how do you become a hacker?

I sometimes get asked how one can develop the skills needed to do what I do for a living. This is a tricky thing to answer, because being a good hacker ultimately means you think “wrong”, not just that you understand tech.

When I interview people for a job, of course I’m looking to see if you have technical chops. More importantly though, I’m looking to see how you think, and how you handle unexpected things.

That “hacker mindset” quality is hard to define, tough to extract over the course of a brief interview, and impossible to teach. We can bring people up to speed in tech stuff, business stuff, project management stuff, etc., but thinking crooked, that’s not really a teachable skill; you either do it, or you don’t.

All that said, understanding tech is definitely a requirement, and fortunately there are tons of ways to gain skills in this (one fantastic resource for this is the book “The Web Application Hackers Handbook” written by PortSwigger).

There are a bunch of resources online as well, (free in most cases), so I threw together a small list of some quality sites that teach tech/hacking:


Basics of Computing



This list is obviously not exhaustive, or even complete really, but hopefully it’s useful to someone.

Another recommendation I would make to anyone looking to get into this field, is definitely get to a hacker con – specifically one like BSides. These are pretty much everywhere at this point, and are very good for learning new things and getting a feel for what hacker culture is like.

hacker != criminal

So, whatever your thoughts on Fox news, I can confirm that this is accurately reported. I know Chris through a couple of conferences we help staff, and if you questioned my getting worried about the recent executive orders around ‘hacking’, the experience he had as a result of his research will perhaps change your mind.

It’s becoming increasingly risky to be a security professional, and I suspect it’s destined to get worse. Events like this destroy the efforts that many people – private sector and intelligence community alike – put into building relationships with white hat hackers to help protect all of us.

Instead, this may make some wonder whether it’s better to just go dark.

welcome back to the net, Egypt

On January 27, 2011, the country of Egypt disabled the Internet for anyone within its borders. It did this in a couple of ways, both via the network (at the BGP level), as well as the name resolution (DNS) level. This means the take down not only impacted Egyptian nationals, but citizens of other countries that happened to be in Egypt during this time period, as well as anyone that was using a .eg ccTLD domain.

I don’t have a lot of time to form a well crafted post on the topic of Internet blockade at a national level – it suffices to say that I’m opposed.

Here are a couple of very interesting graphs, taken from

Start of the BGP withdrawal:

Re-announcement of Egyption BGP routes:

I’m glad that Egypt has decided to allow all those impacted by this outage access to the Internet once more. Welcome back .eg.