The long, awkward silence is always the first sign that a previously over-confident hacker realizes he's suddenly become the victim. It happens every time.The malicious hacker had been firing his \u201cion cannon\u201d at my network address trying to overwhelm my home computer and internet connection. I had sent him an email the day before letting him know that I knew who he was, what he did for a living (he was a budding wedding photographer), his name (Rick), and that he was newly married to a beautiful girl. That\u2019s enough to frighten off most hackers, but sometimes, like Rick, they persist.On his private, Tor-protected instant messaging channel, Rick was telling his buddies that he was getting ready to launch an even bigger distributed denial-of-service (DDoS) attack against me. He had been using a child-like hacker tool, but now he was thinking of paying a professional hacking service to attack me.DDoS attacks, where hundreds to hundreds of thousands of otherwise innocent computers and devices can be directed to attack one targeted victim, can be devastatingly hard to stop \u2014 not just for me, but for anyone, nearly any company. The sustained flood of malicious network traffic consisting of billions of unwanted digital bits can knock all but the biggest and richest companies (think Google) off the internet. Once they start, the victim (in this case, me) can be kicked off the internet for several days.I broke into his messaging channel and told him to knock it off. The hesitancy in his reply let me know that I had caught him off guard. He responded by calling me several unprintable names and accused me of being someone already a member of his hacker forum. When I replied that I wasn't, he renewed his taunting and said I would regret breaking into his private forum. I politely asked him to quit trying to attack me because I had to real work to get done.The next night around the same time, I could tell by the sluggishness of my internet connectivity that the threatened DDoS attack was starting to happen. If I didn\u2019t do something soon I was going to be out of commission for days. So, out of pure frustration of having to meet a work deadline, I hacked into his computer.I had identified the computer and software he was using (this is known as \u201cfingerprinting\u201d in the hacker world), and I knew he was using an outdated firewall to protect it. One of my favorite hacker techniques is to break into computers and companies using the very software and devices they think will protect them. So, using a known vulnerability in that firewall, I broke into his computer, modified a file, and left a new script behind. I then connected to him on his messaging channel and told him to check out my work.My \u201cwork\u201d was a file that would have reformatted his computer\u2019s hard drive and destroy everything on it if he rebooted his computer. I had \u201cremarked\u201d the fatal lines out of my script so that it was currently harmless. But I could have removed literally three characters (i.e., rem) and rendered the previously harmless script quite deadly, at least to his computer.The DDoS attack stopped immediately. The obviously humbled remote hacker came back online to the chat channel and incredulously asked, \u201cMan, how did you do that?\u201d Finally, he was talking like a normal human with all the false swagger gone. I replied, \u201cRick, there\u2019s a lot of hackers who are better than you. Stop your malicious hacking and use your skills to do good. Spend more time with your new hot wife. One day you may mess with the wrong guy or agency. This is your wake-up call.\u201dWith that, I dropped the chat channel and started to get to work on my day job. It\u2019s not the first time that I had to do a little offensive hacking to get another hacker to leave me alone, and I\u2019m certainly not the only one with the skills to do so. In fact, the best, smartest hackers I know are the good guys and girls, not the malicious creeps who plague our digital lives. I\u2019m a 30-year computer security veteran, always out fighting the good fight, along with tens of thousands of others just like me. Our adversaries are, on average, less smart than we are.This is not to say that all malicious hackers are dumb. That\u2019s not the case. It\u2019s just that the vast majority aren\u2019t overly bright; they are average. In a given year, I\u2019ll see maybe one or two smart hackers do things that no one else has ever done before. But most malevolent hackers I come across aren\u2019t brilliant or creative. They simply use tools, techniques and services that other smarter hackers previously created. Far from being the mythic hackers that Hollywood celebrates, most are regular, run-of-mill rubes who couldn\u2019t code an emoji icon.If you want to meet a really smart hacker, talk to a cybersecurity defender. They have to be experts in their technology and able to figure out how to stop all the threats that are trying to take it down. They are the hidden Henry Fords and Einsteins of our digital society. While the media is portraying rogue hackers as the smarter element, the defenders are tightening the net and helping to stop and arrest more of them than ever.Right now hacking is almost risk-freeLike the Tommy Gun-toting bank robbers of the early 1900s, hackers today are very successful. The riches of our digital society have been accumulating faster than the needed protections. And the chances of being caught, much less arrested, for cybercrime were nearly zero. A hacker could steal millions of dollars with almost no risk.Rob a real bank and the chances are you\u2019ll get less than $8,000 and you'll probably be arrested (55 percent of bank robbers were identified and arrested in 2014, the latest year for which FBI statistics are available) and go to jail for years. The negative risk\/reward ratio contributes to there being fewer than 4,000 U.S. bank robberies each year.Contrast that with cybercrime. The FBI says it receives over 22,000 cybercrime complaint reports each month, and there are likely many more crimes being committed. The average reported loss is almost $6,500, and from over 269,000 criminal complaints, only 1,500 cases were referred to law enforcement. Although the FBI\u2019s most recent annual reports didn\u2019t include conviction rates, its 2010 report, with a similar number of complaints and referred cases, resulted in just six convictions. That's one jailed cyber criminal for every 50,635 victims, and these are just the cases reported to the FBI.Steal a million dollars online and you\u2019ll enjoy your newfound wealth with almost no worry. The difficulty of collecting legal evidence of the crime, jurisdiction issues (Russia and China are not going to respect United States search warrants and arrest requests anytime soon), and law enforcement\u2019s cybercrime enforcement abilities make it a low-risk venture. And, as I said before, you don't have to be smart to be a successful hacker. Any kid or crime syndicate can do it. All you need to know is a few tricks of the trade.The secret of hackingThe secret to hacking is there is no secret. Hacking is like any other trade, like a plumber or electrician, once you learn a few tools and techniques, the rest is just practice and perseverance. Most hackers find missing software patches, misconfigurations, vulnerabilities, or social engineer the victim. If it works once, it works a thousand times. It\u2019s so easy and works so regularly that most professional penetration testers (i.e., people paid to do legal hacking) quit after a few years because they no longer find it challenging.In my 30 years of professional penetration testing, I\u2019ve hacked into every single company I\u2019ve been hired to legally break into in three hours or less. That includes every bank, government agency, hospital and type of business. I barely got out of high school, and I flunked out of an easy college with a 0.62 grade average. Let\u2019s just say I\u2019m no Rhodes scholar.On a scale of one to ten, with ten being the best, I\u2019m maybe a six or seven, and I can break into nearly anything. I\u2019ve worked with hackers that I\u2019ve thought were tens, and they almost universally think of themselves as average. They can list off the people they think are tens. And so on. This is to say that a lot of people can hack into anything they want to. There\u2019s no official count of hackers in the world, but the number is easily in the upper tens of thousands. Luckily, most of them are on the good side.The people who hack the hackersThe people who fight hackers and their malware creations cover the gambit of computer security jobs, including penetration testers, fixers, policy makers, educators, product developers, security reviewers, writers, cryptographers, privacy advocates, securers, threat modelers, and other computer security wonks in all fields.Here are some of the interesting computer security defenders I cover in my latest book, Hacking the Hackers:Brian KrebsKrebs is a long-time investigative journalist who is famous for bringing down some of the web\u2019s most notorious criminal gangs. He routinely identifies previously anonymous malicious hackers by name, often leading to their arrest. Krebs learned to speak and read Russian so he could track and report on Russian cybercrime companies and syndicates. He is so successful that hackers routinely try to have him arrested by SWAT teams by sending drugs, fake currency and false hostage reports. His best-selling book Spam Nation was a takedown of the Russian spam industry and revealed that sometimes our own legitimate industries are intentionally allowing more cybercrime to occur because it benefits them financially. Anything Brian Krebs writes is worth reading.Bruce SchneierAs the creator of multiple trusted encryption ciphers, Schneier is considered the father of modern computer cryptography. He is the top industry luminary in the computer security field and regularly speaks to Congress and to the biggest media outlets. Today, Schneier is mostly concerned with human issues behind computer security failures. I consider reading anything Schneier writes a mandatory part of any computer security education.Dr. Dorothy DenningProfessor emeritus at the Naval Postgraduate School, Denning was an early computer security pioneer, creating seminal works on computer encryption, intrusion detection, cyberwarfare and access control. She invented the Lattice security model, which underlies many modern access control models. She was concerned about (and writing about) cyberwarfare before there was cyberwarfare.Kevin MitnickThe world\u2019s most famous hacker, once prevented from even using a phone, Mitnick has long been out of prison and gone legit. Today, he is the CEO of his own computer security defense company and regularly writes about the threats of social engineering and privacy invasions. Many former malicious hackers can\u2019t be trusted, but Mitnick is an exception.Michael HowardHoward, and friends, created a secure software programming method known as the Security Development Lifecycle (SDL), which is now used by hundreds of companies around the world to decrease the number of bugs in their software that can be exploited by hackers. Most early SDL critics now use it after years of seeing how well it worked.Joanna RutkowskaPolish computer security expert, Joanna Rutkowska, gained fame for releasing the details of her \u201cBlue Pill\u201d attack, which revealed a hacker method so ingenious and difficult to stop or detect that defenders are still happy that hackers aren\u2019t using it yet. She decided she couldn\u2019t trust any of the publicly available operating systems to be secure enough, so she created her own \u201creasonable secure\u201d OS called QubesOS. The world\u2019s most talented spies and privacy advocates use her operating system.Lance SpitznerSpitzner is considered the father of the modern honeypot. A honeypot is any fake computer asset (e.g., computer, router, printer, etc.) that exists solely to detect malicious hacking activity. Honeypots are considered one of the best defenses any company can deploy for early warning detection. Today, Spitzner works for SANS, one of the world\u2019s most trusted computer security organizations, teaching companies how to successfully respond quickly to malicious computer breaches.Cormac HerleyHerley is a computer security researcher whose craving for data is turning the computer security industry on its ear. Using real data, he is disproving long-held security dogma, such as the effectiveness of long and complex passwords. Herley proved that using long, complex and frequently changed passwords is not only not helpful, it is likely causing more problems than it solves. His research and conclusions are so revolutionary that it is likely going to be ten years before we see the majority of his recommendations being implemented.Michael DubinskyThe constantly attacked state of Israel is known worldwide for turning out very good computer security software. Dubinsky, an Israeli, is a senior product developer for a product that is known for detecting the previously undetectable. His product detects sneaky, otherwise hidden, hackers going after a company\u2019s crown jewels \u2026 and it is getting better faster than the attackers.These smart defenders are part of a massive army of \u201cwhite hat\u201d hackers who are making it harder and harder to maliciously hack each year. A critical mass is starting to build and within the next decade online cybercriminals will likely to become as rare as traditional bank robbers. They will still exist, but there will be far fewer of them and they will be far more likely to be identified and prosecuted.