“I make all the mistakes, I might as well tell others before they make them. Fail is literally in my name.” -FailOpen
If you’ve been on our Discord, you’ve probably seen FailOpen before. He is likely our most active user in Discord, can be seen in all of the channels, and almost always has an answer for any question. FailOpen is not only extremely present in Discord, he is also a valued contributor to our projects on GitHub. We were excited for the opportunity to chat with him just before our holiday break about hacking, tech, and a little about reverse engineering BASIC on a TRS80, too.
ProjectDiscovery: All right, so tell me a little bit about how you got started in bug bounty and pen testing.
FailOpen: So I don’t do much straight bug bounty, but the work that I do is still very ProjectDiscovery centric. So I started working for a large military contractor in 2004. I’m the one that proved to the client that the software did what the requirements said, which is a miserable life when you work in military contracts, because those contracts are literally books.
But what I found is rather than trying to prove that things worked, everything broke underneath my hands. I became the lead for breaking everything and tracking everything, and also found that I had a strange memory for remembering all the stuff that you shouldn’t have to memorize.
There was an internal development, leadership development program at the organization. This leadership development program encourages you to move around. Instead of doing a job for ten years, you do it every six months and get pulled into places that you don’t have experience in so you can get it. It’s kind of an incubator type program. Ended up getting into a junior security architecture position, which was sitting next to the red team of that company. And then I quit the program.
ProjectDiscovery: (laughter). Just quit?
FailOpen: Yeah, but I stayed in security. So that’s kind of like a hacker thing, right? It was never, like, planned out or intentional, but it’s what happened. And that was when it was easy to get into security, because security wasn’t a thing people were trying to get into. It’s such a different thing now than what it was then, but I stayed in there, did eight years, internal red team for that. I started going to conferences around the same time, and realized that I don’t understand the conversations that are being had at these conferences about industry problems with compliance and similar issues. So I knew where I was at wasn’t the best place to learn.
ProjectDiscovery: How did you find ProjectDiscovery? What problem were you trying to solve?
FailOpen: Yeah, it was the discovery based tools; they are geared exactly for what I want. And my team thinks I work for you guys because I’m constantly recommending your stuff.
Subfinder I think was one of the first ones that was on my radar. Nuclei, I happened to kind of just start dabbling with Nuclei just before log4shell happened. I’m on the East Coast and the company is on the West Coast. So I was able to wake up to see how bad it really was. Somebody already had a template for it so I was able to get started on our systems. So that kind of got some attention on letting me do what I do.
ProjectDiscovery: So it was right around the time log4shell, and that’s when you found Nuclei and you had the template up and you were able to wake up people on the west coast with like, hey, this big vulnerability just happened. Everyone’s going crazy. I’ve already looked for it. We’re good.
FailOpen: We weren’t good. I had already looked for it, and we can fix it. I mean, it wasn’t as perfect as I’d like it to be, just because of the nature of log4shell. Log4shell is a beast to try to actually find, especially when you have gateways and stuff like that. Everything looks like it’s vulnerable, but it’s really stuff behind. But we know this is bad. But I don’t think anybody needed to be told that they might be vulnerable to that one, because I think it was just everybody. But I gave them a good starting point to start to poke at. And just the cleanliness of the templates lets even someone like me, who, again, historically, didn’t really know what the heck I was looking at when it came to that kind of stuff, write them or at least modify them, understand them, and generally tell if they’re going to break something.
And then I just started digging into more and more of the repos and kind of stuff. And ProjectDiscovery is the only reason why I even remotely know how to read Golang. We were a Python shop. Python is great. I can understand Python. Go is very different from Python. Definitely can’t write it, but I can at least dig in. If I can’t figure out why something is working in a tool, I can at least look at a freaking tool and see how it works in the code. So more than I can say for two years ago.
ProjectDiscovery: What tools other than ProjectDiscovery tools do you use?
FailOpen: It’s getting kind of limited at this point [using outside tools]. ProjectDiscovery kind of has all the things that I need. If you stalk me on Discord, you’ll also see that I haunt the axiom scan, as well as now I’m living on the Trickest Discord because I started to use Trickest, which is getting to be pretty cool. It’s a neat tool if you haven’t seen it, but axiom is the main one for just straight up being able to spin up 500 systems and do a huge crazy scan. Trickest does really cool pipelines and it’s all pretty graphical and stuff like that. But they have some amazing pipelines already set up and every tool in existence is already in there, and it’s made for bug bounty. So not doing a pitch for them because I’m not affiliated with them, I pay for their stuff, but it was primarily to stitch together the different tools and how to do it quicker and faster, all that kind of stuff. So those are my two ones that I tend to be throwing things at.
Hakrawler was one that I was using before Katana. But like I said, you guys keep filling in a lot of the areas, some of the little guys, basically everything that tomnomnom does, that always works in, but those are little helpers and stuff, like, I mean, I tend to get a lot of play out of what you guys have in place.
Burp is still a solid go to for the stuff that Burp is for, but it’s not something that I’m using nearly as much other than maybe to do some templating for Nuclei. And what my focus is that it does feel like I’m only looking at their stuff and my boss accuses me of that. No, I use other stuff. I like the mentality of the tools and all that kind of stuff. I am starting to branch out more into, I think I asked a couple of questions on mobile and social media type stuff, so I’m starting to gather stuff in those areas and those you guys aren’t in yet, but that point, it’s just starting to be a little bit more hand cram stuff.
ProjectDiscovery: Tell us about a time you faced a huge challenge and what you did to overcome it.
FailOpen: That’s my least favorite question in interviews ever.
FailOpen: I was trying to get out of pen testing. So, the goal was to go work someplace internal, do pen testing, and then slowly pivot. I got a job offer. I come in and realize the manager that was there wasn’t the manager of the team I was interviewing with. So basically the original team had passed, but he took me and nobody told me that. So now I pivoted without realizing it outside of pen testing but to a development team. And basically it was all right, well now let’s learn how to be a Python developer and maybe that’ll be helpful.
FailOpen: It was an amusing thing, that was a big learning thing. So I’m trying to learn how to do what that team is doing and not using my background at all, being super stressed out. And so I basically just started on the side doing manual work, instead of trying to contribute to this automated thing, just start doing what I do. I’m going to do what I know how to do and start doing some work and hopefully they catch on that it’s useful and let me do that. And that was like a couple of days before log4shell happened.
And so it was just kind of like that was my path. I don’t think I’m useful because I’m not doing what the team is doing, but I need to figure out a way to convince them to let me just do what I do well. And then all of a sudden, this big traumatic thing happened to the Internet and I was able to kind of come out looking good on it thanks to ProjectDiscovery and me doing what I do best.
ProjectDiscovery: What’s your machine setup?
FailOpen: It honestly stopped mattering. And I have a lot of machines, but a lot of my work gear has always been like these legacy things. But when I started consulting, I bought some beefy Mythlogic, like, the big custom things for a crazy bunch of money. But now I’m on a Mac for work. I don’t like Apple. I’m going to hate on them at all times that I can, but it’s what you work on. It does virtualize well, it does do Linux things well. It does a lot of things poorly, like stay cool with a quiet fan.
FailOpen: My personal box is ironically the nerdiest thing I’ve built PC wise. I did all the colored lights for the first time ever; it has LEDs on the fans, and it’s got glass panels and everything, but it’s just something that I put together. It’s got a lot of memory, it’s got a lot of processing power, and it’s got a lot of hard drive space. I game a little bit, but I really use it for astrophotography in the last year, which just takes a lot of all of that to work with those images.
ProjectDiscovery: What’s the first computer/tech device you remember owning?
FailOpen: First tech device I remember owning was a Brother word processor but the first computer that I was on was in my elementary school. We had a TRS 80, which is where everybody should start. But those, when you turn them on, it boots into BASIC. We did have the tape deck, but we couldn’t figure out how to use it because our teacher didn’t assist us with it. He was smart, but he’s like, “I want to see what you guys do.” We were in the gifted class. “Let’s see what happens.”
So we literally sat there and typed in stuff because we had no books or anything. We typed in stuff to see which things returned errors and which things didn’t return errors, and broke down ones that didn’t return errors, then made guesses at what they did. And over like six months, like four of us, we kind of reverse engineered BASIC a little bit just to make it do stupid stuff. The “go to ten” kind of stuff, right. But I thought that was kind of neat. But the TRS 80 will always have a special part in my mind or my memory. First computer we had at home was just some random special that my dad bought from some guy that I know was overcharging us like crazy. You boot into DOS and then you tell it to go into Windows. But all the games had to run in DOS.
ProjectDiscovery: What value do you get out of being in the PD community?
FailOpen: Security is always changing and the tools are always changing. I’m really kind of hoping Katana work keeps going because it seems like it stalled there. There’s a bunch of stuff that’s in draft that I’m really kind of hoping continues to go on the headless side. But besides that one, I’m trying to influence stuff that ProjectDiscovery is working on to meet my needs. And I mean, that works when I hang out in a couple of different groups in the same way. And it’s not like it’s a selfish thing. So things that I need are things that somebody else would need.
It all works out that way. But one, I like helping folks. I learn by teaching. You’re a teacher. I’m sure you get it. I don’t know things until I have to explain to somebody else. And then I realize I don’t know it, so I have to go learn it better. So I’m just trying to keep an eye on what’s going on, seeing what I can learn.
But I’m active in the security stuff because I’m using these tools all the time. I want to see what people are doing. People are smarter than me. If I can help them get through their easy stuff so they can do a cool thing that I can leverage, it all works out. So it’s kind of all that. But I’m trying to also remind myself, because I got really jaded with humanity in general. I do have my “kids these days” moments, but there are good people out there. There’s people who you can tell by the question, one person wants to understand a thing. One person just wants an answer. I might give a link to the answer for the person who wants the answer, but someone wants to understand it. That’s where a thread starts up and we have a whole conversation. Yeah. Then I’m happy for the day.
Thank you to FailOpen for giving me some time this Winter to chat about all these amazing topics and then some. If you’d like to join FailOpen on our Discord, click here. If you’d like to receive the latest news from us each month from our newsletter, click here. Finally, you can read all the rest of our blogs here.