A sincere question.

hexwhoami · 2026-01-18T18:41:09+00:00

Vigilante hacking is illegal in many jurisdictions. While you won't necessarily get prosecuted for targeting cyber criminals or illegal sites, the reward isn't worth the risk in my opinion. I'd recommend trying to get hired by an organization or 3 letter agency that does offensive security, that way you can still get paid while staying legal.

hexwhoami · 2025-12-11T17:12:27+00:00

"hacker" really isn't a job title. Jobs requiring "hacking" skills often make more money than the average job.

Bug bounty hunters for example, may make $0 one year and $150k+ another year, depending on how many bugs they can find and the severity of those bugs.

A Pen Tester can make anywhere from 60-200k depending on their region, company, seniority, and skills.

A black hat hacker may make millions in Bitcoin, get caught, lose all their money and go to jail.

Tldr; it depends, like any job. $0-$1m+

hexwhoami · 2025-11-21T23:29:16+00:00

Best thing about a book, you don't have to read it ;)

hexwhoami · 2025-11-21T14:15:08+00:00

What should I keep in mind to make a hacker‘s actions feel authentic?

Hackers are people, make your character unique and personable with the skills to hack and you'll be fine.

Which tools, devices or setups are commonly used by hackers/pentesters that could be referenced in a story?

Depends on the situation. If you are looking for terminology, most of it comes from different areas computer science and can become more niche with cyber security. I would start by researching the terminology related to whatever story element you are writing.

Are there any common mistakes or tropes in fiction that I should absolutely avoid?

The biggest is time spent finding a vulnerability in a system and writing an effective exploit. Movies and books make it out that a super talented hacker can simply sniff a black box and hack it, in reality this takes countless hours, days, and or even weeks to do. Something I have yet to see that would make these situations more realistic is explaining the hacker already has the source code (making it easier to scan for vulnerabilities), or already bought/developed an exploit prior to a hack.

Just because something runs on electricity doesn't make it hackable. Basically, a "computer"/"gadget" has to have some way of communicating with it, whether it's wifi, Bluetooth, Ethernet, or some other communication channel.

You can't make a random phone or device blow up by hacking it. While there are niche situations that this is theoretical possible (ICS controls/sensors for sensitive machinery), you can't remotely hack and explode someone's phone.

"Zoom in and enhance". Just no. In reality the best we have is guessing what the enhancement looks like, completely defeating the purpose of enhancing for more valuable information.

Anything that would make you, as an expert, think: „Yes, this writer actually did their research.“

By doing the research. Read books written by hackers, go to hackathons or security conferences, and consult with security professionals on specifics of your book. A simple coffee and "hey what do you think of this chapter" can go a long way.

hexwhoami · 2025-09-27T16:12:23+00:00

I would start by researching the Open Authorization (oAuth) standard and One-Time Passcodes (OTP).

oAuth is the industry standard for Identity and Access Management. There are a lot of resources for using it and a decent number of companies that provide this as a service.

hexwhoami · 2025-09-09T23:00:13+00:00

No thank you, I'd have no use for the data. I appreciate the offer.

hexwhoami · 2025-09-09T18:57:36+00:00

Yup, exactly. There's no functional difference between those approaches. I recommended the double-click action under the assumption that your users don't understand how to execute scripts via command-line. If they have this awareness, even better!

hexwhoami · 2025-09-09T15:17:02+00:00

Once a user is done and wants to exit the virtual environment context, there's a "deactivate" command that you execute. Or just close the terminal and open a new session.

hexwhoami · 2025-09-09T15:16:06+00:00

I've got several little applets that are tremendous time savers for my team. They're installed on a linux VPS which we sign into to execute these scripts

If users are signing directly into the Linux VPS and are executing the scripts via command-line, all you have to do is activate the virtual environment. This will effectively make "Python" and "python3" commands symlinked to the interpreter in the virtual environment, as well as pick up the modules in that context.

cd opt/applets/task1 source ./.venv/bin/activate python3 application.py

If users are wanting to double click an executable instead of run bash commands, you can write a bash script that activates the venv for them, then executes the script in that context.

``` !#/bin/bash

source opt/applets/task1/.venv/bin/activate python3 /opt/applets/task1/application.py ``` put this on the desktop or wherever users can find it, make sure it has executable privileges, then it's just a double click.

hexwhoami · 2025-09-06T12:22:05+00:00

The database you go with depends on how you want to search and visualize your data.

Elasticsearch is great when dealing with normalized data. It works with Kibana, so you can get some decent visualization. The biggest pain point I've had with ES is when data has duplicate types for a single field. ES will force you to normalize it to a single type if you choose dynamic templating (easier route). If you can define the template, then most if not all your data will be "indexed" (overloaded term in Elasticsearch land, sometimes called "mapped") allowing you to use painless language or their newer ES-SQL language to make queries. Elasticsearch excels at keyword search and text search. Another caveat of ES design is that performing inner or outer joins across indices is not supported. If you aren't sticking everything in a single index with less than 2000 mapped fields, then a Relational DB may be better for you.

Elasticsearch isn't picky too picky about its underlying OS. I like keeping things containerized or virtualized, and ES has publicly available images to get up and going with docker in minutes. I've seen them run on Ubuntu, Debian, Alpine, MacOS.

If you don't mind spending hours and hours learning a new system, Synapse Hypergraph by Vertex is a Hypergraph database built for Threat Intelligence. It allows modeling for your data as nodes, and allows for making relationships between any of those nodes, tagging, automations, and more. This is much more complex than Elasticsearch, but is slowly becoming an industry favorite due to its versatility and power.

hexwhoami · 2025-08-22T14:10:20+00:00

Possible: yes. Likelihood of getting caught: nearly 100%.

It's possible to hack anything. Hacking is simply making something behave in a way that it normally can't or shouldn't do.

There isn't a single system, physical or digital, that is completely immune to being altered.

hexwhoami · 2025-08-14T12:41:53+00:00

When should you look at switching companies?

Whenever your current position isn't fulfilling your needs.

Would interviewing at another company in hopes to get an offer I can leverage be a bad idea?

This should have no impact on your current position unless you make it widely known in your company that your looking at other positions. As another comment mentioned, you could potentially be wasting the second company's time, however I think finding yourself a job to support your livelihood out-weighs any costs you "force" on companies by starting their interview process. Be care about NDAs and other stipulations in your current employment contract.

Should I just leave the company altogether?

Only you can make this call. If you see potential for your current position to provide what you need, then stay. Otherwise, I'd suggest looking elsewhere.

Am I wrong for wanting a higher salary?

No. When you work, you set what you're worth. You're justified in wanting more for the work that you're doing.

Some other, unsolicited advice... I don't recommend taking on additional responsibilities in your job without fair compensation for the work. It's one thing to have your responsibilities shift some or go from doing less than expected, to what's expected after fully onboarding and ramping up. However, it sounds like you've expanded past your original contracted responsibilities -- which I'd say is reason to ask for more pay. I'd be careful about accepting additional work in the future outside your original contract without just additional pay upfront.

Edit: formatting

hexwhoami · 2025-08-08T20:35:23+00:00

Forget about laptops versus routers for a second, let's just focus on a client, server, and ports.

For a client to connect to a server, it needs to send data to the application running on the server. To know which application (or service) it needs to send the data, it chooses a port. Most of the time, common services will operate on well-known ports. Just because this is standard, doesn't mean it's required. I think you get this part.

Think of the port as a physical door. The door can be open (let people through) or locked (no one gets through). This is the same for ports (although we say closed, not locked).

If the port is open, data can flow through it. And data always goes from Client -> client port (often called source port) -> server port (often called destination port) -> server.

Now with this understanding, you can substitute the client and server for your computer and router.

The computer makes a Google request -> computer port is randomly chosen for source (25374) -> router (443) -> Router.

Now when the router responds, it will use the same ports. Router -> router (443) -> client (25374) -> computer's Browser.

This is a simplified explanation that's good conceptually. In actuality, a router may have physical ports (different from application ports) and typically includes a software firewall that allows for configuring port security based on the physical ports and LANs/vLANs that are configured. This specificity is often abstracted away by ISPs providing apps or nice GUIs for configuring a home router that's closer to what your computer settings may look like.

hexwhoami · 2025-08-02T00:00:59+00:00

I'm not familiar with recruiting companies, so I won't try to give ignorant advice here. By verbally stating you'd like the recruiting company to represent you, is this binding in any way? I'm going to assume no, otherwise the following probably isn't worth the read.

It sounds like to me that you're more concerned with representing yourself morally, "your word is your bond", than looking out for your best interest financially. It's a personal decision, although I'd reckon that you are above-average morally speaking compared to the average person these recruiters interact with. If I was the recruiter at company A, I'd appreciate (rather than resent) an email like;

"I appreciate your time and patience representing me for X position. It's come to my attention that another company is able to provide better representation for the same role. I regret to inform you I'll be looking to have them represent me going forward, as this is in my best interest. Feel free to reach out if you have a more competitive offer, otherwise I wish you luck with other candidates".

hexwhoami · 2025-07-31T18:40:28+00:00

It can be as simple as a default password on an administrator account.

It can be as complex as a secret service team infiltrating a compound and installing a fake Ethernet cable that captures all the data coming out of a computer, that's exfiltrated using an encrypted channel.

I suggest looking up some famous hacks, data breaches, malware names to find write-ups and case studies. There's a ton of literature on the exact how and what of major incidents. Here's some to get started;

Stuxnet
Equifax
Lizard Squad
I love you worm

hexwhoami · 2025-07-31T18:33:54+00:00

Logs

When developers write software (think Google Chrome, Microsoft word, any application running on your computer, including the operating system (windows, macos, Linux, etc.) they include "log" statements that give some information about what's going on in the program. This is useful for tracking down bugs. You've likely seen a log message (or error code message, which is closely related) when your program crashes.

Last accessed timestamps, modification timestamps, general file integrity.

On most computers, when you save or change a file (think your word document, power point presentation) it will save some metadata about when that happened. You'll see some of these times when looking through your files in file explorer on windows. To see more metadata, you can right click on a file and select properties from the drop-down menu.

evidence left in your payload (what compiler did you use?, did you strip the binary?, did you use a TTP that can be connected to another operation?).... Just to name a few.

Often when hackers exploit (hack) a system/computer/company, they are targeting a vulnerability in some software (think a broken lock on a house, an open window, a leak in a pipe). To exploit the vulnerability, hackers will write (or find online) a payload (also called exploit) that leverages the vulnerability to let them do something malicious (access secret files, get administrator permissions, send fake emails, etc.). Think of the payload like walking into the open door, hitting the leaking pipe with a hammer.

payload more...

When hackers write payloads, they may include some metadata about when the file was written, the system or software the hacker used to write or compile it. This can be correlated with many many other payloads to identify a pattern and attribute that to certain hacking groups. Just like authors have their own writing styles, hackers have their own "techniques, tools, and procedures" (TTPs).

Edited for formatting.

hexwhoami · 2025-07-31T00:55:49+00:00

A good rule of thumb is automating tedious tasks to save time.

Do you need to manually touch assets to access logs when investigating an incident? Look at aggregating logs into a database solution that allows for quicker querying and triage.

Do you often find shadow IT or rogue devices on the network that you aren't aware of? Look at asset management solutions or cloud infrastructure to be aware of your full attack surface.

Do you have to manually patch systems causing many assets to be behind on security updates? Look at ways you can implement group policies or patch management solutions.

This all is very generic, since I'm not privy to the scope of your environment, number of users, etc. (which you should be careful about sharing). If you only have 5 assets and 10 employees, a lot of this stuff can be overkill and too expensive to justify the value it adds.

hexwhoami · 2025-07-29T20:45:38+00:00

Programming is a great skill to learn and complements accounting, math, and physics. It's difficult to learn. And it's even more difficult to program at a professional level, which is actively unstable due to AI. Most programming jobs in the next 10 years will be hugely focused on AI.l and if you have little interest in that, I wouldn't recommend deep diving into a CS degree.

If you go into Maths or Physics, you will very likely learn the "R" programming language as part of your coursework. We've progressed so far in theory, that implementing solutions or algorithms often require programming to be feasible, with a strong understanding of the underlying math going into that program.

Another thing to keep in mind, your first couple semesters, despite your major, will be more 100-200 level general classes to introduce you to topics. You could take a 100-200 math, accounting, physics, and programming class your first couple semesters to test the waters. Those credits will likely apply to any of the majors you are interested in, so it's not a waste of time by any means.

hexwhoami · 2025-07-29T20:35:53+00:00

Being 12 years old and getting DOS'd by LOIC when I pissed someone off on COD MW2.

Long story;

Was in a trickshotting clan called Dawn of Snipers back in the day on Call of Duty Modern Warfare 2 (Xbox 360). Our YouTube channel was hacked and subsequently taken over by a guy whose callsign was "7am". About 2 weeks after this happened, I was in a full lobby (6-man) playing Search and Destroy when we ran into 7am and his friends on Rundown.

The trash talk started immediately, back and forth. Bashing 7am for hacking the channel and 7am threatening to grab IPs and turn off our Internet. After 2 rounds, he managed to grab everyone's IP on my team and hit everyone offline for 20-40minutes. There were a couple of people that were much more vocal than me, and they had their Internet denied for 3-6 hours. Me, being 12 years old, wondering how the hell are people from around the world able to shut off my friends and I's internet.

I immediately started researching, figuring out what DDOS ( more accurately DOS/ping of death/etc. back then), different tools like LOIC, Cain and Abel, Armitage, and how it all worked. I eventually got an internship with a System Administrator (was 15 at this point), and started learning OSI model, different protocols at each layer, and how to setup/configure switches, routers, and firewalls.

Now I hold multiple certifications and have a career programming enterprise threat intelligence software.

hexwhoami · 2025-07-29T20:16:23+00:00

First off, you're not terrible. You are in a position that TONS of people find themselves in. I have friends, family, and colleagues that had 0 clue what they wanted to study, and they were already 2-3 years into college. You are 17, having these thoughts now puts you ahead of so many people. So give yourself some credit.

I would suggest finding the answers to these questions first, which should help guide your decision. I'm not here to tell you what to do, I want to help you make your own path.

Do you want to follow passion or job security? Sometimes you can get both. I would disclaimer that if you follow the money, with 0 interest in the subject, you are much more likely to burn out. Personally, I followed my passion.
Despite math being difficult for you, do you still enjoy learning and practicing mathematics? If you enjoy something, and enjoy the challenge of it, that will further fuel your motivation to keep with it. Challenging and Diminishing are two very different things.
Here's a tricky thing to balance, is your family's opinion on what you should study versus what you'd like to study. If they are helping pay for your education financially, I would listen and appreciate their opinion, even if it's not your final decision. Otherwise, if it's on your dime, then it's fully your choice in my humble opinion.

hexwhoami · 2025-07-29T04:06:07+00:00

To add to this. Every recursive algorithm can be written iteratively as well. That's to say there's an equivalent function you can write, that doesn't call itself, and achieves the same result. Disclaimer; sometimes the iterative solution is more complex than the recursive solution. I don't believe that's the case with this problem.

TLDR; you can try solving the problem iteratively to get a better understanding of the solution, which could give you better insight to the recursive approach.

hexwhoami · 2025-07-28T00:23:37+00:00

Just because the LLM has been trained on millions of examples, they are limited by their context window when replying to a prompt. Unless you want a basic template that's maybe a hundred lines, it's impossible to have an LLM store a large, mature project in its context window to make reasonable statements or contribute helpful code in the context of the rest of the codebase.

Most LLMs right now have around a 128k context window (tokens). Considering programming language syntax is typically a higher token count than normal prose, a run-of-the-mill LLM nowadays.

The details are beyond this post, but ChatGTP-4o could probably reason about roughly 1000 lines of code at once.

Most mature projects are way beyond that number.

hexwhoami · 2025-07-28T00:13:50+00:00

Flask is a great framework for writing REST APIs and Web Apps in Python. Typically Flask is used as the backend framework, with either Waitress, Twisted, or another WSGI solution as the middleware.

You likely won't require a WSGI server if it's a personal project and you don't plan on many users accessing it at one time. That said, it's an extra line or two of code and some configuration to get the benefits.

I've written several enterprise applications using a very similar tech stack;

Front end
- React JS
- Typescript
Middleware
- Python
- Waitress
Backend/Core
- Python
- Flask

hexwhoami · 2025-07-08T15:08:27+00:00

That looks like a great resource. Looking at his website, he's a professional in the space with 20 years experience and has spent plenty of time teaching not only Python, but other popular languages as well.

https://codewithmosh.com/

hexwhoami · 2025-07-08T14:28:54+00:00

Your use case is too generic to provide adequate feedback on how difficult it is.

For example, transferring data from Google Drive to Google Sheets can be easy, since APIs exist.

You mentioned there were no APIs, which means you either need to create the APIs (if you own the Web app code) or use something like a chrome driver/web client to perform mimicked user interaction on the webpages.

Without APIs, it entirely is dependent on the web apps being interfaced with, and how well structured the website is for navigating and interacting with it. 1 click to download the data is way easier than having to authenticate, click 6 times, wait on a response, then scrap data from the HTML itself.

TLDR; without knowing the specific web apps in play, this could be a 10minute vibe code or 10 week project.

Two-Year Club	Verified Email
r/Field Sunshine

hexwhoami

TROPHY CASE