Avoid the Fake Fast Road to Success and Knowledge CyberSecurity edition

I was writing my script and guide for the From Noob to CyberSecurity Pro blog article (and possible video) which I started writing in June.

I wanted to prove a point about how the news makes programming and hacking seem so easy by stating that there are 13 year old hackers/prodigies/programmers.
Then i decided to search on google for similar fake stories since you can't possibily be an expert at such an young age. Leave Mozart be, he had training from the age of 3 and of course at the age of 13 he was proficient. Expertise comes with years of training. No wonder in that!

I ended up finding thousands of references to this young elite penetration testing mega hacker called Tahir

S

Ahsan. He learned to become a hacker at age 12! In only 1 year he was able to haaxooor the world wide web my friends!

I've started writting this article because I believe that we should'nt always believe what the news is reporting. A lot of self inflated ego's out there. Can you really master a field in 1 year?
If you've had previous experience for let's say 10years in a similar field and are dedicated at working 8 hours a day then you can advance in your chosen field quite fast.
But if you have no prior experience then 1 year is not even enough time to grasp the basics.

NOTE: This article contains my personal view. It was written in June as an analysis. I've decided to post it now for the basic concept it contains. Most of the things are still valid today, next year and in 10 years from now. 

It takes time to become good at anything. Mastery is an ongoing process of gaining experience.

Case Study on Cyber Security expertise

Aparentlly Ahsan  "hacked" Google and Microsoft. Oh yeah boy. We have a real hacker.
I was really intrigued to find out how and why,. All i could find was that he might have reported some bugs in some apps.
That was discouraging. Why? Most of the news websites talk as if he really hacked into something.
I'm not downplaying that a bug can be a cause for havock I've seen this happen. However what I'm upset about is that the marketing/branding scheme here seems to misinform what he actually does.

When such a thing happens I usually tend to give it NO importance. But i was intrigued that nothing else existed about him other than the same text repeated over and over again on all the damn websites.
It's like the boy ran an automated script e-mailing everyone with his great achievements.

What made me really dig into this was the fact that he claims that he has learned hacking in only 1 year. From 12 to 13. I have to hand it to him, he is a genious if he managed to learn it so fast.
But by closer inspection and some fiddling around I actually confirmed my initial hunches. It's just a script kiddie who has followed some youtube videos. He has probably read some "elite hacking" books and has installed all the k3wl script kiddies tools to autoh4x0r systems! He seems to have chosen Web Penetration testing as a main theme.
A big congratulations from my part to him since he has chosen a field which will ensure he will always learn new things and hopefully have fun.

I've followed Tahir a bit on hackerone and some sites where he publicly posted his "findings".

It's funny to say but most of the them when he published something and they disclosed the information I started laughing out loud.
I mean this guy is really funny in the way that he has a lot of confidence in what he's reporting. The confidence which usually is lacking in other people.
I wouldn't even have the guts to report these low level things since if I don't have a Proof of Concept that actually works and is able to bring down the server or make changes I'd tend to think any possible fake "vulnerability" is just a waste of time. My time and the developer's time.

My initial view was that he seemed to be on the Fake Fast road to success and knowledge.
I have to hand it to him that he's really smart in the way he goes about everything. Most of the disclosures are on simple XSS or CSRF injection stuff that I'd disconsider from the start because I figured out everyone must possibly already know about this, right? WRONG. Seems he enjoys posting low level things.

Click here to hide the examples

Conclusion(s)

A lot of marketing and branding and I have to hand it to him and whoever is helping him out. He's recieved a lot of attention.
Does he know cyber security? I'd say he memorized a few things and always goes for those. Just like some Managers and HR people use jargon all the time.. I'm curious how he's on the Reverse Engineering stuff. How good he's with Linux and real networking security.
Real threats and vulnerabilities disclosed by this bad boy? Probably 0.
Real high severity threats publicly disclosed by me? 0
Ah, the reasons why I didn't go fulltime in Cyber Security? The world is full of scriptkiddies.
Well if this guy claims to be a Security Researcher and the entrance barrier is so low then I'm probably one too without realizing it! Talking about the Dunning–Kruger effect!
The ONLY reason he got into security research was that from posting 100 bugs he might get 5 of low severity right and make some money to buy games.
Now, I've only analyzed this guy, I'm pretty sure there are hunderds like him doing the SAME things:)
No real security discoveries here. Just in for the $$.
The Fake Fast road to success and knowledge is a path that many people want to take. It's why the self development industry has gotten so much attention and why there are thousands of books written on suc htopics. The truth is that no one is going to become rich nor famous overnight. It takes time, hardwork and dedication.

People look up to those who seem to have it all. Most don't realize that appearances and branding make things look better than they are. When someone is telling you that he's doing awesome he's probably not doing any better than you do.
If you want to achieve something, start preparing and doing the work needed for 1 hour a day, every day at the same time. 1 hour is enough to become proficient in 10 years.
Even if you're 20 right now think that you'll still live to work untill your 70's. That 1 hour a day means that in 20 years you will become an expert. Want to do it faster? Increase the time spent.
Mastery comes to those who  are willing to invest enough time.