By Synack Community Outreach Squad:
Ellie McCardwell and Jenn Yonemitsu
We asked one of our “most wanted hackers” (he doesn’t hack and tell) how he got to be where he is today. Here’s our anonymized interview with one of the best of the best! His path to becoming a hacker was a continual process: full of experimentation, trial-and-error, and learn-as-you-go techniques.
“You have to teach yourself, and learn how to learn.”
He was drawn into the hacker scene at the early age of eight, when he watched the movie Hackers with one of his friends; he says, “that’s really when my fascination became something that drove me to get more involved in hacking.” He started spending a lot of time on the internet to learn as much as he could, while his friends started putting together CTF competitions and opening up other sorts of challenges. He joined as many of these hacker challenges as he could, sometimes spending weeks and months trying to complete them.
Through high school and college, he continued to keep up on the latest hacking trends: reading up on everything and joining online chat rooms.
“I never really chose to be a researcher, it chose me.”
His first real “hacker moment” came in college, when he and some friends were curious about finding entrances to the hidden tunnels and secret rooms on campus. They probably could have picked locks and built custom door bypass tools, but they wanted to come at the problem more creatively. While his college-day curiosity may have been a little mischievous, he started to realize that it could be used as a method for solving problems. “I prefer stuff where internet and code meet reality, where controlling devices (overflow valves on a dam, power grids) can be done through code… The more and more we see implementation of IoT, the more interesting the targets will be out there.”
“Hacking can be used to solve problems and have real-world impact.”
When asked about his skills, surprisingly, he doesn’t think they’re all that sharp. As a part-time researcher, he spends about 10-15 hours a week messing around with new technologies and looking for vulnerabilities. He says it’s important to “acknowledge that your skills might be rusty when you go in on a new target. You learn on the fly and sharpen skills as you go. If you’re going to keep things interesting, you need to find new targets. You’re never going to know everything about anything new. It really is a craft, a trade.”
“I like that Synack sits in between me and the customer and handles all the worry.”
When asked about working for Synack as an SRT member: “I can do what I’m already doing and get paid and not worry about the details of engagement. I like that Synack sits in between me and the customer and handles all the worry and all the rough parts of being a hacker.”
He said he appreciates being part of a highly trusted, elite crowd of hackers who can combat advanced attacks, get creative, and push him to sharpen his skills.
SRT Spotlight Chats:
How did you learn to be a hacker?
Honestly it’s never been about “learning to be a hacker”. It’s a mindset. If you are dedicated and curious, everything just falls into place in its own way. I’ve always just had this undying curiosity about how things work, and how to take advantage of them. Learning to hack was really just a series of small challenges I posed to myself throughout life. I wonder if I can break into that safe, I wonder if I can change my grades, etc. Start small and work your way up.
Meeting friends with similar interests in hacking and computers really grew my ability. Bouncing problems off of each other, and working together, and teaching others, makes you learn.
Fortunately, more and more often there are information security programs at colleges that will teach you these things. They are fantastic for learning the foundations.
What advice would you give to help get a new hacker started?
Start small. Learn the basics: networking, how to use different operating systems, how different technologies work. It all builds on each other. You may not realize it up front, but the better you get, the more you will wish you had a more solid foundation from the start. It may not be glamorous at first, but it will pay off.
… NEVER cause monetary or physical harm to anyone or intentionally damage. If you screw up, own up to it… remember that machines are more and more often networked, your actions could cause a car to crash, a dam to break, or a medical device to fail.
Pick a lofty goal, and work towards it tirelessly. You will learn more from just trying things than you will any other way. Pick it apart piece by piece.
How do you continue developing your skills now?
Every now and then a new technology or product will come on to the market that sparks that fire inside you. You can’t seek it out; it just happens. And when it does, it’s game on. I sharpen my skills by continuing to break something unfamiliar.
Just because you are a great hacker in one area doesn’t mean you are good in another area. Most of the time, hacking is just teaching yourself and going from “0 to Hero” on a specific topic in order to rip it apart.
We tapped another one of our SRT members, Jared DeMott, a real expert in the field, to weigh in on “Learning Hacks”. He gave a great talk at RSA called Why Cyber-Training Is Key, and How to Do It Right. Watch his full presentation here.
See some of Jared’s tips from the talk that we outline below:
Take classes from Pluralsight:
Security for Hackers and Developers: Overview
Security for Hackers and Developers: Code Auditing
Security for Hackers and Developers: Fuzzing
Advanced Malware Analysis: Combating Exploit Kits
Another great resource for classes: