Certified Ethical Hacker via Self Study

ddonzal writes "In his latest column for EH-Net, wireless hacking guru, Dan Hoffman, offers up his experience of attaining the CEH credential (Certified Ethical Hacker). Great read with fantastic advice for budding ethical hackers out there."
  • BS (Score:4, Funny)

    by GrAfFiT ( 802657 ) on Wednesday April 19, 2006 @06:10AM (#15155725) Homepage
    "Certified" ethical hacker sounds to me as bulletproof as Suk Imperial Conditioning..
  • by onion2k ( 203094 ) on Wednesday April 19, 2006 @06:11AM (#15155731) Homepage
    The article, or perhaps the course, neglects to mention anything about the "ethical" side of things. It's all well and good to say you're a "Certified Ethical Hacker", but if no one has quizzed you on the ethics of hacking then how could an employer be sure you actually are one?

    In fact, even if you were questioned about the ethics of hacking, you might lie. An unethical person would.

    So it's just a fancy but ultimately meaningless name then. "Certified Hacker" would suffice.

    But do you really need the word "Certified" on a certificate? Isn't that redundant? It's obvious you're certified if you're brandishing a certificate.

    So you could just as well put "Hacker" instead.

    I don't think many employers want to employ a hacker. They're criminals!

    I don't think I'll be taking this course. ;)
    • There is a delusion regarding ethics that an unethical person cannot pretend to be ethical effectively, that is, when given a question about ethics, they might want to lie, but then they wouldn't know what lie is the "ethical" choice. Most research into ethics is tainted by this and the notion that there is only one true way of ethics.

      In fact, many people are clueless to the fact that the Team Rocket motto starts out with a statement of ethics that Jessie and James stick to, to their detriment as they comm
      • Every now and again, I'm silly enough to think I've seen just about everything - then a post like yours comes along. It's really not every day that I run across someone using Pokemon to describe ethical concepts... to adults.

        Only on slashdot.......
      • >>There is a delusion regarding ethics that an unethical person cannot pretend to be ethical
        >>effectively, that is, when given a question about ethics, they might want to lie, but then
        >>they wouldn't know what lie is the "ethical" choice.

        Probably a result of reading too much classical Greek philosophy. Socrates and Plato considered ethical truths to be self-evident, and as self-evident as other truths. As in, if someone explains to you the meaning of right action, your consciousness will b
        • Therefore, Quake is more for people that do not exist, QED
        • Ethical behavior is much like flocking behavior, in that it is a baseline to ensure everyone cooperates towards common goals. This implies that the individual shares those goals, and to a much greater extent, the individual is afraid of being abandoned. If, in any given moment, their goals are divergent, ethical behavior is unrequired in that moment and could even be detrimental. Even flocking birds have intellect and consciousness, so why do they always follow each other? Fear takes over.

          English: if I
        • ``Socrates and Plato considered ethical truths to be self-evident, and as self-evident as other truths''

          Except Socrates considered no truths to be self-evident except that he did not know any truths. If we assume that the early Platonic dialogues are accurate portrayals of Socrates (which a significant minority of scholars would dispute) then we have a picture of Socrates as a man who did not know what virtue is or if it could be taught and went around critically questioning everyone who claimed that it co

          • Socrates did more than just critically question everything. He actually made statements as well. And self-evident is a tricky word. The question of how something can be self-evident if it didn't occur to us beforehand is a long one, with the short answer what I gave, that one's intellect is illuminated, and one instinctually knows it is right, without necessarily having a logical premise, argument, and conclusion.

            In the case of the Glaucon, Socrates claims that evil acts harm one's own body, so while one can
            • Self-evident has a very simple meaning. It means that if you understand the concept, you immediately see the truth of it. The premier examples of this are the rules of thought: the principle of identity, the principle of negation, the principle of non-contradiction. That self-evident things are not immediately obvious is hardly a huge controversy.

              Second, the Republic is one of the later Socratic dialogues. It is almost universally acknowledged to be putting forth the views of Plato rather than Socrates. T

              • Sure. It's difficult to differentiate the historic Socrates from Plato's character of Socrates. Hence I said Socrates and Plato. Perhaps Socrates/Plato would have been more clear. Some people write it that way, but it always seems awkward to me.

                But even in the dialogues in which he just calls everything into question, you can sometimes draw a conclusion of what Socrates is trying to get at. Even if he doesn't come out and say it.

                The reason I said that they thought it was self-evident was because when one ac
                • ``Sure. It's difficult to differentiate the historic Socrates from Plato's character of Socrates. Hence I said Socrates and Plato.''

                  Except for the most part it isn't all that difficult to distinguish between the two. On some points, yes, but on most things, it's pretty easy to see where Plato's idealism is being shoehorned into Socrates' mouth. The usual convention is to ``Plato's Socrates'' or ``Plato's characterization of Socrates'' when referring to Plato's depiction of Socrates in his later dialogues,
      • ``Most research into ethics is tainted by this and the notion that there is only one true way of ethics.''

        I have to question just how familiar with the field of ethics you are. Most ethicists understand that there are multiple families of ethical theories. A brief introductory class to ethics will most likely introduce one to ethical theories based on individual virtue (think classical theories such as Aristotle), deontology (duty ethics epitomized by Kant), consequences of actions (such as various forms of ut

        • There are two groups of ethical research: Ethics as a philosophy and ethics as people implement it in the real world. The first group is more aware of multiple ethics systems than the latter.
          • Pick up any book on applied ethics, whether on the ethics of medicine or business practices or law or personal relationships, and the vast majority will acknowledge multiple ethical systems. Or you can attend any seminar on ethics for just about any industry and get the same results. If you attend a decent university, regardless of your major you will also have to take at least one course on ethics that discusses various ethical systems.
    • > In fact, even if you were questioned about the ethics of hacking, you might lie. An unethical person would.

      Does anyone else find it funny that the line running at the bottom of /. right now is "There is one way to find out if a man is honest -- ask him. If he says 'Yes' you know he is crooked." -- Groucho Marx?
  • Is to not become certified at it, on the grounds that it circumscribes your ethics.
  • by Opportunist ( 166417 ) on Wednesday April 19, 2006 @07:04AM (#15155838)
    You could just as well create a course of "ethical business". Yeah, sure, you could teach the ethics of business. Whether people apply it or not is up to them. Not something that's under your control.

    Don't get me wrong, teaching information is by default never wrong. Knowledge is power. Information is necessary to keep up the fight against the black hats. To abuse the quote from a different group, if information is outlawed, only outlaws will have it.

    But I doubt that you can teach or even "certify" ethics. You have them, or you don't.
    • by MaestroSartori ( 146297 ) on Wednesday April 19, 2006 @07:31AM (#15155909) Homepage
      You have them, or you don't.

      Ethics are not always absolute. Whether an action is ethical or not can depend on context, personal beliefs and so on. You can debate ethics as part of a course of education, or as regards a particular area of life.

      For instance, you might say it is unethical to hack someone's computer without their knowledge. But if the ethical hacker in question works for a law enforcement agency, and is performing the hack legally with all the relevant oversight in order to gain evidence of or to prevent an illegal act, then you could argue whether it's ethical or not.

      You were more correct at the start of your post when you said whether people apply their skills ethically or not is up to them. That's the real issue here - just doing a course in ethical hacking means that the person presumably has knowledge of the ethics issues involved. It doesn't tell you a thing about what they personally believe, or will do with their new-found hacking skill...
      • Ethics are not always absolute.

        That is exactly what's wrong with "certifying" someone as an "ethical" anything. Ethics are completely subjective, and if my personal ethics dictate that such things are okay to do I could be the standard Hollywood identity thief/virus spreader/nuke launcher and still happily and honestly call myself an "ethical hacker."

    • I know how to use nmap - it's got a man page, if your employer or its thicko HR rep (that needs a certificate) to say "I CAN USE NMAP!!!!" then how ethical is that HR rep, and company.

      An ethical con? Like you say - ethical hackers can go unethical - so how ethical is an ethical hacker? Was Dan Cuthbert (google it) an unethical hacker because he didn't have a certificate?

    • teaching information is by default never wrong.

      You're kidding, right?

      So you think that, for instance, Ken Alibek should publicize his anthrax formula for all to see?
      • I've already had one visit by the MiB and don't care to see a repeat performance. But I do think it's safe for me to observe that the more people who understand how weaponized Anthrax actually works, the more secure we are against Anthrax attacks in the future. Just like flight 93, once the passengers were aware of what was actually happening, they brought the flight down and most likely saved hundreds if not thousands of lives. If people had not been brainwashed into just sitting back and letting hijackers
      • Yes. What harm would it do? Those who really want it and also have the means to create it already have it anyway.

        Security by obscurity doesn't work. Someone WILL find it out. And the chances are good that it's more likely to be a "bad" person than a "good" one.

        So what is gained by obscuring information?
        • Okay. So you've no qualms in giving me your CC #, expiry date, full name (as it is on the card), name & 800 # for the issuing bank, the cvv code, the address, your mother's maiden name, your full bank account number, your ssn, and all other pertinent identifying info that bureaucratically describes _you_ ..

          Thanks! :)
          • The formula for anthrax cannot do damage, it can only do damage when manufactured, at which point it becomes a threat. You clearly already have the formula to commit credit card fraud, but you are asking him to provide you with the remaining pieces that would convert mere knowledge into an actual threat. He did not advocate giving manufactured anthrax to people, only that suppressing the formula is a security-by-obscurity strategy.
            • His CC info in my hands won't do any damage. No, really. I //promise// not to use it!
              • If you're trying to make a point, you're doing a poor job of it. A recipe for anthrax cannot be used to victimize someone without an intermediary manufacturing step. CC info can be directly used to victimize someone.

                Think about it this way. You want something from somebody. If you threaten them by saying you have their CC info, they are going to need to take action to prevent you from making use of it, which you could do at any time. If you threaten someone with a recipe for anthrax, they laugh and t

    • You argued that you doubted it is possible to ``teach or even "certify" ethics.'' But how would teaching ethics be any different than any other applied field? For example, you can teach the vast majority of people to understand musical theory, but then it is up to the individual to practice a particular instrument to proficiency. But even then, that proficiency can be measured. Ethics can be taught in the same way by teaching one or more ethical theories and then putting the students into situations that test t
    • They are using the term "ethical" to mean "authorized" or "white hat" style hacking, which is unfortunate.

      I teach a course in network security and at times we do talk about vulnerabilities and how to break systems, but I don't teach ethics. I tell students in no uncertain terms that they can use the penetration techniques they learn in class only on systems they own or have authorized, written permission to attack. There is no gray area.
      • You're right to just draw the line and make it clear what's usually acceptable. After all, as you say, it's not an ethics course.

        Still, it would be interesting to see a discussion of computer/hacker ethics - anyone can artificially construct a grey area where hacking without permission saves lives, or examine the legal theory that establishes where the line will be drawn, or talk about why privacy and security are important. And because it's a microcosm of the larger universe of ethics, it would be a genu
    • But I doubt that you can teach or even "certify" ethics. You have them, or you don't.

      In a manner of speaking, everyone has ethics but they're not always the same.

      For example, Bill Clinton's ethics allow him to cheat on his wife. George Bush's ethics allow him to wage an unnecessary war in Iraq. My ethics have allowed me to do things that some people may find unethical.

  • by Anonymous Coward
    SANS offers a number of its tracks (including the "Incidents Handling" track which is close to CEH) as self study with GIAC certification. You either can do plain "self study" where you get the books, or they offer an "@Home" program where you attend classes online.
  • CISSP (Score:3, Insightful)

    by farker haiku ( 883529 ) on Wednesday April 19, 2006 @09:17AM (#15156272) Journal
    - Background Check - For the CISSP, you actually need to prove that you have experience in the various security domains and a form needs to be signed by either another CISSP or an officer in the company for which you work, in order to actually get the certification. I believe EC-Council should also implement a more formal means to verify the integrity of the individuals seeking the CEH.

    Yeah, I guess I'll bring it up here, but what the hell? How do you get into the security field if you can't get the certification the field requires? Anyone know a CISSP in the Missouri area who can sign a letter for me? I just want to take the freaking test.
  • by Anonymous Coward
  • I took the Computer Hacking Forensics Investigator class from Haja Mohideen, the author of the EC-Council books, and he is from Singapore and his second (or third) language is English. I agree that the books are a little confusing; however, when taught by the author they make a lot of sense. Haja knows his stuff and I recommend taking any class taught by him. I am considering the self study guide for the Certified Ethical Hacker cert; however, I am going to focus on Security+ for now. It is very important tha
