RangeForce Blog | Cybersecurity training for teams

From ‘Freeze! On your knees’ to CVEs

Written by RangeForce Team | Feb 3, 2025 10:53:40 AM

We have invited people from all over cybersecurity to build skills labs on our new platform. Often, we find they have a story to tell. Sometimes, they are even interesting. Our new series throws questions at some of these people. In our first, we chat with Clinton Kehr about guns on the dark web, OWASP and Mr. Robot…

Q: Hi Clint. They tell me you started out as a cop? Were you sitting behind a keyboard the whole time? 

No. I started out as a police officer in Scottsdale, Arizona - kicking in doors and doing traffic stops. Being a beat cop, you learn front-line life lessons pretty fast. For example, to breathe through your mouth when you enter the home of a missing person in 30°C heat…

Q: Doesn’t sound like the traditional skills pathway into cybersecurity? 

I used to enjoy investigations, so I transferred to the ATF. In my new assignment at headquarters I was given the job of running the profile of a dark web weapons dealer. While doing this, I forced myself to learn about technology. By osmosis, I also learned a lot about the mindset of people who seek to do bad things online. 

Q: Tell me a bit about that

When people really want something, they stop being smart. OPSEC was very important to them - but they would always ultimately give me an address if they, hypothetically, wanted their Uzi or whatever. 

Q: So when did you transition from gun and badge, to Kali Linux? 

I started teaching people about how to do online investigations, so I needed to get more technical skills. I decided to give it a go myself at Carnegie Mellon, where I took a course in ethical hacking. I really wanted to be an undercover hacker. It was here I got interested in understanding attackers. 

Q: What do you mean by that? 

Irrespective of morals, attackers think differently. They are endlessly curious, having to think outside of the existing situation to achieve a single goal. I like this.

Q: So you then moved into training? 

I have always been a trainer. I used to teach undercover agents about the dark web. My classroom would have people who were used to wearing full biker dress to work, so it wasn’t a big leap into teaching offensive security and appsec once I had the technical skills. With everything shifting left, if you can’t understand the code, you can’t understand the problem. It’s like being able to see the Matrix.

Q: So tell me about the skills lab you made for RangeForce? 

I created two labs, helping people get hands-on with two CVEs - CVE-2024-4577 (a PHP-CGI argument injection vulnerability) and CVE-2024-49113 (LDAPNightmare). I think these are important things to learn about from a threat intel perspective as there is a public exploit available - so both are being exploited in the wild. This immediately increases the chances of being hit. It’s not a high-end zero-day, but something that could be used at scale against anyone.

Q: Why should people do your lab? 

Too many people never get hands-on with a threat, so they’re missing crucial experience that might help them make better decisions. There’s no point having a room full of highly paid consultants talking about the dangers of RCE if they don’t know how it works. This is why RangeForce is useful.

Thanks for the sales pitch, it saves me having to ask boring questions. In that case, let's finish off with some quick-fire infosec questions: 

  1. Who in the industry do you look up to?
    OWASP. They do so much in terms of free resources. They genuinely want to help.

  2. What makes a good infosec learner?
    Hunger. That and being comfortable with failing. You fail more than you succeed, especially when you are looking for bugs, so you need to be able to push yourself.

  3. Three words that sum up Incident Responders:
    Never stop. That’s two, because it never does stop, so neither do you. But I suppose I would also add ‘learning’ at the end - because you need to keep your skills fresh.

  4. Wave your magic wand and fix one attack vector, what is it?
    People’s minds. Don’t click that link. Don’t ignore the browser update. Don’t forget that patch.

  5. Finally, best infosec book / film / TV show etc.
    It’s got to be Mr. Robot because it’s the closest thing to reality. Having been a cop, I can’t watch things like CSI because I see them enter a room and just think they are going to end up shooting their own team…

And with that, we come full circle. Thank you, Clint. To try out his lab gratis, just sign up for our free platform here