David Kennedy exhibits many characteristics that are typical of a hacker; but he is by no means a typical hacker.

He started very young by taking apart his Teddy Ruxpin (an early electronic bear-like toy animal known as an ‘Illiop’) to see how it worked. He went on to fail high school, joined the Marines, nearly died in Iraq, worked for the NSA, was a core developer of Metasploit, wrote the Social-Engineer Toolkit, and is now founder and CEO of TrustedSec and co-founder and chief hacking officer at Binary Defense. 

Throughout this hacker evolution and career runs an infectious sense of humor and the almost obligatory neurodiversity.

While young, Kennedy’s family moved around – he had little opportunity to form childhood friendships. At the same time, his ADHD hampered his schoolwork, but helped in other areas. 

“I found my home on computers,” he said. “I started playing early multi-user dimension games [MUDs, the precursors of MMPORGs]. And I found a community of folks. I had my hacker handle [ReL1K], and I started getting into C programming. at that point. So, I became a mod or an admin for one of the larger multi dimensions, and I got into some C programming at that time. I was coding new additions, new expansions onto those games. I found my home in technology, and I could sit in front of a computer for three days straight without sleeping – no problem.”

David Kennedy (@HackingDave), founder and CEO of TrustedSec and co-founder and chief hacking officer at Binary Defense. 

This begs the question: how can a young person (gender is irrelevant here) succeed in teaching himself C programming but fail at schoolwork? “I can’t learn from books,” he said. “I’m not interested in books. It’s just how my brain works.” School, as we all know, is all about ‘book-larning’. 

He couldn’t do that; so, he failed school – not because he was dumb but because he was ADHD. Schools often fail to recognize or accommodate neurodivergence, and intelligent people slip through the educational net – the very intelligent find outlets elsewhere, often in computing and technology because it can be hands-on without books.

“I basically failed out of high school. I had to go to summer school just to pass because I hated reading books. The way that I learn is following the way that my brain works and doing it that way. I could read an article on circumventing ASLR, and it would make no sense to me. But if I get into a debugger and I start looking at how ASLR works, then I would be, “Okay, this is how it works’.”

His was not an uncommon beginning for hackers.

When he left school, he felt he had a choice: college, which he neither wanted nor could afford, or the military. He joined the Marines. “It’s one of the best decisions I ever made. I still view a lot of my success, the way I’m able to hone my skills, the way I’m able to learn, the way I’m able to put things into perspective and overcome challenges – it’s all because I was a Marine.”

Being a Marine is tough. They break you down and build you up into something better. More specifically, however, was his ASVAB (Armed Services Vocational Aptitude Battery) score. He got a very high score, even though he had failed to excel at school. That high score enabled him to choose his own Military Occupational Specialty (MOS). He chose military intelligence.

Being in ‘intel’ does not excuse a Marine from active service, and Kennedy served in both Iraq and Afghanistan. He was attached to Special Forces teams, tasked with gathering information to support missions. He had to get into enemy networks, crack encryption, disrupt the transmissions that detonated IEDs on the fly in an active warzone. He was still only around 20 years of age, and there is little doubt that these experiences shaped his attitude toward hacking.

It wasn’t the cushy job that he had expected, but it did extend to working at Fort Meade with the NSA on more conventional cyberwarfare activities.

In very simple terms, it could be suggested that Kennedy’s ADHD and nomadic childhood channeled him toward technology; while his dislike (or inability) to learn from books channeled him toward ‘breaking’ things as the best way to learn about them – learning from the inside out (what it does) rather than the outside in (reading treatises).

Breaking things is the essence of hacking, although not the most common motivation. For many hackers, the motivation is intense curiosity bordering on obsession to take something apart to see how it works, often coupled with a desire to make it work better or differently.

For Kennedy it is slightly different. His need is to solve a problem – like how to prevent IEDs being triggered remotely. The only way to solve this problem is to break, or hack, the methodology. It is a problem that must be solved rather than software that can be improved or manipulated. 

This subtle difference has further ramifications. Many, but by no means all, young hackers now considered ‘ethical’ hackers will admit to having considered using their skills for personal gain. Not Kennedy. “Never. Not once. Not even a little bit.”

He believes this moral rectitude comes from two separate aspects of his upbringing: firstly, his parents and secondly his experiences in the military. “I had amazing parents who instilled great ethics,” he said. The military experience, including an epiphany in Iraq, fomented the concept of service to the public. “I almost died. I thought – and was pretty certain – I was going to die. I remember looking up at the sky and thinking, if I make it through this, I will treat every single day like it’s a gift and I will try to make the world a better place because there’s so much wrong going on out there.”

Another surprising element in Kennedy’s upbringing is he provided little evidence of playing technological pranks on other kids at school. But any idea that his moral rectitude created a boring, humorless adult dedicated solely to the good of humanity would be far from the truth. The adult Kennedy has a wicked sense of humor.

He gave two examples. For the first, he had been trying to develop a zero-day exploit that used a trampoline attack on memory allocation for remote code execution. But it was only 20% successful. Eighty percent of the time it just blue-screened the machine. But while separately doing a capture the flag at a Louisville InfoSec conference, he noticed the guy running the CTF had left his machine on the network. He tried his zero-day – and it worked.

“I was able to get a shell in his box. It had all the CTF videos on how to complete each CTF itself. I didn’t watch them or anything like that, but I walked over to the organizer with them: ‘Hey, man, these are great videos you posted online.’ He freaked out.” No harm; just a prank.

A second example occurred – it may be more accurate to say it still occurs – in his own company. “We always play pranks on each other here at the office, especially when we have a new exploit or a new way of doing things, and I’m usually the brunt of it. One of the folks backdoored one of our web apps and harvested my credentials – and sent emails supposedly from me to the entire company. We’re always doing that sort of thing. You must have some fun. It keeps things exciting and exhilarating.”

While Kennedy has an unusual approach to hacking, there is one area where he agrees with almost every other hacker included in this series: a strong reluctance to pass moral judgment on any other hacker – whatever color the hat ascribed.

One of his best friends was the late Kevin Mitnick. “He was #1 on the FBI Most Wanted list. He hacked DEC, Motorola, Novell, Nokia, and Sun Microsystems (among others); but he never did it for malicious purposes. It was for the rush, the fun, the excitement, the curiosity. Was that blackhat? He was technically doing it illegally, yes; but it was never for malicious purposes.”

Kennedy went on to suggest that all hackers have a different blend of Mitnick-like curiosity and situational pressure. It is the latter that can cause a veering away from the concept we loosely call ‘ethics’.

“I’ve had the opportunity to talk to blackhats. A lot of times they don’t view themselves as doing anything bad,” he explained. “‘Hey, we’re going after these billion dollar corporations, and who cares? They’re against us anyway, because we’re in Russia and they’re in the United States, and they’re our enemies.”

Is that fundamentally malicious or primarily situational? “I think there’s a lot of different world views that come into this,” he continued. “And I’m not saying what’s right or wrong – to me, there’s a clear right or wrong – but at the same time, I can understand different perspectives based on where people come from. If you look at the Conti Leaks, Conti employed folks from all over the world. They’re paying them, like 200 bucks a month, 300 bucks a month, but this was like mind-blowing money to these hackers, because they had no other avenue or opportunity.”

(For what it’s worth, this author engaged with a phone scammer during attempted social engineering. When asked why he (an Indian or Pakistani) was doing it, he replied, ‘It’s just payback for all the robbery your country perpetrated against my country during the Raj.’)

Ethics, or clarity over right or wrong, is a very situational concept – and most hackers, including Kennedy, believe this.

David Kennedy is a hacker. There is no doubt about that. He has qualities common among hackers, but also many differences. Neurodiversity is one commonality. It is not a requirement for hackers but is a common characteristic. Its symptoms can be alleviated by medication, but Kennedy eschews this route. “It’s my superpower,” he says. It’s what enables him to engage in multiple simultaneous chains of thought (the ADHD side of ASD) but at other times to focus intensely on a single problem over a long period of time when necessary (the Aspergers side of ASD). It also makes him great fun to talk to, if you can keep up.

He has never deviated from a strong built-in moral compass. Many hackers go through an early period best described as ‘shady’ – not simple maliciousness, but early attempts to demonstrate kudos and improve social standing among friends for personal benefit. As an adult, however, Kennedy gets pleasure in playing harmless tricks on other people. He believes that having fun and creativity in work is essential for maintaining peak performance.

He is not motivated by the more common desire to break something apart to be able to remake it better or change its purpose. His motivation is problem-solving. He breaks something apart to find the cause of the problem so that he can solve it – and he must do it this way because he cannot learn from books, essays or technical whitepapers. It’s what we’ve called ‘learning from the inside out rather than the outside in’. (As a young child he took apart his early toy Teddy Ruxpin. He put it back together, but it was never as good as before – he neither changed it nor improved it, perhaps because there was no initial problem associated with it.)

He suggests that joining the military was the best decision he ever made. The aptitude tests helped steer him toward a career in intelligence and technology despite having no academic qualifications (the Gulf War was probably the first time that cyber began to converge with kinetic warfare), while the nature of being a Marine helped cement his desire to help people while instilling self-discipline.

All in all, David Kennedy is best described as a hacker, but he’s not quite a typical hacker.

Related: Hacker Conversations: Tom Anthony and Scratching an Itch Without Doing Harm

Related: Hacker Conversations: Chris Evans, Hacker and CISO

Related: Hacker Conversations: HD Moore and the Line Between Black and White

Related: Hacker Conversations: Casey Ellis, Hacker and Ringmaster at Bugcrowd