I had a good time at TRISC yesterday. It was cool to meet up with Martin and Cutaway again. We had a good time in just the short time we got to hang out, and we even managed to record a couple of videos for Podtech.
There were some interesting talks yesterday. One highlight of the day was meeting Mark Loveless, a.k.a. Simple Nomad. Martin has met him and interviewed him before, so he introduced me. He had an interesting talk and quick demo on techniques for evading IDS / IPS systems. It was really cool hearing about his attempts at fingerprinting IDS / IPS systems.
There was also a pretty cool talk about translating vulnerability assessments by Doug Landoll. The questions during and after his talk really highlighted how people still don’t know the difference between a vulnerability assessment and a risk assessment and a gap analysis. That still amazes me.
After Doug’s talk, he stopped me in the hall to ask me what I thought about the Certified Ethical Hacker certification. I expressed some disdain for the cert by a sour look on my face, and he quickly agreed with my opinion. But it turns out that our dislike for the cert was coming from different angles. I don’t like it because I don’t like the furthering of the negative definition of the term “hacker”. He doesn’t like it because he doesn’t want to introduce anyone to a client that has the term “hacker” associated with them. He realized that the term had been hijacked, but he was looking at it from the aspect of the CEO / CFO who didn’t know any better. I can see where he is coming from because that term can negatively affect business. But I also think it is incumbent upon us who really know what a hacker is supposed to be to help make the term a positive one again. Doug and I also had some disagreement about whether or not companies should hire less-than-completely-reputable hackers because of their skills. He made good points (like letting ex-child molesters watch your kids – good one Doug), but I still think that much talent is bad to waste. And child molesters are sick, twisted people. Black and gray hats aren’t mentally ill by definition.
About my talk, I think it went really well. It furthered my suspicions that a lot of people have no idea what blogs can do for them when it comes to gathering useful information. Almost all of the group (about 25 people – small conference) did not read blogs. Amazing.
Anyway, I will post some more stuff about my talk later. I have some meetings to go to.
Vet

As the author of the “child molester-to-black hat” opinion let me add to the debate. (To be honest I do see both sides, but debate is fun nonetheless). In the field of security consulting and security testing of corporate systems it is arguably negligent to expose a client’s system to an untrustworthy individual. Yes, everyone makes mistakes, but that doesn’t stop hiring practices such as a) you can’t be a police officer if you have committed a felony b) you can get turned down for a bus driver slot if you have been caught driving drunk, or c) you cannot have a job handling money if you have been convicted of embezzlement. Such practices are simply a reasonable precaution and a method for increasing the chance that trustworthy individuals are placed in trust-needy positions.
As far as sticking an “ex-hacker” in a lab to crank out more exploits, I think they are very well qualified for that position. But if you are a manager or owner of a security consulting practice you need to consider if exposing your clients to a known risk is prudent or defendable.
The child molester-to-black hat is a bit of an extreme comparison.
Honestly, it is accepted that businesses will treat convicted criminals differently, but beyond that, if someone professes to be a black hat in his personal time, that shouldn’t be something he is necessarily judged by.
As for less-than-completely-reputable, you’re right, that’s a lot of talent that could be going to waste (and let’s face it, SOMEONE will snap up talent, including your competitors). But I think the biggest thing is to allow people to change and grow and be less of a villain. We’ve all made mistakes of varying degrees and it just doesn’t sit well with me to say once a hacker (in that awesome negative connotation of the term…ugh) always a hacker. If my parents judged me forever and ever based on my sins as a kid…and so on.
I think our industry is especially sensitive to this since it really takes a mind that knows how to break things to be able to know how to secure them. Can you really secure wireless without knowing how to be bad on a wireless network that you don’t own? That’s arguable, but I really believe (kinda like CTF and other Cyberdefense competitions) that what amounts to field experience goes a long, long way in our area.
Then again, there are those less-than-completely-reputable hackers who will steal from the cupboard when you’re not looking to…buyer beware!