Portuguese English German

About

Hello,

I'm Anderson Dadario.

I've been diving deep into IT and Information Security since 2005. I'm passionate about startups, data science, neuroscience, instrumental music, information security, and software engineering. Learn more on LinkedIn , or check out part of my story below:

Story

When I was in the 7th grade, during an "informatics class," where I used to learn about Microsoft Office and how to search on Google, Altavista, Yahoo, etc., a friend of mine showed me something astonishing. On Internet Explorer 6, he selected "View > Source Code", which opened a notepad window containing the source code of the current web page, whose address I've forgotten. In fact, today, I'd pay to remember that page.

This moment occurred just a few months after the release of the movie, The Matrix. So, I started to imagine strange things related to code and realized that I wanted to create those codes. So I asked my friend, "Where did you learn this?" He replied, "I've been using this website (webaula.com.br), which has a free online HTML course." That was the starting point of my career. Later on, this friend pursued a Cinema career, and I continued studying information technology but developed a passion for entrepreneurship, information security, and data science, in that order.

I started coding in HTML, copying JS scripts, and attempting to modify them little by little until I was able to develop my own scripts. After that, I discovered server-side languages, more precisely PHP. I was so delighted that I contributed some open source scripts hosted on PHPBrasil, a Brazilian website that hosts PHP scripts and articles. I'm not sure if GitHub existed back then.

I even tried to build my simple MD5 cracker, a script in PHP that attempted to break MD5 hashes by brute force using a while loop, which I named "MD5 Brutal Breaker". A few months later, I discovered why that wasn't a good idea at all and why cryptography is so fascinating. A few years later, I discovered that MD5 is doomed, as are SHA1, RC4, SSL... and also discovered that this list never stops growing!

Hacking

I've heard many definitions for this. One of my teachers once said that Hacking is like being a God, so he didn't believe that any person could truly be a hacker. That's the most extreme definition that I have so far about hacking. To journalists, hacking is essentially stealing data, doing harmful things virtually, etc. For me, and I think for the YC community too, it means understanding how something works in detail and seeing how you can alter its behavior or expected output. It involves playing with creativity and deep knowledge about a specific topic. Some use the term "Hacker" interchangeably with the term "Engineer". I believe that they are two very different terms. Regarding this topic, there is an essay that's worth reading.

One day, in my 8th grade, my Art teacher said, "Please, do some research about this famous artist and cite the website from which you took the information." The homework happened to be shared among the students, but without the website citation. So, I had an idea to put all the answers on a website and use that as a reference. It seemed lame, but clever. At least that's what I thought. Today everyone can create a website, but it wasn't true 10 years ago, so it was kind of cool. All students got 8.5 out of 10 possible points, and the teacher said she wouldn't accept that suspicious website again.

Thinking of how to improve this idea, I created a website to unite all students to share homework anonymously, even before Orkut became popular in Brazil. If Orkut hadn't existed, I certainly would have created it. I remember how much I had to improve at that time. To protect the files uploaded by the students, I just set a permission to 600 to prevent them from being accessed over the web. When someone wanted to download, I just set a permission to something like 777, started the download, and reverted the permission to 600. Then I understood that I could put the file under some folder not exposed by the Apache web server and so on, but it was a start. One decade later, and people are still leaking documents as you can see on Google Hacking. Try to search "ext:pdf CONFIDENTIAL" on Google, and you'd be surprised by how many results show up.

Startups

First attempt: After working a bit at Nube, I decided that I should try to start my own startup. At that time, many group buying companies were becoming popular in Brazil, such as Peixe Urbano. It's a Groupon copycat that made a huge success here, but like any other group buying company, it ended up in bad shape after the bubble exploded. They are still alive, but it's not the same.

At that time, I didn't know, of course, so I just followed some random instinct and said that the future would be focused on group buying, instead of a general one. I'd build one focused on food, because I love food, so it seemed like a good rationale, haha.

Six months passed, and I built Dica Gourmet using PHP and PostgreSQL. It had a better UX than Peixe Urbano, huge pictures of food. It was amazing, but I needed to find partnerships and made only one cold call. No success. I stopped trying to sell after that, haha. Lesson one: selling is hard. After that experience, a good job offer came out of nowhere, and I returned to work in a company.

Second attempt: Two years later, I started building an InfoSec as a Service web app that would automate requests for many information security services. I was looking forward to it being useful as a front-end for a security consultancy firm. I finished it using PHP again because I was so focused on learning security that I didn't study another language at the same time. However, in the end, I realized that it wasn't what I was looking for. I wanted to build a self-service web app that could make my life as a security consultant easier, which led me to the third attempt:

Third attempt: Gauntlet.io! One year after my last attempt, I embraced the challenge to run multiple scanners against a website and went all out. This is what I am currently doing. I've been writing a few posts about how it's going (here and here). I've never dedicated so much time to an idea like this before. It's been two years now. Part of it was learning Ruby on Rails and AWS, part of it was working for a payments startup, part of it was teaching CSSLP and, of course, working hard and coding a lot most of the time. I also created FindMyEngineer in an attempt to have multiple products to minimize the risk, but it deserves an entire post to talk about it. So many things happen at once for everybody, I guess.

Certifications

This is such a controversial topic, but I'll keep it short as I don't have much to say. Before achieving some popular certifications in the information security field (CISSP, CSSLP), many people talked to me about how hard it was to get any of them. I saw that as a challenge, studied and passed. I didn't overthink this topic. In the end, I learned a lot, although, as expected, only part of it can be applied to your day-to-day. Still, learning more aspects of security that I hadn't worked with before gave me a broader vision of security itself, e.g., Business Continuity. If you're thinking about achieving one, consider what you'll learn rather than how your CV will look. They'll help you a lot, and I'm very proud of achieving them. I've described my journey on how to achieve CSSLP here.

For CISSP, I first took the 1-week review seminar, then, because I had just joined Walmart, I didn't study for the exam. At that time, it was more important to study topics related to my job activities, e.g., Java, rather than hold any other certification. So I waited 8 months to start studying. Then I read the book I had for 4 months, practiced on some tests and passed. Many wait for the company to pay for the training or exam... but don't wait. The career is yours.

Still, certifications are very good to prove part of the knowledge that a professional must have in the security field, for example, but if that's all you have, you need to study more. That's what I believe. For example, it's good if you know how to apply security to the SDLC, but it's great if you can actually apply security to the SDLC and have something to show for it. Theory supports practice. Practice supports theory.

Will add more content over time ...