HackerOne

Hacker AFK: Jason Haddix

jhaddixtalk

Hackers live varied lives, each as unique as the last. Check out who they are away from keyboard. What you find will surprise you... 


Today's hacker Jason Haddix 

Jhaddix

JXoaT: So, what was your first experience with the word hacker? 

Jason: My first exposure was similar to other people's- I found it through gaming. Like, the "Warez Scene" and understanding that people were trying to crack or cheat games. Some of us come from those roots, but I didn't get too deep into that scene myself. It was definitely my first exposure to the word "Hacker."

JXoaT: It's funny; I'm currently reading a book about the warez scene- and the lineage of it is hard to grasp because of just how diverse their communities are.

Jason: Yeah, there are a ton of different communities. It was a selfish scene- it was looking for free games, cracked games, and software. At that point in the internet, when I was a kid- I just felt like even if I wasn't going to use it, I wanted to own every piece of information on the internet. I just wanted the knowledge. It felt like knowledge was real power. 

JXoaT: When you're not at the keyboard hacking, where are you? 

Jason: Well, I'm a dad of three. So, I'm usually with my family- doing family stuff. Like, attending school, or sporting events for my youngest. You know, just trying to keep them occupied. 

I'm a pretty young dad. So, we play video games together. We have family dinners and watch anime together. My kids are super nerdy- which aligns with my interests, so it's great!

The rest of my spare hobby time is gaming. I'm a big gamer, and I work in the gaming industry. I praise hacking as a career and gaming for keeping me out of the worst roads I could have gone down. 

jhaddix2

JXoaT: How often do you think that happens? That somebody goes down those roads? 

Jason: It depends on the community you fall into, right? A lot of decisions are led by the people around us. It's tribe culture, basically. 

Like, when you learn how to hack- it's addictive. You learn that you have power over these systems, and you can do things on these systems that aren't yours. It makes you feel like you have this superpower. And when you have that power, and you're surrounded by a less-than-savory crowd, you can go down the wrong path.  

Nowadays, people know more and more that being a hacker can mean multiple things. It could mean being an excellent programmer or a great security engineer. I feel there's a little more exposure to the term, but not by much. But a little bit. *laughs*

JXoaT: It's odd to me. When you say "Hacker," nobody thinks "Has a family." Facets like that should be illustrated. Since it's just a single part of who you are- and sure, there's also a mindset. It is someone who is hyper-curious and wants all the info. However, everyone is going to have a different image. 

Jason: Yeah, that is a common thread. It is a curious mindset. There's also the will to bash your head against a wall for a long time until something significant happens. You know? 

That is a key to hacking they don't show in the movies. Characters in the media sit down at a keyboard and instantly get root- when the reality is you're spending a week trying to get root.

Jhaddix

JXoaT: Yeah, I feel the common perception of a hacker's personality is the "Zero Cools" or "Elliot Aldersons" of the world. That is what people highlight. 

Jason: I mean, you have those people who have that identity where all of their time and their job is security or hacking. And there are definitely a lot of people who crave that ethos and image. Which is okay! Do what you want to do. 

If you want to devote your whole life to it, do it. But I'd say most of us are just nerds. We have a ton of nerdy interests. For example, some of my hacker friends are history majors interested in the pyramids or alien buffs who are into Area 51 and Roswell.  

I like to game, but I also enjoy a rave culture. We are not one-dimensional. 

Jhaddix3

JXoaT: How long have you been in the scene?

Jason: I've been in security testing for 15 years and hacking for 17 years.

JXoaT: So, you've had the time to see the development of hacker culture? Where was it when you got into it? I'm curious about where the scene came from and where it is going. 

Jason: When I started, there were the real black hats around early-stage credit card fraud. So, you had the people pressing cards and encoding them, but those needed to be encoded with hacked numbers. 

So, before we had all the security measures we do now, there would be the hackers who were learning web hacking techniques- we are talking early-early 2004-2005 (as early as 2002). Using these web techniques to steal databases of credit card numbers. These people would supply the carders. The carders would then press, emboss, magstripe, and encode everything. 

Then they would send in armies of personal shoppers to pick up merchandise. These might also be the people who made fake ids. 

Eventually, you'd have the software hackers in the warez scene trading information- anything from port activity apps to Windows. 

So, when you'd come to DEFCON, it was still edgy- it was really edgy. Everybody was sort of a black hat. There was no "pure" white hat at the beginning, I think. 

JXoaT: So, it's like you're gray hat or black hat?

Jason: Yea. So, then slowly, over time, it started to progress.  

jhaddixonstage

JXoaT: These are the stories I love to hear the most. The contrast between then and now. For instance, I knew an old college professor who earned a black badge at early DEFCON CTFs; now, he's enjoying time with his Ham Radio and family. 

Was there a clear catalyst for when things changed? 

Jason: Yeah, back then, fewer jobs had security involved. It was when the job market realized you could hire a security engineer- Or really, the big boom was penetration testers.

L0pht led the way. You had a world-class consultancy and people- who even stood up in front of the U.S. Congress and counseled them on deficiencies in cyber security for our government. Really, L0pht was one of the big ones. 

Then you had a ton of other boutique consultancies that were pretty l33t, which led the way for hackers to work legit. Hackers could now get a job, so many people migrated around that time. 

When that switch happened, DEFCON became a touch softer. Then the Black Hat Conference came into the world, a more "Suit" kind of venue. 

Finally, you had the introduction to service exploitations and some web server exploitation, usually due to an Apache bug- or an issue around a paid/open-source piece of software. Following that were custom code vulnerabilities like SQL injection and Cross Site Scripting (XXS). As these came out, more developers migrated to security because they understood the web. 

So, again, it became less edgy because you introduced engineers who had never been black hats into security. But they were interested in the same techniques, inching the Venn diagrams of black and white hat personalities closer and closer together. 

JXoaT: With the infinite complexity of attack surfaces, people are starting to lean into how paramount security is- how much you might need a hacker. I see a lot of jokes about how difficult securing a budget for security is, but do you see that changing?  

Jason: When it comes to securing a budget for a security program, it is easier nowadays. Is there ever enough money to put into a security budget? Probably not- because, as you said, "It's infinitely complex." Everything is constantly changing. There's always new technology, or your business will begin to grow larger and larger. However, as you grow, your business will become harder to secure. 

JXoaT: Would you change the current perspective of what a "Hacker" is? 

Jason: Yeah, I really like the hacker ethos of "What we do." We are creative problem solvers who do a bad thing to protect people or what is traditionally considered harmful (security testing). So, I hope we can reclaim the term more. It has gotten better, but we aren't really there yet. 

For instance, one of my previous job titles was "Director of Penetration Testing." But nothing sounds more silly when you're handing someone a business card that says "Penetration Testing" on it. Right? 

JXoaT: *Laughs* No, yeah, describing that is tough.  

Jason: It's not a great term, right? So, if we could use the term of what we are doing, hacking- I feel that would feel more correct. 

jhaddixonstage    


 

The 8th Annual Hacker-Powered Security Report

HPSR blog ad image