Re: [ISN] Firm uses 'ethical hackers' to protect corporate systems

From: mea culpa <jericho_at_dimensional.com>
Date: Sat 19 Dec 1998 - 20:42:23 CST
Reply From: The Dodger <dodger@2600.com>

>Firm uses 'ethical hackers' to protect corporate systems

I find it difficult to articulate my exasperation at seeing the term
"ethical hackers" used in this fashion. Someone whose job is testing a
system's or network's security by attempting to break into it is not an
ethical hacker. They are a member of a penetration testing or tiger team. 

An ethical hacker is someone who hacks into systems _without_ permission
and then leaves a message for the sysadmin, detailing exactly how he broke
in and suggesting means of securing the system. He doesn't deface
webpages, he doesn't read people's email or private files, he doesn't
rootkit the system and he doesn't use the system as a launching pad to
break into others (e.g. by installing a sniffer). Note that I'm not
saying that being a pen-tester and an ethical hacker aren't mutually
exclusive. It's a subtle but, to me at any rate, important distinction;
probably because I invented the term. 

Those of you who can cast your minds back to July '96 may remember the
Navpoint hack, by the Agents of a Hostile Power, which was reported in New
Scientist magazine's Netropolitan column. That was a perfect example of an
ethical hack. 

It looks like Secure Computing's marketing/PR department are following
IBM's lead in using the term to describe their pen-test teams. The only
word I think is suitable to describe it, is "lame". 

The amount of bullshit^H^H^H^H^H^H^H^Hhyperbole flying around in the
information security industry is absolutely unbelievable. Take the
so-called ICSA (formerly the National Computer Security Association) -
this is a perfect example of a company trying to portray itself as
something which it isn't. The name "International Computer Security
Association" implies that this is some form of non-profit organisation,
with membership open to security professionals and consultancies; a bit
like the International Consumer Service Association (www.icsa.com),
perhaps. The truth is somewhat different - the ICSA is a for-profit
company. Period. 

I had to explain this recently to an MD of a network services company, who
asked me if I was "a member of the ICSA". It made him look at
ICSA-certified products in a whole new light. 

Dodger

PS: This ain't a flame against DT, by the way. I'm sure Jeff wasn't the one
who proposed the use of the term "ethical hackers".

PPS: Any idea what the "National Security Administration" is?

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Mon Dec 21 08:40:19 1998