Frank,

Well, the definition is a bit dated and, as I have stated, "ethical" hackers
are more of a marketing gimmick than anything else, since, in reality,
there is no certification or training to become or be deemed an "ethical"
hacker.  So we are left with organizations attempting to mislead the
public's eye, CEOs, CIOs and other pertinent decision makers of Fortune 500
companies or lower.

Utilizing convicted felons is most likely not the case, since most
convicted hackers cannot touch a keyboard or generate revenue from their
skills, a la Kevin Mitnick and others.  Persons like Kevin Poulsen can
become correspondents but not be hired as network security consultants to
conduct network penetration testing.  Other well-known hackers do not have
criminal records but work in the grey or black hat area of computer
security or are known to hang out in those types of circles.  An
organization should decide on how to utilize such a group or individual
people and what finite set of work they will be doing.  Other convicted
types, a la Randall Schwartz, are excellent instructors but cannot work for
particular companies like Intel ever again.

/m




Frank Darden <[EMAIL PROTECTED]>
06/19/00 03:44 PM

        To:     "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, Allan Pratt <[EMAIL PROTECTED]>
        cc:     [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
        Subject:        RE: [FW1] Issues in hiring a company that employs ex-hackers or current hackers


This thread is getting a bit ridiculous IMHO. How do you define an "Ethical
hacker?" How does an "Ethical Hacker" prove he/she is ethical? What is an
"ex-hacker"? I suppose the question really should be "Is it advisable to
hire known convicted felons to perform an assessment?" That's the only way
that you would know that you were hiring an ex-hacker. My answer would be
it depends on what they did. But I think you can find the answer only
within your own company. Ask the CEO, President, Board of Directors, etc.
what they think. It is definitely not a good idea to bring convicted felons
into your organization without SOMEBODY'S approval at the top.

Frank
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 19, 2000 5:30 PM
To: Allan Pratt
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: [FW1] Issues in hiring a company that employs ex-hackers or
current hackers



Allan,

Why, thank you for your compliment.

As I just discussed with the senior Security management where I work, one
should really examine what an organization is after.  If the need to hire
"ethical" hackers or ex-hackers is to prove to an organization's management
the issues that the security group or IT group has raised concerns about,
that is ok.  It is more of an issue to free up "budgetary" dollars to start
addressing the security concerns of an organization.

I am not sure who is left at the Big Six firms; some of the people have
left for obvious reasons and some others for less obvious reasons.  There
are still a few good people out there, but the problem is finding them and
whether they are available.  If they are good, they are most likely
unavailable for the next x months.

"Boutique firms" is a very interesting term.  One of the Partners (or
almost Partner at the time) informed me that people like myself would do
quite well at a boutique shop versus working for a large Big Six firm.  A
Big Six firm's InfoSec staff is most likely made up of people from
boutique firms, so his statement never really made any sense.

/m




"Allan Pratt" <[EMAIL PROTECTED]>
06/19/00 09:09 AM

        To:     [EMAIL PROTECTED], [EMAIL PROTECTED]
        cc:     [EMAIL PROTECTED], [EMAIL PROTECTED]
        Subject:        Re: [FW1] Issues in hiring a company that employs ex-hackers or current hackers


Mark makes a good point.

You need to look for people w/ talent, not companies w/ big billing rates.
I will say that E&Y & PwC had a lot of good people, yet most of the good
ones, the ones that know their stuff, eventually leave to go to more
specialized firms.

As to E&Y, they have imploded in the last year.  We used them but they lost
ALL of their good people.  Many went to Foundstone or Global Integrity or
other boutique firms.

We had a meeting w/ E&Y recently and they are running real low (on fumes)
on talent.  We had them in last year and they did do excellent, albeit
expensive, work.  But all of the senior technical guys, as I said, are gone.
So we are going to pass on them.  As to PwC, we are getting together w/
them on the 29th, so I can't comment.

Allan



----Original Message Follows----
From: [EMAIL PROTECTED]
To: Clarence <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], [EMAIL PROTECTED],
Robert McMahon <[EMAIL PROTECTED]>
Subject: Re: [FW1] Issues in hiring a company that employs ex-hackers or
current hackers
Date: Mon, 19 Jun 2000 08:14:44 -0700

Actually,

I disagree with your statement.  I think there are many ex-hackers or
elite hackers that have gained recognition and would be a considerable
asset during a penetration study.  Price Waterhouse, Coopers (now PWC) and
Ernst & Young created their whole business model and selling methodology
preying on the fact that Fortune 500 companies cringe at the thought of
hiring ex-hackers to conduct an intrusion test.  The fact of the matter is
that "ethical" hackers are no better than ex-hackers.  The definition of an
"ethical" hacker has been written about over and over again.  For a really
great definition of what a hacker is, check out the www.atstake.com FAQ.
They have put together a very simple explanation of what a hacker is and
why they deem it such.

Hiring a Big Six firm to conduct an intrusion study or an Internet
footprint analysis in my mind is much more dangerous than hiring
ex-hackers, probably because I worked for one a while back and thought
their methodology/approach and deliverable was pretty much vapor (lots of
smoke and mirrors) and no real value.  The secret to a successful security
assessment is not to point out the various different ways one can gain
access to a particular organization but how to state recommendations that
are specific to the organization on improving their security posture.

Since my departure from the Big Six world, I have yet to see any
improvements in their methodology, and I have seen severe plagiarism from
PWC to E&Y and other non-ethical behavior that tends to make hiring an
ex-hacker a much more pleasurable endeavor, since it is a one-time thing.
Hiring a Big Six firm to conduct a penetration analysis is like swimming
with piranha.

/mark




Clarence <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/19/00 12:26 AM

         To:     [EMAIL PROTECTED], [EMAIL PROTECTED]
         cc:
         Subject:        Re: [FW1] Issues in hiring a company that employs ex-hackers or current hackers




I consider this to be a bad practice when there are enough ethical hackers
out there who can do the job with much less worry.

   [EMAIL PROTECTED] wrote:


Hello,

We are looking to have a penetration test done on our infrastructure, this
includes the firewall, servers, etc.

Are there any issues I should be concerned with in hiring a company that
employs ex-hackers or current hackers?

Thanks!

allan






================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================



Clarence Irons, Jr.
Information Security Engineer















