PREFACE

I’m making this guide for one reason, and one reason alone: I want to help people, mainly younger hackers, figure out how to get legitimate day jobs. If this post ends up only helping one person get their career started, it’ll be worth it.

CONTEXT: BLACKHAT VS. WHITEHAT VS. REALITY.

WHITEHAT: Horribly boring people that are in Infosec for all of the wrong reasons. They love reminding you they’re against hackers, and that they’re way smarter than any blackhat. (Hopefully we’ve annoyed at least one Uber-Whitehat who’s taking themselves too seriously right now) ;)

Being a teenage blackhat for fun and exploration is COMPLETELY different than being an adult blackhat for profit.

Career blackhat hackers tend to get caught. Detailed OPSEC, carefully executed operations, and planning eventually don’t matter on the one day that you accidentally fuck up. One day, and your door is getting kicked in.

WHOAMI

Some of you might be wondering why you should take advice from me. My best answer is: This is 100% how I made my career. I’ve been in the Information Security Industry for over 20 years, I’m fairly highly regarded IRL. But I’m an anomaly. Anomalies are fun. I want to help create more anomalies in the computer/tech security industry, though. Why? Cuz I’m old I realize that we need all the talent we can get. We need you.

  • I’m pushin 40, I work at a company you’ve heard of, and I’m paid well.
  • I’ve worked in almost every major sector including retailers, hospitality, communications, power grid/plants, medical, law offices.
  • I dropped out of High School at 17, got my GED instead.
  • I dropped out of college after one semester.
  • I don’t have any certifications (CISSP, CCNA, etc)
  • I don’t have a visible criminal record. [STFU&GETALAWYER]

DAT HACKING LIFE

Growing up I got completely hooked on hacking phones and computers. When I was 12 or 13, I started phone phreaking and explored the phreaking scene pretty heavily. Eventually I got into more hacking related stuff after the internet was in full-swing in the late 90s.

This is literally what Google looked like on LYNX in 1998. (pic thanks to redtahr)
Actually, its an IRIX system & I rooted it with this telnetd exploit from PacketStorm!

HACKING SKILLS vs. CORPORATE INFOSEC SKILLS

I didn’t realize it at the time, but every single one of my hacking excursions actually had very real value in corporate information security. Here’s a few hacks and their Infosec equivalent

  • Voicemail & PBX cracking (PBX Administration)
  • Juno RAS/password sniffing (Protocol analysis, security review)
  • DoS attacks, SYN/UDP flooding, etc (DoS mitigation techniques)
  • Spoofing DNS/Getting Reverse DNS setup for IRC (DNS Configuration)
  • Getting rooted/rm’d (Patching, Incident Response, OS hardening)
  • ipchains/iptables (Effective Firewall Writing Skills)
  • Taking Over Conference Bridges (Social Engineering Awareness)
  • Wireless Cracking (Wireless Security Auditing)

GET A JOB, LOSER

Remember my comment about applying at the local call center? It turns out the call center was hiring for Technical Support and became my first IT job. Even better, it was for Juno Technical Support. I pretty easily nailed the interview considering I knew their software inside and out, but call centers really don’t care about how technically skilled you are. They care whether you can read from a script and get to work on time. The old lady who barely knew how to use a mouse also passed the interview just as easily as I did.

JOB TITLE — RELEVANCY TO INFOSEC CAREER

Call Center: Customer Service/Technical Support — Working in a call center is incredibly valuable. It forces you to be on the phone and think quick on the fly. If you’re already a good social engineer, this job will be a great fit for you. If you’re not, here’s your chance to get social engineering training. You’ll find the skills you learn in a call center will be helpful for the rest of your career.

SK1LL LAUND3R1NG

SK1LL LAUND3R1NG is a term that describes the process of converting blackhat hacking skills into resume-friendly Infosec skills. It’s a way for younger hackers to more easily explain why they know how an LDAP server works, or why they understand what parameter sanity checking is without having to say they “I learned it in my spare time”.

SK1LL LAUND3R1NG: GETTING STARTED.

Instead of just letting all of your hacking experience go to waste, you’re going to start your own IT Consulting business and begin offering those same services.

  • File a DBA (Doing Business As) or a “Fictitious Name” form with the City/County Clerk.
  • Register a domain name for your business.
  • Build a simple one or two page website describing your services and your contact information.
  • Print up some business cards.
  • Buy a business face mask that pairs nicely with your suit.

WHAT ABOUT TAXES AND LEGAL FORMS, ETC?

For now, you don’t have to incorporate, file special taxes, or do anything other than get it on the books with the county clerk’s office as a registered business name. The whole reason for doing all this is that when a prospective employer does your background check, they can see that your business is indeed real and registered with the county. That’s why you need to be sure to do ALL of the steps, though. Otherwise you may fail a background check, and that is definitely not what we’re going for.

TURNING UR HACKS INTO $TACK$

Remember all those Solaris and FreeBSD boxes you’ve rooted? Remember all of the SQL injection attacks you’ve done? Those are all now Information Security Services that your new company offers. This is one of the few opportunities you’re going to get to legitimize your blackhat hacking experience, and turn it into whitehat experience. Do it, how can you possibly go wrong?

DEM ETHICS THO, AIN’T THIS LYING?

Using this method is only unethical if you skip the next and last chapter of this guide. Otherwise, you’re on the way to leveraging all of the skills you picked up while hacking and using them to focus on a legitimate jobs. This is a ticket to getting a good paying career that isn’t going to land you in jail.

GET ‘EM

The final step to make this work is to get a few customers to actually let you do the security/sysadmin work for them. This is SUPER EASY. Offer your services for cheap, or even free under your new company if you have to. Just start asking everyone you interact with if you can do IT/security work for them. People don’t turn down free IT work often, so you’ll have real customers in no time. A customer that you don’t charge is still a customer.

That anxious feeling when you ask a client to please be a client

WHY DON’T I JUST CHEAT? LOL

I know what you’re probably thinking right now. “Why bother with the last step? Fuck it, I’ll just lie and setup the fake shell company!” Yeah, you can do that and probably get away with it too. But why not just take the extra time to do it? The whole point is to clean things up for your day job.

LOL WOOPS MY SK1LL LAUND3R1NG COMPANY IS ACTUALLY PROFITABLE!

You’ve just won the game and legitimized all of your younger blackhat hacking days into usable Infosec experience that you can put on your resume, guilt free. :>

TRICKY COLLEGE TRICK

One last job hack worth mentioning is a tricky thing I did for my college experience. If you haven’t noticed, almost all jobs want candidates that have college degrees. If you scroll up and look under the “WHOAMI” section, you’ll notice it says I dropped out after one semester of college. Why did I drop out after one semester? I couldn’t afford it. But I noticed something interesting happened after I started putting this line on my resume:

SUMMARY

This whole guide is based on the idea of going legit for your income. So be legit. I’ve laid out a pretty solid method to convert your younger hacking years into usable job experience for your resume. The way you ultimately decide to implement these ideas is up to you, but doing it through these channels isn’t all that difficult. Yes you’ll spend a year or two working boring/lame jobs, but that’s how real life works.

--

--

RESARCH, I PROMISE ه҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿ Mildly entertaining at best

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
notdan

RESARCH, I PROMISE ه҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿҈̿ Mildly entertaining at best