On Fri, 18 Feb 2000, jeff andrews wrote:

> >> So if you had three candidates for hire:
> >> 1) Jack Smith, Security Professional, CISSP certified.  
> >> 2) John Smith, ex-hacker turned security expert 
> >> 3) Dr. Chaos, gray hat hacker in hacker group Anarchy4Life Club
> 
> >> Which one would you hire as VP of Security or senior security consultant lead of 
> >> the project to manage your security? Would it be in the 1, 2, 3 order?  From a trust 
> >> standpoint, it seems like it would be easier to trust Jack Smith (#1), and then John 
> >> Smith (#2), and how much you trust #2 depends on what kind of hacker John Smith was 
> >> previously.   How much do you trust and want to hire #3?  The above names are 
> >> intended as fictional characters for example only. 
> >(D.) None of the above.
> 
> Excellent point.  Maybe I should add an additional step of checking the above 3 
> candidates for technical competency first, and if they all pass, who would you hire?  

If I'm a public company, I'd have to have a serious reason for not hiring
#1 and a serious compulsion for hiring #2 or #3.  Personally, #2 and #3
(assuming gray hat means 'does some breakins') don't fit my trust model
for business (which is different than my personal trust model.)  I
could drink beer with them, I could talk shop with them, but I'd no more
hire them than I would an ex-jewel thief to guard a jewelry shop or a safe
cracker to put in and rekey my safe.  

It's a two way street though, I wouldn't expect them to treat me as a
total peer either. 

> >There are no hard and fast rules though.  I've met sysadmins of the {no 
> >illegal acts, no cracking, no 31337 group} variety who told me I was
> >positively moronic for not putting backdoors into systems I administered.
> 
> I would think backdoor-ing a system that is owned by the company without permission 
> is an illegal act? Maybe I am missing the intent of the backdoor: is it just in case 
> something goes wrong because several people have the root password, and you may need to 
> recover quickly in an emergency, or is it just in case you are fired, so you can 
> potentially get back at the company?
> I am not a lawyer, but I would say that has good potential of being an issue.  

I wouldn't do it with permission, recovery techniques are acceptable to me
in instances where primary access methods no longer work.  I think it's
plain wrong to trojan anything.

> >There are a large number of very clueful black and gray hats out there
> >(and not a large number of equally clued INFOSEC people.)  I'd rather they
> >had fun and got money doing good things than bad.  It probably wouldn't be
> >my money they'd get though.
> 
> There's this perception that there's a vast number of really talented gray and black 
> hat hackers.  I would argue that this number is MUCH smaller (less than 100?) and 
> that there is an equal number of good guys in security.  How many "Mudge" type people 
> exist in the world?  You can start to count.. Mudge, Hobbit, Weld Pond, and the names 
> and numbers dramatically decrease from there. On the flip side, we have Casper Dik, 
> Wietse Venema, Steve Bellovin, Eugene Spafford, etc. that are good infosec people who 
> are just as much or more technically competent than gray hats, they just don't post 
> and brag about their exploits.
> 

Overall, my personal experience has been that those who choose the
underground have a higher clue factor than those who get stuck with the
additional hat of Internet Security Person.  I'm not talking about big
names, I'm talking about people in the trenches on both sides.  Generals
may win or lose wars, but it's the guy on the ground who's taking and
returning fire.

> Despite this notion that there is a big number (1000's?) of very technically 
> talented black hats and gray hats floating around, my guess is anyone who really 
> understands OSes, IP, and can write code is better off joining an Internet company 
> and using their talent to become a millionaire in stock options, rather than illegally 
> hacking and posting exploits for free.   
> 

(A) Money isn't everyone's primary motivation.
(B) How many of the "big names" do you see rolling the pre-IPO dice? 
(C) A lot of black/gray/wannabes are under the age where getting a job is
    even an issue.

> The large number of gray hats and black hats are bordering on being script kiddies 
> (I'm convinced of this based on the emails I've received on this subject), and with 
> the recent hype on gray hats, it will only get worse with more technically 
> incompetent people self-proclaiming to be gray hats and wanting to be hired.    
> 

My definition of script kiddie doesn't include people who can write
serious C code.  I'm just going on my own experiences and observations,
which are by no means scientific or rigorous. 

> As security startups start to hire gray hats to fill the demand, my guess is they 
> are facing a difficult time trying to hire decent talent.  They may fall into the Big 
> Six trap: there's one person who actually knows what they are doing, and that's who 
> you initially deal with when hiring the team, and after they are hired, that one 
> person spends like 5% of his or her time there and goes on to get more business, 
> while a bunch of incompetent or more questionable gray hats try to complete the work. 

I don't think the basic tenets of security are such that most gray hats
couldn't do a damn sight better job than the last CNA/MSCSE/CCSE.

> So back to my very original question, with the press and media hyping the gray hat 
> model, will companies really hire gray hats?  As far as trust goes, how do you trust 
> someone who won't reveal their real name, but only their hacker handle and hacker 
> group identification?   Will they check the background of these gray hats for 
> technical competency?  

What value does a real name have in the case of trust?  As far as the
media goes, a large number of the journalists I've worked with in the past
(which again isn't a large number- but I worked for a very large media
company until quite recently) have good sources and check them.  There's
no telling if the editor will choose their copy though.

> Is this gray hat model really a good business to go after, meaning will companies 
> actually pay lots of money, and maybe more black hats should start up gray hat 
> companies?  

Traditional security companies still won't touch ex/current black hats if
they know about it.  

>  My guess is time will tell.

If the current state is anything to worry about, traditional companies
don't have too much to worry about.  I recently heard a story of a
traditional security company who got a huge sigh of relief when they told
their customers that their network scans *didn't* include breaking into
the production database and altering tables.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
