I completely agree with your statement.
The problem I see is: if you or a friend of you can talk on this level with a
"hacker" to justify his knowledge than you probably do not need a hacker,
because you are one yourself or your friend is one.
If you can not qualify the points you mentionned, then this guy can tell you
anything that sounds somehow reasonable and you end up again with your
"AOL_Ub3rh4cK3r".
The problem I face, is that most companies have ABSOLUTELY no idea what's
going on on their networks and computers. As soon as they have to type in a
few letters on an interface other than WinWord, they are lost. How can such a
company get a real hacker? My opinion is: If they get one, it is simply a
lucky punch.
Alyea <[EMAIL PROTECTED]> writes:
>
> Perhaps I do need to define "hacker" (my definition, not the media's).
> A hacker is someone who continually strives to understand how things
> work and how they should be improved. Commonly, this leads to
> discovering flaws in a system (be it operating systems, software,
> electronics, mechanics, etc). A hacker is NOT the person who downloads
> scripts and "point and click" utilities to circumvent the security of a
> system (though he/she may be the one who writes these tools).
>
> The best security people you will find are or were "hackers." When I
> said "I don't see a problem with HIRING 'hackers,'" I was by no means
> implying that one should search the Internet for someone calling
> him/herself "AOL_Ub3rh4cK3r" and offer him/her a job. It is (usually)
> pretty easy to determine who has a clue and who doesn't (if you are able
> to speak at a technical level with the person). If you (or your
> organization) cannot determine the technical adeptness of a prospective
> hacker/consultant, find a friend/relative/known quantity who is able to
> conduct an interview or outline some questions and answers for you.
> Take notes during an interview and review them with your knowledgable
> source.
>
> Key points to discuss:
>
> - Talk about IP and its inherent weaknesses. If the hacker/consultant
> cannot
> explain them, they probably don't know what they are talking about.
> - Talk about the underlying reasons that an 8 character password on an
> NT/98
> mixed network may not be secure. If the hacker/consultant can't tell
> you
> about the LM hash and simple password cracking techniques (in detail),
> but
> does recommend "longer passwords with lower case and capital letters,
> numbers and special characters," reconsider your contracting options.
> - Talk about port/security scanners. Far too many people run a scan and
> say
> "here are all of your problems." These tools are intended to be
> starting or
> ending points in a security assessment (depending on your point of
> view),
> not the entire assessment.
> - I won't list any more, you get the point.
have fun ...
--
=========================================================================
Peter Bruderer mailto:[EMAIL PROTECTED]
Bruderer Research GmbH Tel ++41 52 620 26 53
Internet Security Services Fax ++41 52 620 26 54
CH-8200 Schaffhausen http://www.bruderer-research.com
=========================================================================
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
