Episode: 3692
Title: HPR3692: What is a real hacker?
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3692/hpr3692.mp3
Transcribed: 2025-10-25 04:11:00
---
This is Hacker Public Radio Episode 3692 for Tuesday the 27th of September 2022. Today's show is entitled, What Is A Real Hacker? It is part of the series Privacy and Security. It is hosted by Lurking Prion and is about 31 minutes long. It carries an explicit flag. The summary is: I discuss the issue of what makes a real hacker with my son. Alright, welcome to the episode. I'm joined here again by my son, Isaac. Hello. Alright. He sat in earlier this week. I did an interview for a student who is interested in becoming a Hacker. So he was asking me questions and about my experiences as an ethical hacker, what I've done, what kind of education, all that fun stuff. Well, that brings us to the inevitable question of what is a real Hacker? And I get this question all the time and I get into these arguments. Well, I don't get into them, I witness them. What is a real Hacker? What do you say, Isaac? What's a real Hacker? A real Hacker is probably not somebody that just like gets somebody's login information. That's not a Hacker, that's just somebody who is, yeah, but a Hacker is probably someone who can digitally breach into a system. What can you do that with a password? Yeah. And see, this kind of brings me to my point of everyone's perception of a Hacker is different. We all have different perceptions. I have a different perception than my son. And I probably have a different perception from everyone that's listening to this. So let me rephrase the question, what's a real doctor? That's a harder question, right? Is a podiatrist a real doctor? I mean, he only works on feet, but is he a real doctor? I guess so. What about a cardiologist? Is he a real doctor? I mean, I guess so. What about a gastroenterologist? They just deal with your gut? Well, yeah. What about a brain surgeon? 
Yeah, like even... And you see where I'm going with this is when you say what is a real anything? What's a real carpenter? What is a real lawyer? What is a real judge? What it, you know, the thing is there's a lot of factors that go into that. And I'm going to say that the question is not what is a real anything? What's a real... What makes a real Hacker? That's like saying what makes a real doctor? A degree makes you a doctor. You go through medical school, you get your doctorate, and you pass the medical boards, and boom, you're a doctor. Does that mean you're a good doctor? No. No, no, and we know that. We've all seen plenty of legitimate doctors that aren't very good, but technically they are doctors. So I'm not going to talk about what is a real hacker. That is an ambiguous question that you will never get an answer to. What I'm not going to talk about is what makes a hacker? Because again, that's ambiguous, and it's all relative. And it depends on what it is that we're talking about as far as what hacking actually is. And it means something different to everyone. So that is, again, an argument that you'll never win. And if somebody sits there and tries to tell you, oh, I'm a real hacker and somebody isn't, well, by what criteria are you making that assumption? I mean, when you sit there and say, I'm a real hacker, but nobody else is. Well, that sounds pretty arrogant to me. I mean, that'd be like somebody saying, oh, I'm a real lawyer and no one else is a lawyer. I'm pretty sure that that's not a true statement. And I'm also pretty sure that if you're saying that, you probably aren't as good as you think you are. Just saying, that's usually people who are crying out for help. They need some attention. They never got love from mommy. And they seem to sit there and just say, well, if I tell everyone the best, and I put everyone else down, then I'm going to get the attention that I need. 
Please, somebody, if you hear this, just go give that person a hug and tell them you love them and it's okay. Just say, look, stop being an asshole. Here's some love. I'm going to give you a hug. There you go. I know mommy didn't do this for you, but there you go. You can feel better and go on your merry little way. And I'm dead serious about that. So what makes a good hacker? Now, this, again, it all depends on what we're talking about hacking. Are we talking about hacking into web applications? Are we talking about hacking web databases? Are we talking about network hacking? Which model of the OSI are you operating at? Are we talking about hardware hacking? Are we dealing with regular IT systems? Are we dealing with purely cloud environments? And if so, which cloud environment? Because they're not all the same. And are we dealing with maybe industrial control systems? Because those, again, have their own unique thing. So when you take the disparity of what exists in the world of IT, think about all the different operating systems, all the different hardware that it sits on, all the different drivers, all the different applications, all of the different protocols that run to allow these things to communicate. There is a ginormous amount of stuff that nobody can know all of it. You can't. And even in IT, I mean, you'll see job applications where they want somebody to be an expert in, like, 20 different things and be willing to pay you half of what they would have paid some one five years ago. But that's just companies being stupid. In the real world, though, we get siloed. We specialize in something. Whatever that something happens to be, whether you're a programmer or a developer, and even if you're a developer, you're going to get siloed working on certain types of programs or certain kinds of projects, because this is what you're good at. If you're doing networking, you're going to get siloed working on that kind of stuff. 
And even within the networking environment, are you touching firewalls? Are any kind of boundary protection? Or are you simply just internal? So we have this mass of siloed knowledge. And to expect a hacker to be any less specialized is ridiculous, because you have to know a system well enough to be able to exploit it before you can hack it. So that means you have to have a level of knowledge that lets you know how this thing works and be able to reverse engineer that and make it do something that it was not intended to do. And then take that and do something with it that furthers your goal, whatever that happens to be. Today, it's very easy to get into hacking. The people who are really smart have made tools. They've got GUIs, they're graphical interfaces. They ask you a question, you push a button, it does it. What the fuck happened? What did you do? I don't know, but now I'm in someone's network. Congratulations, you're a fucking hacker. No, no, you're not. You're a fucking script kiddie. That's what we call them. You can run a script. You can follow fucking simple instructions that you saw on YouTube. Oh, download this thing, put this in. And boom, now you're in. Yeah, you're a fucking script kiddie. You're not a hacker. Go home and fucking put your head under the sheets and wait for the boogeyman to come and get you. Now, the people who develop those tools, the people who are actually looking at the applications, identifying the weaknesses, figuring out how to exploit them and writing the code to do it, and then putting it together so the other idiots can go and exploit it, well, those, my friend, are the real hackers. Now, does that mean you're not a real hacker if you use tools? No, no, not at all. I have no problem with somebody using tools. And again, you're gonna have to use a wide assortment of tools. And the problem with tools is the less often you use them, the less proficient you become at using them. It's like anything else. 
If you are really good at playing a guitar and then you put it away for 10 years, when you come back, you're gonna have to knock off some rust and kind of figure out, okay, how do I make my fingers do this again? And then boom, you're back at it and then after a little while, your fingers start remembering what to do and then hey, you're back at it. But I'm not knocking people who use tools. That's not what I'm saying. What I'm saying is people who purely are just using a tool, getting in and calling themselves real hackers and putting down everyone else, well, I would say take a look in the mirror and see if that's really true because I'm willing to bet it's not. Now, can other people use those tools as part of a process, understanding what that tool does? Anytime I use a tool, I know both the command line and the GUI. When I say, okay, on the GUI, go ahead and do this. I know exactly what it's doing. When it runs that command, I know what it's doing. I know what it's doing. I know how it's working on the back end. I know what it's taking advantage of. But that's the difference is I understand the tool and how it works. I understand what it does. There's plenty of people who just follow directions and boom, now all of a sudden they're hackers. Well, that's a sad situation and a place we probably shouldn't be. But we are. And the barrier to entry into hacking is so low that I would say there is no barrier. As long as you can get a hold of a computer and find your way to YouTube or Reddit, you can become a hacker. It's easy. You go, you download the tools, you follow someone's tutorial and boom, you're in. You're a hacker. Well, you're a script kiddie. But anyway, you can go and put down everyone else and tell them that they're not real hackers and that only you are because you follow someone else's tutorial using someone else's tool that you have no idea what the fuck it did. But hey, you're a real hacker because you got into some organization. Sounds legit, right? 
And the thing is, there are so many more of these people than we would even care to believe. Now, let's talk good hackers versus bad hackers. Again, this is a line that is not clearly drawn in the sand. What's good, what's bad? That is situational, my friend. What is good in one situation could clearly be bad in another situation? There needs to be context to the action. So it depends on the situation and the context in which it's given as to whether or not something is good or bad. Now, at the end of the day, it comes down to intention. And I see this pretty clearly. Is my intention to help my customer become better and less susceptible to attackers? I would classify that as good. Somebody, on the other hand, who is hacking in for profit, motivation, revenge, financial gain, something that really does not have that entity's best interest in mind. Well, you're probably not good. But, again, I told you context, right? Well, let's take the current state of affairs in Ukraine. There's a whole bunch of hackers who are working on both sides. There are Russian hackers who are working in the Russian interest attacking everyone who's supporting Ukraine. Are they bad? It's not necessarily. Not necessarily, they're defending their country. So, are they bad? Again, hard to say. Now, the people jumping in on Ukraine side, attacking Russia. Are they good? Not, again, it depends which side of the coin you're on and how you look at it. And what all is being done, is there a vested interest in this? So many different things. And for those of us who are what we call white hackers, look, I just want to remind you all that pretty much any of us are a couple paychecks away from being a black-hat hacker. You lose enough money, you lose enough things in your life, and you can't find any employment. Those skills start to look pretty good. You may have spent a whole lot of time defending organizations, and you know exactly what their weaknesses are and how easy it is to get into. 
And you know where there's something that you could get and sell for money. I know it's sad, and I don't like to talk about it, but the truth is, sometimes necessity is going to drive you to do things that you wouldn't necessarily do. Now, for me personally, I have a huge allergy to prison, huge, I really do not think I would do well in prison, and I recognize that about myself. And I also know that with my Scottish blood, I have shit for luck, zero luck. So it would be my luck that the very first time I did something bad, it would happen to be that there was an FBI informant that was there working with me on it, and I wouldn't end up going and spending the rest of my life in prison without ever getting anywhere. But that's just my luck, and that's my fear. And thus, I would probably starve to death before I tried to do that. I would be out bagging groceries or picking up garbage or something, maybe even putting a cardboard sign up and standing on the street corner, because at least in a lot of places that won't get you in jail, not all. They're cracking down on that. But other people, they're not as morally bound, they don't have the same allergy to prison. So, again, what's good, what's bad? You know, everybody. It depends on point of view. Everybody rationalizes things in their own way. And I'm not sitting here saying that one is good and one is bad. Now, from a legal standpoint, depending upon which country you're in, can I definitely draw a line on that? Yeah, absolutely. But you're talking to anyone anywhere in the world with any kind of a background. Yeah, no, I can't draw that same line without knowing more context. And that personally is a decision for each person to make. Some people start out as black hat hackers and then realize the amount of damage they've inflicted and move over to becoming white hat hackers. We've got plenty of people that are perfectly happy being gray hat. 
We've got plenty of people that are just happy doing things and the fact that they make money off it is good, too. There's all kinds of things. So, that's not what this is about. This is about what makes a good hacker. So, in my experience, knowing the system that you're attacking, knowing how it works, knowing what the tools that you are using to exploit that system are doing. What are those commands that are being run? How is it impacting the backend system? And what can you do with that after you get in? It is one thing to exploit a system, but then you've got to pivot from there to somewhere else. Okay, I got into a printer on somebody's network. That's great. What do I do now that I'm on a printer on someone's network? How do I pivot to get to something that's actually important? So, it takes more skills than just being able to run a single solitary exploit. So, what makes a good hacker? Knowledge, knowledge, knowledge. And then again, you know, people ask me, well, hey, is it better to just do things like Hack The Box and other capture the flags where I can just learn to hone my skills or should I go to college or should I get certifications? And again, my answer is yes. It depends. Now, I am a huge fan of education, huge fan. You guys already know that. I'm a huge proponent of going to college and getting your degree. I am a huge proponent of advanced education. And the thing is, is you learn more than just how a system works when you go through college. You're exposed to other things that broaden your horizons, open you up to new things. It teaches you how to research. It teaches you how to be more open to different kinds of concepts, how to broaden your horizons and have a less narrow construct of the world. So, I am a huge fan of education for many reasons. But with that knowledge, you go to college, you get your degree, you learn how those systems work, what they, how they function, how they communicate, how they interconnect. 
And then you can go on and practice those skills on different hacking sites like Black Box or Packed Box or whatever it is that you want to do. And then you can go and get certifications after you've gotten sufficiently skilled at it. And you're like, hey, I'm pretty sure I can do this. Let me go take this test and get a certification. Great. Should you get a certification instead of education? Me personally, I say no. I say get both. Get the education and the certification. As you're going through school, you're gonna be learning stuff. Take that learning, build a lab at home or find stuff online, hone those skills to the point where you can get a certification. If you can get certifications while you are going through college, that is an extra bonus. And then always, always, always hands-on experience. You can have a degree, you can have buttloads of certifications. But if you have no experience, nobody wants to hire you. And that's a problem because you want to get hired. That's kind of the point. You want to get hired. So internships, if you're in college, you probably have a good chance to go through and do internships. If there's not that opportunity, look at companies around you and see if you can find a company that does pen testing and say, hey, I really want to get into this. I have no experience, but I'm willing to learn. I'll work for free or maybe cheap, whatever the case happens to be. Can I come out and work with you guys? Do stuff, help you with grunt work. Just I really want to learn. I'd like the opportunity. You're going to find that a lot of companies are very receptive to that. So kind of look for those opportunities. And keep in mind, if you ask a lot of people are going to say, no, there's me a lot of companies say, no, we don't do that. No, we don't need anybody. No, we don't need any help. No, I don't want to pay anyone else. No, I don't want the risk. But then somebody's going to say, hey, yeah, that sounds cool. 
We could kind of use some extra help. And I don't need a full time employee. But yeah, if you want to come in and help, we'll be happy to teach you. But you have to keep asking until you find that opportunity. And then that helps you with actual experience. And the thing is, don't just stop at companies that do pen testing. There are lots of organizations around you that do security that need help. Like what about your library, your public library? What about the grocery stores that you go to, the drug stores, the corner stores, wherever you go to get gas? All of those places have some kind of a team doing something. Now, it might be nothing, or it could be a lot of something. So you might walk in and say, well, hey, what kind of computer security do you have? And you might find out that the corner store that you go to has zero security. In which case, you might be scratching your head and wanting to go cancel your credit cards and get something else like cash to buy stuff there. It's just the way it is. So maybe you could help them out and say, hey, you know, here's some things that you could work on and make yourself more secure. Now, does everybody want to be more secure? No, I've worked for doctors here in the US that flat out told me to my face that HIPAA was a myth. I'm like, what the fuck? And they're like, yeah, HIPAA is a myth. It's not real, it doesn't exist. I'm like, well, there's people in jail right now that would disagree with you, but okay. So I stopped working for those or with those people and would not let them put my name anywhere near their company as ridiculous, but there it is. Now, the next thing about what makes a real hacker, most real hackers I know are actually pretty humble people. They don't go tooting their own horn and honestly, the fewer people that know what their actual skills are, the better. They don't really want people to know how good they are at what they do. 
They hide that and they will emphasize other parts of their life, like they might even advertise a completely different profession on the outside to the world, not even letting people know that they're even a hacker. So now, other people, are they proud of being a hacker and out there advocating for the community? Sure, absolutely. But does that mean that they're not a real hacker? No, not at all. We need people out there advocating for the hacker community. We need people out there letting companies know that they need to pick up their fucking game and do some real security. We need to let governments know that hey, you've got an emergency management system that anybody with freaking two cents worth of knowledge could fucking exploit. Maybe the government should get off its ass and fucking do something. You only had two years, but hey, did you do anything? No, because we move at the speed of government. Well, now it's out there, everybody fucking knows. Maybe they'll do something now. Otherwise, you're gonna have tornado gaur alarms going off every four hours. Not so good. But what's to stop it? Morality. A fear of jail, not wanting to get caught. There's a number of things. So what makes a real hacker, in my experience, it's going to be someone who is knowledgeable, understands the tools they use and what the effects are of those tools. And then what they can do with it after they get in. Now, are all hackers computer experts? No, are all hackers hardware experts? No, we got people out there that all they do is social engineering. Are they real hackers? Yeah, they can get into literally any organization with just a phone call. Are they a real hacker? Yeah, absolutely. They are a real hacker. People who sit there and put down social engineers saying, oh, they're not real hackers. That's like telling a podiatrist, they're not a fucking doctor. Yes, yes, they are. 
They just work on something that you don't think is important or isn't technical enough for you. For you, maybe only a brain surgeon is a real doctor. And if you're not a brain surgeon, then you're not a fucking doctor. In which case, we're back to that initial argument of what is a real fill-in-the-fucking-blank. So, what is a hacker? Yes, what is a real hacker? Not a valid question. So, if anyone sits there and says, oh, I'm the only real hacker that's here. Chances are, they're not. They're not and they're probably the only one who isn't a hacker. But that's just my experience. And just wanted to add a little bit more for context so that people understand. And when you ask this question, what is a real hacker? The answer to that is yes. Same as what's a real doctor? Yes, what's a real lawyer? Yes, but what is a good lawyer? What is a good doctor? What is a good hacker? Those are skills and verifiable skills. And the ability to use them in a way that is constructive. Now, is that constructive good or bad? That's not this argument. I'm not here saying that. But the thing is, can you use those tools effectively and understand what they do? If the answer is yes, then yeah, welcome to the club. You're a real hacker. If on the other hand, you think you're the only hacker and nobody else is? Well, chances are, you are not even on the road to becoming a hacker. You've just fallen into some weird soup and I would recommend going and seeing a psychologist because you probably need some help and probably a lot of drugs and a few hugs. And if your mom's not there to give you a hug, go find somebody else to give you a fucking hug because that's what you need. Stop crying for attention and telling other people they're stupid. So, what do you think a real hacker is? Based on what you said, definitely, how knowledgeable they are and how it necessarily, you see, how much experience they are. Like, I can't really think of anything else, but definitely knowledge is a part of that. 
And that's the thing, my friends, knowledge. People when they go to med school, some people study harder than others. Some people learn things better than others. Some people retain the information better than others. Knowledge, knowledge is what makes someone better than someone else at any given task. What is your knowledge and your proficiency with that knowledge? We have knowledge and we have the amount of time that you've been using that knowledge. So, these are things to consider, knowledge and time. And that's really what separates anybody from anybody else, anybody else in any given field. Well, what's a better librarian? Well, obviously, the librarian that knows more is probably gonna be a better librarian and if they have more experience and if they have a good work ethic, you might know a lot of shit but have a horrible work ethic. Are you gonna be a good anything? No, are you probably still gonna find a paycheck? Yeah, but we got plenty of people that collect a fucking paycheck. We don't need that. We need people that are actually good at what they do and are willing to do the work to get the paycheck that you're being offered. It's just that simple. So, what is a real hacker? Yes, if you are the only real hacker in the room, well, you're not probably. That's probably very well said. You're not a real hacker. And there you go. That's my two cents. I hope you all have a wonderful and glorious week and try to remember. Let's focus on being the best that we can be at whatever it is that we have chosen to do. Whether it's being a taxi driver or a brain surgeon or a hacker, focus, learn, practice, commit. And let's all become better than we were yesterday. Everybody should be striving to be a little bit better today than they were yesterday. Think of your future self and say, hey, future self, I'm gonna do you a favor and become smarter today so that you'll be better tomorrow. And hopefully, you all will be better tomorrow as well. 
So, with that, I'm gonna say good night. Y'all have a good one. Cheerio! You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive, and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.