Bug Business is a series of interviews in which experts from the bug bounty industry shine their light on bug types and trends. Fredrik Alexandersson — better known as STÖK, has become a bug bounty sensation in months. With 40.000 YouTube subscribers and 25.000 followers on Twitter, his fanbase is rapidly growing, but who is this self-proclaimed hackfluencer and what drives him?
I know very few hackers that vlog, crush live hacking events while running a sustainable fashion business. How did you get here?
“No idea to be honest, life happened I guess, I just love learning new things and I tend to get bored super easily. For instance, I bet you know someone in your life that does everything to a certain amount of level and then just out of the blue just quits and moves on to something else. Well that’s me in a nutshell.
A typical example for me is when I was introduced to juggling. I was attending this party and this dude just casually picks up some juggling balls that was lying in the table and starts to run this routine. Not just the normal kind of “three balls” kinda stuff, but really advanced juggling that was super graceful, flowing and smooth. I’m like whaaaaaat!? Normal people can do that?! Not just the ones that more or less born in circus? I wanted to learn how to do that! I had to learn how to do that!
The thing is, I have this talent or maybe curse that I tend to get obsessed about things. If I want it, I go all in! So since this was before the YouTube era and the only way to get information regarding juggling was to go to the library and read books about it. I’m not a huge fan of that — so I did what i knew would work. I practiced. A lot. To be honest I carried my juggling balls around with me everywhere, always trying new things. I went to meetups in parks and met others that did the same thing. One day I managed to juggle a 6 balls shower on a unicycle. That night I went to bed knowing I was done with juggling. I’ve completed the task i set out to achieve, and I’ve never picked it up ever since. I was like, ok, cool I know this now. Next!
But I never stopped skateboarding or being into computers. For me that’s areas of interest I can’t be satisfied with, there is always something new to learn. Whatever you do, you can just tilt your view just a little bit and voila, a totally new area to explore, That’s why I love this industry so much, its ever-evolving, always challenging. You can certainly be good “enough” at certain things, maybe even become an expert in some areas, but if you like me want to keep learning for life, then there really isn’t any bottom, you can go as deep or as wide as you want. I strive to stay curious, I want to know what is going on, to challenge myself, to learn and understand new things, technology, life and people. So I ask questions, how? why? what? what happens if I try this? or that? And its quite remarkable how willing people are to share their experiences and knowledge if you just build up the courage to ask the right questions.”
Who inspired you to become a hacker then, when did that spark for you, working in Active Directory, where did that spark happen and who inspired you?
“I would have to say, that it all started thanks to Darren Kitchen over at Hack5. They weren’t on YouTube yet but on some kind of pre-youtube internet channel back then. Anyways, I was primarily working with infrastructure and Active Directory in Windows 2003 environments and securing radius EAP wireless solutions. You kinda get the idea. You have all this fancy hardware that is doing all sorts of things but how do we know that we actually did configure it right. Somebody probably should test it? So I started researching, learned about the basics of ports scanning, segmenting and eventually learned how to actually do wireless hacking and poking firewalls using BackTrack 2.
In 2014 I moved to Bali and lived there for a time. I was primarily working with Azure design at the time but had brought some pen-testing hardware with me and noticed how promiscuous people were with wireless access. They were not interested in security at all. Not even the digital nomad developers really seemed to care. I was still on the defensive side, blue teaming, patching, maintaining, segmenting, designing, securing. In short, i was making sure that the companies that hired me was secure, but i had slowly pivoted towards the more offensive part. Because you know it, I know it, there are loads of companies out there with huge complex infrastructure, 5.000, 10.000, even 50.000 computers and heaps and heaps of servers. Inside these organisations, you have it departments whose only job is maintaining delivery and working with uptime. These teams hates downtime, but securing an organisation will require scheduled downtime, things have to go down to be patched, updated and secure.
So I later realised that a very effective way to get funding for that patching project or server upgrade my team needed was to show the person that was responsible for the funding how we could “own” ourselves if the systems wasn’t maintained or hardened. And if we could do it, you bet an external actor could. It never failed, POC or GTFO in my honest opinion.
I started with offensive hacking because I wanted to become a better defender.”
That is pretty cool, talking about your experience like Active directory. I have yet to find a security bug in active directory because I know shit about it. So how often do you encounter these? How often can you use the knowledge, because you have been doing this for a long time not only on the offensive side but also the defensive side. Are there any moments or bug bounty’s that you remember you found thanks to your experience in Active Directory. Because I wouldn’t even know where to begin looking for them.
“Absolutely, it’s commonly used in single sign on environment for third-party solutions and authentication. If its not IAM then there usually is Active Directory in back-end. Office 365 and most of Microsofts products run on personal “cloud” instances of AD. And with bigger organisations adapting to it, adding loads of system administrators, it’s hard to keep up with the changes. Things happen, access gets granted to the wrong person due to groups rights, services have elevated rights, passwords get stored inside GPO’s, loads things can go wrong, even a simple thing as a misconfigured DNS server or even a time drift in the servers internal clock can make things go all cray cray. Add automation and deployment to the mix and voila, things will start to get really funky.
For instance, I was playing around with a web application SSO bypass a while back and a simple way to make the authentication request go to the local server in a windows environments instead of the AD is to use ./username instead of username@something in the user form, it’s a simple technique but it managed to give me access to a test account on the local server that was created during the web application installation phase, which then allowed me to access the admin panel. The test account didn’t exist in the AD or inside the apps internal user database since it was created on the local box itself during the setup phase which made it hard for the defenders to identify and mitigate.
Imho, there is almost always misconfigurations and weird stuff going on in old Active directory installations. So even if all it takes is a few “next, next, next” clicks. Don’t publish or sync your AD towards the internet unless you know what you’re doing.”
You recently decided to quit your day job to do full time bug bounty hunting and live hacking events. With another live hacking event scheduled this weekend, what does your schedule look like?
“Since a live hacking event is coming up my routine is obviously way different from how my normal day would be like. But I wake up around 8 o’clock in the morning, do about 30 to 40 minutes of pranayama, yoga, meditation, and prime work. This is where set my mood for the day and get into a positive and grateful mindset. Then I put on some music, pour myself some really strong organic coffee, eat some nice sourdough bread sandwiches and drive into town to my studio. I then work for about 4 – 5 hours before it’s time for a break. Since I’m in the city I usually head out for lunch and then continue to work for another 4-5 hours. For me it’s very important to do things in bite sizes or else I would be extremely overwhelmed. I tend to think about any project that seems daunting, like a wildcard scope target, in the same way as one would eat an elephant or build a brick house? you start and go at it piece by piece.
So, I approach each new target one host at a time. Gracefully, I do my recon, enumerate the hosts, do my content discovery, map out the terrain, study the app, read the docs, try to understand and create a mental map on how the design is intended to work. Then I look for anomalies, things that stand out and try to see if there is is a way for me to use the design against itself. The thing is, since I’m not from a developer’s background I don’t understand most code, so I have to rely on deep understanding of design flows and figuring out what the developers missed. That usually takes time, so I prefer to hunt on programs that I can “fall in love”. and return to them from time to time to see what has changed. Then I do a lot of content creation, recording tutorials, videos, editing vlogs and just being creative. If you add my speaking engagements, thrivestore.se (my sustainable fashion store) FTSMSFTS my latests clothing brand and all the freelance work it’s quite clear that I’m definitely not hacking fulltime.”
You say you’re hacking in cycles of 5 hours. Are you one of the few people that don’t do all nighters when the stumble upon something just before bedtime?
“I actually had that situation last night. I was working on this idea that I wanted to build on, super hyper focused. But thankfully I have Sara in my life. So what happened is that she said “It’s now eight a’ clock, your screen time for today is now over, your brain needs to get some rest” And even though I wasn’t to happy about it at that exact time I knew that if I stayed up all night, grinding on, I would have been totally drained and not to happy about life in the morning, and to be honest, im only half as productive as I think I am if I pull a all-nighter.
But this comes from experience, iv done all-nighters before but learned to adapted accordingly. Being up all night, tired, so close to a breakthrough, trying to muscle through, trying to figure this thing out. Isn’t worth it for me. I now know that I produce WAY better results and consistency if I make sure to get my 8 hours of sleep and a good batch of non screen time every day.”
So you are hacking with Disturbance once again for this event. Is it like a full collaboration? How does it work? Does every member have a set expectation?
“Yeah, the expectations are pretty simple. You are expected to invest the same amount of hours as your peers. If you feel that you don’t have the time to do it, you politely say so, explain that you’re busy doing other stuff and that’s cool too. It’s not big deal. We have a very professional and organised approach. We have a manifesto and defined rules. Shared infrastructure, Slack, GitHub repo, Trello boards and video conference communications.”
More and more live hacking teams are popping up: DISTURBANCE has hit a dozen live hacking events and soon “The Syndicate” will join their ranks. Why is that?
“For us it is very simple. Instead of 9 people doing overlapping work. We collaborate and share both resources and knowledge. We accumulate all our recon data. Recon is the secret sauce of every hackers game. Because how you find your secret stuff is how you diverse yourself from others. And to get the really cosmic bugs you need collaboration. One brain just isn’t enough, and if we can get 9 brains approaching a problem from different angles we can cover more ground in less time and then look all over for that exact scenario, because if you find it once there’s a huge change you will find it elsewhere to.
I’ve noticed that a lot of hackers are very protective about their own recon process. I totally understand that, it’s your own secret sauce, your wordlists. That’s cool, you don’t have to share that. But what you could do is to bring the findings you have and say “Hey!, I found this, let’s exploit it together”. I mean why try to smash your head against something that someone else might already have the answer to.”
Then there’s also Team Sweden, one of the first and most successful collaboration fronts in the short history of bug bounty. Why is that? What’s in the tap water in Sweden?
“I’m not sure, but a lot of Swedes have had access to the internet from their homes since the 90’s . And since English is taught in schools from a very early age the language barrier isn’t there. And with unlimited access to online resources it’s the individual’s own imagination that’s the only limitation.”
I think that Swedish people, and you in general are really creative. You work in sustainable clothing, hacking and making video’s. How do you combine all these things. How do you stay focused when there is so much going on?
“I don’t know, I’m just a crazy person. As I said, I get bored very easily but I can stay hyper-focused on one specific task for a few hours. Then I generally need a break. For me having a sustainable fashion store, doing live events hacking, freelancing, speaking, traveling the world and creating educational content is priceless. I live my dream life.
If I only had to do just one thing it wouldn’t work. But having multiple ongoing projects that i can focus on when the flow is right, keeps my mind busy and entertained, which makes me me enjoy it even more.”
Do you have a script while filming on those live events? Or does it happen naturally?
“It happens naturally. I like computers a lot, but I like to interact with people even more. I am an extrovert outgoing person and it feels natural to me to bring the storytelling element into the conversation. It is a way for me to also remember these moments. It will be really interesting to look back in a couple of years and see how these live events and the Bug Bounty business evolved. Everything we experience now is over in a moment, it just takes a second. But if I am able to leave a legacy and get more people involved in IT security, helping them take that move into infosec. Then my mission is complete. Sadly there is a lot of gatekeeping going on in IT security, people will tell you that you’ll first need at least 5-10 years of experience in infrastructures to even start. Sure it helps, but it is not that important. The ability to learn new things and adapt to the new market is what matters, and I want to be an inspiration for new hackers to enter into this field.”
How much time goes into making a these video’s from start to finish?
“I spend about 30 – 40 hours of editing on each video. For me the “time” ratio is about 1×25. Which means one hour of filming requires about 25 hours of editing, which is typical for the industry. But hey, I love editing. Thats where the storytelling really comes to life. And in todays market you need to make things that stand out, I want my video’s to be engaging so people will be inspired and stay inspired.”
What motivates you to keep sharing your videos?
“I love learning new things, and I believe in karma. For me it’s about sharing is caring, and I realised that why try to educate one person when you can educate 5000 at the same time or whenever the time is right for them.
So i’m doing and investing all this time, so people can learn stuff. I personally struggle with reading books (im more of a audiobook kinda gal) but I do learn a lot from video’s. And i thought that if it works for me, maybe it would work for someone else too.”
If you had all the money and time in the world, what would you do with your creative energy?
“I would continue to do what I do. but at a larger scale, maybe have a team around me. I just took the biggest leap in my career. I decided to quit my day job after 17 years to follow this creative lifestyle. I’m going to gamble, take the leap, give it my all..
It’s scary since im not going to have a fixed income and won’t be able to do certain things that i used to. But I really need to do this, I need to at least try. So in 2020 I I will travel to Live hack events and hack with DISTURBANCE, create loads of educational content and launch my clothing brand fitsmisfits. Live the creative lifestyle and see where it takes me. The goal is simple. Learn as much as possible to become a better hacker and a better content creator, then share that knowledge.”
Do you consider yourself happier now that you are doing full time bug bounty hunting?
“Yeah, 100%! But I still need a strict routine. I also decided that I am going to love myself more. I am not going to be as hard on myself anymore, im going to let myself fail, to try new things. If you have a positive mindset, good things are going to happen. And in fact, I found a critical yesterday so yeah, I’m happy.”
To wrap things up, I hear a lot of people wanting to make the leap to full-time bug bounty hunter or creator. But they are really scared. Do you have any advice for them?
“I would say, don’t jump the ship until you have a little bit of a buffer. Save a little bit of money so you aren’t mentally stressed about paying your bills for at least 5 – 6 months. Bug bounty is hard, you don’t have a fixed salary. Sure, good things happen and you can earn a lot. But it can go both ways. I prepared myself by planning and minimising my expenses. Make a plan for yourself. Set a goal. Maybe do one year and see where it goes. It all depends on where you live and what your tax situation is but to be honest, if I get just one critical or around 6-8k a month that’s more than enough to keep me sustained with my current lifestyle. I realised that i needed to rethink my approach from being based around monthly earnings to instead approach it as a yearly earning and plan accordingly. That has removed the anxiety and pressure of having to “earn” and instead given me the hunger to hack because I want to learn new stuff end exploit cool chains.”