Forwarded from: William Knowles <wkat_private>

http://www.theage.com.au/articles/2002/08/10/1028158034389.html

By Kim Zetter
August 13 2002

A good hacker is hard to find, or so it seemed during the dot-com boom. Companies, particularly in the United States, were making the rounds of hacker conferences and IRC channels willing to pay $150,000 for a security guru who was still going through his voice change. Even the American assistant secretary of defence showed up last year at the hacker blowout in Las Vegas known as Def Con to recruit "the best of the best" for a cyber-terrorism unit.

But as computer security has become more specialised and training has improved, legitimate pros have elbowed aside the teens. So it seems odd that only 43 per cent of Australian organisations would be willing to hire former hackers to help secure their networks; only 14 per cent of US organisations said they would do the same.

Perhaps it all depends on who you are calling a hacker. Some of the most respected names in computer security are also some of the most respected names in the hacking community. And many tools used for testing the security of networks (and, well, for cracking them) were designed by hackers.

Massachusetts-based security firm @stake is composed of former members of the L0pht hacking group, which developed a password-cracking tool called L0phtCrack. Peiter Zatko (aka Mudge), the company's pony-tailed founder, even testified before the US Congress on computer security.

Then there's Chris Goggans (aka Erik Bloodaxe) of Security Design International, who served as editor of the notorious hacker zine Phrack, a cornucopia of illegal tips and tricks.

And Rain Forest Puppy (he prefers not to have his real name published), another security pro, has found many holes in Microsoft products and has developed a respectful relationship with that company. But he has also developed an anti-IDS Web scanning tool called Whisker that hackers use to ferret out their prey.
Most hackers working in security are either reformed black-hat hackers or people who never dirtied their hats beyond grey. That is, they may have cracked systems but didn't cause destruction or steal data. Or at least they did not get caught doing it.

Hackers with a criminal record or who admit to still hacking are rarely trusted with a job these days, although, incredibly, at one time they were. The hiring of the latter type of hackers in the US has, thankfully, fallen out of fashion, says Giga analyst Steve Hunt.

"You can hire someone who is an expert at defending resources or who is an expert at violating them. They both have the same fundamental skills. But just one has a professional ethic and a legacy of honour and service."

The risks of hiring a known hacker are obvious. But you face the same risks with any disgruntled employee or with a closet hacker who does a little unauthorised sleuthing through your system.

Companies that claim to oppose hiring hackers are probably unwittingly hiring them, says William Knowles, editor of security news list InfoSec, who notes that today's hackers have little to distinguish them from traditional security administrators.

"A few years ago at Def Con I saw a lot of familiar faces in the hacking crowd, but I didn't know why they were familiar. Then I realised they were the same faces I'd seen at security conferences. Companies have been hiring hackers for years, they just don't realise it," he says.

Mario Duarte, a former administrator of the now-defunct Zuma, a San Francisco-based host for e-commerce sites, considered himself brilliant for hiring Optyx a few years back. Optyx was a skinny, 19-year-old hacker with blue hair and ties to Cult of the Dead Cow, makers of a Trojan horse called Back Orifice.

Duarte says Optyx was invaluable for showing him holes in Zuma's systems that he was sure didn't exist. But he had sleepless nights over the next couple of months, wondering if the hacker would turn on him.
As it happened, it was another hacker hired by Duarte at Optyx's request who proved a liability when a bad attitude and personal problems made it clear the teen didn't belong in a corporate environment.

But how do you fire a hacker? Pretty easily, it turned out. Optyx, who took pride in Zuma's servers as his personal domain, made it clear to his departing friend the possible consequences of seeking revenge: "Don't even think about it, dude. I'll hunt you down and kill you."

--
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred M. Gray, USMC
C4I.org - Computer Security & Intelligence - http://www.c4i.org
ISN is currently hosted by Attrition.org