Hacker Perspective: Milton.Hernandez

My journey toward a life of hacking and cybersecurity began in high school.  I was born in 1966 so that put me in high school in the mid-1980s.  I was always a geek, and back then being a geek didn't mean what it means today.  I was socially awkward and read four years ahead of my grade level.  I read comic books and listened to Kraftwerk.  I had awful hair that I couldn't do anything with and didn't know how to dress.  I was essentially the template by which the character of Maurice Moss of The IT Crowd would be based upon.  And let's not even bring up girls.  I was the poster boy for uncool.

Then my school began to offer computer classes.  After having seen sci-fi movies like Colossus: The Forbin Project, Star Trek (TOS), and Star Wars and all such TV shows, it was the easiest decision to start learning to program in BASIC.  My school had a lab which they filled with Apple II Plus machines.  I should note that I grew up in an inner-city neighborhood and went to an inner-city school, so being drawn to technology and science shined a spotlight on you that you never wanted due to the mindset of most of the kids there, if you know what I mean.  I spent those years working to remain as invisible as possible, and not always being successful at it.

I had a conversation with my guidance counselor, who informed me that I could take classes at other schools to continue feeding my hunger for more computer knowledge.  So I spent the mornings at my own school and in the afternoons on alternate dates, I went to two other schools.  One school had an IBM mainframe (the model number escapes me) but it looked similar to the 1130.  It looked like a large refrigerator lying on its side with a card reading bay.  I learned to program in COBOL and reveled at using the punch card machine and feeding my programs into the card reader.  I'd cross my fingers as I waited for my output to print and occasionally get error messages which meant I had to go back to my stack of cards and find the one that caused the error and make a new one.  Tedious, yes, but I didn't care!  The feeling was electric, and I felt like I was on the inside of something that not many people were in on or even cared about.

The third school also had Apple II Plus machines like my own school, in addition to mainframes.  However, the students there were more advanced than those from my school.  It was there that I began using 8-bit video games and, more importantly, nibble copiers.  This was the time of 8" and 5.25" floppy disks and of Commodore 64 and other home computers.

I felt even more powerful as games were being shared with me with the use of the copier software.  My box of floppies became heavier as I added more Verbatim disks to it with the software I had gotten from the other school and had taken back to my own and found myself a minor celebrity among the other geeks there who hadn't taken advantage of attending other more advanced schools.  You can imagine the looks on the other kids' faces when I brought the 8-bit Strip Poker game and had to move the monitor so that the teachers wouldn't see what we were doing.  All of a sudden, staying at school after 3 pm was largely desired.  This meant I could look at the source code of these games and learn how they were written.  My family wasn't able to afford a Commodore 64 for me, so I had to do all my computing at school.  I began taking my dot matrix printouts and hanging them on my bedroom wall as encouragement to keep my studies up.

School had begun to bore me tremendously.  I didn't care about gym or history or anything else but my rudimentary computer classes.

In my junior year, I was taking geometry.  Yawn.  WarGames had been released that year and I was introduced to the world of hacking.  I knew this was the direction I was meant to take.  The reason I knew this was because I was flunking geometry, and I didn't want to have a bad grade on my record.  So, like David Lightman I cased the school's front office where there was a terminal sitting there just outside the swinging door that led to where the school secretaries sat.  I spent a week studying their lunch schedules and found a window of time where the front office was temporarily empty.

I ran to the terminal and pulled out the wood tray that was pocketed into the desk and found the list of past passwords and the current password.  I logged into the machine, and not thinking that I deserved a D, I changed my grade to a B.  Following this, I was waiting for my report card to arrive in the mail and breathed a heavy sigh of relief when I had escaped being scolded by my parents for what could have been a bad grade.  I went to school the next day with a bounce in my step feeling just like David Lightman for having beat the system.  I didn't tell a soul what I had done.  I didn't want to risk being called upon by however many students who would want me to repeat that action over and over.

Looking back now, I realize that at 16, I had performed my first social engineering attack along with my first black hat hack utilizing a sort of shoulder surf technique.  At this point in my life, I defined hacking as doing something that would somehow provide a gain for myself.  More on this later.

With the nightmare of high school over, I moved on to college and, with that, the emergence of the Internet.  Email and rudimentary web pages were everywhere.

I must confess that my college life took me in a new direction and other interests temporarily replaced my computer studies, but I always believed that everything happens exactly when it's supposed to happen and cannot happen any other way.  I got into music and taught myself to play drums and joined different bands.  I enjoyed all the trappings of musician life that go along with it.  No explanation necessary.

I graduated from college and now it was time to start working.  I stumbled upon old high school computer notes and decided to take the CompTIA A+ course and exam.  I was reborn!

I began my career as a desktop support technician.  I would spend close to 20 years doing this for various companies.  Serving users didn't come without oddities and banalities.  Oddities such as users telling me they were inserting CDs into their desktop machines, only to find out that they were sliding the discs into the space between the tower case and the drive bay.  I'd then open the tower to find numerous discs sitting on top of the motherboard (slaps hand to forehead).  Banalities like people never understanding the proper way to change their network password.  In 2024.

From doing user support, I began to learn to build servers, both domain controllers and file servers.  I began to learn networking, which I would come to learn in time was necessary in regard to learning hacking.  I learned DHCP and DNS and what their functions were for a time, while I was spending a lot of time learning from other techs as well as teaching myself.

Going back to the beginning of what I learned from my first hack, probably the most important thing is that hacking requires that you are constantly learning, especially if you are self-taught.

Following WarGames, the bug for me to learn hacking came with the movie Hackers.  I know, I know, the graphics are nowhere close to real and are actually ridiculous.  (This movie needs a remake.)

However, there are many real-world applications that come from that movie - social engineering, phreaking, CTFs, etc.  Once again, my hunger to learn hacking was energized.  I eventually took and passed the CEH exam.  Following this, I took the CompTIA Pentest+ exam.

Along came cybersecurity sites like TryHackMe and Hack The Box.

It was like a new dawn had emerged in a part of my life that I didn't know I needed until it presented itself.  I began to work through the different rooms for both of those sites, mostly TryHackMe.

Having hit a brick wall insofar as server support and user support, I began to actively pursue a job in cybersecurity.  For three years, I was applying to positions constantly.  The toughest part of cybersecurity is getting your foot in the door.  I can attest that certifications are not enough.  You have to find a way to gain some real-world experience.  I learned this the hard way when I applied for a job as a penetration tester for a European company.

I hadn't practiced enough, but they sent me a link to a VM to which I had to capture a few flags.  I had gained access but was unable to gain privilege escalation.  Thankfully, they were pretty cool about it and told me I could reapply again in the future.

That really lit a fire beneath me.  I began using Kali Linux and Parrot OS, which is truly the first step to any job in cybersecurity.  I hit TryHackMe pretty hard and began to work on the rooms on that site.  Not only this, but I also found that other people were writing walkthroughs of these rooms and posting them on different forums.  I joined an organization called Cyber Threat Intelligence Center, whose purpose was to elevate the status of any aspiring cybersecurity professional and they also helped to raise my profile on LinkedIn.  I would also post my walkthroughs on LinkedIn.  This was the best way for potential employers to see that I could perform the hacks and could explain in detail how I had accomplished these.

I began to follow the head of security at my current office.  We eventually connected.  Over time, he was noticing and "Liking" my walkthroughs.

I joined a mentorship program at my office where I was mentored by the head of compliance.  This was an invaluable experience because it led to my being noticed by the head of security even more.

Eventually, I was invited to take part in a white box internal pen-test of my office, my first real foray into doing such a thing.  I was gaining all the right attention.

I curated my own library of cybersecurity books that I used for study.  I had completely immersed myself in hacker culture.

Along came Mr. Robot, which solidified my need to be in cybersecurity.  I'm sure everyone reading this knows that show inside and out, so I won't go into detail except to say that it is more or less our Holy Grail in terms of how realistic it is.

Shortly after doing that internal pen-test, I was invited to join my company's Security Operations Center (SOC) as an analyst, which is where I stand today.  For me, this is the pinnacle of my career in IT.  Nothing matters more than this.

And now my definition of hacking or what is a hacker has changed.  That 16-year-old kid and what he did is gone.  Being a hacker is about so much more than technology.  The hacker mindset begins with an openness and a curiosity about things.  How to improve your world.  Real hackers are not criminals.  We have an obligation to act in the most ethical way toward everyone within our reach.  We have a purpose in this world and that is to act in and for the common good.  It's about being observant.  It's about being in the moment, in whatever it is that you do.

The first step in hacking is reconnaissance, which is done by using Open-Source Intelligence (OSINT).  Finding freely available information on the Internet.  It is said that "OSINT time is never wasted time."  There is an organization called Trace Labs (www.tracelabs.org).  Their purpose is to crowd-source individuals who are passionate about helping others and using OSINT in order to find missing persons.  They partner with law enforcement, and I'm proud to say that I've participated in their CTFs.  Having done this has given me an interest in anti-human trafficking.  This may lead to the next step in my career.  I'm not quite there yet, but if my past track record is any indication, I'm on my way.

To any aspiring hackers out there, if I can offer any advice, it's this.  Everyone's path is different.  Find what you love and move toward it and don't worry about the timetable.  In my life, I've been late to the party for almost everything I've done.  But I showed up.  Bruce Lee famously said, "We do not rise to our expectations, but fall to our level of training."

So, keep at it.  Be patient with yourself.  Learn a discipline really well before moving on to the next one.  Be humble.  Follow well known hackers on social media.  They will always have insight and may offer advice if you ask.  Practice often.  Even daily.  It will come when it's supposed to come, not a moment before or after.

P.S.  My wife gave me a C64 as a birthday gift.  Forty years after the original was released.  It came when it was supposed to.

#happyhacking, #hacktheplanet

Milton continues his IT career as an advanced response analyst.  He enjoys the occasional libation while posting his videos to his YouTube channel, Booze&Hacking where he goes by the hacker alias "darkhoodie".