This week's security brown bag topic was the Quad9 filtered DNS service: pros and cons, alternatives, etc. This post contains my notes.
This page exists to aggregate resources that may be useful to folks interested in starting out as hackers. It's made up of a few mini-essays and many links and references to longer-form resources. Don't try to go through it linearly; skim for topics that interest you and cherry-pick what you find useful right now. The rest will still be here if and when you need it.
Feedback most welcome via the usual channels.
There's plenty of writing out there about what it means to be a hacker. You should be familiar with the definition of "hacker" from the Jargon File. There's a lot in the Jargon File that I consider outdated, but it's a seminal part of our cultural history. Having at least a passing familiarity is worth your time.
You'll find, as you read different accounts, that there's disagreement on what makes a hacker. This is the nature of the one thing we do generally agree on: a hacker must be a creature of independent thought and action. It clearly follows that we view what we do differently.
I plan a future blog post to cover some of my thoughts on the matter. For now, I intend to give you just a few tips to help you begin grokking how the community works.
Hacker identity is rooted in independence, personal responsibility, and competence. Getting respect in our community requires that you value these qualities, and demonstrate that you are doing your best to live up to them (no one ever does completely, but that's just being human).
We honestly don't expect newbies to show up with a ton of competence. Everyone started out knowing very little. The problem newbies are the ones lacking independence and personal responsibility.
We cannot read your mind and tell you what you will be good at; it's your job to find things and try them. You will fail at some things, succeed at others but be too bored to become great, and have various other not-the-right-fits before you find your niche. This is generally considered to be a necessary part of your professional evolution. The process both ensures that you end up working on things you actually care about and have talent for, and ensures that you gain at least a cursory familiarity with a handful of areas outside your core expertise.
We do not have time to hold your hand. You should be respectful of our time by using documentation, learning how to be easy to support and mentor, asking questions appropriately on IRC and mailing lists, and so on.
Part of personal responsibility is not walking around with a sense of entitlement. I use that word in the American sense, where "entitlement" has come to mean "the belief one is owed things neither earned nor paid for". Many people show up and say "teach me".
I had some amazing teachers and mentors when I was younger. A few years ago, when I was really feeling a lot of weight on my shoulders due to just how few people in my generation had picked up some of the subspecialties I work in, I talked to a couple of my mentors about it. I felt responsible for so much, and I felt alone. My mentors were supportive, but at this point they were aging: a couple had died, more were slowing down or preparing to retire. I'd just realized that it would fall to me to fill the gap, and I needed to train my own help if I were going to have any.
"Why didn't you teach anybody else?" I asked, feeling slightly childish.
They said that they had been waiting for more competent students to come along.
I couldn't believe it. I wasn't competent when I started. I was 12 years old, and I didn't know that there was more than one programming language in the world or what an issue queue was. They taught me anyway. I demanded to know why I was different.
The answers were all along the lines of "you were just so cute and helpful that we couldn't bear to turn you away".
I spent a couple of years--yes, years--just facepalming at the idea of "cute and helpful" as selection criteria for future internet maintainers. Then, one day, I suddenly grokked...
"Cute" in this context meant that I was polite, didn't complain when corrected or when I didn't know things, and I tended to make the channel more pleasant to be in. My enthusiasm was catching. "Helpful" was about how I showed up. It never occurred to me to go to strangers and ask them to teach me things for free. That wasn't part of my culture. I showed up and started doing scutwork... fixing small bugs, triaging issues, giving support in IRC and on mailing lists, and fixing documentation. I learned things by quickly becoming part of the "inner circle" of many projects. I was liked for my good attitude and hard work, and why wouldn't even the most highly sought-after developer take a half-hour to help explain something to a kid who was doing hours of free work on his or her project? It turns out that "cute and helpful", or rather, "pleasant, courteous, and ready to work" isn't such a bad metric after all.
I cannot emphasize enough that this is the key to getting the best quality of hacker education, without going to or paying for school. Do high-quality, free work for smart people, and do it with an amazing attitude.
I'll cover this strategy in more detail later, under "How To Learn".
Kinds of Hackers
Many people equate "hacking" with "pentesting", or breaking into things. That's a lot like equating "engineering" with "failure testing components": you've named one task amid a huge and varied discipline, ignoring the rest. While some of what you will find in this document applies to software and hardware hacking in general, the focus is on learning to defend networks and secure infrastructure software.
Building Out Your Kit
No matter what kind of hacking you intend to focus on, you'll need good tools. For the software and information security hacker, this will mean a workstation and some sort of lab setup at a minimum.
A hacker's primary workstation
First of all, yes, you must run Linux or BSD. Get over it now. This is probably different than what you are accustomed to, and yes, a few hackers get by using Mac OS or Windows as a primary workstation. The people who do so are expert enough to work around the shortcomings of those systems. If you, as a newbie, work from those systems, about every third thing you do will require extra time and debugging. You will be asking your mentors to put in extra work to make up for the inadequacies of your tools, and wait for you to take longer to learn, because you are not using the most efficient possible tools.
When you ask people to do work for your benefit, such as teaching you valuable and highly marketable skills that they take personal risk in teaching you, you disrespect them by making it harder and slower merely for your comfort.