Welcome back to the Cyber Underground. I'm Dave the Cyber Guy. I must go over who I am again. I'm Dave Stevens. I teach IT and cybersecurity at the University of Hawaii Kapiolani Community College. And I'm here with the president of the Hawaii Advanced Technology Society, that's our cybersecurity club for all the UH campuses. And Max here, Max Rietta, welcome. You're the president of the KCC chapter, of KapCC, Kapiolani Community College, right? Yes. Welcome. It's good to have you. You're only a second year and you're our second president of this chapter. Yes, apparently. Yeah, we've only, we just started this a couple of years ago. And I wanted to talk to you today about, about your experience, you know, what got you into it, where you think you're going, what you're getting out of it. We just got to emphasize that there are more ways to get into cybersecurity than going to YouTube and these other hacker sites and trying to figure out how to hack computers and doing it illegally and joining things like Anonymous and doing hacktivism. You can do it legally. You can do it safely. You can get your education in a formalized way. You can do clubs. And that's what we're here to talk to you about. So tell us a little about you. First of all, how did you get to the islands? Or are you from here? I'm not from here. I'm actually from California, but I moved here in around third grade. So I technically am. That's pretty from here. I mean, before third grade, we're not too much to count before that, right? This is true. Where are you from this island? Oahu? Yes. Yeah. Okay. Good. And the high school, folks who want to know what high school, right? Are you grad? Kaiser. Okay. Good. One of my daughters graduated Kaiser. Okay. That's good. So Kapiolani is right down the street. Yes. Right. So that's good. And is that why you chose Kapiolani? Because it was just the best regional match for your location? It was right there. It was cheap and it was there.
You had a lot of choices, though. We do cybersecurity at three of the four community colleges out here, right? We just started at Windward, too. So four community colleges on Oahu plus two four-year universities, and you chose Kapiolani. And when you're done, will you be going on for a bachelor's degree? Yes. West Oahu. West Oahu. Will you be doing that then? They have two routes, right? They have the IT and then they have the information security and assurance. So which path? I believe it'd be the IT. IT. Yeah. But you're doing cyber while you're at KapCC? Yes. Okay. Let's talk about your journey. So you grew up here, basically. And somewhere along the line, you decided information technology? Yeah, I was actually going to be a pilot. And then I realized I didn't want to do that. Okay, so I had a similar journey. So mine was motion sickness. Okay. I decided I'm really sick in the air. This isn't going to work for me. Yeah. So what about you? Why did you decide you changed? I was thinking about it and I was talking to other pilots and they said they had to go through a long process of just flying cargo and other things. And I didn't really want to be like a bus driver in the plane and like in the air. You got to pay your dues. Yeah. You get a lot of flight hours. Yeah. Unless you go in the military. Yeah. Right. A lot of my friends. Even then you could fly a cargo plane. Yeah. Yeah. That's true. But at least with the military, the cargo planes can be massive. Yeah. So those things, they carry tanks. I can imagine that get kind of fun. Yeah. But you know, if that's not your gig. So, so many other things to choose from. Why IT? Why did that bubble up to the surface? It was, I wanted to do piloting because of the mobility, I could travel. But IT, you could do that too. Sure. Everybody needs it. Yeah. So you can work from your computer. As long as you have a computer, you could work. So I could travel and work. So that's why I felt IT was a good choice.
The roaming thing. Okay. Good. And more and more people are hiring for remote positions. Most especially in cyber security, right? So you can do remote vulnerability assessment and things like that. Is that what got you towards cyber? Because once you get into information technology, there's so many paths. There's databases, web. There's programming for desktop and mobile. What took you to security? Security has everything within it. So I feel it would give me more options to choose from. If I didn't like networking, I could learn coding, but I could still be in security. So that's why I chose security. That's a good point. A lot of people don't understand when you get into cyber security, you are the pocket knife of the IT industry, right? You have to be jack of all trades. Yes. Master of none, but just good enough to know that element. And it helps in two different ways, right? It helps when you're doing the attacking and testing the boundaries of a company, hopefully legally. And it also helps in defense, right? Because you know how to defend because you know there's an avenue, a vector of attack. So you can prevent it. Yes. Right? So that's great. You're in your first year. You just completed your first year. Yes. How'd it go? What were your feelings in the program so far? You've taken basic networking, probably basic programming. Yes. And you did cyber security fundamentals, right? And then your basic database class? Not yet. Not yet. You still got to take that. Yes. It's a fun one. All the first year stuff is pretty fun. What did you think about it so far? I loved it. I didn't realize there were certifications that you could get to become an ethical hacker. I never knew there is ethical hacking. It's a little bit of an oxymoron to most people. Yeah, it doesn't match. You kind of do the, what are the, scooby? Yeah. Yeah. It's ethical. How does that work? But you know, that's just a signed piece of paper. That's the only difference, right?
You're still hacking, but someone says it's okay. Yeah. That's, and we're going to do some of that pretty soon here, right? Yeah, we got one coming up. So our audience should know about once a year, sometimes hopefully more. We get companies to volunteer. Thank you for volunteering, companies. We really appreciate you volunteering. We know how hard this is for you to trust us. So we go and we test the boundaries of companies. We do vulnerability assessments, internal scans. We do penetration testing. And we're going to try to do one this year coming up in October for our next victim customer. Sorry. The next customer is going to say, thank you so much. And we teach all kinds of weird stuff. You're going to be in our next year's classes now, network security, and the cyber attacks and defense, basically the ethical hacking. Yeah, right. You're coming up. We teach everything, including lock picking, which is a great one, right? So you wanted to do that as a club event. Yes, right? So let's talk about the club, right? You're learning as you go through, you learn, you get a cyber security certificate at the end of this. And that's the formalized training, right? We also hook you up with internships, which we'll talk about in a second. But during that experience, we also give you the chance to do club activities, which is outside of class. Tell me a little bit about your experience, how you got into it? And why you chose to lead the club? Because you're the president now? Yes. Well, I got into the club because I realized people are a very good resource. And if I was having problems, not understanding how to do security, it's looking it up is going to help me. But if I had like a resource of an actual person, it would that connection actually helps me learn a lot more. And I feel that for everyone else. So we actually did a pen test last year in March, over break, and it was an event that I learned so much in. And the club members also agree with me.
We did, it was with UH Manoa's Grey Hats. So we did a mock pen test, we went through the entire process, even doing the write up at the end. Well, let's go through the steps in that process. Yeah, five or six steps. Go ahead and outline the process that you went through. That's the formalized part of that pen test. Okay, so first, there is the scanning, reconnaissance. Reconnaissance. Yeah. So we would do the recon, figure out, or we would first do the scope and figure out what they're asking us to do. Now, that's important. Yes, right, because if you do something that they didn't say was okay, you're out of scope, you went out of the bounds and you could be in trouble, right? Because they didn't actually sign the paper saying you could do that. Yeah. So the first thing you had to determine with the customers. Can we do? Yes. And also, you can, you would do more than like more work than you're getting paid for. True. So I was like, Oh, okay, like that's good point. Yeah, they really hammered that in, like, you know, the scope of the project. So after doing that, doing the recon, going into the machines, it's all fun from there. But the documentation after was what got me. But I feel like that's something that's very important. That needs to be taught. Because I think not many people realize that's your mission. Yeah, that paperwork that's so boring. To come up with, I get it. You know, it's not the fun part really. But that's your mission. That's the product you're supposed to deliver. So taking copious notes as you go through all these steps, massively important. So you did recon, of course, you did open source intelligence, right? You went out there and scanned websites or looked at social media. You looked at the company's websites, probably, right? And then once you determined all those elements that you can use in things like phishing emails and things like that, then you can do some scanning.
Oh, were you allowed to do internal scans or external scans on this network? I believe we did both. I'm, it was my first time actually doing a pen test. So it was a little hazy. But I remember having like internal knowledge of the computers. So did the customers give you a little bit of information about the network itself before you started out? Yes. Okay, so that's, that's what we'd call either gray box or a white box. Okay, yeah. Right. So a white box, let's go through the different boxes, right? We have white box, the customer tells you everything. And you just go test. Then there's a gray box where they tell you a little bit. They want to know if you can find out more, right? That sounds like what you went through. Yes. And then of course, the hardest, which was the first pen test we ever did with the club, is a black box. And it took us months. And we really didn't get very far. But we did actually trip some people up. But we had to do a tremendous amount of research. So if you sign up for a black box test, it is the toughest. Know what you're getting. Ever, right? You just that is that's one of you want to charge some serious coin for a black box. And you ask for six or nine months to recon and people really have to be liberal with that. And customers, when you're talking about the scope, we've done pen tests where they say no, just email us. And that's it. Just do the phishing emails. And then other customers have said you get it's weapons free. And we actually broke in to some of the places and used lockpicking and other methods to get in. So after the scanning, did, wait, did you use just like Nmap? Or did you use Nessus or one of the other tools for scanning? Yeah, we used Nmap, a lot of Nmap. So that's a lot of high hand coding. A lot of bash scripting. That's good. That's great experience. And so well, yeah, you did this with UH Manoa. Yes.
So UH Manoa, our viewers should know, out of the 10 campuses in the University of Hawaii system, UH Manoa is the mother ship, first campus, and then some of the other community colleges sprouted up. And then we got a couple of other four years, including UH West, also on this island, but on the other end of the island, right? So you did that for the original campus, which has a club called the Grey Hats. Yes, right. Okay, that's great. I'm glad you guys are working together. Tell me a little bit more about this experience. Well, I want to do that more with our club this year. Yeah, because it was so beneficial for everyone. I was, I didn't know much going into it. But after coming out, it was a three day kind of bootcamp experience. So I really enjoyed that. It's good that you know this too, because now when new members come in, they're going to be, you know, first years, they're freshmen, you can mentor them. Yes. And I find that when I mentor somebody, when I teach something, I actually learn more. Yes. I absorb more of the material by teaching other people. So this is a great experience. You're not only getting the formalized education, you're going through the homeworks and the labs and all the other things we do. But now you're mentoring others, which helps you absorb that knowledge to get better at it, gets more practice. And one of the things that I love to tell people was the club is one of those activities you can add to your resume when you're out there trying to get a real job because they ask you three questions. You know, what's your education? What are your certifications? What have you done? What's your experience, right? And most of the time you get out of like a two year degree, really haven't done much. Got that little internship we give you. But with the club, you're actually doing the things that you want to do in real life. You can actually say, Hey, I've done four pen tests already.
Yeah, say, you know, I had an internship and I did this and we did vulnerability assessments. So it adds to that entire experience. You know, and if you go on to UH West, you're going to find Dr. Matt Chapman, who is in charge of that program out there. He's a tremendous asset to your career. He's going to boost you and put you into more activities that give you the real life hands-on experience. So you can translate that into a real career. You're looking forward to that. Yes, I am highly. Okay, what we got about one minute to break. Why don't you tell us a little bit more about your club experience, and then we're going to take a little break. So last year in the club, we also did a networking event. And that was very fun. Other than meeting people within the industry that could give us advice and tips on how to do things or like what route to take, what certifications to get. I think it was very helpful. And we also did NCL, the National Cyber League. Yes. So those are the virtualized labs that you can do individually or as teams, right? And that happens a couple of times a year. Yes. And it's nationwide. How did you do? I did all right for my first time. I was getting pulled along by my other team members, but it was very fun. And I'm going to plan to do it again this year. It's quite inexpensive, right? It was 25 bucks, I think, this last time. Oh, yeah, it's quite reasonable to get into this competition. And most people don't because they have this fear of failure. And I encourage everyone to just go in and fail. Yeah, just so you can see the environment. I'm glad you enjoy it. I'd like you to keep it up. We'll try to coach you more as you get through our classes as much as we can. We have such a small staff, but it's great that you guys are teaming up. What's your membership right now? What's your roster? What are your numbers at? I believe we have 14 members. 14 members. Yes. We're gonna have a great pen test. Yes.
Okay, we're gonna take a little break. Come right back out of the commercial. Let's pay some bills until then. Stay safe. Welcome back. Thanks for staying with us. I'm Dave, the cyber guy. We're talking with Max Rietta, president of the Kapiolani Community College chapter, the Hawaii Advanced Technology Society. I can't say that fast. It's not going to happen. So it's hats, caps, you see. Welcome back, Max. We were just talking about where you're from in California. You're from here, but, you know, way, way back, your family was from Pasadena, right? Yeah. So I was, I was from just north of there.
We were talking about the horrible traffic in LA, which we can almost get a taste of here in Honolulu a couple times a day, right? Can I get that experience at West Oahu soon? Oh, that's right. So our audience who's not from the island should know. UH Manoa is in the Honolulu area, and then that, that's the east part of the island, and the west side of the island has just become heavily developed over the last 20 years. They call it the second city, or Kapolei. And just shy of Kapolei is UH West Oahu, another four year campus. But there is only one road that goes between here and there. It is a massive freeway. How many lanes across is it? I'm not sure. It's got to be 10 or 12 lanes, right, all the way with both ways. And it locks up tight, like a parking lot. Yeah. And then you get, it's a horrible commute, man. I don't envy you. Do you get to drive? You have to take the bus. I will be getting a car. I actually had a motorcycle that broke down. Oh, but I realized with these new responsibilities of being a club president, I need to be able to get places consistently. Good for you. Yes. Wait, how old are you? 22. And you're responsible. I know. That is just amazing. You're kicking the millennials to the curb, man. That's great. All my daughters are millennials. Listen up, girls. My daughters. Listen up. This is a responsible person. You see this person's doing things the right way. So you are in your second year. Let's talk about your journey now, what you expect and what you really want to accomplish. So your next year, you're going to be president of the club. We're going to try to do a pen test. We want to do more club activities. So we just did a club activity just before the summer started with the US Army military intelligence. The PowerShell Empire. That's a tool in Kali Linux. Or did it come with it? Or do we have to download it? I can't remember. I think we downloaded it. We installed it. Yeah, we installed it. So let's describe what you had to get ready for.
So have you installed your virtual machine of Kali Linux distro yet? Yes, I have. Good. That was one of the first things we had to do last year for the club. And I believe it would be a good thing to do this year as well. Describe the Kali Linux distro and why we use it. It's customized for pen testing. It has all the applications we use. And so you don't have to download them onto your other computers. There's four hundred something tools already in there. Yeah. And we still download more. Yeah. And we still download. There's more stuff out there. Yeah. And Kali Linux is a Linux distro, or distribution, a flavor of Linux based on Debian, for our viewers out there. We're going to inform them. It's not Windows. What you'll see coming up in your new courses here, the labs that we do mainly use your Kali Linux virtual machine, which can be on a Mac or a Windows machine, right? And then we use something like the Metasploitable download ISO, which is just the wide open stuff full of vulnerabilities. Linux distro, probably Ubuntu or something like that. And I will teach you guys how to hack that and find out how to realize that it's been hacked. We'll look for the clues, which is the two levels you want to know. You want to know how to actually break in, but you want to know if you're defending that system, how do you know it's been broken into? Yes. Right. So that's a massively important thing. But we do that on your machine. So you can repeat these labs. And the great thing is once you get those two things installed and they're communicating, you can isolate them from the rest of your network so you don't kill anybody else, right? And you can repeat experiments that you've seen done on the web. You just go out there and look at VulnHub. Have you seen vulnhub.com? I have not. Okay, we're going to go to VulnHub. A lot of fun. Okay. So people say, Hey, look at I broke and they step by step instructions. Oh, this is how you do it.
And for the majority of the time it works. But as you know, people put up instructions and then the system gets changed. So sometimes it doesn't work. You got to figure it out. Yes, right? That's the thing that I think most people in IT don't understand, that if you have a set of instructions, it's good for the 35 seconds until the next edition comes out. And then they'll leave the instructions up and they just don't work. Yeah, it's up to you to figure them out. That's why IT people are so valuable. Yes, because there's no instructions, problem solving, right? Don't be the problem solver that I am. So I am a superstar problem solver. I am not a superstar problem avoider, which is probably why I'm so good at problem solving, is because I make those bad decisions or I have in my life. It's better if you learn from me. Don't make all those mistakes. Just do it right the first time. Learn from your elders. I did not. It looks like you're going down the right path. This next two years you get to learn and I'll share some stories with you about what to watch out for and how to keep yourself on the straight and narrow. And then you got to choose where to go with us. Now, do you know within the cyber security realm what you might want to do? I would rather be on the defensive side, defense. So blue team. Yes, right? Okay. What part of defense? Now you don't want to be the guy that scans logs all day long or you want to be the firewall configuration guy or you're going to be defending the Office 365 cloud version or? I'm not sure. I want to own my own company. So if anything, I would be managing people doing that. That's great. But yeah, right? Entrepreneurial spirit. That's, I encourage that, especially in the security field. It seems that if you go to work for a company, you do make a good paycheck. You will. And there's always a need for you. So you'll never be out of work. The problem is you're really not in control of your career. Right? Yeah.
But if you open your own company, especially in cybersecurity where the unemployment rate is 0%, right? There's always work for you. So as long as you're good with finance and you get the right CPA to handle your accounting and you know how to do a business license, you can be okay. And it's a good life. Just get used to saving money. Yeah, because you make money and then you make no money. Yeah. Well, it's kind of like acting. You know, you work in Hollywood, you work for six months and then you don't work for six months. But if you save your money, you're just fine. This is true. Yeah, most of my friends when we were growing up living outside of Hollywood, you know, a lot of actors, right? Yeah. A lot of my buddies would work for six months doing gaffing or, you know, sound on a movie set. And then they take six months off because they saved up enough money. They went surfing in Bali or, you know, toured Europe. My dad was a stuntman in California. Really? Yeah. You've got that look to you. You do. You got that swagger. So bring that to the game. It means a lot. You know, the self confidence goes with security. You're going to do well. Oh, thank you. So your journey now is the next two semesters with us at least. What then? What then? I would be getting an internship and pursuing my degree at West Oahu. So our internship, we do one at West Oahu and you'll do another one, I believe, at West Oahu, right? We do one at, sorry, KapCC and then West Oahu. So KapCC is the one you haven't done yet? No, I'm preparing. Okay. Did you sign up for the class? Because it's a class. Yeah, I signed up for it. Okay. I talked to the teacher already and I was asking if he could help me get one. He's like, no, I have a lot of kids to help. So I was like, okay, well, I'll try to get mine right now then and figure that out during the fall. After the show, I've got someone for you to call. So you can have a job right now. That's really not a problem at all.
Like I said, it's zero percent unemployment. So I have employers calling me all the time. Hey, we need somebody right this second. So I will hook you up. Don't embarrass me. Okay. The internship teacher, you'll be happy to know, Dale Nakasani. He's going to be our guest in a couple of weeks. Okay. Yeah. So next week, you're the president of HATS KapCC, Kapiolani. Rochelle Monslungan was the previous president and is now president of UH West. Yes. Right. And she's graduating, but she's going to host the show next week while I'm at Black Hat, which we missed you. You need to go out to Black Hat and Def Con. Yes. Something you should make that pilgrimage once a year. Yes, I would like to see that. It's a little pricey, but you get student rates and hopefully this marathon with thing we're doing, we're going to get you some money for next year. Yeah, let's hope that that happens. Okay. So with our last minute, tell us about your expectations and your journey after you graduate UH West. So after I graduate, I would like to work a little bit, save, gain experience, professional experience and then work and start to develop my own company and more of security for homes, because I know homes are becoming smarter with the Internet of Things and all that. Smart homes are built without security in mind. Yes. Yeah. If I fit that niche, then that would be good. That's a good plan. I like that. The Underwriters Laboratory, UL, who comes out with some of the standards for electronic devices, is coming out with a whole security standard, because things like webcams, nannycams, automatic door locks, garage door openers are built with so little security that they're going to put the security standard in there. So maybe that could be your specialty. Yes. I hope, I hope, because that's a perfect niche that is yet unfilled, especially in Hawaii, you could be the pioneer, be right out there in the vanguard of the assault. All right. Thank you very much, Max.
Thank you for having me. All right. I know I want you to host another show coming up in a couple of months, right? You said you were comfortable with the October slot. Okay. So, ladies and gentlemen, be prepared for Max to come back around October and do a show all by himself and he's going to get some experience hosting the Cyber Underground, which is another one of our tools to get the students up to speed. Okay. Thanks for coming by everybody and thanks for listening to us. And next week, I will be at Black Hat and Def Con in Las Vegas. Rachel Monsalungan, our former HATS KapCC and current UH West Oahu president of the Hat Society, will be hosting a show with Todd Nacapuy, our state CIO. That's going to be an interesting show and then I'll be back the following week on the 17th. Until then, everybody, stay safe.