My Journey in & out of the Hacker Community

I decided to write this after telling a few stories to friends at RSA that brought me down memory lane. Since then I have been thinking about my early adventures in computers and the hacking community, and I thought this would be a great way for me to both remember and share them with others. I had a ton of fun writing this and going through old memories and photos. It was cathartic and it's making me want to tinker again! The troubled teen years turned cybersecurity professional is a good progression.

Warez Years - Middle School

Computer games were the reason most teenagers in the early 2000's got into computers. I was no exception; I remember playing Myst, Diablo and GTA 1 & 2 on the PC. I put a lot of hours into video games and consequently trying to install, add modifications, and debug them. I was around 12 at the time, too young to be eligible for work, so I started using the web to acquire new games to play. My parents had a limit on the number they were willing to buy. After exhausting all the free games online, I started to get into warez, which is slang for softwares, and refers to the online community of illicit and illegal software trading. Most of the warez websites served porn advertisements and virii on the regular so I was always trying to hide it from my parents, but eventually the risk was too high for HTTP downloads so I moved to FTP servers, and then finally found IRC (Internet Relay Chat), a popular chat protocol during that period that could also send files over DCC. I learned that there were IRC communities that shared their warez, and they were safer, so I downloaded the mIRC client for Windows and started connecting to different servers I found on the web, learning the IRC commands and how to socialize with people much older than me who had no idea they were talking to a 12 year old.

The really cool thing about IRC and warez was all the operational scripts people were developing to share their software, and the updated file transfer method called XDCC which allowed larger files to be shared. I remember downloading Warcraft 3, on dial-up, from a Canadian server..it took 14 long agonizing days to download. My father was so incredibly pissed at the phone line being tied up, "what if Grandma got sick and fell and couldn't reach us!?!?". Luckily, XDCC has the ability to resume your transfers so to circumvent getting yelled out, I would then start the download at night after my parents went to sleep, and then stop it before I went to school in the morning freeing the phone line up during the day and evening for my parents to not notice but selfishly tying it up if Grandma had a late night emergency (thankfully she did not!). Eventually, an illegal copy of Warcraft 3 was mine and I played until I got bored. Then I moved on from games to learning more about what computers could do for me.

Side note: Not that this needs to be said but as an adult, I happily pay for all movies, albums, games, or media that I consume. I try to buy directly from artists when it's available :)

The Zine Years - 8th Grade

From IRC, I found much more than software. I found a community of people that were programming, causing mischief and hacking. At the time, I came across the coolest book in the world called the Anarchist's Cookbook and tried without much success many of the ways to get free phone calls, or free drinks from a vending machine, and so on. I got both bored and disappointed from the poorly written and thought out book, and moved on to 2600: The Hacker Quarterly magazine to learn more about technology and how to abuse or circumvent it. I would beg my parents to drive me to Barnes & Noble in Evansville, IN every several months, an hour drive, to get the latest issue of the magazine which I found fascinating. Reading it felt like I was part of secret club. I started web development and moved onto learning to program in C, Visual Basic 6, and began running Slackware Linux in the 8th grade.

My parents were not happy with electricity bill but this was my home lab, it grew over several years with multiple desktops, servers, and rack mounted network equipment. All running a Linux distribution, OpenBSD or FreeBSD.

At this time, I made a friend in middle school, who was troubled and anti-social like me, but on a whole different level. Regularly getting suspended, even expelled, and eventually going to juvenile hall and jail several times after 18. I wasn't innocent (more on that). He was incredibly smart though, and funny. He actually had a perfect score in calculus in highschool because he loved math, and failed all his other classes on purpose because he wasn't interested. Anyways, in middle-school we became friends and later perhaps rivals where we were always competing at computers. He was way better at programming than me, better at computers even, and wrote a lot of fun tools to disrupt chats (DoS) on AIM, and Yahoo Messenger. Later he wrote a tool to hide data in ICMP messages which I thought was the coolest thing ever. We learned from each other, started a website together and then after high-school started the Southern Indiana Computer Klub.

He and I always tried to circumvent the schools computer systems. Looking back the admin in the school system was actually pretty good. We had to get creative. I remember my friend elevating with Administrative privileges from the Windows print spooler at one point. I damaged several computers by rebooting into safe mode and running rm -rf equivalent at the time. This is something I am not proud of, and I got pay back when I became and admin many years later. I also booted one of the machines with a password recovery disc to get the credentials which were used in several parts of the network. I did not get caught for those but I did suspended from school for 2 days for telling a student how to set a screensaver message and put a password on it. They had profanity written scrolling across the screen that was going to obviously be seen, and when they were caught I was the accomplice.

Moving along, I remember one of the math teachers in 8th grade asking the class, "Do you know who the best student is at computers?". It wasn't me. At first, it annoyed me, but then it emboldened me and caused me to focus and try harder, learn more. I had something to prove. The stakes have never been so low :) We then split ways, his family moved to another city and we stopped communicating for several years, but found each other again in 12th grade, but before that happened I just lost my computer friend and needed to fill that void so I started to meet other hackers in different cities, online at first.

The Hacker Community Years - High School

I remember hearing all about different hacker conferences on online forums that I wanted to be part of. A place for hackers to get together and share knowledge, it sounded like the best thing ever. BinRev (Binary Revolution) was one of those forums that I spent a good amount of time on and from which I made friends, not just online, but in person. At the time, I was working at the local grocer, bagging groceries, stocking shelves, and checking out customers. It was rural where we lived, there wasn't a lot of opportunity to meet others interested in these sort of things. I saved up money and begged my parents to let me drive to Cleveland, OH to attend my first hacker conference called Notacon. I had enough to get there, get a hotel room for 2 nights, have gas to get back but not enough to eat out so I packed my own food for the trip. I had an amazing time and learned so much from a very welcoming community, who I was much younger than. Several of them appreciated my story and desire to be there. I was introduced to many things there but locksport was one thing that really caught my interest early own. Breaking out of handcuffs and picking locks is something you see in the movies, and I was about to learn how to do it. I met Schuyler Towne, who ended having a History channel episode on lockpicking many years later. I spent some time with him at the conference where he showed me how to pick. I then linked up with the Bloomington FOOLS (Fraternal Order of Lock Sport) at the same conference and met dosman and his crew who where only about 2 hours away from where I lived in Indiana. They were in Bloomington, IN and those guys became my friends for many years. I would drive up to learn about lock picking, ham radio, pager systems, unix, and all sorts of things that they dabbled in. It was starting to feel like I found my people.

I became addicted, always eager for the next convention. I wanted to go every possible one. I couldn't afford to though on my own, luckily my parents were relatively supportive of it. I just had to pay for most of it so I started to find ways to reduce my costs and I started asking on forums for people that I could crash with. Dosman and Adrian Crenshaw (Irongeek), were both always incredibly generous to me, I will never forget that. I hitched rides with them and crashed on their hotel room floors many many times for Notacon, PhreakNIC, Hack3rCon, Hamvention, and more. I got to a point where I was going to ~10 cons a year. Meeting and hanging out with the pros, or those that were to become pros within several years.

I was able to meet many people, and some no doubt, do not remember who I am because I was just a kid, and I didn't stay in touch but whether they know it or not they all left lasting impressions on me and my skills & career development. As an example, I remember meeting Travis Goodspeed several times, when he was working on GoodFET and while he always seemed to be reading a book, he was open and easy to talk to. I asked him so many basic questions but he was really receptive and helpful and he got me interested hardware hacking which sadly, I didn't pursue much outside of several Adafruit and other circuit board kits.

These were not conferences but something else entirely. Conventions may be a better word: a gathering of hackers and tinkerers who shared their knowledge and then partied until the wee hours of the night. There was no corporate sponsorship, it by and for the hackers and tinkerers of that time. It was honestly amazing. I do like the corporate trade-shows as well like RSA, Black Hat, etc. but they're just not as special to me, different purpose; different type of value. More transactional, and we need transactions to grow our businesses.

Below, I added a few pictures from the conventions.

Notacon 6

Notacon was just a great overall conference for learning from fellow tinkerers and hackers.

PhreakNIC 14

PhreakNIC was always a wild time. Hotel room block and rooftop parties, live hacking, and everything that comes with being in a rough part of Nashville.

Hamvention

Hamvention is where you get to haggle for all sorts of old but awesome junk.

Hiatus to Make Music

I took a break from computers. One thing about me that sticks out is that I am a naturally curious person and like to explore many different things. I came across guitar playing from friends at school and took a hiatus on computers (as if it was my paid job) and started practicing guitar 6-8 hours a day. I eventually joined several bands, gigged regularly, recorded & released 2 EPs, bought a van, and went on a small tour across the midwest. I got really interested in the technology side of music: recording, microphones, amplification, etc. and spent a lot of time finding and trading niche equipment. A story for another time. Also, at this time, I was interested in girls and they liked rock and rollers more than they liked computer nerds. The break lasted about 3 years until my last year in high school when I had to start thinking about going to college an getting a job. I am thankful that I did not choose the recording industry, which my teachers and parents talked me out of. Life would have likely turned out very differently.

The band was great fun, I learned to build stage presence, be more social, be more confident, and to work a crowd. The DIY culture that old head punk rockers talk about was real, we were hungry and scrappy. We did our own marketing, merchandise, booked our own shows, made our own special effects; we were effectively learning how to run a small business. It was very valuable. The skills I learned here helped me to eventually run my own company, and be effective in managing open-source projects. It also enabled me to give great presentations. I can command an audience.

The band, called The Win System, named after a ham-radio network on the west coast, continued until my junior year in college. We break up at that point for several reasons I won't get into here.

Vocational Class - High School Senior Year

In my last year of high school, we had a vocational program where you could take a computer course and achieve the CompTIA A+ certification. I joined that program which was excellent. We had an amazing teacher named Buddy Hart who ran that program for several years. It was my respite from school and my chance to feel the spark of computers again. I made several friends and was reunited with my former friend and rival who happened to move back to one of the schools participating in the program. Unfortunately, he dropped out of high school in his last year but we stayed in touch at this point for several years to come. I was the only student to have passed the A+ test out of the class of ~12, but I knew he would have passed as well. I imagine the rates have increased since then.

This is what I needed though, to get back on track to my primary interest. I was able to nerd out on computers, and get my groove back. Though, I didn't spend as much time because I was still playing music, writing songs, and gigging but it gave me a path to approach for college, as I knew what I wanted I to go to school for.

College Years

When I started college, for Computer Networks and Information Security, at a trade-school, I was extremely focused on learning but also still an angsty adult. Let's be clear, I was barely an adult. Maturity hit me much later than my peers. I had long debates with the professors on the intricacies of TCP/IP or the init system in GNU/Linux OS which I was right nearly every time but that doesn't make the approach right. I cared so much about being right. Thankfully now I don't care at all which if you're reading this and are in a leadership position or married, you know how little that matters: in fact, being right is detrimental, it prohibits you from solving problems with others. In short, the professors hated me; and looking back, I hated me a little too. I often used the school's network as my playground for learning, with no malicious intent. I feel like I need to call that out here. I used the playground for 2 years, but at one point I was running a very aggressive network scan and a set of AV endpoints on student machines started creating alerts about malicious activity on the network. Several of them knew it was me (who else among the class?), and were more curious than anything but one student who I didn't jive with at the time, reported me. I remember being called into the office where I was being filmed, and grilled with questions to determine whether I was going to be expelled from school. Thankfully, they agreed that I was using this is a learning exercise and not trying to damage school property, which is true. That could have been another life-changing moment, but for the worst had I gotten expelled. This further entrenched their disdain for me.

Though, the school wasn't my only playground, so was the city and neighboring towns. I was regularly wardriving, mapping the WiFi spots across the county, dumpster diving for old gear and plans at businesses (especially big box stores), wardialing for modems to connect to, finding computers to exploit, and much more that I am not going into detail on. Thankfully, I managed to stay out of trouble. I feel very lucky for that, and even though I don't condone any of that now, those were valuable experiences for me at the time.

Below is a picture of the antenna I used from my car when wardriving around the town to map out all the residential and business Wifi networks I could leverage.

Remember my friend and rival? We stayed in touch at this point. He was in jail and I would print out copies of the Phrack zine at school, and mail them to him in jail for reading material so he could keep his mind sharp on all the latest exploitation methods and research. I printed all 60 something issues at the time, and I also read through about 30 of them, from the beginning because the culture and history was pretty interesting to me. I always love the Phrack interviews of hackers. Faculty members at the school noticed the additional printer expenses, or the high number of jobs (or length of the jobs) and I was caught, banned from the printer for a while.

One of the great lessons I had in school was from one of professors Marty Richey, who taught us the business side of IT; that as IT professionals, we serve a business enabler function, and we have to focus on driving productivity, and demonstrating an ROI. This was one of the most invaluable lessons I had in my life. Of all the professional lessons, this one really resonated with me and thankfully has been one of the things I am always focused on when making decisions. That professor, Marty, also owned a successful IT business in Evansville, IN and was hiring for a technical position, and I really wanted that position. I was trying to get my first job in IT so I talked to him about it. He was honest with me and told me that I had more than enough skills to do the actual job but he couldn't put me in front of people because of my attitude. Fair but dissapointing. Looking back, that was incredibly kind, life-changing feedback. I started to flip my script after that. I got myself in order, focused on professionalism, and my school work; I did what I could to get experience, starting with word of mouth IT side-jobs for local business whose printers topped working or computers were too slow.

I graduated, grew up a bit more, and felt ready and eager to join the workforce. I learned how to construct bridges instead of burning them and was starting to come into my own as a person and early professional.

Unix Admin Years - Early 20's

My first job was in technical support which I knew was a stepping-stone. There wasn't a lot of support calls, so when I wasn't taking them, I was studying the FreeBSD manual. Little did I know, 4 months later there would be a unix system admin job that opened up near me. It just so happened that I loved *nix operating systems. I would spend most of my days reading about them and using them build and host services in my home lab. I applied for the job, had 2x interviews, and came in for my 3rd and they went ahead and put me to work to debug an issue on a machine which I had no problem solving. I walked out that day as a unix admin with salary, responsibility, excitement, and purpose. I felt like a reached the peaked already, it's all I ever wanted, but at that time I really had no idea how high the mountain actually was.

I loved that job and I took the role very seriously. I was doing system admin work on AIX, Linux, FreeBSD, MacOS, and several other operating systems. I was using those systems to run the business and also securing them to reduce the organization's cyber risk. After learning about several previous security incidents before I joined the company, I turned that place into a productive Fort Knox. It reinvigorated my interest in computer and cybersecurity. I started getting back to programming, reading tech books, writing tech articles, and developing my open-source tools that I would use at work. I also started to contribute back to many different projects like SecurityOnion, Netsniff-NG, and others. I started a Linux User Group and a cyberpunk group called the Southern Indiana Computer Klub, and was in full force: networking, teaching, attending conferences again (but this time work was paying for them). I was living the life!

As part of the unix role, I also managed the network, working on Cisco routers and switches and many other devices. Outside of *nix OSs, network traffic and network security monitoring was my other passion. I began learning everything I could and developed out a Network Security Monitoring system at work, which led me into my next era of being a packet junkie. Richard Steven's TCP/IP Illustrated and the Douglas Comer & David Stevens' series of books, Internetworking with TCP/IP, were effectively my Bible and Quran. Richard Bejtlich's books were also very instrumental to me for the security aspect of network traffic.

I was obsessed with network traffic. It was the purest form of log.

Hack3rCon Black Badge & Conference Roadshow

I went to Hack3rCon for the first time. I rode in a van with Martin Bos (Backtrack / Kali Linux maintainer at the time) and Adrian Crenshaw, we had a 6 hour ride together. For the last day of the conference there was a Network King of the Hill (NKOT) contest that I participated in, my first one, and I ended up winning! The NKOT was a vulnerable lab where the winner is the one who is able to compromise & persist in the environment the most. I'm blanking from memory a bit on the details but I remember ARP Poison Routing the subnet to get people focusing on separate host while I compromised a Linux bot, and then immediately set up iptables rules to block out the other participants with exception of a few IPs that I made sure to use. I made it persistent with an init script so when they rebooted the system which they had to do a few times, the other participants were not going to be able to have a chance to own it.

I took home the black badge and had a lot of people talk to me and made friends with one particular guy named Rob Dixon who is a great dude and was supportive of me for many years. He encouraged me to do my first conference talk which I wasn't going to do without that encouragement. While I was still extremely nervous he booked me a slot for the talk at the next Hack3rCon. It was official so I spent the next 6 months doing research on how packets were processed from hardware to software, where BPF filters were applied, between userland and kernel space, and used that knowledge to develop a performant system that others can implement as the start of their network monitoring program.

I poured through academic papers, kernel source code, net-dev mailing lists and more to develop my conference talk track. Like I said, I was extremely nervous, and wanted to make sure I knew everything I could to have confidence in giving the talk. It was definitely overkill, looking back, it was way over most people's heads but it was something I was very proud of and it solidified my knowledge in that area as a bit of an expert. I had several universities reach out to repurpose some of my content which was icing on the cake. I began to write more articles on packet capture tools and even started a focus group called OpenNSM (Open Network Security Monitoring Group) and created a free Youtube series on Network Security Monitoring, all a few years later. Unfortunately due to job changes at that time, I never completed it :(

The talk was titled "What's Under Your Hood: Implementing a Network Traffic Monitoring System" and it went really well, I started to get e-mails from people looking for guidance or more information and I was invited back to speak again, and at several other conferences. I. was now on the conference presentation circuit, giving talks at several different conferences across the U.S. and also giving workshops on NSM / packet capture at universities.

After that, I made the next logical step and started working on existing open-source network monitoring projects including SecurityOnion, Netsniff-NG, Bro/Zeek, as well as a few other tools that I developed like ISLET to teach these tools. I evangelized many of these tools at conferences and articles online, I was doing a lot of evangelism for the open-source community, eventually presenting open-source focused conferences like MOSSCon and LinuxFest. If there's anything I know how to do it's how to keep very busy, which is a blessing and curse. My father has the same issue, he cannot not do something.

Startup Years - Mid 20's

Fast-Forward: After several years of attending & contributing to conferences, research, and open-source tools when I was mostly single, I got married and joined a startup called Komand. It was a life-changing opportunity to build something from the ground up with a group of passionate people, and also be able to have a successful exit. I worked 12-16 hours days for about a year and half and I was burnt out. I had no time for things outside of my job, barely enough for my marriage but we made it work. I was learning new, highly valuable skills on the fly but I had leave the hacker community. I didn't have time for it. I dropped all the things I was interested in including open-source projects, user groups and stopped creating OpenNSM content and could no longer run the group. Sadly it died; I didn't have a successor (there's a lesson in here too). I also did not stay in touch with my former friends which I do regret. I was in my own startup bubble. Couldn't see much beyond it. It was the only mission I had.

Eventually Rapid7 acquired Komand, which was a nice windfall for us (leadership team). After that happened, I was leading a software engineering team at Rapid7, and learning everything I could about people management. Then I moved into product management, become a product leader, and eventually owned a whole product line / business unit. Constantly learning without much thought or interest in my former roots; more focused on leadership, management, business, systems awareness. Life was great, but eventually I started to get a handle on everything and doing it all pretty well, and now I am at a point where I am starting to long for the community again, especially as I see the practitioner community in Tampa grow. Now I don't want to be a practitioner, but I want to be in the thick of it, or in the know, somehow. I've been thinking about building out a test lab to start building my chops again. The challenge is the time; work, family, and other hobbies.

I will see how this all plays out. It's been fluid for me, going in and out of the community at different times based on what's going on in my life. It's natural, and a natural end of an era.

That's Just the Beginning

What you have briefly read, were some of the most formative moments in my young adult life that gave me the lessons, direction, skills, and growth I needed to get where I am today. Note that I left a lot of things out for brevity, discretion, and because I can't remember it all. I cared less about the exact timeline and more about the events that shaped me. Everyone has their own journey, and I wouldn't change anything about mine, except perhaps being nicer but maybe then I wouldn't have had that ass-kicking feedback from Professor Richey? I've had many many moments of growth since then of course. We don't stop learning unless we choose to. I love learning, it's what makes life interesting and exciting.

I want to give a shout out to my mentors and friends who were instrumental during this period of my life. There many others but these were the ones that I remember most.

• Nick Schipp

• Nathan Heald

• Rob Dixon

• Adrian Crenshaw

• Buddy Hart

• Marty Richey

• Matt Scheurer

• Brian Blankenship

• Martin Bos

• David Kennedy

• Jon Klem

• Mike Downey

• Keith Pachulski

• Brian Martin

• Zach Schwenk

To wrap up, I've had an amazing more 10 years, built from the support and the experiences I had written here. These led me to learn cybersecurity at scale for the National Center for Supercomputing, publish academic research, run my own cybersecurity consultancy, develop cyber tools that have been used in the industry, help build a startup from the ground up, lead business units of ~100 people, be responsible for major product launches, serve as a board advisor and startup mentor, among many many other things. I am currently a product strategist, at Rapid7, leading Inorganic Growth (M&A and Partnership) initiatives to further our innovation around the most pressing cyber problems our customers are facing. I get to talk to founders every single week, and evaluate their tech and team..and I love it! I don't know what the next era is but I welcome it.