Hacking-Kung Fu: Aims and Objectives Part 2

Sunday, May 06, 2012

Quintius Walker


(Hacking-Kung Fu: Aims and Objectives Part 1 Here)

  • He who hacks for blood soon finds it dripping from his own terminal.
  • He who hacks for fame and glory never stays free long enough to hear his songs of  victory sung.
  • He who hacks for gold is already blinded by the glitter and glare of his own greed, all too soon led astray by all things shiny.
  • He who hacks for sport seldom finds the network administrators in a sporting mood.
  • He who hacks for the love of  it must leave what he loves the most behind so he can dance with the one he hates the most.— The Federal Correctional System
  • But he who hacks for security cannot be led astray.

( The above is what I call “ The Hackers Six Movers ” )

First of all, it must be borne in mind that training for Kung-Fu Hacking is very demanding, calling for great discipline; and discipline in this field is defined more by what you do not do rather than what you do. This art calls for great endurance, perseverance, determination, as well as time and effort.

Patience must be your greatest effort. Master Kung-Fu Hackers are not borne over night. As a matter of fact, some of the greatest hackers to date have been quoted as saying that it takes at least a minimum of 10 years before one becomes adept in the art.

But the result is very rewarding, and the extent of your reward depends mainly on how much “ purposeful practice and training ” you have put in. Aimless training and practice, as was stated in part one of Kung-Fu Hacking, is a huge waste of time. It is therefore helpful to have some idea of your aims and objectives.

Aims are general in nature and long-term in perspective, whereas objectives are specific and immediate. How well we have achieved our aims calls for some subjective judgement, whereas the attainment of our objectives can be determined categorically.

A major aim of Kung-Fu Hacking training, for instance, is System Security- or more so being able to secure your own systems. This ability to defend ourselves is a general asset, and has long-term benefits as more and more vulnerabilities become exploitable to the general public. Generally we do not set a specific time frame for acquiring this aim; we adopt the attitude that as long as we keep on learning, practicing, and training, we will enhance our ability to defend ourselves.

As the old adage goes: “ before one can protect others he must first be able to protect himself  ”. We are clear that if we fail to defend ourselves effectively in cyber-warfare, it means that we failed in our aim. Sometimes we may set a time frame for our aim, but the period is usually reckoned in years rather than months.... all the while waiting for someone to try to successfully attack our systems. ( Unless of course we hire a professional penetration team to exploit our systems in order to see where we really stand overall in the realm of security. )

Otherwise it may not be easy for us to measure objectively how well we have achieved our aim. For example, we can say that we have achieved our aim of self-defense if we can effectively defend ourselves against a single attacker; but when we are faced with a group of attackers, let's say, a Hactivist Group that targets our organization for “ whatever reason ” , we may falter.

Hack Cup, with Kung Fu GuyOn the other hand, we may set an objective to acquire the knowledge and skills to defend ourselves against web application attacks within six months.

Or from an offensive security point of view we set the objective to acquire the skills to launch successful attacks against web applications in a six month time frame.

Hence, our objective is specific: for the time being we limit ourselves to defending against these types of attacks or learning how to carry out these types of attacks.. .leaving other types of attacks to be covered by later objectives.

We can go a step further and be more specific by deciding on the types of web application attacks we want to defend against or learn to carry out. As we have set a time frame of six months, our objective is also immediate: we are not pursuing this objective indefinitely. We can easily decide whether we have achieved our objective within our set time.

For example, after six months of training we can ask a few fellow hacking buddies to try to exploit our web applications using the types of attacks we have defined; or we can conversely set up a vulnerable system of our own in a virtual lab and try out these attacks ourselves.

Above all, even though aims and objectives are closely related, an appreciation of the distinction contributes to our monitoring of our Kung-Fu Hacking practice and training. Aims and objectives provide us with direction and purpose in our Kung-Fu Hacking training, thus enabling us to achieve better results more quickly.

“ Test your systems with fire and ice, sand and sea, bile and blood....before your attackers do! ”

Related articles and previously posted:

Cross-posted from Petalocsta

Possibly Related Articles:
Information Security
Testing Methodologies Hacking Training Penetration Testing Exploits Network Security Information Security Cyber Warfare Kung Fu-Hacking
Post Rating I Like this!
Ian Tibble "But the result is very rewarding"...maybe from a hobbyist view, yes, in terms of the self-satisfaction of setting yourself a target and passing it. But in terms of the office space...not at all - there is no kung fu here. Paper aeroplanes - maybe, but martial arts? Not really.

There is an army of automated scanning gurus, adept at entering IP addresses into Nessus and hitting an enter key, and a further army of security managers and CIOs who are quite happy with the status quo of low quality delivery of professional services.

True what you say though, about the time involved. I was a member of a pen test team in Asia Pacific some years ago. There was a question aimed at our lab: "can you train us to do what you do, so we don't have to fly you in to do tests?", to which the answer was "train? Ok, do this...work your usual 8 hour day, then spend every evening of every day studying and practicing for 8 years". The answer was seen as lacking "synergy" by some, by others it was seen as "obstructive", "narcissistic". The answer however, was quite appropriate - mostly because this was how much effort our team lead had put into his career.

Hacking is also more of a state of mind and a way of thinking. Often time a lot is learned on-the-fly during testing, and existing open source tools are re-coded, and so on. Some are up to this, others not. I wouldn't say that just anyone can do this.

"Hackers" by Steven Levy is a good read if one wants to know the mind of a hacker. If you can identify yourself in this book, then you are at least on the way.
Quintius Walker Hey, Ian...thanks for commenting. I definitely see how " in terms of the office space " the result could not be very rewarding; I agree with that. Unless of course, ( hacking being a state of mind and a way of thinking ) one looks upon the office space as their official Dojo.

Overall, (perhaps I failed a bit in my ability to articulate the comparisons between the two arts/disciplines) my intentions with these posts were to draw more focus towards the 'similarities'.

You mentioned the army of scanning gurus which is interesting. Even though I don't totally frown upon automation, one can very easily compare the scanning gurus to the script-kiddies in a sense. However, the method, be it by way of automation or not, becomes water under the bridge if by use of the method it successfully serves the attacker's purpose. Likewise, for some security professionals time is of the essence and the use of automated tools definitely comes to the rescue.

What you said about hacking also being more of a state of mind and a way of thinking brings to light another striking similarity between the two disciplines as one must note that Shaolin Kung Fu at the highest level leads to Zen. And what was it that General Napoleon said about the sword and the mind being the two powers in the world? " In the long run, the sword is always beaten by the mind ".

Again, thanks for your comments, Ian. I'll certainly brush up on my articulation in the future.

Ian Tibble "Unless of course, ( hacking being a state of mind and a way of thinking ) one looks upon the office space as their official Dojo. "

Fair point.

"Likewise, for some security professionals time is of the essence and the use of automated tools definitely comes to the rescue". Automation in vulnerability assessment ...it's a long story (see Chapter 5 of my book).

Sorry for the lack of clarity/articulation also on my behalf - maybe i should have distinguished authenticated from unauthenticated scanning. With the former it's possible to get a decent picture of OS / dbase (not application) vulnerability remotely. With the latter, it's not, but this point is far from being well understood in the industry. Its commonplace to hear analysts talk about "run a scanner against it" ...this is bad when we're talking about critical infrastructure.

Hackers and tools like Nessus (Nessus does authenticated scanning but it's highly limited) - its something like this: they start off by running it against targets and giving a cursory 10 minutes skimming through the output - just in case there's something there that warrants further investigation. They find nothing. After 10 or so engagements, they don't bother any more. They're little more than glorified port scanners really.

Unfortunately, as of Q2 2012, we still don't have anything like a decent authenticated scanner although the offerings are improving.

There isn't a place for ninja skills today, but that is changing in some places and sectors. The key isn't just ninja skills though. It's management of ninjas, and this is where we in infosec have always been at fault. Late 90s - we had ninjas, but no management of ninjas, and we are going to make the same mistake again probably.

A ninja,just like any artist, uses an agent to sell their work and sit between them and the big bad world. This is what we always lacked in infosec...good agents and line managers.

Anyway, good article, and thanks.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.