Do not work as a Hacker - A Warning to you all
Hey rootcat, how can I start to learn hacking?
Hello Mr. Rootcat, can you recommend a starting point, for me to learn penetration testing?
Hola señor rootcat, can you help me land a job as a red teamer?
Buddy, don’t! I’m warning you! Just don’t, I’ll spray you with a water bottle!
Let’s get one thing straight: this will not be a well-structured, thought-out, or balanced blogpost, this will just be a one-take rant with some fun and a little madness. I’m not actually bitter, nor do I fully regret my career choices. But we seriously need to stop glamorizing.
Look, it feels like it’s about 30 degrees Celsius in my flat, and no, I will not convert this to Fahrenheit, grow up, use SI units! I’m sick with a summer cold, which stopped me from going to a rave, so I’m pissed and ready to share some actual truths with you.
Don’t work as a Hacker, Pentester, or Red Teamer. There are downsides to this, you go mental. Just look at me, does this look sane to you:
What do you mean, nobody told you?
Oh yeah, the money can be good, but oh boy- do you like to stay sane? Enjoy a good worldview and love for society? Do you have, what’s it called again, ah yes hope, do you know that feeling? Then this job is not for you, I beg you, just do something else.
This path, it does things to you.
It’s about as subtle as the beginning of a Brutalism3000 gig, and makes you feel like 2 lines of pep, snorted from a pink iPhone of an exchange student from Barcelona, right before madattack starts blasting raggatek in your ears at 4am, in a dark cellar and you have no idea where the door is.
Sounds like fun to you? Yes, and that was a good night actually, but if you do this too much you go insane.
But I digress, so what’s so bad about it, really?
Well, if you commit to the hacker career path, you will find yourself in a different world, seeing a different, cynical reality, surrounded by pathological liars and snake oil salespeople. A world where nothing gets even remotely better and the only actual change you can observe over the years is in the different wordings of the NDAs you sign.
You will see shit and you will have daily experiences that will leave you changed, like you touched the warp. Now, my fellow heretic, if you pierce the veil and look behind the curtain, it is definitely interesting, but be aware of the dangers and permanent changes to your mind and soul. Sure, there are great stories to be found, secrets to be uncovered, and yes there is a great beat, but you pay a great cost.
And no, there will not be some twist at the end where hope comes back, this is my rant - and hope can’t come cause you could not beat that level in Baldur’s Gate, or she is at a psytrance festival, full of ketamine, and lost her phone while trying to pick a healing crystal, pick your own headcanon.
The cycle of madness
So, when I was about 10 years old, in an age before Instagram, back when industrial 8Bit filled the ancient Swabian woods, I would help people with their computer problems. For money.
These would often go like this:
Hans-Jörg: Hi rootcat, I set a password for this new Windows NT workstation, but now I have forgotten it, can you help please?
Me types in Password1, or Winter1994, or just the name of his overpriced car or football team, and that’s it, that’s the hack. Nothing changed, you still do it like this.
Today Hans-Jörg is a thought leader on LinkedIn, who talks to his 19k followers about the AI revolution in cyber, he has a bunch of security certificates and is a central and important dude in his company, where he is now a senior project manager.
After guessing his password to be Borussia2020! or MercedesG63! or some shit, you are in, just look in their shares for more passwords in Excel files and you are basically done. There are a lot of Hans-Jörgs in every industry, so this shit gets boring at some point.
You hack something for 15 minutes and then you start explaining it to people for the next 15 weeks, and it’s always the same. Nearly no org has actual good security, only compliance, snake oil or LinkedIn buzzwords. You either talk to technical people, who know everything is fucked and tell you it’s because their project manager believes 9 pregnant women can produce a baby in 1 month, or you talk to the project manager or, often worse - higher-ups.
Understand that you spend your time talking to people who insist they know security, which means they have never done, or even seen, an actual hack, and you are probably the first real hacker they talk to in their lifetime.
No org actually has a grip on their data, accounts, or assets, and all of them either know they should have implemented some sort of rights and access management decades ago, or they live in a place completely detached from reality, in pure denial.
When talking to the denial group, you feel like you start to rehearse the dance fight with Anakin every day on superloop, where Coleman Trebor gets shot the same way every day, only it’s the project lead, and he never ever learns. He thinks they need to employ more agile AI-mobile quantum computing and implement zero trust, while they get blaster shot to the face by a 15-year-old - stoned out of his mind, but able to perceive reality - who just hacks them from his couch in Krasnoyarsk and drops the ransomware.
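The Hans-Jörg passwords above all belong to one family: a dictionary word (season, club, car, "Password"), a year or a short counter, and maybe one punctuation character to satisfy a complexity rule. Here is a small audit check for that family, written as a defender's tool for reviewing a password policy or the output of an internal password audit. This is an added example, not code from the original post; the base-word list is constructed and would be replaced by the organization's own local terms.

```python
import re
from datetime import date

# Constructed, illustrative base-word list: the classics plus the kind of
# org-specific terms (local club, car brand, company name) an auditor adds.
COMMON_BASE_WORDS = {
    "password", "welcome", "summer", "winter", "spring", "autumn", "fall",
    "borussia", "mercedes", "acme",  # hypothetical org-specific additions
}

# letters, optional separator, optional 1-4 digits, optional trailing punctuation
PATTERN = re.compile(r"^([a-z]+)[._-]?(\d{1,4})?([!@#$%^&*?.]*)$", re.IGNORECASE)


def weak_password_reasons(password, base_words=COMMON_BASE_WORDS, current_year=None):
    """Return the reasons a password matches the 'word + year + punctuation' family.

    An empty list means the password does not fit this pattern family; it says
    nothing about other weaknesses (reuse, leaked lists, length).
    """
    current_year = current_year or date.today().year
    reasons = []
    m = PATTERN.match(password)
    if not m:
        return reasons
    word, digits, punct = m.group(1).lower(), m.group(2), m.group(3)

    # "MercedesG63!" still starts with a known base word, so check prefixes, not equality.
    base = next((w for w in base_words if word.startswith(w)), None)
    if base:
        reasons.append(f"starts with common/org base word '{base}'")

    if digits:
        n = int(digits)
        if len(digits) == 4 and 1970 <= n <= current_year + 1:
            reasons.append(f"ends with a year ({digits})")
        elif len(digits) <= 2:
            reasons.append(f"ends with a short counter ({digits})")

    # Trailing "!" on an otherwise weak password only satisfies a complexity rule.
    if punct and len(punct) <= 2 and reasons:
        reasons.append(f"trailing punctuation '{punct}' only satisfies a complexity rule")
    return reasons


def audit(passwords, **kwargs):
    """Map each candidate password to its list of reasons (empty list = not in this family)."""
    return {pw: weak_password_reasons(pw, **kwargs) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample input, the patterns named in the post plus two controls.
    for pw, why in audit(["Password1", "Winter1994", "Borussia2020!", "MercedesG63!",
                          "Tr0ub4dor&3", "correct horse battery staple"]).items():
        print(f"{pw!r}: {'WEAK ' + '; '.join(why) if why else 'not in this pattern family'}")
```

Run it against the plaintext candidates from a sanctioned internal audit, never against a log of real logins, and feed the matched base words back into the blocklist your password-change hook enforces.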
Sometimes I feel like, I’m having discussions with seven climate change deniers tripping balls on acid, about whether or not the Moon is real.
And then there are those who know and understand, these are the worst, cause you relate and feel for them. They know it’s all shit, but what are they gonna do, start from zero again? Tell their CEOs, the whole company should shut down, because every IT process is simply bad and we need to do it all again, it will take about 5 years if they have the best people working on it. But the best people at this point, have fled such companies and are now planting salad in a garden collective, and slowly regain their sanity.
What do you think happens after you have hacked a big enough org and shown them how their core processes can be abused, the same processes - mind you - people got bonuses for, cause they delivered them only weeks after schedule and some of them even work to some degree. The very same processes, software or projects they sell to their customers, or the core IT of their entire business model.
You think the CEO steps back and says: We just learned we have built a shitty company with shitty IT and have actually no idea what we are doing, even though the technical people warned us every day.
Yeah right, so we all collectively forget we just had this talk at all.
Sometimes after an especially devastating red teaming/pentest, where you guessed Hans-Jörg’s password and then owned the whole IT, exactly nothing happens. Sometimes it gets buried, or its whole existence denied. Acknowledgment of the found flaws would otherwise result in questions of responsibility, it would mean accountability, change and a fundamentally different approach to how things are done, besides a shit ton of work.
You think any big organization really does this? You think anyone thanks you for that revelation?
The more fundamentally you have shown the core flaws of an org, the more likely it is to actually not react at all.
And now, slowly read the sentence above again and let the full truth and dread set in as you understand, what the implications of this truly mean for us all.
But, the cool techniques
Sure, there are also fancy techniques and in the beginning of the job it seems there is so much variation. But you do this for a while and actually it repeats itself, like all the time. Oh, this is an RCE for Exchange, … or look, if you send this string to Citrix it will then …, uff!
Every fucking year. Nothing ever changes. The same vulns just get recycled and remade like 90s blockbuster movies. Nothing ever gets fixed or better. Not even a little.
Back in about 1995, on Windows NT, you could plug a printer in or out and this would then allow you to select a driver for the printer. This could be done on the login screen, it would then open the explorer with system permissions, letting you search for the print driver. So, bypassing the login screen and giving you elevated permissions. Stupid right?
I just did a variation of this, this year. It’s been almost 30 years! You will do the same shit over and over again, tell people about it, watch it go away for a time and come back again.
There is probably not a single vulnerability, from let’s say the 90s, that ever got fixed permanently and has not returned since then. You think we would be done with XSS, passwords, stupid bypasses, but no, it’s on a never-ending repeat. Same shit different day.
But rootcat, listen, you do a lot of cloud shit, that was not there in 1994. True, and you get the occasional glimpse of something new, but most of the time the vulns are just, well, that shouldn’t be on the Internet, or we did not know how to configure that, or the ever classic, we actually have no rights and permission management. Mostly it’s the non-existence of basics or thought-out processes.
If you truly start to understand that we as a society seem to be incapable of fixing even just one (1) recurring vulnerability, this will drive you so mad, you unironically will be dancing to Star Wars meme songs, cause the beat is real catchy. And oh please, do not under any circumstances deduce what that means for the future of society, or you will be in the main cast of Don’t Look Up.
Make sure everybody has Zimas.
The perils of knowledge
Because it is your job to hack systems and processes, you become the Harbinger of Doom, the Queen of Blades, the Chosen of Khorne and Chairman Meow of Digital Catslaps. That means all you see every day are the flaws. You never get to build anything, you just destroy and bring the payne.
That will change your view, cause you start most projects in the beginning with people explaining their tech stacks, their thoughts and what they have implemented to secure this and why this data is super secure. Then you hack that and steal that data.
Every time? No. But most of the time, and it’s hard not to become cynical about it. You are there to provide a reality check for complex systems, which have been constructed by people who believe in sprints, stand-up meetings, have agile rituals and ask ChatGPT for advice - mindless rituals, software homeopathy and AI hallucinations. Of course, these systems, which have been conceived by minds no longer connected to reality, will fail a real-life attack.
Even worse, you will see so much variation of companies, systems and processes, and most simply do not even work. I’m not talking security here; they just do not work as intended. Sooner or later, you will find yourself in a world where you start to assume that most of what you are told is either a lie, really dumb, or that their stuff flat out does not work like they think it does.
A lot of regular working folk know at least one process in their company right now that is broken, really unsafe and stupid, but they assume - cause they still have hope - that somewhere else it is done better. Surely in banking, health care, the state, aerospace or the defense industry, things are better. Somewhere, they must be better, right?
You do not have that luxury anymore, and once you have seen how broken most things actually are, it is hard to unsee and regain that hope. The warp-taint has you now.
Explain why you don’t steal shit
The only things you maybe actually create are scripts for other hackers, some exploits and the likes. For a moment this feels good, the process of building something.
Till people write you emails detailing a technical problem, while clearly doing some illegal shit with it. Some just plainly ask you for help to hack something. Sometimes I get weird and possibly scary ones, like: please help, I need to see if my girlfriend is actually okay, I have not heard from her in a week, can you hack her iPhone?
Or you get CEOs just flat out asking you to commit crimes for them. Why are you acting so weird? I just asked if you could hack the go-live of our competitor, since you are a professional hacker, what’s your rate?
And not just per mail, or anonymously, literally in person. I had this one company leader actually do this, after I had done a project for them. He was calling from his car, cursing at people who were not driving fast enough, and he could not understand why I did not want to do that. Some CEOs, let me tell you, have a totally different morality, view of the law and ethics than regular folk - and that’s putting it nicely.
But you get other people also, who are surprised when you don’t suddenly turn criminal just cause you can hack. They ask you why you’re not out there extorting companies for big money, you know, because you got the skills, dummy.
As if all that is stopping you from stealing your neighbor’s TV, when he is on vacation, is your lack of skill on how to smash a window! Really, that is all that’s keeping you? That and maybe you think you might get caught? Get outa here!
And let’s not even start with the whole actual criminal underground, let’s not even go there, or this post will never end. I shall not speak about: the madness of the ransomware scenes, all the porn you find on executives’ laptops, the shit you find in people’s emails, or how you start to feel when underground kingpins like your cat meme on X.
Oh, and I should also not even start on all the players/vendors in the industry, the false promises, the absolute incompetence of security vendors, the total confusion and utter madness of who did a hack and what even is an advanced persistent threat.
I just say this: if you write a shell today and then someone sends it to Trend Micro, CrowdStrike, Palo Alto and the likes, you can then expect them to write a blogpost about it in the next days.
In this post you will get assigned a name like clowny bear, dancing unicorn spider or some shit and congratulations you are now an APT. People will put you in talks, podcasts, LinkedIn posts, paid threat intelligence platforms, and tell stories about your connections to other underground mafias, all with absolute zero evidence and the whole industry is just cool with that. It’s fine.
One day you will get insights and realize that almost every single time a press statement says: No data has been taken, the defense acted swift and secure, our established security guidelines enable us … - that you are just two clicks away from the full leak, if you know where to look. Often you find the leaks first, then the press statement claiming the leak does not exist.
When you have seen a teenage hacker livestreaming his hack on Discord, tweeting the sensitive data to the company as he is hacking, all the while the very same company is out there claiming this is not happening; well, let’s just say that does something to you.
And before you know it, you’re digging in the ransomware-leaks of the sub-contractor from your provider of additional dental insurance, to search for your own banking data. Do you have to change credit cards again or can it wait, till the next leak?
And all the while you will be listening to hardcore Dutch rap, cause the only thing that keeps you somewhat sane at this point is you singing: De hele nacht, we gaan Thunder!
Buddy ask yourself, you really want all that?