HOW TO GET START HACKING?
Why teach hacking
When I talk with people outside hacking/information security
circles about learning to hack the most common question I get is,
"Isn't teaching people how to hack dangerous? What if they use it to do
bad things?" The question is rooted in a mashup of several overly
simplistic and misapplied ideas, and syllogistic fallacies.
1: Hacking requires "specialized" skills.
2: Learning "specialized" skills is a "dark art" and are only pursued by
someone intent on doing evil. This is obliquely saying that learning to
hack is akin to black magic and only evil people do black magic so all hackers are evil.
3: Security through obscurity works.
4: Take all this and wrap it in a syllogistic fallacy.
Driving a car is a specialized skill. A bank robber uses a car in a
robbery. Bank robbers are criminals. You drive a car so you are a criminal.
It is easy to see how shallow thinking, fear, and logical fallacies has lead mass media to portray hacking as always being a crime.
Is it possible to defend without knowing the methods used by your adversary?
How would police officers catch criminals if they did not know how they think and what methods they used?
How would our military protect us if they did not know the enemies tactics and have the skills to repel them?
The SANS Institute is one of the premier information security training and certification organizations. They are famous for saying "your offense should inform your defense."
I am a hacker. My skills were acquired through a lifetime of training on
my own, with the United States Navy, and as an information security
professional.
I use them daily to defend systems from both criminals and state actors and I am actively training the next generation of hackers to do the same.
Back to Table of Contents
How do I Learn to Hack
If you think all hackers are criminals, then see "Why Teach Hacking" before continuing.
I am often asked, "How do I learn to hack?"
I have learned that the term hacker can mean many things to many people
and is a highly debated topic. The meaning of hacker has
evolved/devolved over time depending on your point of view (whether you
are a hacker or not).
Many hackers today define themselves based on the roots of hacking, which you can read about in "A Brief History of Hackerdom" and the Hacker Wikipedia article.
However, the word hacker has morphed and mass media uses it to mean a person who uses specialized technical skills to commit a crime. For more on this see "Why Teach Hacking."
Hacking has evolved to address not just the use of skills but the process by which you acquire those skills.
Therefore, the simplest definition of hacking is the process by which
you discover the difference between what something was designed to do
and what it is capable of doing.
Many would argue that this definition is too broad and would include
endeavors outside the scope of technology, computers, and networks.
I have come to see that the same quest for knowledge and skill
prosecuted by the old school hackers is the same process used by those
mastering other fields of endeavor from astrophysics to knitting.
Hacking is as much about the journey as it is the destination.
I will be focusing on hacking as it applies to technology, computers, and networks.
Our knowledge and skills are like a block of Swiss cheese, which appears
solid but is full of holes. Hacking is not just about applying your
knowledge and skills but also the process by which you fill in the
holes.
Figuring out the best place to start can be difficult because we often
are not aware of what we do not know, so I am providing a framework to
get started. It will then be up to you to follow the breadcrumbs, find
the holes in your knowledge and skills, and fill them in. During this
process, you will find more holes to fill in and during that, even more
holes. It is a lifelong, never-ending pursuit.
Back to Table of Contents
Ethics
The "hacker ethic", just like the term hacker, has morphed over time. Originally,
hacking was driven by a thirst to understand how things work and was
conducted on systems that the hackers had a right to access. Mix the
ideals of hacking with a bit of anarchy and you end up with hackers that
prize ideas and exploration over personal property rights.
Mass media
has camped on this idea and do not recognize that most of the hacking
going on today is by people who do believe in property rights and are
using their hacking skills to defend those who can't defend themselves.
In the non-fiction book "The Cuckoo's Egg", Clifford Stoll
encounters a new systems administrator who adheres to the anarchistic
version of the hacker ethic. Clifford underwent a change in his thinking
during his experiences chronicled in the book and knew the systems
administrator's philosophy was wrong but could not articulate it. By the
time Clifford reaches the end of the book, he provides an excellent
rebuttal. Based on Clifford's rebuttal I have formed one of my own.
Property ownership is a cornerstone of society and built using a fabric
of trust. In many cases that trust is an unspoken agreement and in
others the trust is codified in law. More often than not, the trust is
not enforced until after the fact.
The dashed white line on the freeway reminds the drivers of that trust
but it does not prevent another driver from making a left hand turn in
front of me at 80 miles per hour. Likewise, when I get a drink out of
the vending machine I trust that it will not kill me. If it does, my
family will be rich after the lawsuit, but I will still be dead.
If we cannot trust one another in any circumstance then the fabric of
trust unravels and people stop building the very systems we want to
explore. You cannot have your cake and eat it too.
As hackers, we have a choice we can explore without regard to property
rights and destroy the fabric of trust or we can repair and reinforce
property rights and the fabric of trust.
With great power comes great responsibility.
You have to choose.
I too had to make this choice. Through providence, I was led away from
the "dark side" and have spent a lifetime defending others. My hope is
that you will join me in this endeavor.
Back to Table of Contents
Where to Start
You will find that everyone's background and skills are a little different so there is no best place to start (see How Do I Learn to Hack).
I recommend reading through this page to get the big picture and see
which area interests you the most and just jump in. No matter what you
start with it will eventually lead to all the other areas.
Back to Table of Contents
Where to Get Equipment to Play With
You do not have to break the law to get systems to play with. It is
possible to get lots of equipment to play with at little to no cost.
Tell everyone you know that you will take any old electronics they no longer want. You can also pickup systems alongside the curb on trash day. Sift through the equipment and keep the useful stuff, scavenge the rest for parts, and then recycle what is left. Power supplies are particularly useful when building Raspberry Pi and Arduino based systems.
There is a charge of $10.00 to $15.00 each to recycle TVs and monitors with CRTs.
I have found that people are a little more willing to call you if you
tell them upfront that you will use the equipment for training, find it a
new home (like a Hacker/Makerspace),
or responsibly recycle anything you do not use. This relieves them of
the burden of recycling but you might have to pay to recycle the TV's
and CRTs; thankfully, they are becoming less common. The treasure trove
of free useful equipment I have gotten over the years more than offset
the small cost of recycling the occasional TV or CRT.
Atlanta Electronic Recycling Centers
CHaRM - Tue - Thu 09:00 - 16:00, Sat 08:00 - 16:00
Dekalb County Georgia Recycling Centers
Seminole Road Landfill M - F 08:00 - 17:00, Sat 08:00 - 16:00
In the DeKalb County Tax Commissioner' Office parking lot (M-F 08:00 - 16:00)
Companies replace workstations, laptops, servers, and networking equipment every three to five years. It is common to depreciate
the cost of the equipment on their taxes. If they then sell or donate
the equipment to a charity they can end up paying additional taxes
because they received a value greater than the depreciated value. The
taxes can be more than what it would cost to pay a recycler to take the
equipment.
This is an opportunity. It does not cost them anything to give you the
equipment. Everyone you know works for a company. Talk to your friends
and find the person in the company you need to talk to about getting
their older equipment.
Back to Table of Contents
Find Like-minded People to Exchange Ideas With
The best way to go through a minefield
is to follow someone. I highly recommend finding local like-minded
people with which to trade ideas. I am located in Atlanta Georgia so I
will list examples from here. I will also provide some links to help
find similar resources where you live. If there are not any, then start a
group. Hacking is all about improvising, adapting, and overcoming (to borrow from the U.S. Marines). You also have the Internet, and online groups are a good way to get involved with others.
Pick the groups you associate with carefully. Hanging out with the wrong
crowd can get you arrested just by association. If you want to work in
information security your reputation must be above reproach because they
will give you access to their most sensitive information and systems. A
single arrest can end a promising career.
You will hear stories of criminals that were caught and later got jobs
in information security. This is the exception. What you do not hear are
the stories of permanently damaged lives, which are far more common.
Atlanta Hacker, Maker, and Security Groups
dc404 - Atlanta Chapter of DEF CON
atl2600 - Atlanta Chapter of 2600
Atlanta Ethical Hackers, Penetration Testers, & Information Security
Georgia Tech College of Computing Information Security Student Organization
Atlanta Information Security Resources
Atlanta Hacker/Maker Spaces
No comments: