Ashkan Hosseini launched his first malware attack when he was 11 years old.
He put malware on a CD-ROM containing family photos and deleted everything off his family members’ computers.
As punishment, Hosseini wasn’t allowed to use a computer for a whole summer. Now, the 23-year-old is an intern for malware researcher Amanda Rousseau, who works for security firm Endgame. She’s been in the cybersecurity industry for almost eight years and investigates malware attack techniques.
Rousseau gets messages from young people who were once in Hosseini’s position: Smart kids manipulating code to do serious damage.
They ask her for advice — through direct messages on Twitter via @malwareunicorn and other chat platforms — about how to create malware and hack accounts or computers.
She tells them the same thing every time: “Don’t.”
“I can teach you how to reverse [engineer], but I am not going to teach you how to hack,” she said. “Not because I can’t, but [because] morally, I won’t.”
The concept of reverse engineering is to take apart the code and composition of something, like malware, to figure out it works.
Amanda Rousseau, a malware researcher at security firm Endgame, helps teen hackers use their skills to build careers
Rousseau says other experts in the field are frequently asked similar questions from young hackers, but some are more comfortable than others answering.
The teens she talks to are often active in toxic online environments like anonymous chat rooms where people encourage illegal behavior for fun, money, or notoriety.
But Rousseau suggests those interested in hacking consider a career in information security, an industry expected to have a talent shortage over the next five years.
Rousseau, who formerly worked with the U.S. Department of Defense, says she doesn’t want to see kids get arrested for stupid mistakes.
“I know how the consequences can ruin lives,” she said.
Hosseini spread malware to family computers for fun, but he soon realized the consequences.
“I never did it again,” he told CNN Tech. “My relatives were crying on the phone. But my parents said if you’re interested, we ‘can buy you programming books.'”
Hosseini was lucky. If the malware had gone further than the family circle, he could have been prosecuted like other young hackers.
Earlier this year, 23-year-old Andrew Otto Boggs was sentenced to two years in prison for hacks targeting U.S. officials. As a part of a hacking group, he gained access to online accounts belonging to government officials and computer systems, and harassed the victims and their families.
An anonymous researcher, who goes by the handle @one_researcher on Twitter, is among the teens Rousseau has mentored on the social network. The 19-year-old, who asked to be identified only by the handle, got in trouble with law enforcement agencies for allegedly launching distributed denial of service attacks on two websites.
Rousseau worked with him to reverse-engineer malware code and continues to advise him on career opportunities.
Rousseau believes a mentor or adult adviser already in the industry — on the right side of the law — is necessary. She encourages young people interested in security to attend local hacking meetups and tech events to get to know more people in the field. Twitter is a good place to start following individuals and opportunities in the community, she suggests.
“A lot of these kids discover [hacking] on their own, find groups online and are anonymous among other anonymous people,” she said. “But they should meet face-to-face with others in their community.”
Andrew Morris, cofounder of security firm Animus, Inc., echoes the importance of having a mentor. As a teen, he hacked to escape personal issues in his home life.
“Initially, I tried to backdoor my friends’ computers and then moved on to stuff like my high school district’s computers or local organization websites,” Morris said.
A backdoor is a secret way to access someone’s computer.
Morris, now 24, eventually developed ethical concerns about illegal hacking. He became a pentester — an “ethical hacker” companies hire to test the security of their systems. Morris recently started his own cybersecurity company.
“You can’t hack your way out of [bad] interpersonal relationships or emotional or mental problems,” he said. “But you can build an amazing career with it.”
CNNMoney (New York) First published July 12, 2017: 11:48 AM ET