This post will be mainly about 2 things:
My personal journey of learning what “hacking” is.
My reasons for why I no longer consider penetration testing (also known as “pentesting”), cracking, etc to be “the end all be all” of what it takes to become a “hacker”.
The purpose of this post is to educate, and to save people from taking the wrong road to begin their journey of becoming a “hacker”. If you have taken the wrong road (like I did), this will point you in the right direction to get on the proper path.
Background
When I first heard the word “hacking” it was in regards to technically skilled individuals breaking into, spying on, or manipulating computer systems. Multiple times a company had its SQL database leaked and the media reported that “hackers” had broken into the company’s computer system.
Coincidentally, I had already just stepped into the world of GNU/Linux and Python around the same time I was hearing about “hackers”, and I quickly gained an interest in it. I dare admit I even wanted to be a “hacker”. Since my notion of “hacking” was breaking into (ssh worms), spying on (keyloggers), and manipulating (defacing) computer systems, I spent much of my time studying cyber-security, online anonymity, and all sorts of other things with an obsession. I just HAD to become a “hacker”.
Different types of people in this world have different things they sometimes feel like they have to prove to themselves or other people. From my personal experience the people in the “hacker community” likes to prove to themselves that they are intelligent, clever, creative, and smart. I personally felt that if I could “hack” into something, especially if I did it in a way that hasn’t been thought of before, I could prove, at least to myself, that I was intelligent and clever. I thought pentesting was THE epitome of “hacking” and it was the way a person EARNED the title of “hacker”. Thus, this began my journey of trying to learn cyber-security, and find my own 0day exploits.
So I began my journey…. I read the Hacker’s Manifesto by The Mentor. I learned about White hat “hackers”, Gray hat “hackers”, Black hat “hackers”. After learning about the different types, I read Gray Hat Python by Justin Seitz. I read anything I could find on the matter, watched countless Youtube videos, and tried to learn all I could. I admit I even explored Backtrack (which then became Kali Linux). I studied SQL injections, backdoors, worms, insecure direct object references, all sorts of things with an obsession. I learned a lot, and I genuinely felt I was on the right path to becoming a “hacker”. I was wrong.
Enlightenment begins…
Fast forward some years of going through this process of trying to become a “hacker”, and I stumble upon a website speaking of a “hacker” symbol. It was the glider pattern from the Game of Life. I found this image from this website, maintained by an interesting individual named Eric S. Raymond: http://www.catb.org/hacker-emblem/index.html
In the matter of an hour, this single website destroyed the concept of what I thought a “hacker” was for years. It was this following section that truly struck me.
Who should not use this emblem?
“If you think hacking is about breaking into other peoples' computers, those of us the emblem was invented for do not want you displaying it. Go invent your own emblem, cracker. We'll find some way to shame and reject you publicly if you mess with ours.” - Eric S. Raymond | http://www.catb.org/hacker-emblem/index.html
For years I had thought that being skilled at “breaking into other peoples’ computers” was what “hacking” was all about! My entire notion of hacking was destroyed, and much of my study and work that I had done for years felt in vain, all thanks to a single paragraph.
Although I felt disappointed, I knew within myself that what Eric S. Raymond was saying was true. It’s true for many reasons, but while pondering this, I came up with one of my own reasons, and this reason is something I want to share with you.
Seeing “hacking” from a new perspective
During my journey of trying to learn to “hack” one of the things I came across was “buffer overflows”, something that was common for languages like C.
While reading Eric’s website, and while thinking of all the work I had done, something just “clicked” in my mind, and it changed my perspective forever.
Things like SQL injections, buffer overflows, etc don’t come from your genius, they come from the other person’s error. SQL Injections don’t happen to servers that properly sanitize user input. Buffer overflows don’t happen to programs that properly manage data. These things are simple and easy to prevent.
Basically, if you cracked into a system using these methods, it doesn’t prove you were clever, it proves the other person made a mistake. I like to compare this to winning a game of chess, not because you were good, but because your opponent made a dumb move.
This is not to discredit pentesting or cyber-security experts, but it is to hopefully enlighten you for a big reason why cracking is not the road you take to become a “hacker”.
Hackers invent things like the Internet, Cryptocurrency, etc. They solve complex problems with very simple solutions. They believe in creating original things that help others to live free. Being original is hard. Not only do you have to create something, but you have to create something new that hasn’t been created before.
If you've ever thought of an invention, and then did a Google search to see if someone else has thought of it (which usually someone has), you’ll understand how difficult this is.
The Black hat cracker who broke into a bank and stole money didn’t serve anyone besides himself when he did so. He didn’t invent anything, and unless he discovered a 0day, his process involved nothing new. EVEN IF he achieved to breach the system through a 0day that he discovered on his own, as my previous point stated, it doesn’t prove his intelligence, it shows a mistake made by the target.
Again, this post is not to dismiss penetration testing, but penetration testing is all about breaking into systems, finding the exploits, and then patching them up. This work is essential to having security on systems and the internet, so it’s certainly not in vain, but it simply isn’t necessarily “hacking” either. You CAN be a pentester and a hacker, but just because you are a pentester, doesn’t make you a hacker, and that is an important point I want to stress.
Taking a new road
Although I was disappointed that I had been on the wrong path, I had relief to know it wasn’t all in vain. The time I spent learning, changing and improving my way of thinking, would prove both useful and necessary to continue my journey of becoming a “hacker” on the proper path. I changed direction on my journey years ago when I first encountered Eric’s words, and I am still on it. But now I’m on the path with a sense of understanding, guided by my internal compass, happy that things make sense now.
If you decide you want to begin your journey of becoming a hacker, I hope this post saves you from spending years on the wrong road like I did. It might even inspire you to begin your journey now.
Live Free & Prosper,
Zian Elijah Smith