Welcome back to one of our favourite blog series, where a different member of the team is introduced on the second Monday of each month. In these posts, you can find out more about the hoodies behind Zerocopter.
This month we sat down to talk to our Head of Research & Development - Mattijs van Ommeren. And we are so excited to introduce you to him! Mattijs is responsible for running a super exciting playground where new technologies are explored, and features and services are experimented with to enhance Zerocopter's platform.
Please tell us a bit about yourself, who is Mattijs van Ommeren?
I am a curious guy who loves solving puzzles. In my youth, I loved taking electronics apart and reassembling the parts in a Frankenstein style with mixed results. Later on, I discovered personal computers and was fascinated by using those in interesting ways, like modifying games using a debugger (cheating and bypassing protections, *cough*) and programming weird stuff in Turbo Pascal. When I finally landed a serious corporate job, computer security (mostly the hacking part, actually) kept luring me, and I decided to turn it into a business by becoming a self-employed pentester. A few years later, I was employed by several consulting companies to help build a security practice in the realms of IT as well as OT (Operational Technology, as in Industrial Control Systems) and rediscovered my love for hacking hardware.
How would you describe your job title in a couple of words?
My title is Head of Research & Development, which in practice means I am running a playground for exploring new technologies and experimenting with features and services to add to Zerocopter’s service offering and platform. The past year I have been working on architecting a new exciting Zerocopter experience!
What do you like about working as a Head of Research & Development?
What I like the most about my job is dealing with complex challenges and coming up with creative and innovative solutions, familiarising myself with cutting-edge technologies, and, above all, working with some of the most awesome people in the field.
How did you end up at Zerocopter?
I ended up at Zerocopter because Edwin (our CTO) and I thought it was about time to start working together, as we have been hacker friends for quite some years. For me, it was the moment I started to see potential in the concept of Bug Bounties (despite my initial scepticism), and Zerocopter apparently could use my can-do approach. Bottom line: let’s have fun!
If you could trade positions with anyone in Zerocopter for a day, what would it be and why?
It would be interesting to trade positions for a day with Jan-Albert because he always seems to get the better Whisky tasting opportunities.
What have you learned from working at Zerocopter?
At Zerocopter, I learn every day. Whether it is about new technology, customer needs, or people/technology gaps - it is always nice to get feedback, process it and discover new ways of improving quality of life and security and learn along the way. It is okay to make mistakes as long as you take them as an opportunity to learn. It would be good if more managers acknowledged that and started to value employees who continuously try, fail, get back on their feet, and persist. It is passionate people that are the true contributors to improved security, not the magic blinky-da-bling boxes.
What resources (book/podcasts/courses etc) would you recommend to someone (new) in this industry?
The Darknet Diaries podcast is a personal favorite, not least because, together with Edwin and Victor Gevers, I was featured in an episode where we explained how we got access to Donald Trump's Twitter account. Not because it was a particularly leet hack, but for demonstrating that simple security measures like password hygiene and 2FA can come a long way.
If you want to learn more about hacking, the obvious recommendation would probably be sources like "hackthebox.org" and OWASP. But many new people in the industry often lack basic computer science knowledge. Therefore, I can recommend Harvard's free CS50 course https://www.edx.org/cs50. This course can help you to see the bigger picture and make you a better security professional.
When was the first time that you heard about the term “bug bounty” or “RD/CVD”?
I don’t remember exactly when I got acquainted with the term, but I think around the time HackerOne was launched. As an avid professional pen tester, at first, I was skeptical, but over time I started to believe that the added value of yearly pentests by the same contractor over and over again is rapidly decreasing. Pentests often have a limited scope (no hacker ever said: let me stop here because it is out of scope), focusing too much on compliance rather than on ‘real’ security. In this industry, the norm seems to be producing mediocre quality reports that end up somewhere in a drawer, never to be read, let alone followed up. Organizations that are interested in bug bounty and disclosure programs seem to be more mature and focused on obtaining actual results. They are also more driven to fix vulnerabilities to improve their security posture.
What is your favourite stereotype about the hacking industry and why?
Although I consider myself a hacker, I do not consider myself part of the “Hacking industry.” Of course, mass media depict the stereotype of a hacker wearing a hoodie or, even worse, a ski mask, operating a computer with a crowbar. Utterly ridiculous, of course. Most passionate security professionals are more the type of heroes without a cape, but that is graphically somewhat difficult to depict, I guess.
Do you have a (hacker)handle/username? And what is the story behind that name?
Alcyon is my common hacker handle, and @alcyonsecurity is my handle on Twitter. Recently, I have not been very active on the platform, especially after Elon Musk made it his personal toy. About the origin of the handle: when I needed a company name as a freelancer, I was inspired by the kingfisher, a bird that is not afraid to dive deep and get wet to catch a fish. And that is, according to my philosophy, about being prepared to dive deep and get out of your comfort zone to improve yourself and get the best results.
We hope you enjoyed the blog and got to know Mattijs better! Stay tuned for the new blog in May, and find out more about the hoodies behind Zerocopter!