
Slashdot: News for Nerds


Hacker Boot Camp

Zonk posted more than 8 years ago | from the sounds-like-a-fun-weekend dept.


abb_road writes "Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.' The camp serves companies' increasing needs for home-grown white hats, and covers topics ranging from the non-technical (social engineering and policy creation) to code-level attacks (buffer overflows and sql injections). The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'--but where else can you play hacking capture the flag?"


161 comments

Hmm? (5, Funny)

SirTalon42 (751509) | more than 8 years ago | (#15059937)

"but where else can you play hacking capture the flag?"

The internet, like all the other hackers are already doing?

Or perhaps..... (1)

there_can_be_only_on (746071) | more than 8 years ago | (#15060050)

Defcon? Anyone? Anyone......

that was my first thought (1, Insightful)

JeanBaptiste (537955) | more than 8 years ago | (#15060078)

how completely useless. if you want to be a hacker, you go learn how to be a hacker on your own, on the internets. if you have to go to a school for it, you probably weren't meant to hack into much of anything in the first place.

Re:that was my first thought (2, Insightful)

compro01 (777531) | more than 8 years ago | (#15060701)

you might know exactly what you're doing, but without a certification, most employers won't know that and you have no proof.

and plus the whole thing prevents you from having to risk getting a criminal record during your "practise".

Re:Hmm? (1)

thedletterman (926787) | more than 8 years ago | (#15060089)

defcon is definitely a lot cheaper.. and probably better education.

Defcon (4, Insightful)

evenprime (324363) | more than 8 years ago | (#15060233)

You can play at defcon, but the level of the competition would probably be a bit intimidating for people who attend a boot camp.

What are the entry requirements? (1)

liliafan (454080) | more than 8 years ago | (#15059946)

I didn't see anywhere that mentioned any kind of entry requirements to get on the program, hopefully they will require company sponsorship to get on the course or else anyone that can get together the cash can learn these techniques.

I for one would prefer not to welcome our script kiddie / real hacker overlords.

Re:What are the entry requirements? (3, Informative)

jtaylor00 (670164) | more than 8 years ago | (#15060077)

From the Article
They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill. For more sophisticated classes there are background and criminal checks.

Re:What are the entry requirements? (1)

liliafan (454080) | more than 8 years ago | (#15060269)

okay so I missed that thanks :p

Re:What are the entry requirements? (3, Insightful)

0racle (667029) | more than 8 years ago | (#15060259)

Anyone can learn these tricks at any time anywhere. They don't need to go to a school to find them. If you think someone going to a boot camp is going to become some 1337 h4x0r, well you might as well also start advocating destroying the internet.

Re:What are the entry requirements? (1)

liliafan (454080) | more than 8 years ago | (#15060359)

My concern is more along the lines of what they think they have learnt. Yes, I already know my networks are basically secure; I know breaking into my networks is going to get most people prison time (DoD). However, I don't want the people going on these courses to think they know something and start attempting to break into my networks and end up throwing packets at my networks, causing me to have to spend even more time assessing for real threats, hence my original statement "script kiddies / real hacker".

Thinking you know something is wayyyyy more dangerous than actually knowing something.

Re:What are the entry requirements? (5, Funny)

dr_dank (472072) | more than 8 years ago | (#15060408)

Anyone can learn these tricks at any time anywhere. They don't need to go to a school to find them.

Agreed. I'm about to cost these bastards lots of money by giving away their secrets. Gang, listen closely. First, watch the film Hackers a few times and try to dress as they do. Nothing shows up a non-hacker faster than one out of uniform.

Next, install any CLI-based OS. DOS, Linux, doesn't matter.

Now that you have a command prompt (with the blinking cursor, nothing else will do), you can hack anything! Type in a command like "reroute airtraffic > Boise" and watch all of those jets turn around. Steal the latest Hollywood flick with "download harrypotter.movie now". Want to make your idiot neighbor's power blink in and out, spelling "I am t3h fag0rz" in morse code? Go right ahead. You're only limited by your imagination.

DISCLAIMER: I am not responsible for the misuse of the preceding information.

Re:What are the entry requirements? (5, Funny)

Your Pal Dave (33229) | more than 8 years ago | (#15060452)

Wouldn't you also need a keyboard which beeps with every keystroke and a monitor which projects shapes onto your face as you work?

Re:What are the entry requirements? (5, Funny)

databyss (586137) | more than 8 years ago | (#15060556)

What about the exceedingly slow save program?

I want to make sure that whenever I save a file it goes extremely slowly and shows me every percent along the way.

Oh, and it has to flash every bit of data on screen as it saves. I'm sure it'll work out some sort of proper layout too.

Otherwise, how would I know it's actually saving the proper data?

Re:What are the entry requirements? (2, Informative)

dr_dank (472072) | more than 8 years ago | (#15060725)

What about the exceedingly slow save program?

I want to make sure that whenever I save a file it goes extremely slowly and shows me every percent along the way.


Those should be avoided. Prolonged exposure to the loud suspenseful music that accompanies just-in-the-nick-of-time saving has been shown to be harmful to your hearing.

Re:What are the entry requirements? (1)

pedalman (958492) | more than 8 years ago | (#15061066)

Don't forget the ability to play "Global Thermonuclear War" http://en.wikipedia.org/wiki/WarGames [wikipedia.org]

Re:What are the entry requirements? (0)

Anonymous Coward | more than 8 years ago | (#15060978)

I'm from Boise.. Thanks for that. Made my day.
-slicenglide.

Re:What are the entry requirements? (1)

finity (535067) | more than 8 years ago | (#15061084)

Hey, Hackers rocks! Also, I told you not to tell anyone else about the reroute script I've been working on...

Re:What are the entry requirements? (2, Informative)

qw(name) (718245) | more than 8 years ago | (#15060511)

Instead of going with that company I would recommend either EC-Council [eccouncil.org] or Vigilar/IntenseSchools [vigilar.com] for your CEH training needs.

I attended Vigilar's CISSP Boot Camp (Larry Greenblatt was the instructor) and had a very good experience. Passed the test the first time. They strictly adhere to the Code of Ethics of the various certification organizations and their NDAs. They will not tell you what's on the test like certain MS training camps.

Re:What are the entry requirements? (1)

rob1980 (941751) | more than 8 years ago | (#15060891)

That's like saying everyone who enrolls in karate classes is doing it so they can go down the street beating the hell out of people.

Re:What are the entry requirements? (1)

liliafan (454080) | more than 8 years ago | (#15060971)

That's like saying everyone who enrolls in karate classes is doing it so they can go down the street beating the hell out of people.
No, not really. Did you take the time to read the entire thread, or did you just decide to jump right in?

::groan:: Please make this go away. (5, Interesting)

XorNand (517466) | more than 8 years ago | (#15059949)

Is it just me, or does the very name "certified ethical hacker" seem like an utterly stupid, attention-whoring term? It reminds me of the kids who hang out on IRC asking "How do I hack someone's computer if I have their IP address?". People don't go to "certified ethical arsonists" bootcamps, they study fire science at an accredited school.

It sounds like this bootcamp just teaches people a handful of tricks that can be used to impress hiring managers. (Mentioned in the article: The default MS SQL login is "sa" with no password. Well, that tidbit is not going to do you much good if you're assessing any version of SQL Server released within the past six years.) Do they explain the difference between a frame, packet, and datagram? All specifics and no theory.

Re:::groan:: Please make this go away. (2, Insightful)

utlemming (654269) | more than 8 years ago | (#15060009)

How about the employability of having a cert saying you're an ethical hacker? Depending on your level within a company, couldn't such a cert cause you employment problems? I am just thinking about the low network guy that gets the cert, and his boss firing him for security concerns.

Re:::groan:: Please make this go away. (3, Funny)

darkmeridian (119044) | more than 8 years ago | (#15060099)

I LMAO when the article described a vulnerability to a "sequel injection". I think he meant SQL injection (http://www.google.com/search?q=sql+injection&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official). Still, can you imagine an injection of Basic Instinct II? That's scarier than a SQL injection.

Re:::groan:: Please make this go away. (2, Insightful)

lbmouse (473316) | more than 8 years ago | (#15060132)

ICECC's 'Ethical Hacker Certification.'
...that and $6.50 will get you a cup of coffee at Starbucks.

Re:::groan:: Please make this go away. (4, Interesting)

bluelip (123578) | more than 8 years ago | (#15060198)

I've been to this training. We had our hands held while having ethereal, nmap, and such tools demonstrated. It's a total waste of money for a technical person.

It may be useful to scare management into securing their networks though.

For better training, check out http://pulltheplug.org/ [pulltheplug.org] and the dozens of other "war games" out there.

Re:::groan:: Please make this go away. (3, Interesting)

numacra (805808) | more than 8 years ago | (#15061134)

True - We have many challenges... Here's a breakdown of our wargames for people who are interested:

http://vortex.labs.pulltheplug.org/ [pulltheplug.org] vortex deals with basic exploitation... buffer overflows/fmt strings etc..
http://semtex.labs.pulltheplug.org/ [pulltheplug.org] Semtex is for people who want network challenges (not necessarily exploitation)
http://www.pulltheplug.org/wargames/catalyst/ [pulltheplug.org] Reverse Engineering and Binary Analysis - the server is down but you can get the levels via the page.
http://www.pulltheplug.org/wargames/blackhole/ [pulltheplug.org] Remote Exploitation - the server is down but you can get the levels via the page
http://blacksun.labs.pulltheplug.org/ [pulltheplug.org] our newest wargame - deals with defeating hardened hosts... (PaX etc...)

our IRC network has quite a few people who play the wargames (irc.pulltheplug.org #social)
(ok i'm done with this shameless plug :))

Re:::groan:: Please make this go away. (1)

hotdiggitydawg (881316) | more than 8 years ago | (#15060529)

Yet another bad analogy... If you must use it, I would suggest that "hacker" maps to "pyromaniac", whereas "cracker" maps to "arsonist".

Re:::groan:: Please make this go away. (1)

kadathseeker (937789) | more than 8 years ago | (#15060566)

I think a black hat would be an arsonist (ill-intent), a grey hat would be a pyromaniac (depends on how sane/careful they are), white hat would be a pyrotechnician (Rammstein concerts kick ass).

That's a better analogy.

Keep in mind though ... (1)

apankrat (314147) | more than 8 years ago | (#15061024)

Just remember that ICECC is a pre-requirement for entering Advanced Social Engineering course offered by not-so-ethical hacker training facility next door. :)

Re:::groan:: Please make this go away. (1)

pedalman (958492) | more than 8 years ago | (#15061096)

"It sounds like this bootcamp just teaches people a handful of tricks that can be used to impress hiring managers."
Paper MCSE, anyone?

Poseurs, mostly (1, Interesting)

wsanders (114993) | more than 8 years ago | (#15061137)

Really, you ought to know all this stuff as part of your job if you are a sysadmin or a developer, just like a police detective knows all the easy ways to commit crimes.

Sooner or later you are going to work with some dumb ass and it will be your responsibility to (tactfully) demonstrate all the security holes they have introduced in their code.

Standalone so-called "security experts" are all useless poseurs. Twice now I have encountered "ethical hackers" in the job, hired by high-up muckety mucks, who told me "we like totally 0wned you systems d00d" and then refused to disclose to me what they had done. My logs said nothing, nobody took any action, and as far as I could tell it was all bullshit. (I owned all the servers, routers, and firewalls, so I should have known.)

I've only encountered one "security expert" who could ever actually demonstrate a non-obvious exploit to me, and that was in the Solaris 2.5 days.

"Ethical hacking" is a core competency of any experienced system administrator. I'm amazed that there are so many senior sysadmins out there who don't or can't lock down their systems, or think that security is some kind of separate thing from system administration. I'd never hire any of them.

Institute To Blow Smoke Into Uncomfortable Places (5, Informative)

American AC in Paris (230456) | more than 8 years ago | (#15059958)

While "Institute of Certified E-Commerce Consultants" has a nice ring to it, it's a little ambiguous.

I recommend they switch to "Important-Sounding Portal Site of Certified E-Clipart and Buzzwords". Gah. That site isn't just an eyesore; it's a brainsore. Basically, you send them money, they send you off to a third-party training course, throw you in a database and give you some logos and certificates with important-sounding words. Oh, and you'll be certified. It'll take your resume to the next level (where, presumably, we can find our princess.)

Ah, but now to the meat of the matter--the legal disclaimer!

l) Educational Licenses, Accreditation, and State Sanction. The ICECC does not claim to be a college or university nor does it claim accreditation from any 501 bodies, state, or federal government agency or body. The ICECC is not a 501c3 organization and never has claimed to be a tax free or charitable entity. The ICECC may engage in business with charitable organizations or form alliances with charities that operate under 501 but the ICECC operates as a responsible, growing, proprietary, growth oriented, and profit oriented association and company. The ICECC is an independent authority similar to other American Associations. The ICECC grants certificates, certifications, marks, designations, and charters much like hundreds of other legal educational and recognition institutes or associations in the United States. The ICECC strictly follows the criteria of the Ibanez decision in the United States. We encourage all members and certified members to meet all requirements for education, experience, testing, ethics, and continuing education. The ICECC licenses its marks and logos to others. The marks are generally licensed to individuals. The ICECC will license the CEC and other marks and logos to companies, universities, or other uses upon the consent of its board. The ICECC outsourses to other companies for training and education that is provided online. The ICECC does not collect money for the courses, provide the service, teach the class, enter into a contract with the student. THe company providing the education and training is simply using our site as a distribution point. THe ICECC may receive a referral fee, rebate, revenue share, or other payments for providing the website that afforded the sale of the service to the customer. In sum, you accept that we are not responsible for the performance of any education or training contract. 
We do not hold any of your private information that you submitted to the training, course, or education provider although directory infomation may be exchanged. This information is limited to email address, phone number, name, employer, educational degrees and background. [emphasis mine]

Makes ya feel all edjumicated already, dunnit?

Of course, all the above is moot; it fails the sniff test (twice, no less!) on its home page:

Don't forget to bookmark us! (CTRL-D)

Trust me, I didn't forget.

...as for the course itself, it seems to be little more than a rote lesson in exploiting commonly known weaknesses, such as default passwords and poorly-configured servers. From the BusinessWeek article:

ALARMING LAPSES. And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.

It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successfully.

Here's another trick. Put a single quote mark in the user name line of a password. If you get a particular error message, you know that site is vulnerable to a technique of stealing database contents called "sequel injection." "Pretty cool, huh?" Whitaker says to the stunned crew. "You guys want to see some more scary stuff?"

Later, they cover how to use a pre-existing trojan. If this is what passes for "hacking school" then assembling an IKEA bookshelf is carpentry.
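The single-quote check in the quoted article text works because the application pastes the user name into the SQL statement. The following is an added example, not part of the original comment or the article: it uses Python's sqlite3 with a constructed users table and hypothetical function names to show the concatenated query breaking on a quote (including the legitimate name o'brien) while the parameterized form treats the same input as data.

```python
import sqlite3


def make_db():
    """Build an in-memory database holding constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "constructed-hash-1"), ("o'brien", "constructed-hash-2")],
    )
    return conn


def lookup_concat(conn, name):
    """Weak form: the user name becomes part of the SQL text itself."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Corrected form: the driver binds the user name as a value."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def probe(lookup, conn, name):
    """Run one lookup and classify the outcome.

    Returns ("ok", rows) or ("sql-error", message). A database error caused
    by nothing more than a quote in the input is the "particular error
    message" the article describes.
    """
    try:
        return ("ok", lookup(conn, name))
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))


# Benign inputs that contain a quote; suitable for a regression test.
QUOTE_INPUTS = ["'", "o'brien", "it's"]


def treats_input_as_data(lookup):
    """True if no quote-bearing input produces a SQL error and the
    constructed account o'brien can actually be found."""
    conn = make_db()
    for name in QUOTE_INPUTS:
        status, _ = probe(lookup, conn, name)
        if status != "ok":
            return False
    return probe(lookup, conn, "o'brien") == ("ok", [("o'brien",)])


if __name__ == "__main__":
    for fn in (lookup_concat, lookup_param):
        print(fn.__name__, "treats input as data:", treats_input_as_data(fn))
```

A check like `treats_input_as_data` can sit in a test suite so that any query helper that falls back to string concatenation fails the build.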

Re:... Into Uncomfortable Places (1)

gold23 (44621) | more than 8 years ago | (#15060165)

You mean, like, the back seat of a Volkswagen Beetle?

Re:Institute To Blow Smoke Into Uncomfortable Plac (0)

Anonymous Coward | more than 8 years ago | (#15060309)

Me thinks the reporter got p0wned.

Re:Institute To Blow Smoke Into Uncomfortable Plac (2, Funny)

kumichou (468416) | more than 8 years ago | (#15060462)

> It'll take your resume to the next level (where, presumably, we can find our princess.)

"Thank you Mario! But your certificate is in another castle!"

You left out the best part! (2, Informative)

karmaflux (148909) | more than 8 years ago | (#15060634)

Scroll down, and you get

Attorneys Search
Attorney Lawyer Law Firm
Lawyers & Class Actions
Louisiana Law


all with links.

Further still, you get



Plastic Surgeon Houston
Cosmetic Surgeon Houston
Liposuction Houston
Consultation
Cosmetic Surgeon Texas
Plastic Surgery Texas
Extreme Makeover Plastic Surgery
Cosmetic Surgery Pictures Plastic Surgery Houston
Cosmetic Surgery Houston
Board Certified Plastic Surgeon
Facelift Houston
Plastic Surgeon Houston
Houston Plastic Surgeon
Houston Cosmetic Surgeon
Plastic Surgery PicturesPatronella Surgeon
Liposuction
Cosmetic Surgery Houston
Extreme Makever
Cosmetic Surgery Texas
Plastic Surgery Texas
About Plastic Surgery
Plastic Surgery Before & Afters


Each one of those is a link, and every single one of them to the same domain.

This is a spammer site, and every page on the site has a footer labeled "links and sponsorship," also filled with spam links. I feel really bad for the poor suckers who wind up giving them money.

Also from their TOS:

Additionally, the ICECC does not guarantee the character, skill, experience, education, ethics, or references of a member or certified member of our group.


The whole organization is a joke.

Re:Institute To Blow Smoke Into Uncomfortable Plac (2, Informative)

pmc (40532) | more than 8 years ago | (#15061119)

While "Institute of Certified E-Commerce Consultants" has a nice ring to it, it's a little ambiguous.

The submitter has put in the wrong website - The CEH site is at http://www.eccouncil.org/CEH.htm [eccouncil.org]

It is a penetration testing certification for people who can't do penetration testing.

to name a few.. (0)

Anonymous Coward | more than 8 years ago | (#15059960)

"The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'--but where else can you play hacking capture the flag?"

Defcon, Hope, Toorcon etc etc etc

4 Grand? (4, Insightful)

hairykrishna (740240) | more than 8 years ago | (#15059965)

4 grand for that? I wouldn't classify that as 'ethical'!

But.... (1)

RagingFuryBlack (956453) | more than 8 years ago | (#15059966)

That doesn't differ from my daily routine anyways. Why pay 4300 for something I already do for free over the summer?

Like all education... (1)

linguizic (806996) | more than 8 years ago | (#15059980)

...you pay tons of money to get a piece of paper that lets you join a club.

Higher education is just another form of hazing. You say that you've read the assignment, (the teacher) says "Fuck you, prove it!". --David Mamet

"Certification"?? (3, Insightful)

ktappe (747125) | more than 8 years ago | (#15059991)

1. $4300 isn't chump change--someone is making a bundle on this.

2. Who out there is going to accredit this "certification" to be sure it's worth more than the paper it's printed on?

3. Isn't one of the fundamental concepts of "hacking" to be anti-establishment? To break the rules and sock it to the man? Getting certified is about as establishment as you can get.

-Kurt

One thing they didn't mention... (1)

Billosaur (927319) | more than 8 years ago | (#15060018)

...is whether they had to shave their heads or were subject to violent hazing. Doesn't seem like boot camp otherwise.

Re:One thing they didn't mention... (1)

Alex P Keaton in da (882660) | more than 8 years ago | (#15060506)

or were subject to violent hazing
There is almost none of that, if any, in the military- I never saw any. All you are showing with that statement is that your knowledge of the military comes entirely from Full Metal Jacket...
That being said,
Marines go to boot camp, everyone else goes to Basic. Reminds me of a girl at work who always talks about her "cardio bootcamp" and how hardcore she is. I explained to her that when I went through Basic, it was a bit more than putting on spandex for two hours three days a week and doing the stair climber.
Anyhow, bootcamp is a marketing term used by some organizations/programs to imply toughness, militaryness (yes I know that isn't a word, I am using it for sarcastic value) and coolness, nothing more.
What sounds cooler to the average 18 year old wanna be hacker- "Computer Camp" or "Hacker Bootcamp"?
And by the way, if you want to make something like Basic or Bootcamp, make sure that the theme is hurry up and wait. Like on fire qualifying days, when you wait 4 hrs to shoot for 5 minutes....

just like "ninja training camp" (4, Funny)

blue_adept (40915) | more than 8 years ago | (#15060020)

you spend a week learning all the "Secret Ninja Moves" and when you're done, you're a real life ninja. ... right? r-right?

Re:just like "ninja training camp" (0)

Anonymous Coward | more than 8 years ago | (#15060075)

You spend a week learning all the "Secret Ninja Moves" and when you're done, you're a real life ninja. ... right? r-right?

Why bother when I can go to Pirate Training Camp and kick your ninja ass?

Ethics in just 5 days? (3, Insightful)

Pedrito (94783) | more than 8 years ago | (#15060026)

Sorry, but people can't really learn ethics in a 5 day camp. Ethics begin at home and in early childhood. It comes from the people who raise you and the people you're around as you grow. A 5 day camp is going to have absolutely no impact on your ethics. By the time you're old enough to go to a hacker camp, your ethics (or lack thereof) are firmly established. 5 days of camp is simply going to give them some new skillz to use ethically or unethically.

Re:Ethics in just 5 days? (2, Insightful)

MobileTatsu-NJG (946591) | more than 8 years ago | (#15060320)

"Sorry, but people can't really learn ethics in a 5 day camp. Ethics begin at home and in early childhood. It comes from the people who raise you and the people you're around as you grow."

So, let me see if I understand what you're saying: If a teacher makes a list of situations that are both ethical and non-ethical, and teaches his pupil which is right and which is wrong, this will have absolutely no effect...? Are you sure you're not over-generalizing here?

Re:Ethics in just 5 days? (1)

pla (258480) | more than 8 years ago | (#15060386)

5 days of camp is simply going to give them some new skillz to use ethically or unethically.

I started off thinking I would disagree with you, but by the end, I find I agree 100%.

I would just add one point to what you wrote...

Ethics depends heavily on situation as well as background. In some situations "ethics" means "follow the law", in others it means "screw the law, do the right thing", and in still others it means picking the least unethical course of action from a whole range of shady options.

On top of that, although some people would argue that ethics has absolute standards, I would disagree and say that ethics also depends on your point of view. Simple example: should I call in sick from work (assuming I have no more personal or vacation days) to take my mother to her doctor's appointment?


But regardless, a five day course won't teach you any of that. It will just hand you a small bag of skeleton keys to try should you come across an inconveniently locked door. And in this case, you can already get all those keys, and more, for free on the web.

Not About Learning Ethics (1)

iamlucky13 (795185) | more than 8 years ago | (#15060508)

It sounds to me like the course assumes you bring good ethics to it. It's not about learning ethics. It's for learning about security vulnerabilities by exploiting them. The idea is that the pupils then can go out and test their own networks or those of a client with what they learned, as a service. They title it ethical hacking because it is to be done with the permission of the victim in the interest of finding and subsequently eliminating potential security holes. If someone came to the class with ill intent, of course, they could use this knowledge unethically. This is probably why they require students show proof of gainful employment, although none of this is exactly top secret.

According to another poster somewhere in this discussion, the class isn't very advanced, and basically useless to anyone who already has a decent but more general training.

bet they become spammers (2, Funny)

mike_bolton (965986) | more than 8 years ago | (#15060028)

and all those popups will read - get your ethical hacking certificate for 2k! Just click on the monkey - I did!

Free time (1)

punkr0x (945364) | more than 8 years ago | (#15060030)

"a classroom full of middle-aged high-tech system administrators." If they get their company to send them to hacking school for a day, they have more free time for pr0n in the evenings! Brilliant.

Bail Money (1)

Joebert (946227) | more than 8 years ago | (#15060033)

The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'


Reservations for the State Correctional Facilities maybe ?

ReBoot Camp (4, Funny)

digitaldc (879047) | more than 8 years ago | (#15060038)

Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.'

As opposed to the 'Unethical Hacker Certification' where companies pay you $43,000.00 or more to stop disabling their websites.

Heh (4, Funny)

JavaLord (680960) | more than 8 years ago | (#15060058)

From the article:

you know that site is vulnerable to a technique of stealing database contents called "sequel injection."

Is this an attack based on the recent star wars trilogy? Someone should inform the author it's still written "SQL injection" despite how it sounds.

Oblig. Mon Calamari (3, Funny)

digitaldc (879047) | more than 8 years ago | (#15060115)

Is this an attack based on the recent star wars trilogy?

Yes, I believe the famous last words were, 'It's a trap!'

Screening (1)

punkr0x (945364) | more than 8 years ago | (#15060102)

companies like his screen candidates carefully. They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill.
Or, they could be a reporter who just wants to write a cool story and maybe detail a few of the hacks that "an English major who hasn't written a line of code since third grade" can do. You know, just in case some of his readers can't afford the class, but really want to be ethical hackers. It's all cool.

Ethical Hacker Certification... (2, Insightful)

creimer (824291) | more than 8 years ago | (#15060104)

The new paper MCSE certification for the 21st century.

Re:Ethical Hacker Certification... (0)

Anonymous Coward | more than 8 years ago | (#15060727)

Kind of like the CISSP...

Isn't this a bit over nerdy (1)

iXiXi (659985) | more than 8 years ago | (#15060108)

Wouldn't this be like wearing a "Certified Trained Sexual Dynamo Boyfriend" t-shirt into a singles bar? A little too nerdy for me.

Re:Isn't this a bit over nerdy (2, Funny)

KoKopuffz (704063) | more than 8 years ago | (#15060212)

I want that T-shirt. And on the back I could put 1337 L0v3 5k1llz!

Re:Isn't this a bit over nerdy (1)

livewire98801 (916940) | more than 8 years ago | (#15060622)

or. . .

I less than three you

Certified Ethical Hacker? (4, Interesting)

Malor (3658) | more than 8 years ago | (#15060166)

A more accurate label would be "Five Day Script Kiddie Class".

Having just been to a class... (1)

Epi-man (59145) | more than 8 years ago | (#15060174)

Having just attended a SANS class [sans.org] (one week, tons of fun, learned a boatload), I would highly recommend them. Not everything there is available on the web (well, sort of, but the stories from the storm center certainly aren't). The course I took was taught by Ed Skoudis, easily one of the best lecturers I have ever seen. At the end, yes, we got to play capture the flag.

Re:Having just been to a class... (1)

skinfaxi (212627) | more than 8 years ago | (#15060362)

I got to go to Ed's workshop recently, too. It was very interesting stuff, lots of good advice, and a lot cheaper than $4300!

Re:Having just been to a class... (1)

BunnyClaws (753889) | more than 8 years ago | (#15060962)

I would recommend the Hacking and Exploit class taught by Skoudis as well. He is a great lecturer, keeps the class interesting, and the capture the flag at the end of the week is a great time. Plus they provide beer for the night time labs.

Be very cautious (1, Funny)

Anonymous Coward | more than 8 years ago | (#15060181)

Some hackers have actually died at boot camp when the staff tried to beat the ethics into uncooperative programmers.

sounds more like (1)

seabreezemm (577723) | more than 8 years ago | (#15060183)

they are getting jacked then learning to hack.

Re:sounds more like (2, Insightful)

qwijibo (101731) | more than 8 years ago | (#15061087)

I thought that was the point. Just like all of the people who have seminars on how to get rich. The moral of the story is that if you want to be rich and famous, you need to exploit the hopes of people who are too stupid to realize that it's a scam.

Another option (3, Funny)

wjcofkc (964165) | more than 8 years ago | (#15060210)

AOL has some chat rooms with hundreds of the very best hackers in the whole wide world answering questions and handing out all kinds of scripts 24/7. You have to be very smart and a real hacker to run a script from an AOL hacker chatroom.

Re:Another option (1)

Josh teh Jenius (940261) | more than 8 years ago | (#15060283)

Don't feel bad. This comment was too hysterical for these bitter sys admins.

I laughed though.

SANS (3, Insightful)

DaPh00z (840056) | more than 8 years ago | (#15060227)

This appears to be similar to the highly regarded SANS GIAC Certified Incident Handler (GCIH) Course, SEC-504: Hacker Techniques, Exploits & Incident Handling [giac.org], which I attended a while back. The SANS course was excellent and is often taught by Ed Skoudis. It's challenging, but also very worthwhile. They cover how to create an Incident Handling team and then launch into Reconnaissance, Scanning, Exploits, Keeping Access, and Covering Your Tracks. It would take too long to list out all of the different tools and tactics that they covered, but it's pretty comprehensive.
It's a great course, and I highly recommend it to anyone involved in computer security. The insight into how attackers target, gather information, compromise, and maintain access on systems has been invaluable in understanding how to then try and close the holes and mitigate the risks. You'll never be 100% invulnerable on a machine or network that you actually use for anything, but if you know how to think like an attacker and what the current tools are capable of, then you'll be able to fix most of it.

Re:SANS (0)

Anonymous Coward | more than 8 years ago | (#15060374)

What is so different about attending his class versus reading his book entitled "Counter-Hack"?

Re:SANS (0)

Anonymous Coward | more than 8 years ago | (#15060449)

The truth is, not much. Having attended SANS track 4 and read Counter Hack, I am confident with saying that the content is mostly the same. The price difference, however, is another thing. The book is probably worth about $20-30. The course will run participants somewhere between $600 and $3000, depending on who they are.

Hacking is a lot like life... (2, Insightful)

Josh teh Jenius (940261) | more than 8 years ago | (#15060243)

As a reformed "script kiddie", who once ran havoc on your servers back in the 90's (sorry about that by the way) I must tell you that stories like this make me laugh. In my experience, the essence of all "hacking" is the same: the pursuit of an answer to a question.

Eventually, I discovered that the "real" hackers grew up and got "real" jobs, so I did the same. However, like most hardcore IT people I know (not the MCSE morons), this inquisitive nature still lies at the heart of...well...me (whatever that is).

Point being: like life, hacking can't be taught, it must be experienced.

And just like life, it can be experienced 2nd-hand (via books or "training"), or, we can grow balls and go make some mistakes ourselves. The "wackos" like me will always opt for option B, and computers have nothing to do with this.

Re:Hacking is a lot like life... (1)

z4pp4 (923705) | more than 8 years ago | (#15060733)

Point being: like life, hacking can't be taught, it must be experienced.

AMEN!!

The only problem that most people don't realize is that there is a difference between perception and reality:
In reality, Bluetooth is a standard for radio communications between mobile accessories. The perception of the common man however (and back me up here), is that "the Bluetooth" is the Wireless headset that comes bundled with a cellular phone.

Likewise, if you are a "penetration tester" (sic... fortunate pun), it looks better on a tender document for a government job if you are a "Certified Ethical Hacker", versus the guy that knows what he is doing but does not have the paper behind him. Anyways, how would you compare information security services if they cannot be measured according to at least some form of baseline standard? These requirements are ALREADY stated in the tender RFPs. Who are you to argue with a potential client?

I'll do ya one better. (2, Funny)

Rob T Firefly (844560) | more than 8 years ago | (#15060256)

For the paltry sum of only $1000US, I'll send you a genuine Certificate of Ethical Hacking, Keytar Playing, and Being Good To Your Mom.

I'll even load my ink-jet printer with the impressive expensive paper.

hmm (1)

misfit815 (875442) | more than 8 years ago | (#15060263)

Not to stray too far off topic, but didn't all this 'boot camp' crap start when cable channels like Discovery began airing stuff like this [discovery.com] and 30yo adolescents far and wide thought that one Hell Week of any sort and they could be Authorized Bad-Ass Certified Hacker Ninjas?

"Yeah (sniff), I coulda been a F-16 pilot, but I couldn't pass the vision screening, so I became an MCSE instead."

Screw the $4300 (1)

tachyon13 (963336) | more than 8 years ago | (#15060266)

The only reason why you would spend this amount of money to obtain a cert. is because you are not qualified/knowledgeable enough to pass it in the first place.

If you really knew what you were doing, you would pay the $250 to take the test (http://www.eccouncil.org/312-50.htm [eccouncil.org] ) and be able to pass either on your own accord, or with the help of books or freely available study guides.

Anything more than a few hours of your time and some decently written books is a waste of money.

safety issues (0)

Anonymous Coward | more than 8 years ago | (#15060272)

An instructor at one of my MCSE classes also taught the CEH class and told us that in order to take the class you have to sign agreements with the FBI agreeing not to use your skills for unethical behavior. The class material is freely available for download all over the place, so yes, the price does seem a little steep, but if that cert lands you a job then it's all worth it.

certified ethical hacker (1)

recharged95 (782975) | more than 8 years ago | (#15060307)

Basically this creates a job security option in the field of hacking, which definitely is not a stable employment environment currently.

Otherwise, the training could be a prelude to the rise of corporate hacking warfare: corporate to corporate hacking. Basically just because you took white hat training doesn't mean you can't use those skills in a black hat environment against other companies. White hat or black hat, the temptation to hack other systems (just not your company's) is great 'cause hacking is all about experimentation.

Been there done that (4, Informative)

codepunk (167897) | more than 8 years ago | (#15060313)

I have been to it; the courseware is fairly extensive but was boring nonetheless. I cannot see much of the slashdot crowd getting much from it, just a rehash of common knowledge tools and techniques that we pretty much have all heard of.

Now I was stuck in a room full of MS and MCSE zombies who did not know the difference between a TCP and UDP packet. Just listening to the students talk I could feel the grey matter being sucked from my head....sort of like a high school student sitting in on a first grade class.

ethics (0)

Anonymous Coward | more than 8 years ago | (#15060318)

you can teach the techniques but you can't certify their ethics....

More Like Script Kiddie Camp (1)

hagrin (896731) | more than 8 years ago | (#15060341)

The author states himself in TFA that he has no programming experience since the 3rd grade. Therefore, can this really be considered "hacker" camp?

In addition, the teacher showed the class SQL injection techniques, etc. However, wouldn't their time be better spent learning penetration testing techniques and how to use certain applications like Nessus? I don't see how learning how to package "Beast" with a screensaver really teaches anyone anything worth over 4 thousand dollars.

Re:More Like Script Kiddie Camp (1)

DextroShadow (957200) | more than 8 years ago | (#15060523)

It is a common misconception that you have to be a coder to be a "hacker". You don't have to be a coder, but you do have to understand underlying theory about how a program works to do what it does, especially when it comes to memory allocation.

"Hacking" exercises... (4, Informative)

TechnoGuyRob (926031) | more than 8 years ago | (#15060358)

I am a systems administrator at www.hackthissite.org [hackthissite.org] (HTS), and at HTS, we intend to do just what this camp intends to--but for a nice sum of $0.

Although we are currently working on a new version of the site (dubbed "HTSv4"), the current place still has plenty of opportunities to gain knowledge in (ethical and legal) areas of computer security, such as XSS injection, SQL injection, buffer overflows, programming, and countless other topics--all through personal experience with the "missions" on the site.

I think it is very important for people who are going into computer development of any kind to be aware of these issues. Personal experience and skill in computer security can only be beneficial, and will teach one to code applications that are capable of defense from outside intrusion.

Re:"Hacking" exercises... (1, Informative)

TechnoGuyRob (926031) | more than 8 years ago | (#15060390)

I forgot to mention: hacking "capture the flag", as the article calls it, is our equivalent of Root This Box [rootthisbox.org], a competition aimed at controlling a "box" (system) for the longest amount of time through various exploitation means, most of which go beyond the topics covered in the "boot camp."

Re:"Hacking" exercises... (1)

eln (21727) | more than 8 years ago | (#15060740)

That's all well and good, but your pitiful techniques pale in comparison to your competitor's awesome sequel injection technique: a technique so advanced that no one has ever heard of it before!

I'm sorry, I can't believe you're legit until you can manage to impress a techno-illiterate English major reporter with your l33t skillz.

For $4300 (1)

g0bshiTe (596213) | more than 8 years ago | (#15060426)

"but where else can you play hacking capture the flag?"

for the price of tuition you and a friend could buy some serious hardware and go at each other.

I would sign up on their website (1)

Zabu (589690) | more than 8 years ago | (#15060477)

But it had an SQL error injected
Silly post-grad hackers :)
http://www.techtrain.com [techtrain.com]

NT350 at Herzing (3, Interesting)

RingDev (879105) | more than 8 years ago | (#15060522)

My NT350 class at Herzing School of Technology (a traditional brick and mortar tech school with a new online branch) taught by Curt Gibeau (sp?) was like this. Only my tuition was $1200 I think, and the course was 16 three hour night classes. We were broken into groups (2-3 net-workers and 1 programmer in each group). Each group was given standard enterprise requirements (AD, email, file storage, database, web server, client machine). We could use whatever OSs and software packages we liked, and we could run up to 5 machines. Over the course of the class we went over security theory and specifics for demonstrations, and then we would break into groups to work on building and securing our group enterprises.

In the end we didn't have quite as much attack time as we had hoped, and a lot of vectors were blocked off because we all knew we were going to be attacked and there was no real life activity on the networks. So everyone was scrounging each other's networks for any mistakes or missed patches. Some people had honey pots, some people hosted exploiting web pages, but for the most part, there was little damage. But we all learned a lot about securing networks and servers, and different ways to minimize risks.

All in all, definitely a class that was worth taking. I would recommend it to anyone in range of a Herzing campus, but the Teacher I had is no longer teaching (he's a full time network admin for the school now) and I have no idea how the class is arranged any more.

-Rick

Hacking Capture the Flag (1)

vindale (239738) | more than 8 years ago | (#15060642)

More fun than a nice game of chess. Not nearly as much fun as Global Thermonuclear War.

Anybody else notice the number of ads for "Certified Ethical Hacker" showing up with the story? Love that contextual advertising.

Why does this money making scam get airplay on /.? (1, Interesting)

Anonymous Coward | more than 8 years ago | (#15060663)

Anyone who's paid $4300 to attend this 'event' is a fucking moron who should work anywhere but IT

My College Offered a Class Like This... (0)

Anonymous Coward | more than 8 years ago | (#15060685)

For a hell of a lot less. And it was considered a viable elective for my major, Computer Science. We were taught pretty much the same things, but mostly geared toward Unix/Linux since the prof was an OS Guru of sorts. It was a great class. I'd take it again in a heartbeat. The college? Wright State University in Dayton, OH. Whoda thunk?

Re:My College Offered a Class Like This... (2, Interesting)

stinerman (812158) | more than 8 years ago | (#15060834)

I currently attend WSU. Dr. Mateti is certainly a great professor (he says after changing majors after taking Mateti's OS course) and did push hard for an "ethical hacking" class. I was going to take it before I changed my major, but I heard from several friends that they learned more in that class than any other class they took at WSU.

For anyone interested in the class (CEG 429), Dr. Mateti licenses all his lecture notes [wright.edu] under the Open Publication License [opencontent.org] .

oxymoron (0)

Anonymous Coward | more than 8 years ago | (#15060996)

i'm sorry, did someone just say 'ethical hacking' and 'serving companies' in the same breath? ri-i-i-ght....

ICECC's 'Ethical Hacker Certification.' (0)

Anonymous Coward | more than 8 years ago | (#15061010)

I don't know anything about these guys (the cert mentioned in the post is not even on the site). http://www.icecc.com/ [icecc.com] But it's not the same as: http://www.eccouncil.org/CEH.htm [eccouncil.org] And can be had for about 2k less at other training places. I'm always amazed at the hostile reactions to the name of this cert. Would it make anyone feel better if it was called Certified Ethical Pen-Tester? 'Cause that's what it really is, learning the methodology for pen-testing, which like everything else *could* be learned for free, but hey, thrash away on your keyboard in outrage if it makes you feel better.

I took the class (2, Informative)

Salo2112 (628590) | more than 8 years ago | (#15061141)

It wasn't a 5 day 8-hour a day class. It was 12 days from 0800 to 2100(ish) hours with a few breaks during the day.

It was a chance to play with a lot of nasty stuff on machines that were there for the purpose of breaking in a controlled environment.

The biggest positive was that someone sent two PHBs to the class to see if it was worth sending techs - they got to see first hand what was out there, what the risks were and ways to help their guys secure their networks. Nothing like people seeing for themselves what their staff is up against.