School Teaches 'Ethical Hacking'

Yardboy writes "A Yahoo! News/Reuters story discusses students in Los Angeles paying $4,000 to attend 'Hacker College' and become 'Certified Ethical Hackers'. Apparently: 'Instructors race through topics like symmetric versus asymmetric key cryptography (symmetric is faster), war dialing (hackers will always call late at night) and well-known TCP ports and services (be wary of any activity on Port 0)', and the president of the college says: 'What we attempt to do in our classes is teach how the hackers think.' Hmmm, perhaps 'Certified Script Kiddie' would be a more accurate designation."

  • Gasp! (Score:3, Funny)

    by Anonymous Coward on Monday June 28, 2004 @02:32PM (#9552916)
    Better watch out, article submitter! Me and my friends are totally gonna DDOS you now!!!!
  • [cynical] (Score:3, Insightful)

    by Maradine ( 194191 ) * on Monday June 28, 2004 @02:32PM (#9552919) Homepage
    And I think I speak for all the CISSPs in the room when I say . . .


    Thanks, I'll take self-study and put the four grand down on an M3. Sellout? You betcha. *grin*
    • Re:[cynical] (Score:5, Interesting)

      by Sielle ( 785160 ) on Monday June 28, 2004 @02:38PM (#9553007)
      Out of the 5 people I personally know that have taken classes like this, 4 of them have continued on to go after their GIAC/CISSP certifications. If a class like this gets people started, I'm all for it. I just worry about the people that think something like this is all they need.
      • Re:[cynical] (Score:5, Insightful)

        by Maradine ( 194191 ) * on Monday June 28, 2004 @02:49PM (#9553136) Homepage

        Education is extremely important in this segment, no doubt. What concerns me is the "boot camp" format of these particular gigs, as well as the entry fee.

        $4000 is an awful lot of money for a Common Body of Knowledge -- especially since it's all available from the Internet.

        I have nothing but encouragement for those who wish to enter the field. But save your money. Hell, drop sixty bucks and go to defcon.
        • Re:[cynical] (Score:5, Insightful)

          by upside ( 574799 ) on Monday June 28, 2004 @03:34PM (#9553655) Journal
          My take on courses is: yes, you can learn the same stuff if you take the time. However, your boss is unlikely to give you time during work hours to study. When the employer has to pay muchos buckos for it he gets a warm fuzzy feeling that you are doing something worthwhile.
        • Re:[cynical] (Score:5, Insightful)

          by lukewarmfusion ( 726141 ) on Monday June 28, 2004 @03:34PM (#9553662) Homepage Journal
          99% of the stuff I learned in a college classroom was available on the Internet. Putting it together right demands something more than just a Google search.

          Other things I got from college:
          A class ring
          Life experience (studied abroad, lived in a dorm)
          Relationships with professors - having connections with people in your field is a good thing

          I went to a school that runs around $30,000/year. It was worth every penny.
          • Re:[cynical] (Score:4, Insightful)

            by 1lus10n ( 586635 ) on Monday June 28, 2004 @04:26PM (#9554186) Journal
            Things I have gotten from Working since I was 18:

            Credibility, people KNOW I can do this for a living. They dont have to worry about weather I can actually do the work.
            Several awards from my employer.
            Real Life experience.
            Proffesional contacts. Tons and Tons of them.

            And I dont have 60k in debt, and wont be paying off school bills for the rest of my life. I have enough experience to walk into higher level jobs and skip the "entry" level BS.

            Life is not lived on a Piece of paper that was givin to you by some organisation that is known as a "school".
            • Re:[cynical] (Score:5, Insightful)

              by admdrew ( 782761 ) on Monday June 28, 2004 @04:58PM (#9554535) Homepage

              College can be more useful in opening doors than it is as a tome of information. As you said, you may have learned quite a bit from your on the job training, are in contact with numerous people in your field, and do not suffer the financial hardships of a recent college graduate. Unfortunately you may have a hard time competing with those who have a higher education background, especially if they've worked while going to school (like many of us do).

              [A potential employer does not] have to worry about weather [sic] I can actually do the work.

              Graduating from college with very good grades requires a lot of work, something any employer knows. If an applicant finishes with a 4.0 GPA, it can be safely assumed that they can "actually do the work."

              What you say is a little alarming; your assumption that college is entirely worthless when compared to a high school job is entirely unfounded.

              Oh, and before you apply anywhere in the future, work on that spelling and grammar ;)

              • Re:[cynical] (Score:3, Interesting)

                by clymere ( 605769 )
                I agree with the "foot in the door" thing.

                I'm in college right now, and taking a class on Apache. My professor is teaching a class full of us to run X-Windows in Linux as root. Because "it's easier."

                These people will be running your servers someday everyone. Clearly a college degree is no guarantee that you'll know what you're doing.
            • Re:[cynical] (Score:3, Insightful)

              by servognome ( 738846 )
              Credibility, people KNOW I can do this for a living. They dont have to worry about weather I can actually do the work.
              What a college degree gives you though is more flexibility. You have proven you can do a particular job and do it well, but it is much more difficult for you to find a job that might require things outside your current skillset. A college degree shows employers you are able to expand your knowledge outside your core competency.
              Several awards from my employer.
              In college you can get y
    • Hey, I think this is a great idea. I think that every hacker should get the certified ethical hacker badge.

      BTW, I will be selling the answers to the certified ethical hacker exam on my site for selling answers to the MCSE exams and other equally important certificates.

  • Not New (Score:5, Interesting)

    by Doesn't_Comment_Code ( 692510 ) on Monday June 28, 2004 @02:32PM (#9552930)
    The name of the certificate is new, but the concepts are not novel.
    We went through an entire class about computer ethics. We had to, to get a Computer Science degree. And since it was an actual Computer Science degree, we learned all about security and machine language and what have you... basically everything you would learn in this course.

    This program seems like a stripped down version of computer science for people who are only interested in security related work.
    • Seems expensive (Score:5, Insightful)

      by senzafine ( 630873 ) on Monday June 28, 2004 @02:39PM (#9553023) Homepage
      $4,000 seems a bit expensive. I'm not seeing the true benefit of having a "Certified Hacker Certificate"? I think the days of getting a job out of high school because you took a hacking course are over (if they ever existed in the first place).

      Right now the University of Cincinnati is about $8,000 for a year. And I thought that was expensive.

      Seems trendy to me...I just don't see hacker courses having much of a true impact on security.

      But kudos to whoever is making money off the idea. Wish I would have thought of it.
      • by Doesn't_Comment_Code ( 692510 ) on Monday June 28, 2004 @02:56PM (#9553206)
        Be careful with dynamic memory.

        Watch for stack overflows.

        Always restrict access as much as possible.

        Use the strongest encryption available depending on the sensitivity of your data.

        Turn off all services that you don't use.

        Don't set your root password to root.

        Assume every user has bad motives.

        Plan for the worst.

        Send $4000 and a self addressed, stamped envelope with your name as you would like it to appear on your certificate.
    • You might be able to strip down a CS course if you're only interested in Administering systems, but wouldn't someone who is interested in Security related work require at least more than a working knowledge of all of the different parts of what makes up a Networked system from design to implementation so they could actually understand how these parts are conspiring to create an insecure environment? It's going to be the MCSEs of security, secure on paper but leaving a lot to be desired.
      • Re:Not New (Score:5, Insightful)

        by Doesn't_Comment_Code ( 692510 ) on Monday June 28, 2004 @02:47PM (#9553110)
        Yeah, I was thinking of all the math that's involved in cryptography. And to really know what you're talking about, you should probably understand the guts of networking, tcp/ip and ethernet inside and out. You should know machine language pretty well too.

        The most difficult part about security is that you aren't learning how something is supposed to act. That's the easy part. That's what every programmer does (and what I do mostly). But to really do security, you have to know what could happen and how something might work if manipulated. That's really, really hard when you think about all the possibilities!

        I just can't imagine squeezing that all in to a short certificate class.
    • Re:Not New (Score:4, Insightful)

      by RAMMS+EIN ( 578166 ) on Monday June 28, 2004 @02:44PM (#9553068) Homepage Journal
      All about machine language and security as mandatory part of the program?! Where did you get that degree? I want to go there too! Around here, universities teach you some high level language, how to comment your code, and writing a few apps and a few parsers.

      You can do the real stuff, but it's all optional, giving me the feeling that I can as well kiss the university goodbye and study for myself - which is, in fact, how I learned everything I know about computers and programming. And I mean everything. The only reason I still attend university is that I want to get the diploma, but I'm not even sure how much people are going to care about that if you don't really need to have any deep knowledge and experience to get it.
      • Where did you get that degree?

        I went to Drake. They have one or two really good professors who teach you everything, and help when you want to learn something on your own. I hope those professors never leave!

        I got thrown into assembly language my first semester of college. Boy was I in for a world of hurt! But I learned a of a lot in that world.
    • Re:Not New (Score:3, Insightful)

      by stephanruby ( 542433 )
      This program seems like a stripped down version of computer science for people who are only interested in security related work.

      No, this program seems like a stripped down version of computer security for people who are only interested in the stupid media-prestige that the term "hacker" might bestow.

  • Oh man... (Score:5, Funny)

    by RegalBegal ( 742288 ) <regalbegal&gmail,com> on Monday June 28, 2004 @02:33PM (#9552937) Homepage
    First day. 2day kidZ, w3 LeRN 2 HaX0R t3H g00d w^y...w00t. OMG. RTFB.
  • by Anonymous Coward on Monday June 28, 2004 @02:34PM (#9552944)
    What they don't tell you until the PhD course is that it's always late at night somewhere.
  • Hmmm (Score:5, Funny)

    by Neil Blender ( 555885 ) <> on Monday June 28, 2004 @02:34PM (#9552946)
    Sounds like they are social engineering people out of $4,000.
  • by x.Draino.x ( 693782 ) on Monday June 28, 2004 @02:34PM (#9552949)
    Am I missing something? Lots of companies are doing this.. for example: InterfaceTT CEH Information
  • great.. (Score:5, Insightful)

    by Anonymous Coward on Monday June 28, 2004 @02:34PM (#9552953)
    Now we have SCHOOLS that teach that "hacking" means breaking into computer systems

    • Re:great.. (Score:2, Interesting)

      by umrgregg ( 192838 )
      But this isn't hacking!! THIS is hacking. What you're referring to is cracking.
      • Re:great.. (Score:5, Informative)

        by nacturation ( 646836 ) <nacturation AT gmail DOT com> on Monday June 28, 2004 @02:56PM (#9553205) Journal
        But this isn't hacking!! THIS is hacking. What you're referring to is cracking.

        You know, it's only been within the last few years that I've heard any significant usage of the word "cracker" with regards to computer security. Before that, anyone who broke into a computer system was known as a hacker. Cracking was what you did to software to remove copy protection. Kevin Mitnick refers to himself as a hacker, and he broke into systems long before the politically correct term, cracker, came into usage.

        While it's a nice effort to wish for a distinguishment between the two, the use of the word hacker for those who break into systems has long been established. Let it go, man.
        • Cracker (Score:3, Funny)

          by mfh ( 56 )
          > You know, it's only been within the last few years that I've heard any significant usage of the word "cracker" with regards to computer security.

          It usually means dumbass white motherfucker where I'm from.
    • Re:great.. (Score:5, Interesting)

      by Anonymous Cowtard ( 573891 ) on Monday June 28, 2004 @02:55PM (#9553196)
      Sorry man, but the word is used to mean malicious computer access as well. Words take on the meaning that the majority use them for.
  • by mikael ( 484 ) on Monday June 28, 2004 @02:35PM (#9552958)
    I wonder how long before they offer the qualification of "Certified Pointy Haired Boss"?
  • I remember when the CEH first came out. They may work as a simple start, but they shouldn't be considered a stopping point to learning.
  • Sounds like (Score:3, Insightful)

    by Creepy Crawler ( 680178 ) on Monday June 28, 2004 @02:35PM (#9552960)
    A really sucky "school"..

    You teach ethics, not "hacking ethics". Sounds like a money grab for gullible script kiddies.

    I should've thought of it first.
    • Re:Sounds like (Score:3, Informative)

      I know this is painfully obvious, but it's not ethics, it's ethical hacking - which means hacking to test the security of a system with consent.
  • by liquidsin ( 398151 ) on Monday June 28, 2004 @02:35PM (#9552966) Homepage
    Sporting long sideburns, a bushy goatee and black baseball cap, instructor Ralph Echemendia has a class...

    He wears a black hat, and we're expected to believe that he's teaching ethical hacking? It's a cover! He's building an army! TERRORISTS!!!
  • I'm Waiting (Score:5, Funny)

    by stinkyfingers ( 588428 ) on Monday June 28, 2004 @02:36PM (#9552973)
    Wake me up when they offer Ethical Racketeering, Ethical Pimping, and Ethical Congressional Campaigning.
  • My $5 (Score:4, Funny)

    by Doesn't_Comment_Code ( 692510 ) on Monday June 28, 2004 @02:36PM (#9552978)
    I'm offering 5 dollars to help a poor Microsoft programmer attend this school, where he will learn how hackers think in order to stop them. Maybe if we all contribute to the pool, we'll have easier lives.
    • Or, at the very least, less money.

      Plus, the Microsoft programmers will come out of the same school of hacking as their clueless boss, and then get our jobs.

      So, at the very least, MUCH less money.

  • by Scoria ( 264473 ) <> on Monday June 28, 2004 @02:36PM (#9552983) Homepage
    4r3 7h3y c3r71f13d 1n 1337sp34k? j00 c4n't b3 4 h4x0r w17h0u7 1337sp34k. ;-)
  • by Gyorg_Lavode ( 520114 ) on Monday June 28, 2004 @02:36PM (#9552985)
    This is an outrage to all of us who toiled for years to become script kiddies and received no formal documentation of our accomplishments.
    • by phyruxus ( 72649 ) <jumpandlink&yahoo,com> on Monday June 28, 2004 @02:46PM (#9553097) Homepage Journal
      Nature creates man.

      Man creates computer, internet.

      Intelligent, misunderstood youths discover internet, realize they've been lied to, strung along, generally mistreated. Youths show the guts and brains to learn without teachers.

      Feds discover internet, realize there are children smarter and more skilled than them, throw bureaucratic temper-tantrum, track down said kids (well, some of 'em) and bust them, refuse leniency.

      Feds realize this "internet thingy" is more important than they thought, and worse, there are kids in other countries who not only have mad skillz, but also actively hate america. Feds shit bricks.

      Gov't, realizing it has cut off its left testicle, tries to fill the gap with "Ethical hackers", ie, tries to create what it had in the first place.

      Jeezus F Kryst on a surfboard, why didn't you just train the @#(*&^*(@# hackers in ethics in the first place? You can't teach curiosity, autodidactism or problem solving.

      Nature laughs, goes back to being inscrutable.

      Way to go.

      • by CAIMLAS ( 41445 ) on Monday June 28, 2004 @03:40PM (#9553712) Homepage
        Don't think yourself so superior.

        Problem solving is just as trainable an ability as any type of mathematics or programming. It requires critical thinking, and often a good handle on the deductive and inductive trains of thought. If you're a good problem solver, chances are you had someone in your youth that prompted and prodded you to think about things in different lights, and thus why you can think critically.
  • by Anonymous Coward on Monday June 28, 2004 @02:37PM (#9552988)
    ...of self knowledge and recognized accomplishment amongst your peers that only MCSEs have enjoyed up to now.
  • by artlu ( 265391 ) <artlu@a[ ] ['rtl' in gap]> on Monday June 28, 2004 @02:37PM (#9552989) Homepage Journal
    The problem with teaching Comp Sci, let alone "hacking," is the methodology in which the teachers teach. The only way I ever learned any type of programming was when someone said, "Go build an application that simulates RSA cryptography." 12 C++ files later I learned more than I did in 2 years of "intro" classes. The same goes for this as well, these kids won't get much more out of these classes than learning to use some scripts or demon dial or whatever.

    They should get a project that entitles building some sort of application which can be released to the Open Source community.

    Wow, war dialing, early 90s, wow.

    GroupShares Inc. [] - A Free Online Investment Community.
    • "Go build an application that simulates RSA cryptography." And in GW too!

      Input "Plaintext";x$: Print "Cyphertext:": for i = 1 to len(x$): print chr$(int(rnd*255)+1);: next: Print

      Simulated enough for ya? ;)
  • "Harmless" Hacking (Score:5, Insightful)

    by gbulmash ( 688770 ) * <semi_famous AT yahoo DOT com> on Monday June 28, 2004 @02:37PM (#9552990) Homepage Journal
    Puts me in mind of The Guide to Mostly Harmless Hacking.

    Learning how to defend against getting hacked by learning how to hack is nothing novel. It sounds like a great idea on the surface, because it gives you the tools to probe your own weaknesses the way your attackers will. But you're always going to have to keep up with the latest methods, scripts, etc. IMO, A net admin who isn't at least a hobbyist hacker probably won't get much from a hacking bootcamp except a false sense of security.

    - Greg

    • by Doesn't_Comment_Code ( 692510 ) on Monday June 28, 2004 @02:42PM (#9553046)
      Many computer security companies hire converted hackers. But others refuse, saying that anyone with that bad seed can't ever be trusted. They only hire people who have studied hacking, but have never been a hacker (like graduates of this school).

      Like you said, it sounds like a good idea, but there are going to be weak points in your staff if they don't really know what they're doing. For instance, I've studied security from books, and I'm pretty adept at defending my computer. But I know there's a lot that I don't know that I would know if I hacked computers on a regular basis.
      • by clintp ( 5169 )
        Or, an analogy that hits home to Slashdot readers...

        This seems akin to having sexual experts who have studied sexual practices, but are still virgins.
      • by wwest4 ( 183559 ) on Monday June 28, 2004 @04:18PM (#9554106)
        > others refuse, saying that anyone with that bad seed can't ever be trusted

        I've always seen this argument (the Spafford argument, if you will) as weak. You can't really trust anyone absolutely. A past offense doesn't guarantee a future offense any more than a lack of past offense guarantees future ones.

        Any system should have a set of checks and balances for the admins & security guys as well. You don't want anyone holding all the keys on principle. That way, you're mitigating any risk by hiring someone who you know has trust issues.
  • by qtothemax ( 766603 ) on Monday June 28, 2004 @02:37PM (#9552999)
    ...although $4000 sounds a little steep. Most hackers are probably self trained, as in $0. Every corporate network better have someone involved in its design and maintenance that has some knowledge of hacking though, or else it will be a sitting duck. I had a professor that was a consultant who hacked companies to discover their vulnerabilities. Obviously nothing malicious, and he told them about everything he gained access to and fixed it. Sounds like one hell of a fun job.
  • by JohnFromCanada ( 789692 ) on Monday June 28, 2004 @02:38PM (#9553005)
    Recent graduates of the 'Hacker College' realize that their diploma is virtually worthless in the real world and come to realize that they were just socially engineered out of $4000 dollars.
  • A white hat (Score:4, Funny)

    by slasher guy ( 624616 ) on Monday June 28, 2004 @02:38PM (#9553015) Journal
    Do they get a white hat with the certificate?
  • by mrhandstand ( 233183 ) on Monday June 28, 2004 @02:38PM (#9553016) Journal
    is never good or evil. If the students are attending for the right reasons, then this will help them understand the basics of how script kiddies work. And what do the current stats tell us about most attacks? That they are unsophisticated and are run by people who have little deep knowledge of systems. So this course will (theoretically) allow them to better protect against the majority of attacks. If the students are attending for the wrong reasons, then they spent $4k for what a day or two of googling and reading would have gotten them. BFD.
    • They're much better off taking one of the @stake classes. They don't pretend to teach you how to be a 'hacker', but how to secure your systems. They do show several (four or five) outdated scriptkiddy hacks, but mostly, the focus is making people aware of issues and giving them a toolkit to try and secure it.

      I wish it had been a /little/ more technical, but in their defense, we did spend 90% of the time actually doing lab exercises, and I did take some good stuff away from it. My boss, who is our director
    • but it's not. we had a "security professional" at work go through this program. what he came out with was more basic than what you could get by reading any "hacking exposed" book.

      I asked him during lunch about how his new security measures on the network were working....

      he mentioned a bunch of things until I interrupted with... "so you sweep the building on a regular basis for keyloggers? how about devices on the network that you were not notified of? Is that HP laserjet 4400 at REALLY a
  • Sounds like... (Score:2, Insightful)

    by robslimo ( 587196 )
    more of a course to help corporate types to be better aware of and combat cracking (note usage of correct word here) techniques. Your typical 'script kiddie' ain'ta gonna blow $4000 on a course on cracking; he's gonna hang out on IRC and cracking/warez sites to try and mooch some free advice and 'proggies'.

    IMO, a network admin ought to all ready know the tricks of the trade and keep him/herself up to date on the tech. But I guess this course probably does provide a good service to some... seen waaaaay t
  • yeah right.... (Score:5, Insightful)

    by evenprime ( 324363 ) on Monday June 28, 2004 @02:39PM (#9553020) Homepage Journal
    I haven't read it yet, but I'm rather skeptical. It seems like $4000 dollars and a few weeks in the classroom teaches you how to run sploits you download from packetstorm. It doesn't make you suddenly become skeptical of everything a vendor tells you, or make it become a habit to run a sniffer with watchtemp when you install software on your test lan. It doesn't make you enjoy reading bugtraq.

    There's a heck of a lot more to "hacking" than what they can teach you....think "lifestyle"
  • Computer Ethics? (Score:5, Interesting)

    by AviLazar ( 741826 ) on Monday June 28, 2004 @02:39PM (#9553022) Journal
    Anyone who is smart enough to hack, is smart enough (save for those with mental problems) to realize the difference between right and wrong.
    Anyone who wants to take an ethics class obviously has some ethics (what you think someone lacking morals will be taking an ethics class to hope improving himself)???
    What they should offer is a class that teaches non-techies what is a hacker - so they learn that not all hackers are evil people bent on ruling the world (not that there is anything inherently wrong with this..I mean if I ran the world, it would be a much better place - for you and me....well more me, but it's all good)
    • Anyone who is smart enough to hack, is smart enough (save for those with mental problems) to realize the difference between right and wrong.

      But anyone who is dumb enough to be a script kiddie and call himself a hacker is dumb enough to not realize the difference between right and wrong.
      • As much as we like to make fun of script kiddies, they are not THAT dumb. It still takes a level of intelligence to run a script. It is not something that is so basic. It may be as easy as double clicking on an exe file, but you need to find that file.
        *I* cannot put down the intelligence of a script kiddie to the level of someone who is mentally retarded or a four year old (and even four year olds have a basic sense of right or wrong).
    • by techno-vampire ( 666512 ) on Monday June 28, 2004 @03:02PM (#9553276) Homepage
      Anyone who wants to take an ethics class obviously has some ethics (what you think someone lacking morals will be taking an ethics class to hope improving himself)???

      Well, a smart but unprincipled cracker might take the course to learn how to "talk the talk" and make himself sound ethical. That would help him social engineer himself into a security job where he can get paid to crack into systems and steal data while claiming to be looking for vulnerabilities to patch.

    • Anyone who is smart enough to hack, is smart enough (save for those with mental problems) to realize the difference between right and wrong.

      Wrong! This is based on an old model of "smart", that there is a single, linear measure of intelligence, one's IQ. Newer research suggests that people have different capabilities in different degrees; this is broadly known as Multiple Intelligences.

      People with high interpersonal and intrapersonal intelligence will have a native advantage in understanding ethics. This
  • by ajs ( 35943 ) <ajs@aj s . c om> on Monday June 28, 2004 @02:40PM (#9553026) Homepage Journal
    If you're wondering when the word "hacker" came to mean something sinister, the answer is 1987.

    As far as I can tell, it was the US media that got that ball rolling when they were trying to investigate the 1987 "Internet Worm" released by Robert Morris Jr. The Worm caught the news media off-balance because 1) they did not know what this "internet" thing was 2) there was no terminology for this kind of crime.

    Remember, this was before the World Wide Web (which some of you may not realize is a layer ON TOP OF the Internet, not the same thing), and the news only knew that the military had been connecting computers for research, but even that information was kind of sketchy if you weren't in the thick of it.

    So, they asked around and got some experts on the phone and the word that kept coming up was "hacker". Well, the reporters in question didn't realize that a "hacker" was a fairly old term used by the MIT Tech Model Railroad club and later spread around the world as a term for a "productive enthusiast". They just knew that Morris the Younger was a "hacker who broke into thousands of computers", and that was news!

    We've all tried to stop that land-slide ever since because those of us who called ourselves hackers pre-87 are not too thrilled with the perversion of the word's meaning, but at this point it has become clear that it's simply going to be a matter of dialect. In certain circles the word has one meaning and in the rest of society (not just English-speaking society) it has a very different one... oh well.
    • by ajs ( 35943 ) <ajs@aj s . c om> on Monday June 28, 2004 @02:48PM (#9553121) Homepage Journal
      And one note on Mr Morris, who I actually respect a fair amount for his successful bid to bring computer security into the spotlight. I don't advocate writing worms or viruses (the so-called Internet Worm actually classified as both, depending on which attack vector it was using at the time), but in the case of Morris' program, his intent was a reasonable one, even if his actions were not. For that, he deserves a nod: he took a big fall in order to get us to stop pretending holes didn't exist, and CERT was formed as a direct response to his actions.

      I know, he also cost us a huge amount of lost productivity, but can you imagine the chaos that someone who DID have malicious intentions would have caused just five years later?! We took that hit to productivity because there was a problem, and though people like Bob Page (who wrote one of the better papers on the worm, and was in charge of sysadmin at my school at the time) were not amused, I do think they were better off in the long term.

      Now, if Morris' code hadn't had that fatal bug that caused it to replicate out of control.... heh ;-)
  • The world needs more hall-of-famer quarterbacks, and they're recruiting 5yr old peewee footballers.

    For you apologists out there, keep in mind that I myself would only charge $2000, and you'd be at least twice as non-lame as these jokes.
  • by The_Rippa ( 181699 ) * on Monday June 28, 2004 @02:41PM (#9553040)
    And paid for it with credit card numbers I stole from various hotmail accounts.
  • by cdavies ( 769941 ) on Monday June 28, 2004 @02:43PM (#9553058) Homepage
    Woah. If the course is lectured by Angelina Jolie, I'll cough up my 4KUSD in about 3 seconds flat ;)
  • I got next! (Score:5, Interesting)

    by Otter ( 3800 ) on Monday June 28, 2004 @02:44PM (#9553070) Journal
    I'm now crafting my article submission about this Economic Times article about the "EC-Council" holding a similar program in -- brace yourself -- India! It looks like the career window for being a "certified ethical hacker" is only a couple of weeks wide.

    (BTW, doesn't this "Economic Times" look like a pretty shameless rip of the Financial Times? I wonder if their print edition is salmon-colored.)

  • by sirdude ( 578412 ) on Monday June 28, 2004 @02:44PM (#9553072)
    Cyberabad/Hyderabad, India. Ankit Fadia, who is India's pet hacker, started up a similar company named e2labs last year.. Not sure how progress has been though..
    Course Options

    Certified Open Source Security Expert (1 - week) *New
    Computer Forensic Expert (3 - days) *New
    Certified Encryption Expert (1 - week) *New
    Certified Anti-Virus Expert (1 - week) *New
    · 3 months - C.S.S (Certified Security Specialist) Job Oriented
    · 3 months - C.S.S (Certified Security Specialist) Non-Job Oriented
    · 1 month - C.S.P (Certified Security Professional)
    · 1 week - S.S.C.M (Security Specialist in Counter Measures) - Corporates
    The company has priced these courses at Rs 25,000, Rs 75,000 and Rs 1,50,000 for weekly, monthly and three monthly programs respectively. 1USD ~= 45.7INR
  • "from the honorary-mitnick-doctorate dept."

    Strange ... the article title states 'Ethical Hacking' ...
  • Cracking... (Score:5, Funny)

    by umrgregg ( 192838 ) on Monday June 28, 2004 @02:46PM (#9553104) Homepage
    This [] is true 'ethical' hacking. And you don't even have to go to school to learn it. Well never mind, you have to go to school...
  • by Anonymous Coward on Monday June 28, 2004 @02:47PM (#9553111)
    The instructors are actually quite knowledgeable in the field, and the texts, though not anything you couldn't compile with a fair amount of time at SecurityFocus and the like, are pretty good for people who are technically competent but who don't know much about security. The level of knowledge is certainly well above script-kiddie level, and I'd say that it's sufficient for junior security team members. (Disclosure: My company asked me to check out the dog-and-pony show for the class, but neither I nor any of my co-workers attended the full class.)

    Is it worth $4,000? Depends what you're looking for. If you're trying to train up new secteam personnel, it might be a good buy. At the same time, experienced security researchers will find it a solid but not frontier-pushing class, so I wouldn't recommend it to anyone who, say, posts to BugTraq. As well, a lot of specialized platform knowledge also gets passed by, so this doesn't obviate the need to do significant research on your particular installations.

  • Ethical what now? (Score:3, Insightful)

    by Alaren ( 682568 ) on Monday June 28, 2004 @02:47PM (#9553113)

    "So... after you get your A+, Network+, CNA, MCSE, and CEH..."


    "That's the Certified Ethical Hacker certification."

    Well that's just great. Now instead of learning to be (as the submitter suggests) a script kiddie from your IRC buddies, you can go to school for it. I'm not saying this is a bad idea--indeed, I strongly support the idea of learning something useful and marketable. But what gives them the idea that training people in a "legitimate" setting means they will do ethical things with that training? In other words, the program sounds great, but where do they get off using the word "ethical?"

    It just seems like another extension of the "cracker versus hacker" or "white hat versus black hat" distinction. Guess someone saw some racial subcontext and now we've got "ethical hacker." The media and the bleating masses want some title they can apply to distinguish between the people with skills and the people with "$k!llz0rz." Well, newsflash, it doesn't work that way.

    I'd like to know how many CEOs were forced to take a "business ethics" class. Most of them, I imagine. One of my ethics professors liked to note that "business ethics" was just a class on how to justify to the media and the shareholders actions you wanted to take regardless.

    Same thing with this. They are training network engineers with an emphasis in intrusion countermeasures. It should be (and probably is!) an amoral program presenting the facts and the information. What people choose to do with their education will determine whether they are "ethical hackers" or not. The name of the program is irrelevant.

  • script kiddie? (Score:5, Insightful)

    by MattW ( 97290 ) on Monday June 28, 2004 @02:48PM (#9553132) Homepage
    Script kiddies don't need to know why symmetrical encryption is faster... they just need to know how to subscribe to Bugtraq.
  • Crap (Score:3, Insightful)

    by freaksta ( 524994 ) on Monday June 28, 2004 @02:54PM (#9553184) Homepage
    Old news :( Honestly please stop posting this crap. Not only is it old news, but it's really a lot of poo poo. Try reading Phrack or other underground zines. There are tons of entry level zines and zines that are for more advanced users (phrack). Save yourself $4000 and do it from the comfort of your own home. If you want to know how hackers think, try spending some time on undernet. You get the feeling real quick :) This is not a flame.
  • CEH Cert (Score:2, Informative)

    by ignaric ( 549420 )
    My company sends me to pretty much any security course I want to learn a thing or two and to keep up with the trends. I'm a CISSP and if you've already gotten that far, the CEH is really really basic. You are far better off spending your money on a SANS conference and prepare for a GIAC cert.
  • by handy_vandal ( 606174 ) on Monday June 28, 2004 @02:58PM (#9553227) Homepage Journal
    (1) Do as I say, not as I do.

    (2) Do it to someone else, not to me.

    (3) You learned this from someone else, not from me.

  • by CdBee ( 742846 ) on Monday June 28, 2004 @03:00PM (#9553246)
    Well, actually it was a UK course teaching the same curriculum, it seems.

    Shortly afterward, the fucker got fired for gross misconduct, and hacked our company's servers using backdoors that he'd personally set up. So no, I'm not too impressed by people teaching this.....
  • About time (Score:2, Insightful)

    ...but if you think about it, it was just a matter of time before something like this caught on. In CS/CE, the measure of how big of a man/woman you are is how many certs you have to your name (at least it is in quite a few corporate environments). Soon enough, we'll see job postings that say "CEH preferred".

    Though as it was already pointed out, this is an excellent example of social engineering. They ought to give kickbacks to Mitnick for every fool who enrolls in the class.

  • 75% of the graduating class is under house arrest for hacking back into the schools' cc merchant account servers and getting their $4000 back. The other 25% also stole back their money, but couldn't be traced, and are presumed at large.
  • by krinsh ( 94283 ) on Monday June 28, 2004 @03:01PM (#9553264)
    You WILL NOT learn hacking, even in the context that they're teaching (subverting the security of computer systems), in a class. You may learn about all kinds of tools; and about steps and techniques to attempt to break into computers, but the real work is not in a classroom. I still believe this after taking SANS Track 4; which was excellent training, but did not drop me back on the street with the ability to be pen tester extraordinaire. It's like the commercial says: you get good with practice. I think that's part of the reasoning behind SANS's practical papers for their certifications - so you research, and PRACTICE, and learn things by doing. Now, let me add yet another disclaimer to my posts - practicing does not mean going out and writing malicious code and breaking into sites. Practice means taking your own little air-gapped network and exploring every aspect of the art that you have time and aptitude to learn. Real hacking, the essence, and I'm not trying to start a definition war here; is trying everything you can and learning everything you can - for good or for evil now; but you get the point.
  • Perhaps the real reason for this class is simply to collect a large mass of 1337 Do0d5 in one place for their eventual "disposal"

    --Shhhh....don't tell anyone.
  • by Anonymous Coward on Monday June 28, 2004 @03:03PM (#9553284)
    The course seems pretty expensive and probably not exactly ideal, but it's a bit more than just script-kiddieism. Unless, of course, the tests look like this:

    Q: You are the IT manager of an online business. The owner is pleased to announce that the business has enjoyed rapid growth, and has asked you to prepare an outline of system upgrades and estimated costs to deal with an estimated 8,000 daily visitors consuming approximately 320KB, with the number of visitors doubling every six months. What are your main concerns likely to be? (circle all that apply)
    a) Cost of expanded bandwidth utilization
    b) Maintenance issues associated with a medium-sized server farm, as well as software concerns regarding your web application and load balancing
    c) Continued self-hosting via the corporate T1 line vs. co-location
    d) wtf ???? ummm just run linux+apache d00d !!!!!

    Q: You are a consultant, hired to evaluate the security and efficiency of a small business's server configuration. Your employer, inexperienced with both the technology itself as well as online business in general, has hinted to you that he's not certain how competent his system administrator Simon is. In evaluating the systems, you discover that Simon has misappropriated the server budget to upgrade his desktop system to play Unreal Tournament 2k4, and has left the actual servers themselves equipped with 386s and faulty hard disks. As you were confronting him about this in the server room, he excused himself from the room to fetch "documentation" while his young and pimply-faced apprentice tripped the halon fire extinguishers. What should your reaction be?

    a) Immediately contact the police.
    b) Inform the manager, and urge him to speak with the apprentice's parents about a possible intervention.
    c) Return a favorable report after realizing that you have become tangled with things far larger than you, and never interfere with those servers again.
    d) whats a halon fire

    Q: A company has suffered a break-in. Not having a security professional on-hand, they have turned to you as a forensics consultant to help them assess the damage, identify the point of origin, and take appropriate response measures. What will your first action be?

    a) Request a list of all servers on the network with their operating systems, as well as servers and version numbers.
    b) Unplug the servers.
    c) Inquire if there is any way an employee could have accessed the servers.
    d) Ask your friends on EFNet if they did it.

  • So they're teaching skills. That's not ethics. "Ethical" hacking, if there is such a thing, requires action, not just a skill set. So the ethical part is how you use your skills.
  • by morcheeba ( 260908 ) * on Monday June 28, 2004 @03:24PM (#9553529) Journal
    after the Sept. 11, 2001, attacks on the World Trade Center and the Pentagon, the company expanded its focus to information security courses.

    That makes no sense. I could see them expanding in the wake of some vicious worm or virus, but they might as well take their inspiration from Chechnya. It makes it seem like they are in the business to trade on fear-of-hackers rather than to provide real security. Not that that's a bad marketing angle, but just one I'd have moral issues using.
  • by jrl ( 4989 ) on Monday June 28, 2004 @04:10PM (#9554010)
    For me, the value of a class is not in the test or even the certification at the end. The lasting value is in the knowledge and skill set that you refine and take with you back to your job. I also have made lasting relationships from the classmates, students, and instructors that I've met over the years. All of these mean a lot more to me than the "e-i-e-i-o" at the end of my name.

    I gravitated towards ISECOM's OPST/OPSA classes because they fill a role I felt was missing in the security class space. Many non-vendor specific security classes have a very narrow tools based focus. While I agree that knowing how to use your tools in a test is important, I feel knowing why and when to use them is far more important. Knowing the politics involved in testing, going over internationally accepted testing practices, and reviewing regional and national legal regulations are just as much part of the job. These things are not merely important, but are required to be successful in your role as a security tester. In addition to the intensely technical aspects of the testing process, this is what the OPST represents; the "professional" side of security testing. Also, the ISECOM classes teach from ISECOM's Open Source Security Testing Methodology Manual (OSSTMM) which provides a much needed methodical framework to bring a scientific method style to the chaotic world of security testing.

    The CEH class represents the other kind of class. One that is "flashy", "fun", "exciting", but not overly useful to the serious professional. While I have a lot of respect for Clément (one of the instructors for Intense School), I have very little respect for any organization that markets "hacker" classes. This includes the so-called ethical hacking, applied hacking, exposed hacking, grandmother hacking, squirrel hacking, super-duper 3y3 4m 31337 hacking, or any other fancy way of saying "Learn how to think and act like the bad guys".

    While choosing where to spend your time and money, consider the community you are aligning with. If you look at ISACA, SANS, ISC2, ISECOM, etc., they all have a true dedication to security and the betterment of the global information security community. Contrast the value of being affiliated (via education/certification) with any of those organizations over a piece of paper and a cd of toys.

  • school name (Score:3, Funny)

    by auroran ( 10711 ) on Monday June 28, 2004 @04:35PM (#9554272)
    hmmm i wonder what the school's called
    maybe "0wnz U"?
  • by LuxFX ( 220822 ) on Monday June 28, 2004 @04:41PM (#9554328) Homepage Journal
    'What we attempt to do in our classes is teach how the hackers think.' Hmmm, perhaps 'Certified Script Kiddie' would be a more accurate designation.

    Except then it would be "What we attempt to do in our classes is teach how the script kiddies think." And putting the words "think" and "script kiddie" next to each other like that creates a paradox. Impossible to comprehend, much less teach.
