May 31 2005
Well, Duh!
SC Magazine: Don’t hire hackers, warns professor
Being a CISSP, I place a certain amount of value in the ethics of security practitioners and have agreed to follow a well defined Code of Ethics. In the same manner, someone who is portraying themselves as a hacker is also saying they subscribe to a certain ethical framework. Do you really want to hire someone who consciously identifies themselves with that morality?
That being said, under the right circumstances, I might give a ‘reformed hacker’ a chance at a job in security. Everyone has made mistakes in their past (yes, even me :-)), and someone who is making a real effort at bettering themselves deserves a second chance. I’d be much more careful about giving that person much system control, but I’d be willing to give them a second chance, under the right circumstances.
I realize that the word ‘hacker’ has a tremendous amount of connotations in popular culture today, many of which are counter to the original meaning. But the meanings currently in use by the general populace probably have more bearing than the original meaning. And that meaning includes the will to perform malicious acts on computers.
5 Responses to “Well, Duh!”
Yes, that’s very true. The very mention of the word “hacker” raises eyebrows. I do believe, though, that there is a differentiation between the white hats and the black hats.
McKeay.. great blog,
I was at Barnes & Nobles the other day looking for Kyle Rankin’s book, Knoppix Hacks, and I noticed hacking is quite the buzzword. It seems every conceivable category of Information Technology now has a book followed by (or preceded by) the words hack, hacking, hacker’s guide, etc. O’Reilly has a whole series on hacks (great books): http://www.oreilly.com/hacks/
There is even a book called, “Understanding God’s Will: how the HACK the equation” — (Not from O’Reilly)
I believe the reason for this is because hacking is cool. It’s like the new and very necessary quick-fix tool among this era of information overload and technical bombardment.
Many of the most famous and infamous players in this new Information Age have been Hackers. Just to name a few: William H. Gates III, KBE, Blake Ross (19 year old creator of Firefox), Linus Torvalds, Klaus Knopper (creator of Knoppix), the Woz, Paul Allen, Kevin Mitnick, Jeff Moss (creator of Defcon), all the creators of Unix, Bill Joy…
The word hacker has been hijacked. Its real meaning has been… hacked. That is why I was overjoyed when I was introduced to the Certified Ethical Hacker certification. I have yet to take the cert. I plan on using the CISSP to prepare me for it… it is difficult from what I’ve seen in the sample tests. I hope this cert gains enough credibility to take the concept of the true hacker back in the minds of the business owners.
I went to Defcon in 2003 (11 I think) and I learned a lot there. For one thing, not all hackers are evil Sasser Worm creators or a part of the “Hang Up Team” (a truly TWISTED bunch of Russian hackers). Many of the hackers speaking were hackers in the original sense of the word. In fact, they were do-gooders! They would find exploits and try and report them immediately to the owner of the software or hardware. The biggest problem was that companies like Microsoft and Oracle would not listen to them. They are often referred to as Gray Hats. Almost like vigilantes, whereas White Hats can be considered people like you and me (mercenaries working for companies), and Black Hats just cyber criminals.
I think the concept of what a hacker is is being transformed. Why a company would hire an internationally known Black Hat and publicize it is, to me, not smart money. I bet it would even negatively affect the stock.
I love the ‘Hacks’ books from O’Reilly. They’ve probably done more to regain the original meaning of hack and hacker than all of the protests by security professionals combined. I have 4 or 5 of the ‘Hacks’ books sitting on my work and home bookshelves. Have you checked out Make magazine? (http://www.makezine.com/)
I wish we could regain the original meaning of the word, but I fear it’s a pointless battle. To the average Joe in America today, hackers will always and forever be the evil creators of viruses and trojans. Not that Joe could tell the difference between the two.
I don’t know if you remember it, but last year the guy who wrote the Sasser and Netsky viruses was hired by a German AV company (http://www.enn.ie/news.html?code=9554015). I know at least one German CISSP who was very upset at this idea, and let them know it. I also seem to remember that his employment didn’t last long, but I couldn’t find a link to that news. So at least one company was willing to hire a hacker knowingly and publicly.
People don’t want to have to worry about the complexity of the shade of a hacker. Black, gray or white hat, if you say you’re a hacker, they assume you’re after their bank account number. I’ll stick with calling myself a Security Professional, rather than trying to borrow from the ‘hacker mystique’ for publicity.
Regardless of how the majority of the general public sees the concept of “hacking,” it is my opinion that an Information Security professional should know how to hack.
Not knowing what can be exploited and how is like a cop not knowing anything about what a thief would be after or how they could break in. Most Security Professionals I talk to just DO NOT understand this and I’m not sure the majority ever will.
When I posted the link to the article, I was thinking about the word ‘hacker’ as the HR person and/or the hiring manager might interpret it. Most HR people know little or nothing about IT in general, let alone the intricacies of security, and many IT managers might not be any better. And those people are the gatekeepers, the ones who either get you the interview in the first place or keep you from ever being seen. Why would an HR person ever want to hire someone who styles themselves a hacker? That’s like hiring someone to be a cop who is a convicted felon. Yeah, they know the ins and outs of the system, but from the wrong side.
And to continue your simile of the police, security professionals come in all levels of technical expertise and competence. Take a look at your local police department; I’d be willing to bet somewhere between 50% and 80% of the force wouldn’t have the faintest idea how to conduct an investigation. They’re the administrators, the traffic cops, the guy who controls the evidence locker. They’re all cops, but their area of responsibility never brings them into contact with real criminals, and it shouldn’t. The percentage of police officers who can and should be leading investigations is actually pretty small. The same goes for security professionals.
On the other hand, anyone calling himself (herself) a security professional really should have some idea of the basic underlying concepts for security. Unluckily, there’s no ‘security academy’ or even a commonly agreed upon body of knowledge to study, though the CISSP and several other certificates are starting to come close.
By the way, I’ve also met quite a number of ‘hackers’ who would have a hard time with any tool that didn’t include a GUI and well written instructions. The number of people who really deserve the title are few and far between. I can hack a Linux server together fairly well, build a Windows system in several hours, and do a fair job of dissecting packet captures. On the other hand, I couldn’t write anything more complex than a shell script if my life depended on it. Well, maybe, but it’s been a few years.
Be careful of taking too narrow a view of what constitutes a ‘security professional’. You might be in danger of falling into the same trap we’ve run into over the term ‘hacker’. Administrators and people who can interact with the ‘C’ level officers are just as important as the IDS analysts and the code slingers. Just not as technical.