And if security is your ultimate interest, I really don’t think JavaScript is the best choice. How about Ruby? It’s still used quite often in web apps (so you can build simple things right away), and the Metasploit framework is built around it so you can study the source code of hundreds of actual exploits. Plus it has the awesomest beginner’s guide ever (if you like quirky and comical): Why’s Poignant Guide to Ruby
You guys are awesome 
I just started reading C++ How to Program, 8/e, Early Objects Version–Deitel
How exciting
That’s a good approach too. But anything that gets him coding will help.
And if you want to know the “right way” to code something, ask me. My way is best.
Surely those who know more than me will be able to confirm or infirm this: Is phishing a significant part of hacking? There are of course random spam emails which attempt to do this but is phishing still used for important selected hacking targets?
As the original question has been nicely answered and hopefully there are still some good programming types reading the responses, can I perhaps piggyback in a related question?
My nephew is 14 and quite computer savvy (at least as a user), and talks about being interested in pursuing a career in game design / creation, perhaps. What would be the best languages to learn now to set him in good stead for potentially getting into that field? I assume (with no real knowledge) that a lot of the big game designers will have their own specific systems and programs the game are created in, but any advice on where best to start would be much appreciated; thanks.
Time to don the asbestos suit.
There are lots of opinions about learning to code, and what language to start in. But one that I will advise to stay as far way from as possible, unless you be permanently ruined, is C++. Take that from someone who is black belt level C++ and has hacked it for a living for many years. It is a language that should have been strangled at birth. (Something that has bee said about Javascript too actually.) C++ has the advantage that a lot of open source code is in it, and it is the default language for hacking Linux. It has the disadvantage of providing just about every feature it has in a flawed manner. Anyone can cut code in C++ once they know how to program, but trying to learn to program in C++ is not a joy.
I while ago I was discussing the choice of teaching language with some old colleges. They had just decided to change language - dropping Java. With some horror I discovered that they had actually chosen C++. Despite a lot of very poor experiences in other universities. (Some idiotic arguments about a “real programming” language was used.) My thoughts were simple. There is no one good learning language. A rounded programmer needs to understand very clearly coding for bare metal, all the way up to very high level abstractions. Languages that claim to do it all are simple lying. So my answer was that they should teach C and Python. I still stick with that. C is a perfectly good glorified assembler, and will teach you everything you need to know about bits and bytes, and allow you to code to the metal. Python is great for crafting complex code quickly, and it provides the code capabilities for coding in many styles and paradigms. If you want OO code style, it has it - and it makes it explicit what is going on (unlike C++ that simply lies.) All IMHO.
(Removes asbestos suit. Retires to bed.)
Hacking is a noble art.
A hack is an elegant, neat, even beautiful bit of code that achieves something difficult. A hacker is someone who is capable of crafting such code.
Sometime in the 80’s the term got misapplied to people who used technical skills to break into computer systems. Sometimes these skills might involve a hack or two. “Cracker” was once proposed as a better term, but it never really caught on.
Phishing is simply a modern form of mail fraud. There is no technical knowledge required at all for this. A lot of fraud is based upon social engineering, as have been a lot of security attacks on computer systems. No surprise here. The spooks have been doing this for centuries. As do a lot of salesmen.
Yes. In fact it has become more important, not less. Highly targeted phishing attacks are now commonplace. “Spear phishing” Here a phishing lure can be automatically crafted to fit the recipient very precisely. Your LinkedIn profile is a good place for such things to start. Automatically crafted conference invitations that appeal exactly to your interests, with links that lead to malware filled sites. And so on.
To Francis Vaughan:
What’s your opinion of learning on ANSI-C rather than C++? In the early 90s I had a background in BASIC and Pascal but everyone was using C. I found myself at a job with a lot of freetime with the UNIX server and I bought “UNIX in a Nutshell” and the “C Programming Language” by Kernighan and Ritchie. I eventually built a database with UNIX-C and it seemed to me that saying I knew ANSI-C was a lot better in the field than C++ but I soon moved into teaching and never got a chance to see if learning ANSI-C would really pay off.
I’ve often heard or read the opinion (in certain circles at least) that ANSI-C is the real thing that is in demand, and that C++ is shit. So I know that the sentiment is out there. More generally, I’ve read the opinion in various places that OOP in general hasn’t proved to be all that it was advertised to be.
Ever since Pascal first blighted out planet (circa early 1970’s), I’ve thought it was an utter abomination, the mass promulgation of which by the academic Computer Science community set back the progress in the field by 50 years. Kernighan agrees.
Even considering its “quirks”, isn’t C++ still pretty much considered need-to-know in the industry?
C++ seems to be very mainstream now. I know the company that I work for has transitioned a lot of the software development from C to C++.
You don’t get to be a hacker by learning one computer language. It doesn’t matter what you start with, you need a baseline to understand the principles that will be shared by all languages, and those that have unique methodologies of their own. The hacker doesn’t code for the simple accomplishment of a single goal, he codes to increase his knowledge.
For the hacker, it is not the end, it is the way. It’s Zen-like.
K&R is a classic book, and considered by many to be one of the great books of programming, as well as being an exemplar of how to write such books. C is rather a niche language now for mainstream coding. What sets the mainstream languages apart is the infrastructure that surrounds them. The libraries, the integrated environments, and support for coding in the large. C is limited in this respect. Now you get C#, if you code for Windows, C++ if you code for Linux, and Objective C if you code for Apple. (Although MS are backpedalling a bit here.) All claim to be OO, although only Objective C looks like a real OO language. Objective C and C# are proper managed environments, something that makes for a big difference. C++, like C still requires hand coded memory management. C++ also inherits C’s low level include system, and doesn’t have a proper interface management system.
C is great as a purist clean and simple language. What you see is what you get. It has a few annoying quirks, but all languages have their share of those. But you won’t see many new projects starting out with C.
Years ago a college remarked that C++ was a language that had all of C’s disadvantages and none of the advantages of an OO language.
If you can code in C, and have a reasonable understanding of data structures, algorithms, and some simple theory, I can teach you to code in an OO style, and get you coding in C++ in a day. The same lessons will translate to Python, Objective C etc. Trying to learn OO directly in C++ will do your brain in, and trying to unlearn the weird quirks of C++ to code in another language will not be fun.
There’s a lot of focus on programming here, and it is important to know, but I think for hacking (meaning: finding security exploits), more important is the knowledge of how computers and especially operating systems and the software backing popular apps work.
If you know how SQL databases work, and how web apps interface with them, there are dozens of exploits you can find with no programming whatsoever. Just by formatting a string correctly and putting it in a URL query string or cookie or POST field.
The OP isn’t asking about cracking (which is commonly erroneously referred to as hacking). Check out the above “How to become a hacker” link for a good description of what a hacker is. Short description–hackers make things, crackers break them. Granted some hackers are also crackers, but most crackers don’t have a hacker bone in their bodies.
On a side note there are some who would argue that being a hacker, like being cool, is something you cannot aspire to, and that the label can only be applied by others.
Did you read the thread? The OP specifically mentioned Pwn2Own in the first post, and subsequently explained that s/he wants to work “offense and defense for security for the government”.
Without getting into an argument about descriptivist vs prescriptivist use of the term “hacker”, it’s obvious that s/he IS interested in breaking things too, albeit in a relatively white-hat (or at least legal) fashion.
beyondimagination07, are you still there? Have you written and run your first JavaScript (or whatever language) program yet? Even if it does no more than display “Hello, World!” somewhere? Every hacker’s gotta start somewhere!
How to become a hacker ?
Be born as a “script kiddie” … and grow up…
Seriously, there are script kiddies… You learn by downloading and downloading , and understanding the examples provides.
The difference is that a “script kiddie” only uses the exampled providers, the hacker then develops something new…
I once acted like a hacker. I needed to hack two linux servers. So I learn the FTP server versions and then altavistad (I mean googled… no … searched… you get it ?) the exploit code for each version…
They were my employers own remote servers that I was locked out of.
The servers were firewalled so that only company IP addresses could get to them., hence the disinterest in watching out for exploits.
So that gives you a clue how to operate.
As a system admin… Try to find out about the complete list of weaknesses of your versions, and mitigate the weaknesses as best you can. (fully, or block the hacker getting administrative access , or to make an alarm system that just detects the intrusion by that method… )