Information Security D-List Interview: Chris Boyd

Today’s interview is with Chris Boyd. I first met Chris Boyd at SecTor’09 and he has THE most interesting story about how he got into security and generally has fantastic stories about random things whenever he travels.

Q: Tell us a little about yourself.

I’m Chris Boyd, and I complain about a lot of stuff on the internet. Most of it is security related, but not always.

Q: How did you get interested in information security?

Many years ago back in Uni, I had a good friend who lived in another country. We kept in touch by phone, video diaries and the net. She had a lot of problems, and lived in a bad part of town. Unfortunately, she fell in with a crazy drug dealer who used her place as a base of operations and also got her hooked on the stuff she’d spent so long trying to kick. I’d talk to her on IM and pretend to be her pal from near the beach or something along those lines – we had “keywords” so I’d know if he was around or not.

I don’t know if this is still the case, but back then the only way she could get online was to buy these prepaid cards for a certain amount of net time. She needed to save up to go to a detox retreat, but the only way she could stay on the straight and narrow was talking to me online…which of course was using up her detox money. I have many horrible tales – one which particularly sticks in my mind was when he turned up at her place out of his head and trying to smash the door down while waving some sort of big hunting knife. She then went MIA for about two days, and it was horrendous – turned out he’d cut the power and left, but I had no idea what had taken place until she got her power back.

I hatched a plan to get her out of there, which involved me picking up a “teach English in Japan” qualification – she’d do a runner, meet me there, I’d get her cleaned up and the world would be a wonderful place.

Yeah, I know – terrible plan.

So anyway, first the school I’m supposed to be teaching at tells me they’re overbooked for teachers and I’d have to wait another month or two. Then I’m talking to her on IM (knowing he’s in her house) and suddenly all this “secret” chat starts filling the textbox. We had no idea what was going on, and then he sees it and goes crazy.

She went offline for good that time, and through a “friend” of hers (using the term loosely here, as pretty much everyone around her was a bit…uh…crack addled?) I was told she’d been beaten up pretty badly and put into hospital. He was also decent with a PC, and could tell it had been hacked and I guess someone had chosen that exact moment to start pasting up our saved chatlogs onto the screen for giggles. After that, she didn’t come online again, stopped answering her phone, stopped responding to letters….basically dropped off the face of the earth, all because of some moron being leet with her PC.

At the risk of sounding like a walking comic book cliche, it made me ditch my chosen occupation at the time in favour of learning

a) What had happened on her PC
b) Why it had happened and
c) How I could learn how to do horrible, horrible things to the kinds of people that put stuff like that on there.

I eventually settled on a number of security forums like Spywarewarrior.com, and Suzi Turner (the admin) introduced me to people like Wayne Porter & Alex Eckelberry and Alex was good enough to fly me to a CNET Antispyware conference where I met all of these people I’d only previously seen on a PC screen. By chance, at the time all of this was going on I started popping up in the press for things I’d found or written about or whatever and eventually I was hired to work in security fulltime. It’s all a bit odd, to be honest.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I’m self taught, with no qualifications in IT which isn’t that uncommon – especially for anyone who got into this via the antispyware route. I have a BA Hons degree in Fine Art, and was painting pictures, writing music and dabbling with orchestras before getting into net sec. A lot of the art stuff came in handy for coming up with potentially interesting ways of presenting the material I’d written, general promotion / interaction etc.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be an artist for DC Comics. One guy I went to Uni with draws for them now, he’s done very well. Sometimes I wonder what I’d have ended up doing if I’d kept doing art stuff, but I’ve probably helped more people doing security than I would have drawing out of proportion pictures of Batman so who knows.

Q: What projects (if any) are you working on right now?

Well, I was recently made redundant (or my position was, technicality fans!) so I’m doing nothing other than looking for work. It’s tricky, because I don’t live anywhere close to where security companies are based. Most companies require you to be in the lab with people or relocate, which is fine – but that’s not possible right now. So I guess what I’m saying is, someone will ultimately hire me to work remotely or I go do something unrelated to security. It’s not something I haven’t prepared for, but there are quite a few companies who are happy to roll with it so feel free to cross some fingers for me while I do the interview dance.

It’s always struck me as faintly ludicrous anyway for a part of the industry that depends on people sitting there looking at the internet all day long to have a chance of finding something new. See that thing over there I wrote about that got a ton of press for my company? While I was finding / writing about it, your guy that *would* have found it was in his car driving to work, or walking up three sets of stairs or talking to some guy by the vending machine while waiting for free donut day.

Who benefits more?

Q: I know that you’ve got quite the collection of video game equipment and somehow convince people it is for “research”. What kind of things do you have in the Bat Cave these days?

I’m still looking to flesh out my Space Channel 5 collection (which is still the greatest music game that doesn’t involve plastic guitars, and quite possibly beats those too): http://www.flickr.com/photos/paperghost/sets/72157605702349932/

I think I might have every single known version of “Mexican Flyer” known to man, woman or child. I still need to get hold of an inflatable Morolian and a metal lunchbox. WHAT.

Q: Can you regale us with a particularly funny story from your research into the world of video game user/account fraud?

The funniest video game hax story I saw was one that allowed people to temporarily change their ingame name to whatever they felt like. They’d find out what Gamertags game devs had, then copy them and run around ingame claiming to give free tshirts or ingame items to anyone foolish enough to hand over their login credentials. At that point they’d use custom made tools to artificially inflate the stats associated with the stolen account then try selling it on places like eBay and various forums.

Of course, that’s not really very funny. But a side effect of being able to change your ingame name was the ability to bypass the swear filters, and that certainly was humorous when you wandered into a game of Halo 3 and saw this: http://www.flickr.com/photos/paperghost/3784614096/in/photostream/

Whoops.

Q: What is your favorite security conference (and why)?

I eventually got round to enjoying my first RSA, although for the most part it was terrifying – I scheduled in a 3AM panic attack just so I could be cool as a cucumber when the talk came around. I think my favourite so far was SecTor in Canada, you were well looked after and people had a genuine interest in what you were there to talk about. Any conference that’s research driven gets a huge thumbs up from me.

Q: What do you like to do when you’re not “doing security”?

Videogames, anything Batman related, collecting old consoles and listening to Mahler. Mahler is awesome. Oh, Hong Kong cinema. Huge fan. I did my Uni dissertation on Political symbolism in 20th Century HK Cinema. That’s probably been done to death by now, but it was pretty fresh back in 1999 (fresh enough I had to give the lecturers copies of the films I was talking about so they had some context for it).

Q: What area of information security would you say is your strongest?

Until they all went under – haha – I’d say it would have been digging out scams by the Adware vendors and blowing holes in everything they said as a defence. Direct Revenue, Zango, all those guys – it was relentless and deservedly so. My only regret is that I didn’t cost them more money, but some of my stuff ended up in the NYAG Vs Direct Revenue case so that was satisfying. Besides that, I’d hope it would be the ability to latch onto an area of security that hasn’t been poked much and run with it. I did a lot of work exploring the world of the script kiddie and that had a lot of positive feedback. Using videogame consoles as a platform for “really bad things” (TM) is something I’m also glad I looked at, it taught me quite a lot about the (sometimes overlooked) technical skills some of the scammers out there have.

Q: What about your weakest?

I am not a coder. So many people assume if you do security, you’re a coder. Or that you know / do everything when really my core skills boil down to being able to find new or different kinds of scams, make a big noise about it and do everything I can to get it shut down. It’s a very specific area and skillset, and it doesn’t include everything.

Oh, and that whole Cloud thing? I need to get oiled up and wrestle with it for a while.

Q: What advice can you give to people who want to get into the information security field?

You know, I have no idea – if I had some certs in it, I guess I could say “do these” and it’ll help. But I don’t, and I pretty much fell into it by chance. I’m sorry, that’s the worst answer ever. Can I fix it by saying “Follow your dreams, Beefcake! Beefcake”?

Q: How can people get a hold of you (e.g. blog, twitter, etc.)?

My blog is Vitalsecurity.org, my twitter is twitter.com/paperghost. I used to write on blog.spywareguide.com which is where most of my research stuff resides.