How to become a hacker?

Why Be a Hacker?

Hacking has shown up in kitchens as chefs use liquid nitrogen as the cooling agent to make perfect ice cream or when they hack food to make tomato fries with potato sauce as the ketchup or just need to make something they don't have the right equipment for...

Chemists have been hacking elements and compounds for centuries. By nature molecules are finicky when it comes to how they behave in different environments (hot weather, cold weather, on mountains, or deep beneath the ocean), so chemists need to deeply understand the properties of the chemicals they have, so they can try to hack together the one they need. Nowhere is this more evident than in the invention of new pharmaceuticals, where hundreds of plants in a region are studied for their chemical properties from roots to fruits, and extracted and combined with others to make new medicines. Then they try again and again, sometimes for years, to get the combinations right and make it do what they want it to do.

Hacking is used in business to understand a market or the buying behavior of certain types of consumers. They research deeply into the forces that drive the area of business they're concerned with, and then they try to change or influence it to make it do what they want. Sometimes they're hacking the product, and sometimes they're hacking you (with advertising and priming, something you'll work with in the Social Engineering lesson).

Hacking has also become an increasingly critical part of warfare. Highly skilled soldiers are resourceful and creative in accomplishing their goals, which is exactly what hackers are. Code breakers, intelligence analysts and field officers use what are basically hacking skills to figure out what the enemy has, what they are doing, and how to take advantage of any weaknesses in their equipment. As more nations rely on computers and networks, the use of hacking in cyber attacks and defense has become a valuable part of a nation's armed forces and intelligence operations. National and international security agencies are even going to hacker conventions to recruit hackers!

More and more of people's lives are online as relationships form, people find jobs, and money is made on the Internet. Information can be valuable – or threatening – and hackers can protect themselves better than anyone else. They can research what's happening to their data. They can make sure to reveal only what they want and just generally keep themselves safer and more private. That's a huge competitive advantage in school, at work, and in life, because the smallest negative perception will eventually be used against you. Count on it.

Why Be a Hacker? How to Hack

Telling you how to hack is like explaining to you how to do a backward flip on a balance beam: no matter how detailed the explanation is you won't be able to do it on your own the first time. You need to develop the skills, feeling, and intuition through practice or else you'll fall flat on your face. But there are some things we can tell you to help you along and encourage you to keep practicing.

First, you should know some little secrets about how hacking actually works. We're going to take these from the OSSTMM (www.osstmm.org). Hackers sound it out and pronounce it "aw-stem." The OSSTMM is the Open Source Security Testing Methodology Manual, and while it may read like DVD player setup instructions, it's the main document that many hacking professionals use to plan and execute their attacks and defenses. Deep in that manual are some real gems that will open your eyes.

Two Ways to Get What You Want

For example, you should know that there are really only two ways to take anything: you take it or you have someone else take it and give it to you. That means all the taking in the world requires interactions between the person and the thing. Obvious, right? But think about it. That means that all protection mechanisms have to try to stop someone from interacting with the thing they are protecting. Unless you lock everything in a huge safe, you can't stop all interaction. Stores need to put stuff on shelves that shoppers can touch. Businesses need to send information through email clients that attach to mail servers and send messages to other mail servers.

All of these are interactions. Some of these interactions are between people and things that are familiar with each other, so we call those interactions Trusts. When the interactions happen between unknown people or systems we call these interactions Accesses. You can either use an access to take what you want yourself, or you can trick someone who has a trust with the target to take what you want for you and give it to you. If you think about that for a moment, it means that security means protecting something from both those it doesn't know and those it knows and trusts.

Exercises

1. What kind of interaction is using a search engine? Think carefully: is anyone giving Access? Is anyone giving Trust?
2. Give a simple example of using Access and Trust to take a bicycle locked to a bike rack.
3. Give a simple example of how you can use Access and Trust to log into another person's web-mail account.

Hacking to Take Over Your World

Hacking isn't just about interactions. You know that. Some people say politics is about interactions. Maybe. But you probably thought hacking is about breaking security. Sometimes it is. What it's really about is taking control of something or changing it as well. Understanding interactions and what they mean in the real world, using the basic terms we've discussed, is useful when you're trying to infiltrate, discover, or even invent. Why would you do this? To have the freedom to make something you own do what you want. And to keep others from changing something you own in the name of what some people might call security (but we're not those people).

For many, many people (we could put many more “manys” here to get the point across that we really mean "way way too many"), security is about putting a product in place, whether that's a lock or an alarm or a firewall or any thing that theoretically keeps them secure. But sometimes those products don't work as well they should, or come with their own problems that just increase your Attack Surface, when a security product should be shrinking it. (The Attack Surface is all the ways, all the interactions, that allow for something or someone to be attacked.) And good luck getting that product improved in a mass-marketing, pay-as-you-go, crowd-sourcing, “you bought it as-is and that's what you have to live with” kind of world. That's why you hack your security. You need to analyze the product and figure out where it fails and how to change it so it works better. Then you might have to hack it some more to keep that company you bought it from, from changing it back to the default!

So when you think of hacking in terms of breaking security, remember that's just one area that hacking is useful for, because without being able to do that, you may have to give up some freedom or some privacy that you don't want to give up. (And yes we get it that you may not care right now about certain things you do or say or post, but the Internet has a long memory and it's getting better and better at helping others recall those memories of you. What goes on the net stays on the net. So consider this for the future you even if the you of today doesn't care.)

Now that you get the idea about interactions, let's get into them into more detail. You know the basic interactions as Access and Trust but have you heard of Visibility? That's the third type of interaction. It's just as powerful as the other two. In police language, it's simplified as opportunity but in hacking it's more about knowing if there is something to interact with or not. This interaction brings along a whole lot of new security techniques like deception, illusion, and camouflage, as well as all-new hacking techniques for avoiding and getting around security measures like deception, illusion, and camouflage!

When famous bank robber Jesse James was asked why he robbed banks, he said it's because that's where the money is. What he meant is that through Visibility he knew that the banks had money where other things he could rob might not. Banks have Visibility: people know what assets they hold. But not everything has Visibility. As a matter of fact Privacy is the opposite of Visibility and it's a powerful way to avoid being a target. Whether on dangerous streets, in the jungle, or on the Internet, keeping a low Exposure and avoiding Visibility is a way to keep from getting attacked in the first place.

Exercises

4. The Internet is so popular for creating myths and perpetuating false stories that it's hard to know what's real information and what is just a hoax. So if you want to learn to be a good hacker, get in the habit of checking your facts and learning the truth about things. That's why you're going to search and find out if Jesse James really did say that. And don't go easy on the answer by just going to the first web page you find, dig a little.
Now that you're getting used to looking things up, find the truth about these common things:
5. In the Inuit language where the word igloo comes from, what does it really mean? What kind of interactions did you use now to find out?
6. Many parents are quick to point out that sugar makes little kids hyper-active but does it really? What interactions are really occurring in their little bellies when children eat a lot of candy or sugary foods that make them act silly and hyper?
7. You might have heard that sugar causes cavities (caries) in your teeth but what is the real interaction that takes place - what really causes it? Is it sugar or not? Bonus points if you can say what brushing is as an interaction to fight the real cause and find the name of at least one of the chemicals that addresses the root of the problem (*hint: fluoride is wrong*).

The Four Point Process

When you take the three types of interactions together, you have Porosity, the basis of an Attack Surface. And like the word implies, it's the pores or “holes” in any defenses you have to have in order for any necessary interactions to take place (as well as any unknown or unnecessary interactions taking place). For instance, a store still needs to put products on the shelves so people can touch them, put them in a cart and buy them. These are the interactions they need to sell things. But they might not be aware of the employees who are sneaking stuff out of the loading dock, which is an interaction that they don't want.

Porosity is something you need to know about to protect yourself or attack some target. But it's not enough to analyze something to hack it. To do that you need to know something deeper about the three types of interactions you just learned. This is another little secret from the OSSTMM and it's called the Four Point Process (FPP). It outlines four ways these interactions are used to analyze something as deeply as possible, and by analyze we mean to mess with it so we can watch it and see what happens.

The Echo Process

We grow up discovering things and learning things by interacting with them directly. Little kids poke the dried-up squirrel with a stick to see if it's dead. This is called the echo process. It's the most basic and immature form of analysis. It's like yelling into a cave and listening for the response. The echo process requires throwing different types of Access interactions at a target and then monitoring its reactions to figure out what ways you can interact with it. The echo process is a cause-and-effect type of verification.

This is an odd way to test something, because although it makes for a very fast test, it also isn't very accurate. For instance, when using the echo process in testing security, a target that does not respond is considered secure. That's the same as not having Visibility. But we also know that just because something is non-responsive to a particular type of interaction that doesn't mean it's “secure." If this were true then opossums would never get killed by other animals when they played dead and everyone would be safe from bear attacks just by passing out in fear. But it's just not true. Avoiding Visibility might help you survive some types of interactions but certainly not all.

Unfortunately, the majority of ways people investigate things in their everyday life is through the echo process alone. There is so much information lost in this kind of one dimensional analysis that we should be thankful the health care industry has evolved past the "Does it hurt if I do this?" method of diagnosis. If hospitals only used the echo process to determine the health of a person they would rarely truly help people. On the bright side the waiting room times would be very short. That's why some doctors, most scientists, and especially hackers use the Four Point Process to make sure they don't miss anything.

The Four Point Process has you look at interactions in the following ways:

1. Induction: What can we tell about the target from its environment? How does it behave in that environment? If the target is not influenced by its environment, that's interesting too.
2. Inquest: What signals (emanations) does the target give off? Investigate any tracks or indicators of those emanations. A system or process generally leaves a signature of interactions with its environment.
3. Interaction: What happens when you poke it? This point calls for echo tests, including expected and unexpected interactions with the target, to trigger responses.
4. Intervention: How far will it bend before it breaks? Intervene with the resources the target needs, like electricity, or meddle with its interactions with other systems to understand the extremes under which it can continue operating.

Back to our hospital example... the four stages of the FPP would look like this:

1. The interaction function is the echo process where the doctors poke the patients, talk to them, and test their reflexes on the elbows and knees and use other tools of the "Does it hurt if I do this?" method.
2. The inquest is reading emanations from the patient like pulse, blood pressure, and brain waves.
3. The intervention is changing or stressing the patient’s homeostasis, behavior, routine, or comfort level to see what happens.
4. And finally induction, which is examining the environment, the places where the person visited before they got ill and how they may have affected the patient, such as what they may have touched, ingested, or breathed.

Exercise

8. As you can see, the Four Point Process lets you more deeply investigate interactions. Now you can try it. Explain how you would use the Four Point Process to know if a clock is working – and then if it's working correctly by keeping the right time.

Now you should practice until you’re a master of researching. The better you get at it, the more information you will find quickly, and the faster you will learn. But be careful also to develop a critical eye. Not all information is truth.