Security Chipmunks

Social Engineering, Career Development and Octopus Game: Insights from Eddie Miro

Edna Season 4 Episode 20


Eddie Miro, a social engineer, cybersecurity professional and community leader, joins us as a guest on the Security Chipmunks podcast. Eddie shares tips and advice for cybersecurity newcomers, talks about his past, and describes the DEF CON contest he runs, Octopus Game.

At the heart of Eddie's current work is his involvement with DEF CON, where he runs "Octopus Game" which became an official Black Badge contest designed as a "tutorial quest" for conference newcomers. The game sends participants on missions throughout the conference, helping them navigate the overwhelming environment through accessible challenges and puzzles. What began as a Squid Game-inspired battle royale has evolved into a beloved event making cybersecurity more welcoming to beginners, embodying DEF CON's push toward greater accessibility.

Eddie's transparency about his past, documented in his self-published memoir, creates powerful connections with others on similar journeys. After talks, people regularly approach him to share how his story resonates with their own struggles, finding inspiration in his transformation. For aspiring cybersecurity professionals, Eddie emphasizes building strong foundations in IT (help desk, tech support, networking) before specializing, getting involved with community groups, and developing communication skills. His most powerful advice may be the simplest: keep showing up. "Grit correlates higher with success than intelligence," he notes (admitting he is not sure of the statistic's source), explaining that persistence often matters more than technical brilliance in career advancement. Whether you're attending your first cybersecurity event or looking to pivot careers, Eddie's story shows that with determination and community support, anyone can reinvent themselves in this industry.


Speaker 1:

is from a cooperative project for acquiring skills essential to learning. Welcome to the Security Chipmunks podcast, where we keep chipping away at it. I'm your host, Edna Johnson. I'm here with my co-host, Neil Smalley. Hello, and our guest today is Eddie Miro. Welcome, Eddie.

Speaker 3:

Hey, thanks for having me on the podcast. I'm really excited to be here.

Speaker 1:

Absolutely. Please tell us about yourself.

Speaker 3:

Well, like you said, my name is Eddie Miro. I've been in the IT space for about 25 years. My first job way back in the early 2000s was dial-up tech support, so I'm pretty old. I'm really involved in the cyber community. I speak at a lot of conferences. I run a local DEF CON group here in Utah County called DC385. I run an official DEF CON contest called Octopus Game, which was a Black Badge contest last year. And yeah, I'm just generally interested in social engineering and have a kind of an interesting backstory also.

Speaker 1:

Wow, that is fascinating. All right, so you know I love DEF CON, and you have a game there, Octopus Game, and it was a Black Badge contest last year. That's amazing. So what is that game like, and how do people participate? Can they just join in?

Speaker 3:

Yes, so I'll give you a little bit of backstory, and I don't want to bury the lede: the reason we were a Black Badge contest and the reason we're so popular is due to my wife, who also is the contest lead, and all of our volunteers who make it really amazing. But the first year we did it was DEF CON 30, I think, yes, and the idea was that we were going to rip off the popular Netflix TV show Squid Game and create a battle royale where players met up and played kids' games to duel each other, and it was just a battle royale to the last person standing. It was really fun. The whole idea was just to get people to meet each other and get outside of their comfort zone, and, yes, it was pretty great.

Speaker 3:

After that it's kind of evolved a little. Now we have themes. This year our theme is Avatar, the Last Airbender, so the title is Octopus Game for the Order of the White Tentacle. Yeah, our whole thing is just being really accessible to people who are new to conferences and not really sure what to do or where to go. We kind of gamify that process. I like to refer to us as like a tutorial quest for conferences. We send players on missions to different villages and different areas so they can interact with other areas of the conference they might not normally interact with and make some friends and be more human.

Speaker 1:

Wow, that sounds amazing. So I love how that helps people get to know the conference. So is it kind of like a scavenger hunt for you going around or what?

Speaker 3:

Yeah, I mean, it's kind of hard to describe, but we do have small puzzles and basic crypto challenges that they have to solve, and we give them maps and different puzzles that will lead them to different areas, and, depending on what year it is, they have different things they need to do. Sometimes we just have them go take a selfie with somebody in a village, or if it's, say, the Lock Picking Village, then they have to pick a lock, and we have one of the volunteers there validate that they interacted. And, yeah, it's kind of like a scavenger hunt and a basic crypto challenge, sort of. There are plenty of good CTFs and crypto challenges. Ours isn't meant to be really hard, because it's meant for noobs and for people who are brand new, and we wanted to gamify it and give people a direction to go, and yeah, it ends up being a lot of fun.

Speaker 3:

Last year, when we were selected as a Black Badge contest, the organizers of DEF CON really liked the vibe of our contest, and they're really pushing to make information security and cybersecurity more accessible, and DEF CON is becoming more family friendly, and our contest is kid friendly. So we just really hit the nail on the head that year, and our winning player got a Black Badge, and I'm sure your audience knows the significance of that. But just in case there's somebody who doesn't know, a Black Badge basically gets you back into the conference for the rest of your life for free. It's a very special thing, and there are very few contests that get to be a Black Badge contest. DEF CON's cool, and sometimes they select random ones, and we just happened to be that one. Our winning player got a Black Badge for a game of Simon Says at the end. So it was kind of crazy.

Speaker 1:

Wow, that's amazing. Yeah, black badges are really special, so that is wonderful. So I know you do a lot of social engineering. You're a volunteer with the Social Engineering Adventure Village so I wanted to ask you like, how did you get started with social engineering? And I heard you did a talk on it at DEF CON, so tell me about that.

Speaker 3:

Well, my talk at DEF CON was at DEF CON 27 in the old SE Village and it was on how to weaponize the rideshare relationship.

Speaker 3:

So I was in between jobs at the time and was driving for Lyft to make some extra cash, and I'm a very social person, obviously, so I enjoy talking to passengers, and, despite everyone saying they don't like talking to drivers, that was the opposite of the response that I got. Maybe it's just because I'm more approachable and social, but I found that people were having these really deep conversations with me, and it kind of felt like this sort of pseudo-relationship could be formed, kind of like the way people open up to bartenders, where I feel like an anonymous person and people were sharing really intimate details. And the talk was on that experience, and I hypothesized on what could be done if you were to weaponize that sort of interaction and how I might utilize rideshare as a vector in a social engineering attack. You know, parking near a target would pretty much guarantee you get that ride. It's all geolocation based. And yeah, that was my first big talk that I did at DEF CON. Very, very interesting experience, for sure.

Speaker 1:

Okay, that's interesting. Yeah, yeah, nice. So have you done other social engineering things since then?

Speaker 3:

So when I was making my transition into cybersecurity, I, much like everyone else, wanted to be a pen tester, so I started focusing on that. I did some pro bono pen tests for some unsuspecting companies in my hometown. It was a lot of fun. My partner and I did the whole covert entry thing. We broke in and we ran amok in the office, and it was super fun and it was great. The company had no idea how vulnerable they were. We found the CEO's computer unlocked, sitting right there on their Outlook. So yeah, it was pretty fun to do that debriefing with them. And they had cameras, and I was surprised that nobody responded to it, and they said that there were just too many alerts. So yeah, alert fatigue strikes again. I was pretty shocked. It was really bad.

Speaker 3:

But at that time I was approached by one of the department heads for a community college in Northern California called Butte College, and she asked me if I wanted to teach, which I had never considered before, because I only have an associate's degree. Why would I be a community college teacher? But I transitioned into education and I did that for a few years. It was a very interesting experience. Eventually I moved out here to Utah. I worked for a company called Arctic Wolf. They're a big MSSP. I was a senior technical trainer there, and, yeah, I've worked for a few other companies since then. Most of my talks, though, are on social engineering, and I'm trying to make a transition right now in my career to go towards the marketing side, and I like the idea of being an evangelist, going out there and doing talks and doing field marketing and using my social skills and all the public speaking and content creation I do. So, I don't know if that answers your question, but there it is.

Speaker 1:

Yeah, absolutely. I like that you had the opportunity to do education, because that can be so rewarding, and it's a very interesting path that you took there. When you're giving people feedback and advice on getting into this kind of career and wanting to do social engineering, what are some recommendations that you give people?

Speaker 3:

I mean, it's really hard. That's a question that I think about a lot. Excuse me. So that's a really hard question to answer, and I've been thinking about it a lot lately, and my path to where I got to today is not something that I think anyone could replicate. So, in a certain way, I'm almost reticent to give people advice, because how can I tell you to do the things that I've done? And I know I glossed over a major part of my history earlier. Sorry, I got distracted by the chat. So I know I kind of glossed over a big part of my history earlier. I wrote a book, which I know we talked about earlier. It's called Outlaw Summer Cyber Dreams. You can't buy it, but you can actually find it on my LinkedIn profile. I uploaded the PDF for free. The reason I wrote that book is because Phil Wylie was having breakfast with me at DEF CON a few years ago and he asked me why I hadn't written a book. And the reason he asked me that is because I have a really interesting family history, and I'll give you the TL;DR.

Speaker 3:

But yeah, when I was born, my parents were bikers and criminals. My dad was a drug dealer. When I was a young child, I was there when we got raided and my dad went to prison. When I became a young man I followed in those footsteps and worked for a couple of years as a criminal. I had a boss who was a known organized crime figure. We traveled around the country and committed lots of crimes, and I have firsthand experience with social engineering and being a threat actor. I kept that a secret for a long time, for obvious reasons. I was never arrested or convicted of anything, so I have a clean background, which is very helpful.

Speaker 3:

But it was kind of a thing that I always wanted to share with the world and get off my shoulders, and I felt ashamed of who I used to be. So I wrote a book about it. I tried to get it published by some publishers. They didn't think I was famous enough, so, hey, fair enough. But I decided to self-publish it. I wrote it myself, I hired an editor to proofread it, and I hired a typesetter, and I published it on Amazon, and it was an interesting experience, and I had a lot of people who were supporting me and wanted me to share my story. And it's interesting, because it's really counterintuitive to share with the world some of the worst parts of yourself and the fact that you were a bad guy once, and now you're a good guy and you try to teach people how not to be victims of people like you used to be, and people like the redemption story arc. So I don't regret telling it, and it's been very cathartic and it's been very therapeutic to be able to share that and almost break down crying in front of large audiences of people.

Speaker 3:

But yeah, so if you want to hear that whole story, check out my LinkedIn. It's on there. It's a PDF. But once it was clear that all the people who were supporting me had a copy, I stopped selling it, because I never did it to make money. And in hindsight I wish I had spent more time on it, and I could easily make it two or three times as long. I remembered so many more stories that I left out, and, you know, it was a personal experiment and I'm glad I did it.

Speaker 1:

Wow. I'm glad to see that you were able to put that down in writing and share it. That's a lot to share with the world, and I'm glad to see that you're on the good side of things now. That's a great redemption arc story, and I know that you have a lot of knowledge and experience that you can share with people who are going through the bad side of social engineering, and that's so amazing that you're now helping people.

Speaker 3:

And not only am I using my experience to be a security practitioner and to help people, you know, and teach people how to think like a threat actor and how to understand how an attack works, but also, a side benefit that's really meaningful to me is I can always count on at least one person coming up to me after I do a talk, or even on LinkedIn. This morning, I got a message from someone who read my book. Someone who has read my book or seen my talk will come up to me and say that my story is so similar to theirs, and they appreciate my vulnerability and seeing that we don't have to be defined by our past and we can be whoever we want to be, and we can take what

Speaker 3:

may have, you know, been traumatizing, and we can reframe that in a way that's empowering. And, yeah, that's the only reason I still do the talks or share my story anymore: just for those individuals it really resonates with and who reach out to tell me things. That's an amazing feeling.

Speaker 1:

Yeah, you're taking control of your destiny, and that's wonderful.

Speaker 3:

I'm trying. Neil, are you going to ask me a question? I see you over there.

Speaker 2:

Certainly, certainly. So, just real quick, I actually first came across your work in this volume of 2600, where you had an article. But, just thinking more generally, you've obviously held a lot of different roles and done a lot of different things over the years. What's something you've changed over the years? Like, are there certain processes or advice that you would have given before that you wouldn't necessarily give today, now that you know more?

Speaker 3:

I think I'll just direct this towards career advice. I do a few talks on hacking the hiring process, and I think my general advice to people is, when you're first starting out, be as general as possible. I know everyone wants to be a pen tester or they want to be a SOC analyst, and I would recommend people take roles that are in IT: help desk, tech support, networking. They aren't cybersecurity, but they are foundational. I'm old, so I came from a time where you had to be in networking and IT for a long time before you kind of graduated to cybersecurity, and I'm really happy that there are fewer barriers to entry now, and I'm not a gatekeeper, but I also find my networking experience is very valuable. So it's tempting to want to skip all of that and just go for Security+ and then try to go for your OSCP or go into a SOC analyst role, and I think it's good to build your foundations first and get some of that experience there.

Speaker 3:

Be general, but try to identify what your specialty is going to be as early as possible, and really look very broadly, because cybersecurity is so much more than just pen testers or SOC analysts. I mean, there are dozens and dozens of domains, and it takes a while to check everything out and experience different roles. And you might find that you love GRC. There's something for everybody in this field. A lot of people think that being a pen tester is very sexy, and it can be, but very few pen testers are out there doing red team covert entries. Most of them are just sitting in a cubicle. It's very automated. It's very much about writing reports. So a lot of people think they want to be pen testers, and they finally get there and realize that they don't really like that, and there's so much out there to try. So another thing, just to finish up this thought, and this is something that I always recommend, and some people take this advice and some people don't: get involved with the cyber community. I mean, your viewers are watching this, so they're already part of that ecosystem. They are probably in a cyber Discord and they probably go to cyber conferences, and they should keep doing that, and they should volunteer, and they should be active on LinkedIn and other social media and be a part of the community.

Speaker 3:

Every job I've gotten for the past 10 years has been through my network and through word of mouth. And, yeah, it's something that I know a lot of people don't like, because a lot of us are introverts, and that's okay. Just push yourself a little bit. I used to be very shy. My first talk, I told Edna about earlier: I had a panic attack, and it was horrible, but I just kept doing it, and I've been on huge stages now and I don't get stage fright anymore. I know that's not typical for public speakers. I know I'm a psychopath, but the more you put yourself out there, the easier it gets. So join a local DEF CON or 2600 group or whatever you have in your area. Go to BSides, volunteer, check out the Social Engineering Adventure Village. Just try to be part of the community.

Speaker 2:

That's so very true. One of my favorite pastimes now is convincing people who've never gone to a conference to go, with a little peer pressure, you know, and come see what it's like.

Speaker 1:

Peer pressure. That's my favorite too. Love it.

Speaker 3:

Look, introverts need some extroverts to come in and adopt them and force them to do things, and I'm totally willing to be the social nerd.

Speaker 2:

So, yeah, just be careful, if I'm wrong. Yeah, it just changes the dynamic. If you're by yourself and you're trying to break into one of those groups of people, it can be tough. An extra person makes it much easier to get into that dynamic. Oh, you're right, it's...

Speaker 3:

In some places it's tough. Like, my first DEF CON group was DC530 in Chico, California, and I love those guys, but I had to go to their meeting five or six times before anybody would talk to me. I would just sit there awkwardly, and, you know, some groups have a thick exterior that you have to get through. You know, hackers can be suspicious people, but you just keep showing up and, you know, eventually it'll all work out.

Speaker 1:

You end up wearing down their thick armor. All of a sudden, you're one of them.

Speaker 3:

Yep, exactly. Yeah, not every group is like that, just for the listeners. There are some very welcoming groups, trust me. I run a group, and Edna, don't you run a group down there too? Yes, DC47, exactly. So we would love for you to join our group. It's very hard to find members, and it's such a struggle. So join a group and be active.

Speaker 1:

And, yes, we love you. Exactly. Yeah, we even have virtual ones. So if you don't have a DC group home, you're welcome to join us. Anywhere in the world. We have people from other countries. Come join us.

Speaker 3:

You guys have an awesome group and you're always doing cool things. My group is small. We struggle out here, but we're also really close to DC801, which is the first DEF CON group, in Salt Lake City. They're a really established community. We're in the county just south of Salt Lake, so it's challenging, but we're doing what we can.

Speaker 1:

That's okay. You have a group for the people in your area. Sometimes people feel like another group is too far.

Speaker 3:

We don't want to drive all the way up to Salt Lake.

Speaker 1:

It's like 20 miles.

Speaker 3:

That's so far.

Speaker 1:

Exactly, there's a group for everyone. I'm glad you have a good group right there. Even if it's small, it's a good group. I've joined your Discord. Your members are awesome people. They're cool.

Speaker 2:

I mean, it depends on what you're trying to achieve too. A lot of times, if the group is too large, it can be kind of hard, as a new person coming in, to actually make those one-on-one connections.

Speaker 3:

Totally.

Speaker 2:

So you don't have to do it all at once. You can start out smaller, for sure. So true. Yep, absolutely.

Speaker 1:

As long as you're consistent, your group will grow. Exactly, just show up. Just show up, keep showing up, dude. Like, you have no idea how true that is.

Speaker 3:

People know of me, and I get a lot of really cool opportunities, and part of that is just that I kept showing up and I've been around for a long time. So, yeah, don't give up. And I know it's really hard right now for people who are looking for jobs, and a lot of us have been lied to that there are all these unfilled jobs out there, and I know it's really challenging, but just don't give up. And I love this statistic. I don't know if it's a real statistic, but it sounds really good, so I'm going to say it anyway.

Speaker 3:

So it's just that grit correlates higher with success than intelligence. So the people who just don't give up are more likely to be happy and succeed in the end, versus just having, you know, a skill set that may be better than yours. Like, for me, I get a lot of jobs and I'm not the most technically advanced person, and there are people who are smarter than me, but I bring a lot of other things to the table, and part of that is just being part of the community and my network. So don't sell yourself short.

Speaker 2:

Right. I think that goes to show just how important communication is. It's not just about the technical skills. You've got to be able to communicate the concepts to other people.

Speaker 3:

I mean, soft skills are key, and I have friends who are hiring managers, and, yeah, that's really discouraging, I know, for a lot of people who are introverts. But you won't work in a silo. You will work on a team, you will have to communicate, and you will have to be able to communicate through verbal and through written skills. If you become a pen tester, the majority of your time is going to be writing reports. So find ways to beef those up. Join a Toastmasters group, join a local...

Speaker 2:

I was just going to say that. You know, I think one of the things that frustrates me the most is people acting like you can't learn these skills. You absolutely can. You just have to practice it again and again. I wasn't good at public speaking.

Speaker 3:

The first time I did it, I was awful. But there are ways to learn and practice, and, yeah, there are a lot of opportunities out there if people really want to do that.

Speaker 1:

Absolutely, and I think that's a great final thought for today. So thank you, everybody, for listening to this episode of Security Chipmunks, where we keep chipping away at it. Make sure to like, comment, subscribe, do all the things, push all the buttons here, and we will see you on the next one. Take care.