Interview: Shannon Morse

Courtesy of Shannon Morse

Courtesy of Shannon Morse

It’s time for another interview. This time, I talked with Shannon Morse, to talk about technology, cyber security, and being nerds.
Today, I’ve got an actual celebrity. Please welcome Shannon from Hak5, HakTip, ThreatWire, and a bunch of other projects. Thank you for agreeing to talk to me.

Shannon Morse
I’m not a celebrity! Haha 🙂 Hi! Thanks for having me!
Let’s start off with the basics. How did you get involved with Hak5?

Mutual friendship. There’s an online show up in Toronto called Pure Pwnage, that I would drive up to see whenever they hosted live events, back during my college years. The guys at Hak5 also used to drive up there to do a show called “Call for Help”, and they went to some of the live events for Pure Pwnage, as well. We met and totally hit it off, and although most of my friends thought I was somewhat crazy, I ended up moving into the HakHouse in Virginia right after I graduated.

At first I didn’t want to be on Hak5, but I was coaxed into it by my ‘now’ cohost, Darren [Kitchen, host and founder of Hak5]. Been doing the show since then! That was 8 years ago.
Darren is like the cool guy all of us nerds wanted to be.

I’m telling Darren you said that! He’ll love it. Haha.
Have you always been into technology and hacking?

Not hacking, but definitely technology. My dad used to bring me to a local computer store when I was a kid and he’d explain what all the parts did. He helped me build computers when I was young and he even had a PC in my room next to my crib.

Hacking was something I never thought I’d have the capability to understand, but the Hak5 crew showed me the light, so to speak.
Do you have any official training in anything, or has it all been learned on your own, or from your friends and coworkers?

The only training I’ve gotten professionally is from previous employment or school. I took a Java coding course in college (I don’t think that counts!) And I worked at a bank when I first moved to Virginia. They trained me on credit card processors and a bit of networking, so I learned a lot there. Otherwise it’s just been lots of bookworm reading and trying things on my own. If you can find a decent tutorial, the internet can be a great teacher.
Yeah. I think most of us have been sort of self taught. It wasn’t until the last… decade or so that I’ve seen non nerds get interested in cyber security. I know someone who is going to school for it, and has never used Linux before.

It helps to have cybersecurity so much more mainstream now.
Yeah. There have been so many attacks lately. It used to be just a dude attacking their former employer or something. Then there were a few teams who had political agendas. Then came full scale data breaches affecting millions. What are your recommendations for the average person on protecting themselves from these attacks?

My grandma recently asked me how I feel about that spat between the government and Apple regarding the iPhone in the San Bernardino, CA case. I told her that I didn’t think Apple should give out decryption information and she, as conservative as she is, agreed with me! I was floored by her response.

For Normies (not us hella-nerds): 1) Never use public wifi. 2) lock your devices with pin codes or passwords. 3) Use different passwords for all accounts.

Obviously there is a LOT more we can all do to protect ourselves but that’s the basic advice I give my family. They usually freak at the idea of different passwords for everything, but I’ve shown them how to set up a password manager and they usually find it to be fitting.
Do you recommend password managers?

Yes! Absolutely. That’s actually something that Darren and I disagree on. I use LastPass, even though they were purchased by (I think) LogMeIn. Used it for years. It’s consumer friendly and can be very secure depending on how you use it. I’ve tested KeePass and 1Password too, both of which I recommend.
I used to use 1Password, and switched to KeePass. Then KeePass was compromised. But I use randomly generated passwords, and I just can’t memorize them all. What about dual factor authentication?

2FA is a little harder for family to understand, but I generally tell people to use it if available. I wish 2FA was available on more platforms, for some banking sites and social networks. It is disappointing that it usually takes some kind of breach for a company to finally implement it.
I hate how it’s available on Facebook, but only if I have cookies enabled. I use incognito mode by default, so it doesn’t work. Speaking of banks. I try to change passwords once a year. For some idiotic reason, banks (or at least the banks I use) have the dumbest rules for passwords. You can’t use special characters, sometimes you can’t use too many characters. You’d think that they are the most important logins, and they should offer the best security.

When I worked at a bank, I had this older gentleman in the drive thru who requested a withdrawal. I asked for ID (I was new and it was protocol!) And he argued with me. One of our Managers came over and vouched for him. It pissed me off. I thought, what is the point of having protocol if you don’t follow it? I don’t care if you recognize him, he should follow the rules like everyone else.
Or at least expect YOU, as someone who doesn’t know him, to follow protocol. I think that’s the basic idea behind the USB Rubber Ducky. Humans are the point of failure.

YES. Humans are the biggest worry for SysAdmins because of the inherent trust people put in things and other humans. We automatically think that no one is up to no good. It’s why social engineering works.

The USB Rubber Ducky looks like a flash drive but can be coded to type anything into a computer faster than a human can type as soon as you plug it into a PC. It was featured in Mr. Robot because of the idea of inherent trust. People find a free flash drive, their first thought is to open it.
There’s a fine line between convenience and protecting yourself. Sadly, I think a lot of people err on the side of convenience. I love the Rubber Ducky. That’s how I found out about Hak5, and all of the great videos your group posts.

Even we as ultra-hyped-up-secure-paranoid folk sometimes err on the side of convenience. I used my fingerprint as an unlock on my phone, because it’s convenient. I do know that I shouldn’t, and I’m willing to take that chance. But in other cases, like using 2FA, I always err on the side of security.

We’ve found over the course of our podcast that there weren’t a lot of other folks doing what we do- we’re creating products for the InfoSec community, but we’re not just a brand for the experts, we are also trying to welcome beginners with easy to understand tutorials and shows.
What’s wrong with fingerprint scanners?

So fingerprints have to be legally given up to law enforcement, while PIN codes can’t. As of May, a warrant can be issued to make you unlock a phone with your fingerprint.
Ah. Bad times.

The Fifth Amendment protects you from turning over a password or pin.
You seem to act as the everyperson on Hak5. Asking the questions that beginners or intermediates would ask. Do you ever ask questions from Darren to which you already know the answer, on behalf of the audience?

All the time. And sometimes I get heat for it. I’ve read in the comments “she’s stupid, why is she asking that question”, to another person saying “thank you! That was exactly what I needed to know!”

I always stand by the newbies. You have to start somewhere with everything. No one is an expert in everything, and everyone has questions to ask. I always tell people that you shouldn’t be embarrassed to ask a question, because chances are someone else wanted to ask it too. Be confident for everyone and ask! You’ll be helping everyone. It’s the Watson technique. You have the expert, Sherlock, and his Watson, who asks the questions for the audience.
I thought so. You, in particular, show a lot of patience and explain things. I love how the programming has multiple options for people with varying degrees of knowledge. Plus you all seem to have a great chemistry with each other.

I love to teach people new things. I love seeing their faces light up when they “get it”. And if you just start in the middle without explaining theory or the reason why you wrote a line of code, you won’t be opening up your class or your podcast or whatever it might be, to a larger audience. InfoSec NEEDS people. So we can’t just make content for the experts.

Yeah, I was super awkward when I first started on the show, which was weird for me because I am a thespian, but over time we’ve really gotten our chemistry down. Same for Patrick [Norton] and I on TekThing, too!
What coding languages do you speak?

I understand C++, Python, Java… does HTML count? Haha! I used to make anime fan sites on Geocities.

However, I’m no expert in any of those. I can decrypt them, can’t write a program other than a text adventure. Haha.
I am reading a book on programming. Trying to learn C++. I am usually able to decode it, but haven’t played around too much. I think HTML and CSS are great places to start.

Is it hard to be a woman in the tech industry? I mean, I’m sure the comments section is a nightmare. But hopefully, you’ll inspire other young ladies to get into computering.

Computering lolol

Yes, it is. Still is, but it is much easier now. I’m married to a guy outside podcasting or InfoSec, btw, but I’ve seen comments like “she’s fucking him” (meaning my cohost). Or “she’s just in it for the guys”.
You can turn anything into a verb and make it better by adding “ing” or “ify”. As in, “I’m going to eatify”.


Since I have this huge back catalogue of podcasts now from almost a decade of work, I think that a lot more people respect me as a podcaster than when I started. I still see some of the rude comments but now the difference is that people stand up for me!

I do try to stand up for other women in InfoSec whenever I can. There aren’t a lot of women in the industry and even less watching my shows. Lots of father’s have their daughters watch Hak5 with them and whenever I meet their kids, I always try to show them how cool InfoSec can be. I love seeing little girls interested in technology. 😀
I could totally understand the idea that the male cohosts would be interested in you, but historically, nerdy dudes… not popular with the ladies.

Haha, I hope not! Patrick is married with two adorbs kids. I did date Darren back in the day for a short time, but we mutually agreed that we are better as business partners than romantic partners. I’ve been with my hubs (we call him SnubsHubs) for six years and counting.
Congrats. How did you come up with your hacker alias, anyway?

It was a gamer screen name! I got it in high school. My friend Danny helped me come up with it. Originally, I was Snubsieboo, then Snubs. Which is great if a website doesn’t accept five character usernames.
Nice. And that was adorablized into Snurbs and stuff?

Yup! That’s my Ermahgerd version. Like, Ermahgerd, Snurbs
Heh. Does it bother you, the way nerds are portrayed on TV? Like the dudes are always fat neckbeards with fedoras, and the women are always quirky girls in glasses who dress weirdly.

Well, I dress weird, so no. Haha. I think there is a lot of stigma towards the way people think that nerds and geeks should dress, and it’s incorrect in many ways. For example, people think hackers always wear black hoodies and tennis shoes. To be honest though, I’ve found many hackers wear nice dress shoes, blazers, and have nice haircuts.
It’s like the cliques in high school. The cute girls are all cheerleaders, the popular guys are jocks, etc. But it seems like as adults, the cute girls grow up, and the popular guys grow up, but the nerds stay the same.

Same goes for the women – lady nerds are supposed to be pixie girls with cute glasses and tiny boobs. Sorry, but women all over look differently and have different styles. Our industry does not equal our style choices. I once had a dude get mad at me in a YouTube comment for not having properly manicured nails. I was like, really though?! Because I’m not gonna look like a perfect manic pixie for you.

I did a secret study once. I did a segment a couple years ago where I wore a geeky gamer shirt and discussed something I studied. The comments were all very positive. I then did a similar segment on another topic, and wore a floral blouse. The reaction in comments was much more negative. Most of the negativity was about either my looks or my education. It showed me that people subconsciously (or maybe consciously) make a bias towards you based on what they think you should wear.

The negativity had nothing to do with my segment at all! While the gamer shirt was positivity about the content.
Yeah. It’s so dumb to me, how the stereotypical nerd (you know, the kissless virgin type) is so desperate for the pretty girl to like him. Then in real life, they treat the pretty gamer girl terribly.

I’ve probably been playing games a lot longer than the kids being trolls, tbh. I’m old.
You see, there’s this magical age as a teenage boy, from like 13 to… 25, where you’re a complete prick. The internet just made it easier for them to display their prickidity.

Lol. YouTube recently made it possible to block certain words, and it’s gotten much easier to block people too. I’m generally nice to everyone, but as my friends say, “you don’t wanna see Snubs when she is pissed off.”
But I wouldn’t be surprised if there were a few women who would have loved to be out of the closet nerds, but the negativity was so great, that they said, “screw it. I’ll be a model.”

Probably. I don’t mind taking a few blows for the other ladies like me. I’m loud and proud, geeky ftw.
Plus, and this always gets me, so many slang words were created by us. “lol”, “ftw”, “pwn” etc. I don’t take the blame for “fleek” and “yolo” though. Or when the cute girl wears the hipster glasses and thinks that it magically makes her a nerd. I think we’re old enough, and maybe your experiences were different than mine, but when I was growing up, being a nerd was dangerous. People would bully you, even worse than they bullied everyone else. Then nerd became cool. I blame superhero movies for that. I guess on one hand, I’m glad it’s cool, but I do miss how small the groups used to be.

Yes, when I was in school it was hard for me too. I used to draw a lot of anime characters back in middle school, and was treated as an outcast because of it. But I found a core few other kids that liked the same thing as me and we stuck together. I didn’t have a lot of friends, but the ones that I did find – we are still friends 15 years later.
That’s another great thing about the geeky cultures. There were different groups. Like, I don’t like anime. But I like computers. We could each be geeky about our thing, and were generally accepted. To outsiders, we were all the same.

What do you think you’re proudest moment has been in the tech world?

Hmmm that’s a tough one. I think it was the moment that I realized that I am a voice in the industry. A year or two ago I started being asked to take part in other podcasts and events as an influencer.

But for me… it’s not about being a celebrity or popular, it never has been. If it was I would have been a cheerleader, but I didn’t do that because I wanted to stay true to myself. So other podcasters and InfoSec persons started inviting me to come on their shows as an expert in the industry or as their guest. That for me, was big for me. I do think that I still have a lot of time to grow and learn though. I’m always learning. I would love to reach a point where I’m giving talks at hacker cons or doing speaking engagements.
I think the industry has been desperate for someone like you, and your team, but you in particular. There were the so called script kiddies, and the guys on watch lists. You help people to learn, while being one of us. Plus you’re a good public speaker and a female, which is very refreshing.

Thank you for saying that 🙂 I hope that what I’m giving to the community is filling a void. I have such a passion for what I do now. I love my job. I’d do it for free if I didn’t have bills to pay lol.
How involved are you in Hak5? Like, do you help design new toys… I mean “tools” like the aforementioned Rubber Ducky, and the LAN Turtle*? Do you write your own scripts?

*Note: The LAN Turtle is a device that looks like a USB Ethernet Adapter, but allows stealth remote access, network intelligence gathering, and man-in-the-middle monitoring.

I am in charge of the shows. We have a HakShop manager who handles logistics for vending at conventions and the online store, and Darren and Seb [Sebastian Kinne] are the Masters behind the products.
What does being in charge of the shows entail?

My job is ensuring everything goes out on time, managing social aspects, working with sponsors and networks, outreach. For content, I’m in charge of writing my own scripts, research, hosting, and the studio setup. I also just recently learned how to edit!! Editing is so much fun. It’s very creative, I’m learning. I host / produce four shows for the channel, so it ends up being a full time job. Sometimes I work late to get a show out on time, but I don’t mind since I enjoy it so much. It does get stressful sometimes if a segment breaks (technology always has a way of breaking just when you need it to work the most).

I also do my own show whenever I have time on my own channel. 😀
I totally agree. I was always a good writer, but that was never really an interest to me. Then I bought this domain, simply because it was finally available. I had my art website, and didn’t know what to do with this one. So I just decided to use it for complaining. Now I’m slowly writing a book called “101 Reasons Why I Should Sue My Parents”.

Lmao. I’ll read that book. Lol
It’s silly. Like the #1 reason is because my parents didn’t let me have those shoes that lit up when you walked on them.

How many shows does Hak5 do? I was looking at your bio and you are so crazy busy.

I loved those shoes as a kid. They came back, you know! They have adult ones now. Though we could probably make our own with an LED rope and a quick code.

Hak5 the company does: Hak5, HakTip, Metasploit Minute, ThreatWire, and Pineapple University. I’m not involved with all of them. I also work on TekThing for Consumer Tech, and now and then I’ll take outside job opportunities.
Yeah. Now everything can be done with a Pi.

I heart Pi.
What’s your favorite OS right now?

Ubuntu! Omg I’m in love. I finally switched when I got snubs-angry at Windows for being lame, so wiped my laptop. I still have W7 at home for Adobe Photoshop and Light Room, but otherwise I’m really liking Ubuntu lately.
You’re using the main Ubuntu, right?

Yeah, Ubuntu 16.04, the newest one.
Nice. Do you like the Unity GUI? I couldn’t stand it, so I moved to Ubuntu Mate.

Honestly I don’t mind it. I know a lot of people hate it but sometimes I’m just too fucking lazy to switch. 😛
Yeah. I do love the colors though. Do you do a lot of virtual computing?

No, not much at all. It’s not something that I’ve needed to look into… yet. 🙂
What are your plans for the immediate future?

I want to ramp up my hobbyist show, Snubs Report (it’s more lifestyle, not tech). For Hak5, I’d like to get more comfortable with the idea of giving a talk at a hacker convention, so that’s something I’m trying to get better at.
What do you mean “better at”? What do you need to work on?

I’m also working on doing more outreach for atheists and women in the industry.

I’m not very good at public speaking. Talking to a camera and talking to a real life audience are very different. While I used to do a lot of theater, that was acting. Public speaking is being yourself and knowing what to say from your own mind, not memorized words. It’s a difficult task for me but something I want to master.
Ah. Good luck. I think that just comes with practice.

Haha Thanks!! I’ll need all the good luck I can get!
Oh yay. You’re an atheist. I could probably talk to you for hours about that topic, but I’ve put myself on a religious rant diet.

Hahaha no worries. Yes! I am. It’s one of those words that still has a sore stigma around it, so I try to show people that atheists are loving and caring people, too, with morals. I may get some beef for it but it’s a part of who I have always been.
Yup. I’m actually going to a debate with David G. McAfee in a few months. He’s a great spokesperson for atheists because he is so calm and respectful, whereas people like Dawkins, Bill Maher, and myself are really outspoken and border on mean.

Have fun in the debate!
Thanks. Have you heard of Matt Dillahunty?

Yup! I watch his Atheist debates. There’s a six degrees of Matt Dillahunty going on for me. I went to college and am friends with JT Eberhard, who writes for Patheos.

Since he’s one of the outspoken ones in the genre he also knows a bunch of folks who do atheist podcasts. I’m hoping to meet some of them one day. I’m a fan girl of a few of them. 🙂
Nice. What was your major?

My major was Restaurant and Hospitality Administration. Hahahaha. And then I started doing a show about hacking. Because that makes sense.
Really? My real job is in the hospitality industry. My degree is in art. Go figure. Great way to spend a bunch of money.

If you have children, do you plan on calling them “SnubsCubs”?

Omg. Now I do. Kids aren’t in the near future for me and SnubsHubs. We are both really focused on growing our careers and seeing the world.
Yeah. Enjoy life.

Well, I don’t want to take too much of your time. Is there anything you’d like to talk about that I didn’t mention?

I think you covered it!
What would you like to plug? Any especially good episodes coming up? It turns out you might be able to detect someone’s PIN from their wearable.

What?! I haven’t read about that yet.

Yeah, plug Hak5 and TekThing. We are working on a crossover series of episodes where we build a Linux MAME cabinet on both shows.

Cool, thanks for the link. I love reading about stuff like this.
In that case, thanks for talking with me, good luck with the conventions, and keep up the great work.

Thanks! Really happy to do this for your site. 🙂

Leave a Reply

Your email address will not be published.

%d bloggers like this: