grendel-khan

I had the good luck to chat with a high-school student who was interested in doing the most good she could do with hacker skills. So I wrote the letter I wish someone had written me when I was an excitable, larval pre-engineer. Here it is, slightly abridged.

Hi! You said you were interested in learning IT skills and using them for the greater good. I’ve got some links for learning to code, and opportunities for how to use those skills. There’s a lot to read in here–I hope you find it useful!

First, on learning to code. You mentioned having a Linux environment set up, which means that you have a Python runtime readily available. Excellent! There are a lot of resources available, a lot of languages to choose from. I recommend Python–it’s easy to learn, it doesn’t have a lot of sharp edges, and it’s powerful enough to use professionally (my current projects at work are in Python). And in any case, mathematically at least, all programming languages are equally powerful; they just make some things easier or more difficult.

I learned a lot of Python by doing Project Euler; be warned that the problems do get very challenging, but I had fun with them. (I’d suggest attempting them in order.) I’ve heard good things about Zed Shaw’s Learn Python the Hard Way, as well, though I haven’t used that method to teach myself anything. It can be very, very useful to have a mentor or community to work with; I suggest finding a teacher who’s happy to help you with your code, or at the very least sign up for stackoverflow, a developer community and a very good place to ask questions. (See also /r/learnprogramming’s FAQ.) The really important thing here is that you have something you want to do with the skills you want to learn. (As it is written, “The first virtue is curiosity. A burning itch to know is higher than a solemn vow to pursue truth.”) Looking at my miscellaneous-projects directory on my laptop, the last thing I wrote was a Python script to download airport diagrams from the FAA’s website (via some awful screenscraping logic), convert them from PDFs to SVGs, and upload them to Wikimedia Commons. It was something I was doing by hand, and then I automated it. I’ve also used R (don’t use R if you can help it; it’s weird and clunky) to make choropleth maps for internet arguments, and more Python to shuffle data to make Wikipedia graphs. It’s useful to think of programming as powered armor for your brain.

You asked about ethical hacking. Given that the best minds of my generation are optimizing ad clicks for revenue, this is a really virtuous thing to want to do! So here’s what I know about using IT skills for social good.

I mentioned the disastrous initial launch of healthcare.gov; TIME had a narrative of what happened there; see also Mikey Dickerson (former SRE manager at Google)’s speech to SXSW about recruiting for the United States Digital Service. The main public-service organizations in the federal government are 18F (a sort of contracting organization in San Francisco) and the United States Digital Service, which works on larger projects and tries to set up standards. The work may sound unexciting, but it’s extraordinarily vital–veterans getting their disability, immigrants not getting stuck in limbo, or a child welfare system that works. It’s easy to imagine that providing services starts and ends with passing laws, but if our programs don’t actually function, people don’t get the benefits or services we fought to allocate to them. (See also this TED talk.)

The idea is that most IT professionals spend a couple of years in public service at one of these organizations before going into the industry proper. (I’m not sure what the future of 18F/USDS is under the current administration, but this sort of thing is less about what policy is and more about basic competence in executing it.)

For a broader look, you may appreciate Bret Victor’s “What Can a Technologist Do About Climate Change?”, or consider Vi Hart and Nicky Case’s “Parable of the Polygons”, a cute web-based ‘explorable’ which lets you play with Thomas Schelling’s model of housing segregation (i.e., you don’t need actively bitter racism in order to get pretty severe segregation, which is surprising).

For an idea of what’s at stake with certain safety-critical systems, read about the Therac-25 disaster and the Toyota unintended-acceleration bug. (We’re more diligent about testing the software we use to put funny captions on cat pictures than they were with the software that controls how fast the car goes.) Or consider the unintended consequences of small, ubiquitous devices.

And for an example of what 'white hat’ hacking looks like, consider Google’s Project Zero, which is a group of security researchers finding and reporting vulnerabilities in widely-used third-party software. Some of their greatest hits include “Cloudbleed” (an error in a proxying service leading to private data being randomly dumped into web pages en masse), “Rowhammer” (edit memory you shouldn’t be able to control by exploiting physical properties of RAM chips), and amazing bug reports for products like TrendMicro Antivirus.

To get into that sort of thing, security researchers read reports like those linked above, do exercises like “capture the flag” (trying to break into a test system), and generally cultivate a lateral mode of thinking–similar to what stage magicians do, in a way. (Social engineering is related to, and can multiply the power of, traditional hacking; Kevin Mitnick’s “The Art of Deception” is a good read. He gave a public talk a few years ago; I think that includes his story of how he stole proprietary source code from Motorola with nothing but an FTP drop, a call to directory assistance and unbelievable chutzpah.)

The rest of this is more abstract, hacker-culture advice; it’s less technical, but it’s the sort of thing I read a lot of on my way here.

For more about ethical hacking, I’d be remiss if I didn’t mention Aaron Swartz; he was instrumental in establishing Creative Commons licensing, the RSS protocol, the Markdown text-formatting language, Reddit and much else. As part of his activism, he mass-harvested academic journal articles from JSTOR using a guest account at MIT. The feds arrested him and threatened him with thirty-five years in prison, and he took his own life before going to trial. It’s one of the saddest stories of the internet age, I think, and it struck me particularly because it seemed like the kind of thing I’d have done, if I’d been smarter, more civic-minded, and more generally virtuous. There’s a documentary, The Internet’s Own Boy, about him.

Mark Pilgrim is a web-standards guy who previously blogged a great deal, but disappeared from public (internet) life around 2011. He wrote about the freedom to tinker, early internet history, long-term preservation (see also), and old-school copy protection, among other things.

I’ll leave you with two more items. First, a very short talk, “wat”, by Gary Bernhardt, on wacky edge cases in programming language. And second, a book recommendation. If you haven’t read it before, Gödel, Escher, Bach is a wonderfully fun and challenging read; it took me most of my senior year of high school to get through it, but I’d never quite read anything like it. It’s not directly about programming, but it’s a marvelous example of the hacker mindset. MIT OpenCourseWare has a supplemental summer course (The author’s style isn’t for everyone; if you do like it, his follow-up Le Ton beau de Marot (about language and translation) is also very, very good.)

I hope you enjoy; please feel free to send this around to your classmates–let me know if you have any more specific questions, or any feedback. Thanks!