queenlua · 3 years
hey, i started following you recently and ur bio says ur a hacker? any tips on where to start? hacking seems like a v cool/fun way to learn more abt coding and cybersecurity/infrastructure and i'd like to explore it but there's so much on the internet and like, i'm not trying to get into anything illegal. thanks!
huh, an interesting question, ty!
i can give more tailored advice if you hit me up on chat with more specifics on your background/interests.
given what you've written here, though, i'll just assume you don't have any immediate professional aspirations (e.g. you just want to learn some things, and you aren't necessarily trying to get A Cyber Security Job TM within the next three months or w/e), and that you don't know much about any specific programming/computering domain yet.
(stuff under cut because long)
first i'd probably just try to pick some interesting problem that you think you can solve with tech. this doesn't need to be a "hacking" project at first; i was just messing around with computers for ages before i did anything involving security/exploitation.
if you don't already know how to program, you should ideally pick a problem you can solve via programming. for instance: i learned a lot back in the 2000s, when play-by-post forum RPGs were in vogue. see, i'd already been messing around, building my own personal sites, first just with HTML & CSS, and later on with JavaScript and PHP. and i knew the forum software everyone used (InvisionPowerBoard) was written in PHP. so when one of the admins at my RPG complained that they'd like the ability to set multiple profile pictures, i was like, "hey i'm good at programming, want me to create a mod to do that," and then i just... did. so then they asked me to program more features, and i got all the sexy nerd cred for being Forum Mod Queen, and it was a good time, i learned a lot.
(i also got to be the person who was frantically IMed at 2am because wtf the forum is down and there's an inscrutable error, what do??? basically sysadmining! also, much less sexy! still, i learned a lot!)
the key thing is that it's gotta be a problem that's interesting to you: as much as i love making dorky sites in PHP, half the fun was seeing other people using my stuff, and i think the era of forum-based RPGs has passed. but maybe you can apply some programming talents to something that you are interested in—maybe you want to make a silly Chrome extension to make people laugh, a la Cloud to Butt, or maybe you'd like to make a program that converts pixel art into cross-stitching patterns, maybe you want to just make a cool adventure game on those annoying graphing calculators they make you use in class, or make a script for some online game you play, or make something silly with Arduino (i once made a trash can that rolled toward me when i clapped my hands; it was fun, and way easier than you'd think!), whatever.
i know a lot of hacker-types who got their start doing ROM hacking for video games—replacing the character art or animations or whatever in old NES games. that's probably more relevant than the PHP websites, at least, and is probably a solid place to get started; in my experience those communities tend to be reasonably friendly to questions. pick a small thing you want to do & ask how to do it.
also, a somewhat unconventional path, but—once i knew how to program a bit of Python, i started doing goofy junk, like, "hey can i implement NamedTuple from scratch," which tends to lead to Python metaprogramming, which leads to surprising shit like "oh, stack frames are literally just Python objects and you can manually edit them in the interpreter to do deliberately horrendous/silly things, my god this language allows too much reflection and i'm having too much fun"... since Python is a lot of folks' first language these days, i thought i'd point that out, since i think this is a pretty accessible start to thinking about How Programs Actually Work under the hood. allison kaptur has some specific recommendations on how to poke around, if you wanna go that route.
it's reasonably likely you'll end up doing something "hackery" in the natural course of just working on stuff. for instance, while i was working on the IPB forum software mods, i became distressed to learn that everyone was using an INSECURE version of the software! no one was patching their shit!! i yelled at the admins about it, and they were like "well we haven't been hacked yet so it's not a problem," so i uh, decided to demonstrate a proof of concept? i downloaded some sketchy perl script, kicked it until it worked, logged in as the admins, and shitposted a bit before i logged out, y'know, to prove my point.
(they responded by banning me for two weeks, and did not patch their software. which, y'know, rip to them; they got hacked by an unrelated Turkish group two months later, and those dudes just straight-up deleted the whole website. i was a merciful god by comparison!)
anyway, even though downloading a perl script and just pointing it at a website isn't really "hacking" (it's the literal definition of script kiddie, heh)—the point is i was just experimenting a lot and trying a lot of stuff, which meant i was getting comfortable with thinking of software as not just some immutable relic, but something you can touch and prod in unexpected ways.
this dovetails into the next thing, which is like, just learn a lot of stuff. a boring conventional computer science degree will teach you a lot (provided you take it seriously and actually try to learn shit); alternatively, just taking the same classes as a boring conventional computer science degree, via edX or whatever free online thingy, will also teach you a lot. ("contributing to open source" also teaches you a lot but... hngh... is a whole can of worms; send a follow-up ask if you want that rant.)
here's where i should note that "hacking" is an impossibly broad category: the kind of person who knows how to fuck with website authentication tokens is very different than someone who writes a fuzzer, who is often quite different than someone who looks at the bug a fuzzer produces and actually writes a program that can exploit that bug... so what you focus on depends on what you're interested in. i imagine classes with names like "compilers," "operating systems," and "networking" will teach you a lot. but, like, idk, all knowledge is god-breathed and good for teaching. hell, i hear some universities these days have actual computer security classes? that's probably a good thing to look at, just to get a sense of what's out there, if you already know how to program.
also be comfortable with not knowing everything, but also, learn as you go. the bulk of my security knowledge came when i got kinda airdropped into a work team that basically hired me entirely on "potential" (lmao), and uh, prior to joining i only had the faintest idea what a hypervisor was? or the whole protection ring concept? or ioctls or sandboxing or threat models or, fuck, anything? i mostly just pestered people with like 800 questions and slowly built up a knowledge base, and remember being surprised & delighted when i went to a security conference a year later and could follow most of the talks, and when i wound up at a bar with a guy on the xbox security team and we compared our security models a bunch, and so on. there wasn't a magic moment when i "got it", i was just like, "okay huh this dude says he found a ring-0 exploit... what does that mean... okay i think i got that... why is that a big deal though... better ask somebody..." (also: reading an occasional dead tree book is a good idea. i owe my firstborn to Robert Love's Linux Kernel Development, as outdated as it is, and also O'Reilly's kookaburra book gave me a great overview of web programming back in the day, etc. you can learn a lot by just clicking around random blogs, but you'll often end up with a lot of random little facts and no good mental scaffolding for holding it together; often, a decent book will give you that scaffolding.)
(also, it's pretty useful if you can find a knowledgeable someone to pepper with random questions as you go. finding someone who will actively mentor you is tricky, but most working computery folks are happy to tell you things like "what you're doing is actually impossible, here's why," or "here's a tutorial someone told me was good for learning how to write a linux kernel module," or "here's my vague understanding of this concept you know nothing about," or "here's how you automate something to click on a link on a webpage," which tends to be handier than just google on its own.)
if you're reading this and you're like "ok cool but where's the part where i'm handed a computer and i gotta break in while going all hacker typer"—that's not the bulk of the work, alas! like, for sure, we do have fun pranking each other by trying dumb ways of stealing each other's passwords or whatever (once i stuck a keylogger in a dude's keyboard, fun times). but a lot of my security jobs have involved stuff like, "stare at this disassembly a long fuckin' time to figure out how the program pointer got all fucked up," or, "write a fuzzer that feeds a lot of randomized input to some C++ program, watch the program crash because C++ is a horrible language for writing software, go fix all the bugs," or "think Really Hard TM about all the settings and doohickeys this OS/GPU/whatever has, think about all the awful things someone could do with it, threat model and sandbox accordingly." occasionally i have done cool proof-of-concept hacks but honestly writing exploits can kinda be tedious, lol, so like, i'm only doing that if it's the only way i can get people to believe that Yes This Is Actually A Problem, Fix Your Code.
"lua that's cool and all but i wanted, like, actual links and recommendations and stuff" okay, fair. here's some ideas:
microcorruption: very fun embedded security CTF; teaches you everything you need to know as you're doing it.
cryptopals crypto challenges: very fun little programming exercises that teach you a lot of fundamental cryptography concepts as you're going along! you can do these even as a bit of a n00b; i did them in Python for the lulz
the binary bomb lab is hilariously copied by, like, so many CS programs, lol, but for good reason. it's accessible and fun and is the first time most people get to feel like a real hacker! (requires you know a bit of C beforehand)
ctftime is a good way to see when new CTFs ("capture the flag"s; security-focused competitions) are coming up. or, sometimes CTFs post their source code, so you can continue trying them after the CTF is over. i liked Stripe's CTFs when they were going, because they focused on "web stuff", and "web stuff" was all i really knew at the time. if you're more interested in staring at disassembly, there's CTFs focused on that sort of thing too.
azeria has good ARM assembly & exploitation tutorials
also, like, lots of good talks out there; just watching defcon/cansecwest/etc talks until something piques your interest is very fun. i'd die on a battlefield for any of Christopher Domas's talks, but he assumes a lot of specific x86/OS knowledge, lol, so maybe don’t start with that. oh, Julia Evans's blog is honestly probably pretty good for just learning a lot of stuff and really beginner-friendly?
oh and wrt legality... idk, i haven't addressed it here since it hasn't come up in my own work much, tbh. if you're just getting started you're kind of unlikely to Break The Law without, y'know, realizing maybe you're doing something a bit gray-area? and you can cross that bridge when you come to it? Real Hacking TM is way more of a pain-in-the-ass than doing CTFs and such, and you'll learn way more with the latter, so who cares lol, just do the fun thing.
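The post above points at "implement NamedTuple from scratch" and "stack frames are just Python objects" as an accessible way into how programs work under the hood. What follows is an added example written for this page, not the poster's code: a minimal namedtuple factory built with nothing but `type()` and `property`, and a couple of helpers that walk the live call stack through `sys._getframe()`, `f_back` and `f_locals`. The function and variable names (`make_namedtuple`, `frame_locals`, `stack_function_names`, `demo`) are made up for the illustration. `sys._getframe` is a CPython detail, not a language guarantee; the example only reads frame state, since writing through `f_locals` behaves differently across interpreter versions.

```python
"""Added example (not from the original post): two small Python
metaprogramming exercises of the kind the post describes, done from scratch
instead of via collections.namedtuple / inspect."""
import sys


def make_namedtuple(typename, field_names):
    """Build a tuple subclass with named fields using only type() and property.

    This mirrors the core of collections.namedtuple (field validation, a
    __new__ that accepts positional or keyword values, a readable repr) and
    leaves out the extras such as _replace/_asdict.
    """
    fields = tuple(field_names.split()) if isinstance(field_names, str) else tuple(field_names)
    for f in fields:
        if not f.isidentifier():
            raise ValueError("bad field name: %r" % (f,))
    if len(set(fields)) != len(fields):
        raise ValueError("duplicate field name in %r" % (fields,))

    def __new__(cls, *args, **kwargs):
        # Positional values fill fields left to right; the rest must be keywords.
        values = list(args)
        for f in fields[len(args):]:
            if f not in kwargs:
                raise TypeError("missing field %r" % (f,))
            values.append(kwargs.pop(f))
        if kwargs or len(values) != len(fields):
            raise TypeError("wrong arguments for %s" % typename)
        return tuple.__new__(cls, values)

    def __repr__(self):
        body = ", ".join("%s=%r" % (f, v) for f, v in zip(fields, self))
        return "%s(%s)" % (typename, body)

    namespace = {
        "__slots__": (),      # no per-instance __dict__, instances stay plain tuples
        "_fields": fields,
        "__new__": __new__,   # type() turns a plain __new__ function into a staticmethod
        "__repr__": __repr__,
    }
    # Each field name becomes a read-only property that indexes the tuple.
    for i, f in enumerate(fields):
        namespace[f] = property(lambda self, i=i: self[i])
    return type(typename, (tuple,), namespace)


def frame_locals(depth=1):
    """Return a copy of the local variables of the frame `depth` calls up.

    depth=1 is the immediate caller of frame_locals. sys._getframe() hands
    back the running frame as an ordinary object; f_locals exposes its
    variables (a snapshot dict before 3.13, a write-through proxy from 3.13).
    """
    return dict(sys._getframe(depth).f_locals)


def stack_function_names():
    """Names of every Python function on the call stack, innermost caller first.

    Starts one frame up so this helper's own frame is not listed; f_back
    links each frame to its caller until the outermost frame's None.
    """
    names = []
    frame = sys._getframe(1)
    while frame is not None:
        names.append(frame.f_code.co_name)
        frame = frame.f_back
    return names


def demo():
    """Exercise both pieces; returns (point, peeked_secret, innermost_name)."""
    secret = 0xC0FFEE                    # a local the callee has no argument path to
    Point = make_namedtuple("Point", "x y")
    p = Point(1, y=2)                    # mixed positional/keyword construction
    seen = frame_locals()                # reaches back into demo()'s own frame
    return p, seen["secret"], stack_function_names()[0]


if __name__ == "__main__":
    print(demo())   # → (Point(x=1, y=2), 12648430, 'demo')
```

The point of the second half is the one the post makes: a frame is a regular object with `f_code`, `f_back` and `f_locals` attributes, so the interpreter's own execution state is reachable from user code, which is why Python debuggers, tracebacks and a fair amount of test tooling can exist at all, and why "the program can see its caller's variables" is worth remembering when reasoning about what untrusted code running in the same interpreter can do.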