What's a computer hacker? and other popular questions

This post is part of a series called A journey into smart contract security.

The following Q&A is based on a compilation I did a few years ago. Its information has been gathered from repeated experiences speaking at universities, schools, and particularly from a panel I hosted with colleagues.

It has been modified a bit to serve the purpose of the article. Though I speak about hacking, I will be mostly referring to a small part related to information security. The answers are nothing but a humble approach based on a previous consensus of opinions and my own experience. I hope you enjoy it.

This is a gift for those who seek and can’t find answers to questions I have already provided to my younger self in the past, hoping you find it useful.

Feel free to submit feedback.

Journey game inspired cover.

Table of contents

1. What’s a hacker?
2. What's not a hacker?
3. I did not start younger, is it too late?
4. I want to hack, but where do I learn? How do I start?
5. Are certifications essential?
6. Which is the best way to learn?
7. What kind of profiles work in infosec?
8. Why is offensive security more popular than defensive?
9. Final thoughts
   ∘ Suggestions
   ∘ Suggested courses
   ∘ Key books
   ∘ YouTube videos (and "alternatives" to the books)

1. What’s a hacker?

As a Spanish speaker, if you casually check out what the Real Academia Española says about it, you will find two definitions:

• Computer pirate.
• An expert in information technologies, in charge of systems security and developing improvement techniques.

Google Translate

Though Wikipedia’s article is pretty fair and has a lot more information, I’d like to clarify that a hacker is NOT a pirate.

I understand hacker, as a term that is not explicitly talking about the information security field, but rather the ability to be able to find functionality in things that were not destined to do so originally, beyond any context.

System functionality

In 2007 I was attending an Algebra class. The professor was having issues with the microphone. He excused himself, paused the class for a few seconds, approached the first row, and asked a student for the wrap from the chocolate she just ate — a Bonobon —.

Picture of a Bonobon

He split apart the plastic foil from the aluminum, and used the last one to close the gap between the connectors and the batteries, troubleshooting the issue. He then thanked the student, and we stared in awe while he proceeded with his class as if nothing happened.

That's some real hacking over there.

• Jacob Collier hacks music.
• Wim Hof hacks the immune system.
• The person who invented the concept of a flash loan is a hacker to me.

What other examples can you think of where you or someone you know hacked something? Approached and thought at something different in this way?

Ok great, but what's a computer hacker?

Instead of trying to invent a new definition, I'm going to point out the Wikipedia article for it, which I admit I'm kind of positively surprised about it.

For this post, we will continue using the term hacking referring to computer hacking mostly.

2. What's not a hacker?

• A static profession where you could reach the end of the road.
• Most of the things we see in the news and movies (definitely not four hands on a keyboard nor malware whose purpose is to distract you with kittens 👀).
• Gathering Facebook user credentials from the ex-partner of a friend 😵.

3. I did not start younger, is it too late?

There’s no need to have hacked NASA when you were twelve to be able to dedicate to info sec the rest of your life. You don’t even need a solid background to start, nor even a particular age.

4. I want to hack, but where do I learn? How do I start?

The path is not clear, so don’t worry. Since this field of study is pretty new, there’s not a particular place to go to like there is for other roles where there is certain history.

Fortunately in the past few years, there has been an increase in resources: careers, courses, and training. On the other side, the amount of information we handle nowadays may seem overwhelming and can lead to misinformation, making you feel lost, not knowing what to choose or where to start.

Pick whatever feels comfortable to you, I suggest starting progressively on complicated matters from the beginning to avoid frustration (I may talk about this in another post). You will see that with every acquired knowledge you will start to see things clearly.

For example, every time I start to learn something new, I superficially gather information to make a road map, which I end up iterating A LOT before I finish. New knowledge sets for a different perspective.

I wouldn't dare to say that the ABC of hacking exists, well maybe it does and I don't know! Probably there are thousands of them! Depending on what you'd like to do! Although I recognize there's some core knowledge nice to have in the field. Knowing how a computer works, and some basic network protocol understanding will always help.

But there's no magic 6 months course that will give you the tools to cover everything. Yes, there are some courses, and careers, that can give you a general understanding which will help you to start to find and define this own path I was talking about.

In this path is where you will realize that to do software reverse engineering, you will need a basic understanding of programming languages, compilers, linkers, assemblers, and operating systems; that to be a great smart contracts auditor, you will probably need a general understanding of some network protocols, how blockchains work, EVM concepts, several programming languages, a basic understanding of cryptography, game theory, and more.

Credits to @visuallywise

Thing is, you may not need to study all at once, it depends on the scope of every project. Besides, I suggest applying what you've learned as soon as possible before it fades away. I wouldn't study applied math for a particular domain if I'm not going to use it within the next months.

And this path will take the time it will need to take 😌.

5. Are certifications essential?

Huh. What a subject, am I right?

You see all these folks wearing suits on LinkedIn with dozens of certifications and you're wondering whether you'll eventually need them in your career path.

Truth is, most of the best security professionals I've ever known don't have certifications (or at least they don't collect them as POAPs), only those who needed them were to be able to certify products for compliance reasons.

For example, if you somehow end up auditing a hospital, you'll probably need to be able to certify HIPAA; if you audit an e-gaming platform, you may have to be able to certify ISO 9001 and ISO 27001.

Certifications do not teach you, they just are different mechanisms to validate what you know up to a certain moment.

In short, they are not necessary, nor a requirement to be able to learn.

If taking a certification makes you focus on your learning, then so be it. They may come in handy.

6. Which is the best way to learn?

It is important to differentiate the fact of learning something versus the ability to apply that something.

What is clear is that you could do this wherever: college, university, preparing for a certification, reading from articles, or just experimenting, whatever works for you.

Infosec is versatile field with continuous growth where no profile is amiss.

If you feel the institution where you are at is not working anymore, don't waste energy blaming it or those who teach, seek elsewhere. If you feel the need for structure because you can't work alone, go to a Uni (school, college, or whatever). If you feel both those paths are not useful, keep searching, you will undoubtedly get there, and maybe you'll create a trail for others looking for a similar direction.

7. What kind of profiles work in infosec?

Academics, doctorates, post-doctorates, University/College drop-outs, people who never set afoot on an institution, and more.

Diversity, in general, is something that positively benefits teamwork. The more diversity, the more different points of view and perspectives you can bring to the table. And let's be honest, hacking is all about that, having the ability to see things with a different mindset.

Talking about specific roles or positions, there could be as many roles as domains in the field. There are sites that help you visualize what I'm talking about, like CyberSeek's pathway.

Cyber Security Domains by Henry Jiang

You can always look for open positions on any job hunting platform like LinkedIn, and check out current roles for cyber security domains and their descriptions.

8. Why is offensive security more popular than defensive?

Generally speaking: to attack is more entertaining than to defend, and to defend is way more difficult than to attack. It may be a popular belief, but I think this has changed quite recently.

Developing defense techniques is incredible more complex, you may have to try to anticipate and cover EVERY possible attack. And attacking just requires you to be able to succeed only to THAT particular defense. The level of difficulty is conditioned by that asymmetry.

9. Final thoughts

Each and everyone walks their path, there is no unique way of doing things. This is still new for everyone. You will have to take decisions based on your particular current situation to improve.

We have to understand that not everyone comes with this craving, this passion that drives some of the best, but you can cultivate curiosity as fuel, testing, searching, and experimenting.

Credits to @visuallywise

Suggestions

• Start progressively. Don't fret, we were all there, and that thing that is making you feel stuck will eventually work. You'll get there :)
• Do not compare yourself to others, it does not make sense. Just compare yourself with whom you've been before, just a few months ago will do. And if you see improvement, then you're on the right track.
• Learn languages, particularly English if you're reading this with a translator, given that most of the information we have learned is in it.
• Do not delegate the responsibility to learn to others (family, institutions, superiors, mentors), that's on you. Look for whatever works for you, and if something doesn't, you change it until it does.
• Know yourself. Understand how you better digest information, what makes you want to study more: is it studying at home? attending to events? going to college? a community maybe? whatever it is that does it for you.

Suggested courses

• Pwn College 👍
• Stanford: Online free courses
• Coursera: Cyber Security specialization
• Ekoparty: Hackademy (ES)

Key books

• The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities — Mark Dowd
• Operating System Concepts Essentials — Abraham Silberschatz, Peter B. Galvin, Greg Gagne
• Computer Networks — Andrew S. Tanenbaum

YouTube videos (and "alternatives" to the books)

• How does the internet work? — by Ian Frost on FreeCodeCamp
• How I would learn to code (if I could start over) 👍 — by Tina Huang
• Introduction to Programming and Computer Science — by Steven and Sean from NullPointer Exception
• From Nand to Tetris Part I & Part II 👍 — by Noam Nisan and Shimon Schocken
• Computer Networks (CS144) — by Stanford University
• Computer Networking Course — Network Engineering — by Brian Ferrill, an instructor at Edmonds Community College on FreeCodeCamp
• Fundamentals of Operating Systems (based on Operating System Concepts 10th edition) — by Mitch Davis from University of Mobile
• Introduction to Operating Systems — by Neso Academy

Thanks for reading! My name is Matt, and I’m learning how to make Ethereum more secure. I will be sharing some things from time to time.
Follow me on twitter @mattaereal.