Hacker Perspective: Teague Newman
A hacker is someone who can make something work in the way they wish because they understand the "how" behind it. Physical or logical, the basis doesn't really matter. It is the desire to understand the mechanics and the process. It's the "how" and the "why" that is central to the thought process of a hacker. However, it goes beyond just being curious. It's also the implementation. Personally, I work with computers, but that is not the only type of person who I think can be a hacker. A hacker is also someone who is willing to use their end creation or modification and stand by its design no matter if it's hardware, software, or even a procedure or a philosophy.
The hacker ideology spreads much further than computer hardware and software. So often in mainstream media, the phrase "hacker" is used with a malicious connotation. This perversion of the term makes many people who truly embody what a hacker is shy away from the hacker community due to a fear of being labeled something "derogatory." Others simply feel that they "don't work on computers," so there is no way that they could be a hacker. I've met many people who would never consider themselves hackers but they truly are the essence of what a hacker should be.
Initially, I never labeled myself as a hacker because I somewhat felt the term should be earned. I didn't want to be the person that just went around saying "I'm a hacker," while having no real basis for saying so. That aside, I think I have embodied my own definition of a hacker for longer than I was willing to admit to myself. I've always tried to understand how exactly things worked. Sometimes it was out of curiosity and other times it was out of necessity.
When I was in high school, I began to care more about the details of how things worked. I can definitively recall an incident where it was out of necessity. I was doing a paper for school on my computer and it was in the 11th hour. That's when Murphy's Law kicked in. The computer blue-screened and I was unable to finish my paper. At this point, I was comfortable with computers, but not knowledgeable enough to fix everything myself. I can remember making a number of phone calls desperately trying to find someone who could fix my computer on very short notice. When I finally reached someone, I was quoted a figure of around three hundred dollars to fix the computer... That was the defining moment where I began to learn much more about computers.
I knew that I could not afford to pay to have it fixed and I also knew that my paper had to be done before the next morning. I went to a friend's house and we began to search the Internet for information on the error. Between the two of us, we were able to determine what was wrong and devise a solution to get my machine back up and running so that I could turn in my paper the next morning. This was the point where I became comfortable with attempting to fix my own computer.
The next logical progression of this was to become comfortable working on the hardware. Once again, this came from necessity. The issue this time was that static had fried my graphics card. I decided once again to fix the issue myself and went out to the store to buy a graphics card. When I got home, I opened up the computer case and swapped out the old card for the new one. It was the first time I had actually opened my computer case, but it really was so much more than that. I successfully swapped out the card, but more importantly, I removed another barrier. In this situation, the case had always been a physical barrier between me and the actual hardware. Once I acknowledged that barrier, I was able to move past it. Previously, it had been "out of sight, out of mind," but now it was something that was within my reach and eventually led to me learning about all the components contained within.
These two events removed limitations that I had set upon myself. They were small steps, but they were confidence-builders. They showed me that working on a computer was not beyond my reach even though, at the time, it was not my primary focus. I was now much more comfortable working on and around computers. There was one more thing that really solidified my confidence and enabled me to trust myself enough to really start working on things on my own: my brother, Drew.
I can recall a phone conversation where my brother was telling me about Linux and explaining it on a basic level. After the conversation, he sent me a few distributions and encouraged me to buy some swappable hard drives and the bays for them. With the swappable drives, I could install one or more distributions per drive and see which I liked the best. At this point, I was comfortable enough to add the bays to my own machine - and installing an operating system was not the daunting task it was a few years before.
I played with the different distributions on and off for a few months and became fairly comfortable using them. Drew now tasked me with setting up servers running certain services and left me to my own devices. There was one particularly brutal Java install that left me dumbfounded. I had asked questions to all my usual sources and could not find anyone who knew how to fix the particular issue and no one seemed to know where to look for good documentation. I called my brother, feeling rather defeated, and began asking him if he knew what was going wrong. He didn't particularly know what the problem was, but his solution was what solidified everything. I can't recall exactly what was said, but it was something to the effect of, "...be resourceful, don't just pursue your regular avenues. There is a solution out there. You just need to find it. If what you are doing isn't working, try something else until you figure out what you need." Shortly after that conversation, I found what I needed and finished up the install.
The advice was basic, but it was the catalyst that made everything mesh. I no longer felt like I would break something by opening it or working on it myself and realized that there is always an answer out there - you just have to find or create it. I now felt completely liberated. Nothing seemed out of reach. That doesn't mean everything is convenient or affordable, but the majority of the time you can figure out just about anything if you are willing to try and look for the associated information.
I now looked into everything that interested me and actively tried to gain a deep understanding of how things worked. This permeated all aspects of my life. I looked into everything from how graffiti artists gained access to some of the more obscure places, how satellite cards are programmed, and even how to reprogram the chips in friends' cars to adjust things such as air fuel ratios.
Aside from taking a deep look into everyday things, I became interested in security vulnerabilities. By this point in my life, I had many certifications from industry vendors. After going through all of this training, I had a pretty good general idea of how things should be implemented when deploying a computer or network. When this knowledge was combined with real life experience, patterns began to emerge. Many times in production environments, things are not deployed as securely as they should be. The reasons for this may vary, but the end result is the same: you are left with a vulnerable system.
In my spare time, I set up labs at home to simulate these vulnerable systems. I would then try to exploit these systems to learn more about the actual vulnerabilities as well as how to prevent them. I had a really romantic idea that maybe one day I could actually get paid to exploit systems and help show people how to secure them as well.
The idea of being a pen-tester was really still a pipe dream. I was doing general consulting on anything computer related and any security jobs I received were a bonus. I had taken the Off Sec 101 class and thoroughly enjoyed it, but just couldn't break into the penetration testing field. The problem in transitioning to the penetration testing field was how do you pitch your first test? Are people going to let you attack their network when you have no prior professional experience doing it? It was the problem of "You can't do the job unless you have experience, but you can't get the jobs that give you experience because you have no prior experience." It seemed like an impossible predicament.
And then I caught a break. In 2009, James Shewmaker ran a section of the U.S. Cyber Challenge. It was a capture the flag competition - that also happened to be free. So I enrolled. I looked at the competition as a place where I could validate what I had learned in my own lab and in the classes I had taken. As it turned out, I did pretty well and was able to prove to myself, and others, that I could actually apply these skills.
I continued competing in every round that was held, but, more importantly, a community began to form and I stayed involved. James left the network up between rounds so that participants could tinker. Many of us hung out in IRC and shared knowledge and worked on projects together between rounds. It was here that I picked up a few new tricks, and was also able to help others learn a thing or two.
By the end of the year, I had ranked fairly high in the rounds in which I competed. At this point, a handful of the top competitors were invited to Washington D.C. to compete in an "all stars" round. This was great; it was the first time that I was able to meet the people that I had been competing against and working with for the better part of a year. James had also scheduled CNN to cover the event and we ended up making the front page of CNN.com.
From that point on, I was able to transition into exactly what I wanted to do. There were people who currently worked in the information security field involved in the competition which, in turn, led to many of us getting job offers. It was no longer a pipe dream. I'm lucky enough to now be a professional penetration tester and instructor. I enjoy what I do very much and consider myself very fortunate to be able to do what was once only a "romantic idea." It seems as if I have found the perfect fit. The work I do enables me to stay on top of current industry trends and their associated vulnerabilities and the flexible schedule has even allowed me to do my own research. Being an instructor allows me to share my own knowledge as well as learn things from those I teach. My students seem to always teach me something also. There is always someone who has a rare piece of knowledge that they are happy to share with me.
The best advice I can give to aspiring hackers is to acknowledge your barriers and go one step beyond them. If you know what is blocking you and are willing to take that first step into learning about it, you may very well find that it isn't as difficult or daunting as you may have initially imagined it to be. When you take curiosity past the point of "I wonder," and mix that with a desire to learn and the motivation to acquire the necessary knowledge, you can master anything you want.
Teague Newman is currently working out of the Washington D.C. area as a professional penetration tester/security researcher. He was most recently a member of a team composed of Tiffany Rad, John Strauchs, and an exploit writer who exposed vulnerabilities in the way PLCs are implemented in correctional facilities.