Date: 2025-09-15

In this edition of Cyber Frontlines, meet Dustin Heywood, a Senior Technical Staff Member for IBM X-Force. As a researcher and offensive engineer, he’s earned five rare “Black Badges” at hacker conferences and a Queen’s Platinum Jubilee Medal, and has a reputation in the infosec world under the handle EvilMog. In his IBM role, Dustin tackles some of the toughest problems in digital identity and security research. Read more about how he got his start, what he’s learned about human passwords and why context—not just credentials—may be the future of authentication.
Stay up-to-date on Dustin’s work on LinkedIn.
I was always a hacker, even as a kid. I remember being banned from school for breaking into school computer systems and then having to write my Computer Science 30 exams on pencil and paper. So, I’ve always been in this world.
My first computer was actually a Telex machine because I couldn’t handwrite worth a dang back in the ’80s. Handwriting was mandatory. I couldn’t even print. So my mom [brought home] an old Telex from work. It was basically a glorified electric typewriter. And I thought, oh, this is not bad. I can live with this.
I’ve been in network engineering since 2006. I actually started at IBM in Calgary, running BGP [Border Gateway Protocol] night shift operations and managing firewalls. I moved on [to a different company] that led me to a year in Afghanistan setting up communications towers—basically every time a Canadian soldier called home, it was on the system I supported.
When I came back, I applied for a security analyst role at a government-owned bank. They picked me over a candidate with a master’s degree because I’d actually deployed systems in the field. My first project was building a secure wireless network—back in 2009, that was still new territory. From there, I moved into password audits, which led me to Team Hashcat [an independent password security research team]. That’s where I became known as a passive security researcher. I built one of the largest clusters in North America at the time for password cracking, specifically, and got involved in the Hashcat support team.
The bank didn’t want me using my real name, so I took my old gamer tag and became “EvilMog” because someone already had the initials Mog on the [Hashcat] channel. But by 2015, my real identity and cluster size were leaked. Shortly after, IBM picked me up.
I wear many hats. For years, I ran offensive infrastructure engineering for the penetration testing team. I’m a researcher, presenter, offensive engineer and a special role in IBM called Senior Technical Staff Member. My primary role these days is to remove barriers from testers, as well as act as the Canadian Market Liaison.
Basically, if something weird comes up, I solve it. Whether it’s cross-business units, broken processes, hung processes, technical issues that require some deep thought … anything that requires executive-level autonomy with technical capability.
Yeah, password cracking especially. So, protocol vulnerabilities are anything from ‘I need to go get my travel approved’ to ‘I need to go communicate with something directly in the network.’ What you’re doing is, you’re abusing how devices communicate with each other as designed to uncover flaws to later exploit.
You know, every single person who thinks they can create a good password is wrong. Humans cannot generate a secure password to save their life. The only good password I’ve discovered is one that you do not know, that is managed by a password manager and is frequently rotated.
I don’t care what language, what culture … everyone thinks they’re unique, but that idea has already been signatured for the last 10 years. So, unless it’s ridiculously long … and even then, we generate new techniques all the time, with video cards being our primary tool.
We were big users of video cards well before AI ever used them. GPUs are what they call them now. With them being so fast, we can try techniques that we never were able to try offline years ago. With Windows, for example, we’re able to do, on just a modest system, 300, 400 billion keys per second—that’s individual passwords per second—in an offline attack. When I first started here, we were able to pull a billion keys per second.
So, it’s scaling heavily. That kind of work used to take an entire cluster. Now I’ve got that on my Mac M1 or M4.
AI hasn’t changed much on the password side of things. Everything has an identity, and I’ve realized the industry has not solved the identity problem. We just haven’t.
Even with all our fancy techniques, securely identifying users and making sure credentials don't leak is incredibly hard. Inevitably, they get written to a disk or stuck in memory, and they eventually get stolen somehow. So, identity without context is the biggest problem we're facing.
Biometrics are just one layer of control. What’s becoming more important is contextual and signals-based authentication. Have you always logged in from the same Mac in Calgary, or are you suddenly showing up in multiple locations? Are you accessing systems you normally wouldn’t, or logging into several systems extremely quickly?
Those kinds of signals are critical in the enterprise. Many systems, like routers or switches, don’t support fingerprint login, but they can still authenticate through a central server that looks for unusual patterns. The bigger challenge is that a lot of systems don’t communicate with each other. Without that integration, you can’t really know what “normal” traffic looks like. And understanding normal traffic patterns is absolutely critical.
Suppliers are always a fun one. We’ve seen a number of breaches where people have used AI to fake receipts and invoices and then send those to a company for payment.
Although tools and processes are nice, I would spend a significant amount of money and time on training. People are the greatest asset and the weakest link. A tool won’t do much good if an organization isn’t making the best of it.
The funnest one that I won was at CypherCon, a conference in Milwaukee with about 3,000 people. What they do is they set up a safe dial. They hook up to an acrylic safe, and you have to manipulate that safe dial open to get the badge that’s inside. They call theirs a red badge. One year, I got tired of losing all the other competitions because some of their electronic badge hacking is so hard that no one wins—there is no solution. And so, I said to heck with it. I went and I picked up a bunch of safe-cracking hardware and taught myself how to safe-crack. And then I won the red badge for popping that safe one year.
Yeah, I literally sat there for 12-14 hours, manipulated the dial open and then I gave a talk that year on how I opened the safe!
People and credentials are always going to be a threat vector I am watching, especially with AI enabling deep fakes, better phishing emails and other exploit vectors. People are the absolute weakest link, and humans cannot generate hundreds of secure passwords and remember them even if their lives depend on it. Good old-fashioned fraud opens more doors than many would like to admit.
Don’t underestimate the amount of foundational IT knowledge required to get into cybersecurity. I generally recommend five years of experience in Systems Engineering, Network Engineering, QA, Development, SRE. Having foundational knowledge makes you that much better of a security professional. I also recommend doing a tour of duty outside of security throughout your career—the skills you pick up will make you that much better of a researcher.
I do a lot of cool things outside of security. I am a licensed special effects pyrotechnician, for example. I used to do things like scuba diving. I used to be a glider pilot and ride motorcycles. Having hobbies outside of infosec is just as critical as the stuff you do inside infosec. It provides you an outlet to do creative things. Getting outside your four walls and touching grass is just as important as the technical work.
