Forwarded from: Mike Gauthier <mike@a-and-m.net>

http://www.newsfactor.com/perl/story/20146.html

By Lisa Gill
NewsFactor Network
December 4, 2002

It is the stuff of IT lore -- a hacker is caught breaking into a company's systems and is given two options: Take a job with the company or face prosecution. But are such tactics still in use, or do malicious hackers now face nothing but a career dead end?

"It was a trend at one time, when there weren't a lot of security professionals who had experiences that didn't include brushes with law enforcement," IDC research manager for Internet security software Charles Kolodgy told NewsFactor.

Now, though, Kolodgy explained, companies have begun to work more often with sensitive data from financial firms or the government, so their staff are forbidden to have criminal backgrounds.

Education as Legit Path

In addition, the education available to would-be security gurus has expanded greatly in the last 20 years. More professionals are earning IT degrees and security certifications or gaining experience working for security-focused organizations.

Kolodgy pointed to the National Security Agency's designated Centers of Academic Excellence in Information Assurance Education programs at top universities, including Purdue, Carnegie Mellon, George Mason University and the University of Idaho, among others. The program's aim is to improve IT students' education in security measures, and to include higher education in information assurance.

Certifications Spring Up

In the realm of certification, the SANS Institute's Global Information Assurance Certification (GIAC) and the Certified Information Systems Security Professional (CISSP) certification also serve as credentials for security professionals.

"The need to hire someone who has had a run-in with the law is rather limited now because you can get much better people who don't have a history," said Kolodgy.

Although certification can be helpful, it is not yet a requirement for obtaining a job, said Gartner security analyst Roberta Witty. Prior experience as a security professional is still a primary consideration -- but experience as a hacker, with a criminal record to prove it, is not desirable.

"How can you trust somebody who has broken the law?" Witty said. "I certainly believe that people change stripes, but do you want to risk your business on that one hire?"

Gray, White Hats Employable

But for those hackers without a checkered past, who spend their free time in pursuit of weakened networks or testing out hacking methods, there is still a future in the security industry, according to Jeff Moss, a.k.a. The Dark Tangent and founder of DefCon, the largest annual hacker convention in the United States.

The most recent change is that young hackers now know a job is waiting for them after they finish college, said Moss, whereas several years ago, such job offers were more of a surprise than the norm. The difference, he added, is that hackers now are less likely to reveal their illicit hobby to potential employers, much less their handles.

"About two years ago, all the older hackers I know stopped using their handles. Now they go by their real names," Moss told NewsFactor. "Amongst their own group, they still use their own handles, but publicly, when anybody asks, they may not say they're a hacker."

Who Gets Hired?

In terms of whether companies actually hire hackers, Moss said he has hacker friends in several major companies, regardless of whether or not such organizations claim to employ such people. In most instances, the companies may be unaware they have hired someone who spends his or her off-hours striving to understand security in other systems.

"Many companies will only hire white hats, or at most gray hats who don't have anything that looks bad in their history," said IDC's Kolodgy.

Moss agreed that companies no longer hire those with a police record.
Personally, given two candidates, one with a record and one without, he said he would be inclined to choose the candidate sans a conviction.

"Just because they call themselves a hacker doesn't automatically disqualify them," Moss said. "You would want to find out if they've gotten in trouble for it. It's a broad term."

Homeland Security Damper

That broad terminology has concerned security analysts since President Bush signed the Homeland Security Bill last week. According to a provision of the Cyber Security Enhancement Act, hackers could face life in prison if their actions "recklessly" threaten others' lives.

Ryan Russell, an independent security expert and author, said he is concerned that the government and prosecutors may use their new power to intimidate accused hackers into agreeing to plea bargains. But it is not likely that the new legislation will deter hackers and thus reduce the pool of security professionals-to-be, he added.

"Realize that you've got people who see themselves as very anonymous," he said. "Hackers don't see themselves as vulnerable or as necessarily doing something wrong, so changes in punishment tend to have little impact on current behavior."

Career Path Concern

Moss agreed that new potential punishments probably will not have a chilling effect on the behavior of hackers, particularly teenagers -- though it may increase the number of incidents in which they are caught.

"It's going to take really smart, rebellious, testosterone-filled teenagers and make them federal felons," said Moss. "Before they get out of high school, you're going to have a bunch of these smart people whose career opportunities [are ruined] -- they'll be flipping burgers for the rest of their lives.

"I'm concerned about the whole new generation," he added, "if they make a couple of bad choices and that's it for the rest of their life."

--
Mike Gauthier
All-purpose lackey

"Beer is proof that God loves us and wants us to be happy."
- Ben Franklin