Meet the 1337!

Today we are happy to introduce you to Hidde Smit. Hidde is a Senior Security Consultant, pentester, and Bug Bounty explorer! 

Watch the interview, or read it below – you choose the format!

Chantal: Thank you, Hidde, for coming. I’m very pleased to welcome you here. Could you maybe tell us a little bit about yourself? 

Hidde: Yeah, sure. My name is Hidde Smit. I’m 31. During my day job, I’m a senior security consultant, and I spend most of my time pentesting. In my free time I’m a freelance pentester, and in any other remaining time I do Bug Bounties for Zerocopter, which is really enjoyable.

Chantal: So basically your whole life consists of hacking!

Hidde: Pretty much, pretty much. Well, sometimes you do get tired of it. If you do too much, you might burn out. So now, with the nice weather, I tend to relax a bit. I like to game. I used to game on a high professional level. I went to Cologne for tournaments and stuff, but nowadays it’s just casual because I don’t have the time and energy for it anymore. Instead I put that in Bug Bounties, for example.

Chantal: Okay. And what’s your favorite game? 

Hidde: Just regular shooters. 

Chantal: Regular shooters? 

Hidde: Regular shooters, like arena shooters.

Chantal: Okay, maybe what’s your favorite game at the moment? 

Hidde: Probably a Counter-Strike I guess. 

Chantal: Counter-Strike, yeah. So you already talked about that you were a professional gamer. Interesting! So how did you become a hacker?

Hidde: Yeah, well, I attempted a study in IT, but it seemed that I’m not such a good programmer, so I stopped. And then I did safety and security, which is not IT, but it’s more like how did this company burn down, criminology theory, or law and justice? But that got boring as well. So I was like, how can I combine this with IT? And I was like security, IT, cyber security, whatever, you know. So I did some internship and my graduation, it was enjoyable. And during my study I managed to compromise a facility management portal and I ended up ordering new furniture, which almost got me in trouble. So that was I guess my first real hack – bypassing login and ordering furniture. They weren’t happy with that. I did get a 20 euro coupon.

Chantal: Oh, really? 

Hidde: Yeah. So I guess that was my first Bug Bounty or Responsible Disclosure. And yeah, after the study, I happened to roll into it. Someone invited me to eat at McDonald’s and he was like, maybe you should work here. And he helped me, gave me solicitation training on how to present yourself. I ended up landing my first job in security. And from there on, the ball just started rolling.

Chantal: Yeah, and you’re still not bored? 

Hidde: Well, it is that I got in the pentesting niche, which is really enjoyable, but the standard findings do get boring. So, it’s more like if you find complex vulnerabilities or you chain multiple vulnerabilities along each other, which leads to a pretty impactful thing, that does get me hyped up, but the standard ones you see nowadays are kind of boring.

Chantal: So you like to have the time to find out how you can chain vulnerabilities?

Hidde: Yeah. Well, of course, you don’t always find it. And if you’re delivering an empty report, it’s like the biggest bruise of your ego possible.

Chantal: You always want to find something.

Hidde: Yeah, you always want to find something and if you don’t find anything or it’s an empty report, you kind of start wiping your tears, right, so.

Chantal: Yeah. 

Hidde: But whenever it’s possible, I, of course go really deep and try to find a lot of good stuff. Impactful stuff like ending up on water processing plants, even though you started in office automation, stuff like that. That does give you like the dopamine. 

Chantal: Yeah, I can imagine. Is that also why you started doing Bug Bounties? 

Hidde: Yeah, well, I attempted it during my first job. I attempted Bug Bounties, but I just figured that I didn’t have enough energy and time for it. I would be pentesting week in week out and then in the weekends we do Bug Bounties. But I just noticed I didn’t have the energy for it. And then sometimes I put in reports and it seemed like the Bug Bounty platform didn’t have the interest in the research. And they seem to be like penny-pinching, I guess. But now with my new job at the government, it’s like so easy going, got so much spare time and energy that I was looking to do some more things. So I started voluntary work. And throughout there I met you and you introduced me to Zerocopter. Yeah. And ever since I’ve been doing Bug Bounties for Zerocopter every now and then. So that’s really, really good. 

Chantal: Is that maybe a different experience doing Bug Bounties for Zerocopter than for other platforms?

Hidde: Yeah, yeah! It’s like Zerocopter definitely seems more reasonable, more respectful. It always seems to be fair. So you don’t feel skimmed or whatever, right. So sometimes you spend your entire weekend and then you find one thing which in your eyes is pretty impactful and then you get told “no” and they close it. That would be disappointing. But I haven’t had anything like that at Zerocopter. So I do say Zerocopter is more respectful. 

Chantal: That’s good to hear. That’s why we do this. So thanks. Did you have any challenges while hacking or in this industry? 

Hidde: Yeah, well, you know, I did the study in safety and security and then I went looking for a job and they tell you, yeah, go secure doors or something, and what are you doing in IT? So it’s like people tell you that you can’t do it because you don’t have a study for it. So it was really hard to get into a job. And once you get in a job, it’s like you always ask yourself if you’re good enough. Like you kind of feel dumb because you don’t know anything. It’s like, maybe I don’t belong here.

Chantal: Famous imposter syndrome, yes. 

Hidde: Now it’s more like flatlining a bit. So it’s going better now, right. But at the start it’s really stressful. But also, yeah, it’s difficult.

Chantal: And is there maybe something you are like super proud of, maybe a hack or something you did in a pentest? Of course, don’t disclose any details!

Hidde: Yeah. I mean, there’s always interesting things like, I don’t know, the water processing plant was a really nice one. 

Chantal: I can imagine. 

Hidde: Going from a regular office workstation into a water processing plant, that was a really good one. But yeah, there is a lot. I also tend to forget a lot. You just go from one project to another. So it comes and goes. I think the real achievements might be actually, it kind of sounds lame, but passing those courses – the offensive security courses, where you have a 24 or 48 hour exam. It’s like you just suffer for two or three months and then you do that exam, which is really hard and you barely make it. And then you see your colleagues attempting it and they don’t make it. So then I’m like, well, at least I know something, I did something right. Because it’s like if you’re comparing pentest findings to each other, it’s always a different story, it’s a different case. So, it’s hard to really be proud about findings.

Chantal: You are proud that you passed those exams! 

Hidde: Yeah, yeah, those are like on the same level to compare. Comparing your Bug Bounty earnings, it’s like, you had 30 private invites. Congrats. I don’t, you know, it’s just like, how much time do you want to put in it? 

Chantal: Yeah. 

Hidde: So some people do it as a full time job. I do it next to my job, so it’s a totally different story. 

Chantal: And is there a way that you try to keep up with everything that’s happening in the Bug Bounty or hacking world? Because it changes all the time. 

Hidde: Yeah, well. You know, it’s like they say, it’s a never ending process of learning. I mean, you read about it every day pretty much. When my alarm clock goes, I spend half an hour scrolling through the Internet first, and the same when I go to bed, which might be unhealthy, I guess, but yeah. Well, Burp Academy, for example, it’s really good. They tend to have practice labs about a certain methodology, a certain vulnerability class. So it’s like if you find out that you’re lacking in a certain category, you could actually get really targeted practice over there. So that’s really good, because there’s a lot of sources, there’s a lot of stuff to read and you can get overwhelmed. I think you should focus on a certain point. So if you want to go in web applications then you go to the Burp Academy and maybe you read the OWASP testing guides. But if you’re a fan of Azure and you want to start pentesting Azure Active Directory, then there’s no real known methodology there. So you have to collect all sources together. I think it’s just important to focus on one aspect at a time and just slowly grow there before you branch to another one.

Chantal: And is there one aspect or a vulnerability class that you maybe are an expert in? 

Hidde: I guess I’m not really an expert. I’d say it’s more like recognizing the vulnerability. So, I don’t have infinite memory and I actually don’t even keep notes about anything. So, some people have like really big documents and notes explaining how to do every single vulnerability type. I don’t. So whenever I find something, I just start Googling again, like what was it again? How does it work? And then I look at examples and how it works. And then from there on, I work it out myself.

Chantal: Yeah, no, but it’s a really good point because you cannot remember everything and you cannot learn everything. There’s so much to learn about, and Google is definitely your best friend.

Hidde: Yeah!

Chantal: So you talked about doing Bug Bounties, but I know that you also do a Responsible Disclosure or Coordinated Vulnerability Disclosure. What’s the favorite swag you ever got for Coordinated Vulnerability Disclosure? 

Hidde: Well, I guess it must have been a hoodie. I’m a real hoodie fan because you sit all day and if you sit all day you get cold, right? So I get cold arms, I get a cold neck. So I tend to just wrap myself in the hoodie, put on the hood entirely over so I don’t get cold. 

Chantal: For the companies, hoodies are good to give away! 

Hidde: Especially like thick soft ones. I’m a sucker for soft clothes. It’s not like some get really crispy when you throw them in a washing machine. I want good quality ones.

Chantal: Quality soft ones, that can last for a long time. 

Hidde: Yeah, exactly. 

Chantal: Okay! And do you ever go to a conference in your hoodies? 

Hidde: Well, not in my hoodies actually. I just got normally dressed, I guess. But yeah, I think the only one I’ve been to was OWASP AppSec, and that one was in Amsterdam at the time, I think. That was my first one. I was actually surprised. That was pretty good. There were quite a few people who were well known in the Bug Bounty scene. And of course you also had the really broad management talks, so you just don’t go there. So you have to filter the list where you want to go. So, I really enjoyed that one. But they switch countries every now and then of course. I still want to go to maybe Black Hat or DefCon. That’s quite expensive. Maybe I can fix something with work, who knows.

Chantal: Maybe earn a little bit more in Bug Bounties or get invited! 

Hidde: Maybe, yeah!

Chantal: Did you ever think about doing a talk about what you learned? 

Hidde: You know, sure, I can talk a lot about whatever, but I feel like I’m not a person who can talk really well about a certain aspect. So if you want to, at least that’s how I see it, if you go to a conference, you want to learn something really specialistic, something new.

Chantal: Deep dive. 

Hidde: Yeah. So I’m not someone who does research on those things. I just…

Chantal: You just find the bugs. 

Hidde: Yeah, I just do pentesting or Bug Bounties, which is more like the person who does the work and not the research.

Chantal: And is there something that you might want to share with aspiring hackers, something to learn or to do, like what are the ‘to do’s’?

Hidde: Yeah, well, it depends on what you want to do. If you want to do web applications, I’d say first start with a bit of theory, like reading the OWASP Security Testing Guide, for example, maybe the Application Security Verification Standard as well, so you know how developers implement those. After that you might want to get practicing, and for that the Burp Academy is really good. And then you see that people often tend to get stuck in the Capture The Flag scene or the VMs like Hack The Box. But I say if you reach that level when you did a few, or maybe you don’t even do them, you just go straight to Bug Bounties. Because with most Bug Bounty platforms, you have to first get a few findings to start getting invites. So why not just start on the Bug Bounty platform, and then you notice growth at the same rate as the invites you get. Because if you really want to go that way, you have to invest some time in it. And if you’re really well, first in application security and you start with no invites, that can be quite demotivating. So I’d say just don’t get too stuck into the capture-the-flag scene or the vulnerable VMs and just start doing something.

Chantal: Yeah. And also maybe not too stuck in the theory. Like Bug Bounty platforms are a good way to practice and put everything that you learned into actual real-life situations.

Hidde: And if you want to make your job of it, just try to land a starting job. I don’t think it really matters where. A lot of starters start in the security operations center. So, just find a starting job, and you can go from there. You have to start somewhere. Many people look at the end result like whoa, someone got so much in bounties, so he’s making it his day job. But then you’re only looking at the end result, and you have to look at the process towards it.

Chantal: Yeah, don’t forget that they spent a lot of hours to get there as well. 

Hidde: They’ve probably been wiping tears because they’re not finding anything as well. 

Chantal: Yeah, no, definitely. So what are your thoughts on the future of this industry and the role that hackers will play in it? 

Hidde: Yeah, that’s a hard one, right. I mean, people right now are already saying, yeah, pentesting is going to be automated. Well, you know there will always be some automation, but you have to interpret it and maybe exploit it to show the impact. 

Chantal: Do you think we can actually automate pentesting? 

Hidde: Nah, I think if you look at the current static analysis tools for writing code, I mean if it was really that good, why would we find any vulnerabilities, right? So there will always be business logic flaws where you skip a step or do the steps the application was meant for you to do in a different order, resulting in some unexpected results. So it’s like there are also non-technical findings that you can’t solve with scanning tools. So I’d say there will always be work in security. It’s a job that involves humans. Humans make mistakes and for now I haven’t seen anything that’s flawless in scanning, so I doubt it’s going to be flawless anytime soon. And if it is, then we all just move to some consultancy or advising job, right? Like we got the knowledge so then we can advise on how to build proper applications or networks. Yeah, there is always going to be work.

Chantal: Is there anything else you would like to tell or share?

Hidde: Yeah, sure. It’s like there’s a lot to do in security, so I’d say take good care of your mental health. People work 8 hours a day and then you read about guys doing Bug Bounties so you’re like, well I’m going to do it as well. So you spend your entire weekend doing Bug Bounties, but without you noticing it might build up a lot of stress because you don’t get to relax and power down. So yeah, if you notice that you’re getting really frustrated or you sleep badly, stuff like that, definitely take it down a notch and chill out. I’ve had the same with my previous job, just doing so much in security. It’s really overwhelming. And hackers don’t have working hours, and then they do anything, whatever they want. So you can really spend all your life in it, but I’d say you also gotta live your life a bit.

Chantal: Yeah, you could do 24/7. Yeah, no, let’s not do that. 

Hidde: Yeah, exactly.