Hacking Your Career
A practical guide to turning your hacking experiences into a career launchpad. by notdan
Paywall blocking you? Click here to reload and enjoy for free.
Find me on Twitter! https://twitter.com/notdan
PREFACE
I’m making this guide for one reason, and one reason alone: I want to help people, mainly younger hackers, figure out how to get legitimate day jobs. If this post ends up only helping one person get their career started, it’ll be worth it.
I’m not trying to convert blackhats to whitehats. I barely even subscribe to the classification of “blackhat vs. whitehat” in the first place. However, they’re useful terms for this guide, so you’ll see it a few times throughout.
CONTEXT: BLACKHAT VS. WHITEHAT VS. REALITY.
WHITEHAT: Horribly boring people that are in Infosec for all of the wrong reasons. They love reminding you they’re against hackers, and that they’re way smarter than any blackhat. (Hopefully we’ve annoyed at least one Uber-Whitehat who’s taking themselves too seriously right now) ;)
BLACKHAT: Mostly liars that don’t have any money, but pretend to be rich by flexing a few hundred dollars and a BB gun on camera. They don’t typically hack, and instead are only interested in their egos and e-fame. They someday hope to be as popular as OurMine. (Hopefully that annoyed at least one Uber-Blackhat who’s taking themselves too seriously right now. Yes, it was painful to type out, haha) ;)
REALITY: The reality is that we all Lie somewhere in between “whitehat and blackhat”. Nobody sticks to the playbook 100% of the time because it’s not humanly possible to have perfect judgement. We’ve all made mistakes, taken our testing one step “too far” or crossed an ethical boundary at some point. Intent is usually what swings people into either the black or white hat categories.
If there’s any single thing that you take away from this post, understand:
Being a teenage blackhat for fun and exploration is COMPLETELY different than being an adult blackhat for profit.
Career blackhat hackers tend to get caught. Detailed OPSEC, carefully executed operations, and planning eventually don’t matter on the one day that you accidentally fuck up. One day, and your door is getting kicked in.
The question becomes: Is it worth it? For the purposes of this guide, we’re going to assume you decided “meh, prison kinda seems like it might suck..”
WHOAMI
Some of you might be wondering why you should take advice from me. My best answer is: This is 100% how I made my career. I’ve been in the Information Security Industry for over 20 years, I’m fairly highly regarded IRL. But I’m an anomaly. Anomalies are fun. I want to help create more anomalies in the computer/tech security industry, though. Why? Cuz I’m old I realize that we need all the talent we can get. We need you.
- I’m pushin 40, I work at a company you’ve heard of, and I’m paid well.
- I’ve worked in almost every major sector including retailers, hospitality, communications, power grid/plants, medical, law offices.
- I dropped out of High School at 17, got my GED instead.
- I dropped out of college after one semester.
- I don’t have any certifications (CISSP, CCNA, etc)
- I don’t have a visible criminal record. [STFU&GETALAWYER]
DAT HACKING LIFE
Growing up I got completely hooked on hacking phones and computers. When I was 12 or 13, I started phone phreaking and explored the phreaking scene pretty heavily. Eventually I got into more hacking related stuff after the internet was in full-swing in the late 90s.
By the time I was 16 I knew how to use packet sniffers and debuggers. I even had my own method of getting free internet via Juno’s hidden passwords in their software. On IRC, I became friends with a small group and we figured out ways to do new and fun things nobody’d done before. It truly was the Wild West of the Internet.
By the early 2000’s I had played with almost every type of OS you could think of. We’d get into silly packeting wars, social engineer operators for conference bridges to talk on, make prank calls, and act like… well, immature kids.
During all of this, we were learning systems and mastering technologies that people with Computer Science degrees didn’t even know existed.
I eventually realized my thousands-long rootz.txt wasn’t going to help me get a job working with computers. I couldn’t write “experience rooting multiple versions of UNIX on random servers” or “Advanced password cracking techniques from pilfered shadow files” on my resume. So, I actually gave up on the idea of even trying to get an IT Security job. Instead, I focused on my next favorite thing, phones. I applied at the local call center for a job. Yeah I was a phreak.
HACKING SKILLS vs. CORPORATE INFOSEC SKILLS
I didn’t realize it at the time, but every single one of my hacking excursions actually had very real value in corporate information security. Here’s a few hacks and their Infosec equivalent
- Voicemail & PBX cracking (PBX Administration)
- Juno RAS/password sniffing (Protocol analysis, security review)
- DoS attacks, SYN/UDP flooding, etc (DoS mitigation techniques)
- Spoofing DNS/Getting Reverse DNS setup for IRC (DNS Configuration)
- Getting rooted/rm’d (Patching, Incident Response, OS hardening)
- ipchains/iptables (Effective Firewall Writing Skills)
- Taking Over Conference Bridges (Social Engineering Awareness)
- Wireless Cracking (Wireless Security Auditing)
GET A JOB, LOSER
Remember my comment about applying at the local call center? It turns out the call center was hiring for Technical Support and became my first IT job. Even better, it was for Juno Technical Support. I pretty easily nailed the interview considering I knew their software inside and out, but call centers really don’t care about how technically skilled you are. They care whether you can read from a script and get to work on time. The old lady who barely knew how to use a mouse also passed the interview just as easily as I did.
Moral of the story? I had to start at the bottom just like everyone else.
Do you need a job, but don’t have any work experience? Need to start somewhere? Below is a list of some jobs that require zero previous experience. More importantly, these jobs can be used to build up a resume so that you can land the higher paying Infosec jobs as quickly as possible.
JOB TITLE — RELEVANCY TO INFOSEC CAREER
Call Center: Customer Service/Technical Support — Working in a call center is incredibly valuable. It forces you to be on the phone and think quick on the fly. If you’re already a good social engineer, this job will be a great fit for you. If you’re not, here’s your chance to get social engineering training. You’ll find the skills you learn in a call center will be helpful for the rest of your career.
Call Center: Telemarketing / Collections — This job is probably the most difficult of all call center jobs, mainly because you’re talking to really pissed off people all day and on top of it asking them to give you money. I’d recommend you do Collections for only a short period of time, because it’s a terrible industry filled with completely shitty people. Your social engineering skills will be put to the test at this job, that’s for sure.
Computer Repair Shop — If you can land a job doing computer repair, go for it. I got some of my best experience in handling and learning how new malware variants worked doing computer repair. In addition to malware, you’ll also get really good at hardware repair and troubleshooting core Windows issues. Those skills easily translate into being better equipped to troubleshoot server issues in an enterprise environments. If you’re already familiar with malware, packers, and advanced Windows, this job should be a slam dunk for you and an easy paycheck.
Helpdesk — Helpdesk jobs are also very similar to computer repair shops but often are a little more advanced and hiring managers take your technical skills in to account when hiring. You’ll be working with malware removal/reversing, troubleshooting core Windows issues, and a wide variety of things.
Fast Food — You’re currently a hax0r, right? You’re owning stuff and dumping databases with SQLi, rooting some boxes, right? Get a job at Burger King for a few weeks. You’ll learn two things: 1.) How to influence people through Social Engineering when they’re all angry because their fries are over-cooked. 2.) You’ll find out what kind of job you’re going to top-out at, if you decide to go solely blackhat for income and catch a felony charge early on.
Federal convictions limit your job options, and the FBI doesn’t hire hackers they bust anymore. Unless you’re the best of the best, you’re probably not gonna make it as a career blackhat for very long. If you end up getting busted before you get some legitimate work experience, it’s going to be really fucking hard with a felony hacking charge. Hack/explore/tinker in your spare time. Get your income from legal hacking during the day.
*If you do happen to already have a felony on your record, don’t despair. Luckily it’s 2017 and the tech/infosec industry has progressed a ton. There’s plenty of firms that will still consider you for a job with a criminal record these days. Hit me up on Twitter if you’re having trouble finding employment because of your convictions and I can try to help. https://twitter.com/notdan
SK1LL LAUND3R1NG
SK1LL LAUND3R1NG is a term that describes the process of converting blackhat hacking skills into resume-friendly Infosec skills. It’s a way for younger hackers to more easily explain why they know how an LDAP server works, or why they understand what parameter sanity checking is without having to say they “I learned it in my spare time”.
The hard truth about recruiters and hiring managers: Employers would much rather see that you learned about UNIX or DDoS “on the job” instead of “in your spare time”. Things you “learned in your spare time” can sometimes be easily dismissed, whereas “job experience” is almost always paid attention to.
SK1LL LAUND3R1NG gives recruiters and prospective employers what they want, while not forcing you to sell yourself short.
SK1LL LAUND3R1NG: GETTING STARTED.
Instead of just letting all of your hacking experience go to waste, you’re going to start your own IT Consulting business and begin offering those same services.
- File a DBA (Doing Business As) or a “Fictitious Name” form with the City/County Clerk.
- Register a domain name for your business.
- Build a simple one or two page website describing your services and your contact information.
- Print up some business cards.
- Buy a business face mask that pairs nicely with your suit.
This can all be done for extremely cheap. It usually costs approximately $50 to file the paperwork with your local county government (in the United States). The domain name and website are maybe $20. Business cards are usually free or extremely cheap for the first 250 cards. You can have a legitimate business of your own setup within a week for around $100.
WHAT ABOUT TAXES AND LEGAL FORMS, ETC?
For now, you don’t have to incorporate, file special taxes, or do anything other than get it on the books with the county clerk’s office as a registered business name. The whole reason for doing all this is that when a prospective employer does your background check, they can see that your business is indeed real and registered with the county. That’s why you need to be sure to do ALL of the steps, though. Otherwise you may fail a background check, and that is definitely not what we’re going for.
TURNING UR HACKS INTO $TACK$
Remember all those Solaris and FreeBSD boxes you’ve rooted? Remember all of the SQL injection attacks you’ve done? Those are all now Information Security Services that your new company offers. This is one of the few opportunities you’re going to get to legitimize your blackhat hacking experience, and turn it into whitehat experience. Do it, how can you possibly go wrong?
DEM ETHICS THO, AIN’T THIS LYING?
Using this method is only unethical if you skip the next and last chapter of this guide. Otherwise, you’re on the way to leveraging all of the skills you picked up while hacking and using them to focus on a legitimate jobs. This is a ticket to getting a good paying career that isn’t going to land you in jail.
GET ‘EM
The final step to make this work is to get a few customers to actually let you do the security/sysadmin work for them. This is SUPER EASY. Offer your services for cheap, or even free under your new company if you have to. Just start asking everyone you interact with if you can do IT/security work for them. People don’t turn down free IT work often, so you’ll have real customers in no time. A customer that you don’t charge is still a customer.
When I started doing this whole thing, I recall being at the doctor’s office for a visit. The receptionist muttered something about the printer not working so I just flat out asked her “Hey, want me to look at that for you?” I offered to take a look for free, but after she mentioned it to my doctor, he offered to hire and pay me for my services. That day I left with my first legitimate client, my doctor’s office. #FeelsGoodMan
WHY DON’T I JUST CHEAT? LOL
I know what you’re probably thinking right now. “Why bother with the last step? Fuck it, I’ll just lie and setup the fake shell company!” Yeah, you can do that and probably get away with it too. But why not just take the extra time to do it? The whole point is to clean things up for your day job.
Taking the final plunge and getting real customers means you won’t need to worry about anything coming back to you in the future. You’ll never have to worry about getting called out by a future employer, and you’ll get even more Infosec experience with your new customers.
You might find your new company is successful and turns a huge profit. For mine, I eventually started asking for $50/hr and it worked. People easily agreed to that price. I grew up in a really small town, and making “a million dollars” was like, “im rich forver” money. It turns out, a lot of other local on-premises consultants actually charged way more than $50/hr, so I was undercutting them and started raking in money. This holds true to this day. Unless the big one has happened and we’re using seashells for currency again. In which case, fuck.
Regardless of whether you charge, if you get a few legitimate customers and do a few security assessments/IT gigs, CONGRATULATIONS:
You’ve just won the game and legitimized all of your younger blackhat hacking days into usable Infosec experience that you can put on your resume, guilt free. :>
TRICKY COLLEGE TRICK
One last job hack worth mentioning is a tricky thing I did for my college experience. If you haven’t noticed, almost all jobs want candidates that have college degrees. If you scroll up and look under the “WHOAMI” section, you’ll notice it says I dropped out after one semester of college. Why did I drop out after one semester? I couldn’t afford it. But I noticed something interesting happened after I started putting this line on my resume:
“College 2002–2002 (On hiatus) — Major in CS”
I started getting way more call backs, even though it was clear that I hadn’t finished the degree and that I wasn’t even attending anymore. Why?
HR and recruiters at many corporations discard candidates if they don’t have college listed on their resumes. It’s a total bullshit practice, but it happens a lot. Often times the actual team manager doesn't even know that HR is doing this, and could care less if candidates have a degree. In Silicon Valley? Most managers are literally former hackers that decided getting paid was kinda cool.
That said, if you don’t have plans to get a degree, go and attend college for at least one semester and then drop out. This gives you the ability to legitimately put “some college” on your applications and resume, and be able to provide proof (transcripts) that you went for a semester. I know for a fact I’ve gotten at least one job because I bypassed a filter and explained I couldn’t afford college during my interview.
SUMMARY
This whole guide is based on the idea of going legit for your income. So be legit. I’ve laid out a pretty solid method to convert your younger hacking years into usable job experience for your resume. The way you ultimately decide to implement these ideas is up to you, but doing it through these channels isn’t all that difficult. Yes you’ll spend a year or two working boring/lame jobs, but that’s how real life works.
I’ve done the math and I’ve seen the average pay for mid-tier carders. According to one study, mid-tier carders make $90,000/year on average. Doing legitimate Infosec work during the day can *easily* get you paid $150,000/year, but with the bonus of not having to constantly worry about jail. $90,000/year and worry constantly about feds? No fuckin thanks, fam! But if you have guaranteed millions waiting for me let’s talk maybe, lmao. (it dont exist, its a joke.)
HINT: Anyone offering that is likely a fed, haha.
TL;DR for the whole document: Go fuck yourself, thats what. It takes 10–15 minutes to read this guide.. if you’re too lazy to read it then you’re definitely too lazy to make real money ;)
IF YOU ENJOYED THIS GARBAGE, PLEASE RT IT!
[:::::::::::::::::::::::::EOF:::::::::::::::::::::::::]