Going Back to (Hacker) School at 43

I was a teenage hacker kiddie in the 90s. This is back when half the Unix systems you telnetted to didn't even employ password shadowing (you could just cat /etc/passwd and see the password hashes) and the local university's internet uplink was run off a VAX VMS system.

With support for up to 8MB RAM!

It was the first real "community" I really felt I belonged to. Redboxing my way onto the Defcon voicebridge and sharing philez on fly-by-night underground BBSes, learning about how the mysterious phone and internet systems worked, the secret knowledge that the powers that be kept safely squirreled away. Reading through the trolling that John Draper endured daily on the DC-STUFF mailing list was like reading the morning paper.

It was the youth outsmarting the old guard and every second of it was thrilling.

Somehow, despite being a reckless teen full of angst and idealism and a penchant towards anarchy and a skull full of technology exploits I managed to not get arrested - although I did manage to get a uniformed officer to show up at my door a couple of times and my dad once had to pay a lawyer to write a "kindly fuck yourself" letter.

Back then though, getting your ass arrested was pretty much the only way for a kid like me to make a career out of infosec - it would at least get you some notoriety or a book deal and con speaking engagements. Hackers at that time, regardless of how big your talent or benign your curiosity was, were something to be feared and scorned.

"Hack" was a four letter word.

To be fair, there were hardly any ways to legally explore your curiosity - virtual machines were not a thing (multicore/threaded processors were still decades away) so spinning up a machine to hack away at meant actually having multiple physical machines on your network.


At $3000 a pop who could afford to have more than one of these things?


Not only were the extensive hardware requirements for running your own home lab prohibitively expensive - especially for a cyberpunk teen - but the operating systems one needed to learn were utterly inaccessible. Linux was still nascent and required an established knowledge of *nix to even get installed and working over a PPP dialup connection. The vast majority of systems I encountered in the wild ran Unix System V which was designed to run on massive servers, cost thousands to license, and simply were not available for the likes of myself in any case.

Literally the only way you could get any practice in a real Unix environment was in busting root, which was laughably easy - remember I said password shadowing was still largely unadopted and MD5s were simply stored in /etc/passwd for harvesting. John the Ripper was widely available on the underground and even with the meager processing power and storage space for dictionary files we had at the time, cracking a hash could usually be done by letting it run overnight on my 486.

Heck, I paid an extra couple of hundred bucks to get the DX version because it had the math co-processor and I wasn't sure if that would help in cracking hashes but it had the words "math" and "processor" so surely it was more formidable doing hash stuff.

There were no "hacker schools" or certifications; knowledge of information security had to be gleaned from technical manuals, or inferred from what they did not cover, if you could even get them. 

My high school guidance counsellor recommended I take a programming degree if I wanted to pursue my passion for nerdy things because that was essentially what people thought that people who were "good with computers" did, but I was never really interested in writing code beyond the scripts that were necessary to complete whatever objective I'd set for the moment.

I bought a book on C and my main take-away from it became the style in which I would take notes - cascading indents for subtopics. 

I still take notes like this to this day.


I can hardly fathom any other way to take notes.


Around that time, PC based digital audio workstation ("DAW") software was becoming available and I quickly realized that this made recording and producing music at home in "high quality" possible. By "high quality" I mean 44.1KHz, which is the same rate as "CD Quality" and utterly amazing in contrast to the cassette tapes we were used to.

So, devoid of career path options into infosec, I instead directed my nerdery towards computerized music production, which was just emerging at the time as a possible field. Electronic music was just really beginning to take off and it was a whole new galaxy of sounds and resulting genres that were begging to be explored.

This became my main "hobby" for the next twenty years and I ended up recording hundreds of songs, playing tons of shows and festivals, running a couple of labels, managing a bunch of different artists over the years and building a commercial recording studio. 

Some time I'll make a separate post about that.

Side note: these two core interests would later reconnect in Las Vegas at Defcon 22 when I was invited to perform at the con. 

Still the coolest stage pass I've ever been issued.


In the meantime I'd managed to go to University for English & Philosophy (super useful in a job hunt believe me), got married, made some kids, needed to support them, then got divorced and ended up with sole custody. My kids were challenging - love them each to death but they were traumatized by their mother and each diagnosed with either ADHD or autism, they were a huge handful and raising them on my own required a job that was local, paid reasonably well enough, and was extremely flexible.

So flash forward 13 years, I've whittled out a niche for myself at a local technology company which affords me almost unlimited flexibility to do essentially whatever I wanted or needed to do - attend doctors and therapists and "all team meetings" or just fiddle with my interests. These hobby interests still included "cyber security" stuff, I played around with wardriving and hacking my own routers, creating Linux VMs and poking them until they broke, building drones, Arduino controls for my greenhouse automation, and so on.

Then suddenly, my kids are all in their mid-to-late teens and are functioning in the world and it seemed almost all at once my role of having to be available at all times vanished and I found myself with free time for the first time in... well, since I'd become a dad.

First thing I did was go super deep into the music stuff. Although music production had remained throughout those parenting years as a primary focal point for my own ADD, it was something I did after they were in bed, when I could focus on it for five consecutive minutes without being interrupted by demands for snacks or to report that they'd set the dog on fire. (Hyperbole but just barely, they did one time put the cat in the fridge).

I could finally afford the equipment to really go hog wild in the studio, and the time to put it all together and make use of it. 

In case you're curious:



Two released albums later, my mind started wandering. 

I wasn't really interested in making a "career" out of music - fame was never a goal and the older I got the more I realized that I would despise being famous. Through my work in the music industry over the years I've made friends with some genuinely famous people and what I heard about it from them really made my mind up about it. And although I had some business success recording other artists in my now commercial-grade home studio, doing it as a primary source of income was neither feasible where I live (not a major urban center) nor was it something I particularly desired.

Basically I did it because I liked it. I made songs because I wanted to hear them, and if other people enjoyed them too well then cool. Recording and producing other artists helped cover the cost of some of the gear.

But I had other interests. I'd spent a "summer abroad" at a French Immersion program in Trois Pistoles when I was younger. Although I learned enough to order beer and hit on girls, I was never fluent, mainly because I wasn't really trying - I was really just looking for loving in francophone places. Watching French language programs I would catch maybe 10% of what was being said. But as the years transpired I regretted not putting in the effort and realized that I'd always wanted to be truly bilingual.

After trying out different learning tools and apps I eventually settled on Duolingo.

Every day I do it, still, no matter how busy I am, even if it's just one quick one minute practice lesson. And know what? It actually works. I'm not fluent enough to take inbound support calls or argue with a native speaker, but I can read French language articles and catch most of what's being said. My comprehension - and especially pronunciation - is exponentially greater and growing every day. Amazing.

So then I thought, I've always been interested in radio and had spent a fair deal of my youth playing with CBs and scanning shortwave skip after sunset, and wouldn't it be fun to play around with very long range radio telecommunications? I thought "why don't I just get my HAM license?" 


Maybe it's just me but this is suuuuper cool.


So I started studying. 

In case you didn't know, obtaining even the base level amateur radio operator's ("HAM") license is in fact pretty difficult and isn't something you can just do without a pretty broad understanding of the physics of electromagnetic propagation, solar cycles, electronics... you even need to know a fair bit about the law and how it affects licensing. And for good reason too, once you get on the waves it is very easy for an operator to cause all sorts of problems if they don't know what they're doing (and even if they do).

With great power comes great responsibility.

Well, after a couple of months of studying and doing practice tests I felt like I was ready so I contacted the local amateur radio club and booked a time with one of their licensed examiners and did the test, and can you believe it, I passed - with honors, which entitled me to operate on the more interesting lower frequency band (which is called "high frequency" or HF), which can literally reach all the way around the world. 

Cool. Super cool. Something I always wanted to do so I just started working on it and learning. Instead of playing games or watching TV I made a hobby of learning. It wasn't easy, I had to actually study, a lot of the stuff was way over my head despite my broad background in nerdy things but that's the point - to learn something you don't already know. Nobody is born knowing repeater frequency offsets, you have to learn it first.

I stuck to it and lo and behold I learned the stuff and got the qualification.

This was like a revelation to me. 

What else had I always wanted to be qualified at? What did I actually want to do for work now that my kids didn't need me every minute of every day?

Naturally infosec was top of my mind, so I started looking into it. And what an incredible change had come to the space since I was a youth. It was an actual industry now. The resources available make me regretful that it hadn't been available when I was young - not just tutorials but actual full-fledged programs were everywhere, certifications and degrees and even PhD's in "cyber security" were available, from major Universities even.  

Good grief, the resources were almost too plentiful. Where to even begin?

Now, having started learning about network protocols back in the 90s and having spent most of my professional life working with, selling, installing, maintaining and troubleshooting "IT" systems gave me a huge advantage to the base level courses. 

I'm the most experienced noob.

Actually getting out and trying the new techniques was thrilling - it made me feel like a kid again, popping root shells and netcatting hashes back home. Even my old friend John is still around and better than ever.

Wanna practice hacking legally? There are websites you can sign up for that will spin up VMs that are specifically vulnerable to certain exploits which they then walk you through step by step the exploitation of. Go ahead and break the machine if you want, it will just load a fresh image next time. 

Want a certification? There are DOZENS. 

No seriously there are dozens.



The big problem became which to get? 

So I started simple. Let's get the basics. By most accounts, that's CompTIA A+.

Well let me tell you, nothing is more frustrating (or difficult to focus on if you've got ADD) than going over vast swaths of "foundational knowledge" you already know. It's like I'd been a backyard mechanic for decades, decided I wanted to work in a shop so started my schooling and the first year is nothing but "this is a piston, and this is a spark plug, and the piston compresses the fuel mixture..." blah blah blah.

Yes I know it's designed for and aimed at literal noobs with no background in the subject.

But I was popping shells and busting root before most of the kids taking these classes were even born. I needed to skip ground school and practice doing barrel rolls.

I spent a couple of months doing free or almost-free courses through Udemy and Cybrary and Coursera and Infosec Institute but ultimately, just like any other field of work, HR departments are looking for the almighty piece of paper. They don't want to hear about how you have spent a lot of time hacking your neighbor's wifi, they want proof from an institution that you have the background.

My kids are of an age where I've been coaching them on job-hunting and one of the things I've taught them is to look for a job that you would like and see what qualifications they are wanting. Reverse engineer your job hunt. You really want to be a firefighter? Look up what the fire departments are looking for in a recruit - NFPA 1001, ICS, etc. See which certification bodies they recognize.

Applying the same technique for my own new career I asked myself: what parts of this do I really enjoy? What job would I be totally stoked to answer the phone for, what activity is going to get me jazzed when it gets assigned to me rather than groaning.

My career in technology sales had made me an adept social engineer - that's what selling is, convincing people to spend money on your product. Recognizing their wants and fears and exploiting them to do the thing that you want. That goes nicely with Penetration Testing, as do my other interests. So pentesting jobs were scoured and the credentials they sought were noted. 

I've always been good at finding information, digging around and figuring out who people or organizations were. Footprinting, Open Source Intelligence (OSINT) and Threat Intelligence are now fields available outside of military institutions. Qualifications sought were noted.

Recovering data and investigating system failures had been something I've always enjoyed and was naturally good at, and would you look at that, Incident Response and Computer Forensics are fields you can work in without working for the alphabet orgs or local police. Huzzah. 

Note those qualifications too.

Now, here's the frustrating part I remember from being a teen trying to break into the workforce and it's all the more fucky for still existing as I'm approaching my mid-40s: every single job wants you to have years of employment experience. The classic catch-22: you need experience to get the job, but how do you get the experience without the job?


 







