School Teaches 'Ethical Hacking'
Yardboy writes "A Yahoo! News/Reuters story discusses students in Los Angeles paying $4,000 to attend 'Hacker College' and become 'Certified Ethical Hackers'. Apparently: 'Instructors race through topics like symmetric versus asymmetric key cryptography (symmetric is faster), war dialing (hackers will always call late at night) and well-known TCP ports and services (be wary of any activity on Port 0)', and the president of the college says: 'What we attempt to do in our classes is teach how the hackers think.' Hmmm, perhaps 'Certified Script Kiddie' would be a more accurate designation."
Gasp! (Score:3, Funny)
[cynical] (Score:3, Insightful)
hahahahahaha!
Thanks, I'll take self-study and put the four grand down on an M3. Sellout? You betcha. *grin*
Re:[cynical] (Score:5, Interesting)
Re:[cynical] (Score:5, Insightful)
Education is extremely important in this segment, no doubt. What concerns me is the "boot camp" format of these particular gigs, as well as the entry fee.
$4000 is an awful lot of money for a Common Body of Knowledge -- especially since it's all available from the Internet.
I have nothing but encouragement for those who wish to enter the field. But save your money. Hell, drop sixty bucks and go to defcon.
Re:[cynical] (Score:5, Insightful)
Re:[cynical] (Score:5, Insightful)
Other things I got from college:
Credibility
A class ring
Life experience (studied abroad, lived in a dorm)
Friends
Relationships with professors - having connections with people in your field is a good thing
I went to a school that runs around $30,000/year. It was worth every penny.
Re:[cynical] (Score:4, Insightful)
Credibility, people KNOW I can do this for a living. They dont have to worry about weather I can actually do the work.
Several awards from my employer.
Real Life experience.
Friends
Proffesional contacts. Tons and Tons of them.
And I dont have 60k in debt, and wont be paying off school bills for the rest of my life. I have enough experience to walk into higher level jobs and skip the "entry" level BS.
Life is not lived on a Piece of paper that was givin to you by some organisation that is known as a "school".
Re:[cynical] (Score:5, Insightful)
College can be more useful in opening doors than it is as a tome of information. As you said, you may have learned quite a bit from your on the job training, are in contact with numerous people in your field, and do not suffer the financial hardships of a recent college graduate. Unfortunately you may have a hard time competing with those who have a higher education background, especially if they've worked while going to school (like many of us do).
Graduating from college with very good grades requires a lot of work, something any employer knows. If an applicant finishes with a 4.0 GPA, it can be safely assumed that they can "actually do the work."
What you say is a little alarming; your assumption that college is entirely worthless when compared to a high school job is entirely unfounded.
Oh, and before you apply anywhere in the future, work on that spelling and grammar ;)
Re:[cynical] (Score:3, Interesting)
I'm in college right now, and taking a class on Apache. My professor is teaching a class full of us to run X-Windows in Linux as root. Because "it's easier."
These people will be running your servers someday, everyone. Clearly a college degree is no guarantee that you'll know what you're doing.
Re:[cynical] (Score:3, Insightful)
This may come as a shock, but language rules were not invented just for "term papers".
Why some people feel proper English is optional, I will never know. More often than not, it's used to excuse a lack of English skills.
Mistakes happen. An attitude that it doesn't matter except for "term papers", however, shouldn't.
Re:[cynical] (Score:3, Insightful)
What a college degree gives you though is more flexibility. You have proven you can do a particular job and do it well, but it is much more difficult for you to find a job that might require things outside your current skillset. A college degree shows employers you are able to expand your knowledge outside your core competency.
Several awards from my employer.
In college you can get y
Certified Ethical Hacker Exam (Score:2)
Hey, I think this is a great idea. I think that every hacker should get the certified ethical hacker badge.
BTW, I will be selling the answers to the certified ethical hacker exam on my site for selling answers to the MCSE exams and other equally important certificates.
Re:Certified Ethical Hacker Exam (Score:2)
Not New (Score:5, Interesting)
We went through an entire class about computer ethics. We had to, to get a Computer Science degree. And since it was an actual Computer Science degree, we learned all about security and machine language and what have you... basically everything you would learn in this course.
This program seems like a stripped down version of computer science for people who are only interested in security related work.
Seems expensive (Score:5, Insightful)
Right now the University of Cincinnati is about $8,000 for a year. And I thought that was expensive.
Seems trendy to me...I just don't see hacker courses having much of a true impact on security.
But kudos to whoever is making money off the idea. Wish I would have thought of it.
Re:Seems expensive (Score:5, Funny)
Watch for stack overflows.
Always restrict access as much as possible.
Use the strongest encryption available depending on the sensitivity of your data.
Turn off all services that you don't use.
Don't set your root password to root.
Assume every user has bad motives.
Plan for the worst.
Send $4000 and a self addressed, stamped envelope with your name as you would like it to appear on your certificate.
Re:Seems expensive (Score:3, Funny)
Re:Not New (Score:2)
Re:Not New (Score:5, Insightful)
The most difficult part about security is that you aren't learning how something is supposed to act. That's the easy part. That's what every programmer does (and what I do mostly). But to really do security, you have to know what could happen and how something might work if manipulated. That's really, really hard when you think about all the possibilities!
I just can't imagine squeezing that all in to a short certificate class.
Re:Not New (Score:4, Insightful)
You can do the real stuff, but it's all optional, giving me the feeling that I can as well kiss the university goodbye and study for myself - which is, in fact, how I learned everything I know about computers and programming. And I mean everything. The only reason I still attend university is that I want to get the diploma, but I'm not even sure how much people are going to care about that if you don't really need to have any deep knowledge and experience to get it.
Re:Not New (Score:2)
I went to Drake. They have one or two really good professors who teach you everything, and help when you want to learn something on your own. I hope those professors never leave!
I got thrown into assembly language my first semester of college. Boy was I in for a world of hurt! But I learned a of a lot in that world.
I am not a native speaker :-) (Score:2)
I might have been better off if I had done more investigation, indeed, but there are a couple of issues that complicate things. The college I attended gave me a BA degree, and few of the courses I took were CS courses (they didn't really
Re:Not New (Score:3, Insightful)
No, this program seems like a stripped down version of computer security for people who are only interested in the stupid media-prestige that the term "hacker" might bestow.
Oh man... (Score:5, Funny)
Hackers will always call late at night (Score:5, Funny)
Re:Hackers will always call late at night (Score:2)
Hmmm (Score:5, Funny)
Lots of companies teaching CEH classes.. (Score:4, Informative)
great.. (Score:5, Insightful)
Re:great.. (Score:2, Interesting)
Re:great.. (Score:5, Informative)
You know, it's only been within the last few years that I've heard any significant usage of the word "cracker" with regards to computer security. Before that, anyone who broke into a computer system was known as a hacker. Cracking was what you did to software to remove copy protection. Kevin Mitnick refers to himself as a hacker [slashdot.org], and he broke into systems long before the politically correct term, cracker, came into usage.
While it's a nice effort to wish for a distinguishment between the two, the use of the word hacker for those who break into systems has long been established. Let it go, man.
Cracker (Score:3, Funny)
It usually means dumbass white motherfucker where I'm from.
Re:great.. (Score:5, Interesting)
With titles like those... (Score:5, Funny)
Re:With titles like those... (Score:3, Funny)
These degrees are there to ensure only stupid people get management roles.
Certs like this have been around for a while now. (Score:2, Interesting)
Sounds like (Score:3, Insightful)
You teach ethics, not "hacking ethics". Sounds like a money grab for gullible script kiddies.
I should've thought of it first.
Re:Sounds like (Score:3, Informative)
First line of the story (Score:5, Funny)
He wears a black hat, and we're expected to believe that he's teaching ethical hacking? It's a cover! He's building an army! TERRORISTS!!!
I'm Waiting (Score:5, Funny)
My $5 (Score:4, Funny)
Re:My $5 (Score:2)
Or, at the very least, less money.
Plus, the Microsoft programmers will come out of the same school of hacking as their clueless boss, and then get our jobs.
So, at the very least, MUCH less money.
But the real question is (Score:5, Funny)
Re:But the real question is (Score:5, Funny)
Re:But the real question is (Score:4, Interesting)
frist and lsat ltteer is at the rghit pclae. The rset can be a
toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae we do
not raed ervey lteter by it slef but the wrod as a wlohe.
Re:But the real question is (Score:3, Funny)
Wait... I didn't even hesitate when reading that...
*shudder* Mommy?
Re:But the real question is (Score:4, Funny)
Re:But the real question is (Score:5, Funny)
This is an outrage... (Score:5, Funny)
Wash, rinse, repeat (Score:5, Insightful)
Man creates computer, internet.
Intelligent, misunderstood youths discover internet, realize they've been lied to, strung along, generally mistreated. Youths show the guts and brains to learn without teachers.
Feds discover internet, realize there are children smarter and more skilled than them, throw bureaucratic temper-tantrum, track down said kids (well, some of 'em) and bust them, refuse leniency.
Feds realize this "internet thingy" is more important than they thought, and worse, there are kids in other countries who not only have mad skillz, but also actively hate America. Feds shit bricks.
Gov't, realizing it has cut off its left testicle, tries to fill the gap with "Ethical hackers", i.e., tries to create what it had in the first place.
Jeezus F Kryst on a surfboard, why didn't you just train the @#(*&^*(@# hackers in ethics in the first place? You can't teach curiosity, autodidactism or problem solving.
Nature laughs, goes back to being inscrutable.
Way to go.
Re:Wash, rinse, repeat (Score:4, Insightful)
Problem solving is just as trainable an ability as any type of mathematics or programming. It requires critical thinking, and often a good handle on the deductive and inductive trains of thought. If you're a good problem solver, chances are you had someone in your youth that prompted and prodded you to think about things in different lights, and thus why you can think critically.
Your CEH cert will give you the pride... (Score:5, Funny)
Just Like Anything Else... (Score:5, Insightful)
They should get a project that entails building some sort of application which can be released to the Open Source community.
Wow, war dialing, early 90s, wow.
GroupShares Inc. [groupshares.com] - A Free Online Investment Community.
Re:Just Like Anything Else... (Score:2)
Input "Plaintext";x$: Print "Cyphertext:": for i = 1 to len(x$): print chr$(int(rnd()*255)+1);: next: Print
Simulated enough for ya?
"Harmless" Hacking (Score:5, Insightful)
Learning how to defend against getting hacked by learning how to hack is nothing novel. It sounds like a great idea on the surface, because it gives you the tools to probe your own weaknesses the way your attackers will. But you're always going to have to keep up with the latest methods, scripts, etc. IMO, a net admin who isn't at least a hobbyist hacker probably won't get much from a hacking bootcamp except a false sense of security.
- Greg
Re:"Harmless" Hacking (Score:5, Insightful)
Like you said, it sounds like a good idea, but there are going to be weak points in your staff if they don't really know what they're doing. For instance, I've studied security from books, and I'm pretty adept at defending my computer. But I know there's a lot that I don't know that I would know if I hacked computers on a regular basis.
Re:"Harmless" Hacking (Score:3, Informative)
This seems akin to having sexual experts who have studied sexual practices, but are still virgins.
Re:"Harmless" Hacking (Score:4, Insightful)
I've always seen this argument (the Spafford argument, if you will) as weak. You can't really trust anyone absolutely. A past offense doesn't guarantee a future offense any more than a lack of past offense guarantees future ones.
Any system should have a set of checks and balances for the admins & security guys as well. You don't want anyone holding all the keys on principle. That way, you're mitigating any risk by hiring someone who you know has trust issues.
Knowledge of hacking is important... (Score:3, Interesting)
In other news. . . (Score:5, Funny)
A white hat (Score:4, Funny)
Remember that information... (Score:5, Insightful)
Re:Remember that information... (Score:2, Interesting)
I wish it had been a
Re:Remember that information... (Score:3, Interesting)
I asked him during lunch about how his new security measures on the network were working....
he mentioned a bunch of things until I interrupted with... "so you sweep the building on a regular basis for keyloggers? how about devices on the network that you were not notified of? Is that HP laserjet 4400 at 10.165.1.223 REALLY a
Sounds like... (Score:2, Insightful)
IMO, a network admin ought to already know the tricks of the trade and keep him/herself up to date on the tech. But I guess this course probably does provide a good service to some... seen waaaaay t
yeah right.... (Score:5, Insightful)
There's a heck of a lot more to "hacking" than what they can teach you....think "lifestyle"
Computer Ethics? (Score:5, Interesting)
Anyone who wants to take an ethics class obviously has some ethics (what, you think someone lacking morals will be taking an ethics class in the hope of improving himself)???
What they should offer is a class that teaches non-techies what is a hacker - so they learn that not all hackers are evil people bent on ruling the world (not that there is anything inherently wrong with this..I mean if I ran the world, it would be a much better place - for you and me....well more me, but it's all good)
Re:Computer Ethics? (Score:2)
But anyone who is dumb enough to be a script kiddie and call himself a hacker is dumb enough to not realize the difference between right and wrong.
Re:Computer Ethics? (Score:2)
*I* cannot put down the intelligence of a script kiddie to the level of someone who is mentally retarded or a four year old (and even four year olds have a basic sense of right or wrong).
Re:Computer Ethics? (Score:4, Insightful)
Well, a smart but unprincipled cracker might take the course to learn how to "talk the talk" and make himself sound ethical. That would help him social engineer himself into a security job where he can get paid to crack into systems and steal data while claiming to be looking for vulnerabilities to patch.
Re:Computer Ethics? (Score:2)
Wrong! This is based on an old model of "smart", that there is a single, linear measure of intelligence, one's IQ. Newer research suggests that people have different capabilities in different degrees; this is broadly known as Multiple Intelligences [thomasarmstrong.com].
People with high interpersonal and intrapersonal intelligence will have a native advantage in understanding ethics. This
When did "hacker" change? (Score:5, Informative)
As far as I can tell, it was the US media that got that ball rolling when they were trying to investigate the 1987 "Internet Worm" released by Robert Morris Jr. The Worm caught the news media off-balance because 1) they did not know what this "internet" thing was 2) there was no terminology for this kind of crime.
Remember, this was before the World Wide Web (which some of you may not realize is a layer ON TOP OF the Internet, not the same thing), and the news only knew that the military had been connecting computers for research, but even that information was kind of sketchy if you weren't in the thick of it.
So, they asked around and got some experts on the phone and the word that kept coming up was "hacker". Well, the reporters in question didn't realize that a "hacker" was a fairly old term used by the MIT Tech Model Railroad club and later spread around the world as a term for a "productive enthusiast". They just knew that Morris the Younger was a "hacker who broke into thousands of computers", and that was news!
We've all tried to stop that land-slide ever since because those of us who called ourselves hackers pre-87 are not too thrilled with the perversion of the word's meaning, but at this point it has become clear that it's simply going to be a matter of dialect. In certain circles the word has one meaning and in the rest of society (not just English-speaking society) it has a very different one... oh well.
Re:When did "hacker" change? (Score:5, Interesting)
I know, he also cost us a huge amount of lost productivity, but can you imagine the chaos that someone who DID have malicious intentions would have caused just five years later?! We took that hit to productivity because there was a problem, and though people like Bob Page (who wrote one of the better papers on the worm, and was in charge of sysadmin at my school at the time) were not amused, I do think they were better off in the long term.
Now, if Morris' code hadn't had that fatal bug that caused it to replicate out of control.... heh
Great. (Score:2)
For you apologists out there, keep in mind that I myself would only charge $2000, and you'd be at least twice as non-lame as these jokes.
I signed up for this class (Score:5, Funny)
Like "Hackers"? (Score:5, Funny)
I got next! (Score:5, Interesting)
(BTW, doesn't this "Economic Times" look like a pretty shameless rip of the Financial Times? I wonder if their print edition is salmon-colored.)
Similar program already underway (Score:4, Informative)
Mitnick? (Score:2)
Strange
Cracking... (Score:5, Funny)
I'm familiar with this course ... (Score:4, Informative)
Is it worth $4,000? Depends what you're looking for. If you're trying to train up new secteam personnel, it might be a good buy. At the same time, experienced security researchers will find it a solid but not frontier-pushing class, so I wouldn't recommend it to anyone who, say, posts to BugTraq. As well, a lot of specialized platform knowledge also gets passed by, so this doesn't obviate the need to do significant research on your particular installations.
Re:I'm familiar with this course ... (Score:2, Interesting)
From the writeup it sounds like it's mostly corporate/gov't/military types looking to get a look at The Enemy from the inside.
Comment removed (Score:3, Insightful)
script kiddie? (Score:5, Insightful)
Crap (Score:3, Insightful)
CEH Cert (Score:2, Informative)
Ethics in Three Simple Lessons (Score:5, Funny)
(2) Do it to someone else, not to me.
(3) You learned this from someone else, not from me.
-kgj
My company sent the IT manager on this course (Score:4, Interesting)
Shortly afterward, the fucker got fired for gross misconduct, and hacked our company's servers using backdoors that he'd personally set up. So no, I'm not too impressed by people teaching this.....
About time (Score:2, Insightful)
Though as it was already pointed out, this is an excellent example of social engineering. They ought to give kickbacks to Mitnick for every fool who enrolls in the class.
In other news... (Score:5, Funny)
I can speak to this topic in a strong way... (Score:5, Insightful)
A Social-Hacking Honeypot? (Score:2, Funny)
--Shhhh....don't tell anyone.
Not script kiddies (Score:5, Funny)
Q: You are the IT manager of an online business. The owner is pleased to announce that the business has enjoyed rapid growth, and has asked you to prepare an outline of system upgrades and estimated costs to deal with an estimated 8,000 daily visitors consuming approximately 320KB, with the number of visitors doubling every six months. What are your main concerns likely to be? (circle all that apply)
a) Cost of expanded bandwidth utilization
b) Maintenance issues associated with a medium-sized server farm, as well as software concerns regarding your web application and load balancing
c) Continued self-hosting via the corporate T1 line vs. co-location
d) wtf ???? ummm just run linux+apache d00d !!!!!
Q: You are a consultant, hired to evaluate the security and efficiency of a small business's server configuration. Your employer, inexperienced with both the technology itself as well as online business in general, has hinted to you that he's not certain how competent his system administrator Simon is. In evaluating the systems, you discover that Simon has misappropriated the server budget to upgrade his desktop system to play Unreal Tournament 2k4, and has left the actual servers themselves equipped with 386s and faulty hard disks. As you were confronting him about this in the server room, he excused himself from the room to fetch "documentation" while his young and pimply-faced apprentice tripped the halon fire extinguishers. What should your reaction be?
a) Immediately contact the police.
b) Inform the manager, and urge him to speak with the apprentice's parents about a possible intervention.
c) Return a favorable report after realizing that you have become tangled with things far larger than you, and never interfere with those servers again.
d) whats a halon fire
Q: A company has suffered a break-in. Not having a security professional on-hand, they have turned to you as a forensics consultant to help them assess the damage, identify the point of origin, and take appropriate response measures. What will your first action be?
a) Request a list of all servers on the network with their operating systems, as well as servers and version numbers.
b) Unplug the servers.
c) Inquire if there is any way an employee could have accessed the servers.
d) Ask your friends on EFNet if they did it.
Not Able to Call This "Ethical" (Score:2, Interesting)
WTF - WTC motivation (Score:5, Insightful)
That makes no sense. I could see them expanding in the wake of some vicious worm or virus [vnunet.com], but they might as well take their inspiration from Chechnya. It makes it seem like they are in the business to trade on fear-of-hackers rather than to provide real security. Not that that's a bad marketing angle, but just one I'd have moral issues using.
CEH vs OPST (from pen-test) (Score:5, Informative)
I gravitated towards ISECOM's [isecom.org] OPST [opst.org]/OPSA [opsa.org] classes because they fill a role I felt was missing in the security class space. Many non-vendor specific security classes have a very narrow tools based focus. While I agree that knowing how to use your tools in a test is important, I feel knowing why and when to use them is far more important. Knowing the politics involved in testing, going over internationally accepted testing practices, and reviewing regional and national legal regulations are just as much part of the job. These things are not merely important, but are required to be successful in your role as a security tester. In addition to the intensely technical aspects of the testing process, this is what the OPST represents; the "professional" side of security testing. Also, the ISECOM classes teach from ISECOM's Open Source Security Testing Methodology Manual (OSSTMM [osstmm.org]) which provides a much needed methodical framework to bring a scientific method style to the chaotic world of security testing.
The CEH class represents the other kind of class. One that is "flashy", "fun", "exciting", but not overly useful to the serious professional. While I have a lot of respect for Clément (one of the instructors for Intense School), I have very little respect for any organization that markets "hacker" classes. This includes the so-called ethical hacking, applied hacking, exposed hacking, grandmother hacking, squirrel hacking, super-duper 3y3 4m 31337 hacking, or any other fancy way of saying "Learn how to think and act like the bad guys".
While choosing where to spend your time and money, consider the community you are aligning with. If you look at ISACA [isaca.org], SANS [sans.org], ISC2 [isc2.org], ISECOM [isecom.org], etc., they all have a true dedication to security and the betterment of the global information security community. Contrast the value of being affiliated (via education/certification) with any of those organizations over a piece of paper and a CD of toys.
school name (Score:3, Funny)
maybe "0wnz U"?
that would create a paradox (Score:3, Funny)
Except then it would be "What we attempt to do in our classes is teach how the script kiddies think." And putting the words "think" and "script kiddie" next to each other like that creates a paradox. Impossible to comprehend, much less teach.
Re:dumb answer (Score:5, Informative)
Dumber answer (Score:2)