I was, I was doing some reconnaissance on a certain company and trying to be like, are they releasing any new IoT devices? And basically the search tool came back and said, nope, nothing, nothing from this year. And I was like, wait a minute, I don't think that's true. And I was able to go through to the FCC website and do a little bit dig and dig a little deeper and find out that they have reported to the FCC that there's some new, new, new devices under development.
And so there's little things like that where again, you can be a creator, you can use it to create or you can consume it and just assume it knows all. Welcome to the Phillip Wylie Show. Take a look behind the curtain of professional hacking and hear compelling discussions with guests from diverse backgrounds who share a common curiosity and passion for challenges and their job. And now here's your host, offensive security professional educator, mentor and authority, Phillip Wylie.
Hello and welcome to another episode of the Phillip Wylie Show. Today, I'm excited to have Matt Brown joining. This is going to be especially fun for me because not only does Matt work in cybersecurity, Matt is also a YouTuber and content creator, which is one of the things that I really enjoy geeking out on. It's kind of funny. One of a good friend of mine, Arfal, that founded Dallas Hackers, lunch last week, last Friday.
And one of the things we're talking about, our interests span more than just cybersecurity. You know, some of the people that either have been into cybersecurity that long or that's their only passion and focus, that's all they talk about. And so sometimes it's not as much fun as when you've got people around that have multiple interests and you can discuss those things. And cybersecurity I get to talk about so much. But the content creation is not as frequent and common.
So it's always good to have someone that works in that area and hopefully I can pick up some tips and tricks from you. Welcome to the show, Matt. Well, thank you. Thank you for you for having me on. And excited to have this discussion. Yeah, it's great to have you. And before we started off, for the, for the viewers, those that are just listening only, you may want to check out the YouTube video because Matt's got a pretty cool lab there in the background.
He's got all the hardware, hacking equipment. It's really cool the way he's got his camera set up to look down his workbench so he can, you know, record or view whatever he's working on at the time. So that's pretty cool. It's kind of interesting the kind of setup that you have to do for the kind of content creation you do. Yeah. So like we were talking about beforehand, I've taken a lot of hints, a lot of setup advice actually.
There's a vibrant laptop motherboard level repair community on YouTube and some of their microscope camera choices, I've modeled after them so it's don't have to create that all on my own. Yeah, I'm sure that was took a little more research and be able to find the right place because, you know, most content creators aren't doing anything where you have to actually see it. Unless maybe someone that's into lock picking. Then it wasn't be as specialized in.
But you still have the camera pointing down at the locks or whatever you're working on instead of just at yourself or just sharing a screen. Yeah, I've definitely evolved my camera setup over time, but I think one of the things my viewers really like is seeing things up close under a microscope and having a camera and a microscope set up where I can use two eyeballs and have a, have a camera attached.
There are some microscopes where you have to flip something and you become, you become a cyclops and you can only see out of one eye and the camera takes up the other, the, the other spot. But yeah, so, so this one, it can do all that at the same time. And I can do micro soldering work taking apart IoT devices and stuff like that at a really close level, which is fun. Very cool. And so it was kind of interesting that we finally got to meet in person. So Matt and I got to meet at Hardwear.io USA.
It's a hardware security conference and they also had some training, a really cool training. I was really impressed to see that Joe Grand was teaching training there and looked like it looked like some really good training. I wished I'd known a little bit more, knew about it ahead of time that I could have possibly tried to sign up for some of the training because I don't know anything about the hardware side and could really use to, to learn that.
Yeah, the trainers there are really what I would consider the top, top professionals in their specific niche. Right. So at the conference you have people who are interested in all areas of hardware security, but within that, that niche there's a bunch of these micro niches where it could be, you know, somebody's the expert on Bluetooth hacking software defined radio fault injection was the class that I took So I got to take that from Thomas Roth, who was a really good instructor.
So yeah, a lot of world class talent and teaching going on there. Very cool. So before we get too far into the conversation, always have my guests share their hacker origin stories, kind of how they got started and their story up to where they are today. Yeah, so mine started. I feel like I talked to a lot of people that have a similar story that, you know, they just liked tinkering with electronics and computers when they were a kid. I actually had an incredible opportunity.
I feel like people don't have this opportunity. In junior high we actually had an electronics and soldering class where I got to learn to solder for the first time. And so I've always just been interested in taking apart stuff, seeing how it works. And my first introduction to hacking was watching a YouTube video. Funny enough, all comes full circle with the content creation. Watching a YouTube video on cracking WEP.
WEP, which as we all in the industry know, is a very vulnerable wireless protocol, even back back then. So I remember it was so cool. I, you know, installed Linux on a bootable CD, not, not a USB stick, but a CD that was a bootable Linux distro and running a few commands that I, that I copied from the YouTube video. And just that experience of getting to see the Wi-Fi password of my home network come back and for it to be able to decrypt that was, was pretty eye opening for me.
And it kind of led me to continue in my journey of learning. And so I did that in college. I kind of did an IT degree in my under and then in my grad school I did, you know, computer engineering slash information assurance. So kind of a cybersecurity focused degree. And from that point on I've entered industry and gotten a chance to do a lot of offensive security, whether it was in more of a consulting role or as an internal IoT pen tester. Very cool.
And so what I was, we were talking earlier you mentioned how you used to be involved in IoT Village, so that. That's pretty cool. Yeah. And actually so, so that was a fun story. So I worked with the IoT village folks for a little bit and got to host the Village, which was fun because actually my first time to DEFCON, I went and competed in the IoT Village CTF and actually placed second in that when I was competing by myself my first time at DEF con.
So that was, that was a kind of fun experience and a fun introduction to DEF CON as a whole. The conference, but specifically the Villages, which is where you'll find me if you're at DEF con is definitely hanging out in one of the many villages because I feel like those are the spaces you get to interact with people more one on one instead of feeling like you're cattle that's just being herded places. The DEF CON success is great, but there's just a lot to do there.
Yeah. So before you got into the hardware hacking, did you start out the traditional pen testing and hacking route? Yeah, so I definitely started in more of a traditional kind of like IT infrastructure. I actually, you know, held IT jobs. I've kind of held all sorts of jobs around the tech space. I've, I've done some dev work, I've done some system administration and, and then also some more blue team type roles, whether it's part time while I was in college or in the workforce.
And so those experiences have all given me this other perspective when I am doing pen testing and kind of lets me psychoanalyze the other side a little bit and be like, if I was a developer, if I was a system admin, how would I make mistakes? What, what shortcuts would I make? And then I try to exploit those.
Obviously being on the offensive side, I. Would think with that background too makes sharing the remediation steps a little bit better than just, you know, folks that don't have that background. Yeah, I, I, I tell people this all the time. If you, if you can communicate clearly and you can, you know, do the technical work of whether it's pen testing, you will go, you will go so far in this industry because that is, it's almost more important than the technical findings of a pen test. Right.
Is being able to communicate them and being able to give practical recommendations or give recommendations on how to completely remediate the vulnerability. But if you can't do that, how to defend or detect against that vulnerability and if you've had that experience on the blue team side or sysadmin side, you have a lot better handle on. And I'm sure with having that sysadmin experience makes things a little bit easier. If you get a shell to a system opposed.
If you just purely came in just learning the offensive side. Yeah, yeah, you, you know, where, yeah, where, where, where, where they're likely to make shortcuts and mistakes and, and all these things that are, yeah, if you, if you just came purely from the offense side you, you might, you might try some way more technically challenging way of exploiting a system than the easier routes. Yeah. So for someone that wanted to get into offensive security, what would you recommend education wise?
Ooh, that is such a tricky question. So obviously I went the academic route, right. I got an undergrad degree and then I got a master's degree and I personally enjoyed that experience and it was a good experience for me. But I meet so many people in this industry that have none of that and they're very proficient in what they do technically and in their career advancement.
Obviously getting in the door in an entry level role is going to be a little bit more of a challenge if you don't have that academic background. But I would say not to be like watch my YouTube channel. But there's so many good content creators out there that are giving away top world talent level advice and teaching for free.
We were talking earlier, you can go watch NahamSec in his videos and he's a world class bug bounty hunter and he just for free gives away advice on how he finds vulnerabilities, his methodology and things like that. And of course there's also, you know, training courses by those same people that are very cheap. Right. Compared to that formal academic degree. So I would say if you are successful in the academic world, I still think there's value in that.
And especially having a course set like computer science. Right. If you really understand the fundamentals of how computers work and you're a good programmer, that is going to make you an excellent security researcher or offensive like, like a, in a, in a pen testing role. But I don't think it's necessary. I think you need to be a self starter and you need to just go dig into some labs, find some targets and get hacking. And you learn by doing it more so than learning about hacking.
Yeah, I think sometimes that the academic side gets downplayed too much, although it's not the only way to go. But one of the things I would say is if you're, if you're not really self disciplined and you kind of lack structure, sometimes the structure of a college or university can help you. Maybe there's things that you don't realize that you need to learn like you know, it based degrees or computer science or even cybersecurity degrees or software development courses.
There's a lot of basics that people gain there that they may not otherwise know about unless they really thoroughly do their research on what they need to learn to build that base knowledge before they get into the actual security piece or the hacking piece of offensive security. Absolutely. In my time, so I went to Iowa State University for both my undergrad and my graduate degree One of the really cool, there's a lot of, a lot of things I liked about it.
One of the really cool things they had was a student group that was, it was like a club, right? It's a bunch of other like minded people that are interested in hacking and security and things like that. And they would just meet and give talks and they would collaborate on projects. And then they also hosted these cyber defense competitions where they would give you a set of VMs that were chocked full of vulnerabilities and give you like a month to secure those.
And then they brought in professional pen testers on the weekend who just wanted to go, you know, wreck these kids systems for eight hours on a Saturday and, and really give them a real world experience of what it's like having, you know, a professional hacker come at their systems and try to defend them. And then there's a debrief where they get to learn all of the hacking tools that were used against their systems.
So I learned so much in those experiences and getting to talk to these people who are working in the industry. So that was one of the cool things that a lot of these colleges are doing nowadays. They're giving a lot of hands on experiences. But like you said too, there's the background, right? There's, there's like every day where I don't have one of those critical skills, I'm having to kind of backfill it. So I always feel this way about electrical engineering.
I went more the software route in college and I'm always trying to backfill some of this fundamental electrical engineering knowledge doing hardware hacking. And I'm like, man, if I would have just taken that one course in college, like I would, I would have this background. So you sometimes don't know that you need it until way later on in your career.
Yeah. So kind of speaking of the hardware hacking and hardware security, for someone that wants to get into that, how would you recommend they train themselves? I mean, because that's just as not as obvious as all the web app pen testing courses you find out there. All the network pen testing cloud, you name it. You know, that doesn't seem as easy to find and maybe you'd really need to know those resources to know what would be a good resource. Yeah, I, yeah, I agree with that.
And that's what, that's probably a, that's a big question. I get on my YouTube channel and in my Discord server, a lot of people are wanting to get into hardware hacking and especially, especially if they watch a video like mine, they're like, oh, you have like all this expensive top tier equipment back here behind me. And if, if you see that as the only image then you're like, I can't, I can't afford that, I can't get into it.
And so what I always encourage people to do is to find a simple target to hack on. Like maybe you just go to Goodwill or another thrift store and you find some old Wi-Fi router and then you start taking it apart and you start trying to learn more about that system, that device. And then only when you encounter a problem that you need a tool to solve, then you go and acquire that tool and you kind of do it bit by bit like that. And you don't need to buy the most expensive tools at first.
There are lots of cheap options for tooling. But the way I learned is that that's, that's kind of how I learned. And there, then there's some blogs out there where people will write up, you know, hey, this is how I took apart this device and I found this vulnerability or I dumped the firmware and you can just go try to replicate.
So, so the first thing I would suggest to people is find some, something cool that you saw, whether it's in a YouTube video or a blog, and just try to replicate what they did. And that will give you a lot of hands on experience with the tooling and hands on soldering that, that you might need to do. Very cool. So are there any kind of kits that anyone can buy to learn hardware hacking? Ooh, there, there are some kits out there.
I, that's, that's generally not the way I go, but there are some from a company called Addify and they've got a bunch of supplies and some targets involved in that. The thing about hardware hacking, that's hard and I kind of alluded to this in the different niches that are within that hardware, like at the conference that were within the hardware security conference, there's many different kinds of targets.
So for example, I focus mostly on Linux based IoT devices and those, the tooling that you use to attack those is of a certain type of. And then what I'm trying to get more into is attacking microcontrollers which are a completely different architecture, require a different set of tools to go after.
So yeah, so that's why my suggestion is usually find the thing you want to hack on and then find a guide that's going to walk you through that step by step and try to replicate it before you and a kit might provide that, but I find the self kind of exploration approach is usually best.
And so one of the things I definitely wanted to discuss too, since you've, you know, you're a content creator, you have a YouTube channel, and I just wanted to get into that a little bit with you and kind of discuss that experience with you. Yeah. So I started the YouTube channel a couple years ago, and my goal for it, I was like, this YouTube channel will be successful if over my lifetime I hit like 10,000 subscribers.
That it very quickly, you know, showed me that, wow, there's more potential than I thought in this space. And so. But my, my philosophy for the YouTube channel, which is very different from other people's style of content, is for the most part, it is unedited. I'm not, not carefully editing together my video. I, I hit record over here on my computer, and I have, you know, a couple cameras that I can switch between. Right. So I have, I have this camera here.
I can, I can screen share my compute, my computer screen if we're, if we're doing something with software. But then I also have the desk cam and the microscope camera. I think people want, like, a lot of the feedback, the positive feedback that I got was that I would show people my mistakes. Right. I would, I would encounter a mistake, I would make a mistake, and then I would correct it. And that was something that was a little bit more real life for people, and that resonated with folks.
Yeah. So. So how many subscribers are you up to? Cause you tried. You talk about wanting to hit the 10,000 mark. Yeah, I, I recently, you know, I, I like, I got my plaque. So I've gone over the 100,000 mark, and I think I'm sitting at 166 or 167k right now. Yeah. Wild ride. It's been. Congratulations. That's pretty awesome. Two years, right? Yeah, yeah. I was setting my goals for 2025 back in November, December, and I was like, at the end of 2025, I want to hit 100,000.
And then one video just took off and it like, knocked that goal out really fast. I'm like, oh, I need to set new goals. So where we. Where did you get your inspiration for your content creation? Did you have any resources that you look to. To kind of help you along your way? Yeah, actually. So there's a couple of really good youtubers out there. Live Overflow, which he is actually. Sorry. So Live Overflow and Stack Smashing.
So Stack Smashing is Thomas Roth, who is actually the trainer that I trained under at Hardwear.io this year. So that was a cool experience to get to go to his training. And so both of their videos are really well done in the cybersecurity space. And then Thomas Roth, or Stack Smashing, he specifically does hardware hacking YouTube content. So topically, those are a couple of my big inspirations. There's a bunch of others that I couldn't possibly name all of them.
But then the method though, because my method is very different. So there's a YouTuber called Louis Rossmann who does MacBook board repair. And so he does some different content now, but that's how he got started. And he would do, you know, 30 minute, 45 minute, an hour long video uncut of him under a microscope or on the overhead camera doing soldering, doing repair of these laptops.
And I was seeing the number of views he was getting in the sub count and I'm like, oh, there's, there is still a market out there for long form, unedited, almost livestream style content that even in the day and age of, you know, short attention spans and things like that, there is a market for that kind of content, which I was inspired by because that fits more my style of just talking about my process and making mistakes and fixing things.
So that's the approach I went with and kind of combined that approach that I saw from him in the, in the repair space and the cyber security influence. Yeah, I think it's great that you're doing that because, you know, we live in an Instagram world where people are only showing the polished, perfect, you know, end results and you know, you going through and you mess up, you figure it out. People kind of learn some troubleshooting along the way. So I think that's great the way you're doing that.
Yeah, I certainly wouldn't have it any other way. And yeah, it seems to resonate. So I'm glad, I'm glad my mistakes can help somebody. So as far as the content creation's gone, how's that kind of helped you out career wise? Yeah, so that's been kind of incredible. So the YouTube channel, very early on I got hit up by someone who was participating in a live hacking event in the bug bounty space.
And I had never done bug bounty before, so I got invited to an event that was being put on by Amazon to hack on some of their devices and to find vulnerabilities. That's the basic concept in bug bounty. And then you get paid money based on how critical those vulnerabilities are. And what category the devices or the asset falls into. And so I ended up partnering up and me and me and me and my teammate, we won the event.
And so that kind of launched me into, into the bug bounty space to the point where I've gotten invited back to a number of these events. I'm actually wearing the shirt I got from Scotland. So I got to go, got to go to Scotland and hack on Amazon and AWS targets and yeah, just meet some of the smartest people in the world in the bug bounty scene. Yeah, that's very cool. And then congrats on your success on YouTube.
That's pretty amazing because I've seen some people that have been doing it for years to reach that or some people have been doing a long time. It hadn't for me. For instance, my YouTube channel turned 18 years old this month. Wow. But my YouTube channel started out as a place for me to post videos for my powerlifting meets. So I do powerlifting competitions and I'd upload the videos. That was the first thing I reused it for.
And then I got into teaching and I uploaded some of my lectures from the college, my pen testing lectures up there as well as, you know, then the podcast and then did some streaming before. So that's pretty cool to see that you're able to reach that level of success in such a short time. Yeah, it's definitely been surprising and, and a fun, fun ride to be on.
No, but, but those channels are cool too because I always appreciate following people on YouTube and it's so interesting to see when their content style or the thing that they're interested has changed because you really, you really do get to feel like you're connected to like a real person. Right. When you, when you see that in their content.
So like a very micro niche of that is like, like I said, I kind of started on these Linux based devices and in a few of the most recent videos and in some that will be released soon, I've been targeting more microcontroller based devices. So like it's fun to see people's progression through their YouTube, their, through their content. So you being on the hardware hacking side, do you think that's a really promising area for folks to get into?
Because I would, from my point of view, I just don't see as many people having the experience with that. Like some of the other areas are kind of flooded with, with people doing that particular thing. Yeah, there's. Wow. Yeah. Yeah. I actually got, I actually got asked this recently and I feel like we're all having these conversations of is AI going to steal our job? I'm, I'm just, I'm an optimist generally in life, so I don't, I don't think that's going to happen.
But there's, there's this funny billboard and I feel like I've seen this all over social media where like this construction company put up an advertisement and it was like, hey, ChatGPT, finish this building was the, was the ad, right? And so I always think about that when I think of hardware hacking and you know, job security, right? It's like, yeah, sure, maybe they'll make a robot someday that can like desolder to the flash chip over here and automatically analyze the firmware.
Who knows, maybe I'll work on that next. But I do feel like this is a good area to get into now. The opportunities are fewer, the amount of people in the space is fewer, but the opportunities are fewer. So I'll just give you an example of bug bounty.
I would estimate of the bug bounty assets that are out there, which are pretty representative of tech in general and cybersecurity demand, I would say probably about 95% of those targets are web or mobile, and maybe 5%, that might even be a generous percentage to say 5% of bug bounty targets are hardware based. And so you extrapolate that to the industry. It is a niche, right?
So being at the Hardwear.io conference, it was a conference of, you know, 200, 300 people and these are the best hardware hackers in the world, right? And so there is a smaller, there is, there is a smaller niche there. But I do think it's going to grow. I think, I think stuff is going to continue to grow. More of this AI stuff is going to go on the edge, meaning out to devices where that processing used to be done back in a, back in a data center.
And so more people want AI on the edge of, of their smart device networks and stuff like that. So I think that is going to also drive just a ton of demand for hardware security. Yeah. So from, since you bring up AI from a career perspective, do you think it's important for cybersecurity professionals to learn something about AI? Yeah, just like, you know, I don't know, like a carpenter who has like a hammer and then like somebody comes along like, here's a nail gun, right?
You're going to, you probably want to learn how to use that tool, but you also don't want to so, you know, lend yourself to the tool that you wouldn't know your Craft without it is what I would encourage people. There's an individual, Daniel Priestley, I've been reading his book and I have been listening to some of his work and he's got a saying where he says that AI will create two different groups of people.
They'll create, it'll help people create more than they ever could or consume more than they ever could. So in this industry, you definitely want to, you know, keep thinking with your brain and thinking outside the box. And I think that's how, in using AI to do that or to speed up the, or to automate away the annoying stuff that you, the repetitive stuff you do all the time, that will be a big help. But yeah, I don't have any. Again, I'm very optimistic that my job's not going to get taken away.
It might change. It might change. It's always interesting to hear the point, point of views on how quickly, you know, jobs will be replaced because of, of AI. But then again, I didn't really look into it, but the paper that Apple came out with that says the artificial general intelligence is further out than what people think it is.
Yeah, I read that paper and that it's like when, when presented with, yeah, I, I assume we're talking about the same paper when presented that the, that the algorithms, the LLMs, when presented with a new reasoning, new type of reasoning challenge that they'd never seen before, that at least the current LLMs are kind of falling on their, on their face when they try to, when they try to attempt those problems. Right? And that's, and that's something that I experience all the time, right?
So the thing I use AI for a lot of time is reconnaissance and information gathering, right. I might read a serial number of a chip off of a board and then I might throw it into, you know, a deep search or something like that and say, okay, give me all of the information back. Is there any vulnerability information? You know, are there any known vulnerabilities about this? Go out and kind of scatter out and do a search.
And the other day I was doing this, I was, I was doing some reconnaissance on a certain company and trying to be like, are they releasing any new IoT devices? And basically the search tool came back and said, nope, nothing, nothing from this year. And I was like, wait a minute, I don't think that's true. And I was able to go through to the FCC website and do a little bit dig and dig a little deeper and find out that they have reported to the FCC that there's some new devices under development.
And so there's little things like that where again, you can be a creator, you can use it to create, or you can consume it and just assume that it knows all. And once you do that, you're kind of handicapping yourself to its abilities. Yeah, that's some good points there. It's pretty interesting to see how it's taken off in the popularity of AI and you just always kind of wonder, you know, you see a lot of stuff out there, you really wonder if it's hype or accurate.
And then you have the things like this Apple paper coming out that's saying that things aren't as far along as people are saying. So it's always interesting to see the two opinions. Yeah. Oh, yeah. So we're getting down towards the end of the episode. Is there anything that you'd like to share before we end? Yeah, just if anyone is interested in Iot security, Iot hacking.
Yeah, just I, I, I do have a discord community where people come, they ask questions, they do research projects together so that that link can be found in the description of pretty much any one of my YouTube videos. So if anybody wants to find out more or ask questions, there's a ton of people, really smart people, people smarter than me, that are actively participating in that community. So I just encourage them to go check that out. Yeah, thanks. And we'll include that in the show notes.
So make it easier for people to find your YouTube channel and your discord. Cool. So, yeah, thanks for joining. It was great chatting with you and good to learn more about the hardware side of things and then also to get to discuss content creation, which I don't always get to, but which is always fun. Try to learn from, from people like yourself. Yeah. Thank you so much for having me on. It was a blast. Oh, thank you. Thanks everyone. And we'll see you in the next episode.
Thank you for listening to the Phillip Wylie Show. Make sure you subscribe so you don't miss any future episodes. In the meantime, to learn more about Phillip, go to thehackermaker.com and connect with him on LinkedIn and Twitter @ Phillip Wylie. Until next time.
