Reply From: The Dodger <dodgerat_private>

>Firm uses `ethical hackers' to protect corporate systems

I find it difficult to articulate my exasperation at seeing the term "ethical hackers" used in this fashion. Someone whose job is testing a system's or network's security by attempting to break into it is not an ethical hacker. They are a member of a penetration testing or tiger team.

An ethical hacker is someone who hacks into systems _without_ permission and then leaves a message for the sysadmin, detailing exactly how he broke in and suggesting means of securing the system. He doesn't deface webpages, he doesn't read people's email or private files, he doesn't rootkit the system and he doesn't use the system as a launching pad to break into others (e.g. by installing a sniffer).

Note that I'm not saying that being a pen-tester and an ethical hacker aren't mutually exclusive. It's a subtle but, to me at any rate, important distinction; probably because I invented the term. Those of you who can cast your minds back to July '96 may remember the Navpoint hack, by the Agents of a Hostile Power, which was reported in New Scientist magazine's Netropolitan column. That was a perfect example of an ethical hack.

It looks like Secure Computing's marketing/PR department are following IBM's lead in using the term to describe their pen-test teams. The only word I think is suitable to describe it is "lame". The amount of bullshit^H^H^H^H^H^H^H^Hhyperbole flying around in the information security industry is absolutely unbelievable.

Take the so-called ICSA (formerly the National Computer Security Association) - this is a perfect example of a company trying to portray itself as something which it isn't. The name "International Computer Security Association" implies that this is some form of non-profit organisation, with membership open to security professionals and consultancies; a bit like the International Consumer Service Association (www.icsa.com), perhaps.

The truth is somewhat different - the ICSA is a for-profit company. Period. I had to explain this recently to an MD of a network services company, who asked me if I was "a member of the ICSA". It made him look at ICSA-certified products in a whole new light.

Dodger

PS: This ain't a flame against DT, by the way. I'm sure Jeff wasn't the one who proposed the use of the term "ethical hackers".

PPS: Any idea what the "National Security Administration" is?

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:14:07 PDT