Are you a “Real” hacker or just a skiddie?

This is yet another guest post from our good friend Matt Gardenghi! If you enjoy this one, don't forget to check his last one: Trusting the Browser (a ckeditor short story).
------------------
Often, I hear arguments that go like this: real hackers write code and exploits; everyone else is a script-kiddie.

That is a dumb argument from all sorts of levels.  For starters, those who make this observation are usually those who can write code.  Therefore, everyone who can't meet their personal standards/abilities as a coder are "skiddies" who demean the profession.

I find it intriguing that everyone defines the basis for a good pentester by their own capabilities.  Clearly you think that you are good and it's normal to think that everyone will want to be good just like you.  Consequently, they should all do as you do, right?  Wrong.  We need diversity of backgrounds, skills, and opinions.  It's healthy not to inbreed (intellectually or otherwise).

Arrogance is the assumption that I set the standard.  So, let's not be arrogant.  None of us are so good that we objectively define the standard for all other pentesters.

We are all in a process of growing and developing.  We all started as "skiddies" and we all progressed from there.  Instead of drawing people onward in the profession, to many practitioners discourage those coming behind.  The "experienced" testers set the bar equal to their own skills and years of experience or to their skill set when they walked into their first pentesting job.  (Doubt me?  Go look at forums where someone asks what skills are necessary to be a pentester.  Every single answer is different and is based on the author's personal skill set and experiences.)  I may not have a tool in my toolkit that you have.  That doesn't mean I can't get the job done, I just might have to think differently and creatively to solve it in another way.

I took GWAPT from Kevin Johnson and Seth Misenar.  Anyone care to call them skiddies?  They both walked into the field from other professions and lacked the ability to read much code or write much code.  They still don't consider themselves coders; they say that they hack code.  And yet they developed into experienced and qualified testers.  So why would you tell newcomers that they need a CS degree and the ability to read/write shellcode or else they aren't capable of being "good?"  You could be pushing away the next best security guy by telling him that he's not qualified to start.

We don't want everyone to be an expert in the same field.  That leads to a lopsided inbred situation.  Since no one person can be an expert in every field, we need people who specialize in shellcode and exploit writing.  We need others who are experts in working through website security including the process of abusing assumptions.  We need some who have the skillsets to combine and apply the multitude of tools created by others in new and creative ways.  We need to interact and support each other and recognize that we actually need each other and the diverse talents that others bring.

I do think that all users should seek to understand what's going on in an exploit.  No one should fire off an exploit until they know A) it's not backdoored and B) whether it will hurt anything if it goes off badly.

As to those who wear their exploit writing skills on their sleeve?  Go for it.  It gives you a competitive advantage and you earned that.  Just recognize that you aren't the standard for the industry.  Other guys can often do the job competently and may meet the specific needs of the clients more effectively.  There is nothing wrong with that.  (For the record, I don't support people who call VA scans pentests.  That's a different issue.)

I just think that we as an industry, need to recognize that people with differing skill-sets might be better suited to a particular job than we are.  That and everyone has to start somewhere.  So please, how about we stop defining skiddies as anyone missing a piece of our personal toolkit?

6 thoughts on “Are you a “Real” hacker or just a skiddie?

  1. Reply

    Kirth

    Beautifully eloquent. One could say that skiddie-hate is a lot like racism. You judge others by only a pinch of what you know about them (in this case: 'they use tools written by others' or 'they currently have low knowledge of some fields').

    The "real hackers write their own code"-argument is hardly valid and a dumbed down generalisation.

    1. Reply

      Matt Gardenghi Post author

      Heh, I hadn't thought of the racism direction.... But it does come down to people viewing themselves as the standard for acceptability.

  2. Reply

    Aaron W.

    You criticise people for defining their own skill set as being the tools necessary for this industry. However, couldn't you just flip this around and say that people define the skills that they think are necessary, then focus their attention on learning those skills?

    1. Reply

      Matt Gardenghi Post author

      Yes, you could. But being a cynic, I don't think that is accurate.

      There are people who define personal goals and pursue them. Generally though, I suspect that if you read the comments, blogs, mailing list posts etc... you will find that I am correct.

      It could be six one half a dozen the other, but it doesn't read that way to me. Why do you think that it is the reverse? Or are you just prodding to see if I have a better reason than: That's the way I see it?

      :p

  3. Reply

    JershMagersh

    Running through some old posts I guess this was written a while ago, very cool though I liked it a lot. I've gotten a lot of grief from asking questions and trying to learn everything. I've been called a skiddie a ton of times but I really couldn't care less. I've been growing ever since I started getting into IT security and now I'm ahead of those people who once called me a Script Kiddie. Thanks for this, really awesome.

    JM

  4. Reply

    Theo Buchanan

    Great, glad to have the moral boost. God, I'm such a skiddie, I need all the help I can get. Me and my goddamn iMac...

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>