Ask HN: What do I need to learn to be useful as a hacker to defend my country?

119 points by axiosgunnar ↗ HN
The Ukrainians have called on the "hacker underground" to defend against Russia: https://news.ycombinator.com/item?id=30462219

Everyone of us here has above average computer skills, but most of us don't have offensive or defensive cyber warfare skills.

We have all seen how quickly war can break out.

What does one need to know to be of value to one's military, should the need ever arise?

What skills would they be looking for?

How can I acquire those skills?

55 comments

[ 8.2 ms ] story [ 109 ms ] thread
learning Metasploit would be a good start
You should connect with your country's leadership to put the pressure where it belongs here. You are a citizen showing interest in supporting your nation. So they need to be able to offer you training starting from the basic frameworks, usually the "why" and "what" and later down to the "how" and "when".

As part of that training, they should be showing you which skills they want, how they can be acquired, and so on.

This is also important because you need institutional legal support and an objective ethics framework to affiliate with. Otherwise one misstep and you can end up looking like a vigilante even though you had the best intentions. Or you could end up ready to take action yet without the infrastructure or other resources that would be needed to carry out your work in a wartime environment.

If they can't meet that minimum bar it's a non-starter IMO. You are left to your subjective estimations of what is needed and are without formal support. Contact your representatives and hold them to it.

Edit: Is op from UKR? I can't tell--if so the first priority is connection with community of experts no matter how small.

I mean his countries leadership is a little busy at the moment...
Consider joining intelligence agency and working there for some time to learn.

Probably the best education you can get anywhere.

Other than that, working as a pentester. Again, you can learn from online sources, but if you are a competent programmer, why not cold approach asking you would like to work in cyber security

The time to start a campaign against Russia on behalf of Ukraine was weeks ago. It’s too late now, like calling up the national guard hours before a massive shock and awe blitzkrieg campaign. Zelensky should have been making these appeals a long time ago but was delusional.
That seems harsh, Russia was actively looking for any excuse and those might be good enough. The fact they still attacked could look obvious now but that’s hindsight.
Was Zelensky delusional 10 months ago when he requested NATO speed up Ukraine's membership plan?

https://youtu.be/admHGiHGnYY

NATO has decided it was fine with letting Russia have Ukraine with the expectation that Russia would not invade other countries. I swear I've heard this before in a history class.

Yes, 10 months ago and the time surrounding it, Ukrainian membership has never been viable politically or militarily so Zelensky should have seen the writing on the wall. What is sad is that NATO would allow war to happen in order to maintain the hypothetical capacity to admit a country that may no longer exist. If NATO appeasement wouldn't have contained Putin it would be nice to at least have him on record saying he is invading for other reasons.
Here’s the UK’s cyber reservist list of desirable skills:

https://www.gov.uk/government/organisations/joint-forces-com...

Are any of those listed qualifications valuable? I already know that Prince2 isn’t going to be the bulwark against an invasion.
I see many security certifications in that list that are useful (e.g. OSCP). You focused on the least useful of those.
AXELOS has a very bad track record.

Learning and getting certified by a company that botched ~80% of their projects... indeed not a good idea.

I have an ITIL certification and I can honestly say it was the most useless 3 or 4 days (I don't even remember) of my entire professional life. Absolute rubbish, it was either completely made up / false, or such a basic level of common sense it makes you wonder how anyone got paid to write it down in the first place. The certification never expires but I haven't had it on my resume since I left that job.
Do not underestimate the power of open source intelligence gathering and well executed social engineering.
Lots of great things being shared here. We never know if OP is actually Russian and aiming to do the opposite of claimed -- nevertheless let's share what we'd normally share anyways.

Adding on to what others have said I would say start with this. To be a useful "hacker" to *defend* your country start with ensuring you are not immediately exploitable yourself & then repeat for others close to you. A incomplete shortlist off the top of my head

1. Ensure all your devices are secured including great passwords, updates applied, minimal/no ports expose

2. Secure your financial instruments w/ great passwords and multifactor options. physical devices like yubikey is (afaik) top of the line, other styles are an improvement over nothing.

3. Create backups of important things so you're unlikely to be blackmailed by ransomware

(others, what am I missing?)

(comment deleted)
The place I would start is not with offensive skills, but on the defensive side. Learn how to:

- Know when you might be introducing software vulnerabilities

- Find and repair bugs that might turn into vulnerabilities (things like static analysis and fuzzing, but also identifying code smells and where to inspect)

- Identify and avoid phishing attempts

- Identify (and, ideally, mitigate) places where resource exhaustion attacks are likely to be most effective

- Identify (and, ideally, mitigate) places where a process is dependent on external infrastructure that is controlled by another party

- Teach others how to do these things

These things are of high value in the day to day life of a software developer anyway, and there are lots of reputable resources available to learn and practice. In the future, if it turns out that you need offensive skills, that will work out OK too -- there's quite a bit of overlap, though not 100% overlap.

All of 0 of these skills will help the current situation as this developer probably does not control any of the critical software himself. This sounds like a great list if you're CTO currently building software for critical infrastructure and have the power to enforce trainings across the org.
It's increasingly difficult to tell what's going to be critical infrastructure and what isn't. The same is true in the real world; a defender or a belligerent alike might hope that the grain mill in the village will be functional when winter rolls in. Whether it is or not could depend on the work of someone who isn't even aware of the concept of a job title.
I'd understood from the OP (though granted this is not explicit) that they are not so much looking to help Ukraine with their current conflict, as looking to learn skills that may be useful if they are asked to aid in some future conflict. Frankly, if you want to help the Ukrainian people right now, it would be better to use your computer skills to earn some money and donate it to a humanitarian NGO.

If, on the other hand, you're looking to start down a path that might have you doing useful things in a similar situation in 2032, this seems to me like a reasonable place to start.

Cyber defense is generally a joke. The people who know how to do it knew how before they ever joined the military. The bar is so low for security for pretty much everything that simply showing up to run a Nessus scan and patching basic firewall rules is considered advanced in most quarters. I don't see any path towards helping that isn't a giant waste of time.
Find a system or a piece of software, use it a lot (look at source code if you have it) and then ask yourself how you can break it. That's the key to becoming a great hacker.

If you don't understand a piece of software (and I mean really understand it) you probably can't break it in a meaningful way. You may accidentally break it, but your lack of understanding how it actually works will prevent you from further exploiting it.

Just my 2 cents. Hope it helps.

How to stay anonymous.
... Including never posting this question to HN!
A lot of people are mentioning software security vulnerability scanning, patching bugs quickly, etc - all extremely important but these measures are better executed continuously and hard to do quickly.

The quickest way to block cyberattacks with measurable security benefit is probably through network controls. ACLs, segmentation, firewalls, IDS/IPS, etc. You can deploy these and block a lot of attacks right off the bat. Looking into AD security, GPO, anything that can deploy configuration to your entire environment is common to exploit and important to lock down. Those are the kinds of measures that have really measurable impact and help prevent the kind of catastrophe that state-sanctioned operations create.

Work for the government or a military contractor.
At the end of the day firearm training is probably more valuable than anything else in Ukraine right now. Taking pot shots from a distance at groups of troops can cause them to seek cover and slow down their progression. I think that's about the best you can do as 1 - 4 people. Look to the Vietnamese or Taliban on how to defeat a larger better equiped force with a smaller less equiped one.
Way to give advice that is guaranteed to get them killed. Bravo
(comment deleted)
The world is not an RPG video game, you likely can't just strictly "improve" yourself up to any given standard (no matter what any employer or teacher tells you - they're just trying to buy time as you sit in their classroom or accept a lower paycheck than you are worth). Experience is key, and it ISN'T best measured in years - you can likely put in more time than anybody on something given that you seem like a young kid who's eager.

That being said, and now that it's clear that you aren't just going to push a number higher until you can send all of your cyber zerglings into the enemy's virtual mineral line, this is a good process to follow for finding serious vulnerabilities - exploiting them should be trivial if you have a good enough understanding of the system:

- Think of a system in use, at any layer of the stack. This could be a specific web application in use by the enemy, a runtime that's used by some applications of theirs, or a memory/cache model on a CPU architecture that's flawed or anything like that

- Learn enough about that system that you can understand any inner working of it

- Painstakingly look through areas where you, just via inference, can tell that there could be some sort of vulnerability - key areas to focus on are something that is something downstream to user input, or something similar.

All of that is to say that, if you aren't already "useful", your country is probably going to have a regime change before you can find anything strictly useful.

If there's something simple enough that someone who's relatively unexperienced can do it, then it's probably automated.

OR - use a bunch of stolen credit cards you bought online for $3 each to rent a few VPS' (maybe come up with some consolidation solution to more easily make accounts and setup SSH boxes) and throw as much layer 4 traffic at Russian endpoints as you can :-).

In the short term, low intensity large scale "offensive" action is probably the course to take with most potential return. Just poke with as many Russian server/service as possible. Since your country has a high risk of being (unfortunately) under Russian control soon, take some minimal precautions to cover your traces.

This is basically the same principle as international sanctions. Try to make everything harder for Russia and (unfortunately) for Russian people. Playing people's opinion against their leader. You can do the same in Belarus that saw civil unrest recently, mobilizing Russian soldiers.

That's what I was suggesting with my little addendum at the bottom. Would honestly like to try it, if someone would like to pay my mortgage + fooooood costs with VC bucks for a few years.
The "lower" you get down the stack the more valuble youll be. You have to understand the fundimentials of how software works in order to reverse engineer it and start "hacking"
I strongly believe that one needs several years to achieve the skill level to become useful in that field. Unless you are looking for a job for life, starting now is a few years too late. Other comments provided info on how to start.

I also think that tanks, fighter planes and helicopters are pretty hard to defend via hacking; it's like defending a password against a 5$ wrench used to hit you repeatedly.

Look at CSPM (cloud security posture management) solutions, it ensures there aren't any silly holes in your cloud like open S3 buckets etc, as well as ensuring pretty advanced organization specific custom policies. Look at Prisma, Wizio, Crowdstrike Horizon, etc.
- opsec (your neighbors will rat you out as a bargaining tool to save themselves)

- python, C, and assembler

- Gnuradio / HackRF (direction finding, spoofing/replay, jamming, etc)

- basic electronics

- basic model rocketry / pyrotechnics

- basic lock picking, escapes, first aid and wound care etc

- some off the shelf malware / botnet / RAT kits and usb installers, metasploit, etc.

From nothing to developing new zero day probably isn't going to happen during this conflict, and best hack will be using skills to get out of the country.

Cyber warfare attack is when you damage critical infrastructure of enemy

And cyber defense:

"... in cyberspace, it is much easier to attack than to defend. The primary defense we have against military attacks in cyberspace is counterattack and the threat of counterattack that leads to deterrence."

It is extremely useful, if you have the time to spend on it, to investigate and help repair any open source vulnerabilities you can. The cleaner underlying libraries are the better all of our defenses get - it's not as glamorous as being a 1337 h4x0r but contributing to a core library provides an immense amount of value.