Your statements are not exactly true, but it is a much tougher market for 
those who are ex-gray/black hat hackers and even harder when working for a 
company that promotes white hat hackers.  There are very few people left in 
the Information Security field that are still very hands-on technical and 
who are willing to risk it all to prove a major point.  It really is a 
combination of #1 and #2 that are making the mark in the information 
security field.  #3 are the ones who are mentioned in the paper the most, 
but #3's are those people who are let go from a major hardware company 
due to them releasing some sort of software named after the devil, then 
getting offered a job at a pre-IPO ISP startup..  But those are rare cases 
when #3 are legitimized.  #1's usually end up founding some type of 
intrusion detection company that is not an ice cream sundae topping or a 
floor wax but say it is..  :)  Oops, getting back to a point, it is very 
hard to hire an info sec person from the Big Six these days since most of 
the Big Six type companies are being investigated by the SEC.  So who do 
you choose..  That is a decision for the well-informed.

/m 




"Paul D. Robertson" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/18/00 06:10 PM

 
        To:     jeff andrews <[EMAIL PROTECTED]>
        cc:     [EMAIL PROTECTED]
        Subject:        Re: Gray hats vs. ex-hacker


On Fri, 18 Feb 2000, jeff andrews wrote:

> >> So if you had three candidates for hire:
> >> 1) Jack Smith, Security Professional, CISSP certified.
> >> 2) John Smith, ex-hacker turned security expert
> >> 3) Dr. Chaos, gray hat hacker in hacker group Anarchy4Life Club
> >
> >> Which one would you hire as VP of Security or senior security 
> >> consultant lead of the project to manage your security? Would it be in the 
> >> 1, 2, 3 order?  From a trust standpoint, it seems like it would be easier 
> >> to trust Jack Smith (#1), and then John Smith (#2), and how much you trust 
> >> #2 depends on what kind of hacker was John Smith previously.   How much do 
> >> you trust and want to hire #3?  The above names are intended as fictional 
> >> characters for example only.
> >(D.) None of the above.
>
> Excellent point.  Maybe I should add an additional step of checking the 
> above 3 candidates for technical competency first, and they all pass, who 
> would you hire?

If I'm a public company, I'd have to have a serious reason for not hiring
#1 and a serious compulsion for hiring #2 or #3.  Personally, #2 and #3
(assuming gray hat means 'does some breakins') don't fit my trust model
for business (which is different than my personal trust model.)  I
could drink beer with them, I could talk shop with them, but I'd no more
hire them than I would an ex-jewel thief to guard a jewelry shop or a safe
cracker to put in and rekey my safe.

It's a two way street though, I wouldn't expect them to treat me as a
total peer either.

> >There are no hard and fast rules though.  I've met sysadmins of the {no
> >illegal acts, no cracking, no 31337 group} variety who told me I was
> >positively moronic for not putting backdoors into systems I administered.
>
> I would think backdoor-ing a system that is owned by the company without 
> permission is an illegal act? Maybe I am missing the intent of the 
> backdoor: is it just in case something goes wrong because several people 
> have root password, and you may need to recover quickly in an emergency, 
> or is it just in case you are fired, you can potentially get back at the 
> company?
> I am not a lawyer, but I would say that has good potential of being an 
> issue.

I wouldn't do it with permission; recovery techniques are acceptable to me
in instances where primary access methods no longer work.  I think it's
plain wrong to trojan anything.

> >There are a large number of very clueful black and gray hats out there
> >(and not a large number of equally clued INFOSEC people.)  I'd rather they
> >had fun and got money doing good things than bad.  It probably wouldn't be
> >my money they'd get though.
>
> There's this perception that there's a vast number of really talented 
> gray and black hat hackers.  I would argue that this number is MUCH 
> smaller (less than 100?) and that there is an equal number of good guys in 
> security.  How many "Mudge" type people exist in the world?  You can start 
> to count.. Mudge, Hobbit, Weld Pond, and the names and numbers 
> dramatically decrease from there. On the flip side, we have Casper Dik, 
> Wietse Venema, Steve Bellovin, Eugene Spafford, etc that are good infosec 
> people who are just as much or more technically competent than gray hats, 
> they just don't post and brag about their exploits.
>

Overall, my personal experience has been that those who choose the
underground have a higher clue factor than those who get stuck with the
additional hat of Internet Security Person.  I'm not talking about big
names, I'm talking about people in the trenches on both sides.  Generals
may win or lose wars, but it's the guy on the ground who's taking and
returning fire.

> Despite this notion that there is a big number (1000's?) of very 
> technically talented black hats and gray hats floating around, my guess is 
> anyone who really understands OSes, IP, and can write code is better off 
> joining an Internet company and using their talent to become a millionaire 
> in stock options, rather than illegally hacking and posting exploits for 
> free.
>

(A) Money isn't everyone's primary motivation.
(B) How many of the "big names" do you see rolling the pre-IPO dice?
(C) A lot of black/gray/wannabes are under the age where getting a job is
    even an issue.

> The large number of gray hats and black hats are bordering on being 
> script kiddies (I'm convinced of this based on the emails I've received on 
> this subject), and with the recent hype on gray hats, it will only get 
> worse with more technically incompetent people self-proclaiming to be gray 
> hats and wanting to be hired.
>

My definition of script kiddie doesn't include people who can write
serious C code.  I'm just going on my own experiences and observations,
which are by no means scientific or rigorous.

> As security startups start to hire gray hats to fill the demand, my 
> guess is they are facing a difficult time trying to hire decent talent. 
> They may fall into the big Six trap: there's one person who actually knows 
> what they are doing, and that's who you initially deal with and hiring the 
> team, and after they are hired, that one person spends like 5% of his or 
> her time there and goes on to get more business, while a bunch of 
> incompetent or more questionable gray hats try to complete the work.

I don't think the basic tenets of security are such that most gray hats
couldn't do a damn sight better job than the last CNA/MSCSE/CCSE.

> So back to my very original question, with the press and media hyping 
> the gray hat model, will companies really hire gray hats?  As far as trust 
> goes, how do you trust someone who won't reveal their real name, but only 
> their hacker handle and hacker group identification?   Will they check the 
> background of these gray hats for technical competency?

What value does a real name have in the case of trust?  As far as the
media goes, a large number of the journalists I've worked with in the past
(which again isn't a large number- but I worked for a very large media
company until quite recently) have good sources and check them.  There's
no telling if the editor will choose their copy though.

> Is this gray hat model really a good business to go after, meaning will 
> companies actually pay lots of money, and maybe more black hats should 
> start up gray hat companies?

Traditional security companies still won't touch ex/current black hats if
they know about it.

>  My guess is time will tell.

If the current state is anything to worry about, traditional companies
don't have too much to worry about.  I recently heard a story of a
traditional security company who got a huge sigh of relief when they told
their customers that their network scans *didn't* include breaking into
the production database and altering tables.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
 PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]