--- Paul Robertson <[EMAIL PROTECTED]> wrote:
>On Fri, 18 Feb 2000, jeff andrews wrote:
>
>> So if you had three candidates for hire:
>> 1) Jack Smith, Security Professional, CISSP certified.
>> 2) John Smith, ex-hacker turned security expert
>> 3) Dr. Chaos, gray hat hacker in hacker group Anarchy4Life Club
>>
>> Which one would you hire as VP of Security or senior security consultant lead of
>the project to manage your security? Would it be in the 1, 2, 3 order? From a trust
>standpoint, it seems like it would be easier to trust Jack Smith (#1), and then John
>Smith (#2), and how much you trust #2 depends on what kind of hacker was John Smith
>previously. How much do you trust and want to hire #3? The above names are
>intended as fictional characters for example only.
>
>(D.) None of the above.
Excellent point. Maybe I should add an additional step of checking the above 3
candidates for technical competency first, and if they all pass, who would you hire?
>There are no hard and fast rules though. I've met sysadmins of the {no
>illegal acts, no cracking, no 31337 group} variety who told me I was
>positively moronic for not putting backdoors into systems I administered.
I would think backdoor-ing a system that is owned by the company without permission is
an illegal act? Maybe I am missing the intent of the backdoor: is it just in case
something goes wrong because several people have the root password, and you may need to
recover quickly in an emergency, or is it just in case you are fired, so you can
potentially get back at the company?
I am not a lawyer, but I would say that has good potential of being an issue.
>
>It is important to point out that it's possible to be good at security
>without having a questionable background. IP doesn't change depending on
>who's looking at it, and neither do OS'.
>
>There are a large number of very clueful black and gray hats out there
>(and not a large number of equally clued INFOSEC people.) I'd rather they
>had fun and got money doing good things than bad. It probably wouldn't be
>my money they'd get though.
There's this perception that there's a vast number of really talented gray and black
hat hackers. I would argue that this number is MUCH smaller (less than 100?) and that
there is an equal number of good guys in security. How many "Mudge" type people exist
in the world? You can start to count.. Mudge, Hobbit, Weld Pond, and the names and
numbers dramatically decrease from there. On the flip side, we have Casper Dik, Wietse
Venema, Steve Bellovin, Eugene Spafford, etc that are good infosec people who are just
as much or more technically competent than gray hats, they just don't post and brag
about their exploits.
Despite this notion that there is a big number (1000's?) of very technically talented
black hats and gray hats floating around, my guess is anyone who really understands
OSes, IP, and can write code is better off joining an Internet company and using their
talent to become a millionaire in stock options, rather than illegally hacking and
posting exploits for free.
The large number of gray hats and black hats are bordering on being script kiddies
(I'm convinced of this based on the emails I've received on this subject), and with
the recent hype on gray hats, it will only get worse with more technically incompetent
people self-proclaiming to be gray hats and wanting to be hired.
As security startups start to hire gray hats to fill the demand, my guess is they are
facing a difficult time trying to hire decent talent. They may fall into the Big Six
trap: there's one person who actually knows what they are doing, and that's who you
initially deal with when hiring the team, and after they are hired, that one person
spends like 5% of his or her time there and goes on to get more business, while a
bunch of incompetent or more questionable gray hats try to complete the work.
So back to my very original question, with the press and media hyping the gray hat
model, will companies really hire gray hats? As far as trust goes, how do you trust
someone who won't reveal their real name, but only their hacker handle and hacker
group identification? Will they check the background of these gray hats for
technical competency?
Is this gray hat model really a good business to go after, meaning will companies
actually pay lots of money, and maybe more black hats should start up gray hat
companies?
My guess is time will tell.
Thanks,
-- JA
Jeff Andrews,
Senior Security Engineer
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]