Thursday, March 5, 2009



“As with any type of competition, 'smack' talk became prevalent in online gaming. Phrases such as 'I am elite' became common place, and somewhere down the line l33t speak crept in, reforming the phrase into '1 4m 3l1t3' in order to demonstrate that the speaker was a hacker and someone to be feared. It was further exaggerated by purposeful bad spelling and eventually wound up as something like this, '1 4m 3l33t!' and simplified to, '1 4m 133t'. Hence the name 'l33t speak'.”

JahBreeze. “Urban Dictionary: l33t.” Urban Dictionary.  18 Nov 2005

In the past I have asked clients, colleagues, and security professionals what the slang word in the hacking community known as ‘l33t’ suggests to them. Many times I have heard the response “To be l33t or elite in the security community, an individual has to be able to perform exploit development.” Although I will not argue that exploit development is very important within the security community and without these professionals I would not be able to perform my job as a penetration tester as successfully as I currently do, in many ways I disagree with this statement.

For those who aren’t familiar with the term ‘exploit development’, in the simplest form, it is the ability to find flaws or vulnerabilities in software or hardware and then develop code, usually in form of a script, to exploit that specific vulnerability. The question becomes, are all exploit developers l33t? It all depends on one’s definition of the word, but I certainly do not think so. Exploit developers contain a certain skill set which allows them to be good at what they do, which in this case, is exploit development. This is no different than receptionists being good at what they do. Can everyone perform exploit development? Certainly not, but not everyone can be a receptionist either.

Exploit development is certainly a skill that can be obtained by individuals who have the aptitude to learn the material. In other words, most exploit developers are not born into it. Like most professions, exploit developers study and learn the material until they obtain a certain skill set which allows them to be good at what they do. With that said, who really deserves to be l33t? Again, it is all in one’s definition of the word. Do I think I am l33t? Absolutely not! I perform my job as a pen tester well but this too is a skill or profession that can be taught to a willing individual.

The individuals who deserve this title, in my opinion (emphasis on “my opinon”) are those that discover new attacks. Individuals such as Robert Morris or Kevin Mitnick who, back in the day, discovered a weakness in the TCP protocol and went on to exploit this weakness. Perhaps, the security researchers that discovered the weakness in WEP could be considered l33t. This is a skill set that in most cases cannot be taught but requires thinking outside the box along with putting many pieces of the puzzle together in order to discover new ideas that aren’t previously known. Many exploit developers are using the same tricks and tactics as their predecessors have to discover and exploit vulnerabilities. This is not to say that one can’t be an l33t exploit developer, but simply being an exploit developer does not make one l33t.

In summary, the security community is composed of many security professionals, all of which have unique areas of expertise. Without all of these skill sets working in unison, the security community would not be as effective as it currently is. Each skill set has, so called l33t individuals, but by simply possessing one skill set as opposed to another does automatically qualify and individual as l33t.

No comments: