I'm Anderson Dadario.
Diving deep into IT and information security since 2005. I'm passionate about startups, data science, neuroscience, instrumental music, information security and software engineering. Learn more on LinkedIn, or check out part of my story below:
When I was in 7th grade, during an "informatics class" where I used to learn about Microsoft Office and how to search on Google, AltaVista, Yahoo, etc., a friend of mine showed me something astonishing. In Internet Explorer 6, he selected "View > Source Code", which opened a Notepad window containing the source code of the current web page, whose address I have since forgotten. Actually, today I'd pay to remember that page.
This was just a few months after the release of The Matrix, the movie. So I started imagining weird things related to code and realized that I wanted to write that kind of code. So I asked my friend "where did you learn this?" and he said "I've been using this website (webaula.com.br), which has a free online HTML course". That was the starting point of my career. Later on this friend went into a career in cinema and I kept studying information technology, but developed a passion for entrepreneurship, information security and data science, in this order.
I started coding in HTML, copying JS scripts and modifying them little by little until I was able to develop my own. After that I discovered server-side languages, more precisely PHP. I was so delighted that I contributed some open source scripts hosted on PHPBrasil, a Brazilian website that hosts PHP scripts and articles. Not sure if GitHub existed by then.
I even tried to build my foolish MD5 cracker, a PHP script that tried to break MD5 hashes by brute force using a while loop, which I named "MD5 Brutal Breaker". A few months later I discovered why that wasn't good at all and why cryptography is so amazing. A few years after that I discovered that MD5 is doomed, SHA1 is doomed, RC4 too, SSL ... and also discovered that this list never stops growing!
I have heard many definitions of hacking. One of my teachers once said that hacking is like being a god, so he didn't believe that any person could truly be a hacker. That's the most extreme definition of hacking I have heard so far. Hacking for journalists is basically stealing data, doing bad things virtually, etc. For me, and for the YC community I guess, it is understanding how something works in detail and seeing how you can change its behavior or expected output: playing with creativity and deep knowledge about some topic. Some use the term "hacker" interchangeably with the term "engineer". I believe they are two very different terms. On this topic there is an essay that's worth reading.
One day, in my 8th grade, my Art teacher said: please do some research about this famous artist and cite the website you took the information from. The homework happened to be shared among the students, but without a website to cite. So I had an idea: just put all the answers on a website and use that as the reference. So lame, but so smart. At least that's what I thought. Today everyone can make a website, but that wasn't true 10 years ago, so it was kind of cool. All students got 8.5 out of 10 possible points and the teacher said that suspicious website wouldn't be accepted again.
Looking for a way to improve this idea, I created a website to bring all students together to share homework anonymously, even before Orkut became popular in Brazil. If Orkut didn't exist, I certainly would have created it. I remember how much I had to improve at that time. To protect the files uploaded by the students, I just set their permissions to 600 to prevent them from being accessed over the web. When someone wanted to download one, I set its permissions to something like 777, started the download, and reverted the permissions to 600. Then I understood that I could put the files in a folder not exposed by the Apache web server, and so on, but it was a start. One decade later and people are still leaking documents, as you can see with Google hacking. Try searching "ext:pdf CONFIDENTIAL" on Google and you'd be surprised by how many results show up.
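The lesson in that paragraph, as an added example that is not code from the original page: a download handler that keeps uploads permanently outside the web document root (no permission flipping) and refuses any request name that would escape the store, including symlinks. The directory layout, sample file and function names are constructed for this illustration.

```python
import os
import tempfile

# Constructed layout: uploads live OUTSIDE the web document root, so the web
# server never serves them directly; only this handler (the app) reads them.
def make_demo_store():
    root = tempfile.mkdtemp(prefix="homework-demo-")
    docroot = os.path.join(root, "public_html")
    store = os.path.join(root, "uploads")  # sibling of docroot, not under it
    os.makedirs(docroot)
    os.makedirs(store)
    sample = os.path.join(store, "essay.pdf")
    with open(sample, "wb") as f:
        f.write(b"%PDF-1.4 constructed sample")
    os.chmod(sample, 0o600)  # stays 600 forever; the app reads it as owner
    # A symlink inside the store that points outside must also be refused.
    os.symlink("/etc/hostname", os.path.join(store, "escape.pdf"))
    return docroot, store

def resolve_download(store, requested):
    """Map a user-supplied name to a real path inside `store`, or return None."""
    # The name is a key, not a path: reject separators and dot-segments outright.
    if not requested or "/" in requested or "\\" in requested or requested in (".", ".."):
        return None
    candidate = os.path.realpath(os.path.join(store, requested))
    store_real = os.path.realpath(store)
    # realpath follows symlinks, so an escaping link resolves outside the store.
    if os.path.commonpath([candidate, store_real]) != store_real:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate

def serve(store, requested):
    """Return the file bytes for an accepted request, None for anything refused."""
    path = resolve_download(store, requested)
    if path is None:
        return None
    with open(path, "rb") as f:
        return f.read()

if __name__ == "__main__":
    _, demo_store = make_demo_store()
    print(serve(demo_store, "essay.pdf"))
    print(serve(demo_store, "../public_html/index.html"))  # refused
    print(serve(demo_store, "escape.pdf"))  # symlink out of the store, refused
```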
First attempt: After working for a bit on Nube, I decided that I should try to start my own startup. At that time many group-buying companies were becoming popular in Brazil, such as Peixe Urbano, a Groupon copycat that was a huge success here but, like every group-buying company out there, ended up in bad shape after the bubble burst. They are still alive, but it's not the same thing.
At that time I didn't know that, of course, so I just followed some random instinct and decided that the future would be focused group buying instead of general group buying. I'd build one focused on food, because I love food, so it's a good rationale hehe.
Six months passed and I had built Dica Gourmet using PHP and PostgreSQL. Better UX than Peixe Urbano. Huge pictures of food. Amazing, but I needed to find partners and made one cold call in total. No success. I stopped trying to sell after that hehe. Lesson one: selling is hard. After that experience, a good offer came out of nowhere and I went back to work at a company.
Second attempt: two years later I started building an InfoSec-as-a-Service web app that would automate requests for many information security services. I was looking forward to it being useful as a frontend for a security consultancy firm. I finished it using PHP again, because I was so focused on learning security that I didn't study another language at the same time. However, in the end, I realized that it wasn't what I was looking for. I realized that I wanted to build a self-service web app that could make my life as a security consultant easier, which led me to the third attempt:
Third attempt: Gauntlet! One year after my last attempt, I embraced the challenge of running multiple scanners against a website and went all out. This is what I am currently doing. I've been writing a few posts about how it is going (here and here). I've never dedicated so much time to an idea like this before. It's been two years now. Part of it learning Ruby on Rails and AWS, part of it working for a payments startup, part of it teaching CSSLP and, of course, working hard and coding a lot most of the time. I also created FindMyEngineer in an attempt to have multiple products to minimize the risk, but that deserves an entire post of its own. Too many things happen at once for everybody, I guess.
This is such a polemic topic, but I'll keep it short as I don't have that much to say. Before achieving some popular certifications in the information security field (CISSP, CSSLP), many people told me how hard it was to get any of them. I saw that as a challenge, studied and passed. I didn't overthink this topic. In the end I learned a lot, although, as expected, only part of it can be applied to your day-to-day work. Still, learning more aspects of security that I hadn't worked with before gave me a broader vision of security itself, e.g., business continuity. If you're thinking of achieving one, consider what you'll learn rather than how your CV will look. They'll help you a lot and I'm very proud of achieving them. I've described my journey on how to achieve CSSLP here.
For CISSP I first took the 1-week review seminar; then, because I had just joined Walmart, I didn't study for the exam. At that time it was more important to study topics related to my job activities, e.g., Java, rather than hold any other certification. So I waited 8 months to start studying. Then I read the book I had for 4 months, practiced on some tests and passed. Many wait for the company to pay for the training or the exam ... but don't wait. Your career is yours.
Still, certifications are very good for proving part of the knowledge that a professional must have, in the security field for example, but if that's all, you have to study more. That's what I believe. For example, it's good if you know how to apply security to the SDLC, but it's great if you can actually apply security to the SDLC and have something to show. Theory supports practice. Practice supports theory.
Will add more content over time ...