Technical Challenges with Zencastr
00:00:06
riptide
Oh, see, I hit the intro button and I don't hear anything. Do you?
00:00:11
philbugcatcher
I heard it.
00:00:13
riptide
You heard it and I didn't hear it.
00:00:14
philbugcatcher
I heard the intro, yes.
00:00:15
riptide
What the fuck, man? Okay, as long as it's in there. I swear to God, man, I use Zencastr and I always reboot this Mac before I do it because I've had issues and, like, I just never know what to expect, man.
00:00:29
philbugcatcher
Have you rebooted this time?
00:00:30
riptide
I've had, say again?
00:00:33
philbugcatcher
Have you rebooted this time?
00:00:35
riptide
Always, man. I don't play around. But then it always tries to fuck me somehow.
00:00:40
riptide
Like, I don't know.
00:00:40
philbugcatcher
But is it solvable?
00:00:42
riptide
The worst thing, man, like with this whole podcasting thing, and I don't know what I'm doing, is like when you're mid-podcast and then like my power's gone out or something's gone wrong with the connection and then like trying to mash it up and like it's the biggest pain in the ass.
00:00:59
philbugcatcher
But is it solvable?
00:01:02
riptide
Uh, sometimes, yeah. Sometimes I've just kind of had to scrap it. And, you know, you don't want to talk about the same stuff for like 30 minutes. So I have some that are like, just, just unrecoverable, just in the graveyard.
00:01:15
riptide
I don't know what to do.
00:01:18
riptide
But, you know, overall, it's good. So
Introduction to Bounty Hunters Podcast and Grego AI
00:01:20
riptide
Anyway, so welcome back to Bounty Hunters. Fuck, that's a weird intro because I couldn't hear my music that gets me pumped. Welcome back to Bounty Hunters. We are sponsored by no one. Everyone pulled their sponsorships or else I wasn't getting paid anyway, so I stopped sponsoring. So I'll just shout my own company in here.
00:01:37
riptide
Grego AI, where we hunt all the bugs with the best AI out there. Um... I don't have a tagline because I just made that up, but it's pretty cool. We just launched our company and we hope to be the best in
Can AI Truly Hunt Bugs?
00:01:54
riptide
this space. And I'm never going to put a tweet out that just hypes up some bullshit like certain people with certain platforms talking about their AI bug hunters.
00:02:04
riptide
The only things you'll see from us are bugs we found confirmed with receipts that are legit. So... There will be no hype. I will not join the hype train.
00:02:16
riptide
It's the humble train because I know.
00:02:17
philbugcatcher
I like it. Yeah, and it seems like people are always overpromising and underdelivering. And it's refreshing to see someone doing the opposite.
00:02:30
riptide
I can't stand it. It pisses everyone off. And look, I've been through business school. I've been through all kinds of marketing, this and that. I get it. I understand it.
00:02:40
riptide
However, I'm not going to play that game. I just don't want to do it. So we're going to remain humble chads and humble AI.
00:02:47
riptide
Should rename it Humble AI.
00:02:49
riptide
But the goal is to create a business, make money, and secure the ecosystem and just help grow this thing that we
00:02:58
riptide
we engage with every day and make it safer. And I know that AI is a way to do it. And it's just, I mean, man, over the past six months, the shift, I mean, tell me on your side, like you've noticed this, right? Like the shift from, oh, it's not going to happen, to suddenly everyone's repping their AI, this and that, you see it getting better and better.
00:03:22
philbugcatcher
Yeah, yeah, I'm still skeptical, to be honest, about AI in general, not only for bug hunting.
00:03:32
philbugcatcher
But yes, I mean, it's a tool.
00:03:37
philbugcatcher
One way of seeing it is it's a tool. And people can find creative ways to use this tool. So there's value in it. There's obviously value in it.
00:03:49
philbugcatcher
But I don't think it's like a holy grail or something. Or like a silver bullet, like a magical tool that will show all of the bugs. I don't think that's gonna happen.
00:04:03
riptide
Not yet. Not yet. I'm very bullish on it.
00:04:06
philbugcatcher
Maybe not ever.
00:04:08
riptide
I don't know, man.
00:04:09
riptide
I mean, I could tell you kind of some of our experiences with it. And
AI's Role in Audits and Effectiveness
00:04:14
riptide
We've gone pretty hard into this space. And... we've gotten to a place where, as long... like when you have a normal audit, right? The client briefs you, he gives you all the materials that you need to know, all the docs.
00:04:28
riptide
And then he'll also tell you, hey, these are expected behaviors. These are kind of known risks we're willing to accept. And you have all this context. With an AI audit, you have to give it the same context. You have to assume that it needs to have all that information or else it can't come to the right conclusions.
00:04:47
riptide
But if you do give it that, we found that it's very, very, very good, and false positives, we've kind of fixed that. And it's just, to see it find things that you look at from a human's perspective and you think, huh, that is a very unique kind of attack path that I don't know if I would have thought of.
00:05:09
riptide
I think that's the really cool thing.
00:05:09
philbugcatcher
Cool. Nice.
00:05:15
philbugcatcher
I have a feeling that, like, everyone, every security professional, starts off as a skeptic with AI for bug hunting.
00:05:32
philbugcatcher
And then some of these try to build something and then you guys see something and you change your mind. So yeah, this is a pattern I have observed.
00:05:52
riptide
And I don't think anyone's solved it yet. That's the cool thing. It's like people say, oh, AI is going to find all the bugs. Well, you got to find the right approach that successfully does that. And we've seen prompting, you know, so many different ways to do prompts,
00:06:10
riptide
and you come up with different results, and people don't really understand how the AIs work in the first place.
Potential and Limitations of AI in Security
00:06:16
riptide
So I love seeing different implementations of finding bugs, like different architectures behind the scenes, interacting with the LLMs because you know people don't know which is going to find the bugs the best way. But I think as long as we get to that best approach through you know trial and error like everything, we get a better outcome for the ecosystem.
00:06:38
philbugcatcher
Agreed, agreed. One thing that I think about as well is, I think, like, even though I'm skeptical, I have no doubt that someone will eventually come up with an auditor, an AI auditor, that can find lots of valuable bugs.
00:07:06
philbugcatcher
And that is better than many very strong human auditors. But still, if we go back in time, I don't know, maybe a year or two, when people were not talking about AI for auditing so much, and if one person came up and said, hey, I am a genius, and that person, let's assume that they are actually a genius, and then that person says, I'm going to find all of the bugs and I'm going to take every other auditor's job.
00:07:43
philbugcatcher
There will only be me. This doesn't make sense because one thing that is important for security is that, taking a step back from finding bugs and stuff,
00:07:59
philbugcatcher
programs need to be flawless. It's not that you need to find the hardest or the most hidden bugs or the most severe bugs. You must find all of the bugs that would allow user funds to be stolen, and some other things, but mainly user funds to be stolen. And one thing that helps finding that is having different approaches. It's like the Swiss cheese theory, that you stack several layers
00:08:35
philbugcatcher
so that you reduce the chances of having a hole all through the layers. So I think when we have stronger, like, I don't know, maybe LSR level AI auditors, this will be one auditor.
00:09:02
philbugcatcher
And then we will have others as well, because even this one auditor that doesn't take weeks to do an audit. It does it in, I don't know. I don't know how long it will take to run it, but certainly not weeks.
00:09:21
philbugcatcher
And will probably not cost as much as a human auditor, but it will miss bugs. I don't think it's reasonable to ever assume that any tool or any human would be able to find all of the bugs, especially when we consider more complex systems, like systems that interact with one another and systems that...
00:09:50
philbugcatcher
they are live in real time receiving user input and things like that.
Why is Human Oversight Essential in AI Security?
00:10:02
philbugcatcher
I think we really need like an
00:10:07
philbugcatcher
like an army, like several professionals and AIs and tools and everything that we have, every resource that we can deploy to make sure that the system is safe or the systems are safe.
00:10:24
riptide
The final boss is guaranteeing no bugs, ultimately.
00:10:29
riptide
And if we could do that, yeah, that's the goal. But this kind of layered approach that you spoke about, that's kind of the methodology that we're all going by.
00:10:41
riptide
The flaw with that is these audits are priced like they're bug free, like they're guaranteeing a client a bug free outcome. If you charge $100,000 an audit and then your contract gets hacked,
00:10:58
riptide
well, the audit company is not liable. They said, hey listen, we can't guarantee that we didn't find all the bugs. Like, well, dude, that's a lot of money that we just paid you from our limited amount of funds that we have here. And we thought it was like, you got everything, you're the top name.
00:11:16
riptide
And when I heard stories like that, it really kind of pissed me off because this is another thing that we're disrupting is I tell other auditors this and I'm like,
00:11:27
riptide
Guys, this whole thing where you can make LSR rates on a weekly basis, you won't be able to maintain that going forward. I'll guarantee you that. AI auditing will bring that cost down when we can beat you on time and money and quality. No one's going to pay 20 grand a week. Like, those are the heydays of auditing. Unless you're guaranteeing a bug free contract, you can't charge that. Nowadays, it's just impossible. It's much different than it was six months ago and certainly a year ago.
00:12:05
philbugcatcher
That's a good point, but let's make a parallel here. Think about
00:12:14
philbugcatcher
public companies, publicly traded companies. Every quarter they get their financials audited by an accounting firm.
00:12:28
philbugcatcher
And the rates that the partners from these accounting firms charge are like 10 times the LSR rate.
00:12:38
philbugcatcher
And do you think that they guarantee that the audited numbers are correct?
00:12:46
philbugcatcher
No, they don't.
00:12:48
philbugcatcher
Because, like, if we think at it from a product point of view, this is a bad product, because it should guarantee.
00:13:01
philbugcatcher
It's not like, if I'm an investor, if I have a company and I have other people running this company for me and I pay an auditor to make sure that the numbers that the people that are working for me are reporting are correct,
00:13:17
philbugcatcher
and I pay, I don't know, $200,000 a week for a partner and his team to audit the financials. And I give them access to every number, every facility in my company.
00:13:35
philbugcatcher
I want them to assure me,
Auditing Industry's Flaws and Financial Parallels
00:13:37
philbugcatcher
to say, hey, I am 100% sure that these numbers are correct. But they do not deliver that. And I think that's a bad product. But at the same time, I think this is a natural limitation.
00:13:53
philbugcatcher
It's... I will...
00:13:54
riptide
It's the same thing.
00:13:55
riptide
They're doing the same thing. They're giving what they call a clean opinion, as you know from your past experience.
00:14:02
riptide
I worked in banking a long time and dealt with that a lot, where if a Big Four company says, hey, your books are good, it's just a clean opinion. And it basically means they've got the...
00:14:14
riptide
They've done all the research on their end and they're like, hey, you know, this looks pretty good. But there's no guarantees.
00:14:25
philbugcatcher
Exactly, there's no guarantee. And every year we have several cases of fraud in publicly traded companies. So I think we can use this as a comparison. Every year we have big hacks on protocols on the blockchain.
00:14:44
philbugcatcher
Even though many of these protocols have been audited before, many of these protocols had put bounty programs up before, and they get hacked, even though honest and hardworking and intelligent auditors look at their code. But sometimes it's not completely flawless and sometimes black hats find things.
00:15:06
philbugcatcher
So yeah, I think this is, I see this as the nature of the business.
00:15:17
riptide
But I see it changing. There's no way it doesn't change. And I think it's much easier to use your public company comparison. Imagine you worked for General Motors, right? You're the CFO.
00:15:29
riptide
And you have to sign off on the financial statements. And you have to do your own research. You have to reconcile everything and do the best of your ability. And you get an audit firm and everything.
00:15:41
riptide
But that is a massive corporation. And here's the thing. With many, many humans involved, and legacy processes. And you could just imagine, like, even with AI that runs this whole thing, who knows how many things are, you know, paper invoices and this and that. So there's a lot of things that can just make it so it's not 100% accurate.
00:16:04
riptide
Whereas in the blockchain, everything is digital. Everything is 18 decimal places, and you would think that this environment is just ripe for the right AI to come in. And we need to find a way to be able to prove
00:16:22
riptide
that, hey, this is 100% bug free. And I think, I mean, the closest thing I could think of, trying to not do that explicitly, but like you work at Certora, right, the prover, and you're able to kind of prove these things, which is cool, but we all know the limitations on that if the right things aren't being proved and, just like, the right tests aren't being created for a protocol.
00:16:47
riptide
But it's a step in the right direction. If we could find a way to just somehow prove, like, with absolute truth, and I'm sure some big brain will find that out, like a way to mathematically do it, like, hey, it's bug free.
00:17:00
riptide
That would just be such a game changer with this whole space.
00:17:06
philbugcatcher
Fair point.
00:17:08
riptide
However, dude, even if we had that, even if we had this, right?
00:17:12
riptide
Some human, so I'll blame it on a dev. They'd be like, you know what, man?
00:17:17
riptide
We got to push this update. I just, new feature. I got to put, the users are asking for it. We got to push it. And it's always the human link, man. And it'll be some bug hunter, like white hat mage or something.
00:17:30
riptide
He'll have a proxy alert and he'll be like, oh yeah, I've been watching this one.
00:17:34
riptide
I knew it. Ha, ha, ha, ha.
00:17:38
riptide
You'll always need these guys, man, because humans just fuck it up.
00:17:42
philbugcatcher
Yeah, that's the thing. That's the thing. And another thing is, I agree with you with the point that you made, but I think this is mostly true when you think of smart contract implementations and blockchain implementations, because you know how they work. You see their code and they will behave as the code says.
00:18:05
philbugcatcher
But these are not the only attack vectors for protocols. And these are not the only things that we look at when we audit protocols.
00:18:15
philbugcatcher
So we have governance, we have admin powers, and we have teams with multisigs. So out of scope, yeah.
00:18:27
philbugcatcher
But they can still cause loss of funds.
00:18:30
riptide
Absolutely. Absolutely. I always think back to Tapioca, Tapioca DAO, audited by everybody. And then what happened? Private key compromise.
00:18:42
philbugcatcher
Yeah, yeah, exactly.
00:18:45
philbugcatcher
Exactly. So how would an AI solve that?
00:18:50
riptide
Oh, that's a thing, yeah. Well, though, you...
00:18:51
philbugcatcher
Because you need to have a human to sign the transaction. Like, all right, unless you, yeah, you might have an AI to review every transaction, but I don't know. I don't know.
00:19:04
riptide
Are you talking like an ongoing monitoring type thing?
00:19:05
philbugcatcher
I don't think...
00:19:08
riptide
How would that solve it?
00:19:10
riptide
Like ongoing security protections? Like if you had, like you said, a malicious transaction was signed?
00:19:17
philbugcatcher
Yeah, if we can, I don't know. I don't think that's a solvable problem, to be honest, because I think the only way to ensure would be to take the authority away from humans, because humans can make mistakes and they will make mistakes. So, all right, you take the private key away from the humans.
00:19:38
riptide
The caveat. Right.
00:19:42
philbugcatcher
You store it in a safe AI, or let's assume we have a perfectly safe program
00:19:49
philbugcatcher
that you can speak to this program, ask this program to do things. And then they will do these things for you as long as it doesn't hurt users or something, as long as it doesn't make you lose funds or something.
00:20:10
riptide
Why do I feel like we're we're a long way from that?
00:20:12
philbugcatcher
But no, I don't think that's a good outcome.
00:20:19
riptide
Why not? Trusting the AI?
00:20:22
philbugcatcher
Losing your freedom.
00:20:24
riptide
Yeah, I agree with that.
00:20:25
philbugcatcher
I want it, I want to operate myself. I want to make my transactions. I want to choose exactly what I do when I do it myself.
00:20:38
riptide
Yeah, you want to make the decision, not the AI.
00:20:43
riptide
Yeah, and you may make a mistake, but hey, yeah.
00:20:46
philbugcatcher
Exactly. And I have this, and I'm more like, I'm picturing a persona.
00:20:58
philbugcatcher
It's all like 100% my personal opinion. I'm always willing to change my mind. So who knows what will happen, what new products we will have in the future.
00:21:10
philbugcatcher
So I might change my mind about this, but think of this persona, think of the person who thinks that way. That person might be a signer for a multisig for an important protocol.
Human Accountability in AI Systems
00:21:26
philbugcatcher
This might be the culture of one of these protocols.
00:21:29
philbugcatcher
And I don't think this is necessarily like a wrong opinion of the person wanting to have that direct access.
00:21:39
riptide
No, I think it's a valid opinion. And I think ultimately you hold someone responsible for it, right?
00:21:46
riptide
If you don't have, it's just like self-driving cars or something.
00:21:49
riptide
Like if you're not signing the TX, then, well, who is? And who do you put the blame on?
00:21:57
riptide
Say that causes a loss of user funds because, you know, the AI... I mean, God, we're not talking about right now. You see so many horror stories like, oh, Claude Code deleted my repo without asking or something like that.
00:22:10
riptide
But I mean, you have to have some human as a responsible party. So ultimately, there's consequences that can be felt as a result of an action. If you just have an agent doing everything, yeah, there's issues with that.
00:22:25
riptide
Where are the repercussions?
00:22:25
philbugcatcher
Yeah, and also, how do you ensure that your agent is safe?
00:22:30
philbugcatcher
Like, I have followed some accounts on X that are AI breakers. Like, what they do is that they figure out a way to break AIs.
00:22:41
philbugcatcher
Yeah, me too.
00:22:41
riptide
You follow Pliny the Liberator?
00:22:43
philbugcatcher
Exactly, this was the person that I was thinking about.
00:22:44
riptide
Oh, he's the best.
00:22:48
philbugcatcher
Have you seen what he did with Grok a few months ago?
00:22:50
riptide
I just saw it. Yeah.
00:22:51
philbugcatcher
That was crazy. That was crazy. He broke Grok. He broke Grok, like 100%, like on... yeah. So can you really trust that, like, as your only layer of protection?
00:22:52
riptide
Yeah. He blows my mind.
00:23:00
riptide
He breaks everything. He breaks them all.
00:23:16
philbugcatcher
Because if we are talking about AI, like a super powerful AI auditor, like going back to where we started this part of the conversation, I think the summary is, yes, AI is a wonderful tool. We don't know,
00:23:40
philbugcatcher
I think, we think, we will be able to eventually do wonderful things with it, even more wonderful things than we are able to do with it today. But it's not like it will replace human auditors entirely. I think the things will coexist.
00:24:00
philbugcatcher
And depending on the market, we might have a smaller market for humans, depending on the market, because...
00:24:06
riptide
Their prices will come down.
00:24:09
philbugcatcher
Or not. Because let's say that you can get rid of... All right, let's say that we only need humans to find
00:24:21
philbugcatcher
super difficult bugs, extremely hidden bugs that the AI cannot find, and those bugs that currently only top security researchers can find.
00:24:35
philbugcatcher
If you are one of these top security researchers, I don't think there's a reason for you to lower your rate. Because from a protocol perspective, they need the code to be flawless.
00:24:50
philbugcatcher
They cannot, like, it's not like, okay, I will use this AI tool, it will cover 99% of the possible bugs in my code. 99.9% of the possible bugs in my code. The protocols cannot afford to not have that 0.1% coverage.
00:25:11
philbugcatcher
So they need that auditor, and that auditor who covers the blind spots of the AI, in my view, that auditor is super valuable.
00:25:26
riptide
Oh, absolutely, absolutely.
00:25:27
philbugcatcher
So that's my theory. I think it will become increasingly more difficult for new researchers and for the ones that have not developed their skills yet. And I think nowadays, like,
00:25:43
philbugcatcher
A year ago, I was trying to convince all of my friends to become a security researcher. I told them, hey, this is the best industry ever. I would tell them and try to convince them to become security researchers. It's hard in the beginning, but for smart people, the beginning is a short period. So if they hold on for a few months,
00:26:10
philbugcatcher
they can become good security researchers and then things get much easier. I was trying to convince everyone. Nowadays, when people come talk to me about it, I don't really incentivize them to follow. Like, I help, I provide support, but if they ask me, like, do you think this is the right move?
00:26:36
philbugcatcher
Nowadays, my answer is, I don't know.
00:26:39
philbugcatcher
Because there are not as many contests as there were before. There's more competition in... I have a feeling that there are always more stories of auditors getting wrecked, of doing work, finding valuable things and not getting paid for it.
00:26:57
philbugcatcher
So, and I feel like all of these things are worse now than they were a year ago. And if we start getting stronger auditors, it will probably become even more difficult for this part of auditors that are still developing their skillset.
00:27:24
philbugcatcher
So probably,
00:27:24
riptide
Absolutely, yeah.
00:27:26
philbugcatcher
Yeah, and this is something that is happening with software engineering as well right now.
00:27:32
philbugcatcher
So this is, yeah.
00:27:32
riptide
Yeah, this is interesting. It's really cool seeing, you know, there's two different ways to look at this, I think. One is you're scared. And the other, you see it as an opportunity.
00:27:44
riptide
And maybe it depends if you're a pessimist or an optimist. But I look at everything, like change and everything, especially having been in crypto so long, I'm used to this rapid change. You know, I'm seeing the change in auditing and bugs and, you know,
00:27:58
riptide
the contests and everything, and it's not what it once was, right? And is it still a place to make money? Yes, but it's been saturated a lot and it's harder to get people to pay and there's so many more challenges now. So you just have to say, okay, well, this has been saturated, especially Solidity. How do you move to the next, you know, the next opportunity? Well, logically, I said, okay, well, AI looks like a strong player here and we're able to come up with something.
00:28:27
riptide
But I would also tell guys, like, just don't do what everyone else is doing, man. I mean, focus on some language. I would say don't even do Solidity. Like, know how Solidity works, this and that, but use AI to your advantage, okay? And then look at things that...
00:28:43
riptide
maybe no one's looking at or there's a few eyeballs on it. That's what I've always said, man. Like, I tell people my weird methods of finding bugs. Like, I grab a block in the blockchain and just look at transactions, because you could find things that aren't on bug bounty platforms that you'll still get paid for. Like, there's, I don't know what the number is, but it's millions and millions of contracts that are out there.
00:29:05
riptide
And that's just Ethereum.
00:29:06
riptide
And they're on all these cool chains. And, like, there's so many things to look at. Just don't go to Immunefi and just look at the, you know, the protocols up there. Don't go to HackerOne.
00:29:17
riptide
Just look, man. Just look around and you'll find something. And if it's interesting to you, dive in. And if it's like a hard language or math intensive, man, do it. Use AI to help you with it and understand it. And maybe you find something, but you have to look at it as, like, it's a changing industry and you either adapt or hit the road.
00:29:40
riptide
There's nothing else I can tell you.
00:29:42
philbugcatcher
Agreed, 100%. Yeah. And also, on this...
00:29:52
philbugcatcher
On this... I think there's a very valuable lesson in that, that professionally, like on a more, almost personal level, I, since the start of my career,
00:30:07
philbugcatcher
I have positioned myself as a generalist and a problem solver. So when I shifted gears one and a half years ago to become a security researcher,
00:30:24
philbugcatcher
I had never had any exposure to code, to any language. But still it felt like a natural move for me to go from doing corporate finance and doing management consulting, which sounds a lot different from security research, but it still felt like a natural move for me to go from that other place to security research.
00:30:56
philbugcatcher
Because I see myself as a problem solver and I try to solve difficult problems always. And when you do that, when you are that person, when you are a problem solver, there will always be problems to solve.
00:31:16
philbugcatcher
And the more difficult the problem is, the lower the number of people in the world that can solve that problem. So...
00:31:27
philbugcatcher
So, so yeah, career advice. Try to be a generalist. Position yourself as a problem solver, solve difficult problems.
How Should We Adapt to AI Changes in Industry?
00:31:40
riptide
Insert AI on that now.
00:31:40
philbugcatcher
Yeah, 100%.
00:31:42
riptide
Like this this is so recent, man.
00:31:43
philbugcatcher
One hundred percent. Yes.
00:31:45
riptide
Like we're still all adapting to this and some are adapting faster than others, but you have to take what you just said and say, all right, yes. How does that apply now with AI? Like how can I still beat the competition?
00:32:00
riptide
while using my own strong problem solving abilities plus AI. So I can beat this guy and earn more money or whatever you wanna do, you know. And that's the thing, like everyone's trying to figure out the right way to leverage that using their own human brain as well, which is so cool to see, my guy.
00:32:21
riptide
I mean, you can't even keep up. It's just, it's wild, man.
00:32:23
philbugcatcher
Yeah, you can't even keep up, that's it. Yeah, yeah.
00:32:26
riptide
Mm-mm. It's impossible. You got to pick, I'd say this, like pick one area and focus on it. Like, don't go on X, man. And like, I saw your comments on X recently, how the algorithm's getting shitty, and I kind of agree, but I realized, like, when I'm scrolling through there, even before he changed it and everything, I'm like, this is kind of like,
00:32:49
riptide
like, I try not to look at the news at all because it just pollutes my brain. And I'm looking at X and I'm like, what is the difference here? Am I really staying up to date on what's happening in the ecosystem? Maybe there's some hacks in that.
00:33:02
riptide
But a lot of it's just kind of like, I stepped away today and I'm like, I don't know if this is that valuable for me to really be on this platform that much at all.
00:33:13
riptide
Do you feel that way?
00:33:16
philbugcatcher
I feel the same way, yes. And it's addictive.
00:33:19
riptide
Oh, it's so addictive.
00:33:21
philbugcatcher
Super addictive.
00:33:23
riptide
I don't have the app installed. If I go to it, I'll just have it on the web browser on the phone so it sucks really bad.
00:33:29
philbugcatcher
Yeah, yeah, it sucks. So yeah, I'm the same. I uninstalled the app. But I use it on the browser and it's terrible.
00:33:43
philbugcatcher
So I end up spending less time than I used to, but I still do spend some time there.
00:33:49
philbugcatcher
I don't know why.
00:33:50
riptide
the The goal of that for me was like to kick me off my phone. Like I got this black and white phone. I just don't want to use the phone because I have kids and I just hate it pulling me away from anything.
00:34:00
riptide
So I forced myself to go sit on my office chair at the laptop if I want to do anything. So it's kind of uncomfortable and you're not just sitting on the couch scrolling.
00:34:09
riptide
Like I'm here in the office. I'm either doing work or I got to come up with some excuse for sitting in this stupid chair rather than, you know, a phone will suck you in. So, yeah.
00:34:20
riptide
um i But I pulled a tweet that you, I think you retweeted or you tweeted it. And i thought it was really cool. I'm going read it. it's So I think you retweeted. It says, it's simple. If you're a guy and do not and do not taking massive risks, you will end up with a mediocre life.
00:34:38
riptide
Either create the life you want or live the life the system created for you. And what a banger of a quote, man. Do you think many people understand that?
00:34:48
philbugcatcher
This is a good one. Nope.
00:34:52
riptide
When did you say, hey, I'm quitting being a management consultant and I'm just going to do my own thing? Do you feel like you were a robot?
00:35:03
riptide
Like you felt like you were going to get exactly what everyone else got?
00:35:08
philbugcatcher
So it was not entirely my choice, to be honest. I don't remember if I have written about it, but let me tell you the story of how that happened.
Personal Career Transitions in Tech
00:35:25
philbugcatcher
So I became a management consultant in 2017,
00:35:32
philbugcatcher
at the biggest firm, at McKinsey, the most prestigious firm in the world for management consulting.
00:35:41
philbugcatcher
And I worked there for four years, and then the pandemic came. My work involved a lot of traveling, and traveling was important for me personally because that work was super, super stressful.
00:35:54
philbugcatcher
And traveling all the time, getting to know different places, and living for a few weeks at a time in different places, this was what made that work pleasant for me.
00:36:12
philbugcatcher
Because yes, I was working 12 or 14 hours a day sometimes, most days.
00:36:21
philbugcatcher
But I was doing that in Japan. I was doing that in a village in France. I was doing that in New York. And it would change a lot. So that was exciting for me. And then the pandemic came and I had to work from home, but management consulting works in a way that you must go to where your client is. You cannot do that from home. There's even a movie about it with George Clooney and Hathaway
00:36:57
philbugcatcher
that kind of illustrates this thing. So I was in a country where the economy wasn't so good. So every project, every client in that country, they only wanted cost-cutting projects and projects to lay off people. And this is not the type of thing that I enjoy doing. And McKinsey had a policy back then that people could not travel. So that was the only thing that was available for me. So I decided to quit.
00:37:29
philbugcatcher
And then I became an independent management consultant. I had lots of clients and lots of people that I came to know throughout the years, colleagues, clients, and random people that I knew. So I had my clients, and then I became an independent management consultant. And I started traveling again and working for these clients when their countries' travel restrictions allowed.
00:38:00
philbugcatcher
So I did that until 2024.
00:38:06
philbugcatcher
And by the end of 2023, one of these clients, a client that had hired me several times, these were all short-term projects, like a few weeks, four weeks, six weeks, eight weeks. And there is one client that I did several projects for. And then we started discussing me joining them full time. And this involved me moving to their country.
00:38:40
philbugcatcher
And we had that aligned, and then by early 2024, my wife got pregnant, and then I thought I don't want to move to their country anymore. So I spoke to them and I said, I don't want to move anymore.
00:39:01
philbugcatcher
Does that work for you? Because if it did not work for them, I would probably move. And then they said, no, it's fine. It's okay. Don't worry. And then a few months later, all of a sudden, I got a call with the CEO. Like, I woke up. I was further west from them, so I was four hours ahead on the time zone.
00:39:29
philbugcatcher
So I woke up, there was an email, like at six in the morning, with an invite for a meeting with the CEO at nine in the morning.
00:39:39
philbugcatcher
I joined the meeting and the CEO said that I was fired, because they have a new policy and everyone must work from the office. They will not have anyone working remotely, and that's it, I have to go.
00:39:57
riptide
Now, let me ask you, did you, while you were on your severance, did you try to get more consultant jobs or did you make the bug hunting switch?
00:40:08
philbugcatcher
So...
00:40:13
philbugcatcher
So two things happened. At first, I thought, fuck, how am I going to pay my bills? And I had a pregnant wife, like five or six months pregnant already.
00:40:30
philbugcatcher
So I went into searching mode. I started trying to think, what am I going to do? And tried to decide what I was going to do. So I considered getting a job, like a full-time job.
00:40:48
philbugcatcher
And the way I do it is I go to my network. I go to the people I know and people that know me, because I think HR in general sucks. So really the best way to get a job is to speak to people that know you professionally, that know that you are a good, strong professional. So I did that. I went to speak to my network. And then my network, these people, they are my friends, like not super close friends, but friends. So I tell them that my wife is pregnant and they are happy about it. But then they tell me, hey,
00:41:25
philbugcatcher
I cannot hire you now, and then in three weeks you go off on parental leave.
00:41:31
riptide
You shouldn't have told them.
00:41:33
riptide
They don't give a fuck, man. It's all about the dollar.
00:41:35
philbugcatcher
Yeah. But I told them. I had told them.
00:41:41
riptide
You're an honest guy. Phil the bug catcher, very honest.
00:41:44
philbugcatcher
I learned my lesson. But yeah, so that was not an option.
00:41:52
philbugcatcher
What they told me is, come speak to me again in six months, after your son is born and you spend some time with him as a newborn, and then come speak to me again.
00:42:03
philbugcatcher
So that was not an option at that time. And continuing as an independent consultant was not an option as well, because of travel,
00:42:14
philbugcatcher
because the job requires constant travel. So I decided to become an investor in cryptocurrency.
00:42:24
philbugcatcher
I didn't have...
00:42:25
riptide
What was that about?
00:42:25
philbugcatcher
I have...
00:42:26
riptide
Wait, what year? What year are we in right now?
00:42:35
philbugcatcher
Between April... This story that I'm telling is between April and July 2024. Because...
00:42:42
riptide
Okay, I'm just trying to think where the market was at that point.
00:42:45
riptide
Was it a bull market?
00:42:46
philbugcatcher
Kinda, but I didn't have this perception back then.
00:42:54
philbugcatcher
But what I have done, as a consultant, I have done lots of things related to trading, and quant trading, and things like that, and arbitrage things, all for TradFi.
00:43:17
philbugcatcher
And I thought, I'm gonna do that for myself in Web3. So I started studying and I thought, okay, I'm gonna build an arbitrage bot.
00:43:30
philbugcatcher
I started this way. And I bought a scam course for like $500 about it.
00:43:37
philbugcatcher
And I had it in... it's a program. It's different in TradFi. This is not how this is done. You don't necessarily need to code your program.
00:43:47
philbugcatcher
It's more like you design your strategy. And I have designed so many strategies, strategies that I know work because I designed them for my clients, and the clients made money with that, and they hired me again to improve it and to build new things. So this is something that I'm used to doing. And then in Web3 it's much, much closer to the code. Like, the code is at least as important as the strategy itself. And
Embarking on Solidity and Security Research Journey
00:44:17
philbugcatcher
so I realized it and I thought, okay, so I need to know how to read these programs.
00:44:22
philbugcatcher
I need to learn how they work, and they're in Solidity. So how do I know Solidity? Then I found Patrick Collins, watched his videos, based Patrick Collins.
00:44:33
riptide
Based Patrick Collins. Look at that. Shout out to Patrick. Had him on here.
00:44:37
philbugcatcher
Yeah, nice.
00:44:41
philbugcatcher
So I was watching his videos and I thought, oh, this is difficult. This is not something that I will learn, like, I don't know, in a week.
00:44:52
philbugcatcher
This will take longer. And he talks a lot about security. So I thought, okay, this is what I'm gonna do. I'm gonna become a security researcher for a short period of time, until I can learn how to read and how to write
00:45:11
philbugcatcher
this language so that I can build my things. But in the end, I found out that I love doing security research, and then I decided to continue to be a security researcher.
00:45:26
riptide
And why, like, why did you, because initially you said, hey, I'm going to make an arb bot, I'm going to do trading. And then you move into Solidity. Like, did you look at bounties and think, oh, there's some big money out there? Did you see what auditors were getting paid? Like, why were you, or did you just mentally say, wow, finding bugs is really cool?
00:45:52
philbugcatcher
Finding bugs is really cool. Because the other reasons, they would tell me to do otherwise.
00:45:58
philbugcatcher
Like, one thing is that I was never impressed with the money in the industry. Because people in management consulting and people in banking, in investment banking, you make so much more money.
00:46:14
philbugcatcher
It's ridiculous. What, what
00:46:15
riptide
Back in the day, yes. Now, no.
00:46:19
philbugcatcher
Oh, now they do, now everyone.
00:46:22
riptide
No, no way, man. We're not talking, like, pre-financial crisis. Back in the day, you could make uncapped. So many regs came in on the banking side, is all I can speak for.
00:46:34
riptide
But nothing comes close to, like, boom, you got a million dollar bounty in the day. I always saw that, that was wild, man. The wild west of Solidity, seeing these guys take home some major paydays.
00:46:48
philbugcatcher
Yeah. Like, if you go back a few years, $10 million in a year in bounties, this is a lot of money, even for those other industries.
00:47:02
riptide
Oh yeah, it's huge.
00:47:03
philbugcatcher
But nowadays, a few million, like $2, $3 million per year, like, this is a lot of money, but you can do that in other industries.
00:47:19
riptide
At least you say it's a lot of money.
00:47:20
philbugcatcher
Yeah, or do not wish for a mansion, do not wish for, I don't know, a house in the Hamptons.
00:47:22
riptide
You've been hanging around crypto Twitter too long. One, 10 million, not enough. It's like, dude, that's a fuckload of money, man. Maybe don't live in New York. Don't live in Miami. Yeah, it's a lot of money.
00:47:41
philbugcatcher
And things like that.
00:47:42
philbugcatcher
And you'll be fine. Yeah.
00:47:44
riptide
Yeah. Yeah, it's true.
00:47:46
philbugcatcher
But what made me stick to this industry is not having to talk to people as much as I used to. I used to have, like, 30 hours of calls per week.
00:48:03
philbugcatcher
Like every week.
00:48:05
philbugcatcher
And one thing that has always been the worst part of my job is, sometimes you have a problem that is super straightforward.
00:48:17
philbugcatcher
Like, there is not much to it, you have an objective answer to the problem. But then you have to convince people.
00:48:28
philbugcatcher
And some people are just not rational. And then everyone puts pressure on you, because you must do that, and that must be done.
00:48:43
philbugcatcher
But someone doesn't think that way. Yeah.
00:48:49
riptide
But economics told me that everyone was a rational actor.
00:48:53
philbugcatcher
Yeah, yeah, yeah.
00:48:56
riptide
Dude, I tell you, the biggest thing, I'm with you. Like, in banking, you'd have client calls, like, you're always on calls, right?
00:49:04
riptide
I had a similar path. Like, I got laid off during COVID, went into crypto. But I loved just not having calls, not having to talk to anybody, doing everything online.
00:49:16
riptide
And then, you know, we're raising for this company and I had to get back in that mode. And it was so difficult. Like, I had to book calls. I had a calendar full of calls. I was like, oh my God, I remember this shit.
00:49:28
riptide
Oh, it's a big shift.
00:49:29
philbugcatcher
Yeah. I'm going through this right now. So right now I'm still a security researcher. I'm still auditing code, but I'm also building a product.
00:49:43
philbugcatcher
And going back to that mode, it's, yeah, it's a challenge.
00:49:49
riptide
Can you tell us about it? What are you building?
00:49:51
philbugcatcher
Not yet.
00:49:52
riptide
Okay. All right. Top secret.
00:49:54
philbugcatcher
Yeah, but soon.
00:49:55
philbugcatcher
Yeah, yeah, yeah, soon.
00:49:55
riptide
Soon. Cool. Very cool, man.
00:49:59
philbugcatcher
But yeah, like, so being able to work from home, and then, all right, there are challenges to that. I do not always work from home. I
Balancing Blockchain Security Work and Life
00:50:10
philbugcatcher
have an office in my house and I have an office outside of my house, for
00:50:17
philbugcatcher
when I cannot work, like when there's too much noise at home or when my son wants to come to my office too much. Sometimes I go to my other office. But being able to, whenever I want, work from home, and being close to my son, and working on my own time, because that's the thing. Like, when I only have code to review and find bugs in, it doesn't matter if I do it at 9:00 in the morning or at 2 a.m.
00:50:52
philbugcatcher
So having the flexibility to... it requires, what's it called, I forgot the word... discipline, yes. It requires a lot of discipline, otherwise you're fucked, because it's not like other things. So in my old job, sometimes I lacked discipline, I'll be honest. But if you have a presentation, it's feasible to
00:51:00
riptide
Discipline? Yeah.
00:51:19
philbugcatcher
come up with an entire presentation overnight, but you cannot come up with an audit overnight. It takes time. So the discipline part is much more important in auditing. But still, sometimes, I don't know, sometimes it's a sunny day, and me, my wife and my son, we go to the swimming pool and we spend an hour or two, and then I go back home and I go back to my auditing.
00:51:49
philbugcatcher
And if I didn't put in as many hours as I wanted during, like, normal working hours, it's okay. Like, after my son goes to sleep at seven or eight p.m., I come back to the office and work more later. So having this flexibility. And it's not that I do not want to speak to people. It's more like, when speaking to people, you have to be respectful of their time. So it's not like you can just say, oh, I want to go to the swimming pool with my son. Sorry, I will not be able to join this call. Can we talk at 8 p.m.?
00:52:23
philbugcatcher
No, that's not a thing.
00:52:25
philbugcatcher
That's not possible. So having this flexibility was what drew me to Web3 security. And then also the fact that the work is much more objective, and there is usually less ambiguity to it.
00:52:43
philbugcatcher
This is something that I enjoy as well.
00:52:47
riptide
Yeah, I mean, God, there's so many perks to doing what we do. I think the coolest thing is, like, all right, everyone's on Telegram, for what it's worth, right? But everyone's living everywhere and you don't know where people are.
00:53:00
riptide
So if a message is unread, like, say you just don't feel like responding, no one cares, because no one knows where you are anyway. They don't know if you're asleep or whatever. So, and it goes both ways, but it's like a no-pressure situation. Unless it's a few days, then obviously, you know, respond. But it's a no-pressure situation rather than the corporate lifestyle, where everything's scheduled. And this flexibility is a problem, though, because, like, we were trying to get some SRs on our side for the company,
00:53:33
riptide
and you try to pull people in who are used to having this kind of, like, no-commitment schedule. Hey, when I find a bug, it pays the bills, and the other time I'm just going to do whatever I want. It's a tough lifestyle to pull people away from and say, like, hey man, come on. Yeah, but I think we have a great job, and
00:53:47
philbugcatcher
Yeah. Yeah.
00:53:56
riptide
I think, well, yeah, the good guys will find ways to keep doing what we're doing. Maybe we'll adjust in certain ways.
00:54:02
philbugcatcher
I hope so.
00:54:03
riptide
Yeah. I mean, smart guys will make it. When you start seeing the lower-hanging fruit completely wiped out and new entrants having trouble coming in, there's always new innovations and new things that happen. And you just have to change with it. That's it.
00:54:22
riptide
That's all we can do.
00:54:24
philbugcatcher
Yes, yes, yes.
00:54:24
riptide
That is it, man. Well, Mr. Phil, we are at about an hour. I usually cut it here, but I really appreciate you coming on the podcast. Fantastic to have you on.
00:54:35
riptide
And we will see everyone next time on the blockchain.