Meet Nerdwell: A generalist who isn’t afraid to dig deep
Nerdwell is a father first and full-time professional second. As he currently works in critical infrastructure protection for an electric utility company, hacking is just one of his many hobbies. Furthermore, Nerdwell enjoys “making” as much as “breaking” (i.e., hacking). He says, “I’m always working on a variety of side projects, such as building custom gadgets or home improvements.” Read on to learn about his journey from IT professional to successful hacker, an inspiration for new and experienced hackers alike.
How it started
Nerdwell started his career in IT straight out of high school, building his foundation through industry certifications before earning a bachelor’s degree in IT security. In forging his professional career path, he has conquered networking, firewalls, VPNs, and later application development. This naturally led him to cybersecurity. Since beginning bug bounty hunting in December 2018, he has been amazingly successful, particularly on the Bugcrowd platform.
His approach to hardware hacking in particular stands out, as it combines both the “making” and “breaking” perspectives. “I’m a big proponent of building one’s knowledge from both the ‘making’ and ‘breaking’ sides of things,” he says. “I’ve found that, in most fields, the individuals who build systems, devices, and things also have the greatest insight into the weaknesses and vulnerabilities of such systems, devices, and things.”
Nerdwell not only gives a lot to the hacker community in the form of education and resources, but he has also benefited from the incredible kindness hackers are constantly exemplifying. He states, “I have definitely learned a ton from the community and I’m hugely grateful to all the other hackers that I’ve had the opportunity to work with and even meet in person. I’ve had a blast attending Bug Bashes and learned so much chatting with some of the heavy hitters, like @TodayIsNew, @Zwink, @bsysop, @Specters, and @BrandonReynolds, and seeing how they all approach challenges in unique ways.”
Regarding choosing a platform, he has this to say about Bugcrowd: “I was naturally drawn to Bugcrowd because its web presence felt more professional and well-developed than that of some of its peers. Over time, Bugcrowd has continued to draw me to its platform by being an innovator across the board—in terms of the security solutions it provides to end customers, the training and opportunities it offers hackers, and the practical things, like paying out early and often.”
How it’s going
When it comes to technical specialization, Nerdwell favors a broad approach to expertise. “I’ve always strived to develop my skillset to be both as broad and as deep as possible,” he explains. “I’d say I’m a strong generalist and then I dive deep based on the demands of work, so I’ve specialized in a lot of things over the years. I’ve done a ton of work with network security, enterprise environments, web applications, mobile applications, and hardware hacking.”
“It’d be difficult to overstate the impact that bug bounty has had on my life,” says Nerdwell. “In addition to all of the amazing opportunities that it’s given me to work on unique and interesting projects, it’s also had a huge impact on me financially. I went through a very nasty (and costly) divorce several years ago that had me on the brink of bankruptcy. It’s through my work on bug bounty that I’ve been able to recover from that experience and get back on track to provide my kids with a comfortable future.”
Current threats to watch and the potential of AI
When asked about current security threats to keep an eye on, Nerdwell highlighted insecure deserialization as a particularly dangerous vulnerability class. “I’ve encountered numerous instances of this bug, and in virtually all cases, it’s led to critical (P1) remote code execution (RCE) findings,” he explains. “One thing that makes this vulnerability particularly troublesome is that vendors tend to take a ‘whack-a-mole’ approach to remediation rather than implementing more holistic solutions.”
The future of technology is coming at us fast, but Nerdwell sees significant potential in AI’s role in cybersecurity. “I’m a huge proponent of AI and constantly working to integrate AI into my own hacking and workflows,” he says. “Personally, I think it will be quite some time before fully automated systems replace human hackers, if ever.” He believes AI’s greatest value lies in its ability to complement human expertise: “A hacker might have insight into a potential novel attack vector. The process of recognizing these novel attack vectors lends itself to the creativity of the human mind. The hacker would then use AI to automate the process of refining that insight into a quantifiable bug pattern and to scour many targets for the new bug.”
The huge payoff potential of hacking crypto
Crypto is complicated, but Nerdwell encourages hackers to leverage that complexity to their advantage. He says, “When dealing with crypto, it’s common to encounter large blobs of seemingly incoherent data, be it crypto keys, hashes, or encrypted data itself. Also, system architects and developers have a tendency to put a lot of faith into crypto, sometimes overestimating the protections that crypto can provide.” In such instances, Nerdwell offers the following advice: “One key to success when working on bug bounty is to look for areas of a target that other hackers have skipped or perhaps just don’t understand fully. This is one big reason why hacking crypto can be lucrative for bug bounty hunters. While it can be time-consuming to hack crypto, the payoff is usually huge.”
Hacking advice: From professionalism to tools
For new hackers, Nerdwell emphasizes the importance of taking action. “My biggest piece of advice for new hackers is to dive in and start getting your hands dirty as soon as possible,” he advises. “It’s very helpful (even essential) to start out with reading tutorials, watching YouTube videos, and reading published reports on the various bug bounty platforms. However, you can only learn so much by listening to someone else talk about their experiences; true learning starts when you synthesize that information with your own personal experiences.”
He also stresses the importance of professionalism on a platform: “Hackers will do well to remember that platform triage teams and customer security teams are made of people—people who are often overwhelmed by the volume of tickets and issues coming at them. With this in mind, take the time to write quality reports, triple-check reproduction steps, and stress test your own logic.”
When it comes to tools, Nerdwell keeps it old school. He says, “When it comes to hardware hacking, I’ve found it helpful to gain as low of a foothold as possible. In other words, aim to get as close to the 1s and 0s as you can. In some cases, that means tapping into onboard communication channels using my favorite tool, the Saleae Logic Analyzer. In other cases, I’ve had great luck pulling chips off of the boards and reading data directly using the Xeltek SuperPro 1600. More than anything else, I tend to rely on IDA Pro for hardware hacking because most projects involve code-level reverse-engineering.”
Impressively, Nerdwell also builds his own hardware devices. A couple of great questions he asks himself before beginning a build are, “If I were going to build this system, how would I do it, and what challenges would I encounter?” His experience has also taught him that, “by iteratively working on both forward-engineering and reverse-engineering projects, it helps the hacker to refine/deepen their existing skillset and expand knowledge/skills in a manageable way.”
After that, it’s as simple as building basic gadgets using what’s available. “We’re fortunate to have easy access to system-on-a-chip (SoC) platforms, such as Arduino, ESP, and Raspberry Pi, which greatly reduce the barriers to entry in making hardware gadgets. A side benefit of taking on such projects is that they necessarily teach you about low-level protocols, such as I2C and SPI, which are also wonderful targets for hardware hacking.”
Incorporating automation to avoid burnout
Burnout is no joke and hits us all. Nerdwell takes a balanced approach to preventing this issue. “For me, hacking is the right amount of challenging and engages both the logical and creative sides of the brain, which all helps to keep it fun,” he says. “In my experience, preventing burnout comes down to the simple things—like getting enough sleep, eating well, exercising often, and maintaining a balanced lifestyle overall. Along these same lines, it’s helpful to pick a nontechnical hobby, such as a sport or another physical activity, which can serve as a valuable decompression outlet when you feel burnout start to creep in.”
Looking toward 2025, Nerdwell aims to enhance his workflow through automation. “One of my biggest goals for 2025 is to better incorporate automation into my workflows,” he shares. “I have a tendency to do things the hard way, which has its advantages, but there’s definitely a place for automation too. This year, I’ll focus on developing some custom automation tools to incorporate into my workflow, which will almost certainly leverage recent developments in the AI space.”
Check out Nerdwell’s latest piece on hacking crypto and follow him for more advice @TheRealNerdwell.