Programmers need to think like hackers

gexos.org

29 points by gexos 5 years ago · 18 comments

robobro 5 years ago

Great, another "hackers are cyber criminals" blog.

Btw, every section is numbered "1." on my Android's Chrome.

  • dmos62 5 years ago

    > "hackers are cyber criminals"

    That got me too. Stop using hacker to mean criminals and vandals, please. The word has a very rich and positive history [0]: it's much better to draw people's attention to that:

    > The act of engaging in activities in a spirit of playfulness and exploration is termed "hacking". The defining characteristic of a hacker is not the activities performed themselves (e.g. programming), but the manner in which it is done.

    >> What they had in common was mainly love of excellence and programming. They wanted to make their programs that they used be as good as they could. They also wanted to make them do neat things. They wanted to be able to do something in a more exciting way than anyone believed possible and show "Look how wonderful this is. I bet you didn't believe this could be done."

    https://en.wikipedia.org/wiki/Hacker_culture

  • mmm_grayons 5 years ago

    Same here... looks like he wrapped every entry in <ol></ol>, so not a rendering bug, just poorly-written.

  • jaredsohn 5 years ago

    I expect everyone will see that "1.". The site creates an <ol> around each bullet so it will start from 1 each time.

    • llarsson 5 years ago

      Could have told the ol to start from an increasing offset each time, but the author is too busy thinking like a hacker.

jrm4 5 years ago

This seems really obvious, but I'm glad someone is saying it. I think there's a trend of "Teach everyone to code" like a vocational thing that misses the extent to which coding is nothing like e.g. plumbing. As in, with plumbing, the best way to do things is much more generally known and teachable.

  • blacksmith_tb 5 years ago

    Sure, though the analogy has limits - there are a few different kinds of plumbing, PEX, copper pipe, etc. but hundreds of languages, each with thousands of libraries, frameworks, platforms. Plumbers might be more slapdash if their work wasn't subject to inspection (with implications for licensing, and insurance), which doesn't apply to software either (but maybe should!)

bonestormii_ 5 years ago

Just don't be a cheap date. I'm hardly any kind of "hacker". I'm barely a "programmer".

But if I'm in a conference room, and I see some little embedded computer powering something, my mind immediately starts going "Oooo, wut that? Does it run something unixy? I wonder if it connects to the same network as the main office. I could probably borrow its little flash memory disk without anyone noticing for a day or so. I bet I could put a program to open a reverse shell for me so that I can just peacefully chill behind the firewall anytime I want."

Etc, etc etc. I can't help it. I'm curious! I'm also not very driven and highly nervous. But what if I were driven and brazen, but also very curious?

Put important things behind a firewall, and make sure that firewall is correlated to a physically secure location. Password-protect systems that need protection. Encrypt things that are critical and confidential. Limit the number of people who have unrestricted access. Divide your network so that more public services communicate with more secure backend services as little and as securely as possible. Don't hire people you don't trust. Compensate the people you hire well. Be ethical so that people generally won't delight in your downfall.

And then live your life! Lol.

  • elipsey 5 years ago

    >> Etc, etc etc. I can't help it.

    Totally! I can't help it either. I don't really think I'm that clever either, it's just a personality thing. You just want to know how things work, especially when they seem trivially flawed at first glance and you wonder if anyone has bothered to check! The thing that got me yesterday was my building's security gate.

    When you swipe your prox card, it plays a tone pair that sounds exactly like a DTMF tone, and then the latch opens. I had one of those forehead-smacking moments where you can't believe you didn't notice that already, and then the rabbit hole:

    Any sound would do to alert the human that the gate was opening, so why are they using this one? Hey, there's totally a dial pad next to it! Is the security gate really made out of POTS telephone parts? Is it some weird fake legacy compatibility thing that's just made out of software? If it actually listens to itself to open the gate, then is it subject to a trivial playback attack, like the dictaphone scene from WarGames? Does it have a real phone number? IP?

    No _way_ it could be that easy, right? Right??! That would be soooo dumb I'm sure that wouldn't work, but omg I have to go down there _right_ now and find out! Hmm, wait there's also a security camera and this is a really stupid reason to get arrested... <takes some deep breaths and tries to control self>

    It's easy to think, naively, that someone should do something about this, I'm someone, and they would rather hear it from the good guys. But that often turns out not to be true.

    Also, it seems like it's really hard to sell security mindset as a candidate for a dev job. I spent a fair amount of time on formal software and systems security coursework, but I couldn't really figure out how to market that to an employer. It seems like most management thinks of security as an IT or DevOps task or something that isn't a developer's job, and other devs think of security as a separate role, occupied by the person that just says "no" to all kinds of things.

    I hope this isn't generally the case, because I think this stuff is really important and I want to help. I'm just not sure how to get there from here...

    • bonestormii_ 5 years ago

      So I've only recently started working in tech, but one thing I would say is that solid Linux system administration skills are what helped me land my current job and succeed in it. I've also done a fair amount of frantic googling, and I've been learning a lot on the job. I was also turned down for like 5+ sysadmin positions at data centers.

      Find a smaller company that has a more relaxed hiring process and sound smart. Be fluent in bash and Python, and write at least one or two small programs in C so that you understand how to build such projects from source, how headers work, etc.

      Then, work like hell to close the gaps in your knowledge. The job will provide you a constant drip of new things to frantically learn about, which is the thing I've appreciated the most about this opportunity. I really feel my skills growing just because I'm using them to feed myself.

      • elipsey 5 years ago

        Thanks for the reply. You would probably laugh out loud if you knew my background, but I don't really want to cop to this explicitly, in one post, and in public on HN.

        Even so, you have absolutely lapped me in this particular race. At any rate, I will reflect on these suggestions. This is one of those times I wish there was a PM feature here. Oh well. Do you mind if I ask who you work for and (approximately?) where you are? NP if you don't wish to answer that, but it would be interesting to me. Cheers.

Etheryte 5 years ago

> Programming is a complex task that includes five steps: problem identification, solution design, coding, testing and reporting.

Perhaps it's because of different terminology, but I'm already somewhat lost on the first sentence of the article. What does reporting mean in this context?

iask 5 years ago

In principle yes, but the objectives (constructive/destructive) produce different satisfaction. A programmer on a sizable team might not have the same commitment as one on a smaller team. He/she may think so, but it's almost always not the case.

I’m speaking from experience.

zemnmez 5 years ago

Is this a listicle? I don't really understand what the purpose of this article is. What makes a hacker's mindset useful to programmers? What makes these points the valuable takeaways? Not asking HN, it just seems missing from the article.

uxenthusiast 5 years ago

I'd like to start reading more about engineering than hacking

wrnr 5 years ago

This article misses its own opportunity.

Most of what this article talks about can be learned in a couple of days. Get familiar with ZAP, a proxy to replay and modify HTTP requests, useful to test webapps for things like XSS and SQL injection; Maltego, a fancy port and network scanner; and some other tools you or a 12 year old can learn from YouTube.

Seriously, this hacking thing is overrated and shift-left security is a joke with the same punchline as DevOps: more best practices mandated by consultants that don't do the actual work, for engineers to follow instead of giving them the space to think about a good problem/solution fit.
