RE: Ethical Hacking Training

From: Teicher, Mark (Mark) (teicher@avaya.com)
Date: Sun Jan 18 2004 - 15:51:52 EST


If you are a good security practitioner originating from a system
administrator background (at least 10 years hands-on experience with
programming experience), SAGE, USENIX, etc., and also take stock in
O'Reilly books, it appears that one would not need to attend an
"Ethical" hacking course or label yourself an "Ethical Hacker". Since,
to me, the term can be misconstrued as one could have been, possibly
been, and still is a "hacker" by trade. Look at several companies who
produce security software products: they have research teams that scour
the Internet looking for exploits, and also read various mailing
lists looking for postings by "hackers" who supposedly wrote potential
exploits, but yet the exploit code is a joke or has more holes in it
than "Swiss Cheese". The term itself is a poorly chosen one.

I have met several convicted hackers over my career, and some very good
developers who can probably outwit, outsmart, and outcode a majority of
the "hacker" wannabes. But I still wouldn't give the time of day to an
"Ethical Hacker" who knocks on my door trying to peddle their goods.

/mark
-----Original Message-----
From: DeGennaro, Gregory [mailto:Gregory_DeGennaro@csaa.com]
Sent: Sunday, January 18, 2004 12:53 PM
To: Teicher, Mark (Mark); Rob Shein; Andy Cuff [Talisker];
pen-test@securityfocus.com
Subject: RE: Ethical Hacking Training

Very good statement and you do need to know your enemy.

Just because you're a police officer, soldier, or in our case,
information security engineers, does not mean you or I really know our
enemy and their full or potential capabilities.

Ethical hacking gives us an overview or lets us peer into the cracker's
world. Of course, the classes do not have the latest cracks unless they
have a honeypot running and receiving such traffic. Nor does it make
us crackers. It is only a look-see and not cracker training.

Ethical Hacking is really a coined term for the public and those who do
not know the difference between hacker, wacker, and cracker. The public
only knows, or thinks they know, what a hacker is. In reality, they have
no clue that a hacker is good and the other two are not.

Also, how do you propose a professional runs pen and vuln tests against
their network to secure holes in their fortifications? There are good
products on the market; however, not everyone can afford them or use
them properly, or the software or device is not totally up to date or
does not catch everything.

Regards,

Greg DeGennaro Jr., CCNP
Security Analyst

-----Original Message-----
From: Teicher, Mark (Mark) [mailto:teicher@avaya.com]
Sent: Friday, January 16, 2004 7:10 PM
To: Rob Shein; Andy Cuff [Talisker]; pen-test@securityfocus.com
Subject: RE: Ethical Hacking Training

Talisker,

I still have an issue with the term "Ethical hacking". It was a term
born out of the Big Six when they were trying to build their security
practices and leverage their existing client base. I still feel the
term is somewhat of a slant on those who practice "holistic security" and
actually attempt to help customers improve their network security
posture instead of pointing out the "glaring" hole, as those who
practice "Ethical Hacking" like to do.

I have worked in the past with those who preach and teach "Ethical
Hacking". Many of those people have published books exploiting that exact
theme.

Why not spend the time researching how to correct security exploits,
enforcing secure coding standards, and forcing vendors to clean up
their act and make their products work more efficiently and securely?

/mark

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:45 EDT