When it comes to protecting the internet, Erik de Jong does not shy away. From training in electrical engineering to working in the cybersecurity industry, researcher erikdejong has remained passionate about securing the cyber world. We hope this month’s spotlight can serve as a reminder to follow your dreams and pursue your goals! Check it out.
How did you get into the Cybersecurity space?
“I trained to be an electrical engineer in college, where I specialized in embedded systems and communication between computer systems. After college I worked as a network engineer for an MSP and over the years my interest started to shift more to cybersecurity as a professional career rather than a hobby. In 2018 the incident at OPCW in the Hague where Russian spies tried to hack into a WiFi network was the point where I decided I wanted to use my skill to make our world more secure. So after that I decided to get some Offensive Security certifications and get a day job in the cybersecurity sector. Looking back at my life it is no big surprise I got to where I am today.”
What and/or who first sparked your interest in hacking?
“All my life I have been curious to learn how things work, especially appliances and computer programming. When I was around 7 years old in the mid 90’s my dad showed me how to write simple computer programs and I was sold on the idea of machines doing boring work for me rather than having to do it myself. In the early 00’s while in high school I started getting into topics such as reverse engineering and OS design, which led to writing key generators and cracking software protection. During this period I learned that if people said something can’t be done it’s usually because more effort is required rather than something being impossible (try harder, haha).”
No matter how many times you fail, keep trying. One day, when you get it right, you’ll look back and be glad you didn’t give up. 🥲
“Later on, when I was in college I was lucky to land a student job for a company that was looking at building a new project using embedded Linux appliances. This was in a time before popular single board computers such as the Raspberry Pi, which meant support and tooling for platforms other than Intel was pretty fragmented. I had to learn a lot of low level things even though I had been using Linux and compiling kernels for 10 years by then. With all this background knowledge I started to find increasing numbers of vulnerabilities in devices and software throughout the years.”
How long have you been hunting?
“I have been doing research and writing exploits on and off for about 15 years now. It was only after I started hunting for bugs on Bugcrowd in 2019 that I have adopted a more professional stance and started to plan time to work on certain projects taking into account the returns on my time invested.”
How have bug bounties impacted your life?
“Bounties have certainly impacted my life! While the housing market was quite tough at the time, I was able to buy a nice house with a greatly reduced mortgage because of money I made off bug hunting. It was quite interesting having to explain to mortgage agents and notarial staff that no money was being laundered haha.”
No money laundering around here, just saving the world! 🌎
Are you a part-time or full-time hacker? How much time do you spend hacking each week?
“On average I spend around 10 hours a week hacking. I choose to work part-time to make sure it stays something I enjoy rather than becoming a chore :)”
Thinking about becoming a full-time hacker? Check out Codingo’s blog here, which outlines a list of important pros and cons to consider if you want to turn bug bounties into a living.
What has been your biggest challenge while hacking and how did you overcome it?
“On top of time management it’s certainly hard to keep focus if there is a period where I don’t find anything for a while. It is also quite frustrating to be stuck on something where you have a hunch it can be exploited but haven’t found the way to do that yet. By now I have learned when to park a problem and have another crack at it after I’ve had more time to think about it.”
We might need your tips on how to know when it’s time for a break or to keep hunting. 🙏
Do you have any favorite tools or resources to learn? What are they?
“I have found there are not a lot of tools required for the way I work. For reverse engineering I tend to stick to software like Ghidra, jd-gui and good old `grep` :). In the end I figure that if something can be found with a tool somebody will have found it by now, so I prefer the manual approach. Apart from tools I have found documentation on (standard) libraries to be invaluable when working out how an application works; I think I have yet to find a project where I didn’t consult the trusty old `man` pages. To sharpen my skills I usually just download random software from the internet to analyze and attack; somehow I feel a bigger sense of achievement breaking something nobody broke before rather than training on labs where so many people have been before. Getting some CVEs as a reward is a nice bonus ;)”
Do you have any advice for new hackers or people transitioning into bug bounty?
“Find your niche, if you do the same as all other hackers you’ll end up with a lot of frustration from duplicate reports. Also make sure to understand things as low level as you feel comfortable with and then go a little bit deeper, because understanding how something works helps in finding ways around common fixes. There have been many times where I was able to bypass fixes just because developers didn’t know obscure details of software involved. Don’t be afraid to invest time in a new skill that might not pay out directly, for instance why not make it a personal goal to learn regular expressions before the end of the year?”
“Never let other people tell you what to learn, if you have a hunch something might be useful why not spend (a reasonable amount of) time on it! Recently I have noticed an increasing number of online classes about bug bounty hunting. I would avoid replicating something other people do and instead focus on your own research, as the industry gets more mature you’ll need to stand out from the crowd if you want to be one of the top players in the field.”
What’s an important lesson that you wish you learned early on in your hacking career?
“I learned the hard way that vendors might not always be as happy about your responsible disclosures. Especially before I started hunting on Bugcrowd I sometimes felt let down by vendor responses (or even the lack thereof). Managing my own expectations is one of the most important lessons I have learned from bug hunting. In my experience Bugcrowd is pretty good at standing up for researchers and this alleviates headaches from dealing with vendors. On the other hand, the world is not just black and white, so try to understand any criticism you receive and be sure to accept a good counter argument after considering it objectively.”
How do you avoid burnout? How do you take care of yourself and your mental health?
“It certainly comes down to planning, I try to plan my projects to keep enough downtime in between to give my brain some time to breathe. Learning when to take a break and when to stop are the most important things to keep motivated and avoid burnout. I live in a rural area so I definitely make sure to spend enough time outside in nature with my family and to get some exercise to keep fit. Any stressful day can be rescued with a nice bike ride along the seaside!”
Where do you see your journey going from here? What are some goals you have for this year?
“I am always trying to challenge myself to force personal growth and this year will be no exception. I feel I have to work on my reverse engineering skill for software written in Go, it is something I have been putting off way too long! Apart from that I would love to get more experience in serverless computing and find some nice fat bugs there.”
“With the pandemic having somewhat died down I also hope to find the time to attend more in-person events; the Las Vegas Bug Bash last year was great fun and gave me a taste for more after doing everything remotely the last years.”
Why do you hunt with Bugcrowd?
“I feel really in tune with the Bugcrowd staff and customers. Over the years it has been great to deal with mostly the same people and I especially enjoy doing follow-up testing on private programs. I especially appreciate the way Bugcrowd is always trying to enable my personal growth by working on great (private) programs where I can learn something new while at the same time applying my existing knowledge to earn a bit of cash.”
Tell us what you do for a living or your career aspirations.
“I have a day job at an internet service provider where I am part of a team responsible for the overall security of the organisation. While it is not as technical as the projects I do for Bugcrowd, I really like the dynamics of working with people from all over the organization to increase our security level. In the end corporate security is actually so much more about humans and their behaviour than it is about implementing technical solutions. Taking somebody through their workflow and finding ways to do this in a safe way that is still productive is a challenge that never gets tired.”
What does your life look like outside of hacking?
“I have a lovely family with two small kids, so family time really helps me to relax. Nothing better to get my mind off computers than seeing them grow up and explore the world. My other hobbies include reading (I consider the e-reader I bought back in 2012 to be the best purchase of my life), walking, cycling and cooking (my partner is a vegetarian so I have learned how to cook great vegetarian meals that she and I both can enjoy!). I am also part of a group with regular game nights where we play role playing games such as Call of Cthulhu using an online boardgame platform while we chat about nonsense on Discord.”
Who is your hero?
“I don’t really have a hero per se but I do like to take to heart the advice Raymond Chen gave back in 2006 in his blog post “It rather involved being on the other side of this airtight hatchway” (https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31283) when I assess the impact of a security issue. He also has some greatly detailed articles about computer architectures; if you like low level and obscure stuff you should certainly check it out!”
Tell us a fun fact about yourself!
“Once while travelling in China, I ended up giving an impromptu masterclass on how to make pizza to staff and customers at a Chinese supermarket. It was a pretty surreal setting with people getting ingredients from the store shelves and some even going out on motorbikes to look elsewhere for stuff they didn’t have in this shop. In the end they brought out an oven into the middle of the store where we baked some pizzas before sharing them with the audience.”
Our next LevelUpX is going to feature Erik on how to make pizza. We’re kidding (maybe 😉).
Want to stay caught up with all things Bugcrowd? Follow us on Twitter and Instagram and don’t forget to join us on Discord! Are you ready to join the hunt? Sign up for a researcher account today and start your hacking journey!