[ Hacking 101 ] :: [ Lesson 1 ]

This entry is part 2 of 2 in the series [ Hacking 101 ]

Lesson 1: Do You Need A Handle?

Yeah breaker one nine this here’s the Rubber Duck
Uh, you got a copy on me Pig Pen C’mon
Uh yeah Ten-Four Pig Pen fer sure fer sure.
-C.W. McCall, “Convoy”

Long before there were hackers, there were truckers. Truckers understand the need for handles in the Citizens’ Band (CB) radio world. People are coming and going, real names are useless or dangerous, and descriptive terms are a lot easier to remember.

Hackers use handles for some of the same reasons. One legendary hacker promoted the fun fact that a whistle packaged in boxes of Cap’n Crunch cereal emitted exactly the right tone to initiate a free long-distance phone call (phreaking). He will be Captain Crunch essentially forever in the hacker universe. Others created handles by playing with spelling (Phiber Optik, Dzen Hacks), referencing antique space opera (Mentor) or thumping their chest (MafiaBoy). Gigabyte earned her rep over a decade ago; St. Jude died deeply beloved; Susy Thunder was just being kooky (and kicked ass all over DEC).

Do you need a handle? Seriously, what’s the point anymore? Do any of us kid ourselves that we have a secret super-hero identity? Probably not … depending on our reasons for hacking. In the US, most people take privacy and confidentiality and safety for granted. In Europe, the data privacy laws could legitimately be called “ominous,” at least for organizations that had better comply with them. But there are plenty of countries and regions where revealing your identity might be highly dangerous, depending on your politics or religion. So in some cases, an online handle might not be just a good idea, it might be mandatory.

Even in cases where your life isn’t at stake, using a handle is awfully smart. Did you find a vulnerability in your school’s network? Reporting it might be an unpopular move. Found a problem with a vendor’s software? You might be in trouble from the instant you admit you were testing it. You could just report things anonymously (which is harder than you think), but that has one major problem: you don’t establish a reliable communication channel, and you may need one. If authorities know they are at least dealing with a single individual, for instance, any dialog that’s necessary can happen more safely.

Do you believe in free speech? Does your government? You can’t take this for granted, because there are so many shades of “free.” For instance, if you have free speech (in theory), is it safe to exercise it? Why do we have all these whistleblower-protection laws; in fact, why should we even need them?

We need them because free speech often challenges those in power, or those who have an interest in preserving the status quo, or those who have done things they don’t want made public. Any of these situations can be dangerous, or even outright deadly, depending on where you are. A handle lets you establish a consistent character online, and say your piece to your heart’s content. People will come to recognize your positions on issues – or at least the positions your handle (your alter ego) espouses. Speaking from behind a mask also protects you from those who mean well but misunderstand you, or those who flatly mean you ill.

One of the thinks you’re going to do at the end of this lesson is choose a handle. It should mean something to you, even if it’s a misleading meaning (sometimes those are the most clever handles). Tempting as it may be to want to be The Flash, you’re likely to be competing with thousands of 11-year-olds who like that name too. But if you’re interested in anime too, which for a long time came almost exclusively in Flash format, Flash Gundam might have some appeal.

Should you be Deadly Ninja or Silent_Avenger? Uh, are you really a deadly ninja? Because pretending to be one invites the real ninjas to show you the ropes, and the chains and the knives too. I once thought along this line and decided, Okay, I’ll be Fluffy-Bunny, until a friend pointed out that the handle made me sound like a cousin of PedoBear. Thanks, never mind.

Should you make up a name in leet speak (1337)? Like Haxor75 because you’re a hacker born in 1975? Or Sh@d0w? There are about nine hundred “Shadows” out there using different characters for the letters. They end up just sounding pretentious, and ironically those unique spellings help researchers pin handles to individuals.

You can try for something more directly relevant, if that’s safe. Do you teach for a living? How about Professor Thwackum? Do you run a bookstore? How about ExLibris? Just remember to avoid giving away too much. Don’t use the real name of your bookstore, unless you’re deliberately being provocative. In many cases, it’s not going to be safe to provide the least hint who you are.

Should your handle be your email address?

Good God, no. Not unless you have a separate, private, confidential, protected email account just for that identity.

In a larger sense, your various identifiers and names should have one, and only one, function apiece. The login name you use at your company or school should never be the same name as your company email address. (That’s a serious rookie administrator mistake, one you may capitalize on later in your hacking career.) If your login name is Costanza, your email address had better not be costanza@vandelayindustries.com. Unless you really, really want us to come read your email.

Do remember, though: if one of the reasons you’re creating a handle is to report something, you likely need to establish a persistent communication channel with the people you’re reporting the problem to. Anonymous complaints or reports get a lot less credence than reports that are clearly backed up by someone who can be contacted again. At some point, depending on circumstances, you may need to come forward to identify yourself. Normally you’d want to keep private forever, but if the situation warrants it, you might prove you’re the person who made the report by proving you can access the email account used by the whistle-blower.

What you can do with your handle

By now you should be realizing that a handle amounts to an identity. A handle is ideal for the kind of research and communication hackers need. Want to visit that IRC channel where the double-top-secret hacking tools are shared? Or that forum where the seasoned hackers actually answer questions? Will you eventually become an information source yourself? You need a handle for that facet of your life.

Consider the opportunities: you can start a blog or bulletin board of your own. This calls for commitment; you’re going to spend a lot of time on either of these, but they’re also excellent vehicles for enhancing your fame, assuming you give a damn about fame. You could do these to enhance your infamy, too, if that gives you a bigger kick.

You got to keep ‘em separated

Once you’ve established a separate identity, or handle, play this game seriously. When you’re “in character” with your handle, never mention your real self, real job, real school, real employer, real partner – nothing. Get paranoid about this, for reasons you’ll see as you take this course.

This is particularly critical when you’re using your handle to report a vulnerable web site, a leaky server or an exploitable application – especially to your employer, your parent or your teacher.

It’s critical to understand what you’re protecting here. Security training often focuses on the Magical Triad: Confidentiality, Integrity and Availability.

Confidentiality, in our world, means people can’t read your stuff. In the world of cyber security, it means encryption: your data is literally unreadable. In the context of handles, it means communicating via confidential (encrypted) means when you’re using a handle.

Integrity means your data hasn’t been altered, which is awfully important when you are negotiating immunity or proving a point. In our world, we use hashing to prove that data hasn’t been altered.

Availability means your goodies aren’t being blocked by a Denial of Service (DoS) attack, or being kept from you by some other means. Ensuring things are available keeps system admins paying weekly fees to ulcer doctors.

Notice that there’s no mention of Privacy there? Privacy is what you have when nobody knows who you are or what you’re doing. Corporations and governments don’t actually value privacy, at least for you; they want to know everything they can about you. You, on the other hand, may not have been taught sharing as a child, and might not want to be so friendly. Privacy is your friend. Your best friend. Don’t share.

Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world.
-Eric Hughes, “A Cypherpunk’s Manifesto”

Using your handle for fun and reputation

Okay, you may want a sexy handle that’ll attract attention as you gain fame and respect for your hacking activities. Giant-Panda may not strike quite the note that Poltergeist666 might, assuming that your main qualities are persistence and noisiness. The bigger issue is that you’re bragging, though as a certain person once said, “It ain’t bragging if you can do it.” You may find it wiser to conceal exactly what you can do.

Or go ahead and be DeathAdder or whatever you like at the moment, and burn through handles like TV spies burn cell phones. Just remember that some day when you’re the author of some magnificent cyber-universe-shaking exploit that saves the free world you’re going to be stuck with HoseWrangler or whatever you’re using at the moment.

In any case, you may eventually attain the degree of respect that you can safely come out from behind your handle and reveal who you really are. This is actually quite an achievement, one not many hackers actually see.

Do you need multiple handles?

So should you have more than one handle? Depending on your main activities, or the various private activities you engage in, this may be mandatory.

If you’re an uber-geek you’re familiar with Jung’s shadow or shadow aspect, the hidden form(s) of your personality. If you read popular soft porn you’re familiar with Fifty Shades of Gray, with “shades” meaning the different layers of personality of one Mr. Gray. Either way, it’s no surprise we’re all composed of multiple sides, like the facets of a jewel. You may not want to reveal all our shades to everyone.

Depending on the areas you’re working in, you may want multiple handles. You might use some, or all, only once. Just remember: unless you take additional precautions, you might make things easier for someone who’s trying to hunt you down. For instance, many bulletin boards show each user’s IP address; one IP used by many different “users” is a pretty obvious clue that someone’s playing games.

But you may want to segregate your identities in a different way, namely:

Using multiple identities

You could consider each distinct handle you use an identity, but remember: the real purpose of a real handle is to remain anonymous. What I’m talking about here is creating an entire background identity for the handle to point to, openly or secretly.

This technique involves creating email accounts and possibly social media presences. If you’re a genuine spy this is probably worth the time. For us mere mortals, it may be too much work to keep up. It is useful, though, to have a “spam address” for pure junk, and another false identity for all those sites you have to sign up for, and maybe another one for sharing files and other private collaboration. In this scenario these identities are Mike and Joe and Greg, not Dark_Knight.

The point is still this: don’t allow any connection between these accounts. This can be almost supernaturally difficult, so in the real world do the best you can. When you realize your mistakes, you become better at the privacy game for the next round.

Being a ghost

There’s a breed of hacker who doesn’t want fame and will never willingly out themselves. If you’re going to be one of these, you may not have a real handle per se, but you may use handles as layers of curtains between you and the world.

You’re going to have to be a master of secrecy to pull this off. Don’t hang around any venue for long. Don’t use any handle for long. Use technology like VPNs to hide your real IP address, and change servers often.

Even more important is varying your language, style and personality in print. Take it from me: any good English teacher learns to recognize a particular writer very quickly. Use one or two unique words, or the same pattern of misspelling, under more than one handle, and you’ll raise suspicions faster than you’d think.

Being nobody

There’s a cost in privacy every time you post. If you don’t consider every word carefully, you’ll reveal details that can be traced back to you. If you expose the same detail under two different handles, a determined researcher will connect them and potentially build a connection to you.

Kiddies want to brag about what they’ve done. Mafioso don’t know nothin’ and don’t say nothin’. You can decide to be either or neither, though it’s hard to be both. If you’re a true genius you may manage to keep two identities like this separated, but the talkative handle can never brag about the most stunning exploits of the silent persona.


101.1     Do you have a secret hacker identity you conceal from the whole rest of the world? One way or another, you do. So, what is your handle? (Don’t tell me or anyone the answer to this question.)

101.2     Who said “It ain’t bragging if you can do it”? Is that actually exactly what they said? What is this person’s real name? What is their handle?

101.3     Find “A Cypherpunk’s Manifesto”. Read it. Save a copy of it. Think about it for the next 20 years.

101.4     Read this article from the very excellent null-byte, including the comments:


Choose the one single most important sentence in the article.

101.5     Some of the most important stuff you’ll find on the Internet comes in the form of Word docs, Excel spreadsheets and PDFs left laying around on websites. This is a great place to introduce Google Advanced Search Operators, if you’re not using them already. First, see this page:


Next, go to the Wikipedia entry for “List of hackers”. Note that some handles are matched to users, while other users don’t use them – or their handles aren’t known. Pick one of these handles (which in this list, obviously, already has a name associated with it).

Create and run a Google search that finds Word docs for your chosen handle. Try it again for docx files, xls and xlsx files, and pdf files. Do you find anything that connects your chosen handle to a person? Get used to looking beyond the first page of results.

101.6     There actually is a hacker out there who uses the handle nobody. Identify this person. There’s a sort of Unix joke here: who is the “nobody” user on a Unix/Linux/Mac system?

Excellent, well-written hacking lessons: HackingTutorials.org

This entry is part 2 of 11 in the series [ Hacker Night School ]

It might seem funny for School for Hackers to like or endorse another hacking tutorial site, but the truth is that sites like Hacking Tutorials are terrific resources for all of us. This really excellent site features detailed, well-written step-by-step tutorials on up-to-the-minute vulnerabilities and exploits: The Top 10 Wifi Hacking Tools in Kali Linux and Penetration Testing from the Cloud, for instance.

Here at S4H we incorporate materials from the best sources and services we can find, and we encourage students to learn from YouTube videos, HackThisSite.org, root-me.org, and anywhere else you or we can find good stuff. In this case, I strongly recommend taking a tour through the site:


Hacking Windows Login with Sticky Keys, from Starry Sky



Starry keeps cranking out videos for School for Hackers, and we keep working to build some video production expertise. In this short tutorial on hacking Windows login, Starry demonstrates using a bootable CD to get around file system protections, so he can replace the utilman file with cmd.exe.

The hack is a classic Windows Sticky Keys Exploit. Here’s how it works: when you boot and arrive at the Windows login screen, you have a limited group of choices. You can click on your user icon to start the login process. Or you can power down using the icon in the bottom right corner of the screen. Or, look at the bottom left corner. If you use any of Windows’ enhancements for users with limited vision or other issues, you’ve used clicked this button before. But it’s likely you haven’t.

This button provides tools – like large-font, high-contrast visual themes, for one example – are collectively known as “Sticky Keys,” because the keyboard ease-of-use setting actually called “sticky keys” is the core of these tools.

In any case, low-vision and other users are used to clicking the Sticky Keys button and getting an easier-to-use Windows login, provided by a file called utilman. If you somehow get administrative access to a Windows computer, you can replace the OEM utilman with cmd.exe, cleverly renamed – you guessed it – utilman. Now when you click the Sticky Keys button, voila! You get a command prompt – as Administrator!

Depending on restrictions, you may not be able to pull this switch off while a system is live. But if you have physical access to it … the game changes. Starry shows us exactly how this works. Thanks, Starry Sky!

Is hacking eventually going to be your job (you hope)? Know the job search aggregators.

Social Networking

Everyone here knows I invite contributor articles on several topics, including finding jobs and work. What Vanessa Fardi has to say below is useful on several levels. One, the service she reps is Nuevoo, a job search aggregator that’s pretty big around the world, particularly for non-English speakers, and it’s certainly worth looking at.

On a second level, I want all my hacker friends and especially all potential contributors to look at her article: how she opens up her idea, develops it and provides tips; the graphics she includes; the contact information. You might not want to be so up-front about your identity, depending on what you’re writing about on SchoolForHackers.com, but generally, revealing who you are is smart and encourages trust.

For either reason, check it out:

Business Networking 101

Social Networking
Social Networking

We have seen the word a million times in articles, magazines, blogs, even Facebook, but it is very likely we do not have the slightest idea of what “Networking” actually means. We might relate it directly to Facebook and we definitely know it is an important tool when it comes to doing business. But, do we know its actual objective? Networking can be defined as the exchange of information or services among individuals, groups, or institutions, and it specifically refers to the cultivation of productive relationships for employment or business. Now that we finally know what it means, how do we get it done? Should we just go to parties, meetings, benefits and events, talk to people about our company or business, exchange business cards and be sociable? Yes, that is exactly what a networker does. The main idea is to make new contacts with the objective of forming mutually beneficial business relationships. That is it! Now you are an expert on the subject.

Human Networking
Human Networking

There is another aspect we have to consider, why go ahead and do business networking? Some entrepreneurs and business owners actually think business networking is a more cost-effective method of getting new clients than advertising or public relations. Business networking can be conducted in a local business community, or on a larger scale on the Internet. Social networks play a very important role for companies nowadays. Even law firms and oil companies have Facebook and Twitter in order to attract more clients and be able to get the word out there about what they do. Social networks make companies more approachable to the general public and potential future clients. That is the reason why the position of Community Manager has boomed over the last five years. If it is not on Facebook, Twitter, Instagram or LinkedIn, your company literally does not exist.

To be the greatest networker known to man, just follow these simple, yet life changing, tips:

  • Always be honest. No one likes a liar.
  • Carry your business cards with you at all times.
  • Try to meet at least five or more new people at an event.
  • Be friendly.
  • You will need to give to be able to receive. The business relationship works both ways.
  • Go get them!

Your job search starts here: ArgentinaAustralia | AustriaBahrain| Belgium | Brazil | Canada | Chile | China | Colombia | Costa Rica | Czech RepublicDenmark | Ecuador | Egypt | Finland | France | Germany | Greece | Hong Kong |  Hungary | IndiaIndonesia | Ireland | Italy| Israel | Japan | KazakhstanKuwait  | LuxembourgMalaysia| MexicoMorocco  | Netherlands | New Zealand| NigeriaNorway | Oman | Panama | Peru | Philippines | Poland| Portugal | Puerto Rico | Qatar | Romania | Russia | Saudi ArabiaSingapore| South AfricaSouth Korea| Spain | Sweden| SwitzerlandTaiwan| Thailand | Turkey | UK| Ukraine | United Arab EmiratesUruguay| USA | VenezuelaVietnam

Vanessa Fardi / NEUVOO

Team Leader US/CA/LATAM

Email: vanessa@neuvoo.com

Security for Web Developers: 16: Best Practices

Blue Security Goddess

You should:

  1. Change the default user name directly in the database.
  2. Put files that contain login credentials outside your webroot.
  3. Don’t allow writable directories. (With details….)
  4. Don’t allow users to upload anything. Sorry.
  5. Avoid toxic data.
  6. Patch like mad.
  7. Use a security notification plugin like Sucuri (and actually pay attention).
  8. Change your username if the crackers find it.
  9. Consider a scanning service, or at the least a scanning plugin.
  10. Understand the particular security controls built into your programming language. (They all have them.)
  11. Don’t write your own security controls, or your own encryption. Never never never.

Assignment: All Hackers: Learn to Use Git


This is a non-optional skill for anyone who manages systems, runs networks, develops software or hacks on any of these to make them work or break them. 😉

Git (in case you’re a total newb; otherwise skip this) is a code repository, a site where coder teams can work together on projects and check out code like a library (so they don’t save over each others’ revisions).

Assignment 1: Go here. Read this. Understand this. You are going to use it a lot.


Assignment 2: Learn to use CodeAcademy by learning to use Git:


This WILL be required knowledge for the Hacker Skills Test!