Today's hacker Rhynorater
JXoaT: Where did you first hear about hacking? What was your first exposure to it?
Rhynorater: So, my first exposure to hacking was actually my neighbor. When I was growing up, he was maybe three years older than me and really into hacking- he was a black hat. But, I thought it was really cool.
From there, I kind of went down a little bit less white hat and more gray-hat/black-hat route. But I eventually caught a conscience about some of the stuff I was doing– the money I was costing people and frustration I was causing people, so I decided to stop doing that at the age of 15. From there, I picked it up again in college and got introduced to bug bounty.
JXoaT: So, you had experience since you were relatively young then?
Rhynorater: Yeah, I want to say I was around twelve or thirteen when I decided I was going to take a swing at this hacking thing.
JXoaT: And I feel like there are a lot of people in that age group, especially when it comes to game hacking. There are a lot of kids right now who are interested in tweaking their favorite games a little.
Rhynorater: Actually, you know I said it was my neighbor who got me into hacking, but maybe it was parental control bypasses at 12 or 13.
JXoaT: *laughs* Fair, fair!
Rhynorater: I just wanted to play more RuneScape. But one of those two were definitely my first gateways. A fair share of parental control bypasses and having that neighbor.
JXoaT: I’m sure there’s someone on some forum who appreciates you for spreading that advice. So, when you’re not at your keyboard, where are you?
Rhynorater: Oftentimes, I am spending time with my wife (Mariah) and working on my real estate business. I own two rental properties now. I recently just bought my second home and I’m working on fixing it up right now. So, I’m doing a lot of handyman work at that property.
I’ve come to realize I really love the art of house beautification and remodeling. Even though remodeling sounds less artistic to me. However, there’s another word I think describes what I mean better..
It’s one of the only artistic mediums that I really vibe with now-a-days. I love music. And I sing and play the piano, but I really like making my house and the houses of my tenants pleasant places to be.
JXoaT: That’s a unique experience to enjoy. Is that something you started when you came back to the states?
Rhynorater: Yeah, I actually bought my first rental property back in 2019 as my primary residence. I fixed that guy up, since it was a total fixer-upper. We lived there for about 6 months. Then we moved to Japan, rented that property out, and Mariah’s dad managed it for us. So, we didn’t have to worry about it too much when we were in Japan. It provided a good income, built us equity, and the appreciation on it has done pretty well since.
Credit to Mariah on that one! It was her call on that buy, and I said, “alright, let’s do it.” And it worked out great.
JXoaT: How long were you in Japan?
Rhynorater: We were in Japan for a year and 9 months. We were in language school for 9 months, but then we quit after I joined a company in Tokyo. I was essentially doing bug bounty through that company there, however it had its own caveats. But I was essentially still doing the same thing.
It was a way to stay in Japan for a bit longer and enjoy our time there. It beat being in language school for 5 hours a day, then coming back to a couple of hours of homework. At that point, we were making friends and practicing our Japanese with them.
Then towards the end of our time there, we participated in a church plant in Yokohama, right outside of Tokyo. So, we were missionaries for 3 to 6 months, spreading the gospel in Yokohama.
JXoaT: That is a very different aspect of you I wouldn’t have known. I’ve talked to other hackers learned more about how religion is part of who they are. It isn’t a commonality I don’t always see represented.
Rhynorater: There’s actually an astounding amount of top tier hackers that are Christians and there’s a lot of comradery between us. I’m really happy to have a community in that area. I talk about it when people ask me questions like, “how do you not burnout as a full-time bug bounty hunter?” And, to be perfectly honest with you, it’s the grace of God. It’s a focus on having my values placed somewhere other than my achievement in bug bounty.
And not to say as a Christian you can’t make that mistake. But, before I really leaned into finding my identity in Christ, more so than my work achievements, I would take things a lot more personally. Like, when I didn’t get that rank I wanted in a live hacking event, or my bug got downgraded, I’d get crushed. And for me, those are the kinds of things that take a mental health toll. But when you define your self-identity and worth in the love of God, which is never failing- I don’t know, there’s just a peace about it. It really helps me to continue on in bug bounty and helps every aspect of my life.
JXoaT: I think there’s something that I’ve seen in you particularly, especially when you talk about this and missionary work. It is the want or active participation of helping other people. A good example of that is your work with the ambassador club. We recently talked about how you had a group of people that you essentially showed an exploit to, and gave them a direct path to a bug.
And, bug bounty is a very competitive space. So, doing that for people is an intense kindness.
Rhynorater: Yeah, absolutely man. And all I can say about that is that that's the work of Jesus in my heart, and also the work of giants whose shoulders I stand on. Because, people did that for me- and I always shout out Tommy DeVoss, since I wouldn’t be here without him. He took time out of his day, one random day in 2017 to come to a college cyber security club and talk to me and the group about bug bounty. That day changed my life forever. His openness about his bugs, and then everyone at live hacking events being willing to share if you pursue and talk about your curiosity.
We all stand on the shoulders of giants and that I think is our shared reality in all of tech. At the end of the day, nobody knows everything from C# or python, all the way down to how electricity is coming across the wire. There’s just so many pieces, and we trust those pieces without knowing- so, we build by trusting the work of others. So, I think it is important to give that back to the community.
JXoaT: I agree completely. Speaking of which, the most recent way I’ve seen you give back to the community is your podcast (Critical Thinking Bug Bounty Podcast).
So, what inspired you to start doing them?
Rhynorater: To be perfectly honest, I wanted a podcast to start listening to about bug bounty. I saw there were a couple of people who took a stab at it and stopped after a couple of episodes- I really don’t blame them now that I’m in that position!
So, I wanted that piece of content and was like, “Well, I can talk,” and “you know who else can talk, Joel.” So, I was talking to Joel one day and he had helped me with an awesome bug (he’s phenomenal) and one of my go to people when I have a problem that I can’t solve.
He's very nerd snipable, which I call him out on in a podcast episode. He’s able to get in the mindset of, “Oh, dude, check out this cool thing” and fixate on it. So, that’s a great aspect in a friend. And also, Joe has a lot of great experience in the blue team side, as well. He’s been working as an appsec engineer at Uber and Tinder- all over the place. And I wanted that other side of the table to be represented in the podcast too. He has a lot of valuable opinions from that end and will help as the podcast matures. We want to talk about vulnerabilities, but also talk about how to remediate them.
Really, I just wanted a podcast to listen to, and I can talk all day about bug bounty- which I am sure you’ll see from the runtime of our podcast.
JXoaT: Oh I know, I tuned into the first episode and have the second queued up for the plane ride home. But 50 minutes, FOR YOUR FIRST EPISODE. And I understand being your first episode, it is an introduction of the podcast for your audience, but you still had incredible content throughout it.
Rhynorater: Thanks man!
JXoaT: I completely enjoyed it even as a novice.
Rhynorater: Well, the next one is an hour and fifteen minutes, SO BUCKLE IN.
JXoaT: I’ve got a four hour flight, let’s go.
And, again, I am glad you shared this with the community, because podcasts I’ve seen had lacked the depth I was looking for.
Rhynorater: Yeah, actually, when I was looking and doing research for the podcast- I want to just go ahead and give a shout out to Day podcast, they were the only other podcast in the space that I could find and they were really supportive. Literally, from the first day I posted something, they were like, “Hey, checkout this podcast. If you like our podcast, check out this one.” I didn’t contact them or anything, and they are just so cool for doing that. I really appreciate that. It’s a good space to be in.
JXoaT: I have an off the beaten path question for you now, and kind of goes back to you living in Japan. You were in the ambassador club in Japan and now you’re in one here in the United States. So, you’re the first person I know of who has been an ambassador to two places.
So, my question is, when the world cup comes up this year– where are you gonna be man?
Rhynorater: To be perfectly honest, I think I am going to be in Virginia. That’s where my squad is now. And the team in Japan is in really good hands. Mokusou, his name is Sou, he’s a really passionate hacker. He’s a really good hacker, just a brilliant individual in general. Then you also have Ryotak, who is also extremely talented. Then you have other foreign friends in Japan who are really skilled. Hopefully, we can get Masato Kinugawa to go, he’s really skilled and part of the Cure53 team. So, I think they have a great team.
But, in Virginia, we have some up and comers, for sure. Obviously, we have me and Tommy DeVoss here. So, I think it will be a good run this year. I didn’t get to participate as much last year, due to transitions in my own life. But this year- I’m ready to buckle down.
JXoaT: I’m excited to see how it will all turn out in the end.
So, closing question, what advice do you have for other hackers out there?
Rhynorater: Yeah man, it’s hard to consolidate it to one piece of advice. There’s so many facets to hacking, it's a massive industry in general. There’s a lot of components that need to come together for you to be able to do it successfully.
At the end of the day, it’s understanding attack vectors. This is something that I talk about with my students. It’s understanding what kind of attack vectors are feasible and finding what attack vectors work with an application’s threat model, then being able to implement those attack vectors to see whether they work or not. If you’ve got those three pieces, you’ve got enough to be a hacker.
That’s the kind of place I try to get my students to, this process of saying, “Okay, there’s an application here’s its threat model. People should be able to access this, or do that- what kind of attacks are technically feasible that we can test?” Then obviously, if you maximize the amount of test cases you try, over time, you’ll find bugs. I say this, but definitely don’t take my own advice at times, but focus on that cycle. The threat model realization, understanding the threat model for an application and coming up with technical approaches to see if you can implement those threats, and then validating if they work or not.
If you want to stay sustainable in bug bounty, do not define your self worth off your success in this field. It’s not going to work, I promise. Save yourself a lot of pain and energy by putting your self-worth elsewhere- wherever that may land.