Meet the 1337!

Wietse

Welcome to our new blog series, Meet the 1337! Each month, we will shine a light on one of the genius minds within our awesome network of hackers!

Today, we would like to introduce you to Wietse Boonstra. With a passion for unraveling digital mysteries, Wietse seamlessly transitions between roles as a pentester and a Bug Bounty hunter. 


You can watch the interview between Wietse Boonstra and Chantal Stekelenburg, or read it below! You choose the format!

Chantal: Hi, Wietse, thank you for coming! Can you tell us a little bit about yourself?

Wietse: Of course, I am Wietse, I am from the back corner of the Netherlands. I’m a pentester. I like to break stuff and check stuff out. I just want to know how stuff works, so that’s what I like to do and what I do all day long.

Chantal: But not only figure out how stuff works, you also break things?

Wietse: Absolutely, yeah! 

Chantal: Is it accidentally or on purpose?

Wietse: It’s on purpose, yeah. I really like to take stuff apart, even hardware and software. And for now, it’s mostly software, and I’ll try to find security issues in that. I really enjoy it. It gives me a kick to find stuff and to report it, that’s the main thing. And then I make the world a bit better.

Chantal: So, is the kick coming from actually finding this stuff or getting it fixed? 

Wietse: No, it’s finding, definitely finding. And then, for the fixing, I usually let the DIVD do that stuff. So, I do the responsible disclosure. And the thing I like to do is find a vulnerability, write a script, automate it, or stuff like that. That’s fun for me to do, and I spend way too much time doing it.

Chantal: So you don’t really have the capacity to wait before it gets fixed?

Wietse: That’s the part I don’t like. I have to get in contact with the company or people who have to fix it, and I do explain it, I try to make a report or something or go to a meeting with them and explain I found this. But to get to that point that you have contact with a company... that’s, I don’t know, way too much work. And I don’t like that. If I find something I report it to the DIVD, they go, start the procedure for getting in contact, and I’m on to the next thing. I want to break, so yeah!

Chantal: So the communication part is left to someone else?

Wietse: Absolutely!

Chantal: You’re back to breaking stuff. 

Wietse: Yep!

Chantal: How did you become a hacker? When did you start hacking?

Wietse: Well, I think that question is more like something that came from early when I was little. My father, well, he had a device and I’m like telling my dad, I want this thing to do that. And he said, okay, well, let’s take it apart and see what we can use. And that’s kind of how I rolled into it. And with the software, it’s kind of easier to do that because I try to understand the electronics, but I don’t really get it. But in software, it’s like, okay, we put a Burp between it and see what’s happening. And yeah, well, that’s kind of how I rolled into it. And probably 10 years ago or something like that, I’ve been really only focused on that. So that’s how I got into it.

Chantal: Okay, so how much time do you actually spend on hacking? Is it like an entire day, the entire week?

Wietse: It’s kind of compulsive, I guess. I can start in the morning, and then I realize oh it’s 2 in the morning, maybe I should have eaten something and drunk something. 

Chantal: But is that every day?

Wietse: It was. I’m kind of trying to cut back on that, but yeah, it definitely was. I was sitting on the couch, and my girlfriend was watching Netflix, and I was like, okay, let’s break this, or how does this work so yeah.

Chantal: So you’re hyper-focused? 

Wietse: Absolutely.

Chantal: So you actually do spend most of your days on hacking?

Wietse: I did, not at this moment anymore.

Chantal: Do you have any other hobbies?

Wietse: Yeah, Lego!

Chantal: That’s a good hobby!

Wietse: Yeah, building stuff! But no other hobbies.

Chantal: Hacking is a hobby as well!

Wietse: It’s a passion, I guess. I want to know how stuff works, so take it apart, and you know how it works, so yeah 

Chantal: So you have a job?

Wietse: I do.

Chantal: As a pentester?

Wietse: Yes!

Chantal: And next to that, you also do Bug Bounties and the Coordinated Vulnerability Disclosure. How did you get that job? Did you face any challenges, or was it easy to get that job?

Wietse: Well, I got one of my first jobs because somebody asked me, can you check our system? I’m like, well, okay, I’ll check it. And I got into their internal network, and I’m like, okay, I’m here. Put my CV on their server, and they were like, okay, what’s going on here? And then they hired me. So, yeah, that was fun.

Chantal: That’s definitely a fun way to get a job!

Wietse: Yeah, well, they gave me permission to check them out, but then yeah, I’m like, okay, I found this.

Chantal: Basically, leaving your business card.

Wietse: Yeah, absolutely. That was my first job, I guess. And now I have got my own business in pentesting, and I noticed so many companies hiring those people and those people, and I was like, cut out the middleman and do it myself. So I did a training OCP, and I got into conversation with somebody, and he said, can we hire you, and from there on...

Chantal: You just started working for yourself?

Wietse: Yeah, I think I did pentesting for maybe two years with a company, and then I started my own. And it worked out!

Chantal: That’s very fun. So, do you like being your own boss?

Wietse: Oh, absolutely!

Chantal: Do you also say no to certain kinds of assignments or?

Wietse: Yeah, I did a couple of times. In the beginning, I didn’t, but then you notice you’re good at something, and you cannot be good at everything in security. It’s probably 80% web application pentesting, and that’s why the Bug Bounties are very interesting. That’s also, I don’t know, 80%, for me at least, web applications.

Chantal: Yeah, Bug Bounties are definitely the most easy to set up on a web application.

Wietse: Yeah, absolutely! I think web application is also the easiest part to do Bug Bounties or pentesting because it always follows the same route. And I hate Windows, so I do not understand how that works in security testing. 

Chantal: So, web applications it is. Could you share maybe what your most interesting or crazy hack was?

Wietse: Well, Kaseya was the most interesting to me. 

Chantal: So what happened with Kaseya?

Wietse: I was doing a pentest, and I got a laptop, and I was… this application or VSA was installed under the agent. And I’m like, what is this? It’s crazy. But there was no time left to check it out. So I went in my spare time, I kind of asked Kaseya: can I get a copy on my server because I want to check it out, and they are like, how many people do you have, I don’t know 6,000 or something. I don’t know! So they gave me a local copy, and then I pulled it all. I spent weeks on it, checking it out again on my couch, and I discovered a couple of serious vulnerabilities. And that, well yeah, that’s the whole story about Kaseya, if you Google it, there is enough to find.

Chantal: Oh yeah, if you Google, you can find a lot more about it and what happened after!

Wietse: And when the ransomware hit, the DIVD told us, hey be careful, these guys, the Russian criminals, are serious guys. And I’m like, I hadn’t slept for four nights, so I was kind of freaking out. And then I came home, and my door was kicked out, and I’m like, well, what’s going on here?! And my kid was home, so I’m like, where are you, and he didn’t respond. But long story short, he kicked the door himself, and I was freaking out, yeah, for nothing. But yeah, it was kind of a weird week.

Chantal: Yeah, I can imagine.

Wietse: And afterward, I got a good friendship out of Kaseya with the CTO so that was fun!

Chantal: That’s cool! That was a crazy time!

Wietse: Absolutely!

Chantal: Any other surprising stories or fun facts?

Wietse: I think my lawn mower was the most fun. I could take over all the lawnmowers. I probably still can, I don’t think they fixed it, but don’t tell anyone. 

Chantal: So you had a lawn mower yourself, right? You decided to take a look at it, and you were able to, while not being the owner, take it over.

Wietse: Yeah, take all lawnmowers from the same brand over. Turn them on/off, I don’t know. Could probably upload a new firmware but I didn’t go there. That was kind of funny, but again, that’s exactly what I do okay. I got a lawnmower and thought, what does it do, how does it work, take it apart, check it out, so, and this was only the Android application that was broken.

Chantal: So you didn’t actually have to touch the lawnmower, just the application?

Wietse: Yeah, absolutely.

Chantal: Those are fun things like being able to take over someone else’s lawn mower and do crazy stuff. It can be fun. 

Wietse: I could have done that, but yeah, no!

Chantal: You didn’t! All right, what are your favorite tools or resources, or maybe like content to take in and learn from?

Wietse: Well, I don’t have one. How I work, for example, I take something apart, and then I’m like, okay, what is this? I don’t understand it. And then I start Googling and then just expanding my knowledge. 

Chantal: So Google is probably your favorite tool?

Wietse: Yeah, absolutely!

Chantal: So you do a lot of Bug Bounties and the pentesting but also the Coordinated Vulnerability Disclosure. Do you get any swag?

Wietse: No, not really, but the best swag I had was from Zerocopter, and it was the coffee! 

Chantal: The hacker coffee?

Wietse: The hacker coffee that was the most fun I had and I’m kind of sick and tired of the Dutch Government t-shirt, so I stopped doing that.

Chantal: You don’t accept them anymore?

Wietse: No I don’t want them, no. So they gave me, I don’t know, 10 or so, and I’m done with it 

Chantal: Do you have a favorite kind of swag to receive?

Wietse: Haha, money? Gift cards! No, I’m not really doing it for the swag. It’s the kick I get out of finding vulnerabilities and reporting it that’s kind of the next thing. If they want to give swag or donations, I’ll ask them to give it to the DIVD or something like that. So, for the rest, I don’t care. 

Chantal: Or just actually get paid for it?

Wietse: I’ve had a couple of times that they asked me eventually, hey, can you help us, and became a customer of my company. That’s the best swag you can get. 

Chantal: Yeah, the best swag is getting a job!

Wietse: Yeah, so they hired me, but that’s never my intention. Also, if I do a Coordinated Vulnerability Disclosure – I never ask for anything. It’s like, guys I found this and this and this, and I’ll explain to them who I am, what I do, and that’s it. 

Chantal: And you fix it?

Wietse: Yeah, and if you have questions you can ask me, free. 

Chantal: Do you like to go to conferences?

Wietse: Well, I’m kind of just getting started with conferences. We went to MCH, I really liked it, it was so much fun. 

Chantal: And May Contain Hackers in the Netherlands.

Wietse: Yeah, and DefCon, of course! These are the main conferences I’ve been to. 

Chantal: Because I have gotten to know you online, mostly, and then all of a sudden, you were at a conference. I don’t remember which one, but it took you a long time to actually go there! Is there a particular reason that you didn’t go to conferences?

Wietse: If I have to say, probably too many people around me. So if I meet other hackers, I am like, okay, these guys are great, and I just do my thing and hack stuff, and it’s not that much of a deal, so I’m like, okay, who am I there, I don’t know! 

Chantal: You don’t think it’s an opportunity to learn something from other people?

Wietse: Good question! Probably yes!

Chantal: Okay, so you should go to more conferences!

Wietse: Yeah, absolutely, okay, working on it!

Chantal: Is there anything that you would like to learn in the future?

Wietse: Definitely hardware hacking. That’s my next goal. That’s probably for the coming five years. 

Chantal: It does sound like you already have some experience in that. Like from childhood, maybe?

Wietse: Yeah, that helps. And I understand basic stuff. But look at Jilles Groenendijk that’s my idol for hardware hacking. I’m like, okay, what this guy can do is crazy, so that’s kind of where I want to go.

Chantal: The new kick?

Wietse: Absolutely, the new kick!

Chantal: And is there anything aspiring that you would like to say to hackers who are basically looking to do this as well or maybe start somewhere? What would you give them as a tip?

Wietse: Start breaking stuff and responsible disclosure. You have to be responsible! If you find something, report it. If they don’t do anything about it, okay, well, tough luck, but yeah 

Chantal: Do adhere to the rules!

Wietse: Absolutely, yeah, don’t go too far if you find something, don’t exploit too much, I would say.

Chantal: Yeah, just give evidence that the vulnerability is there, and then report it to the company so that they can fix it.

Wietse: Absolutely! I never got in trouble for reporting something, but I think what I did in the beginning was what I said earlier: explain who you are and what you do. And what I did or also do is say I discovered this vulnerability in your system from this IP, from this time till this time. Be open and honest, that’s the best thing you can do, I guess. 

Chantal: They can use that information as well to check their logs and see that it was you, and that information can help.

Wietse: Absolutely. And don’t ask for money! Give a good signal about who you are and what you want to do, and stuff will come, I don’t know how to say it, but at least if you do good, you receive good! So that’s what I think, at least.

Chantal: Are there any misconceptions or like stereotypes about hackers that you think are stupid?

Wietse: I’m not wearing a hoodie and stuff like that. I have children, I don’t sit in my attic doing stuff like that. But for the rest, I don’t care about that; the thing I do, I do it with passion. I enjoy myself, I get a kick out of it, and that’s what’s most important! What the rest of the world thinks, I don’t really care, so yeah.

Chantal: That’s a good one. Do you have any thoughts on the future of this whole industry and what role hackers will play in it in the future?

Wietse: That’s a difficult question...

Chantal: Is hacking going to change in the future?

Wietse: With AI, I guess some stuff is going to change, but there’s still always somebody who needs to interpret it. 

Chantal: Because you are kind of big on automating things. 

Wietse: Well, automating, as in if I find a vulnerability, I like to write a script or a program that exploits it. You could use it, weaponize it for mass exploitation, so that’s what I like to do. But that’s just for me because, okay, just press this button, and it works. 

Chantal: You might like to make it easy for other people also like the companies you reported to?

Wietse: Well, of course, you automate the vulnerability to get a shell or something, that’s the fun part for me. That’s what I get a kick out of – write just a simple Python script that does my stuff, and that’s kind of for me. I do not publish it, not always, at least... For Kaseya, I wrote the whole script that did everything I needed to do to get a remote code execution there, and nobody has it, I still have it on my system, so that’s just for me, just for fun. So I can get my skills in programming better, and that’s it.

Chantal: Okay, so you don’t think that this is maybe going to happen more and more in the future, and other people are going to do that as well, and it might be something that we per se don’t need people anymore?

Wietse: I’m a bit scared about that. I think there’s like 80% will probably be automated, so that. But I don’t know. Maybe it depends on how you interpret some vulnerabilities. I don’t even know if an AI can do multiple stages, I don’t know if an AI can do that. Probably after a while, yes, but hooking stuff together if you have three exploits, you get remote code execution, for instance, I don’t know if an AI can do that. 

Chantal: I do think it’s going to make maybe our work more efficient and we can probably use it. We can be lazy.

Wietse: I like that! 

Chantal: But no, there are lots of vulnerabilities, and I know that you have found quite a lot of vulnerabilities also that no system would ever be able to detect because you look at it in a different way.

Wietse: Well, that’s probably it, we kind of look at it in a different way, but then again, AI probably can learn to look at it in a different way as well. I don’t know where this is going. 

Chantal: It would be interesting to see!

Wietse: Probably will be dead by then…

Chantal: So why do you hack with Zerocopter? 

Wietse: I don’t feel like a number with Zerocopter. I know everybody at Zerocopter. I think a lot of people at Zerocopter know me. And I don’t know, they listen. If I say hey guys, I found this, it’s not that important, they’re still like, okay, well, thank you for reporting it. It’s good communication. They know me. That’s the thing I really like. So, if you have the other Bug Bounty platforms, you’re really like a number. You have to work really hard. When you get your vulnerability, and you are like, hey guys, I found something. They would be no, it’s nothing, and you are, yes it is, look at this. And I think that’s not the case in Zerocopter. It’s like, hi guys, I found this, and sometimes they give you help. So, hey, have you checked this or tried this? That’s what I really like. So that’s why I only do Bug Bounties with Zerocopter, and the rest don’t even feel like it.

Chantal: So, did you ever try doing Bug Bounties on other platforms?

Wietse: Yeah, like Intigriti, I did a couple, and we could find stuff there too. But it’s a lot of work to do public programs. And with the private, you sometimes get invited. And it’s just more fun with Zerocopter. It’s private, you get invited because you have those skills they need for that program, so that’s kind of what I like the most. 

Chantal: So it’s maybe a good one to touch upon. Because our first introduction with you at Zerocopter was via Coordinated Vulnerability Disclosure. Maybe you can tell me how that happened?

Wietse: I did my CVD with Zerocopter, and then I just asked, can I join your private program? But then I think you guys said, no we don’t accept any new ones. But then eventually I think I asked again, or something like that, and then you guys were, okay, well, just join us!

Chantal: Yeah, so we noticed you because you were kind of a frequent Coordinated Vulnerability Disclosure reporter, and you were on the waiting list, and eventually, you got the invite. And you were able to join our Bug Bounty programs. And you are a big contributor to a lot of those programs!

Wietse: Oh, cool! Thank you! Yeah, well, again, if it’s a passion, you like to go the extra mile. So, I guess that’s what you guys noticed.

Chantal: Yeah, your passion and dedication also, to sometimes going from a very small thing to a very big impactful thing.

Wietse: I think small things are important to report as well. I know this is small, but it could potentially be really bad. That’s kind of how I look at it. So I don’t need the money for it, if I get a Bug Bounty, then that’s fine yes, but if it’s something low or informational, that’s fine too. So the program needs to get better, or the software of the client needs to get better, and small steps make it better, too. So that’s what I really like. And that’s what you guys give room for, too. So it’s not that you guys say it needs to be critical or something like that. That’s fun for me to get critical, but for the company that you’re testing, it’s also important that you do the informational or the low ones. So that’s it!