
Hacker Boot Camp

abb_road writes "Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.' The camp serves companies' increasing needs for home-grown white hats, and covers topics ranging from the non-technical (social engineering and policy creation) to code-level attacks (buffer overflows and SQL injections). The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'--but where else can you play hacking capture the flag?"
  • by American AC in Paris (230456) * on Tuesday April 04, 2006 @01:05PM (#15059958) Homepage
    While "Institute of Certified E-Commerce Consultants" has a nice ring to it, it's a little ambiguous.

    I recommend they switch to "Important-Sounding Portal Site of Certified E-Clipart and Buzzwords". Gah. That site isn't just an eyesore; it's a brainsore. Basically, you send them money, they send you off to a third-party training course, throw you in a database and give you some logos and certificates with important-sounding words. Oh, and you'll be certified. It'll take your resume to the next level (where, presumably, we can find our princess.)

    Ah, but now to the meat of the matter--the legal disclaimer!

    l) Educational Licenses, Accreditation, and State Sanction. The ICECC does not claim to be a college or university nor does it claim accreditation from any 501 bodies, state, or federal government agency or body. The ICECC is not a 501c3 organization and never has claimed to be a tax free or charitable entity. The ICECC may engage in business with charitable organizations or form alliances with charities that operate under 501 but the ICECC operates as a responsible, growing, proprietary, growth oriented, and profit oriented association and company. The ICECC is an independent authority similar to other American Associations. The ICECC grants certificates, certifications, marks, designations, and charters much like hundreds of other legal educational and recognition institutes or associations in the United States. The ICECC strictly follows the criteria of the Ibanez decision in the United States. We encourage all members and certified members to meet all requirements for education, experience, testing, ethics, and continuing education. The ICECC licenses its marks and logos to others. The marks are generally licensed to individuals. The ICECC will license the CEC and other marks and logos to companies, universities, or other uses upon the consent of its board. The ICECC outsourses to other companies for training and education that is provided online. The ICECC does not collect money for the courses, provide the service, teach the class, enter into a contract with the student. THe company providing the education and training is simply using our site as a distribution point. THe ICECC may receive a referral fee, rebate, revenue share, or other payments for providing the website that afforded the sale of the service to the customer. In sum, you accept that we are not responsible for the performance of any education or training contract. 
    We do not hold any of your private information that you submitted to the training, course, or education provider although directory infomation may be exchanged. This information is limited to email address, phone number, name, employer, educational degrees and background. [emphasis mine]

    Makes ya feel all edjumicated already, dunnit?

    Of course, all the above is moot; it fails the sniff test (twice, no less!) on its home page:

    Don't forget to bookmark us! (CTRL-D)

    Trust me, I didn't forget.

    ...as for the course itself, it seems to be little more than a rote lesson in exploiting commonly known weaknesses, such as default passwords and poorly-configured servers. From the BusinessWeek article:

    ALARMING LAPSES. And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.

    It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successful

  • by jtaylor00 (670164) on Tuesday April 04, 2006 @01:16PM (#15060077)
    From the Article
    They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill. For more sophisticated classes there are background and criminal checks.
  • Been there done that (Score:5, Informative)

    by codepunk (167897) on Tuesday April 04, 2006 @01:40PM (#15060313)
    I have been to it; the courseware is fairly extensive but was boring nonetheless. I cannot see much of the Slashdot crowd getting much from it, just a rehash of common knowledge tools and techniques that we pretty much have all heard of.

    Now I was stuck in a room full of MS and MCSE zombies who did not know the difference between a TCP and UDP packet. Just listening to the students talk I could feel the grey matter being sucked from my head....sort of like a high school student sitting in on a first grade class.
  • by TechnoGuyRob (926031) on Tuesday April 04, 2006 @01:46PM (#15060358) Homepage
    I am a systems administrator at www.hackthissite.org [hackthissite.org] (HTS), and at HTS, we intend to do just what this camp intends to--but for a nice sum of $0.

    Although we are currently working on a new version of the site (dubbed "HTSv4"), the current place still has plenty of opportunities to gain knowledge in (ethical and legal) areas of computer security, such as XSS injection, SQL injection, buffer overflows, programming, and countless other topics--all through personal experience with the "missions" on the site.

    I think it is very important for people who are going into computer development of any kind to be aware of these issues. Personal experience and skill in computer security can only be beneficial, and will teach one to code applications that are capable of defense from outside intrusion.
  • by TechnoGuyRob (926031) on Tuesday April 04, 2006 @01:48PM (#15060390) Homepage
    I forgot to mention: hacking "capture the flag", as the article calls it, is our equivalent of Root This Box [rootthisbox.org], a competition aimed at controlling a "box" (system) for the longest amount of time through various exploitation means, most of which go beyond the topics covered in the "boot camp."
  • by qw(name) (718245) on Tuesday April 04, 2006 @02:01PM (#15060511) Journal

    Instead of going with that company I would recommend either EC-Council [eccouncil.org] or Vigilar/IntenseSchools [vigilar.com] for your CEH training needs.

    I attended Vigilar's CISSP Boot Camp (Larry Greenblatt was the instructor) and had a very good experience. Passed the test the first time. They strictly adhere to the Code of Ethics of the various certification organizations and their NDAs. They will not tell you what's on the test like certain MS training camps.

  • by karmaflux (148909) on Tuesday April 04, 2006 @02:16PM (#15060634)
    Scroll down, and you get

    Attorneys Search
    Attorney Lawyer Law Firm
    Lawyers & Class Actions
    Louisiana Law

    all with links.

    Further still, you get

    Plastic Surgeon Houston
    Cosmetic Surgeon Houston
    Liposuction Houston
    Cosmetic Surgeon Texas
    Plastic Surgery Texas
    Extreme Makeover Plastic Surgery
    Cosmetic Surgery Pictures Plastic Surgery Houston
    Cosmetic Surgery Houston
    Board Certified Plastic Surgeon
    Facelift Houston
    Plastic Surgeon Houston
    Houston Plastic Surgeon
    Houston Cosmetic Surgeon
    Plastic Surgery PicturesPatronella Surgeon
    Cosmetic Surgery Houston
    Extreme Makever
    Cosmetic Surgery Texas
    Plastic Surgery Texas
    About Plastic Surgery
    Plastic Surgery Before & Afters

    Each one of those is a link, and every single one of them to the same domain.

    This is a spammer site, and every page on the site has a footer labeled "links and sponsorship," also filled with spam links. I feel really bad for the poor suckers who wind up giving them money.

    Also from their TOS:

    Additionally, the ICECC does not guarantee the character, skill, experience, education, ethics, or references of a member or certified member of our group.

    The whole organization is a joke.
  • by dr_dank (472072) on Tuesday April 04, 2006 @02:26PM (#15060725) Homepage Journal
    What about the exceedingly slow save program?

    I want to make sure that whenever I save a file it goes extremely slowly and shows me every percent along the way.

    Those should be avoided. Prolonged exposure to the loud suspenseful music that accompanies just-in-the-nick-of-time saving has been shown to be harmful to your hearing.
  • by pmc (40532) on Tuesday April 04, 2006 @03:15PM (#15061119) Homepage
    While "Institute of Certified E-Commerce Consultants" has a nice ring to it, it's a little ambiguous.

    The submitter has put in the wrong website - The CEH site is at http://www.eccouncil.org/CEH.htm [eccouncil.org]

    It is a penetration testing certification for people who can't do penetration testing.
  • I took the class (Score:3, Informative)

    by Salo2112 (628590) on Tuesday April 04, 2006 @03:18PM (#15061141)
    It wasn't a 5 day 8-hour a day class. It was 12 days from 0800 to 2100(ish) hours with a few breaks during the day.

    It was a chance to play with a lot of nasty stuff on machines that were there for the purpose of breaking in a controlled environment.

    The biggest positive was that someone sent two PHBs to the class to see if it was worth sending techs - they got to see first hand what was out there, what the risks were and ways to help their guys secure their networks. Nothing like people seeing for themselves what their staff is up against.
