How to Become a Hacker(zalberico.com) |
How to Become a Hacker(zalberico.com) |
(I bring it up because too many people see hacking as glamorous when it often is not, except for the payoff at the end)
Like anything, it's usually the payoff that is exciting and glamorous. I know the old hacker mantra: 'boredom and drudgery are evil' hence why we automate everything, but I don't think the mantra holds true for most hackers. The best hackers know that programming essentially works against you when you do it, because there's no instant gratification. You have to constantly bang your head against the wall (even because of simple syntax mistakes that make you feel like a n00b all over again).
The payoff is always fantastic though. Whitehat or blackhat, knowing that all that hard work and grunt pays off is a wonderful feeling. I tend to veer towards whitehat stuff though because of the old saying: 'If you can't do the time, don't do the crime'.
PS: Found 0day on Paypal when I was 12 in the early '00s, never got paid or recognized for it :(
PS: Congratulations? How is this relevant, gate-keeping aside?
Sure, if you mean the creativity, bending the rules of what's possible, general interest in discovery... that's traits people have in the first place before being called hackers. But that's not the only way.
There's a strong "if you can't figure it out on your own you're too stupid to help" vibe to it, while the rest of the dev world has actually made some decent strides toward valuing inclusion and education.
So, even though it sounds obvious : the number one priority is meeting other people, sharing information. Social skills are sooo important if you're not an absolute genius...
From the ESR article linked: “The basic difference is this: hackers build things, crackers break them.”
A true hacker asks a lot of questions. Lots and lots of questions. The longer you hack, the more obscure, interesting, and fascinating the questions become.
In fact, a key part of becoming a hacker is figuring out the right questions to ask. You learn to do so by asking the wrong questions. As you gain experience, revisiting old questions can lead to beautiful solutions.
Another important aspect of being a hacker is sharing knowledge! Hacking is about learning. A lot of what I learned is from reading what others have wrote. Also by failing and experimenting.
When I was a kid, I did ask my friends "how do i become a hacker" and "how do I hack". I'm glad I did, because I've been enjoying the journey ever since.
But I do tend to call people out on this when people stifle curiosity with these type of claims. Knowing myself, I know that 10 years ago I might've taken your advice to heart as I didn't know any better. I know that I've done this in other areas of my life and it has had a negative impact.
So I am here to produce a counter voice loudly proclaiming that one should be very sceptical about taking your opinion to heart.
Some people claim God exists. And I therefore should live quite differently than I am right now. I require extraordinary evidence.
Some people claim that you can't become a hacker if you need to ask it. I require extraordinary evidence.
In spirit of my sentiment, I'm going to give you a counterexample. I'm the counterexample.
Step 1: Go to http://www.catb.org/esr/faqs/hacker-howto.html
Step 2: Complete Binary and Malware Analysis at the Vrije Universiteit
Step 3: Complete Computer and Network Security at the Vrije Universiteit
Step 4: Complete Hardware Security at the Vrije Universiteit
Step 4b (bonus, I mean, you're there now anyway): Complete Kernel Programming at the Vrije Universiteit
Step 5: Go to https://hackthebox.eu, hack at least 1 easy, 1 medium, 1 hard and -- for good measure -- 1 insane box
Congratulations, you are now a hacker in every sense of the word:
1. You broke into computer systems.
2. You needed to be curious in order to do it.
If you think this is my whole path then that's not true. This is simply the happy path that I uncovered. It's not optimal, but it works. It might not work for everyone, but I'm sure it will work for more people than just me.
I am now a hacker. And I'm sure there are more counter examples stemming from the VUSec group that started hacking real machines after that.
That's my evidence. I don't expect that you have enough evidence as your position is much tougher and I wouldn't even know how to begin on starting an argument that does. My point simply is: please be a bit careful about the accuracy of your statements if it implies negative consequences. Inconvenient truths are fine, but simply opinions without any backing that leads to something negative really feels disheartening to read.
Note: I didn't downvote. I don't think you had any ill intentions. And you do provide your actual view in a succinct manner (something I could learn from O:) ). And that's what discussion is all about, albeit a bit rough at times, perhaps.
Just curious, theoretically speaking, what are some evidences that would be 'extraordinary enough' for you to believe? For sake of argument, let's assume we're talking about the Judeo-Christian god as described in the standard Bible.
Obviously, the number 100k is arbitrary.
Oh, and it should be done in such a way that I can know 100% that it wasn't because of some weird mushroom/drug trip. God is all powerful, I'm sure that shouldn't be a problematic requirement.
This is extraordinary enough. At least, with evolution theory, I actually am able to see this to some extent. It helps that I've played poker as a hobby and had to think about probabilities on an emotional level a fair bit.
There simply should be no room for doubt. Whenever I'm able to understand a mathematical proof, then I have that feeling as well. Mathematicians also can make quite some extraordinary claims. And then they back it up.
Just curious, what would be the 'MVE' (minimum viable evidence) such that you would choose to believe?
For example, if instead of flying and zapping to another planet, what if they just fly (without some mechanical invention)?
> Oh, and it should be done in such a way that I can know 100% that it wasn't because of some weird mushroom/drug trip.
How you can you know 100%? That doesn't make any sense. Are you just referring to believing something with faith such that it feels certain?
> God is all powerful
Yes, but he can't make illogic logical. Therefore, I don't see how he could make you 'know 100%' something. He could convince you with evidences, sure.
I'm simply answering this honestly and I'll confess that I'm not a model citizen on this. In any case, I'm too lazy to think about it. That's the answer. It's why I have a bit of an over the top heuristic. But I also think: surely if one is all powerful, that's not an issue.
> How you can you know 100%? That doesn't make any sense.
God is all powerful, God can devise a scheme in which I'll know it 100%. Here's one for you: I believe that humans have powers that are to quite similar to telepathy, not the same though. We call it WhatsApp. That's extraordinary evidence in such a way that I'll know it 100%. Currently we're moving to machine learning inferring brain patterns. We might actually get to real telepathy.
To me that just sounds insane! But it's true! What?! I am the type of person that finds it quite easy to imagine that I'm simply just a human and nothing more than that. From that baseline our modern world is so crazily magical. It would be awesome if God is in that, but it doesn't need to be in its sheer magicalness.
I have one hypothetical reason why a God (or god-like civilization) might exist. That would be the simulation argument. Also, if we're capable of reproducing consciousness and run simulations, then who is to say that someone isn't already running one? What I do believe is that we might have the potential of becoming Gods as a species. We're trying our damn hardest anyway.
If we're capable of engineering anything and travel anywhere, then one might ask if we can create the exact same universe as we are in right now where (if determinism is real, big if) and if we can do that... Well then again, we might wonder, has this happened before?
So interestingly enough, in my mind, the process of science can turn out to be a very very religious endeavour. Or it might be able to completely dispell it.
It's all speculation during my lifetime though. So I like to keep it to the realms of highly reproduced science (aka engineering and to a big extent physics).
But yea, that doesn't say much about the Christian God, or any religion really. Science is my religion, I simply like the process more of having evidence for things than believing a certain book is the holy word and that I should take it seriously.
I'm sorry if I ranted a bit too much. I don't usually talk about this stuff as it is highly speculative and I have better things to do with my time such as focusing on reality.
I appreciate the non-judgemental tone of the questions by the way.
To the extreme, we don't 'know' that 1 + 1 = 2. In fact, you can't be quite certain that you just read that equation correctly. Or perhaps, after you read it your memory (mental or computer) was corrupted: it actually said 2 + 1 = 2.
You believe that 1 + 1 = 2. First, you believed it because someone told you (you trusted your ears). And then you reasoned about it for yourself, and you saw how if you have 1 object and another 1 object and combine them, then you had 2 objects (you trusted your eyes). And eventually you figured that this equation is perfectly knowable because it a metaphysical truth, but you still had to trust your mind to be infallible for that. Even if we believe 1 + 1 has always equaled 2 in the past, we have to take on faith that that is still true in this moment.
In any case, I always thought this type of stuff was a bit pendantic. And in some perspectives, I still think it is. Such as the "I need to get stuff done" perspective.
However, when I took truffles in Amsterdam (that's legal), this is exactly what I went through. And from that experience I can truly only know that: I experience therefore I am.
It's a spin on Descartes, but suffice to say I couldn't really think (not logically anyway), but I could still experience. It's really unsettling to be corrupted. You have no clue what comes next really.
Other than that, the idea that I assume reality to be true is already a leap of faith. It might all be a fantasy world or a dream. It also might be what we think it is: real.
I think something I would have included that I thought about later is being curiosity driven. It's more personal, but I've found a lot of what I've really enjoyed (and where I've learned the most) has been from allowing myself to go down random rabbit holes to play with different things.
There's some risk to this if you never go deep enough, but I think the benefits are worth it.
I think there's also something to PG's essay about liking debugging specifically too.
I hope your article helps create the same effect on an unknowing high schooler. Thanks for putting it out there!
http://www.catb.org/~esr/faqs/hacker-howto.html#nerd_connect...
I once told my boss about one such idea I had, that I thought would be beneficial to the rest of my collegues. He told me, "Go to the principal, and word your idea so it sounds like it's his idea, and I'm sure he'll give you the go-ahead for it." I told him straight up, that, "Nah, then I'll rather keep it to myself."
Well, I guess you actually found databases instead of scraping sites. The OSINT community does that too.
Start anywhere, any programming tutorial, or any arduino project recipe. Get immersed and always figure out how the stuff really works. You are most likely smart enough to do it.
If employment is an issue, well, what you learned from the above should take you at least halfway to a job and probably make your career better.
Aw, alright - the sword bit is fictitious but the rest is true. Contact with a deity can confer status.
My version on how to become a hacker. It's just another reference point.
Step 1: Go to http://www.catb.org/esr/faqs/hacker-howto.html
Step 1b (bonus): read Hacker News (it actually helped, it also really distracted, the latter part is why it's labeled as bonus)
Step 2: Complete Binary and Malware Analysis at the Vrije Universiteit
Step 3: Complete Computer and Network Security at the Vrije Universiteit
Step 4: Complete Hardware Security at the Vrije Universiteit
Step 4b (bonus, I mean, you're there now anyway): Complete Kernel Programming at the Vrije Universiteit
Step 5: Go to https://hackthebox.eu, hack at least 1 easy, 1 medium, 1 hard and -- for good measure -- 1 insane box
Congratulations, you are now a hacker in every sense of the word:
1. You broke into computer systems.
2. You needed to be curious in order to do it.
This took me 8 months, personally (60 hours per week). I found it a lot of fun. It could take you a lot less time or more time.
-----
I'm assuming you already know how to program, if you don't then get the following prerequisite knowledge.
Step 1: do CS50 in order to learn programming and learn how to learn programming languages. What I've seen in students is that the first 6 weeks are experienced as more difficult than the last 6 weeks (hint: it's because you start off with C). So don't get discouraged. If this is not you and it is the other way around, I've seen that too (though, I've seen it less. It depends on the default mode of thinking that a person uses).
Step 2: do https://www.nand2tetris.org/ to understand computer systems and get some assembly under your belt.
Step 3: if you feel like this road is too rigid, do a project that you're interested in here. Get it out of your system now, because the above mentioned stuff took me 10 months, personally. Create a computer graphics engine with OpenGL and Java. Yes, you could do C++ but that's complicating things for now. If you really want to though, go ahead, C++ is a fine choice if you're burning with passion.
These 3 steps probably take between 4 to 8 months. Some people with a hacker mindset could do this within 2 months, or 1 month even (email me if you did!). Some people that have other stuff going on in their lives will do this in 8+ months. It's all fine.
Check out your local subreddits, find links to invites and start forming relationships with people you may never meet. Because more often than not, these are the people that will introduce you to concepts, jobs and cool shit you'd never find out on HN, Reddit or blogs.
I think a lot of the complexity of modern software development is powers that be, entrenching their powerful positions by layering more and more complexity, so that no team of a dozen people can ever hope to compete.
There is no attempt to re-factor our current way of doing things to reduce the complexity 10x. We're stuck with multiple OSes, multiple languages, multiple tools for each language, a plethora of frameworks that do the same thing but slightly differently and none of them do anything uniquely excellent, they're different for historical reasons, not pragmatic.
Half the web developer jobs are a matter of manually solving SQL <-> user interface problem, specific to a business domain.
Why we don't sit down and create protocols/specs for each business domain that span across SQL, UI, security and permissions levels so that each bank doesn't have to hire a team of IT people to do the same thing slightly differently is beyond me - I can only guess it is because nobody in government understands how computers work.
We're seeing some reduction in complexity with cloud providers, but it is of the worst kind - it is consolidation combined with vendor lock-in, proprietary software and pay-as-you-go pricing, yikes!
"(a good example book for this currently is Designing Data Intensive Applications)."
I got this book recently and was planning to read it soon, does he thinks the tools and techniques mentioned in the book are a waste of time, or the opposite?
Hope most HN readers are not coming here looking for new system breaches or vulnerabilities.
And, maybe not coincidentally, I agree with everything in that post.
There are more self-described hackers that do good and creative things, and not just related to computer security than the malicious types. Fun fact, the "maker" movement was a branded version of the "hackerspace" movement for people. Any time you hear about a Maker they're also a Hacker just kind of a subset of them.
Source: I'm senior staff of DEFCON, the largest hacker conference on the planet.
Other comments have mentioned "cracker" in relation to invading systems. Before computers we had "safe-crackers".
I was super into reverse engineering and loved the challenge. It seemed at some point "cracker" moved away from someone who can break software protections through reversing to someone who uses tooling to break into systems, without understanding how computers work. I still prefer "cracker" as someone who can reverse and break software protections.
Also, Thanks for helping out with Defcon! Been there a couple times and plan to go again. At the next live con i'm down to meet and talk about hacker lore!
If it's nothing to do with software or hardware security, then it's not hacking.
And yes, this site is itself woefully misnamed.
https://www.google.com/amp/s/www.newyorker.com/tech/annals-o...
Did you think this resource was about the infiltration profession?
Edit: readability
If you can land a job like those at PARC or Bell Labs, then yes, "carreer hacking" is certainly possible. Considering how many IT professionals there are now and how few there were back then, I'd say those kinds of jobs are even more scarce now than they used to be.
It's not impossible, but it's not a realistic expectation.
> If you’re devoting a third of it to something completely unrelated to your passion
A programming job is likely to be as far from any kind of hacking passion as any other, with the added disadvantage of possibly poisoning the well, so to speak.
It's a big difference between sating your own curiosity in a hackeresque way, learning about what interests you, programming whatever the heck you like, and working professionally with software development.
If there's a programming job with no specs, no customer demands, no deadlines, no legacy maintenance, no market pressure, no platform preferences or language requirements, please let me know, would you? :)
Edit: spelling
Donald Knuth was giving a presentation to celebrate someones birthday by debugging his old FORTRAN code. He was having trouble giving it since his PDF of his presentation was autoforwarding using Adobe Acrobat. I figured out that Preview would avoid this outcome. I think this is the largest contribution I will have to Computer Science.
I spotted the bug in 30 seconds.
It was then I realized that even at the top of our profession, everyone is still human beings with their own sets of strengths and weaknesses, and I have just as much potential as anyone else.
I've seen Knuth give other (more recent) talks out of slides like that one (https://cs.stanford.edu/~knuth/karp80.pdf) where each PDF page is a possibly different size and he wants it displayed full screen individually, but don't recall that problem from other times… so the impact of your contribution may extend beyond that one talk!
"A thing may happen and be a total lie; another thing may not happen and be truer than the truth." -- Tim O'Brien, The Things They Carried
Possibly more of a British English usage; I'd appreciate somebody with better formal language knowledge giving a less shallow insight.
> Congratulations, you are now a hacker in every sense of the word:
> 1. You broke into computer systems.
> 2. You needed to be curious in order to do it.
There are multiple ways to get to 2. This is one of them. There are multiple ways to get to 1. This is one of them.
I simply leave it in the middle as to who gets to decide what the definition of a hacker is. I simply took both definitions that I know to be defined by hackers themselves (point 2) and the media/general public (point 1).
Subverting computer systems to let it do other things that you want is very very much a part of the definition of 2. Which is how breaking into computer systems and following your technical curiosity can overlap.
But I would totally agree with you that we'd live in a sad world if my path was the only way in which people became hackers.
Also note that Hacker News is on there as a bonus and if it wasn't as distracting as it is, then I'd put it there as mandatory. HN stimulates purely the curiosity part of hacking.
Is it for folks who are focused on going below the application layer (working on OS/Kernal etc) or just general. I find my MacOS to be such a comfortable system to hack and wonder if I actually need to move to Linux natively to get more involved in projects below the application layer.
I've enjoyed learning hacking skills by configuring GNU/Linux partially guided by an excellent MIT course by MacOS users (freely available at https://missing.csail.mit.edu/). On MacOS you can get a lot out of customizing your shell, text editor, terminal multiplexer, etc. with dotfiles. But I prefer a more completely free (libre/open) operating system because it doesn't stop there, I've patched and compiled my own custom window manager as well, and my entire operating system has the level of hackability that I love in the terminal. I guess all of the software I've mentioned is not below the application layer but above other applications (except for the most part the text editor).
>Step 3: Complete Computer and Network Security at the Vrije Universiteit
>Step 4: Complete Hardware Security at the Vrije Universiteit
Can you share the resources i.e. Books, Videos etc used in the above courses? Might be a good starting point for those who want to delve into the subjects.
I know it's the COVID season(s) but other than that: these courses cost 1200 euro's for non-EU students, I think. I'm relatively sure about the price (range: 1000 - 1500 euro's). I'm not sure if they allow contract students from the US.
Let me think about this for a bit.
A hacker is defined as someone who's curious about technology. If you have this knowledge and apply your curiosity to understanding more of it, especially on how systems shouldn't behave but somehow do, then you're a hacker. An example of this type of hacking is creating Tetris in the game of life.
If you break into a computer system (legal or illegal), you're a hacker.
This knowledge helps you to both goals. It helps towards the broadest definition of what being a hacker is, no matter which person you talk to. There is of course the requirement that you're curious as well. But IMO if you're capable of successfully passing this, then you are curious and when given free reign, it'll be applied and you'll learn even more about computer systems.
It's not the only way, but it's one way of doing it. It's not the best way either, but it does answer the question: I want to become a hacker? How? Well, follow this path, tick off every box, notice the change within you and your thinking and voila. You're a hacker.
Obviosly, this is simply my opinion. Feel free to disagree. But I do view that it is that simple. Bear in mind that this path takes at least 2 years if you don't know how to program. So it's much easier said than done. It took me 8 years to get to this point (I studied a lot of other things).
Given that explanation, is there something you don't get? It's a genuine question.
I think the term cracker had the same media portrayal problem probably starting with the movie Sneakers (of the top of my head, no fact checking there) but it is a much more niche term in general and if you were to generally use it around people, probably even in computer adjacent jobs, they'd be more confused by what you're talking about then recognize it.
That being said yeah I'm 100% down with considering crackers being the DRM busters. I personally kind of consider demo scene wizards to be part of the "cracker" group even though it is completely unrelated. There just seems to be a heavy amount of overlap.
A cracker, to me, is someone who breaks software protection. A hacker can be good or bad, and that makes the word more fun.
Poker, sports betting arbitrage, bug bounties... All were fun before I tried making them my day job.
"Well, let's say you can shave 10 seconds off of the boot time. Multiply that by five million users and thats 50 million seconds, every single day. Over a year, that's probably dozens of lifetimes. So if you make it boot ten seconds faster, you've saved a dozen lives. That's really worth it, don't you think?"
I must have optimized Computer Science at least maybe a minute or two. Too bad it won't change my Erdos number.
It was really cool getting a selfie with him.
This power is only multiplied when having to answer good questions about the system and even explain it in ways that may be different from your usual model but that clicks better with the other person.
If I were to make an accurate account of all the time and energy that goes into my most successful and well-engineered software products, the majority of the productive time happens "offline" from the Internet and/or even my laptop's screen.
I spend a ton of time turning the abstract parts of the problem over in my head while doing "nothing" (or during the mundane tasks of everyday life), and even when I do get in front of a screen, I still spend a ton of time just sketching out notes in a text editor - basically arguing with myself until I've managed to jot down some good conclusions on how the design of a Thing should be done. Most of those notes get thrown away eventually, as they materialize into resultant source code. I have sometimes spent weeks or months turning an idea over in my head or in these textual debates with myself before a line of code is ever written.
I'd argue that it's not the distraction or time spent before a screen, but the complexity software engineering becomes. Back in late 70s and 80s if you owned a personal computer, you can literally map the whole memory into your brain. A commercial game could be developed in under 2-3 months. Just look at how ID Software managed to pump out tons of games in under one year. They are definitely very talented, but how come they don't do it nowadays, or even in the late 90s?
Nowadays computing is the red sea where competition is cut throat and even great talents only get to work in a niche area.
I wonder what the modern version of these are.
I do agree that such positions are much rarer nowadays than the Cold War in which states were willing to invest X% for scientific progression. Nowadays? Let's cut everything that doesn't have a strong political backer.
Maybe in 100 years people will realize that maybe there is something more to business than short term appeasement of shareholders.
Maybe in 100 years people will realize that regulated monopolies are not necessarily a bad thing.