Hacker Boot Camp

abb_road writes "Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.' The camp serves companies' increasing needs for home-grown white hats, and covers topics ranging from the non-technical (social engineering and policy creation) to code-level attacks (buffer overflows and SQL injections). The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'--but where else can you play hacking capture the flag?"
  • Hmm? (Score:5, Funny)

    by SirTalon42 ( 751509 ) on Tuesday April 04, 2006 @02:03PM (#15059937)
    "but where else can you play hacking capture the flag?"

    The internet, like all the other hackers are already doing?
    • Defcon? Anyone? Anyone......
    • how completely useless. if you want to be a hacker, you go learn how to be a hacker on your own, on the internets. if you have to go to a school for it, you probably weren't meant to hack into much of anything in the first place.
      • you might know exactly what you're doing, but without a certification, most employers won't know that and you have no proof.

        and plus the whole thing prevents you from having to risk getting a criminal record during your "practise".
      • If my employer would give me a week to hang out at the house and tinker/learn then I'd be all over it, but they won't. They will however send me to training wherein I'll be out of town and the majority of my duties will be delegated so I can learn on my own without much distraction. Works for me.
    • defcon is definitely a lot cheaper.. and probably better education.
    • Defcon (Score:5, Insightful)

      by evenprime ( 324363 ) on Tuesday April 04, 2006 @02:32PM (#15060233) Homepage Journal
      You can play at defcon, but the level of the competition would probably be a bit intimidating for people who attend a boot camp.
      • Re:Defcon (Score:3, Interesting)

        by Zeinfeld ( 263942 )
        You can play at defcon, but the level of the competition would probably be a bit intimidating for people who attend a boot camp.

        Most people attending the course would not know that you have to prepare for DEFCON by imaging your hard drive, then reimage the machine and flash the BIOS when you return. When I go to BlackHat I draw an old machine that has been decommissioned.

        $4,300 is the going rate for training, if anything slightly low. You can find all the information on the Web but only if you know what

  • I didn't see anywhere that mentioned any kind of entry requirements to get on the program, hopefully they will require company sponsorship to get on the course or else anyone that can get together the cash can learn these techniques.

    I for one would prefer not to welcome our script kiddie / real hacker overlords.
    • From the Article
      They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill. For more sophisticated classes there are background and criminal checks.
    • by 0racle ( 667029 ) on Tuesday April 04, 2006 @02:35PM (#15060259)
      Anyone can learn these tricks at any time anywhere. They don't need to go to a school to find them. If you think someone going to a boot camp is going to become some 1337 h4x0r, well you might as well also start advocating destroying the internet.
      • My concern is more along the lines of what they think they have learnt, yes I already know my networks are basically secure I know breaking into my networks is going to get most people prison time (DoD), however, I don't want the people going on these course to think they know something and start attempting to break into my networks and end up throwing packets at my networks causing me to have to spend even more time assessing for real threats, hence my original statement "script kiddies / real hacker".

        Thin
        • And again, there are kids doing that right now with information they learned for free by using Google. Should we start making it so that you can only use Google if they have a corporate sponsor?

          My entire point is some boot camp isn't going to create a monster that knows or thinks they know things. All they are doing is passing on freely available information and a sheet of paper to those silly enough to pay for it.
      • by dr_dank ( 472072 ) on Tuesday April 04, 2006 @02:50PM (#15060408) Homepage Journal
        Anyone can learn these tricks at any time anywhere. They don't need to go to a school to find them.

        Agreed. I'm about to cost these bastards lots of money by giving away their secrets. Gang, listen closely. First, watch the film Hackers a few times and try to dress as they do. Nothing shows up a non-hacker faster than one out of uniform.

        Next, install any CLI-based OS. DOS, Linux, doesn't matter.

        Now that you have a command prompt (with the blinking cursor, nothing else will do), you can hack anything! Type in a command like "reroute airtraffic > Boise" and watch all of those jets turn around. Steal the latest hollywood flick with "download harrypotter.movie now" Want to make your idiot neighbors power blink in and out, spelling "I am t3h fag0rz" in morse code? Go right ahead. You're only limited by your imagination.

        DISCLAIMER: I am not responsible for the misuse of the preceding information.
    • Instead of going with that company I would recommend either EC-Council [eccouncil.org] or Vigilar/IntenseSchools [vigilar.com] for your CEH training needs.

      I attended Vigilar's CISSP Boot Camp (Larry Greenblatt was the instructor) and had a very good experience. Passed the test the first time. They strictly adhere to the Code of Ethics of the various certification organizations and their NDAs. They will not tell you what's on the test like certain MS training camps.

  • by XorNand ( 517466 ) * on Tuesday April 04, 2006 @02:05PM (#15059949)
    Is it just me, or does the very name "certified ethical hacker" seem like an utterly stupid, attention-whoring term? It reminds me of the kids who hang out on IRC asking "How do I hack someone's computer if I have their IP address?". People don't go to "certified ethical arsonists" bootcamps, they study fire science at an accredited school.

    It sounds like this bootcamp just teaches people a handful of tricks that can be used to impress hiring managers. (Mentioned in the article: The default MS SQL login is "sa" with no password. Well, that tidbit is not going to do you much good if you're assessing any version of SQL Server released within the past six years.) Do they explain the difference between a frame, packet, and datagram? All specifics and no theory.
  • by American AC in Paris ( 230456 ) * on Tuesday April 04, 2006 @02:05PM (#15059958) Homepage
    While "Institute of Certified E-Commerce Consultants" has a nice ring to it, it's a little ambiguous.

    I recommend they switch to "Important-Sounding Portal Site of Certified E-Clipart and Buzzwords". Gah. That site isn't just an eyesore; it's a brainsore. Basically, you send them money, they send you off to a third-party training course, throw you in a database and give you some logos and certificates with important-sounding words. Oh, and you'll be certified. It'll take your resume to the next level (where, presumably, we can find our princess.)

    Ah, but now to the meat of the matter--the legal disclaimer!

    l) Educational Licenses, Accreditation, and State Sanction. The ICECC does not claim to be a college or university nor does it claim accreditation from any 501 bodies, state, or federal government agency or body. The ICECC is not a 501c3 organization and never has claimed to be a tax free or charitable entity. The ICECC may engage in business with charitable organizations or form alliances with charities that operate under 501 but the ICECC operates as a responsible, growing, proprietary, growth oriented, and profit oriented association and company. The ICECC is an independent authority similar to other American Associations. The ICECC grants certificates, certifications, marks, designations, and charters much like hundreds of other legal educational and recognition institutes or associations in the United States. The ICECC strictly follows the criteria of the Ibanez decision in the United States. We encourage all members and certified members to meet all requirements for education, experience, testing, ethics, and continuing education. The ICECC licenses its marks and logos to others. The marks are generally licensed to individuals. The ICECC will license the CEC and other marks and logos to companies, universities, or other uses upon the consent of its board. The ICECC outsources to other companies for training and education that is provided online. The ICECC does not collect money for the courses, provide the service, teach the class, enter into a contract with the student. The company providing the education and training is simply using our site as a distribution point. The ICECC may receive a referral fee, rebate, revenue share, or other payments for providing the website that afforded the sale of the service to the customer. In sum, you accept that we are not responsible for the performance of any education or training contract. 
We do not hold any of your private information that you submitted to the training, course, or education provider although directory information may be exchanged. This information is limited to email address, phone number, name, employer, educational degrees and background. [emphasis mine]

    Makes ya feel all edjumicated already, dunnit?

    Of course, all the above is moot; it fails the sniff test (twice, no less!) on its home page:

    Don't forget to bookmark us! (CTRL-D)

    Trust me, I didn't forget.

    ...as for the course itself, it seems to be little more than a rote lesson in exploiting commonly known weaknesses, such as default passwords and poorly-configured servers. From the BusinessWeek article:

    ALARMING LAPSES. And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.

    It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successful

  • 4 Grand? (Score:5, Insightful)

    by hairykrishna ( 740240 ) on Tuesday April 04, 2006 @02:05PM (#15059965)
    4 grand for that? I wouldn't classify that as 'ethical'!
  • That doesn't differ from my daily routine anyways. Why pay 4300 for something I already do for free over the summer?
  • ...you pay tons of money to get a piece of paper that lets you join a club.

    Higher education is just another form of hazing. You say that you've read the assignment, (the teacher) says "Fuck you, prove it!". --David Mamet
    • Uh huh. While potentially possible, I don't think it would be an easy feat to teach yourself computational fluid dynamics or all of the other stuff in the aerospace field. As with all education, the quality of the instructors makes quite a difference. I certainly am glad I had help getting started in linux. I could have figured it all out on my own, eventually. But having someone point me in the right direction was a good thing.
  • "Certification"?? (Score:3, Insightful)

    by ktappe ( 747125 ) on Tuesday April 04, 2006 @02:08PM (#15059991)
    1. $4300 isn't chump change--someone is making a bundle on this.

    2. Who out there is going to accredit this "certification" to be sure it's worth more than the paper it's printed on?

    3. Isn't one of the fundamental concepts of "hacking" to be anti-establishment? To break the rules and sock it to the man? Getting certified is about as establishment as you can get.

    -Kurt

  • ...is whether they had to shave their heads or were subject to violent hazing. Doesn't seem like boot camp otherwise.
    • or were subject to violent hazing
      There is almost none of that, if any, in the military- I never saw any. All you are showing with that statement is that your knowledge of the military comes entirely from Full Metal Jacket...
      That being said,
      Marines go to boot camp, everyone else goes to Basic. Reminds me of a girl at work who always talks about her "cardio bootcamp" and how hardcore she is. I explained to her that when I went through Basic, it was a bit more than putting on spandex for two hours three da
      • Marines go to boot camp, everyone else goes to Basic

        Not when I was in Uncle Sam's Navy it wasn't. It was Boot Camp, pure and simple. The USMC boot camp is the hardest physically, the USN's the hardest mentally. Maybe that's why the other branches just have Basic Training instead of Boot Camp.

  • by blue_adept ( 40915 ) on Tuesday April 04, 2006 @02:11PM (#15060020)
    you spend a week learning all the "Secret Ninja Moves" and when you're done, you're a real life ninja. ... right? r-right?
  • by Pedrito ( 94783 ) on Tuesday April 04, 2006 @02:11PM (#15060026)
    Sorry, but people can't really learn ethics in a 5 day camp. Ethics begin at home and in early childhood. It comes from the people who raise you and the people you're around as you grow. A 5 day camp is going to have absolutely no impact on your ethics. By the time you're old enough to go to a hacker camp, your ethics (or lack thereof) are firmly established. 5 days of camp is simply going to give them some new skillz to use ethically or unethically.
    • "Sorry, but people can't really learn ethics in a 5 day camp. Ethics begin at home and in early childhood. It comes from the people who raise you and the people you're around as you grow."

      So, let me see if I understand what you're saying: If a teacher makes a list of situations that are both ethical and non-ethical, and teaches his pupil which is right and which is wrong, this will have absolutely no effect...? Are you sure you're not over-generalizing here?
      • If someone has the intelligence and skill to be able to hack effectively, it's very unlikely that they'll be terribly influenced by a "teacher" that they more than likely don't respect.
    • 5 days of camp is simply going to give them some new skillz to use ethically or unethically.

      I started off thinking I would disagree with you, but by the end, I find I agree 100%.

      I would just add one point to what you wrote...

      Ethics depends heavily on situation as well as background. In some situations "ethics" means "follow the law", in others it means "screw the law, do the right thing", and in still others it means picking the least unethical course of action from a whole range of shady options.

      O
    • It sounds to me like the course assumes you bring good ethics to it. It's not about learning ethics. It's for learning about security vulnerabilities by exploiting them. The idea is that the pupils then can go out and test their own networks or those of a client with what they learned, as a service. They title it ethical hacking because it is to be done with the permission of the victim in the interest of finding and subsequently eliminating potential security holes. If someone came to the class with ill in
  • and all those popups will read - get your ethical hacking certificate for 2k! Just click on the monkey - I did!
  • "a classroom full of middle-aged high-tech system administrators." If they get their company to send them to hacking school for a day, they have more free time for pr0n in the evenings! Brilliant.
  • The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'


    Reservations for the State Correctional Facilities maybe ?
  • ReBoot Camp (Score:5, Funny)

    by digitaldc ( 879047 ) * on Tuesday April 04, 2006 @02:13PM (#15060038)
    Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.'

    As opposed to the 'Unethical Hacker Certification' where companies pay you $43,000.00 or more to stop disabling their websites.
  • Heh (Score:5, Funny)

    by JavaLord ( 680960 ) on Tuesday April 04, 2006 @02:15PM (#15060058) Journal
    From the article:

    you know that site is vulnerable to a technique of stealing database contents called "sequel injection."

    Is this an attack based on the recent star wars trilogy? Someone should inform the author it's still written "SQL injection" despite how it sounds.
    • by digitaldc ( 879047 ) * on Tuesday April 04, 2006 @02:20PM (#15060115)
      Is this an attack based on the recent star wars trilogy?

      Yes, I believe the famous last words were, 'It's a trap!'
    • I knew I wouldn't be the only one to catch this. What a dumbass. This cat should've been prevented from taking the course as a matter of principle.

    • Someone should inform the author it's still written "SQL injection" despite how it sounds.

      And yet when people pronounce SQL 'sequel' it makes my skin crawl. I'm usually not particular about how people pronounce acronyms, but for some reason whenever I hear that I immediately jump to the conclusion that the speaker is an idiot. Not a true assertion, I know, but I can't shake the feeling.
  • companies like his screen candidates carefully. They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill.
    Or, they could be a reporter who just wants to write a cool story and maybe detail a few of the hacks that "an English major who hasn't written a line of code since third grade" can do. You know, just in case some of his readers can't afford the class, but really want to be ethical hackers. It's all cool.
  • by __aaclcg7560 ( 824291 ) on Tuesday April 04, 2006 @02:18PM (#15060104)
    The new paper MSCE certification for the 21st century.
  • Wouldn't this be like wearing a "Certified Trained Sexual Dynamo Boyfriend" t-shirt into a singles bar. A little too nerdy for me.
  • by Malor ( 3658 ) on Tuesday April 04, 2006 @02:26PM (#15060166) Journal
    A more accurate label would be "Five Day Script Kiddie Class".

  • Having just attended a SANS class [sans.org] (one week, tons of fun, learned a boatload), I would highly recommend them. Not everything there is available on the web (well, sort of, but the stories from the storm center certainly aren't). The course I took was taught by Ed Skoudis, easily one of the best lecturers I have ever seen. At the end, yes, we got to play capture the flag.
  • by Anonymous Coward
    Some hackers have actually died at boot camp when the staff tried to beat the ethics into uncooperative programmers.
  • by wjcofkc ( 964165 ) on Tuesday April 04, 2006 @02:30PM (#15060210)
    AOL has some chat rooms with hundreds of the very best hackers in the whole wide world answering questions and handing out all kinds of scripts 24/7. You have to be very smart and a real hacker to run a script from an AOL hacker chatroom.
  • SANS (Score:3, Insightful)

    by DaPh00z ( 840056 ) * on Tuesday April 04, 2006 @02:31PM (#15060227)
    This appears to be similar to the highly regarded SANS GIAC Certified Incident Handler (GCIH) Course, SEC-504: Hacker Techniques, Exploits & Incident Handling [giac.org], which I attended a while back. The SANS course was excellent and is often taught by Ed Skoudis. It's challenging, but also very worthwhile. They cover how to create an Incident Handling team and then launch into Reconnaissance, Scanning, Exploits, Keeping Access, and Covering Your Tracks. It would take too long to list out all of the different tools and tactics that they covered, but it's pretty comprehensive.
    It's a great course, and I highly recommend it to anyone involved in computer security. The insight into how attackers target, gather information, compromise, and maintain access on systems has been invaluable in understanding how to then try and close the holes and mitigate the risks. You'll never be 100% invulnerable on a machine or network that you actually use for anything, but if you know how to think like an attacker and what the current tools are capable of, then you'll be able to fix most of it.
  • As a reformed "script kiddie", who once ran havoc on your servers back in the 90's (sorry about that by the way) I must tell you that stories like this make me laugh. In my experience, the essence of all "hacking" is the same: the pursuit of an answer to a question.

    Eventually, I discovered that the "real" hackers grew up and got "real" jobs, so I did the same. However, like most hardcore IT people I know (not the MCSE morons), this inquisitive nature still lies at the heart of...well...me (whatever that i

    • Sorry, but that's just a little bit elitist. I agree that real life experience in anything makes you more knowledgeable than just reading books. But everyone has to start somewhere.

      People who get on the bandwagon early are not necessarily better than people who get on the same bandwagon later. And by the time the later people get on, some of the people who got on early have written books, allowing the latecomers to benefit from their knowledge, get a jump start, and hopefully expand the overall knowledge
  • by Rob T Firefly ( 844560 ) on Tuesday April 04, 2006 @02:35PM (#15060256) Homepage Journal
    For the paltry sum of only $1000US, I'll send you a genuine Certificate of Ethical Hacking, Keytar Playing, and Being Good To Your Mom.

    I'll even load my ink-jet printer with the impressive expensive paper.
  • Not to stray too far off topic, but didn't all this 'boot camp' crap start when cable channels like Discovery began airing stuff like this [discovery.com] and 30yo adolescents far and wide thought that one Hell Week of any sort and they could be Authorized Bad-Ass Certified Hacker Ninjas?

    "Yeah (sniff), I coulda been a F-16 pilot, but I couldn't pass the vision screening, so I became an MCSE instead."

  • The only reason why you would spend this amount of money to obtain a cert. is because you are not qualified/knowledgeable enough to pass it in the first place.

    If you really knew what you were doing, you would pay the $250 to take the test (http://www.eccouncil.org/312-50.htm [eccouncil.org]) and be able to pass either on your own accord, or with the help of books or freely available study guides.

    Anything more than a few hours of your time and some decently written books is a waste of money.
  • Basically this creates a job security option in the field of hacking, which definitely is not a stable employment environment currently.

    Otherwise, the training could be a prelude to the rise of corporate hacking warfare: corporate to corporate hacking. Basically just because you took white hat training doesn't mean you can't use those skills in a black hat environment against other companies. White hat or black hat, the temptation to hack other systems (just not your company's) is great cause hacking is a

  • Been there done that (Score:5, Informative)

    by codepunk ( 167897 ) on Tuesday April 04, 2006 @02:40PM (#15060313)
    I have been to it, the courseware is fairly extensive but was boring nonetheless. I cannot see much of the slashdot crowd getting much from it, just a rehash of common knowledge tools and techniques that we pretty much have all heard of.

    Now I was stuck in a room full of MS and MCSE zombies who did not know the difference between a TCP and UDP packet. Just listening to the students talk I could feel the grey matter being sucked from my head....sort of like a high school student sitting in on a first grade class.
    • I'm curious, making a horribly wild assumption that you know your stuff fairly well based on your low UID...what made you decide to take this course? I guess to put it bluntly (but please don't take this the wrong way), I'm wondering why you decided to pay $4k for a class that seems like somewhat of a joke. I mean...if it was at your employer's expense, then hey, why not...but I'm just sayin...

      But I really am curious as to your reason for taking it in the first place.

  • The author states himself in TFA that he has no programming experience since the 3rd grade. Therefore, can this really be considered "hacker" camp?

    In addition, the teacher showed the class SQL injection techniques, etc. However, wouldn't their time be better spent learning penetration testing techniques and how to use certain applications like Nessus? I don't see how learning how to package "Beast" with a screensaver really teaches anyone anything worth over 4 thousand dollars.
  • by TechnoGuyRob ( 926031 ) on Tuesday April 04, 2006 @02:46PM (#15060358) Homepage
    I am a systems administrator at www.hackthissite.org [hackthissite.org] (HTS), and at HTS, we intend to do just what this camp intends to--but for a nice sum of $0.

    Although we are currently working on a new version of the site (dubbed "HTSv4"), the current place still has plenty of opportunities to gain knowledge in (ethical and legal) areas of computer security, such as XSS injection, SQL injection, buffer overflows, programming, and countless of other topics--all through personal experience with the "missions" on the site.

    I think it is very important for people who are going into computer development of any kind to be aware of these issues. Personal experience and skill in computer security can only be beneficial, and will teach one to code applications that are capable of defense from outside intrusion.
    • I forgot to mention: hacking "capture the flag", as the article calls it, is our equivalent of Root This Box [rootthisbox.org], a competition aimed at controlling a "box" (system) for the longest amount of time through various exploitation means, most of which go beyond the topics covered in the "boot camp."
    • That's all well and good, but your pitiful techniques pale in comparison to your competitor's awesome sequel injection technique: a technique so advanced that no one has ever heard of it before!

      I'm sorry, I can't believe you're legit until you can manage to impress a techno-illiterate English major reporter with your l33t skillz.
  • "but where else can you play hacking capture the flag?"

    for the price of tuition you and a friend could buy some serious hardware and go at each other.
  • NT350 at Herzing (Score:4, Interesting)

    by RingDev ( 879105 ) on Tuesday April 04, 2006 @03:02PM (#15060522) Homepage Journal
    My NT350 class at Herzing School of Technology (a traditional brick and mortar tech school with a new online branch) taught by Curt Gibeau (sp?) was like this. Only my tuition was $1200 I think, and the course was 16 three hour night classes. We were broken into groups (2-3 net-workers and 1 programmer in each group). Each group was given standard enterprise requirements (AD, email, file storage, database, web server, client machine). We could use what ever OSs and software packages we liked, and we could run up to 5 machines. Over the course of the class we went over security theory and specifics for demonstrations, and then we would break into groups to work on building and securing our group enterprises.

    In the end we didn't have quite as much attack time as we had hoped, and a lot of vectors were blocked off because we all knew we were going to be attacked and there was no real life activity on the networks. So everyone was scrounging each other's networks for any mistakes or missed patches. Some people had honey pots, some people hosted exploiting web pages, but for the most part, there was little damage. But we all learned a lot about securing networks and servers, and different ways to minimize risks.

    All in all, definitely a class that was worth taking. I would recommend it to anyone in range of a Herzing campus, but the Teacher I had is no longer teaching (he's a full time network admin for the school now) and I have no idea how the class is arranged any more.

    -Rick
  • I took the class (Score:3, Informative)

    by Salo2112 ( 628590 ) on Tuesday April 04, 2006 @04:18PM (#15061141)
    It wasn't a 5 day 8-hour a day class. It was 12 days from 0800 to 2100(ish) hours with a few breaks during the day.

    It was a chance to play with a lot of nasty stuff on machines that were there for the purpose of breaking in a controlled environment.

    The biggest positive was that someone sent two PHBs to the class to see if it was worth sending techs - they got to see first hand what was out there, what the risks were and ways to help their guys secure their networks. Nothing like people seeing for themselves what their staff is up against.
  • Ok, but first I need to leverage my botnet to extort the money I need for the price of admission.
  • I hate these classes (Score:3, Interesting)

    by Jaime2 ( 824950 ) on Tuesday April 04, 2006 @07:42PM (#15062424)
    I worked at a training center through the whole dot-com bubble and up until recently. We had a ton of security classes, some of them excellent. However, anything with the term "hacker" was easier to sell. The students had a lot of fun, but they really didn't learn as much as with a more traditional approach. In the first generation of these classes they learned stuff like ping-of-death. For those who don't know, it's a tool that won't work on anything that's been invented after or patched since 1996. The students got to crash a horribly managed system, but gained no useful skills doing so.

    From the article -- in the first half day ($500 of his tuition), the reporter learned how to "hack" into a database that was completely unsecured. If the admin had even bothered to apply SQL Server service pack 3 (released two years ago), it would have warned him of the problem and forced him to fix it. The admin would also have to make a second horrible mistake of opening port 1433 to the Internet.

    How would this lesson help the student secure his own network? If his SQL admins are leaving sa's password blank, they should be fired, not trained. As for the SQL injection stuff -- I teach every one of my web development students about it when we learn about connecting to databases. Teaching the security guy about it is STUPID. Do you teach your kids to lock the house, or do you hire a home security service to come and lock it every time you leave? SQL injection needs to be dealt with at the point of the problem -- so does database management and every other problem addressed in these courses.

    Network security professionals should be learning about reducing attack surfaces and implementing security policies. They should learn how to defend against the problems of 2007, not 2005. All these "ethical hacker" classes do is scare the uninformed and provide a week long vacation for hard-core techies.

    Another interesting side-effect of these classes is that students generally learn about technologies that have common problems. It's highly unlikely that a "certified ethical hacker" has experience with two-factor authentication, L2TP vpns, or Kerberos. But hey, they know how to crack an FTP server!!!! I'm going to hire one of these guys right now to fix my network.
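    The point above about dealing with SQL injection "at the point of the problem" (the application code that builds the query), shown as an added example that is not from the article, the course, or any commenter here: the same login lookup written by string concatenation and then with driver placeholders. It uses an in-memory SQLite table as a stand-in for the SQL Server database in the article; the table, its rows and the probe input are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table standing in for the
    'fictional bank' database the article's reporter was pointed at."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "correct-horse", "4111-1111-1111-1111"),
            ("bob", "hunter2", "5500-0000-0000-0004"),
        ],
    )
    return conn


def login_vulnerable(conn, name, pw):
    """The defect the course demonstrates: user input is pasted into the
    statement text, so a quote character in the input rewrites the query."""
    sql = "SELECT name, card FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, pw):
    """The fix at the point of the problem: placeholders send the values
    separately from the statement, so input can only ever be compared as data
    and can never change the query's structure."""
    sql = "SELECT name, card FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchall()


def compare(name, pw):
    """Run both versions against a fresh table and report how many rows each
    returns; a defender expects the parameterized count to be 0 or 1 only."""
    conn = make_db()
    return {
        "vulnerable": len(login_vulnerable(conn, name, pw)),
        "parameterized": len(login_parameterized(conn, name, pw)),
    }


if __name__ == "__main__":
    # Normal credentials: both versions return exactly one row.
    print("valid login:", compare("alice", "correct-horse"))
    # Constructed probe input containing a quote: the concatenated version
    # returns every row in the table, the parameterized version returns none.
    print("quote in input:", compare("alice", "x' OR '1'='1"))
```

    The second call shows what "forcing the fix at the point of the problem" buys: the parameterized lookup treats the whole input as one password string and finds no match, while the concatenated version hands back every card in the table. Real drivers for SQL Server use the same placeholder mechanism (the marker is driver-specific), so the pattern carries over unchanged.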
  • Why is called an ethical Hacker certificate? I thought this activity was called Cracking...
  • "Hacker" is not a technical term. The word is meaningless. I have heard of the following referred to as "hacks" or "hackers" : cab drivers, writers, and prison guards - not to mention smokers and hacky-sack players.

    In the IT realm "hacker" has strongly negative connotations, no matter if you say "ethical" or not.

    If by "ethical hacker" you mean specialist in penetration testing, then call it that.
