Getting Started as a High School Bug Hunter: Cubed's Hacker AFK
Hackers live varied lives, each as unique as the last. Check out who they are away from keyboard. What you find will surprise you...
Today's hacker: Cubed
JXoaT >>
What was your experience with the word hacker, or what brought you to hacking in the first place?
Cubed >>
So, in elementary school, we had a computer lab. One of the first things I noticed in this class was that I knew more about computers than other kids. So, I used to help out kids with all their computer issues.
I would walk around helping kids with login issues or navigating websites. It was even to the point where teachers eventually asked me for help. So, as time went on, it would be common for teachers from down the hall to grab me for their support issues. That was when I started to realize how different I was in comparison to some people. I had this proficiency with computers.
But– in fourth grade, I got the nickname hacker. I was in a classroom with a substitute teacher, and I showed off a command line prompt to other kids in the class, typing [shutdown /i], which is like some lame script kiddie command to shut down another computer in your network.
It didn't work– I don't think it ever worked. It was a coincidence that whenever I typed that command to shut down a computer, another computer would turn off. The kids who watched me do it freaked, thinking I was a hacker. Eventually, the news reached my teacher. I was a goody-two-shoes and was never in trouble. So, she was surprised that she had to send me to the principal's office for hacking. I remember her telling me how serious it was that I was hacking. So, I remember that scared me for a while.
JXoaT >>
That's hard! It definitely shows how people default to fear when they hear the word. I'd get weird looks for running the netstat command in random classes when I was learning networking. So there is just a baseline fear that's out there.
So, where are you when you're AFK?
Cubed >>
Most of the time, I'm in a college lecture. I really enjoy going on walks, believe it or not. I hate being stuck in the house, so I will try to get out in nature when possible. Most of the time, I'm hacking at nighttime– when I'm in my zone. I'd say the majority is spent doing homework.
Once, I found a critical vulnerability, and I was messaging someone on Slack, saying, "Oh, sorry, I have to finish my homework first. I'll submit it later." And he got pretty mad.
He's like, "Oh, I'm waking people up just to take down the site, and you're telling me you have to finish your stupid math homework. Come on, submit it." 😆
JXoaT >>
I love that line you tread between being a student and a hacker.
Cubed >>
The math homework had a deadline, but the critical vulnerability didn't!
JXoaT >>
As a college student, do you feel that universities are teaching helpful information to hackers? Also, do you hear about hacking when you're on campus?
Cubed >>
So I attend a satellite school of a larger university, the University of Michigan. And at least inside my campus, I don't hear much about hacking. But on the main campus, I attend a cybersecurity club– WolvSec. I want to give them a shout-out. They're some of the smartest people I've ever met. I came into the club thinking I was already good at bug bounties, so I thought I would know everything, but it completely humbled me. There are a lot of smart people in different areas of cyber security.
So yeah, in that regard, for a bigger university, there are more opportunities to hear about hacking. But at least for my smaller campus, not really.
JXoaT >>
Alright, the move is to go out and find your nearest cyber security group on campus and join them. (If you can't find a security group on campus, why not start one?)
Does the information you learn in your classes help you as a hacker?
Cubed >>
In a way, yeah. My specialty is web security, but I wanted to branch out into binaries and reversing. The main thing that I've learned in my college classes is C++. It is the best thing I could have ever learned to expand my knowledge of how computers work. I'm especially interested in the assembly language course I will take next semester. That's going to help a lot.
Cyber security, when it is taught in colleges, is more of a buzzword. Cyber security is something you learn after you learn how computers work. I find that it is better to learn how computers work in parallel with hacking.
JXoaT >>
It's incredible to see bug bounty hunters coming out of high school and advancing into computer science degrees. What is your experience as a high school bug bounty hunter?
Cubed >>
So, I started out in my sophomore year of high school. I got a $200 bounty at the time. And I thought that was just the coolest thing in the world. I just spent a year watching videos about bug bounty and reading Hacktivity, reading different people's reports. In my sophomore year, a couple months before COVID, I was in a computer lab for a business class– and I would never do the work. I just used to scroll through Hacktivity. I would just read up on hackers who are getting these huge bugs and sit there, staring at my screen with $200 in my HackerOne balance, thinking it was the coolest thing ever.
JXoaT >>
I go through Hacktivity sometimes and see some of the crits we have reported, and I'm just like, "GEEZ, How?"
Cubed >>
Yeah, I know! I was so inspired by it. I think COVID made things better; I know that sounds horrible, but the pandemic just gave me a lot of time. So, I spent my days until 4am, watching videos of PoCs (Proof-of-Concept).
JXoaT >>
So, you're talking about Hacktivity reports, a super useful functionality on the HackerOne platform. It is a great way to gain insights into publicly disclosed reports. Did you use Hacktivity more to pump yourself for bug hunting? Or have you found a way to ingest and use material from reports?
Cubed >>
I would look at Hacktivity reports to pump myself up and get inspired, but I did learn a little. What really helped was going on YouTube and searching for a proof of concept video. I would watch and observe where they clicked and what they were typing, and then after that, I would go to Burp Suite documentation for specific vulnerabilities and learn more about why they were impactful.
So, I'd use both of those. First, I'd watch PoC videos and then go onto Hacktivity to read their impact statement. One of the best pieces of advice I ever got was to study one bug and try it on everything.
JXoaT >>
Wow, that's excellent advice. People can get lost in the sprawl of information out there, just trying to learn everything all at once. So, that advice is critical.
This next question concerns the LHE we met at, H1-407! What were some of your takeaways from attending one of our live hacking events?
Cubed >>
The first takeaway was, dang– I'm so young. I'm the youngest person here. I'm this little baby compared to all these people here. I remember when I got the email, and it stated it was a family-friendly event; bring your kids. I was shocked that there were people here with full-on families, and I was just like, "I am the kid."
So, that was the first takeaway. The second takeaway was about the other hackers. And I really don't know why I had this thought, but I was thinking I'm going to meet these big-time hackers, and they might have an ego because they've already been to all these live hacking events… But, instead, it was the exact opposite. They were the most helpful people and gave me some of the best advice I could have asked for.
The last takeaway is HackerOne went all out. They made everyone feel included because I could bring my sisters with me. Even they felt included. My sisters mentioned this themselves.
JXoaT >>
We set expectations high for these events; a lot of planning on our team goes into ensuring everyone has a time they will remember.
Cubed >>
As part of this interview, I'd like to give a shout-out to Jaren. I wouldn't be doing anything at HackerOne if it weren't for him. He was the one who brought up HackerOne to me. He and I were in the same data mining community, which is my other start to hacking– so I want him included because he's the reason I'm here.
JXoaT >>
Here's my last question– what advice do you have for hackers your age?
Cubed >>
Don't be a black hat. Get into bug bounty early. If you're into video games and dig modding, it's a good way to turn it into a career. A lot of people get sued for making cheats. Just convert your knowledge into different avenues in hacking, and you'll find yourself on a great path.