Why I got into cybersecurity
INTRO
This is a response to a post by Garrett Mickley
When I was a kid, I did a lot of potentially illegal shit. However, I never got in trouble for my shenanigans, mostly for one simple reason: I confessed.
When I learned about WiFi hacking, I once went into a restaurant. My family knows the owner, but me being me, I just had to poke around the network. I found a misconfiguration (admin:admin, what else) and I started looking at the configurations. I found out what the external IP was, could set up tunnelling to any other devices on the LAN from the Internet, basically all the good shit… if I wanted to be a bad guy.
I did the apparently dumb thing instead, and I talked to the owner. I told him what I found and told him “hey, to fix this, you gotta change the password.” I was fully expecting to get kicked out, beaten up, all the bad thoughts were popping up as I was standing face-to-face with this huge guy.
“Wow, that’s bad. How do I fix it?”
Hacking the venue
I had a bunch of times when I hacked the venue. This ranges from turning off TVs and changing channels to something that interested me at a restaurant to full-blown getting into the router at a prospective employer. What I believe kept me out of trouble or jail was the fact that I know what needs to be changed and had the guts to come forward and say “Hey, there is bad stuff here, I can help you fix it.” Sometimes, I even changed company policy due to my tomfoolery (one bank doesn’t allow net msg send ever since I played around with it.) I turned off menu TVs at several fast food chains and felt bad afterwards, seeing the staff climb ladders to put everything back in order.
These may be bad examples, after all, I didn’t disclose nearly enough of those, but even I have certain ethical boundaries. I’m not going to go dumping and releasing client data from an ISP that I found has its timesheets for all employees open to the Internet. I called them, explained my situation, and 100% of the time, I was met with a “Oh, thanks! We didn’t know that! It’s out of date, but it really shouldn’t be there. If you find anything else, let us know, will ya?”
How to stop being evil: Think before you do dumb shit
When I started getting into cybersecurity, I quickly found that the amount of work I would have to do was greater than the fun I would have. It is difficult to do black-hat shit, where you have no security and can only rely on yourself. Compare that to a penetration test, where everyone knows you’re there, you can make a ton of noise, and the only thing you’re waiting for is a paycheck. I couldn’t do black hat shit because I can’t take the stress. Okay, I hack a website and dump all of it. What now? Do I sit on the data, save it, and keep it for a rainy day? Did I really delete all tracks? Did I hide myself well enough? What about that one website visit 3 weeks prior where I just looked around the website?
I know how much could go wrong, and I know I’m not good enough to account for everything that could go wrong. That’s what stops me from using my skills for evil. If you want to live the black-hat life, I don’t want to know about it, but do what you want, just know that your actions may have consequences.
Is turning off TVs in a venue annoying? Yes. Is it illegal? Probably not. Is it fun? Absolutely.
Why I still got into cybersecurity if I do dumb shit all the time
The main reason is I’m paranoid. I’m always thinking about what someone else could do to me, and I want to know the tactics someone bad could do to me. As a part of that, I have to learn how to defend against them. This is what can differentiate a black hat from a white/gray hat: A black hat doesn’t need to know how to defend, they can make do with attack techniques (black hats don’t usually write reports). If I learn the attack and defense for my own sake, why shouldn’t I get paid for it?
It’s a good way to get further motivation and develop my skills, because I can basically use my paranoia to instruct others.
Outro
I have some skills that could make me a villain. Do I use those skills in places I shouldn’t? Absolutely. Do I report my findings to the owner of the thing I just hacked? If possible, yes. It’s sort of like karma, where I do bad shit, but I try to balance it out by turning the “attack” into a “learning experience” for everyone involved. I have to be careful, of course, because the more I know, the more dangerous I could be, but even though I could break into an office, steal all the laptops, and delete security footage on my way out, I get enough of that excitement in Hitman, and if I’m going to go on-site for a red teaming engagement, I want that letter of authorization in my pocket to avoid jail.