
Hehehe
Justin Gardner (@rhynorater):
lot of good hackers kind of go through Yahoo at some point. I don't know if it's just like the time period of like, you know, Yahoo was a big name earlier on in the bug bounty scene or in the pen
Alex Chapman:
Yeah,
Justin Gardner (@rhynorater):
testing scene,
Alex Chapman:
hugely.
Justin Gardner (@rhynorater):
but you know, I feel like I see so many people that have gone through there. So I've got a couple of questions for you. You know, you mentioned that you started programming early on, you know, was that out of, but you didn't really get introduced to hacking until later, is that right? Or were you studying programming that whole time of hacking in the youth as well or...
Alex Chapman:
Certainly a little bit of hacking, so
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
kind of looking at war games and
Justin Gardner (@rhynorater):
Oh sure sure.
Alex Chapman:
kind of crackmes.de used to exist, I'm
Joel Margolis (teknogeek):
Oh yeah.
Alex Chapman:
pretty sure that's been dead for a long
Justin Gardner (@rhynorater):
Crackme.de
Alex Chapman:
time, but
Joel Margolis (teknogeek):
Yeah, I don't know if that's still a thing.
Alex Chapman:
that
Justin Gardner (@rhynorater):
D-E.
Alex Chapman:
was
Justin Gardner (@rhynorater):
Interesting.
Alex Chapman:
a lot of reverse engineering
Justin Gardner (@rhynorater):
Huh.
Alex Chapman:
specifically on crackmes, so a legal outlet for trying to learn these skills.
Justin Gardner (@rhynorater):
Gotcha. So it was in college where you were introduced to being able to do this as a job. But that's what you
Alex Chapman:
Yeah,
Justin Gardner (@rhynorater):
were saying.
Alex Chapman:
yeah,
Justin Gardner (@rhynorater):
OK.
Alex Chapman:
so I never in kind of a million years when I was in my early teens, I thought I could get paid to do this and then just had this epiphany moment. I was like, I can do this.
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
So that was my mission from then on.
Justin Gardner (@rhynorater):
Yeah, dude, that's
Joel Margolis (teknogeek):
That's awesome.
Justin Gardner (@rhynorater):
so cool. I sort of remember, I remember that moment for me as well, being like, wow, you know, this is actually a career path that I can go down, which is really cool because at the same, you know, I started when I was young as well at 12 and 13, and I kind of went down the blackout route for a while and I was like, but then I sort of caught a conscience. You know, I was like, Oh, actually this is really damaging systems that I'm, that I'm working on trying to cover my tracks. Cause I wasn't necessarily good enough to really do a good job of covering my tracks. So
Alex Chapman:
Yeah,
Justin Gardner (@rhynorater):
my,
Alex Chapman:
cuz.
Justin Gardner (@rhynorater):
you know, my track coverings was, you know, rm-rf slash, you know?
Joel Margolis (teknogeek):
Ha ha ha.
Justin Gardner (@rhynorater):
And so, you know, that's kind of when I pivoted off and then, you know, coming into that realization that it can actually be a career, man, what a mind boggling thing. So you mentioned, you know, you were in CS, but you weren't loving that. Why, what is your opinion on, you know, should... aspiring hackers go and get a degree versus going, you know, training themselves or going through a bootcamp or what.
Alex Chapman:
I think my personal opinion from kind of where we are now in 2023
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
is I wouldn't bother.
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
I would apply yourself, learn to program. I think all hackers should know how to program, at least basically. I
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
know that's a bit of a controversial opinion
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
in some circles,
Justin Gardner (@rhynorater):
Yep.
Alex Chapman:
but my view on it is you should know how to program, or at least should be interested in learning how to program.
Justin Gardner (@rhynorater):
Sure.
Alex Chapman:
Let's say it like that. and just apply yourself. Blog a lot, blog about everything you can.
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
So I actually used to do hiring and that would be the first thing I would do. If it's evening past screening I would
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
look the person up on Twitter, try and find their blog
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
and see what they were interested in.
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
And people who didn't have blogs would actually be in, I would know I'd have to drill them a lot more in an interview to try and
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
work out what their passion is and what they're interested in. And again, you can make money in bug bounty. You're not going to start out and make the big bucks, but
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
you can get by and you can again build up an effective CV saying,
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
yeah, I hack this company by this bug, this company by this bug. And to me, that's much more impressive these days than somebody who came out of a... a degree spending all their money to get a bit of paper who actually
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
has next to no real world experience.
Justin Gardner (@rhynorater):
Hmm.
Joel Margolis (teknogeek):
Yeah, I found that to be very true. I also dropped out of college. When I went into college, I was kind of doing some hacking adjacent stuff, stuff that I think now would be considered under the realm of bug bounty slash general infosec hacking. And I think that precursor knowledge really helped me find the path that I was looking for. I had already been very interested in programming and computers and that kind of stuff. And so, once I'd seen like this was a route that could be taken and it was like profitable and it was like very interesting and it was very in line with the stuff that I was already doing and already found a lot of enjoyment with, it just seemed like a very natural progression. I'm curious like how far you sort of like deviated from what you would consider like what you were already doing to pivot into bug bounty or was it kind of that same natural progression?
Alex Chapman:
Sorry, going from pen testing and rotating to background.
Joel Margolis (teknogeek):
Yeah, yeah, yeah.
Alex Chapman:
So yeah, I mean, it's actually going from more of an audit pen test side of things to bug bounties a huge world of difference.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
Like when in the kind of audit space with security, you're reporting absolutely everything and looking for absolutely everything. So you're reporting SSL ciphers and all that stuff that nobody cares about, has no real world impact. But if you don't report it and the client kind of finds out about it, you can get into real trouble.
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
So that's the kind of soul destroying end of pen testing. But then on the red teaming side, I actually got a lot more experience that would be more relatable to bug bounty. And that's kind of actually trying to find and properly exploit bugs in anger.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
to see how far you can get with them and what you can actually do with it. So the bug's no longer theoretical or something popped up on a scanner, you know 100% that it's there and it can be exploited for this sort of impact.
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
And that, I think, was a big learning point for me, was actually not just CVSS impact but real-world impact.
Justin Gardner (@rhynorater):
Mm.
Joel Margolis (teknogeek):
Yeah.
Alex Chapman:
So your scanner says this is a 7.2, so it's obviously high, but... what does it actually give you access to? Does the business care about this thing? Or is it actually a third-party bit of software that, or third-party hosted thing, that means nothing to them?
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
And it's things like that if you can kind of start to bring that experience into the into the BugBand, down the side of things, you'll find you get a lot further as well.
Joel Margolis (teknogeek):
Yeah.
Justin Gardner (@rhynorater):
Oh yeah.
Joel Margolis (teknogeek):
Did you find that
Justin Gardner (@rhynorater):
Fish.
Joel Margolis (teknogeek):
your time at companies were like really helpful for figuring out that sort of security impact? Cause this is something that we've talked about a lot. It's like CVSS versus like direct impact and understanding like security
Alex Chapman:
Yeah.
Joel Margolis (teknogeek):
model of a company. And instead of framing your bugs so that you have like a 9.0 CVSS, like that, you know, that that's good and stuff, but it really matters more like what's the actual impact. How does this affect the company? How can you frame this so that the company sees the impact the same way that you do? And do you think that like your time? companies and all the Red Team stuff really helped with that.
Alex Chapman:
Yeah, huge. And that's also, I guess, on the report writing side of things as well. Because Red Sigma, we used to write kind of 96, 150 page reports.
Justin Gardner (@rhynorater):
Wow.
Alex Chapman:
So coming, like when I first started doing Bug Bounty, I would probably take four hours over each report I was writing.
Joel Margolis (teknogeek):
Oh wow.
Alex Chapman:
And that would be kind
Justin Gardner (@rhynorater):
Oh my
Alex Chapman:
of even
Justin Gardner (@rhynorater):
gosh.
Alex Chapman:
some basic XSS reports would take me several hours to write because
Justin Gardner (@rhynorater):
Jeez.
Alex Chapman:
I was going into that level of detail. Okay that was overkill, but there's
Joel Margolis (teknogeek):
Yeah.
Alex Chapman:
still... Douglas Day working with him quite a lot and he still takes a piss out of me for how much I write in reports and how long it takes me to write a report. But I
Joel Margolis (teknogeek):
It's
Alex Chapman:
still
Joel Margolis (teknogeek):
really
Alex Chapman:
like
Joel Margolis (teknogeek):
funny.
Alex Chapman:
to get that.
Joel Margolis (teknogeek):
Yeah, it's funny because I will, I used to do like the same thing where I would go very, very in depth. I would give them like a full explanation of like, how does this work? What is this doing in the back end? And at a certain point I realized I was like, wait a second, I'm just, I'm explaining to these engineers how their own systems work. They don't
Justin Gardner (@rhynorater):
Mm-hmm.
Joel Margolis (teknogeek):
really
Alex Chapman:
Yeah,
Joel Margolis (teknogeek):
need to
Alex Chapman:
100%.
Joel Margolis (teknogeek):
that. Like for me, this is satisfying, but for them it's like, okay, skip, oh, there's the vulnerability.
Alex Chapman:
Yeah,
Justin Gardner (@rhynorater):
Yeah,
Alex Chapman:
and that's how I fix it, right?
Justin Gardner (@rhynorater):
I think also for us as hackers, it's a fun narrative to convey. You know, like, you know,
Alex Chapman:
hugely.
Justin Gardner (@rhynorater):
I found, especially on reports that I'm really proud of, I'll go above and beyond on the, you know, or at least on the bugs that I'm really proud of, I go above and beyond on the report because I'm like, I want you to understand what a masterpiece this is.
Alex Chapman:
Yes,
Justin Gardner (@rhynorater):
Like, you know?
Alex Chapman:
100%. It's
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
when you get the reaction from the program team being like, wow.
Justin Gardner (@rhynorater):
Yeah,
Joel Margolis (teknogeek):
Hahaha
Alex Chapman:
And
Justin Gardner (@rhynorater):
dude.
Alex Chapman:
that's
Justin Gardner (@rhynorater):
So,
Alex Chapman:
nearly worth any bounty. You just say, yeah,
Justin Gardner (@rhynorater):
so
Alex Chapman:
okay.
Justin Gardner (@rhynorater):
satisfying. Yeah. And I bet I bet I bet you get that a lot, Alex, because,
Alex Chapman:
It doesn't,
Justin Gardner (@rhynorater):
you know,
Alex Chapman:
doesn't really happen.
Justin Gardner (@rhynorater):
yeah, yeah. And the fact that you acknowledge it definitely means that it happens a lot. You know, because I've been privy to some of the reports that you've found specifically at the GitHub event last year, just what a phenomenal performance that was.
Alex Chapman:
Yeah that
Justin Gardner (@rhynorater):
So
Alex Chapman:
was...
Justin Gardner (@rhynorater):
Yeah, that was a great day, wasn't it?
Alex Chapman:
Yes, that was a good day for me.
Justin Gardner (@rhynorater):
I believe it, man. I believe it. So I'll talk a little bit more about that later. But I wanted to come back to what you said earlier about, you know, hackers should be able to program or should have an interest in learning programming or should have an interest in programming. Could you speak to a little bit about how that Just speak to that for our listeners and also how that integrates with your style of hacking, which is different than most others, I believe.
Alex Chapman:
Yeah, and that's a really good question. I was reflecting on this a little bit earlier.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
I spend a significant portion of my time hacking in an IDE.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
I'll
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
be pulling open source repos down, looking through the code, reading the code,
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
trying to find issues and learn basically how a module works or how this server works that they're doing or how the protocol works that they're communicating with.
Justin Gardner (@rhynorater):
Right.
Alex Chapman:
And without... being a program that would be next to impossible. And
Justin Gardner (@rhynorater):
Right.
Alex Chapman:
that's very specific to my style of hunting. But if you really want to, in my opinion, if you really want to be able to understand a bug, you need to know how it was implemented, what assumptions a programmer would have made to introduce that bug, and ideally how to fix it.
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
If you know those three things you can really hammer home what a bug is
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
and start to understand where you might find it in other places as well. It's all very well spraying payloads all over a website, but if you don't really understand what's going on in the backend and what's happening to those payloads then what's the point? You're blindly
Joel Margolis (teknogeek):
Yeah.
Alex Chapman:
throwing darts.
Justin Gardner (@rhynorater):
Yeah,
Joel Margolis (teknogeek):
Yeah,
Justin Gardner (@rhynorater):
absolutely.
Joel Margolis (teknogeek):
that's a really good point. I was actually just talking with one of my buddies who's just starting to get into bug bounty and security and that kind of stuff. And he was going through the Portswigger web academy and he was telling me today that he's now at a point where he can, if he looks at a vulnerability, he can 80% of the time figure out what's going on just by sussing it out and doing
Justin Gardner (@rhynorater):
Mm.
Joel Margolis (teknogeek):
a little fiddling with it. And I think that is so key to really making progress in bug bounty and hacking as a whole, but especially bug bounty, just because it takes that level of understanding of like, what's actually going wrong here? How does this bug interact with other systems? What are the different possibilities for me to move laterally or vertically within this vulnerability to escalate it or to do X, Y, Z? And if you don't have that, then it's really just like throwing darts like blindly at the wall and just like seeing what sticks and just like hoping for the best.
Justin Gardner (@rhynorater):
Yeah, yeah, I'll speak briefly to our audience here as well. Like this is another great example of something that we talk about really often, which is, you know, you don't have to know programming to hack, but if you do know programming, you will find substantially better bugs because you'll understand at a deeper level what is happening and what, you know. you'll be able to understand the exploits that are occurring and you'll be able to go for things that are a little bit deeper. Most of the bugs that Alex submits, statistically even, are between high and crit, right? And on the crit side of, you know, between high and crit, looking from his HackerOne impact, right? He's got a, what is it, 32.7 impact on HackerOne, which is phenomenal. And so, you know, this is... Just to be clear, we won't say that you have to know how to program to hack, but if you do, you will gain a much greater ability to find critical bugs. So that's a great takeaway. And Alex, bringing it back around to your sort of personal InfoSec history, you worked at Yahoo, slash Oath, slash whatever the heck
Alex Chapman:
Yeah.
Justin Gardner (@rhynorater):
they wanna call it in the Verizon media, you know.
Alex Chapman:
Yeah, it was an interesting time.
Justin Gardner (@rhynorater):
Yeah, could you speak to a little bit about that experience? What were you doing there, and what kind of things did you learn?
Alex Chapman:
So yeah, so I was on their internal red team there.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
So that was, we were kind of every month or so we'd be given an objective.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
And more often than not, it would be trying to get access to the CISO's email
Justin Gardner (@rhynorater):
Mm-mm.
Alex Chapman:
and show how we could do that with internal knowledge.
Justin Gardner (@rhynorater):
Mm-hmm, sure.
Alex Chapman:
But we used to have a, with the issues that kind of Yahoo had previously.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
there was always an assumption internally that internal access would be relatively easy to obtain from an attacker's
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
perspective. So we would kind of go from that position of being an attacker with internal access and see what we could do in the
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
internal network and then obviously work with the various teams to get that fixed and see what other kind of defence in depth we could help to implement there.
Justin Gardner (@rhynorater):
How much of your... Go ahead, Joel.
Joel Margolis (teknogeek):
So you mentioned that a lot of the hacking that you do is in an IDE. It's looking at source code. It's looking at how stuff works. Has that always been the case for you just based on your background, or did you pivot into that style of hacking after doing a lot of black box testing and all that kind of stuff and just figuring out that this was what you liked the most or this was what worked the best for you?
Alex Chapman:
Yeah, so that's always been my area of interest. And actually kind of going even lower down the stack into reverse engineering and debugging. And kind of binary exploitation as well. That was always my first InfoSec love, as it were. But there was very little opportunity to do that whilst doing kind of the audit style pen testing that I started out doing. So I remember for kind of months I'd be sitting in a data center with no internet connectivity running nmap against kind of a billion and one servers.
Justin Gardner (@rhynorater):
Oh man.
Alex Chapman:
But I used that time to kind of read off on man pages in Linux and start to program more and tinker more. And then it was like, okay, so what have I got accessible to me? I've got nmap. Okay. So let's learn everything I can about. Nmap and how
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
it works and what it's doing and so it's I guess it's the interest if something picks my interest on rabbit hole down there and we'll just stay there for months if I can
Joel Margolis (teknogeek):
That's so funny. I do the same thing when I'm like, whenever I'm in like a situation where I don't have many options for what I could be doing. I think a great example is when
Justin Gardner (@rhynorater):
Hmm.
Joel Margolis (teknogeek):
I'm sitting
Justin Gardner (@rhynorater):
Mm-hmm.
Joel Margolis (teknogeek):
on a plane, I'll start to do things that I don't normally do. So I'll like read a book or like, or like start to just like read through man pages. So
Alex Chapman:
You
Joel Margolis (teknogeek):
like, I'll just do like things that are like, you know, they consume time, but it's not necessarily the most interesting thing because I'm in this restricted sort of environment. And I feel like that's like a perfect intersection of like. Interest and opportunity breeds, you know, knowledge or information or however you want to build that equation
Alex Chapman:
Yeah, usually.
Justin Gardner (@rhynorater):
Yeah, God forbid you pay that $12.99 for the internet
Joel Margolis (teknogeek):
Hehehe
Justin Gardner (@rhynorater):
on the flight so that you can answer emails or write
Alex Chapman:
Yeah,
Justin Gardner (@rhynorater):
tweets or whatever.
Alex Chapman:
on the eight hour flight.
Justin Gardner (@rhynorater):
Exactly.
Alex Chapman:
I remember quite vividly, literally sitting in a data centre,
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
no internet access, and the particular customer I was working for wanted us to leave our hard drives when we were done with the job. And it was kind of a four week job and I was like, well, what am I going to do with my time? Because it was literally scanning.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
So I was like, well. I enjoy programming, so I'll just program something.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
And it was actually quite liberating, writing this whole thing, knowing it was going to get thrown in the bin in a couple of weeks' time, and I couldn't take it with me.
Justin Gardner (@rhynorater):
Ah.
Joel Margolis (teknogeek):
nice.
Alex Chapman:
And that was programming purely for the joy and the challenge.
Justin Gardner (@rhynorater):
Wow, that's
Joel Margolis (teknogeek):
Yeah, yeah,
Justin Gardner (@rhynorater):
cool,
Joel Margolis (teknogeek):
that's
Justin Gardner (@rhynorater):
man.
Joel Margolis (teknogeek):
awesome.
Justin Gardner (@rhynorater):
That is how growth happens when you're doing it for, like you were saying, for the joy of
Alex Chapman:
Hmm.
Justin Gardner (@rhynorater):
programming, for the passion of it. So this was in, going back to your experience at Yahoo! and Oath, this is a red team sort of role. And as I understand, well, my personal experience, so anecdotally, is... that when I was doing internal pen tests, I wasn't doing a lot of, which is different than Red Team, but you know, correlated in some way. I wasn't doing a lot of exploitation or exploit development. I was doing a lot of pivoting around in the internal network. I was doing a lot of escalating of privileges inside the network in order to weave my way through, right? So I'm wondering, you know, how different that was at Yahoo internal Red Team. or if that skill set was developed elsewhere.
Alex Chapman:
Yeah, so it was pretty similar in terms of the pivoting and
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
you kind of spend probably 70% of your time on post-exploitation.
Justin Gardner (@rhynorater):
Mm-hmm, right.
Alex Chapman:
And that was always to kind of prove what you can do. You've exploited the system, now prove what you can do with that.
Justin Gardner (@rhynorater):
Right.
Alex Chapman:
But there was the kind of 30% of initial access, which was pretty fun exploitation.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
I remember I think, I'm sure it's fine to say this, my first week there I wasn't set up properly and was just given the standard laptop, so no more privileges than anybody else would have and by the end of the week I had a remote code execution on Yahoo laptops. I was
Justin Gardner (@rhynorater):
Oh yeah, well that's
Joel Margolis (teknogeek):
That's
Justin Gardner (@rhynorater):
another
Joel Margolis (teknogeek):
awesome.
Justin Gardner (@rhynorater):
one of those scenarios
Alex Chapman:
just like, yeah.
Justin Gardner (@rhynorater):
where you've got like limited, you know, limited scenarios and you just kind of got to work within your environment,
Alex Chapman:
Yeah.
Justin Gardner (@rhynorater):
which is such a hacker mentality thing in general
Joel Margolis (teknogeek):
So true.
Justin Gardner (@rhynorater):
as well, because our whole, our whole job is to take, you know, that, that data center with no internet, that laptop, you know, that that injection point where you can't use special characters and figure out a way to break out of those constraints and get access to greater privileges. So I think, I'm sure it was applicable in so many ways, but even just from a mentality perspective, that'll help you grow as a hacker and build that sort of mental resiliency you need to be able to push through almost any situation you're put in from a technical perspective.
Alex Chapman:
Yeah, yeah, hugely.
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
And it was at Yahoo that I really first came across Hacker 1 as well. So that was my real pivot into bug bounty was through Yahoo. And I did everything I could to get on the team that was helping out with assessing impact of bugs that come in through the Yahoo program.
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
And that's where I started to learn some of the bigger names on the Yahoo programs and kind of seeing some of the stuff they were doing. I was like, I could do this.
Justin Gardner (@rhynorater):
Yeah, this is starting to click. So
Alex Chapman:
Yeah.
Justin Gardner (@rhynorater):
you then pivoted, I guess maybe you were still on the internal red team, but you also did some work with the bug bounty program for Yahoo. And that's how you got exposed to HackerOne.
Alex Chapman:
Yep, yeah, hugely.
Justin Gardner (@rhynorater):
Gotcha.
Alex Chapman:
And then...
Justin Gardner (@rhynorater):
And then, yeah, next in your flow was that you actually went and worked with HackerOne for a little bit, right? So how did that come
Alex Chapman:
Yeah,
Justin Gardner (@rhynorater):
about?
Alex Chapman:
definitely. As with most kind of job moves in this industry, I was in Vegas and
Justin Gardner (@rhynorater):
Ha ha ha!
Alex Chapman:
our good friend Martin Miccas took us out for a night, he took the Yahoo team out for a nice meal and
Justin Gardner (@rhynorater):
Nice.
Alex Chapman:
just had a bit of a chat with him afterwards and said, hey, this is, this
Justin Gardner (@rhynorater):
Mm-mm.
Alex Chapman:
I was offered a job relatively shortly after that and went to work for HackerOne in London as
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
a technical program manager. There
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
was a lot of work
Joel Margolis (teknogeek):
And
Alex Chapman:
to do.
Joel Margolis (teknogeek):
how did you like that in comparison to like, because leading up to this, you'd basically been doing purely technical roles, like lots of pen testing, lots of red teaming, lots of writing reports, that kind of stuff.
Justin Gardner (@rhynorater):
Mm.
Joel Margolis (teknogeek):
And then you pivoted from that into like a technical adjacent role where you're managing programs. You're
Alex Chapman:
Yep.
Joel Margolis (teknogeek):
still very involved with like security and that kind of stuff, right? But it's a very different experience. What was that like?
Alex Chapman:
It was challenging. I knew Hacker One was a company that I wanted to be involved with, but it was a difficult role for me. It was a difficult leap. And then unfortunately had some kind of... My personal life took a bit of a turn and
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
that made work very, very difficult.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
So during my time at Hacker One, my wife and I found out we were pregnant.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
But unfortunately very soon after we found out that the baby had Edward's Syndrome, which is a kind of chromosomal disorder,
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
which meant they weren't going to make it.
Justin Gardner (@rhynorater):
Oh,
Joel Margolis (teknogeek):
That's
Justin Gardner (@rhynorater):
I'm so
Joel Margolis (teknogeek):
terrible,
Justin Gardner (@rhynorater):
sorry
Joel Margolis (teknogeek):
I'm
Justin Gardner (@rhynorater):
to
Joel Margolis (teknogeek):
sorry.
Justin Gardner (@rhynorater):
hear that.
Alex Chapman:
So that obviously took quite a lot of my attention away from my job.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
Hackeman were fantastic throughout the whole thing. When it came to when the baby was born. I was given three months paid bereavement leave
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
and went back to, I think I went into the office on the January the 3rd 2019 and quit
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
because I just couldn't do it. And
Joel Margolis (teknogeek):
Was that
Alex Chapman:
HackerOne were
Joel Margolis (teknogeek):
during
Alex Chapman:
amazing
Joel Margolis (teknogeek):
that leave,
Alex Chapman:
through it.
Joel Margolis (teknogeek):
during that leave, did you sort of like step back and reanalyze like where your job was at and how you were feeling about working and all that kind of stuff or did that kind of all hit on, on the day you went back into the office?
Alex Chapman:
Yeah, kind of day went back into the office. It was the kind of period where I was off was very much about self care and looking after my wife and
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
family. And I realized I just wasn't ready to go back to work. And I didn't want to put a hack-a-one in position of having somebody on salary who wasn't doing any work. So I kind of. I swear to my team there, I really appreciate everything, but I'm going to step back.
Justin Gardner (@rhynorater):
Hmm.
Joel Margolis (teknogeek):
So was that day one of full-time bug bounty after that?
Alex Chapman:
Not day one, I took a few more months and then kind of realised I do need to start earning money
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
and that's where I thought, yep, I should pull my finger out and get starting. So I think it was like April... Yeah, actually
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
I think it coincided with the UK tax year, so April 6th or something. I was like, right, let's do this, give this a go and see where we get.
Joel Margolis (teknogeek):
So you'd been.
Justin Gardner (@rhynorater):
Mm. So your transition into bug bounty was a little bit, or full-time bug bounty was. a little bit more strained than most people's. I think that, you know, we've kind of talked in the past before about being in a full-time bug bounty position and the kind of mental stress that puts on somebody. And normally, I think you and I both agree that it's not prudent to go into that position without, you know, a decent financial runway
Alex Chapman:
Hmm.
Justin Gardner (@rhynorater):
and a decent, or at least from my conversation, you know, a decent home life Set up and stuff like that, but that transition actually happened a little bit different for you. So did You know what were the first couple months? Obviously you were dealing with a lot of personal things as well, but from a work perspective Did you did you find it hard to? Focus or were you kind of ready to get back into it after having taken an appropriate amount of time to you know? Grieve and such even though that you know an appropriate amount can never be taken
Alex Chapman:
Yeah, of course.
Justin Gardner (@rhynorater):
to get back into it.
Alex Chapman:
Yes, so it was, I mean, I've been working in security, as I say, for
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
would have been 12 years or something
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
by that point. So security is a relatively well paid industry. So I did have the financial backing to do it without risk. And my wife was going back to work around the same time as well.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
And she's a management consultant. So
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
again, a relatively well paid. job there, so
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
with the two incomes
Justin Gardner (@rhynorater):
That's good.
Alex Chapman:
and the money we had in the bank it wasn't as much of a risk.
Justin Gardner (@rhynorater):
Sure.
Alex Chapman:
I think I said to myself I'll give it three months before I reassess, see how we get on
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
and if I need to get another job at the end of that then I would start to look. That was four and a half years ago
Justin Gardner (@rhynorater):
Haha.
Alex Chapman:
and I haven't looked back.
Justin Gardner (@rhynorater):
Yeah.
Joel Margolis (teknogeek):
So had you been thinking about doing full-time bug bounty or anything prior to that, or was it kind of just like in that time of your life, you were just analyzing sort of the available options, things that you'd been doing, and it was kind of a logical step to just give it a shot and see what happens? Or had you kind of been toying with that in the back of your mind that, you know, I like bug bounty, I'm very involved in bug bounty, obviously working at HackerOne and doing Yahoo you're very in the scene, you're very in the know, your mind is kind of in the right place, and was it kind of just like that natural progression, or was this something that had always been in the back of your mind for? you know,
Alex Chapman:
Yeah,
Joel Margolis (teknogeek):
for a while.
Alex Chapman:
so whilst working at HackerOne I was still hacking on programs that I wasn't managing.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
And I was using that as my kind of technical outlet whilst doing less technical work
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
at HackerOne. I think without, it's hard to say without, how things could have been different. I very much believe in HackerOne and their kind of vision so I could see that I would have stayed with them whilst keeping on hacking in the background but difficult to say.
Justin Gardner (@rhynorater):
Mm.
Joel Margolis (teknogeek):
Did you experience
Justin Gardner (@rhynorater):
Yeah,
Joel Margolis (teknogeek):
a lot
Justin Gardner (@rhynorater):
that
Joel Margolis (teknogeek):
of challenges
Justin Gardner (@rhynorater):
makes
Joel Margolis (teknogeek):
with
Justin Gardner (@rhynorater):
sense.
Joel Margolis (teknogeek):
that balance
Justin Gardner (@rhynorater):
Yeah.
Joel Margolis (teknogeek):
of like TPM and hacker? Cause I've heard a lot of on both sides of it of like, you know, whether it's being a triager or whether it's working adjacent to triage or doing TPM or whatever at hacker one and also trying to do the hacking. And you mentioned that there are certain programs you can't hack on and that kind of stuff. Did you find that to be a real big hindrance that made you excited to no longer be working there or was it kind of just like. If you were still working there, that's fine. You could have gotten around it and figured out how to hack outside of it.
Alex Chapman:
Yeah, I don't think it was too much of a hindrance. I wasn't working on any of the... I think it was only one or two programs that I was working on that I personally would have had a huge amount of interest in hacking. And there are obviously a lot of programs available, so. I don't think it would have been too bad. The bigger thing would have been the time and the energy. So obviously working for what's primarily an American company on UK hours, you kind of have to be a lot more flexible with your
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
time to fit in meetings with the States, certainly West Coast. So I kind of end up working later in the evenings which is... when at the
Joel Margolis (teknogeek):
Yeah.
Alex Chapman:
time I would have been hacking. So it
Joel Margolis (teknogeek):
For
Alex Chapman:
certainly
Joel Margolis (teknogeek):
example, it's
Alex Chapman:
would
Joel Margolis (teknogeek):
930.
Alex Chapman:
put strain on things.
Joel Margolis (teknogeek):
It's 930 a.m. here in California. I imagine it's probably five or six
Justin Gardner (@rhynorater):
Right.
Joel Margolis (teknogeek):
p.m. in the UK.
Alex Chapman:
Yeah, it's, yeah, half-life, so...
Joel Margolis (teknogeek):
Yeah.
Justin Gardner (@rhynorater):
Half five what does that mean is that 530?
Alex Chapman:
It's 5.30.
Justin Gardner (@rhynorater):
Since it's half five yeah by
Alex Chapman:
It's...
Justin Gardner (@rhynorater):
this point
Joel Margolis (teknogeek):
That's one of my
Alex Chapman:
What
Joel Margolis (teknogeek):
favorite
Alex Chapman:
is that? That's
Joel Margolis (teknogeek):
UK expressions
Alex Chapman:
FULL!
Joel Margolis (teknogeek):
because it's for Americans extremely ambiguous as to what that means. Meanwhile, we say like quarter
Justin Gardner (@rhynorater):
Yeah,
Joel Margolis (teknogeek):
till
Justin Gardner (@rhynorater):
is it?
Joel Margolis (teknogeek):
quarter
Alex Chapman:
Bye.
Joel Margolis (teknogeek):
after.
Justin Gardner (@rhynorater):
Yeah, yeah.
Alex Chapman:
In Europe as well, in Germany it would be half six, because they do half two and we do half past,
Joel Margolis (teknogeek):
Oh,
Alex Chapman:
but you
Justin Gardner (@rhynorater):
Oh,
Alex Chapman:
don't
Justin Gardner (@rhynorater):
dude,
Alex Chapman:
say
Joel Margolis (teknogeek):
oh
Justin Gardner (@rhynorater):
no
Alex Chapman:
the...
Joel Margolis (teknogeek):
wow.
Justin Gardner (@rhynorater):
way. Really? Oh no, that's, that's the worst. Um, wow. So, so, you know, bring, bring it back to, you know, this new, this new stage of life you're in with, with full-time bug bounty. You've been, I started in March of 2020 full-time bug bounty and you started in April of 2019, so you've got a year, a year on me and there, there are very few people I'll say that have been able to. Um, sustain. long-term full-time bug bounty. Yacine has done a great job of it, you've done a good job of it. But people often have a hard time with burnout and with, I guess, just the mental stress that comes along with it, even though their earnings might be good. So do you have any tips or tricks for people that are looking to get into full-time bug bounty and how to survive the mental tolls of that?
Alex Chapman:
Yeah, I mean the first one is get your finances in order. I have a lot of people who come to me and speak to me about full time bug hunting.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
I think I wrote something on it in 2020 maybe.
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
And off the back of that I've had a lot of conversations but it's always make sure your finances in order is the first thing.
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
It was a very low risk. moved for me because my previous experience and connections I was pretty certain I could get a job quickly if I needed to. I also had over a decade of technical professional experience in security so I knew what I was doing and familiarity with HackerOne and some other bug banter programs. For people who want to get into it, first thing is just minimize your risk, make sure you've got enough money in the bank. If you've got a bad run of things, that could be easily three months, you could
Justin Gardner (@rhynorater):
easily.
Alex Chapman:
have a bad run of things. So if you're bug hunting to pay your next rent bill, that's not a good position to be in. And then on the kind of burnout side of things, for me personally, I work... When I am working, I'm just ramping back up again now,
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
I work about three days a week.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
And I'm relatively strict with that because I do childcare the other couple of days while my wife works.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
And that gives me a lot of time away from the computer, so with my family, with my kids,
Justin Gardner (@rhynorater):
Hmm
Alex Chapman:
which certainly helps. And I try to only hack on programs that I enjoy. I know I could make more money if I were to hack on things that didn't interest me,
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
but I'm disciplined enough to say I want to do this and I want to feel the joy of doing this. If I sit down at my computer and dread what I'm doing that day, that's not where I want to be.
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
And that's one of the big reasons I've not looked to go back into full-time work is... I enjoy what I do and
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
I set the direction for what I do on a daily basis and in the long term as well. Giving somebody else that power again I would find very difficult.
Justin Gardner (@rhynorater):
Yeah, no, absolutely. And I think that's something that, yeah, I'm beginning to learn for myself now as well is like, even though I have the freedom to work less hours and, you know, certainly I do take more time off than I would be allowed if I were working, you know, in, in an industry, you know, if I had a traditional job, but The ability to say, all right, I'm actually going to work four days a week or I'm going to work three days a week is something that as weird as it sounds, I haven't really considered up until this point, especially with the other ventures that I have going on it. Sometimes it works out that way, but it's four days of hacking, one day of real estate, three days of hacking, one day of training, one day of real estate or whatever. Right? And so I think that's something that going into this next phase for me, um, in 2024, I kind of want to set the goal of trying to cut my work hours down to, you know, um, to four days a week or maybe even three, uh, under your, under your, uh, example here. Um, and I think that will actually help a lot with, with lifestyle balance because it is really easy to, to get hyper focused on bug bounty and to,
Alex Chapman:
See you soon.
Justin Gardner (@rhynorater):
um, you know, burn out on it really quickly. So. Yeah, that aspect of taking a break and having that built into your schedule. Um, I think is very powerful.
Alex Chapman:
Yeah, and it's the flexibility as well. So if you're
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
having a bad day, just being up to saying that, I'm done.
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
Just walking away.
Justin Gardner (@rhynorater):
And I'm stubborn as shit about that. If I'm having a bad day, I'm like, no, the bad days are where your true character is defined. And I just try to push
Alex Chapman:
Nah.
Justin Gardner (@rhynorater):
through it. And my wife is like, you idiot. If you're having a bad day and you have the total flexibility to take it off, why would you work in an environment where you're unhappy, uninterested, burnout? Why would you do that? This is in a... terribly inefficient and she's so right. And so that's such a great lesson and I'm glad to see that that's been producing results for you as well.
Alex Chapman:
Yeah, no, certainly. The flexibility is... That's something that I really value. So I can work normal working hours or I can work kind of
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
10pm through to 3am if I need
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
to or just take a day off and work on the weekend when everybody else has taken a day off. So you get to do everything that's... So you get to, like, if you want to go do something do it on a Wednesday because nobody goes out on Wednesdays.
Justin Gardner (@rhynorater):
Right,
Alex Chapman:
And
Justin Gardner (@rhynorater):
right.
Alex Chapman:
then just work on a Saturday so you don't
Justin Gardner (@rhynorater):
Well,
Alex Chapman:
have to compete
Justin Gardner (@rhynorater):
yeah,
Alex Chapman:
with other people.
Justin Gardner (@rhynorater):
that's the other great thing, man, especially for people that like to travel, is like you can make that happen in the middle of the week, right? Especially if your partner can make it happen as well. It's so awesome to be able to just like show up to these sightseeing places and there's
Alex Chapman:
Yeah, 100%.
Justin Gardner (@rhynorater):
no one there, you know, at 2 p.m. on a Tuesday, you know? And so, yeah, what a great benefit that is as well.
Joel Margolis (teknogeek):
Yeah, sorry,
Justin Gardner (@rhynorater):
I'm hoping
Joel Margolis (teknogeek):
I
Justin Gardner (@rhynorater):
we
Joel Margolis (teknogeek):
walked
Justin Gardner (@rhynorater):
can
Joel Margolis (teknogeek):
out
Justin Gardner (@rhynorater):
shift.
Joel Margolis (teknogeek):
of the room.
Justin Gardner (@rhynorater):
Go
Joel Margolis (teknogeek):
I walked
Justin Gardner (@rhynorater):
ahead, Joel, go ahead.
Joel Margolis (teknogeek):
out of the room, but I wanted to ask, so when you do work like three days a week or something, do you find that your workload sort of compensates back for a five day work week? So say you're working 40 hours a week, eight hours a day, five days a week. Do you find that you're working like 12, 13, 14 hours on those three days?
Alex Chapman:
I wish I could sometimes but no because you've got the young kids it's very much some days it will be at 1pm my wife needs to be online to do work so that's my hard deadline I'll take that get the kids go down the park and
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
that's it me done for the day I can pick it up maybe when they go to bed if there's something I'm right in the middle of but
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
it is. relatively strict to three days a week unless I want to kind of stay up late in evenings and some evenings I will do that
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
but that's only
Joel Margolis (teknogeek):
How
Alex Chapman:
if
Joel Margolis (teknogeek):
do you
Alex Chapman:
I'm really
Joel Margolis (teknogeek):
organize?
Alex Chapman:
into it or...
Joel Margolis (teknogeek):
How do you organize when you have like, you know, you're like working four hours,
Alex Chapman:
Yeah.
Joel Margolis (teknogeek):
dip for three hours, come back, work for three hours, leave, hack for two,
Justin Gardner (@rhynorater):
That
Joel Margolis (teknogeek):
do
Justin Gardner (@rhynorater):
was
Joel Margolis (teknogeek):
you
Justin Gardner (@rhynorater):
my next
Joel Margolis (teknogeek):
keep
Justin Gardner (@rhynorater):
question
Joel Margolis (teknogeek):
like lots
Justin Gardner (@rhynorater):
as well.
Joel Margolis (teknogeek):
of notes? How do you, how do you do that?
Alex Chapman:
Yeah, badly I think. I'm getting better at note taking and that's kind of been a big push this past couple of years. So I keep everything in GitLab. I actually use project issue tracking for kind of leads, potential bugs, things I want to look at and have that all in there. I'll write my whole reports in. in there and sign them off and then copy them into the platform. I found that works quite well because it also lets me, if I am away from the laptop and I have a really good idea, I can just jump on to GitLab, open a new issue or append a comment to an issue that I'm working on. That's been working relatively well. I've let it lapse a little bit recently because I haven't been working so much, but I need to get back into that kind of discipline.
Joel Margolis (teknogeek):
That's such
Justin Gardner (@rhynorater):
Hmm.
Joel Margolis (teknogeek):
a developer centric approach. I love that. I think it's funny because generally I think a lot of developers, but myself especially, I'm very in favor of running it yourself and doing all that kind of stuff. But this is one of those cases where a cloud service or any type of hosted whatever is so, so useful. Because I do the same thing with Notion. That's what I use for my notes. Where if I have something come up and I just am out on the street or I'm traveling or whatever and I just think of something, I can pull my phone out, I can open the app, I can jot it down in
Justin Gardner (@rhynorater):
Mm.
Joel Margolis (teknogeek):
the notes, and then later when I'm in a position to be hacking, I can open up my notion and I can go through and I can see the notes that I left for myself. And it's so, so useful to have just that instant being able to just write it down and then access it later where if you're
Alex Chapman:
Yeah.
Joel Margolis (teknogeek):
hosting it yourself, you might be able to do that, but it's a lot more difficult and there's more loops you gotta jump through and all that kind of stuff.
Justin Gardner (@rhynorater):
Yeah. You know, what's kind of odd to me is that a lot of the things that you're talking about, they're, they seem really developer-y for lack of a better word, but you're, you've never been a developer. Is that, is that accurate?
Alex Chapman:
Not, not professionally, no.
Justin Gardner (@rhynorater):
Yeah. So your whole, your whole career has been, um, you know, uh, security. But there are a lot of correlations, which I think is very interesting and is probably, I imagine, is a mindset just sort of base for you as far
Alex Chapman:
Yeah,
Justin Gardner (@rhynorater):
as that goes.
Alex Chapman:
yeah and it's a discipline thing as well.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
I have the worst memory in the world so if
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
I don't write it down I'll remember it in like six days time when it's no use to me. So I do have to do that and I also find if I don't write it down I'll hyperfixate on it as well,
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
whereas if I write it down I can put it to one side and focus on what I'm doing.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
joked a couple of times in the past that I've found more bugs whilst lying awake in bed than I do at the computer.
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
But if I don't write it down at that point I just won't sleep. There's
Justin Gardner (@rhynorater):
Yeah,
Alex Chapman:
not hope in hell.
Justin Gardner (@rhynorater):
that's, I think that's a great tip for anyone who needs to have a work life balance with bug bounty. You know, if you're, if you're a single guy and you're just like, really just trying to like fricking love the bug bounty. And I remember sitting, you know, before I was married and doing some hacking and I would just hack for super long sprints. And I was just always in the zone and the flow go, go. But as, as I've, you know, realized the importance of work-life balance and maintaining my other relationships. The ability to step away from the computer and not lose a bunch of, obviously you're gonna lose your mental context for sure, but before you can do that, if you can predict by setting a timer or whatever for five minutes or 10 minutes before you have to leave, writing down where you're at currently and then being able to come back to that, I found it's a lot easier to get back in that flow state when you return to it. And it seems like that's what what you've been thinking as well with sort of trying to get back into taking notes.
Alex Chapman:
Yeah, hugely. My next step and progression on that this next year
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
is to really flesh out methodologies for myself.
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
So a lot of my bug hunting is either very ad hoc or I find a particular type of bug and then look around for that bug on different programs. I'm not a very good... Like if you sit me down in front of a web app, I'll get bored within three seconds.
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
But if I've got a methodology I know I can follow and that can help me pick out interesting things to look at. I think that will really help me and then if I get some source code, rather than just looking for, again I hyperfixate on code execution
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
because that's the real big bug. But there are hundreds of bugs I don't even bother looking for, which are really
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
big impacts. So I... I'm going to, my goal for kind of 23, 24 is to train myself and really formalise a lot of the things that I'm doing.
Justin Gardner (@rhynorater):
Mm. So that's, that's a great segue right into your, um, you know, bug bounty hunting methodology. Joel, did you have something you wanted to add before we moved to that?
Joel Margolis (teknogeek):
I was just going to say that that's something that happens. I think I certainly experienced a lot where it's like the things that I look for is like a sliding window or over time as I find new stuff that I
Justin Gardner (@rhynorater):
Mm.
Joel Margolis (teknogeek):
find really interesting or new techniques or whatever. Like that's what I'm really looking for. Like when I'm present and hacking and things that I would look for even like six months ago or a year ago are just not as interesting or not as important or not really what like I might look for it if I happen to see something and be like, oh yeah, let me check for that. I'll be pivoting into different exploitation techniques specifically and exclusively as I progress and I'll just shift the things that I look for over time instead of looking at every single thing that I've ever looked at ever in my entire history of hacking. How do you
Justin Gardner (@rhynorater):
Hmm.
Joel Margolis (teknogeek):
manage that? Do you keep notes of different categories? Or there's a site we've talked about, Hacktricks, that's kind of like this, where there's different categories for XSS, what you could do in... XYZ scenario.
Justin Gardner (@rhynorater):
Mm-hmm.
Joel Margolis (teknogeek):
Do you have anything like that?
Alex Chapman:
I have in the past, and I've lost several versions of it, I am trying to build it up again for bugs that interest me. That's the key thing. I never want to be looking for every bug. that's going back to audit and that's not what interests me.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
Um, but I personally find XSS really quite, quite boring to look for. The only time I ever look for it is if I need an XSS to trigger an RCE or something like that. Um, I was talking to somebody the other day, so I've, I've only found one SQL injection bug in my BugMatic career and I was using that to trigger another more, uh, better bug and, um,
Justin Gardner (@rhynorater):
That's great, I love
Alex Chapman:
that's.
Justin Gardner (@rhynorater):
that.
Joel Margolis (teknogeek):
Yeah.
Alex Chapman:
They're just not bugs that interest me because the fix is input validation or output encoding and it's just not an interesting thing.
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
To me
Joel Margolis (teknogeek):
That's awesome.
Alex Chapman:
personally,
Joel Margolis (teknogeek):
So
Alex Chapman:
that's
Joel Margolis (teknogeek):
it sounds
Alex Chapman:
a
Joel Margolis (teknogeek):
like generally
Alex Chapman:
very
Joel Margolis (teknogeek):
when
Alex Chapman:
personal
Joel Margolis (teknogeek):
you're
Alex Chapman:
opinion.
Joel Margolis (teknogeek):
hacking, nice. Yeah, so when you're hacking, you're not looking at the mediums and that stuff. What are you generally submitting? Is it pretty much highs and crits and very selective? I think Justin and I have a slightly different methodology on this generally. I very pick and choose about what I want to submit. I only really wanna submit super high quality, super high impact, as higher crit as I can get type vulnerabilities.
Justin Gardner (@rhynorater):
Mm-hmm.
Joel Margolis (teknogeek):
and Justin views it more as like
Justin Gardner (@rhynorater):
Mm-hmm.
Joel Margolis (teknogeek):
volume is also important, especially
Justin Gardner (@rhynorater):
Mm-hmm.
Joel Margolis (teknogeek):
when you do it full-time. And so having
Justin Gardner (@rhynorater):
Yeah.
Joel Margolis (teknogeek):
a flow of mediums, maybe not lows, but mediums especially is like really
Justin Gardner (@rhynorater):
Mm-hmm.
Joel Margolis (teknogeek):
important to keep a regular flow of income. And then working on those highs and crits is also obviously important just for big bonuses and all that kind of stuff.
Justin Gardner (@rhynorater):
Dude, I'll report a low. I don't give a shit. I'll
Joel Margolis (teknogeek):
Oh,
Justin Gardner (@rhynorater):
report
Joel Margolis (teknogeek):
okay, yeah,
Justin Gardner (@rhynorater):
a low.
Joel Margolis (teknogeek):
no, it's all on the table, I guess.
Justin Gardner (@rhynorater):
No,
Alex Chapman:
Oh,
Justin Gardner (@rhynorater):
just, sorry.
Alex Chapman:
yeah, I would.
Justin Gardner (@rhynorater):
Continue, Alex, sorry.
Alex Chapman:
Yeah, so I definitely aim for the highest in the crits.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
I think my target is kind of around one or two higher crit a month
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
on kind of the bigger paying programs.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
And that normally ties me over. I was looking at this somewhere. In four and a half years I've submitted under 200 bugs on HackerOne.
Justin Gardner (@rhynorater):
Wow.
Alex Chapman:
So
Justin Gardner (@rhynorater):
We're in Selma.
Alex Chapman:
I do go for very much for fewer and higher impact issues where I can. That kind of changes a little bit if we're talking about life hacking events and then pretty much medium plus we'll go for those.
Justin Gardner (@rhynorater):
Yeah.
Joel Margolis (teknogeek):
Yeah.
Alex Chapman:
Again, I don't like taking the time to report lows. I often find reporting low issues is detrimental to spending the time on finding other issues.
Justin Gardner (@rhynorater):
Hmm.
Joel Margolis (teknogeek):
Yeah.
Justin Gardner (@rhynorater):
Yeah.
Joel Margolis (teknogeek):
Yeah,
Justin Gardner (@rhynorater):
No,
Joel Margolis (teknogeek):
so
Justin Gardner (@rhynorater):
that, that
Joel Margolis (teknogeek):
on
Justin Gardner (@rhynorater):
makes
Joel Margolis (teknogeek):
the topic
Justin Gardner (@rhynorater):
sense.
Joel Margolis (teknogeek):
of...
Justin Gardner (@rhynorater):
I just ran the numbers on that. It's, it's, uh, that's four, that's four vulnerabilities per month on average, it seems.
Joel Margolis (teknogeek):
That's
Justin Gardner (@rhynorater):
Um,
Joel Margolis (teknogeek):
pretty good.
Justin Gardner (@rhynorater):
which is pretty,
Joel Margolis (teknogeek):
Wanna wake
Justin Gardner (@rhynorater):
for a
Joel Margolis (teknogeek):
you?
Justin Gardner (@rhynorater):
full-time hunter that that's, yeah, that is, uh,
Joel Margolis (teknogeek):
For
Justin Gardner (@rhynorater):
that's
Joel Margolis (teknogeek):
that
Justin Gardner (@rhynorater):
definitely
Joel Margolis (teknogeek):
impact
Justin Gardner (@rhynorater):
some
Joel Margolis (teknogeek):
is
Justin Gardner (@rhynorater):
high
Joel Margolis (teknogeek):
just
Justin Gardner (@rhynorater):
quality.
Joel Margolis (teknogeek):
like,
Justin Gardner (@rhynorater):
You've got to be pushing
Alex Chapman:
Yeah.
Justin Gardner (@rhynorater):
out. Yeah.
Joel Margolis (teknogeek):
yeah. Yeah.
Justin Gardner (@rhynorater):
Yeah,
Joel Margolis (teknogeek):
So on the topic
Justin Gardner (@rhynorater):
it
Joel Margolis (teknogeek):
of
Justin Gardner (@rhynorater):
is.
Joel Margolis (teknogeek):
LHEs,
Justin Gardner (@rhynorater):
And, and so.
Joel Margolis (teknogeek):
how does that change your hacking flow? Do you pretty much only do live hacking event prep or how much are you doing typical standard program hacking versus jumping to LHEs?
Alex Chapman:
So I kind of have a kind of all or nothing on life hacking events and that's not just effort that's performance as well. I've bombed in so many life hacking events like only being able to report kind of one or two mega bugs and I kind of feel like out of necessity at that time
Justin Gardner (@rhynorater):
Mm-mm, mm.
Alex Chapman:
all I get one or two or three really high impact bugs.
Justin Gardner (@rhynorater):
Right, right.
Alex Chapman:
And that, so my normal focus is kind of there, but it's a bit more muted. If I can get one really high impact bug in the live hacking event, I'm happy.
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
And then I'll work around that. And again, that also depends on who's running it as well. If I'm really engaged with the customer, and I think Justin mentioned earlier, GitHub was a good example of that last year. As soon as they were announced as the customer, yeah, precisely,
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
as soon as they were announced as the customer, I went all in on GitHub.
Justin Gardner (@rhynorater):
Mm-mm.
Alex Chapman:
So the normal life hacking event period is about two weeks of hacking once you know the full scope of the life hacking event, but as soon as the customer was announced, it was all right, okay. all in so I think I had about four and a half nearly five weeks of hacking on them
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
and that paid off hugely for
Justin Gardner (@rhynorater):
Wow.
Alex Chapman:
that event.
Justin Gardner (@rhynorater):
Yeah, that's awesome, man. And yeah, I remember the majesty of that performance. That will always be concreted in my mind as one of the greatest live hacking event performances I've ever seen. So congrats on that. And in
Alex Chapman:
Thank
Justin Gardner (@rhynorater):
conjunction
Alex Chapman:
you.
Justin Gardner (@rhynorater):
with that, I wanna talk a little bit about. your bug hunting techniques, but also, you know, let's look at specifically for live hacking events. So, you know, you mentioned that you're focusing on high and critical bugs and on live hacking events, you don't get to pick your target, right? Which I understand you're normally pretty picky about because you have a specific set of... of a very particular set of skills that,
Alex Chapman:
I was going to say if you weren't.
Justin Gardner (@rhynorater):
yeah, exactly, that you are going to use to hunt down the high end critical bugs, but that apply less well to other areas just by nature of how that is. When you're going, can you explain to me a little bit about what kind of areas you're looking at? if there's any indicators to you of what might be interesting for these higher and critical bugs. Because a lot of people are stuck in the area where they're finding mediums, lows, and the occasional high, but the crit is very elusive and you're one of the people that consistently finds crits. So, could you talk a little bit about that?
Alex Chapman:
Yes, so I mean the first thing I'll look for is any kind of source code or desktop application that's in scope or where I think I mentioned earlier or where they're using kind of open source modules that I can access the source on. That's my comfort zone
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
so as soon as I see something like that I'll dive into it head first. Normally if you see a desktop application in scope of Bug Bounty Program it'll be a Electron or Chrome embedded framework applications so you can pretty much get the source out of them easily as well to go through
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
And then it's anything that kind of hits my I guess spidey sense of where an issue is so
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
any PDF rendering any HTML rendering
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
I'll always spend time there, so I had a very productive six months in the last year looking at headless browser exploitation.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
So that was kind of kicked off with H1702 last year I think in Vegas.
Justin Gardner (@rhynorater):
Yep. Yes, it was. Ha ha
Alex Chapman:
There was
Justin Gardner (@rhynorater):
ha.
Alex Chapman:
one target I was looking at that was using headless Chrome to to render some, actually it wasn't user input. This is one case where I did have to find across that scripting.
Justin Gardner (@rhynorater):
Mm-mm.
Alex Chapman:
But I saw they were using an old version. So it was like, huh, I do wonder if I could write an exploit for that. I've
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
not written one for Chrome before, but let's see what I can do. So why not try and write a Chrome exploit under pressure in a few days? Because that sounds like fun.
Justin Gardner (@rhynorater):
Right.
Joel Margolis (teknogeek):
Hehehe
Alex Chapman:
But I was lucky enough there was enough information out there on this older version at the time to cobble something together. And did very well with that bug.
Justin Gardner (@rhynorater):
Mm. Yeah.
Alex Chapman:
And that kind of gave me the
Justin Gardner (@rhynorater):
Well,
Alex Chapman:
itch for that sort of bug.
Justin Gardner (@rhynorater):
I was going to say, you know, on that note, I'm sorry to interrupt.
Alex Chapman:
No.
Justin Gardner (@rhynorater):
But, you know, at that time, that was really, that was something really impressive that we had. that not a lot of us had seen at the bug bounty scene. Because you do see a lot of this stuff in sort of more of the prone to own or like just actual people that hunt for zero days and don't do the competitions. You've seen those there, but that sort of browser exploitation wasn't something we had done, had seen a lot of in the bug bounty scene before. So could you talk to me a little bit about how you went on that path of learning about browser exploitation how you did it so quickly to be able to write and exploit for this specific target in a couple days. That seems like quite a feat.
Alex Chapman:
Yeah, so I've got modest experience with binary exploitation anyway,
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
so I kind of understand all the principles of what you need to do, so bypassing ASLR,
Justin Gardner (@rhynorater):
Mm. Mm-hmm.
Alex Chapman:
what to do when you've got control of the programming counter
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
and all the rest of it. I kind of get those fundamentals, but I hadn't looked at a full-on browser JavaScript exploit before. The... GitHub security blog had some really good posts on it about exploiting a very similar issue than the one I
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
was trying to do. So I started reading up there. I can't remember the person's name who's writing these blogs and probably butcher it if I did try to say
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
it, but really detailed exploitation steps of how they went about finding and exploiting some bugs. So that was a really good stepping stone to help me with that. And it was from that point on when I knew it was possible, it was just sheer force of will and no sleep, I think of that.
Justin Gardner (@rhynorater):
Well, okay, so that's, I'm glad you added that last bit because I was like, in those situations, when I get in that situation, when I lock on, I'm like, I know this is possible, I gotta get it done, right? Then that's when the rubber hits the road for that life balance stuff that I
Alex Chapman:
Yeah,
Justin Gardner (@rhynorater):
preach about all the time,
Alex Chapman:
yeah,
Justin Gardner (@rhynorater):
right?
Alex Chapman:
hugely.
Justin Gardner (@rhynorater):
That's when I say like, all right, am I gonna just brain dump onto this notepad and then go to bed at a decent time with my wife or am I gonna sit here and write code till 3 a.m. in the morning? And so, I mean, I guess, no, I'm gonna put you on the spot. Like, what happened during that event? I mean, what did that life balance look like for you?
Alex Chapman:
It was relatively good at the start of the event because I had
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
no bugs and I didn't have any leads.
Joel Margolis (teknogeek):
Hahaha!
Alex Chapman:
It was about halfway through the event that I came across this target and realised it was going to be vulnerable. And that's where it did take over a bit.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
But then
Joel Margolis (teknogeek):
Yes.
Alex Chapman:
you also have the difference in that you're flying away from your family or your usual... routine. So going out to Vegas I had eight hours on a flight and a laptop again so I was like right okay let's see what I can do there. I think by the time I landed I had most primitives in place that I needed
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
to be able to prove it was vulnerable
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
and
Joel Margolis (teknogeek):
Yeah.
Alex Chapman:
then from that point on it was then trying to write a reliable exploit for the particular version in use and really hammering that home. I remember I think I got it at about... 5am Vegas time, I finally popped it on the day of that, it was either day before or the day of that particular customer
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
and
Joel Margolis (teknogeek):
So
Alex Chapman:
I managed
Joel Margolis (teknogeek):
was it
Alex Chapman:
to
Joel Margolis (teknogeek):
a
Alex Chapman:
do
Joel Margolis (teknogeek):
full
Alex Chapman:
that
Joel Margolis (teknogeek):
exploit to RCE, or was it just like a POC where it crashes or something?
Alex Chapman:
So, full exploit to RCE, but without a sandbox escape. So, a large proportion of the time when you see headless browsers being used in a backend, the sandbox would have been disabled because it's easier to deploy that way.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
And that makes exploiting it so much easier.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
I've only done one successful full renderer RCE through sandbox escape and that was fun. I'm not interested in doing that again if I can avoid it.
Joel Margolis (teknogeek):
Yeah, so I am curious, like, do you think it's worth it, taking that last couple inches? Because I've reported something very similar. We got paid for it at a live hacking event. I think I can say who it was. It was Meta. It was a hardware device and it was using an updated Chromium browser, essentially. And so what we did was we found a POC for that same version range and it was able to successfully crash it, but we didn't decide that it was really worth the effort to, like, push it just that last couple of inches to go from crash, definitely valid, like you could take this further to all the way to like full RCE POC. Do you think that it's worth it
Justin Gardner (@rhynorater):
Hmm.
Joel Margolis (teknogeek):
to do that or will the company kind of understand? And this is kind of company by company, but generally do you think it's worth it to like spend all that time and effort developing a full working POC? Or is it good enough to say, here's a CVE for the V8 engine, it applies to this version. We can see that it crashes with this POC. You can connect the dots.
Alex Chapman:
In my experience, every time I haven't had a full RCEP, I've been like, it's been downgraded to a medium
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
or fobbed off. The recent life hacking event, I had one with a, I just submitted the POC. I was like, this would be a Herculean effort to get to RCE and they were like, yeah, here's $200. So I was like,
Joel Margolis (teknogeek):
Come
Alex Chapman:
yeah.
Joel Margolis (teknogeek):
on man.
Alex Chapman:
So the...
Justin Gardner (@rhynorater):
Oh my gosh.
Alex Chapman:
The benefit, and this is what I really found last year, was that once I had one, and people learnt that I had one, they would come to me and say, oh, I've got this one over here. Have you got an exploit for that? And if I didn't, but I thought there was one that I could, again, develop, I would go and I would do that. So I think in the end, last year, I wrote three, no, four Chrome render RCEs. a phantom JS RCE and a WKHTML to PDF RCE,
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
and each one of those got used at least twice
Justin Gardner (@rhynorater):
Wow.
Alex Chapman:
in Co-Labs as well, which kind of really helped because once it's there it's no effort for me to say, or very little effort, change the version numbers and some offsets.
Justin Gardner (@rhynorater):
Wow, so this is sort of like the reverse, today is new is like, you know, you go to today is new when you need a sub domain takeover and access test on a sub domain or like, you know, like some sort of cookie inject, you know, or some lower level bugs that will help you build a greater chain. And you go to Alex Chapman when you need a crazy, you know, super exploit for your, you know, vulnerable-ish looking. Browser render that's happening. That's that's really cool because that model really does that model really does work We've seen it time and time again at one of the last live hacking events Eric took first place without Having a single report that was his own. It was all collaboration
Alex Chapman:
Yes. Yeah, 100%.
Justin Gardner (@rhynorater):
which was just Absolutely legendary and made bug bounty history about what the power of collaboration, you know has So it's cool to see the flip side of that as well with you. And I think that speaks to your experience within collaboration as well, because you collaborate a lot with a specific set of people at live hacking events, and I'm sure that helps the scenarios where, like you mentioned, your bug bounty experience is kind of up and down like that. So could you talk a little bit about that collaboration experience and how it's helped you Grow as a hunter and also as it's helped your performance in live hacking events.
Alex Chapman:
Yeah, I mean it's... Collaborating in live hacking events is always a lot more fun than doing it on your own anyway. And that's kind of the... One of the things I always fall back on. I
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
enjoy my job and I want to enjoy my job. So it's fun to just get together with a group of friends and go at it. But also the... The hackers who I've been working with on a few events, so Archangel, Rezo and DC,
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
they all have different areas of interest and focus than me. So
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
if I fail to get my one critical,
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
then between them they've got 50 or 60 reports in
Justin Gardner (@rhynorater):
Right.
Alex Chapman:
that we can profit through. But if I get my one... big bug, then it goes the other way. So it's been a really good way of working for me recently, certainly in life hacking events.
Justin Gardner (@rhynorater):
Hmm. And
Joel Margolis (teknogeek):
Nice.
Justin Gardner (@rhynorater):
I bet that
Joel Margolis (teknogeek):
Yeah.
Justin Gardner (@rhynorater):
helps as well with your growth as, as a hacker when it comes to like being able to see. other hackers and their style as well. Cause you mentioned before that you're, you're not as strong in the traditional web vulnerabilities. And then having someone like, you know, Archangel and, and rezo people that have strong web backgrounds. And then having access to those reports as well is I'm sure just a great learning opportunity. And then vice versa for them, being able to see your, your deeply technical source code powered, you know, mega crits, I'm sure helps them grow as well.
Alex Chapman:
Yeah, and that's kind of part of the thing as well. If you're not learning or doing bug bounty, you're doing something wrong. It's, you kind of always want to be trying to improve yourself and your skill sets, and collaboration is one of the easiest ways to kickstart that.
Joel Margolis (teknogeek):
Yeah, that's really interesting. So for like the binary exploitation side versus source code review, do you find that you're doing a lot more of the binary exploitation or what kind of stuff are you really focusing on now?
Alex Chapman:
I do less binary exploitation than I want. It's always a lot more involved and it's got a lot higher cost to doing it.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
So whilst I would love to have that be my main area of focus, one I don't think I'm skilled enough in it and two it's not as reliable income as source code review and other forms of testing. So if it was just down to me every other week I'd be doing binary exploitation and filling in other areas in between, but I'm not quite there skill level yet I don't think.
Justin Gardner (@rhynorater):
Hmm.
Joel Margolis (teknogeek):
So we've talked about this a little bit when we talked about source code review. We had a whole episode about it. But do you, when you do your source code review, is it more of like a sort of outside in approach or an inside out approach? Meaning do you find interesting like sinks, like you know, there's a command being run here or do you say here's a public endpoint that looks like it might have juicy functionality? Let me see how I can connect these two together. How do you sort of approach a code base when you're looking for those really high criticality vulnerabilities?
Alex Chapman:
Yeah, so I tend to focus on the sinks and then work backwards from there. So
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
as I said, I kind of hyper-focus on code execution wherever I can.
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
And be that through command injection, deserialization, writing arbitrary files, that sort of thing, that's, that always kind of piques my interest.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
And that's where I spend my my time. I over focus in those areas. So I know I could be finding a lot more bugs if I looked a bit more generally. And again, that's kind of one of my goals for this next year or two. But also to bring in more automation into my kind of source code view and binary reverse engineering.
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
So I've been playing around with Co-Ql, Semgrep, Yern, and a few others to kind of... help with that and build up a methodology there.
Joel Margolis (teknogeek):
Yeah. Where do you draw the line?
Justin Gardner (@rhynorater):
That's a... Go ahead,
Joel Margolis (teknogeek):
Sorry,
Justin Gardner (@rhynorater):
Joel.
Joel Margolis (teknogeek):
there's a crazy audio delay, so it's like we keep talking over
Justin Gardner (@rhynorater):
Hehehehe
Joel Margolis (teknogeek):
each other. Where do you like draw the line in terms of when you're going sort of inside out, right? Like if you have something that looks like code execution and you've flushed out sort of what you think are all the paths, there's always kind of that possibility that you might be misunderstanding something or there might be a connection somewhere else. Where do you draw that line and say, okay, it's time to move on and look at the next sink?
Alex Chapman:
Um, normally based on my frustration level. Um,
Joel Margolis (teknogeek):
Ha ha.
Alex Chapman:
if I,
Justin Gardner (@rhynorater):
Feel
Alex Chapman:
if I've
Justin Gardner (@rhynorater):
that.
Alex Chapman:
been hammering on it, yeah, if I've been hammering on it for a couple of days and really can't just can't see any, any future in it, then I'll, I'll try something else and probably, I'll probably go back to it for a couple of days later on, so take a break, go back to it. Um, and then sometimes I'll just outright think no, nowhere that's going to be exploitable. and then somebody like Vax will come along and exploit the exact same thing that I was looking at.
Justin Gardner (@rhynorater):
I hate that, man. I freaking hate it when Vax does that.
Alex Chapman:
He did it on one of the GitLab bugs. Exif tool. I was looking
Justin Gardner (@rhynorater):
Oh
Alex Chapman:
at Exif
Justin Gardner (@rhynorater):
no
Alex Chapman:
tool,
Justin Gardner (@rhynorater):
way!
Alex Chapman:
like, I checked the logs. I was looking at it about two weeks before he submitted his RCE in it. I was like, yeah,
Justin Gardner (@rhynorater):
UGH!
Alex Chapman:
I can see it's shelling out here, but there's no way to get access to it. So I'm just gonna move on. And then saw that, I was like, oh, that's a big bug that
Joel Margolis (teknogeek):
Uh...
Alex Chapman:
I missed.
Justin Gardner (@rhynorater):
man,
Joel Margolis (teknogeek):
Dang.
Justin Gardner (@rhynorater):
that stings. And I just want to go back to what you were saying before when Joel asked about sources in syncs. We've asked that question a couple of times. We've discussed it ourselves as well. And I think this is the first time we've had a really solid like, no, I go to syncs, you know, a sort of response. Like first, I think that's really cool. And I think that shows that methodology is absolutely. you know, an appropriate methodology, a methodology that produces really good results. Um, and, and I think I tend to be on the, on the flip side of that. And I like to try to go look at the sources, see where I can inject, you know, my input and, and then go down all of the routes, you know, and, and it may be because I, I don't have as good of an I, a perspective on, um, you know, which, which syncs lead to code execution, like I've recently been talking about, configuration file injection, and just sort of if you can inject into a templated configuration file, right, that there's a lot of chances for RCE there, because there's this switch of context between your current service and then the service that it's building with that configuration file.
Alex Chapman:
Yep, you too.
Justin Gardner (@rhynorater):
And so I think maybe as, maybe in the beginning, it might be helpful for people to look at sources and then as they gain more experience, they should look at syncs, would you agree with that?
Alex Chapman:
Yeah, I mean, it's really different approaches for different people.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
I know what I'm looking for when I'm looking at a source repository.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
Again, sometimes to my detriment, because I will focus on it. But I've had two recent examples. I've been doing quite a lot of work on JDBC drivers recently. So looking at what can be done with them and there were two JDBC drivers I found out there that I was able to find had Archie file read write in. So that if you can get this to connect to a server, the server can just read anything off the connecting
Justin Gardner (@rhynorater):
Wow.
Alex Chapman:
system or write anything to the connecting system. And that was, I found those specifically because I was looking for the particular file writes. and other things and then worked back from there working up the protocol stack then being right can I access this yep okay can I access this yep okay can I access this yep okay so if I implement a custom Diffie-Hulman key exchange I can get through to this bit. So working backwards really helps me rather than working from the input.
Justin Gardner (@rhynorater):
Yeah, I think this is something that I've actually seen and this actually goes to a bug that I wanna talk about later, which is our bug collision we had at a live hacking event earlier this year.
Alex Chapman:
So forgive me for that.
Justin Gardner (@rhynorater):
I, and we'll get to that, but I want to, I wanna talk about this whole concept of, you know, having a protocol connect and then have that, you know, reverse connection back to the client, have some. have some effect on the client. But you piqued my interest when you talked about those connection pieces. So anything you want to share, any little tidbits that you want to throw out there with regards to that.
Alex Chapman:
I mean, yeah, generally the security boundary when a client connects to a server
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
is less than when a server connects to a talks back to a client, if that makes sense.
Justin Gardner (@rhynorater):
Mm-hmm. Right.
Alex Chapman:
So there's a lot of programs assume that the client will only ever be used in an authorized way
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
to connect to an authorized server.
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
Whereas if you can get a client to connect to a server you control, you generally have a much better security. more privileged access to be able to do things. I'm alluding to the bug that I know Justin wants to talk about, but I found that exact same bug in four or five different client applications.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
Because the original developers thought nobody's ever gonna stick this on a server and connect to an untrusted
Justin Gardner (@rhynorater):
Right.
Alex Chapman:
server with it. or stick in the back and connect to an untrusted server. And then kind of cloud CI CD comes along and we're all using Git and SVN and Mercurial and Perforce and other things to connect to untrusted servers.
Justin Gardner (@rhynorater):
Mm, mm.
Alex Chapman:
Similar with kind of low code environments. Okay, let's let the customers connect to their own databases. So here, just give us a database connection string and we'll go connect to your database and pull the data from you. And a lot of the clients just weren't designed with that security boundary in place.
Justin Gardner (@rhynorater):
Yeah.
Alex Chapman:
So it's a really interesting place to be looking for bugs. And again, it kind of fits my, if it's a client, you can normally get hold of the software. You can reverse engineer it or
Justin Gardner (@rhynorater):
Right.
Alex Chapman:
look it up on GitHub.
Justin Gardner (@rhynorater):
So, so I'll, uh, that, that definitely is a excellent tip for anyone looking for high impact bugs there. If there's a database connection that is being sent from the server to your database or something of the like great stuff there. But I want to, I want to go back to that JDBC piece that you said, you know, uh, so let's say I've got a JDBC configuration, uh, injection, right? Where I, where I can have it connecting out to my DB. Um, you know, I'm not going to prevent you from sharing your research here, but any specific directions you want to point us in or are we looking for a blog post in the future or is this going to, are we keeping our cards close to our chest on this one?
Alex Chapman:
Yeah I mean I'm still actively exploiting a few of these issues
Justin Gardner (@rhynorater):
Okay.
Alex Chapman:
so keep a little bit back but...
Justin Gardner (@rhynorater):
Well, hey, the audience can't tell me I didn't try, because I tried for
Joel Margolis (teknogeek):
Haha.
Justin Gardner (@rhynorater):
you, audience, so...
Alex Chapman:
Well, I think generally if you can change the
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
query string parameters on the JDBC, or if you can control the query string parameters on the JDBC connection, you can do quite a lot.
Justin Gardner (@rhynorater):
Mm-hmm.
Alex Chapman:
A few of the connectors are getting better. So I think the... Which was it? Not DB2. One of the,
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
not MariaDB, MySQL or DB2
Justin Gardner (@rhynorater):
Hmm.
Alex Chapman:
namescapes me, but they've had two CVEs raised against them recently for this kind of exact same issue. And one was being able to specify the location of a log file through a query string parameter, which
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
meant you could write arbitrary
Justin Gardner (@rhynorater):
Ah.
Alex Chapman:
file output out. And another one was a JNDi injection, which was similar to the log4j sort
Justin Gardner (@rhynorater):
interesting.
Alex Chapman:
of exploitation.
Justin Gardner (@rhynorater):
Very cool. Good,
Joel Margolis (teknogeek):
Was the log
Justin Gardner (@rhynorater):
good,
Joel Margolis (teknogeek):
for J what
Justin Gardner (@rhynorater):
good tips
Joel Margolis (teknogeek):
kind of
Justin Gardner (@rhynorater):
there.
Joel Margolis (teknogeek):
led you down this whole rabbit hole of looking at JDBC or?
Alex Chapman:
No, I actually picked this up a few years before that came out and then when that came out again it kind of led me down that path again.
Justin Gardner (@rhynorater):
Yeah, he was an early, early adopter
Joel Margolis (teknogeek):
You could have
Justin Gardner (@rhynorater):
with
Joel Margolis (teknogeek):
had
Justin Gardner (@rhynorater):
those
Joel Margolis (teknogeek):
the log
Justin Gardner (@rhynorater):
sort
Joel Margolis (teknogeek):
for
Justin Gardner (@rhynorater):
of
Joel Margolis (teknogeek):
J-Volt.
Justin Gardner (@rhynorater):
ulns.
Alex Chapman:
Yeah,
Justin Gardner (@rhynorater):
So
Alex Chapman:
I mean,
Justin Gardner (@rhynorater):
that's,
Alex Chapman:
I was
Justin Gardner (@rhynorater):
yeah,
Alex Chapman:
gonna say,
Justin Gardner (@rhynorater):
man.
Alex Chapman:
if I'd had Log4j, that would have been a good payday.
Justin Gardner (@rhynorater):
Yeah,
Alex Chapman:
But,
Justin Gardner (@rhynorater):
a lot of
Joel Margolis (teknogeek):
Yeah
Justin Gardner (@rhynorater):
near misses here, Alex. Like, come on, man. No.
Joel Margolis (teknogeek):
I need to start
Alex Chapman:
story
Joel Margolis (teknogeek):
hanging around
Alex Chapman:
of my
Joel Margolis (teknogeek):
Alex
Alex Chapman:
life.
Joel Margolis (teknogeek):
more. Just everything that Alex
Justin Gardner (@rhynorater):
Well,
Joel Margolis (teknogeek):
goes, no,
Justin Gardner (@rhynorater):
well.
Joel Margolis (teknogeek):
I'm gonna write that down.
Alex Chapman:
I'm sorry.
Justin Gardner (@rhynorater):
Yeah, write that down right away. Um, uh, so I think, uh, we're, we're running to a close here on, on time, but, um, I did want to talk about, uh, this, this bug. And I think, uh, it's enough in the past now that we can kind of, um, that we can kind of talk about it a little bit. Uh, this, this was a bug at a live hacking event, um, earlier this year. And it was a RCE that, and this is the thing that makes me sad too, is that, um, this is a blog post that Alex wrote up on a specific vulnerability and a specific protocol, uh, perforce. And, um, and I, you know, using, to be fair to myself, using other resources and Alex's blog, um, I found, you know, an RCE on this, on this target, the shared target that we had and, um, and. then I submitted the report before Alex did. So he duped, and we split the bounty, right? Cause it's a live hacking event dupe. But you know, it was one, it was a really great example of the way that Alex thinks. And what we were talking about earlier with blogging about things that you're passionate about. And perfect example of this client server trust sort of situation that we have, cause that's where the vuln was. Um, but, and Alex, I don't recall whether I sent you this specific vulnerability before we started, uh, recording the podcast. Do you want to talk to the technical details of this vuln? Uh, did you, do you have the, it fresh enough in your mind, or do you want me to take a stab at it and you can kind of supplement?
Alex Chapman:
Yeah, I think I've actually been looking at it again recently for something else, so it is top
Justin Gardner (@rhynorater):
Oh,
Alex Chapman:
of mind.
Justin Gardner (@rhynorater):
what? Okay, all right.
Alex Chapman:
It's
Joel Margolis (teknogeek):
Oh.
Justin Gardner (@rhynorater):
Talk
Alex Chapman:
out there,
Justin Gardner (@rhynorater):
us through it, man. Talk us through
Alex Chapman:
this
Justin Gardner (@rhynorater):
it.
Alex Chapman:
is an interesting one. So again, for those who don't know, Perforce is a version control system, so similar to Git or SVN, that's heavily used in the game industry because it works really well with very large files, so if you've got really large assets, 3D models, that sort of thing. And it's a very typical example of the client trust that we mentioned before. So all the Perforce client really does is connect to the server and the server then says, run this command. And then the server will say, OK, show me what files you've got. Check the hashes of the files against the files I've got. So rather than it being client controlled, it's server controlled.
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
And that was the first thing that got my interest. I was like, well, how does it give you new files that you don't have on your system?
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
And it turns out it just sends a, I think the command is literally send file
Justin Gardner (@rhynorater):
Yeah,
Alex Chapman:
or write
Justin Gardner (@rhynorater):
it's
Alex Chapman:
file. I
Justin Gardner (@rhynorater):
client
Alex Chapman:
was like,
Justin Gardner (@rhynorater):
dash write file is what I
Alex Chapman:
yeah.
Justin Gardner (@rhynorater):
have in
Alex Chapman:
I
Justin Gardner (@rhynorater):
my report right here, which is just
Alex Chapman:
was like,
Justin Gardner (@rhynorater):
gold.
Alex Chapman:
ooh,
Justin Gardner (@rhynorater):
Like
Alex Chapman:
that
Justin Gardner (@rhynorater):
I love
Alex Chapman:
sounds
Justin Gardner (@rhynorater):
that.
Alex Chapman:
interesting. Yeah. So then seeing that, like, okay, right, how are we going to go about testing this? So what do you do? Break out Python and then start trying to reverse engineer the protocols that's going on the wire and wire shark and building it up, byte by byte, bit by
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
bit, to a point where I pretty much had a fully functioning Perthul server written in Python
Justin Gardner (@rhynorater):
Mmm.
Alex Chapman:
to kind of handle the auth, do all the rest of it to get it to the point. where with just a login it would be able to write an arbitrary file on the connecting system.
Justin Gardner (@rhynorater):
Mm.
Alex Chapman:
And that was great. So I think just in saying this bug collision on the life hacking event I kind of have a bit of a blasé attitude to submitting these bugs that I don't think anybody else is going to submit in life hacking events. And this one
Justin Gardner (@rhynorater):
Thanks for watching!
Alex Chapman:
I wasn't going to submit in the
Justin Gardner (@rhynorater):
Oh, dude, that would have been a nightmare, man.
Alex Chapman:
I'll prove it after the juke period closes because nobody else will find it. And I was like, I've got a little bit of time, I'll get it in.
Justin Gardner (@rhynorater):
Holy moly.
Alex Chapman:
And then when I found out it had been juked, I was like,
Joel Margolis (teknogeek):
Yeah,
Justin Gardner (@rhynorater):
Oh man.
Joel Margolis (teknogeek):
I'm gonna start submitting everything during
Alex Chapman:
oooookay.
Joel Margolis (teknogeek):
the dupe
Alex Chapman:
As
Joel Margolis (teknogeek):
here now.
Justin Gardner (@rhynorater):
Yeah, right.
Alex Chapman:
soon as it was juked, I went to the tradition and I was like, can you let me know who juked that?
Justin Gardner (@rhynorater):
Who,
Alex Chapman:
Because
Justin Gardner (@rhynorater):
who was it?
Alex Chapman:
I want to have a word.
Justin Gardner (@rhynorater):
It was, it was, and it was, I want to say on your team as well, they took, you guys took bets on who it was,
Alex Chapman:
Ciao.
Justin Gardner (@rhynorater):
right? And who was it that guessed it was me? One of them correctly guessed that it was me. Was
Alex Chapman:
Yeah, Marvin Douglas, I can't
Justin Gardner (@rhynorater):
it, I want
Alex Chapman:
remember.
Justin Gardner (@rhynorater):
to say it was Douglas as well,
Joel Margolis (teknogeek):
haha
Justin Gardner (@rhynorater):
yeah. So I appreciated that vote of confidence. It is a... one of the highest honors in my bug bounty career to have duped an Alex Chapman bug. So I'm sorry for using your own blog post against you, but
Alex Chapman:
I'd completely
Justin Gardner (@rhynorater):
yeah.
Alex Chapman:
forgotten I'd written that to be honest.
Justin Gardner (@rhynorater):
Oh, did you really? No
Joel Margolis (teknogeek):
That's
Justin Gardner (@rhynorater):
way.
Joel Margolis (teknogeek):
awesome.
Justin Gardner (@rhynorater):
So you didn't even reference back to it when you had, oh my
Alex Chapman:
Um.
Justin Gardner (@rhynorater):
gosh. Wow, that's crazy.
Joel Margolis (teknogeek):
That's awesome.
Justin Gardner (@rhynorater):
And so I just wanted to go to what you were saying, you wrote out a full... per for server and I'm looking at my exploit right now. And you know, I love that experience of writing out, you know, like a binary level protocol for these sort of things. And you know, you said that handles the auth and stuff like that. I'm looking at my code and it, you know, handles the auth. It's just like, yeah, don't mind that. You
Alex Chapman:
Yeah.
Justin Gardner (@rhynorater):
know, like, you know, it connects to the server. You're like, no, it's fine. Yes, yes, you got it correct. You know,
Alex Chapman:
Yeah.
Justin Gardner (@rhynorater):
like, and then, and then you just, yeah, yes, you're more connected. Here's the code, run. And it's just a fun vulnerability type for
Joel Margolis (teknogeek):
That's awesome.
Justin Gardner (@rhynorater):
sure. Yeah, I think Joel has to bounce to a meeting. So we'll bring it to a close here. Alex, for all of you that are listening, you can find Alex on Twitter at AJXChapman, on HackerWanna AJXChapman, ajxchapman.github.com,
Alex Chapman:
Just
Justin Gardner (@rhynorater):
everywhere
Alex Chapman:
everywhere,
Justin Gardner (@rhynorater):
AJXChapman.
Alex Chapman:
yeah.
Joel Margolis (teknogeek):
JXTravelling.
Justin Gardner (@rhynorater):
Alex, thanks so much for coming on man. Did you have anything that you wanted to say as we sign off?
Alex Chapman:
I appreciate the work you guys are doing on the podcast. It's a good one. I've had to stop listening while I walk the dog though, because I've got to take too many notes. So it's...
Joel Margolis (teknogeek):
Yeah.
Justin Gardner (@rhynorater):
We get that feedback often. So maybe we need to stay on top of getting our notes out that accompany the episodes. And hopefully that'll make for a little bit more of a leisurely listening experience.
Alex Chapman:
Definitely.
Joel Margolis (teknogeek):
Yeah, yeah,
Justin Gardner (@rhynorater):
All
Joel Margolis (teknogeek):
but
Justin Gardner (@rhynorater):
righty.
Joel Margolis (teknogeek):
yeah,
Justin Gardner (@rhynorater):
Well, thanks so much
Joel Margolis (teknogeek):
it was
Justin Gardner (@rhynorater):
again.
Joel Margolis (teknogeek):
awesome chatting
Justin Gardner (@rhynorater):
And
Joel Margolis (teknogeek):
with you.
Justin Gardner (@rhynorater):
yeah, go ahead, Joel.
Joel Margolis (teknogeek):
Yeah,
Alex Chapman:
I appreciate
Joel Margolis (teknogeek):
no, it was awesome
Alex Chapman:
it. It's
Joel Margolis (teknogeek):
chatting with
Alex Chapman:
been
Joel Margolis (teknogeek):
you.
Alex Chapman:
fun.
Joel Margolis (teknogeek):
Thanks for coming on. And yeah, well, we'll probably be collabing at some point in the future.
Justin Gardner (@rhynorater):
Oh yeah, we will. All
Alex Chapman:
Sounds
Justin Gardner (@rhynorater):
right,
Alex Chapman:
good.
Justin Gardner (@rhynorater):
peace.
Joel Margolis (teknogeek):
Alright,
Alex Chapman:
Cheers.
Joel Margolis (teknogeek):
peace.
