Comments on: My one day at TRISC

By: Doug Landoll

Doug Landoll — Wed, 26 Sep 2007 03:27:15 +0000

As the author of the “child molestor-to-black hat” opinion let me add to the debate. (To be honest I do see both sides, but debate is fun none-the-less). In the field of security consulting and security testing of corporate systems it is arguably negligent to expose a client’s system to an untrustworthy individual. Yes, everyone makes mistakes, but that doesn’t stop hiring practices such as a) you can’t be a police officer if you have committed a felony b) you can get turned down for a bus driver slot if you have been caught driving druck, or c) you cannot have a job handling money if you have been convicted of embesslement. Such practices are simply a reasonable precaution and a method for increasing the chance that trustworthy individuals are places in trust-needy positions.

As far as sticking an “ex-hacker” in a lab to crank out more exploits, I think they are very well qualified for that position. But if you are a manager or owner of a security consulting practice you need to consider if exposing your clients to a known risk is prudent or defendable.

By: An Information Security Place » Blog Archive » Simple Nomad to talk about fingerprinting IDS/IPS @ IT Security World

Mon, 17 Sep 2007 15:29:21 +0000

[...] more about IDS/IPS evasion and fingerprinting at IT Security World in San Francisco. I wrote about this earlier this year when Simple Nomad presented some of his findings at TRISC. It [...]

By: LonerVamp

LonerVamp — Thu, 17 May 2007 18:23:48 +0000

The child molester-to-black hat is a bit of an extreme comparison.

Honestly, it is accepted that businesses will treat convicted criminals differently, but beyond that, if someone professes to be a black hat in his personal time, that shouldn’t be something he is necessarily judged by.

As for less-than-completely-reputable , you’re right, that’s a lot of talent that could be going to waste (and let’s face it, SOMEONE will snap up talent, including your competitors). But I think the biggest thing is to allow people to change and grow and be less of a villain. We’ve all made mistakes of varying degrees and it just doesn’t sit well with me to say once a hacker (in that awesome negative connotation of the term…ugh) always a hacker. If my parents judged me forever and ever based on my sins as a kid…and so on.

I think our industry is especially sensitive to this since it really takes a mind that knows how to break things to be able to know how to secure them. Can you really secure wireless without knowing how to be bad on a wireless network that you don’t own? That’s arguable, but I really believe (kinda like CTF and other Cyberdefense competitions) that what amounts to field experience goes a long, long way in our area.

Then again, there are those less-than-completely-reputable hackers who will steal from the cupboard when you’re not looking to…buyer beware!