So You Want to Be an InfoSec Professional…
In August, some of the Labs team chatted on an AMA on Reddit. One of the most common questions we got was, “How did you get started in infosec, and how do I get started?”
Our most common answer within the team was, “Hacking video games!”, which drew some much-deserved ire from our fellow gamers. But beyond that, we all got our start in different ways with different specialties. Two of our senior Labs hackers shared their stories:
Mark Loveless (@simplenomad)
My first real hacking experience was on the family Apple ][, which had a modem. I used my Dad’s X.25 account to start exploring systems by trial and error. A lot of systems had splash screens that would say things like “use ‘guest’ and ‘password’ if you don’t have an account” or some other instruction to allow access. Encountering systems that didn’t have this message required accounts and passwords you’d have to just guess. I actually had no idea this was considered “hacking.” In the process of looking around on various systems and local BBSs, I stumbled into the underground.
That helped immensely, as I’d really gotten into breaking copy protection on floppy disks for pirating software. I developed this interest because my dad was in what was, in essence, a warez group as part of his job. There was plenty of info on this on various BBSs, but the best info was on the hacker BBSs.
Back then, for some lost reason I used a different handle on every system. As it turns out, Operation Sundevil missed me, probably in part because of this habit. I eventually settled on the handle “Simple Nomad” when I got onto Hacker’s Haven in the 303 area code, and stuck with that.
Between USENET, IRC and security conferences, way back last century I eventually met in-person many hackers I knew, including Dug Song. I was there when security companies starting snarfing up hackers and forming research departments, where I met Steve Manzuik. Eventually, everyone got all serious and the fun was sucked out of security research — until I found out from Steve that Duo was hiring and wanted to put the fun back into hacking. Yay!
Steve Manzuik (@hellNbak_)
As a little kid, I was already annoying my parents by taking apart things like our TV and VCR, but I didn’t get my first computer until I was around 10 years old. This was back in the 8086-and-5 ¼-inch-floppy-disk days. In my small town there were only two or three other kids that had computers, but we immediately began comparing high scores to our favorite games.
Very quickly this turned into, “Who can cheat the best at our favorite games?,” and we pooled our money together to buy whatever game we were interested in and then attempted to copy it. Even back then, software companies would attempt to protect their titles from piracy, but I quickly learned that I was pretty good at figuring out ways around it, even building a hardware device that plugged into the floppy drive controller that helped in some of the more extreme cases.
It wasn’t long before I discovered a few hacking-themed BBSs, which led to finding some of the amazing text files back then from old phreaking groups like Legions of Doom. This further sparked my interest, and I read every text file I could get my hands on. Back then, I’d actually print them up on my dot matrix printer so I could read them offline.
My first job out of high school was in IT, but I always maintained an interest in all things security and hacking. In the 90s, I met a hacker who back then was the person to talk to about hacking Novell Netware systems, which I was working with a lot in my job. We ended up getting along and learning from each other until one day he told me about an open position on one of the early research teams — BindView RAZOR. I jumped at the chance to take my first real security job, and since then I haven’t looked back. Incidentally, this hacker was a much younger Simple Nomad, whose story you just read.
For me, the best way I learned and gained the skills that I use in my job today was by spending a lot of time reading and experimenting with technology. Obviously, in this day and age, one has to be careful to not cross any lines when experimenting, but luckily we have the ability to run virtual environments to use as targets, rather than real-world systems.
Where to Learn More
The common thread here, and in most of our individual stories, is a desire to tinker and try to break things to better understand them. That, combined with being a part of a hacker community that educates and supports n00bs, helped our security researchers ultimately find similar paths that have converged at Duo, where they’re doing awesome things like finding serious vulnerabilities in Windows OEM, playing with public Wi-Fi, and attempting the first Push authentication from the boundary of space.
A great resource to get your feet wet in infosec is Diogo Felix’s Awesome Infosec list. That list’s Related Awesome Lists section links to various specializations and related concepts.
Have questions? Interested, but you need inspiration for a project? Stuck on a step of your n00b projects? We had a blast doing the AMA, and we’d love to keep the conversation going with you at community.duo.com.