Perhaps I do need to define "hacker" (my definition, not the media's).
A hacker is someone who continually strives to understand how things
work and how they should be improved. Commonly, this leads to
discovering flaws in a system (be it operating systems, software,
electronics, mechanics, etc). A hacker is NOT the person who downloads
scripts and "point and click" utilities to circumvent the security of a
system (though he/she may be the one who writes these tools).
The best security people you will find are or were "hackers." When I
said "I don't see a problem with HIRING 'hackers,'" I was by no means
implying that one should search the Internet for someone calling
him/herself "AOL_Ub3rh4cK3r" and offer him/her a job. It is (usually)
pretty easy to determine who has a clue and who doesn't (if you are able
to speak at a technical level with the person). If you (or your
organization) cannot determine the technical adeptness of a prospective
hacker/consultant, find a friend/relative/known quantity who is able to
conduct an interview or outline some questions and answers for you.
Take notes during an interview and review them with your knowledgeable
source.
Key points to discuss:
- Talk about IP and its inherent weaknesses. If the hacker/consultant cannot
explain them, they probably don't know what they are talking about.
- Talk about the underlying reasons that an 8 character password on an NT/98
mixed network may not be secure. If the hacker/consultant can't tell you
about the LM hash and simple password cracking techniques (in detail), but
does recommend "longer passwords with lower case and capital letters,
numbers and special characters," reconsider your contracting options.
- Talk about port/security scanners. Far too many people run a scan and say
"here are all of your problems." These tools are intended to be starting or
ending points in a security assessment (depending on your point of view),
not the entire assessment.
- I won't list any more, you get the point.
Peter Bruderer wrote:
>
> The problem of hiring hackers is the same as hiring consultants. There are a
> lot of them. The problem of getting a hacker is even worse. A consultant can
> show references which can be checked. A very good hacker will not show his
> identity and will not be discovered. How do you have the proof, that you hire
> a really good hacker and not just a bragger?
>
> It is something like: why do elephants have blue eyes? That they can hide
> themselves on a plumtree. Have you ever seen an elephant on a plumtree? No?!
> See how good they can hide themselves on a plumtree!
>
> Maybe it is a bad translation, but I hope you will get the sense.
>
> Alyea <[EMAIL PROTECTED]> writes:
> >
> > I agree with Peter - I don't see a problem with HIRING "hackers." The
> > problem is when you open a contest to anyone who's interested, there are
> > no contractual agreements and prosecuting for inappropriate access
> > becomes exponentially more difficult.
> >
> > To carry the idea further, the only REAL security assessment you are
> > going to get is going to be from a "hacker" (and this may require a
> > definition of a hacker), not someone who has read a lot of books.
> ... snip ...
> > > [Kunz, Peter] And how do you make sure you have the right person
> > > with the proper experience?
> > >
> > > cu
> > > -pete
>
> have fun ...
>
> --
> =========================================================================
> Peter Bruderer mailto:[EMAIL PROTECTED]
> Bruderer Research GmbH Tel ++41 52 620 26 53
> Internet Security Services Fax ++41 52 620 26 54
> CH-8200 Schaffhausen http://www.bruderer-research.com
> =========================================================================
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
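The LM hash weakness behind the second interview question above, as an added example in Go (standard-library crypto/des only; this is not code from the mail or the thread): it builds the hash the way LAN Manager does, so a reader can see why an 8 character password on an NT/98 mixed network is really a 7-character secret plus a 1-character one, and how an auditor recognises passwords of seven characters or fewer from the hash alone.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// EmptyHalf is DES("KGS!@#$%") under the all-zero key: the second half of
// the LM hash of every password of seven characters or fewer.
const EmptyHalf = "AAD3B435B51404EE"

// desKeyFrom7 spreads 7 bytes (56 bits) over 8 DES key bytes, 7 bits each,
// leaving the low (parity) bit of every byte clear; crypto/des ignores it.
func desKeyFrom7(h []byte) []byte {
	k := make([]byte, 8)
	k[0], k[7] = h[0]&0xFE, h[6]<<1
	for i := 1; i < 7; i++ {
		k[i] = h[i-1]<<(8-uint(i)) | (h[i]>>uint(i))&0xFE
	}
	return k
}

// LMHash returns the LAN Manager hash of pw as 32 uppercase hex digits:
// uppercase, NUL-pad (or truncate) to 14 bytes, then DES-encrypt the
// constant "KGS!@#$%" under each 7-byte half as an independent key.
func LMHash(pw string) string {
	p := []byte(strings.ToUpper(pw) + strings.Repeat("\x00", 14))[:14]
	out := make([]byte, 16)
	for i, half := range [][]byte{p[:7], p[7:]} {
		c, _ := des.NewCipher(desKeyFrom7(half)) // key is always 8 bytes
		c.Encrypt(out[8*i:], []byte("KGS!@#$%"))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// ShortPassword reports whether an LM hash came from a password of at most
// seven characters: its second half is then EmptyHalf, no cracking needed.
func ShortPassword(lm string) bool {
	return len(lm) == 32 && strings.ToUpper(lm[16:]) == EmptyHalf
}

func main() {
	for _, pw := range []string{"", "Passwor", "password", "PASSWORD"} {
		h := LMHash(pw)
		fmt.Printf("%-10q %s short=%v\n", pw, h, ShortPassword(h))
	}
}
```

Because the two halves are hashed independently and case is discarded first, an 8 character password costs an attacker one 7-character search plus a trivial 1-character one, which is why the question asks for the LM hash specifically rather than a generic "use longer passwords" answer.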