Re: [ISN] Firm uses 'ethical hackers' to protect corporate systems

From: mea culpa (jerichoat_private)
Date: Sat Dec 19 1998 - 18:42:23 PST

    Reply From: The Dodger <dodgerat_private>
    
    >Firm uses `ethical hackers' to protect corporate systems
    
    I find it difficult to articulate my exasperation at seeing the term
    "ethical hackers" used in this fashion. Someone whose job is testing a
    system's or network's security by attempting to break into it is not an
    ethical hacker. They are a member of a penetration testing or tiger team. 
    
    An ethical hacker is someone who hacks into systems _without_ permission
    and then leaves a message for the sysadmin, detailing exactly how he broke
    in and suggesting means of securing the system. He doesn't deface
    webpages, he doesn't read people's email or private files, he doesn't
    rootkit the system and he doesn't use the system as a launching pad to
    break into others (e.g. by installing a sniffer). Note that I'm not
    saying that being a pen-tester and an ethical hacker aren't mutually
    exclusive. It's a subtle but, to me at any rate, important distinction;
    probably because I invented the term. 
    
    Those of you who can cast your minds back to July '96 may remember the
    Navpoint hack, by the Agents of a Hostile Power, which was reported in New
    Scientist magazine's Netropolitan column. That was a perfect example of an
    ethical hack. 
    
    It looks like Secure Computing's marketing/PR department are following
    IBM's lead in using the term to describe their pen-test teams. The only
    word I think is suitable to describe it, is "lame". 
    
    The amount of bullshit^H^H^H^H^H^H^H^Hhyperbole flying around in the
    information security industry is absolutely unbelievable. Take the
    so-called ICSA (formerly the National Computer Security Association) -
    this is a perfect example of a company trying to portray itself as
    something which it isn't. The name "International Computer Security
    Association" implies that this is some form of non-profit organisation,
    with membership open to security professionals and consultancies; a bit
    like the International Consumer Service Association (www.icsa.com),
    perhaps. The truth is somewhat different - the ICSA is a for-profit
    company. Period. 
    
    I had to explain this recently to an MD of a network services company, who
    asked me if I was "a member of the ICSA". It made him look at
    ICSA-certified products in a whole new light. 
    
    Dodger
    
    PS: This ain't a flame against DT, by the way. I'm sure Jeff wasn't the one
    who proposed the use of the term "ethical hackers".
    
    PPS: Any idea what the "National Security Administration" is?
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    