
The Inside Story: How a Damn Kid Delayed Our Course Release

Warning: This is not the kind of case study you would expect from an established company. If you expect a case study that shows you how great our new course is, you'd better close this file because you will be disappointed. This document explains how a boy, dreaming of becoming a Penetration Tester, pushed back our course release by 6 months! And, yes, that actually made our course the great course it is now.

1 Damn Kids! They're All Alike.


When I was just starting out, taking my first steps into web and computer security, The Mentor's manifesto was the mantra that every hacker memorized and believed religiously. It's still the best description of what the hacker movement is or, I should say, was at that time. It was a movement that was far removed from any illegal intentions, thriving simply on curiosity for the world of computing.
\/\The Conscience of a Hacker/\/
Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"... Damn kids. They're all alike. But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him? I am a hacker, enter my world... Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me... Damn underachiever. They're all alike. I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..." Damn kid. Probably copied it. They're all alike. I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me... Or thinks I'm a smart ass... Or doesn't like teaching and shouldn't be here... Damn kid. All he does is play games. They're all alike. And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all... Damn kid. Tying up the phone line again. They're all alike... You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert. 
This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

by +++The Mentor+++ Written on January 8, 1986 Credit: Phrack - Volume One, Issue 7, Phile 3 of 10

Damn kids; they are all alike. My younger brother is no exception. Yes, my brother. It must be some sort of genetic disease. Apparently, my brother fell victim to the insatiable curiosity typical of the early 90s hackers before him, like me. It's the same curiosity that keeps you up all night, browsing the internet and reading tutorials. It's that unrelenting fixation that makes you get bad grades in school or gets your boss pissed off and in your face, scolding your drowsy ass at work the next day. It's more than curiosity; it's a mission, a passion. My brother was bitten by the same bug that inspired my true passion to explore the secret realm deep inside the inner sanctum of computers, the same passion that compelled you to read this PDF right now. It's in our blood: a hypnotic enchantment for this field, the endless opportunities, and the incredible feelings of discovery that rush through us every time we uncover something new.

2 From the Eyes of a Beginner


Once you become an expert, you have a hard time remembering how it feels to be a beginner. Beginners still have a hard time learning because, well, experts are poor teachers. My brother, being a complete beginner, spent most of his time cultivating his passion for computer security and hacking through trial and error. Sure, resources are much more abundant now compared to what we had in the 90s. There was no YouTube, no Facebook, no training course whatsoever. Nowadays, YouTube is full of free video tutorials on how to use every tool imaginable. Still, no matter how many resources he'd find online, he had a hard time gaining a deep understanding of the processes involved. He had a hard time leaving his childhood training wheels (aka script-kiddiness) behind and was always depending on someone else for the answers.

eLearnSecurity srl 2011 | www.elearnsecurity.com

As a beginner, learning is a matter of trial and error, going back and forth through different topics without a clear path and wasting time on outdated or unrelated contents. The truth is, 90% of the people get frustrated with the process and give up. My brother's problem was that he lived miles away from me, and I had a hard time explaining things to him by email all the time! Phone calls didn't help much either, by the way. Needless to say, his first steps into the field of hacking were a mixture of "aha!" moments and unbearable frustration. His passion for hacking and pentesting grew while my staff and I were publishing the Penetration Testing Professional Course, back in 2010. Those were the craziest days of our lives. But, being the persistent pain in the butt that he is, I promised to put together a very small course for him. It would be just a few PDF guides that he could print out and bring to school to read during those boring hours in Latin class. He eagerly accepted my offer, and I began on what I thought would be a couple weeks of work to put the contents together. Well, it's not hard to imagine that, due to the success of our professional course and our busy schedule, it actually took me a couple of months to come up with something workable for him. Or at least I thought it was workable...

3 C'mon... You Know I'm Lazy


It wasn't long before I had my own "Aha!" I wondered to myself: If these guides can help one boy's dream come true, why not do this for the thousands of people who would show interest in our courses in the early stages of our operations? It was October, 2010. My staff and I had all the content for this new course ready and put together in nice PDFs. We also had a good number of Flash slides that Ilaria, our e-learning and flash developer, had created for the boss's brother. So the Penetration Testing Student Course was born. Release of the course was scheduled for no later than November, 2010. The course logo and website were ready, and I was about to announce the exact date of release. We gave the course materials to my bro to review, since he was the one we originally designed it for. I was pretty much convinced that those guides would be the best structured hacking tutorials he had ever read. Boy, was I wrong! A few days later I got a text from him saying, "C'mon, you know I'm lazy! What's this stuff all about?" There was just no way he was going to read through pages and pages of text. Sad but true. He had enough reading to do in school every day. Hmmm. At this point in the story, these were my options: A) Trash my bro's dreams and release the course as-is; or, B) Trash my contents and start all over again. Being the short-tempered fiery Italian that I am, option A was definitely my first preference. After talking it over with my brother for a full hour on the phone, the sad reality became evident:


Our contents did not contain all the background skills that a beginner needed BEFORE he could ever understand a thing about security, hacking, attacks, exploits and so on; and Our contents did not contain any tips from instructors that would guide the student through all of the content we had put together.

It was unbelievable how I could manage to forget all the little details and necessary background skills that every single hacking technique depends on. I was taking all of the basics for granted, but a novice would just be fumbling around in the dark! What he was really looking for was guidance. He needed someone to show him the path and give him a direction to follow, not just a few unrelated tutorials or slides to read. Bottom line: We had managed to build an exceptional professional course, our flagship, The Penetration Testing Professional Course. But somehow we had forgotten the long process and struggle we went through, back when we were just learning, that brought us from beginner to expert status. The frustration, the highs, the lows, the perseverance and the enlightened guidance we wished we had! At this point I either had to let my brother give up his passion or apply the lesson I just learned from him in a brand new course, built from scratch side by side with HIS guidance.

4 Confessions of a Beginner
It's sad, as professionals, how easily we forget our humble beginnings and the high emotions of those early days, when we manage to launch our first exploit. It's like becoming a skilled lover and then forgetting about the magic of romance. Whether it's making love or hacking, the first time you do it you don't understand half of what you're doing, but when it's done you're the happiest person in the world because you did it, and you are now privy to much of the mystery and excitement. I didn't want to give up on my challenge, and I didn't want my bro to give up on his passion. It was still October, 2010. We trashed the contents, and a completely new course had to be written. This time, for every chapter I wrote, I received a ton of questions from him. I applied all of his suggestions and then answered all of his questions in the content. For each technique, we noted all the necessary background skills required, from IP addresses to Firewalls, from Network protocols to HTTP basics. These had to be structured into a completely new section of the course. Additionally, the only text we used in the course was to describe the images. Videos and audio narration were used in place of text. Ilaria, the e-learning developer, had the best time of his young career transforming text into animation and narration and submitting it to my brother, who became the boss of this project. The first draft of the course was looking "almost awesome", to use the young boss's words. Why almost? Something was missing: the "whys" and the "am I correct?"

Basically, when you're hungry to learn new things you tend to skip the boring stuff and get right to the juice. So, the background skills (mainly about networking and programming in this field) were the most boring and difficult for him. He found that if we included the reason WHY each piece of background information was useful for his hacking studies, he would devour it as if it were actual hacking, and not boring stuff. Before even beginning to study any preliminary topic such as networking, my brother would know how and when that information would become useful. Guess what? This, and the high interactivity of the course, finally let him get through the boring stuff and have a lot of fun doing it. But still, one final piece was missing. When you are first starting out, you don't see the big picture clearly. You have to guess and make assumptions. But how do you know your guesses and assumptions are right? You need some kind of proof to be convinced that you've mastered the topic you just read and that you can finally move on to the next level of expertise. That's why we decided to convert all of my brother's questions into self-assessment quizzes at the end of each chapter. Four to eight interactive questions would provide him with a final assurance about the topics he just learned. Failure means that he will have to dive deeper into the subject matter; success means that he can move ahead to the next topic. Simple and effective.

5 Bro, I'll Outsmart You


With the two final touches taken care of, the course had become the guided tour he needed to acquire the necessary confidence to move forward with his studies in the field. He is now able to overcome frustration, to understand what path he is following, what each vulnerability means, why it is there, and what each tool is used for. He now not only understands the technical matters of being a Pentester, but also what it means to be a real Penetration Tester. After having taught thousands of people, I am glad I've been able to help a complete beginner, my brother, to pursue his passion. Unfortunately, I have also created a competitor and a ton of familiar alerts in my IDS log! Damn kids. They're all alike!

