May 04 2015
My teenagers, like many teenagers, are curious about what their father does for a living. They’ve been to maker faires, security conferences, unconferences, Defcon, BSides, Hack in the Box, and they’ve really enjoyed them all. They’ve heard me talk about all sorts of current events in the context of computer security. Quite frankly, I’m a little surprised they still want to hear about security and privacy considering my propensity to monologue (aka rant) about most things security related at the drop of a hat. But they’re both sponges and given that security has become something that’s in the public awareness, they’re still interested in security, and by extension, hacking. Or maybe it’s security that’s ‘by extension’, because the idea of breaking into something will always be sexier than the idea of securing it.
This weekend that curiosity hit a critical threshold and the oldest Spawn asked “Dad, how can I learn to hack?” Now, I’ve never been a hacker, just a tinkerer who understands a little about a lot of things, so I did what many good security professionals do when faced with a question: I went to Twitter. And I got a lot of good suggestions from folks like Wim Remes (@wimremes), Improbably Eireann (@blackswanburst), Andreas Lindh (@addelindh), Adrian (@alien8) and Erik Wolfe (@ArchNemeSys), just to name a few. I also got some cynical feedback from Sid (@trojan7Sec), but that’s fodder for a different blog post.
Before I get to the list of sites sent to me, I have to mention another experiment I’m trying with the Spawn and for my own education. As my co-worker, Larry Cashdollar (@_larry0), suggested, I have a Raspberry Pi 2 with Kali Linux sitting in the living room waiting for the Spawn to get curious enough to start poking around on it. I taught them how to use PuTTY to log into it and let them go, but it is a bit intimidating for a first-time Linux user and it’s mostly sat there untouched so far. That being said, the very first thing Spawn0 did was to change the admin password on me and lock me out of the system, until he came into my office giggling like a maniac. It was a proud Dad moment.
So, without further ado, here’s a list of the suggestions:
- Untrusted – This was the first suggestion I received and the one that Spawn0 immediately latched onto. He completed everything but the last level in one afternoon. His feedback was that it’s not exactly a ‘hacking’ tutorial, but that it’s interesting and fun nonetheless.
- Metasploitable – Another request by Spawn0 was a suggestion for a Linux VM for him to play with and learn on. Metasploitable is a great tool for exactly that, especially when it’s coupled with the Kali Linux RPi system for testing from.
- Over The Wire – “learn and practice security concepts in the form of fun-filled games” pretty well sums it up. I’ve always maintained that security and hacking are more about the thought processes behind decisions than they are about the technology and this helps build the foundations for those thoughts.
- Hack This Site – This one came in while he was in the depths of Untrusted, so it hasn’t been tested yet. I played with it when it first came out and I’m interested to see how it’s evolved and how a young adult can learn from the site.
- Cybrary.it – More of a library than a tutorial, there’s still a lot of information to be gained from this site. I’m not going to encourage the Spawn to become a CISSP, though I may point him in the direction of the CCNA. Foundational networking is more important than having knowledge that’s a mile wide and an inch deep.
- Hacking: The Art of Exploitation – Back to my theme of understanding the foundations, this book looks at the underlying ideas of hacking. Originally published in 2003 and updated in 2008, it’s still recommended reading today. Thanks to my team at Akamai, I brought home a copy of Future Crimes by Marc Goodman from RSA, and both of the Spawn are taking turns reading it. Might explain the uptick in hacking interest.
- Mathy Vanhoef – I was pointed to the Memory Hacking blog post, but there’s a lot crammed into a few posts on this site. Probably beyond a beginner, and some of it’s beyond my understanding as well.
I don’t necessarily want either of my underlings … I mean children … to follow in my footsteps and become security professionals, but I’m a strong believer in exploring as many different interests as possible. And anything they learn about hacking, from the underlying philosophies to the technical details, will be helpful in their future. No matter what they decide to do with their lives, knowing how to program, how to hack and how things work at the bits and bytes level is going to be important in their futures. And it gives me an excuse to dust off some of my own skills as well.
More suggestions for sites to add to the list are appreciated.
Edited to add suggestions from Twitter:
- From @gianluca_string – Exploit Exercises – A host of virtual machines to beat upon and break. Gianluca Stringhini says he’s using them in his hacking class this semester.
- A glaring oversight when talking about teaching kids to hack was HacKid Conference. Both of the Spawn consider this to be the best experience they’ve ever had at a security conference. Wish I could take them again, but living in the UK makes it unlikely. (hat tip to @beaker and apologies for missing this the first run through)
- From @EricGershman – PicoCTF – This was a competition targeting middle and high school students from last year, but it’s been continued with access given to teachers for tracking of their students.