Marcus carey v2

Marcus Carey

Enterprise Architect ReliaQuest

Marcus J. Carey is an Enterprise Architect at ReliaQuest where he does security research and product development. Prior to joining ReliaQuest, Marcus was the founder and CEO at Threatcare (acquired by ReliaQuest) and has 20 years of cybersecurity experience. Marcus has worked in penetration testing, incident response, and digital forensics with federal agencies such as NSA, DC3, DIA, and DARPA.

Description

In this episode, we talk about cryptography with Marcus Carey, enterprise architect at ReliaQuest. Marcus talks about going to the military and learning cryptography, what cryptography is, and the foundational things you need to know in order to make sure the apps you’re building are secure.

Show Notes

Transcript

[00:00:05] SY: Welcome to the CodeNewbie Podcast where we talk to people on their coding journey in hopes of helping you on yours. I’m your host, Saron, and today we’re talking about cryptography with Marcus Carey, Enterprise Architect at ReliaQuest.

[00:00:18] MC: Code is a force multiplier. It’s beautiful because whatever your expertise is, you can probably use code to help you do your job better.

[00:00:27] SY: Marcus talks about going to the military and learning cryptography, what cryptography is, and the foundational things you need to know in order to make sure the apps you’re building are secure after this.

[MUSIC BREAK]

[AD]

[00:00:47] TwilioQuest is a desktop roleplaying game for Mac, Windows, and Linux to teach you real world developer skills. Take up the tools of software development, become an operator, save the cloud. Download and play TwilioQuest for free at twilio.com/quest.

[00:01:04] Ambassador Labs enables developers to ship software faster on Kubernetes. Sponsor of both the Ambassador API Gateway and Telepresence open source projects, Ambassador Labs is used by tens of thousands of developers worldwide. Learn more at getambassador.io.

[00:01:21] RudderStack is the Smart Customer Data Pipeline. Easily build pipelines connecting your whole customer data stack, then make them smarter by ingesting and activating enriched data from your warehouse, enabling identity stitching and advanced use cases like lead scoring and in-app personalization. Start building a smarter customer data pipeline today. Sign up for free at rudderstack.com.

[00:01:47] New Relic helps engineering teams all over the world visualize, analyze, and troubleshoot their software. Discover why some of the most influential companies trust the New Relic One observability platform for better uptime and performance, greater scale, faster time to market, and more perfect software at developer.newrelic.com.

[AD ENDS]

[00:02:12] SY: Thank you so much for being here.

[00:02:14] MC: My pleasure.

[00:02:15] SY: So Marcus, you’ve been coding for over two decades. Tell us how it all started for you.

[00:02:19] MC: Well, that makes me feel old.

[00:02:21] SY: No, you are wise and experienced. That’s what you are.

[00:02:24] MC: I started coding in elementary school. I remember learning basic a long time ago. And in high school, I took Pascal, another programming language. I saw the movie WarGames growing up and I just knew I wanted to work with computers. I came from a very poor background, so I didn’t have access to computers. But what eventually happened is I joined the US Navy and I did a career field called cryptography. So I was a cryptographic communicator in the military where I did cool stuff like communications, networking, and one of the first things that I had to do is I had to manage a database of classified material.

[00:03:01] SY: Wow!

[00:03:02] MC: So I got to learn how to program in a database type language, also started scripting and stuff to make my job easier back then. It all started for me in the military.

[00:03:12] SY: Wow! So when I think about cryptography, especially in the military, I’m thinking spies and secret missions, Mission Impossible, maybe some Borne. Is that really what it’s like?

[00:03:22] MC: Yeah. To most people, it would probably be like that. I was lucky enough that I did. I was a spy for eight years and did all kinds of cool stuff at the highest clearance in the land, access to all kinds of training and all kinds of computers and all that stuff. It was definitely high tech and it was mind blowing coming from where I came from.

[00:03:43] SY: Are you able to tell us any stories, anything interesting that happened while you were there?

[00:03:46] MC: Tons of stories. Most of the things that people do online nowadays, the military and intelligence community had many of those things a long time ago.

[00:03:55] SY: Oh, really?

[00:03:55] MC: Including cryptography, right? To keep the secret secret in communication systems. When I was 18 years old, this is 20 something years ago, we had stuff like Twitter in the military already.

[00:04:08] SY: Oh! What? What are you all doing on Twitter?

[00:04:11] MC: Intelligence stuff, sharing information, and that’s what the internet was built for. The internet was created by the Department of Defense, long history there. I got to experience technology and it was 20 some years ahead of its time. So it gave me kind of like an advantage to most people that don’t have that background.

[00:04:30] SY: What was the most exciting thing you worked on when you were there?

[00:04:33] MC: The most exciting thing I did in the military was I managed the global network for the National Security Agency and also helped build their security operations center. Basically, I got to see other people trying to hack into the NSA. That was pretty cool.

[00:04:49] SY: Wow! That is fascinating. So I think when we think about cryptography as citizens, I think we have this idea that the military is constantly spying, constantly surveilling, they know absolutely everything about us. Is that true? Is it really as invasive as we are afraid that it is?

[00:05:08] MC: Well, big picture, I think that there’s so much data nowadays that it would be hard to just do wholescale spying on everybody. It’s too much information, too much information. But if people want to target particular individuals, that’s actually quite possible, and why that’s important is not just sort of the US. The US has very good laws, believe it or not, to protect civilian, like US citizen being spied on. We have laws and people do use those laws. So people aren’t trying to randomly spy on people. But in different countries though, their laws are not the same, their leadership of those countries are not the same. I look at everything in a global sense. I am a cybersecurity professional and we kind of believe in kind of like a Hippocratic oath, like doctors take. And in security and privacy, that’s how you have to think. You have to think of it as a global problem. If one set of people are being able to be spied upon easily, that affects everybody. So we want everything to be secure and we want privacy for everyone.

[00:06:13] SY: So we talked about kind of your career and what it’s like to be in the military doing cryptography, but let’s talk about what cryptography actually is. How would you describe it?

[00:06:23] MC: Cryptography comes from just like everything else. If you know anybody Greek, they’ll tell you everything comes from Greek. So cryptography is hidden messages. And hiding those messages, you can do it in a lot of different ways. And essentially, there’s a lot of different algorithms. The algorithm is what keeps those secrets jumbled up and typically you have an algorithm and you have some kind of key. And a key is what can unlock it. I remember growing up, there used to be these decoder rings inside a cereal that we used to play with.

[00:06:56] SY: I don’t remember that.

[00:06:58] MC: So you just called me old again. Thanks. Yeah, but a decoder ring was essentially a simple cipher. It was what we call a substitution cipher back in the day. So you substitute A for G and therefore and so on. So basically you substitute 26 characters for another character. So that’s the simplest form of a cipher.

[00:07:22] SY: So when I hear about cryptography, I’m thinking code breaking and just really, really complex code, but what does the code actually look like? What languages do you use? What tools do you use in the cryptography field?

[00:07:35] MC: You can use any form of code by the way. And the codes that are compiled, any algorithm that’s compiled is going to be way faster, but you see cryptography implemented in all sorts of languages. So the languages don’t matter. I encourage anybody to just learn one language, learn one language, be really good at that, and what you’ll find out is that you’ll be able to move to other languages. Because most of the languages that we program today are what they call “high-level program languages”, and it is somewhat easy to move back and forth between the languages. So don’t be thinking you have to learn something in particular. Nowadays, people learning something like Python, and that’s a great starter language to do. And the algorithms typically are like mathematical problems and you can actually program any math problem in code. And so Python is a great language to start, or you can do something like JavaScript for web development. I use a lot of JavaScript in Node. Node is used for a lot of backend stuff.

[00:08:38] SY: What about platforms? When you’re a web developer, your platform is a browser. That’s where you do stuff. When you’re a mobile developer, your platform is the phone. So when you are doing cryptography, what are you doing it on?

[00:08:50] MC: Well, most of the cryptographic algorithms are done on an in-system and that will be coded and put in a browser. So most browsers are coded in probably something like C or C++. And so the processing is done by your computer. Or in a cloud cryptography, it’s going to be something installed on that machine. So most of the mathematical operations for crypto is going to be some kind of what we call a binary package. It’s going to be compiled and you’re going to reference that. And when I say reference, I mean, you’re just going to use that code. The golden rule, the most important thing that anybody that’s getting into web development doesn't worry so much about crypto because there is a lot of what we call libraries out there to use all sorts of cryptography. So I would just be like, “Okay, you need to know what library they use.” But what we say, there’s a saying, we say, “Never roll your own crypto.”

[00:09:49] SY: Really?

[00:09:50] MC: Never roll your own crypto. That means don’t try to implement your own cryptography. Just use the libraries that are available. You can even mess up the implementation, but use the libraries that are already provided for you is what I recommend.

[00:10:03] SY: Is it just that it’s too hard, it’s too complicated or why not roll your own?

[00:10:07] MC: Because good cryptography is usually peer reviewed and most of it is open source. So there’s people with math degrees and physicists and all kinds of crazy smart people that do cryptographic algorithms.

[00:10:20] SY: Okay.

[00:10:21] MC: And some of those people even work for government agencies that are really smart and they come up with these algorithms. Funny thing on the NSA thing, people don’t know this, but NSA’s mission is to help provide secure algorithms for the military and for companies out there.

[00:10:39] SY: Oh, companies too?

[00:10:40] MC: Yeah. Yeah. Totally. Because what happens is you have espionage all over the world. So the US wants to protect US companies so we’re not spot on as well.

[00:10:51] SY: That’s a good point.

[00:10:51] MC: You have to prevent stuff like bank fraud, all kinds of different things. Just think of how many things that the government uses and companies use. So you don’t want people hacking that stuff. So NSA, one of their core missions is to help people with secure algorithms. So NSA actively tries to crack cryptography just to make sure it’s safe.

[00:11:11] SY: Interesting. Interesting.

[00:11:11] MC: If you have somebody like NSA and all the horsepower and computers they have, if you try to roll your crypto, you might run into a problem where you implement something that has flaws. So that the current libraries that are out there that you can use will help prevent that.

[00:11:26] SY: What are some of those libraries? If you’re a web developer, mobile developer, are there kind of common tools that we might come across that we might use?

[00:11:35] MC: The most common thing that you’re going to use is you’re going to probably try to implement TLS. Some people talk about SSL. Anytime you want to have that lock on your browser, if you’re using Chrome, you’ll have something that says HTTPS, that’s using TLS.

[00:11:51] SY: And what does TLS stand for?

[00:11:52] MC: Transport Layer Security, I believe.

[00:11:55] SY: And what is that?

[00:11:56] MC: Basically it’s a way of what we call public key cryptography or public key infrastructure. So what happens is traditionally back in the day, if you wanted to exchange a secret message, we would have to exchange a key and we would both have to have that same key on each side. That’s what we call symmetric encryption. Symmetric means we both have the same key. So what TLS allows you to do is we don’t have to have the same key to do it to exchange our private message, but there are public and private keys in place. So when you go to a website, what you’ll have is you’ll have the public key essentially of the website. And from there, you’ll do it and exchange, it’s like a handshake, and then you exchange what they call a session key, and this is all part of the algorithm. This is why it gets super complicated. But the TLS, what that does is it allows us to not have to have the same key initially, but there’s a process for us to exchange a key to have what we call a session key. That session key allows us to communicate, watch videos, tweet, whatever that is, that allows us to do that over secure communications. But again, most of these libraries are built in. You just have to know how to implement them. And one of the things you don’t want to do is you never want to reveal. If you’re doing PKI, you might have SSH keys. SSH stands for Secure Shell. A lot of people use Secure Shell to communicate in upload files. People use SSH keys to log into machines on Amazon, for instance, is a good thing. But that’s another protocol, but any kind of crypto you’re going to implement, you’re probably going to have private keys and public keys. Never publish your private keys into a GitHub repo. Remember this. This is maybe one of the most important things I’m going to say. Always keep your private keys private.

[00:13:56] SY: So one of the things that I know comes up a lot as part of product development is authentication and OAuth and that sort of thing. That’s part of crypto too, right?

[00:14:06] MC: So authentication does not require cryptography at all.

[00:14:10] SY: Okay.

[00:14:11] MC: Authentication means I’m going to let you log into my system. But if I want to verify that I am who I say I am, you can use cryptographic algorithms to prove that. Now a good example is when I go to facebook.com and I have that lock, there was a process there that said, “Oh, we looked at Facebook’s public key and we can verify that that’s who we’re talking to right now.” But yeah. And by the way, all those different protocols like OAuth and all those authentication protocols, the information is transmitted over a secure SSL or TLS communications. So crypto is being used in the process of those, but it doesn’t require crypto. Another thing that you probably see, you’ll see crypto sometimes, cryptographic things like hashes, and some of those hashes are related to cryptography.

[MUSIC BREAK]

[AD]

[00:15:24] Want to learn more about Kubernetes, but don’t know where to start? The Kubernetes Initializer lets you build your own application right in Kubernetes’ playground in just a few clicks. Automatically configure Ingress, a continuous integration pipeline, authentication and more. Try it for free at getambassador.io/codenewbie.

[00:15:44] RudderStack Smart Customer Data Pipeline is warehouse first. It builds your customer data warehouse and your identity graph on your data warehouse with support for Snowflake, Google BigQuery, Amazon Redshift, and more. Their SDKs and plugins make events streaming easy, and their integrations with cloud applications like Salesforce and Zendesk help you go beyond event streaming. With RudderStack, you can use all of your customer data to answer more difficult questions, and then send those insights to your whole customer data stack. Sign up for free at rudderstack.com.

[AD ENDS]

[00:16:23] SY: So tell me what it was like to study all of this. Because it sounds really hard to be totally honest. It sounds very mathematical and really smart and it sounds like it required a lot of studying. What was your process for learning all of this?

[00:16:35] MC: It’s just a snowball effect. I tell people, “Start where you are and over time you just learn and learn and learn and put yourself in a good position to learn.” The best way to learn though is as I found in my own personal life is learn how you best are able to learn. You got to learn how you learn because I can’t tell you what the best way for you to learn, because I don’t know, you may be an auditory learner. You may be a visual learner. You may learn by hands-on. You may learn by reading. So the key to anything in life being able to learn and even cryptography is I know I’m an auditory learner. I also am a hands-on learner. So listening and implementing stuff has been able to apply that snowball effect over time, of course, when I was young, but I also had a benefit of joining the military when I was 18 years old and they trained me and what you see now is 25 years of experience talking.

[00:17:37] SY: So when you study cryptography, what exactly are you learning? Obviously you’re learning how to code, but you mentioned that all these algorithms are built by physicists and mathematicians and all those fields and disciplines. Do you have to learn all of that as well?

[00:17:51] MC: Well, you don’t really have to know what’s under the hood of the algorithms, to be honest with you. You need to know how to implement them securely. Again, like some of the stuff is even like keeping a program key private and you’ll be surprised. People check these kinds of keys into their GitHub repos, or even like from a security perspective, do not put your API keys out there. Sometimes you see that in a GitHub repo because it’s like how do you implement things securely. There’s no silver bullet on security and sometimes people think of cryptography and think of, “Oh, I’m automatically going to be private and I’m automatically going to be secure.” Well, that depends if you use them in the right way. So learn what the algorithms do. Right? TLS, how do you implement TLS? Well, you need to get a certificate from somebody to issue a certificate and you need to put that in the right place on your server. You have to follow those particular steps. In cryptography, no. Like I said, you can do it, but it’s a math process. I’m talking about building the algorithms and building a software that does these things. That’s way harder. You don’t have to know all that stuff. You don’t have to know all the algorithms. You don’t have to know all that stuff, but what we can do is we can go from the recommendations and guidance. There’s an organization called NIST in America. NIST actually provides guidance of what algorithms you should use. And so look up NIST. NIST always has best practices. They’ll tell you what key link you should have, what kind of hashes you should be using, all that information is public because it’s in our government’s best interest to make sure that everybody’s secure.

[00:19:34] SY: So are these topics, just the world of cryptography, is this something you can learn on your own? Or do you need a degree for this? Does this need to be studied? And also, what does the industry look like? Because I feel like I see a lot of security certificates out there. Is this a certificate-driven industry?

[00:19:52] MC: We live in an amazing time right now. You don’t have to have a degree to do pretty much anything related to computers, and it includes cryptography. I don’t think you have to have a degree to do any of this stuff. And the price of training and to get started coding and building, you can go to some of these online learning places and you can get courses for 10 bucks to learn how to do something amazing. You can get those courses, the same courses to learn how to do cybersecurity and understand how to implement algorithms correctly, YouTube of course. So we’re in an amazing time to learn and hopefully we can take all those advantages, all those opportunities and build something amazing.

[00:20:40] SY: So you started your own security company about seven years ago. Tell us about that transition from military to being a business owner.

[00:20:48] MC: Yes. It’s funny. Ever since I was young, I wanted to be an inventor and I think that a lot of people that do code, coding to me is like building Legos. So it’s just building blocks and basically I’ve always wanted to be in a company and all that stuff. And I learned how to write code throughout my life. And one of the cool things, over time, I learned a very unique skill set as far as testing out security. Some people would call me like a white hat hacker where I get to break into companies and tell them where their flaws are and all that stuff. So what I did is I built software to automate that process. And what I tell people, this is what’s important, code is a force multiplier. It’s beautiful because whatever your expertise is, you can probably use code to help you do your job better. Whether you’d be a doctor, lawyer, whatever, there’s products around all these different industries. And so my industry was server security. So I built a product and I built a company in a space that I knew best. And that’s why I recommend people do it. If you learn how to code, even if you come from a different career field, there might be some way that you can make maximum impact on that other career by learning how to code.

[00:22:07] SY: What are some of the biggest differences? I assume there’s a lot, but what are some of the biggest differences between what your work looked like in the military and what you do for yourself now?

[00:22:16] MC: On the military, when you’re in the military, military kind of owns you.

[00:22:22] SY: I imagine that. Yeah.

[00:22:24] MC: So now being a civilian, of course, you can do what you want to do pretty much. The cool thing about being in the military was that it actually gave me, I got a master’s degree in service security and it didn’t cost me any money. I had no college debt and my daughter’s going to college for free. My daughter’s tuition is like 30 bucks a semester.

[00:22:44] SY: Wow!

[00:22:45] MC: Because I was in the military. So back then it sucked to be in the military, but the benefits were me being able to get that degree, it means a lot out here in a civilian world. And it actually made a lot of difference for me.

[00:23:00] SY: What are some of the cases you’ve worked on your own? You mentioned some white hat hacking that you’ve done. Can you give us an example of a project you were particularly proud of?

[00:23:09] MC: Not really.

[00:23:12] SY: Is it all secret?

[00:23:14] MC: It’s funny because server security is one of the close to the best things that people play in business. They don’t want you to know when they’re vulnerable and all these different things. But I can tell you some of the cool software I built and I know that there’s been applications that people use it for. So I built this thing a long time ago called “HoneyDocs”. And it was funny because what I built is I built these documents that if you open up this document, it would tell your location. So you can send it to somebody. I will send you a document. You open up a document and I would know exactly where you are from a geolocation perspective. And so I was at a conference and a foreign police officer from Europe, he told me that, “Hey, man, thank you for that project. I was helping to find hostages with it.”

[00:24:01] SY: Wow!

[00:24:03] MC: That’s crazy. So you never know where your work’s going to go. And I built another tool. It was a keylogger, basically a keylogger captures anything you do on a keyboard. Right? So I built a keylogger into this hacking framework and I know that that keylogger was put for good, the white hat thing. Right? So what’s interesting about code is definitely when you create hacking tools, some people are going to use it for good, like the Italians, or some people are going to use it for bad. But in a good case, I had a friend that hacked into a government website and put my keylogger on it and he was capturing all the key logs at an agency. But it was just to show them the bad stuff that can happen. Those are two stories of the stuff that I wrote. Anyway, like I said, I always think that everybody has a superpower. So I try to use my superpowers for good. So my hacking skills are for good. So all the developers coming up out there, remember, use your super powers for good. If you ever watch X-Men, there’s like Xavier. I’m like Charles Xavier.

[00:25:05] SY: Nice! So for folks listening who aren’t necessarily interested in getting into cryptography as a profession, but they’re building their own apps and of course they want to be secure and safe. What are some basic things, some foundational things that they should either know or do to make sure that the apps they build are safe and secure?

[00:25:27] MC: Yeah. So there’s this thing called OWASP Top 10 that you can check out. OWASP tells you things not to do with your web apps. It gives you really good guidance on the common flaws that people build in. The funny thing about computers and code and stuff is that we’re all human and we tend to make the same mistakes. So that’s a great resource to look at, to see what mistakes that you can make. But of course, when you deploy something to production, you want to definitely have your SSL certificates in place and all that. Also, remember, do not treat your API keys in any private keys as gold. You don’t want to allow those to be in the ether out there. Another one thing that I see people doing is what they’re doing is they’re writing client-side code, and this is going to mean something to some of you all, they’re writing client-side code and including secrets in the client-side code.

[00:26:22] SY: And that’s visible. People can see that.

[00:26:25] MC: One hundred percent. Somebody just sent me some yesterday. Somebody had an API key on their client-side code. So make sure that anything private, you want to use them on your server side. Anything like API key, passwords, anything like that, don’t expose them to the rest of the world. Also, eventually you want to at some point be become familiar with what we call penetration testers are trying to do.

[00:26:50] SY: Yeah.

[00:26:51] MC: So penetration testers are people that try to, they’re white hat hackers, and they try to break your web apps. There’s two things that I recommend. This is a security thing. There’s two automated scanners that you can use. One is called Burp, B-U-R-P, write this down, because even if you’re starting, you want to try to play with this at some point. It’s called Burp, Burp Suite. And what Burp Suite does it tries to enumerate your web application and it’ll tell you the flaws in it. It’ll discover stuff that you did bad automatically. And there’s one called ZAP Proxy, ZAPP. It does the same thing. And then what’s cool about that is that once you run your automated little scanners, you’ll learn how to fix those errors and it’ll make you a way better developer.

[00:27:48] SY: Coming up next, Marcus talks about what some of the biggest misconceptions about cryptography are after this.

[MUSIC BREAK]

[AD]

[00:28:10] Explore the Mysteries of the Pythonic Temple, the OSS ElePHPant, and The Flame of Open Source all while learning the tools of software development with TwilioQuest. Become an operator, save the cloud. Download and play TwilioQuest for free at twilio.com/quest.

[00:28:29] New Relic knows that the planet needs our help. That’s why they’ve partnered up with our team at DEV to host Hack the Planet. From now through February 28th, you can take advantage of their free tools to build a climate change monitoring app with the power of software observability. It’s a great chance to win cash, community bragging rights, swag from New Relic and DEV, a tree planted in your name, and other prizes, too. Learn more about the Hack the Planet Contest on New Relic’s dedicated community hub, therelicans.com. The Relicans is your place to connect with other developers. Meet the team behind New Relic’s software monitoring platform and show off the app you built for Hack the Planet. That’s therelicans.com. Happy coding.

[AD ENDS]

[00:29:19] SY: So what are some common misconceptions about cryptography? What do people get wrong about it?

[00:29:23] MC: One of the biggest misconceptions about cryptography is that you put crypto in it and it’s secure.

[00:29:30] SY: Interesting. Yeah.

[00:29:32] MC: Or one of the other things I see people doing is they think your site has SSL on it, did the site secure. So the site can be totally on secure and it has an SSL on there.

[00:29:43] SY: Oh, wow! I don’t know that.

[00:29:46] MC: Also, when you talk about cryptography, there’s two different ways we use it. We use it to encrypt data in transit and we use it to encrypt data at rest. Now the data at rest piece sometimes that you might have your computer and when your computer turns off, it encrypts everything on a drive. Right?

[00:30:06] SY: Okay.

[00:30:07] MC: So if somebody steals your computer, they can’t decrypt it. Right? But there’s only one problem with that. The problem is when your computer is live, people can still steal everything because it’s not encrypted then. You know what I’m saying? So that’s bad, but that’s the truth. So encryption doesn’t automatically fix everything.

[00:30:28] SY: So if people listening want to get started in cryptography and want to figure out what are some good resources, what’s the best way to get started, what advice do you have for them?

[00:30:37] MC: Well, I think first of all, you need to understand how cryptography is used in web applications and things. If you’re just getting into code, learn how you use it. And again, don’t try to boil the ocean. Just learn the specific use cases that you can take advantage of right now and use them and then keep on learning. I’ve actually mentored tons and tons of people. Sometimes people, when it comes to a subject that they’re kind of intimidated by, they kind of don’t do anything. They have to know everything about everything before they put a move forward. My recommendation is just have faith that some of this technology works and just use it and then you could figure it out as you go. Well, when you first get into a car and you learn how to drive it, you don’t know everything about the car, but you know the car will get you from point A to B. The same thing with cryptography. How do I use this algorithm? I’ll be using this algorithm to secure my website’s communications. All right, cool. How do I do that? A, B, and C. That’s all you have to know for now.

[00:31:46] SY: Now at the end of every episode, we ask our guests to fill in the blanks of some very important questions. Are you ready to fill in the blanks?

[00:31:52] MC: I am ready to fill in the blanks.

[00:31:55] SY: Number one, worst advice I’ve ever received is?

[00:31:59] MC: When I was going to get out of the military and people were saying that the jobs are terrible and don’t get out and don’t take a chance. And I think that we all receive that advice sometimes in our lives. I’ll tell you that everything’s going to work out and leaving the military, it was great being in, but also I think that whatever goes, you put it in front of you, you can achieve. Don’t be scared about failing.

[00:32:25] SY: Number two, best advice I’ve ever received is?

[00:32:29] MC: It was somebody that kind of told me to appreciate my own value. This is when I was going out to raise money for my company. I ended up raising $4 million for my venture startup, which is pretty amazing.

[00:32:41] SY: Wow! Good for you.

[00:32:42] MC: Somebody from the hood like me that was amazing.

[00:32:45] SY: That’s amazing for anybody. That’s great.

[00:32:48] MC: But what I learned is that people were investing in me because I gave them an opportunity to win. Right? So they were investing in me. And I didn’t understand it, I was worth being invested in, and I want to tell everybody out there, you’re worth it. Don’t underestimate your value. Don’t underestimate the value you bring to the world and to other people.

[00:33:09] SY: Number three, my first coding project was about?

[00:33:13] MC: My first coding project to learn how to code was to do a catalog of my CDs.

[00:33:19] SY: Oh, interesting.

[00:33:20] MC: And what’s interesting about that is that you always have to do something that’s interesting to you to learn how to code. This is a key right here. Sometimes you’re going to be doing some kind of project to learn how to code and it’s going to be boring as a mug. Switch it up and do something that you actually care about. So kind of like alter the project that you’re working on to be something that you actually care about. And that’s what got me to coding. And it got my son into coding too. My son, when he was young, my son was 11 years old. He’s 25 now. He’s a senior engineer. He didn’t go to college. He graduated high school when he was 17 and he’s been working full-time for a publicly traded company. He has his own team at this company. Crazy.

[00:34:03] SY: Wow! That’s exciting.

[00:34:04] MC: How I got him to learn how to code was he hated doing his homework. So I taught him how to do the math algorithms. He did all the math algorithms in his homework. And so that’s what taught him how to code. And he’s been coding since he was 11.

[00:34:17] SY: Number four, one thing I wish I knew when I first started to code is?

[00:34:22] MC: Don’t give up. It took me too long to be really good at it.

[00:34:25] SY: How long did it take you?

[00:34:26] MC: I mean I still think I’m getting good. So 20 some years later, I’m still learning. That’s the point though. The point is don’t give up and you’ll make it to a point where you’ll have an aha moment where everything is going to click for you. And the truth is since things change, you’re always going to have to learn it and stuff is going to keep on clicking. So don’t give up.

[00:34:53] SY: All right. Well, thank you so much, Marcus, for joining us.

[00:34:55] MC: My pleasure. Thanks a lot.

[00:35:03] SY: This show is produced and mixed by Levi Sharpe. You can reach out to us on Twitter at CodeNewbies or send me an email, hello@codenewbie.org. Join us for our weekly Twitter chats. We’ve got our Wednesday chats at 9 P.M. Eastern Time and our weekly coding check-in every Sunday at 2 P.M. Eastern Time. For more info on the podcast, check out www.codenewbie.org/podcast. Thanks for listening. See you next week.

Thank you to these sponsors for supporting the show!

Thank you to these sponsors for supporting the show!