Let’s track this from the beginning.
Why am I writing this piece? The answer is at the end of the post (go there for a tl;dr).
On this blog I usually stick to technical posts because that’s what I feel like doing, teaching other people things I’m still learning to share my path. I’m a huge fan of the Feynman Technique. In case you don’t know who Richard Feynman was, check him out. I put him in my personal Hall of Fame, a great scientist and a great educator. Thing is, sometimes growing is not only about technical skills, it’s also about motivation, so I decided to share my (still ongoing) story on how I ~~crashed~~ landed in the cyber security world.
So, for once, I am putting aside technical writing, exploitation, reverse engineering and the likes to focus on something more “human”.
The beginning is pretty “classic” I’d say. I started ~~messing up~~ playing with computers pretty early, so early I can’t actually remember not having a computer when I was a kid, though I clearly remember my parents being wise enough not to plug me into the internet immediately. Starting so early though had the (unpleasant) consequence I now don’t have a clue what was the first model of computer I owned, so I don’t have any cool story, like many of us in the industry have, that starts with “oh my first machine was a T-82 with so-few-kilobytes of RAM and bla bla bla”.
I clearly remember however I wanted so badly a gameboy as Pokemon Gold was all the rage back then and all the cool kids on the block had it, and I must have annoyed my parents so much (as one of the kids had a prehistoric form of gameboy emulator) that they finally allowed me to connect to the internet and search for an emulator (dammit, wouldn’t it have been easier to just buy me a gameboy mom?). And so my parents made the huge mistake of letting a seven year old hurricane like me hear that strange combination of noises emitted by a box full of blinking lights (were you searching for dialup modem sound?). Initially I was just amazed, so amazed at the possibility of basically being able to search for anything passing through my mind that I OBVIOUSLY didn’t hear the usual “don’t do dumb shit on the internet” rant all parents embark on when they first let their children on the internet (and still, I didn’t find that goddamned emulator immediately, I didn’t know English back then. Don’t judge me, I was just a kid).
You should definitely quit, kid
Fast forward a couple of years and at eleven I was in I-want-to-be-able-to-code-videogames mode and, as usual, I didn’t have a clue what it takes to create a videogame, so I embarked upon my great crusade to learn C++ (of course, almost randomly chosen from the array of available programming languages). A crusade that OF COURSE failed (take note of that, failure is somewhat of a recurring pattern in my life when it comes to cyber security). I think I printed something like 300 pages of C++ manual and my mom was like “you better not waste all that paper and actually read everything that’s printed on it”. You fool.
Side note, I never had a lot of confidence in my learning skills until very recently to be honest, so when I encountered the first difficulties in learning programming while self teaching I ended up abandoning my quest to become a videogame programmer pretty soon. That happened after a couple of days of failing to understand incredibly complex computer programming topics like… variables (don’t judge me, I was only a slightly more grown up kid, but still a kid). I think it didn’t help the fact that once I was in a computer store with my mother and she proudly told the guy that worked there “my son is trying to learn programming” and I added with a bit of sadness “yes but I am stuck at variables, I don’t really understand what they are and what to do with them…”. The ~~dickhead pseudo IT pro~~ nice guy working at the store answered “well, if you don’t understand variables there’s not much you can do, you should probably quit!”. You ~~ugly son of a bitch~~ unwise man, you dealt the fatal blow. IT pros (or people who think they are pros), please be nice to kids and encourage them, don’t throw them under the bus just because they are young and clueless.
Lamers gonna lame
Three years went by, more or less, and when I finished middle school my grandpa bought me a laptop. Until then I had to share my PC with my younger brother so I didn’t have a lot of room for mods or trying out new stuff. At that point I went through most of Microsoft’s OSs, namely Windows 95, Windows 98, Windows Me, Windows XP and Windows motherfucking Vista. I don’t remember clearly when, but at some point I found out about Linux, the OS “all hackers use”. Cool, who doesn’t want to be a hacker? And now I have a computer I can ~~fuck up~~ modify without a lot of consequences (for my brother, at least) so I threw Ubuntu (yes, Ubuntu was the first distro I installed, got any problems with that?) on a USB drive I had lying around and installed it on my brand new laptop. The impact had been… strange? No easy click and execute GUI, no installing malware disguised as cracked videogames software through the familiar double-click-on-an-exe-and-forget-it.
What’s the first thing a wannabe hacker wants to hack? OF COURSE IT’S SOMEBODY ELSE’S WIFI! I clearly remember spending a shitton of time trying to understand how to crack a WiFi password, and I actually succeeded on a couple of occasions. You see, back then (10 years ago, give or take) WEP was still very widespread (today nobody uses WEP for WiFi protection right? RIGHT?). For those of you out there who don’t know what WEP is, it’s a (not so old actually) standard for protecting a WiFi Access Point, it’s the crippled granddad of WPA (ok, it’s not exactly like that, but that’s not a cryptography essay okay?). What is really cool (from an attacker perspective at least) is that WEP protection is really easy to crack, so easy that even a fifteen year old with a week long Linux experience can manage to do it with Aircrack-ng. So, I was in the dentist’s waiting room (like every young nerd I had braces and they had to be checked regularly) with my trusted Ubuntu laptop and there was this WiFi with WEP protection from an apartment downstairs. While waiting there for my turn I thought “what better time to ~~commit a crime which can potentially stain my future career~~ test out what I learned some days ago with Aircrack-ng”. After a couple of minutes I had it, I still remember the password clearly, “tpqmq”, a five character key to hacker’s heaven! Ok, it was a lame hack and I was (and to be honest, still am to this very day) just a script kiddie, but to me it felt like I had the power of a god! I broke through the chains someone put on something I shouldn’t have had access to, I made it! It felt great, let me say it. But it pretty much stopped there, WEP was already dying by that point and WPA2 was not that easy to crack as it needed an already connected client to deauthenticate and then intercepting a hash that had to be brute forced. Fairly impractical, but I did manage to score some hits using Wifiphisher, though they weren’t anything technical or exceptional. The novelty quickly wore off.
After that things stalled for some years as I didn’t really spend a lot of time trying to learn, I was a script kiddie who did not want to grow, partly because I had close to no trust in my learning skills. Seriously, I convinced myself I had no real talent and that there was no point in even trying to learn, improve and become a real hacker. And it would’ve stayed that way, if it weren’t for the MOCA.
Welcome to the grown ups’ game, kid
A game changer in my growth has been starting to attend hacker conferences and hacker camps. The first hacker camp I ever attended was the Metro Olografix Camp, a.k.a. MOCA, in 2016.
MOCA is a hacker camp which is held every four years in Pescara and I was lucky enough to have the possibility to attend it. At the camp I was able to meet a ton of different people, from the common IT technician to the hardcore computer engineer, from the 12-year-old script kiddie who wanted to learn the craft of the grown ups to the super skilled hacker full of knowledge and anecdotes. It was an awesome and awful experience at the same time. It was awesome because I was struck by the amount of really skilled people attending these kinds of events and the fact that everyone was eager to showcase their skills and teach what they know to others. It was also awful however because it dawned on me how little I knew about hacking. And not only about hacking, but about every aspect of IT in general! This kind of experience is really humbling because you can find pros basically in every branch of technology, people whose knowledge dwarfs yours by many orders of magnitude. I met awesome guys, people like Zen, who taught me a lot of the black wizardry behind drones and radio comms, or Illordlo who introduced me, a young, unskilled and clueless kid, to the dark art of reverse engineering. But one great person who stood above the crowd those days was Rageman, who later became for me a mentor and a great friend. I would turn to him in days where I felt helpless and without a guide and he would always reassure me and tell me that every skill in hacking can be conquered, given the right amount of persistence and study discipline. There were many other guys and girls that became for me an example and that really sparked in me the will to persist and grow in this field, I consider this event to be the real turning point in my personal growth when it comes to hacking. It was truly a game changer. I attended many other conferences and camps from that day and they all served me well in their own way.
I met other people, many way more skilled than me, few a little less, but a lot of them became life companions and I often turn to them for advice or just to have a chat. In the end this is the true value of camps and conferences, meeting new (and most of the times, awesome and better than you) people. And those people will help you grow, they will introduce you to new topics and areas previously unknown to you and make you a better professional every time.
Aim high, you will always have time to shoot lower
It may be an unpopular opinion, but another thing that helped me a lot are certifications. To this day I managed to clear OSCP and OSCE from Offensive Security and CRTP from Pentester Academy. I know that at their core those are just pieces of paper (or dead trees if you like), but the inherent challenge they posed to me has been invaluable. Two friends of mine, negat0r and his brother donz, once told me “yo, you ever heard of OSCP?” and I was like “yeah, kind of, isn’t that the one with the 24 hours long exam?”. Two days after that they invited me to negat0r’s house, where a friend of theirs was going through the certification exam. I only spent a few minutes there so I didn’t really see exactly what he was doing, but he was laser-like focused. Seeing the guy I thought “man, that must be really hard!” and in fact it was, he had 24 hours to pwn five servers, one of which required the student to write an exploit for a buffer overflow vulnerable process. “This is crazy, I would never be able to do such a thing!” and after staring at the guy performing what I thought was black wizardry through the keyboard of his laptop I decided to call it a day and go home. I spent the next week thinking about it and suddenly one day, in a moment of pride, I said “screw this, why can’t I do the same thing?” and in I went. Two weeks later my three months long journey to the OSCP started, it was June 2017, just a few days after my birthday. And man, it wasn’t easy at all. I would spend most of the days going through the PDF, the lessons and in the lab. I managed to root most of the machines in the lab and when I thought I was ready I booked the exam, a week before the lab time ended (good job there managing time kid, don’t make the same mistake and use all the time at your disposal). When it started I felt a mix of thrill and anxiety. It was 10AM. At 5PM I had enough points to pass, having pwnd four out of five machines and having local access to the fifth. I couldn’t root the last machine and at 11PM I decided to go to bed, see you tomorrow ~~bitch~~. The following morning, after a good night’s sleep, I managed to root it. I wrote the report and a couple of days after Offsec reached out telling me I did it, I was OSCP certified. I felt proud and empty at the same time, I conquered an objective that just a couple months before I thought impossible for me to achieve, but at the same time I felt like I needed more. I made it sort of a personal challenge to clear a certification exam at least once a year. That happened in 2017, next year in September I passed the OSCE exam and this year in May I completed the CRTP exam from Pentester Academy, a certification which taught me a lot about Active Directory attacks and exploitation.
I know it’s sort of a mantra these days and everybody says that, but really, get out of your goddamned comfort zone. Moving out into the unknown (for you at least) really forces you to step up your game and improve, trust me.
So, to wrap this up. Why did I write this piece?
It’s mainly a memento for myself, when I have those dark days we all have in which we doubt our competence and our skills. And I hope it can also help those that are going through the same struggle I went through when beginning, when everything is new, and complex, and difficult, and frankly scary. Yes, there will always be someone better than us, people way more skilled in their respective fields, but that shouldn’t make us feel sad or useless. A friend of mine told me that he feels a bit depressed recently because he attended a SANS course in Germany and realized how little he knows about hacking, “the others out there are so skilled, there’s no way I can reach them…”, and that is right, partly. It’s like Zeno’s paradox applied to hacking, when you think you have caught up with someone else’s skills they will have become better than they previously were and so you have to start chasing them again. That’s only normal, but rather than as a curse we should see it as a blessing, it forces us to improve every day. Make it a personal goal to become better than your yesterday’s self.
Since meeting other professionals I realized a constant, continuous, and genuine comparison with others can only make us better at our craft as it allows us to see through our true weaknesses and strengths. Realizing how little we know compared to others greater than us should ignite that flame of “I want to grow and become a better professional”, it shouldn’t be a reason to settle or just give up. And that’s valid not only for cyber security, but also for all the other aspects of the human nature, because there’s no point in being a great hacker if you are an awful person.