Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security The Internet

White Hat Hacker Breaks Silence 425

Flackboy Kevin writes "The nation's hackers are about to come out of their shells on Friday as one of the most notorious 'good guys' in Manhattan makes a rare-yet-cyber public appearance on USA Today's online chat. Gary Morse, Manhattan's white hat hacker and good friend of every Chief Security Officer in the financial world agreed to an online chat regarding security. Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."
This discussion has been archived. No new comments can be posted.

White Hat Hacker Breaks Silence

Comments Filter:
  • by ralphart ( 70342 ) on Thursday May 08, 2003 @10:53PM (#5916271)
    Bash, Korn or Csh?

    Inquiring minds want to know.
  • How sad. (Score:4, Interesting)

    by Anonymous Coward on Thursday May 08, 2003 @10:55PM (#5916293)
    Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."

    He's not well regarded because he's good at what he does, or because he's good at what he does without cattering to the overused claim that ex-hackers are best suited at protecting systems?

    Frankly I find him a breath of fresh air.
    • how much you want to bet he's either overrated or black hat when he goes home at night.
    • by MickLinux ( 579158 ) on Friday May 09, 2003 @01:32AM (#5916810) Journal
      Listen, his position of not hiring ex-black-hats makes a ton of sense, whether or not ex-black-hats are the best at detecting security flaws.

      A person who has been a black hat has been so, specifically because they did not have the moral fortitude to remain on the white side. Now, that can change when there is a profound revelation [Dr. Laura Schlessinger], or when there is a ton of incentive [G.W. Bush], or because they were caught and decided the price was too high [many haxors who have been caught flip in this way] or it can appear to change when convenient [psychotics.]

      But the fact is, you don't really know why it changed, and therefore you don't really know if it changed. So you don't let ex-black-hats work for your company, period.

      Now, if a black hat did have some profound change, that doesn't mean that there isn't work for him. Assuming that it is not prohibited by court order, he can start donating information to the security watchdog groups, and they can verify the information on their own. If it is illegal for them to be using the internet or interfacing with computers, they can wait until it is again allowed. Or they often can instead put their skills to use building new systems, or writing code for a supposedly secure system -- on paper.

      Anyhow, I have no idea whether the claim is true or untrue, that ex-black-hats make good white hats. But Morse's position makes a lot of sense.

      • by cyril3 ( 522783 ) on Friday May 09, 2003 @02:15AM (#5916932)
        It is just as easy to say that any white hat is merely a really smart black hat who hasn't been caught yet and the reason why you wouldn't hire them is that they aren't very good at black hatting.

        If, as you say, black hats arise from white hats who specifically ... did not have the moral fortitude to remain on the white side how can anyone be sure that any given white hat will never turn to the black side if the incentive/threat is great enough.

        if a black hat did have some profound change,

        You make it sound like they are evil incarnate. If the BH you are looking at did time for money crimes or e-vandalism maybe you'de think twice about trusting them but if it was pure challenge based hacking maybe a blanket no-hire wastes talent.

        Seems to make more sence to hire good people who haven't shown any serious criminal activity and then watch them very closely white and black.

      • by Anonymous Coward on Friday May 09, 2003 @03:57AM (#5917154)
        I agree with this wholeheartedly. This is why before I hire anyone I always track down and interview several of their public school classmates to find out if they were ever thought to have stolen anything, if they were ever unpopular or made fun of (might have latent resentment).

        I try to find teachers they had to find out if they were ever given detentions or didn't do their homework -- who knows why someone who used to refused to do their homework started doing their work, they could stop again at any time!

        Especially, I try to discover if they were ever caught masturbating. The last thing I want to do is hire a masturbator.
      • Now, that can change when there is a profound revelation [Dr. Laura Schlessinger], or when there is a ton of incentive [G.W. Bush]

        I can picture it now, GWB the "black hat" cowboy coming to town with a sinister motive. Then some nasty terrorist mexicans run a dilligence into the towns two water towers. This somehow gives GWB incentive to go "white hat". Yes, it does make a lot of sense.

      • by merlyn ( 9918 ) on Friday May 09, 2003 @04:39AM (#5917234) Homepage Journal
        So what do you do with someone like me, who is arguably (and been accepted for the most part as) a white hat, and yet has been convicted under what some would argue are messed-up laws [lightlink.com] as if a black hat?

        Would you hire me?

        Or would you merely stop at the apparent conviction as if that's the only ruling authority?

        • by NDPTAL85 ( 260093 ) on Friday May 09, 2003 @07:16AM (#5917640)
          You aren't looking at it from the right angle.

          Look at it from the company's point of view. YOU are a liability if you have a criminal record. If you ever do anything wrong while working there their cleints who may be victimized by you will ask your boss "Why did you hire someone with a KNOWN criminal record for hacking?"

          Then once your boss gets sued he'd be liable for damages since he'd lose insurance coverage for hiring a known convicted hacker.

          Do you understand it now?
          • by maxpublic ( 450413 ) on Friday May 09, 2003 @03:30PM (#5921813) Homepage
            YOU are a liability if you have a criminal record.

            Funny, I thought it was a criminal nature was a requirement for advancement into management these days.

            Not to mention politics. You do know that almost 50% of Congress has a criminal record? And that our own President was a criminal (drug user) at one point? The fact that he wasn't convicted and sent to jail does nothing to diminish the crime itself.

            Max
  • Is this a joke? (Score:5, Insightful)

    by Anonymous Coward on Thursday May 08, 2003 @11:01PM (#5916321)
    Why is Slashdot posting advertisements from random security consultants?

    Do Slashdot editors realize how many security consultancies there are in New York City, even leaving out the credible names like @Stake and IBM?

    Do Slashdot editors honestly believe that major financial firms in NYC don't already have a track record of hiring and retaining exceptional security engineers? Do they honestly believe that a major financial needs Gary Morse to tell them what a firewall does for them?

    Haven't the Slashdot editors ever seen that silly flash video with "Kimball" and "Dataprotekt"? Heard about the subsequent investor fraud story? Recognized that maybe real security firms don't market themselves on "white hats staying ahead of the evil hackers" hype?

    Did the Slashdot editors think of visiting Razorpoint's website, where we find white papers with scintillating security insights like "security is a process" and "here's how to read a CIDR address"? Or notice the lack of advisories, research papers, or bios of credible security researchers on the site?

    Maybe these are smart people. Maybe they secretly have Citicorp and Bank of America on their client list.

    Or maybe they're just a bunch of wannabes.

    Why are we supposed to be interested in this crap?

    • by moogla ( 118134 ) on Thursday May 08, 2003 @11:18PM (#5916403) Homepage Journal
      I had the same feeling, it was a particular feeling in the back of my throat; of course I didn't know why I felt turned off by the article.

      I guess it seems kind of hokey. The guys who KNOW security tend to not be so outward about it.
    • Re:Is this a joke? (Score:4, Informative)

      by scubacuda ( 411898 ) <<moc.liamg> <ta> <aducabucs>> on Thursday May 08, 2003 @11:42PM (#5916487)
      Here [razorpointsecurity.com] are their whitepapers.

      Kinda boring, actually...
      • Re:Is this a joke? (Score:5, Insightful)

        by ipfwadm ( 12995 ) on Friday May 09, 2003 @12:00AM (#5916551) Homepage
        Here are their whitepapers.
        Kinda boring, actually...


        My favorite was the ports list. It started out as a nice copy of /etc/services. The good part is the last third, the "Security Backdoor/Trojan Ports." I learned that ports such as 21, 22, 23, 25, and 80 are "hostile ports" that are "mostly used for backdoor or trojan programs." I can just see some management cl00bie saying "oh shit, our webserver is listening on port 80, we must have been hacked!" Though I suppose given sendmail's security history, maybe it should be considered a backdoor ;-)
        • No kidding.

          I hang out on the cisco's firewall support board. Some guy wanted to know how to stop people via his PIX from being able to telnet into port 25 and type commands like "mail to", "helo", etc. to his mailserver. Yikes.

          ostiguy
    • by scubacuda ( 411898 ) <<moc.liamg> <ta> <aducabucs>> on Thursday May 08, 2003 @11:44PM (#5916495)
      Recognized that maybe real security firms don't market themselves on "white hats staying ahead of the evil hackers" hype?

      Maybe the title should instead be "White Hat Hacker Breaks Wind"

    • by twitter ( 104583 ) on Friday May 09, 2003 @12:30AM (#5916656) Homepage Journal
      An anonymous coward bitches and moans and asks, " Why is Slashdot posting advertisements from random security consultants?" He then points out how many smart people there are in New York City and concludes by asking, "Why are we supposed to be interested in this crap?"

      AC, there may be many bright people in New York, but you are not one of them if you overlook this. Some of us might be interesed in asking pointed questions that millions of people will see when the sit in on the USA Today chat this particular consultant is about to have. My questions are, "Would you recomend free software, such as Debian or Red Hat, on the desktop?" and "What makes Microsoft software so insecure?" Other people here could have better questions.

      I highly recomend everyone to go and post questions about free software solutions to security problems. The answers he provides will be seen by the chat crowd and may be turned into an article for printed USA Today. There are 750,000 Slashdotters all interested in free software and security? This interest should be reflected in the questions. Follow the link [usatoday.com] and submit as many good questions as you can think up.

      • "Would you recomend free software, such as Debian or Red Hat, on the desktop?"
        This is not relevant to a discussion about security. This is an attempt to slip ideology into a technical discussion. Back away.
        • "Would you recomend free software, such as Debian or Red Hat, on the desktop?"

          This is not relevant to a discussion about security. This is an attempt to slip ideology into a technical discussion. Back away.

          It's probably an inappropriate question only because it is too specific, imho. One of the first things I'd probably ask a guy or girl who is known for his experience and expertise in security would definitely be something along the lines of:

          "Given the increasing interest of the business world ab

      • IOW...

        Would you recomend free software if it were known to be coded by someone with a record of putting malicious back doors in their programs?? Even if they swear up and down that they're reformed and don't do such naughty things anymore??

        I know I'd look upon it with deep suspicion, at the very least. And not let it touch any computer other than a goat box.

    • I think you were a little harsh on this

      This isnt by any means groundbreaking but it is something that is a psdo-event in the security industry...this is not a random firm, it is a leading New York City firm...that being said, no they are not an national/international authority on the subject. This wouldnt be on the scale as something like phil zimmerman having an online chat about asyncronus encryption.

      However, it is an oppertunity for smaller people in the security community, and people who arnt
  • Morse Code? (Score:5, Funny)

    by sTavvy ( 669239 ) on Thursday May 08, 2003 @11:01PM (#5916325)
    "Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers " keep in mind things have changed a lot since he devoloped his 'code' sends out a "dot dot dot - dash dash dash - dot dot dot - i'm being hacked!!! " the first bit was SOS in morese code if you didn't know Steve
  • by Dag Maggot ( 139855 ) on Thursday May 08, 2003 @11:05PM (#5916344) Homepage

    Here is the text of a recent interview with the
    reclusive security wonk from Crain's New York Business.

    On the job with...

    Gary Morse
    Founder and CEO
    Razorpoint Security

    Keeping a company's computer systems and networks secure from intruders used to be the responsibility of mid-level IT managers. But after the Sept. 11 attacks, the job landed on the desk of company CEOs. Executives in all sorts of industries woke up to the fact that security--of everything from the front door to the mailroom PC--has to be a top management concern.

    The new consciousness has proved a boon for companies like Razorpoint Security, which was founded in Manhattan in 2000 and saw its business take off after the attacks. Razorpoint tests just how secure a company's network is by trying to hack into it. The company then does the follow-up work of fixing problems and performing regular network audits. Crainsny.com's Judy Messina talks with Razorpoint founder and CEO Gary Morse.

    Crainsny.com: Describe what Razorpoint does.

    Gary Morse: In the simplest terms, you can think of us as professional hackers. We're tech professionals who in the past have built large-scale networks, including major sites on the Internet. That helps us know where the pitfalls in systems are and how to break things. Once we find vulnerabilities, we demonstrate them in a very comprehensive report. If we're able to crack passwords, for example, we'll show the list of passwords or a screen shot of them. We want to drive the point home.

    Then, one of the three things happens. The company has trained staff who are capable of fixing the problems and they use our report as a roadmap. Others ask us to do the remediation for them. In the third category, and this is coming up more and more, is the client who is overwhelmed and understaffed, and we go in and act as their temporary IT security arm for a while.

    Crainsny.com: How do you convince executives that their networks are vulnerable?

    Gary Morse: At one firm half the executive board wanted to bring us in and the other half was on the fence. They had all the buzzwords, the firewalls, all the security products you're supposed to have. But when they finally hired us, in less than one week we had control of every device on their network - every server, every desktop computer, every laptop. We even logged on to the system as the president and we wrote an email in his name. The screen shot of that email was one of the prominent pieces in our presentation to the executive board. We had to break the report in two pieces it was so big.

    Crainsny.com: What are the most common holes you find in computer systems?

    Gary Morse: There's everything from the seemingly insignificant to the colossally devastating. You can have a poorly configured web server or mail server sitting next to a server with financial information. One time, we found a fax machine talking to a phone system so that a document on somebody's work station was being sent over the network as if it were being faxed. Somebody had set up the connection and forgot about it.

    Crainsny.com: What do companies need to do to make their systems secure?

    Gary Morse: They need to think about what services they truly need in order to be online. Security is a process not a product. There is no shrink wrapped thing you take off a shelf and install. New vulnerabilities are coming out every hour.

    Crainsny.com: What changes did you see after 9/11?

    Gary Morse: We saw more security awareness. The bar was raised quite a bit. People who had been on the fence about doing regular security audits were certainly calling us a lot more than we were calling them. The year 2002 was a big year for us. We grew roughly 300%.

    Crainsny.com: You said new vulnerabilities are surfacing every day. What should companies be preparing themselves for?

    Gary Morse: Web and web application vulnerabilities and wireless security issues are going to be concerns. In the past year, a lot of w

    • by Anonymous Coward on Thursday May 08, 2003 @11:53PM (#5916527)
      Ok, I may be being dense, and I expect some flameage if I am. 9/11 had lots to do with unsecure aircraft. It had lots to do with media sensationalism. It even had lots to do with structural design! But please explain wtf it had to do with unsecure networks? Did the terrorists hack to get their plane tickets? I know they didn't need to hack to plan it cause the airlines publish their flightlists and times. I know, they hacked their way into flight school right? This assclown is playing on peoples fears and its intensly disgusting. The reason he doesn't have any hackers "from the cold" is that most of them have morals and would refuse to work for one displayed such a gaping lack of them. I hope he gets hacked and they report his REAL earnings to the IRS....
      • by Ethelred Unraed ( 32954 ) on Friday May 09, 2003 @03:15AM (#5917074) Journal

        IANASC (...security consultant), but ISTR that many firms in the WTC were foolish enough to have the "backup" systems...in the other tower. IOW they assumed that if one tower went blooey, the other one would still be there. So much for redundancy.

        The point is physical security, not network security. It's kind of like having all your backup CDs in the same room (or building!) as your computer. Fire, fire, oops, it's all gone.

        Also, ISTR that in some cases, with the loss of systems in the WTC, financial networks were left in a state of chaos -- perfect time to be hacked, really.

        Cheers,

        Ethelred

        • IANASC (...security consultant), but ISTR that many firms in the WTC were foolish enough to have the "backup" systems...in the other tower.

          Scold them all you want with the benefit 20/20 hindsight, but I'm guessing that if someone told you on Sep. 10 that this scheme was unsecure because both towers were going to be levelled, you would have laughed him out of the room. Just like everyone else in the world.

          • Scold them all you want with the benefit 20/20 hindsight, but I'm guessing that if someone told you on Sep. 10 that this scheme was unsecure because both towers were going to be levelled, you would have laughed him out of the room. Just like everyone else in the world.

            Except that the WTC had been the target of terrorist attacks before, with the goal of toppling (or at least damaging) both towers. If someone had suggested the idea before the first attack, then yes, I'd have been skeptical.

            Cheers,

            Ethelr

        • Foolish? Oh come on, who thought BOTH towers would go down after a terrorist attack? And they save money by not having to maintain a remote location and while using the same staff. If you're Citibank, or Chase Manhattan, yes it would have been stupid. (And note, neither had that arrangement.) But a mid-sized investment firm? Who's got money to throw around for a backup control center? Next you'll be telling me that a Wall Street trading firm should have their backup site in London, England, because N
      • If you look at 9/11 as purely a terrorist act using airplanes, then yes, its facetious hyperbole. But you could have sat down and thought about 9/11 in a metaphorical context. It was a tragedy that could have been avoided and was not because of careless complacency; now the statement makes more sense. I'm sure large companies started to realize they could be next in line. Also, I'm sure he's telling the truth that after 9/11/01, the computer security business skyrocketed. There were many news articles talking about computer "terrorists" infiltrating computer infrastructures to sabotage public works, or even the internet itself. Its hardly fair to castigate a guy for reciting fact.

        Normally, I would agree with your assessment of Morse a fearmongering assclown. Except, I know that computer security is thought of as a joke, never taken seriously, and worst of all, procedures and tools are put in place by people who really do not understand the nature of system security. It is the digital equivalent of a 9/11, except its unlikely to have quite the same repercussions. There is nothing moral about a hacker that chooses not to work in computer security because they think that the act of preventing illegal hacking into systems is somehow wrong. In the real world, people work for employers they don't like. To not support their families is irresponsible and childish.
      • by albanac ( 214852 ) on Friday May 09, 2003 @06:49AM (#5917528) Homepage Journal
        Ok, I may be being dense, and I expect some flameage if I am. 9/11 had lots to do with unsecure aircraft. It had lots to do with media sensationalism. It even had lots to do with structural design! But please explain wtf it had to do with unsecure networks?

        It didn't have anything *directly* to do with insecure networks, that I've ever heard about. However, the date 9/11 had a great deal of indirect effect on security consultants. Security/anti-terrorism/stopping people from kicking your ass has become *the* most discussed concept in the western world since that date. The Office of Homeland Security. Iraq represented a threat to US Security. Hackers present a Security threat. Apologies for sounding like Illiad but that's what has actually happened in the public eye over the last two years. The profile of security as a profession has gone through the roof.

        I imagine that is why they asked the question.

        ~cHris
  • by Anonymous Coward on Thursday May 08, 2003 @11:13PM (#5916381)
    he is an expert in attack/penetration testing
    Um...was he ever in jail? :-D tat tat ta
  • by supz ( 77173 ) on Thursday May 08, 2003 @11:21PM (#5916412) Homepage
    The comment for the story says: "Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."

    Does anyone have any links regarding that? I read the link in the story, and all it gives is some very brief information. I'd just like to see the guys reasoning for not hiring "hackers who have come in from the cold."
    • by freeweed ( 309734 ) on Thursday May 08, 2003 @11:33PM (#5916457)
      His reasoning is probably the same as why you need a criminal background check to do almost any real-world security work (ie: non-computer related).

      Want to be a security guard? Nope, sorry, not if you have a B&E record. Want to be a police officer? Couple of murder convictions? I don't think so. And so on.

      The rest of society has already figured this out. Ex-criminals can be useful for information, but it's not very often that they get put into positions of *trust*. I sure wouldn't want someone who's already proven their disregard for security controls designing them.
      • by shamilton ( 619422 ) on Thursday May 08, 2003 @11:59PM (#5916546)
        A B&E record only lasts seven years (IIRC) so it seems that society has actually figured out that people CAN turn around. People CAN grow up. Amazing eh?

        Furthermore, the hacker who grew up retains his knowledge. The hacker who has never broken into a Real System cause mommy said she'd take away his computer privileges simply cannot know all the details.

        How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.

        All but the stupidest of employers care vastly more about experience than education.
        • That's positively absurd logic. That's like saying the people who design home security systems for a living should have been criminals at some point in their lives. Or that people who design buildings should have experienced structural collapse, just so they know what it feels like and they don't screw it up.

          See, in humans, we've got this thing called language, which can be used to symbolically represent situations. We've also got this new concept called "imagination".

          I don't know, but I think you'd have
          • True, however, I belive that if someone has had these mishaps would be more experienced and better suited to see that it doesn't happen again.

            There are in fact, lots of people who commit crimes that go on in thier lives to council others. Often people who have done something wrong and have turned thier life around, are the best people to council others who are trying to turn thier lives around.

            I don't believe that anybody is saying that it's a requirement to do something wrong, to be good at correcting it
        • by freeweed ( 309734 ) on Friday May 09, 2003 @12:22AM (#5916625)
          A B&E record only lasts seven years (IIRC) so it seems that society has actually figured out that people CAN turn around. People CAN grow up. Amazing eh?

          Yup, some people CAN change. Fact is, most crimes are commited by repeat offenders. Most people DON'T change, and have fun applying for the CIA job with your supposedly-erased-due-to-it-being-7-years-old criminal record.

          The hacker who has never broken into a Real System cause mommy said she'd take away his computer privileges simply cannot know all the details.

          How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.


          Now come on, grow up. You want to break into a system? Set one up. Crack it. Next, get a friend to set one up, not tell you what he did, then crack it. And so on. You want to elude detection? Install Snort, and try to elude it. Etc.

          You don't think Locksmiths are trained for their job by breaking into unsuspecting homeowners, do you? Or alarm companies enhance their products by comitting B&Es?
          • You and this post's uncle make about the same point, but you're missing mine. I'm not saying you HAVE to have been a black hat to be a good white hat. I'm saying, if you were a black hat, you are in every way better off than if you have always been a white hat. You've seen both sides of things. You know the mentality.

            There are also heuristics: the desire to break into systems, to trespass and have the rules not apply, are going to go hand in hand with somebody who puts huge amounts of effort into learning
          • Uhm, we are talking about breaking into computer systems here. We aren't talking about repeat rapists and repeat murders. Violent offenses are usually the ones which are reapeated the most, and most violent offenders have serious mental, or psychological issues.

            Usually people cracking computers aren't doing it because they were victimized, or because of some trauma, which is mostly true for violent criminals. They do it for the thrill, or for the knowledge, or just because they want to know whats on the ot
            • "Besides, setting up your own system to break into? Isn't that the same as picking someone elses system to break into?"

              Not at all, if you really think so, then you have a view very contrary to popular morality, and legal morality. I can shoot and kill someone with a gun, but in one situation walk away a hero, and in another go to jail as a murderer. Suppose:

              I am walking along, armed. I decide to turn down a back alley, there is a man and a woman there, the man has one arm around the woman. The man is also
          • You don't think Locksmiths are trained for their job by breaking into unsuspecting homeowners,

            They don't, because their job is not to ensure physical security on a site. Its to install locks. And shockingly, they spend a good chunk of their time breaking into safes, cars, and buildings. Sometimes people lock themselves out, or don't possess combinations or keys.

            Or alarm companies enhance their products by comitting B&Es?

            They do, but usually in their own labs. But I'm sure at a large, e

        • by @madeus ( 24818 ) <slashdot_24818@mac.com> on Friday May 09, 2003 @07:15AM (#5917633)
          How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.

          Utter garbage.

          That is completely analogous to saying only a burglar could design a security system, which is the point an earlier poster was making.

          There is phrase 'send a thief to catch a thief', which makes for a good Hollywood script, but this is not good everyday practice, which the rest of the world has already worked out. The idea behind the phrase is that the a thief has information that can be useful in catching another thief, but thieves make VERY bad policemen.

          Being a hax0r does imbibe you with any knowledge of how to develop secure systems. In the same way that being a successful scam artist does not put you in a good position to design a more secure credit card. Most crackers have no knowledge of using secure systems, break ins that occur usually down to trivial holes, which all non-security orientated developers know how to fix (and code against), these holes occur simply because best practices are not always followed.

          Commercial systems designed with security in mind (e.g. trusted operating systems, encrypted networks, systems that use seperate signed keys for all inter-process and inter-host transactions, networks that have hard-wired one way Ethernet links) tend to cost many hundreds of thousands of dollars to build, and require a team with a strong mix of OS, Software Development and Networking knowledge.

          Knowing how to defeat a burglar alarm system is a far cry from knowing how to build one, just as knowing how to write microcode to exploit a buffer overflow is a far cry from knowing how to write and develop for a secure environment.

          All but the stupidest of employers care vastly more about experience than education.

          Crackers break into secure software, they don't have experience in designing secure software. They would make awful systems that would be just a vulnerable but in different ways - developing secure solutions requires a design approach that bears this in mind.

          Serious crackers are *not* suitable canidates for security experts.
      • Ever see the movie "Catch Me If You Can"? If not, I suggest you find out about the person the movie was based on and you'll see why your wrong. I will never believe that a person that has done bad things in the past will always be that kind of person (unless they are mentally ill).
      • The rest of society has already figured this out. Ex-criminals can be useful for information, but it's not very often that they get put into positions of *trust*. I sure wouldn't want someone who's already proven their disregard for security controls designing them.

        It's not quite that simple. The reason you don't hire a hacker to be a security consultant or a bank robber to be a security guard is that the connection between the two, in terms of the skills required, is tenuous at best. Yes, a cracker will
    • For the ignorant me. What is the definitition of "coming in from the cold"?
    • The Razorpoint website [razorpointsecurity.com] doesn't help either. The only mention of the word "ethic" is applicants need a good work ethic...

      "Razorpoint is always interested in the best and brightest in the technology security field. If you have five to ten years of hands-on, real world experience, we may have a place for you.

      Smart, skilled and self-motivated professionals are desired in the following areas: Security Auditing, Sales/CRM, Firewalls & Intrusion Detection Systems, Application Development, Systems & Net

    • Does anyone have any links regarding that? I read the link in the story, and all it gives is some very brief information. I'd just like to see the guys reasoning for not hiring "hackers who have come in from the cold."

      Same reason the rape crisis center isn't returning calls from Mike Tyson.
  • by danielrm26 ( 567852 ) on Thursday May 08, 2003 @11:30PM (#5916447) Homepage
    The idea that people can accurately make a decision on whether or not someone is going to be a quality employee based on whether or not they have done some Blackhat-oriented activities in the past is ludicrous.

    It totally depends on the situation. Some people did very illegal things that hurt no one, others did not get caught doing much of anything, have a far cleaner record, and shouldn't be let within 50 miles of a Security operation.

    Moral issues are always complex. All people being looked at for a sensitive position, regardless of history, need to be looked at on a case by case basis. Of course someone's past should be taken into consideration, but an in-depth interview and background check is far more productive than simply writing people off based on a title that they may have had at one point in their lives.
    • I'm not sure I agree with you.

      I think you're adopting a point of view like this: trait consistency is better explored through interview and business conversations than it is through similar situations in the past.

      I think that point of view is wrong.

      Personally, I'd be looking for honest and repuutable in a Software Engineer to protect my business, and an interview might not tell me that. Background checks are little more than a formality these days - there's very little one can do about making sure someon
  • by Max Romantschuk ( 132276 ) <max@romantschuk.fi> on Thursday May 08, 2003 @11:40PM (#5916484) Homepage
    It's cracker dammit...
  • by euxneks ( 516538 ) on Thursday May 08, 2003 @11:54PM (#5916532)
    Look forward to script kiddies among others trying to hack the broadcast to gain noteriety.

    I think this will be interesting to watch too.
  • White hat? (Score:2, Funny)

    by Ballresin ( 398599 )
    So is there a similar type of thing going on with hackers as there is with general employment?

    White Hat Hackers
    Blue Hat Hackers
    Labor Union Hat Hackers
    Slave Labor Hat Hackers?

    (Refering to the entire "white collar" idea...)
  • Cracker (Score:2, Informative)

    by mikeg22 ( 601691 )
    The word is "cracker" not "hacker" I'm neither but at least I know the difference. Thanks a bunch.
  • by Anonymous Coward on Friday May 09, 2003 @12:37AM (#5916677)
    The 2 most overrated fields in IT are definatly

    1) Security

    2) Video Games

    Both are fucking boring as fuck. I know every kid these days goes into college dreaming of becoming a leet d00d with his Information Systems degree and become a uberleet securitah master. Either that or they want to get a CS degree and then instantly get the job they are guaranteed as a code monkey for some video game firm (shea).

    Both of those fields fucking suck. Security, once you leave the leet hacker intrigue CIA espionage fantasy shit back in the dorm after you graduate you'll realize what you do is fucking boring ass shit thwarting scumbag employees and stupid script kiddies. Ooohhh FUN! And guess what in the video game industry you don't actually play the god damn games you just code monkey it up for the designers, JUST ANOTHER CODING JOB. BORING.

  • So I did some checking. A google for razorpoint security [google.com] got 63 matches. Almost every one that was actually talking about the company was also listed on the news page at razorpointsecurity.com [razorpointsecurity.com]. Every single one of them is a small blurb from Gary Morse. A google for razorpoint security -"gary morse" [google.com] got 41 matches, which fell into the categories 'unrelated' (the majority), and 'links to razorpoints website' (maybe 5). So it appears he's got a one-man company.

    From those articles, his qualifications seem to consists of 'Runs netstumbler (or something similar) on a zaurus, knows the basics of making strong passwords, and reads press releases from real security companies.' Which, admittedly, makes him better than half the corporate IT world, but still isn't exactly impressive,

    So then, out of curiosity, I checked the domain of 'Flackboy Kevin', the submitter of this story. His email is at yeahwhatever.com [slashdot.org], which points to something called 'RLM'. RLM is a PR agency. And guess who's on their clients list. That's right, Razorpoint Security. (They're listed under 'Professional Services' instead of 'Technology', if you're looking.)

    So, with that in mind I've come up with this basic plan for making yourself an internet security 'expert':

    1. Buy a Zaurus
    2. Run Netstumbler (or kismet or wellenreiter or whatever.) on it. You have now completed the 'Wireless Security' qualification.
    3. Learn to use nmap, SATAN, and maybe a couple other vulnerability scanners. (Optional, but makes your reports more impressive.)
    4. Read a few security articles. You have now completed the 'LAN Security' qualification.
    5. Read security company's press releases. (Gary chose Checkpoint.) You have now completed the 'Security Industry Expert' qualification. (If you have completed all 3 qualifications, you are permitted to claim '20 years experience.')
    6. Make up impressive sounding business experience. (To make this seem less suspicious, and unverifiable, use nameless industry descriptions like 'multi-national european information network' and 'international transportation industry'. Or claim secret government work, that's sufficiently unverifiable.)
    7. Hire a PR firm to drop your name to news agencies. It would be better if you hired one smart enough not to astroturf using a domain that points to their website.
    8. Profit?

    Now, I could be totally off base and he could be the be-all-end-all of security for all I know, but he sure as hell doesn't come across that way.

    • Very nice. Mod up. (Score:3, Interesting)

      by Adam9 ( 93947 )
      After reading some of the other posts of skepticism, which made me skeptic, you definitely confirmed it. Very nice. I thnik that whole "secrecy" of the company that the submitter claimed is a cloud of smoke. If I had mod points I'd start overrating the posts above this and mod'ing this up.
    • by MickLinux ( 579158 ) on Friday May 09, 2003 @01:46AM (#5916841) Journal
      This is indeed interesting, especially since if he is setting all this up, he already knows how to work the marketing system. Also, it implies that he must already have money, from some other source. If he knows that, then the question is, what is that source, and what is his purpose?

      Since he's trying to gain publicity as a "security expert", it would seem that his purpose is publicity in the security field. That, in turn, is a political goal.

      So then we need to ask, what political goals, involving security, would he be after? Would this be new laws? How about a cushy government contract, a la Schindler in Schindler's List? To find this information out, one again needs to look at the source of the money with which he hired the PR firm.

      Anyone familiar enough with the web and obtaining informaton, willing to search out a bit more info, and speculate?
    • by iamdrscience ( 541136 ) on Friday May 09, 2003 @01:52AM (#5916864) Homepage
      Holy shit. It's posts like that that make me wish post scores on slashdot could go up past 5 to point at which your post becomes a giant flashing self respawning pop-up on the main page requiring everybody who visits slashdot to read it.
    • by Anonymous Coward
      Looks like Kevin could be the same person at this url: http://www.yeahwhatever.com/who_we_are/index.php?i d=15 [yeahwhatever.com]

      If you want his phone number, you're going to have to google it yourself. Nice PR coup, though. But I'd be pissed off if I was tricked like that.

    • by Anonymous Coward on Friday May 09, 2003 @02:33AM (#5916988)
      Yes, this guy is almost certainly a fraud. Now, why not see if we can get the real story posted hear on slashdot. The real story of course being that this guy was able to set up a USA today online chat, an interview with Crains, and get a story about him posted to slashdot, all apparently with no verifiable credentials of any kind. I have already submitted the story to slashdot, I suggest you all do the same.
    • Note that in addition to all of the things that you checked out (which I verified -- anyone who doesn't believe Jade E. 2 can verify this information for themselves) there is NO Slashdot user by the name of 'Flackboy Kevin'. This can be easily verify by checking the URLs http://slashdot.org/~Flackboy%20Kevin [slashdot.org] and http://slashdot.org/~FlackboyKevin [slashdot.org] (the second one's just for good measure).

      Which leads to me to believe that Slashdot is getting paid to run this article, which is, in effect then -- spam. Now I'm not going to outright accuse them, but you gotta admit this is rather suspicious, guys.

      Any of the /. editors care to elaborate on this?

      • by kill-hup ( 120930 ) on Friday May 09, 2003 @07:48AM (#5917781) Homepage
        The part about no such Slashdot user is easy to explain. When you submit a story, the system asks you for your name and a URL/Email address. When (if) the story gets posted, it is these valued that appear in the "So-an-so writes:" lead.

        One of my earlier issues with this is that it's simple to impersonate someone else (ie: post a pro-Microsoft story as a user who's known for being anti-Microsoft).

        Anyway, this could be one giant astroturf sessions but it's not certain that the Slashdot editors are in on it.

    • by Eric Savage ( 28245 ) on Friday May 09, 2003 @07:56AM (#5917819) Homepage
      The sad thing is that the work Jade E. 2 just did is more than what is required to break into alot of networks out there.
  • I just hope this might go someway of educating people about why hackers can be good as well as bad Normal Joe Bloggs on the street considers hackers to be bad and breaking into systems, stealing details etc. However they don't tend to realise that people who find these security holes that are patched normally have to have the same skill set.

    I'm a strong believer in that to know how to defend you know how to attack. This is a nice example of that

    R.
  • by Andrew Lockhart ( 4470 ) on Friday May 09, 2003 @02:13AM (#5916923) Homepage
    Eerily this Gary Morse guy reminds me of John Vranesevich [antionline.com].
  • by Anonymous Coward on Friday May 09, 2003 @07:33AM (#5917714)
    The idea of discriminating due to previous hat color
    is apalling. I used to be a black hat. I have penetrated corporate america and then some. I have
    exploited entire countries. I never went out of my
    way for publicity, but some of my exploits were
    publicized. I was quoted in a few places. This was
    all when I was younger, and not so wise.

    I changed.

    There is no money in staying a black hat. Eventually, everyone has to eat. The love of the
    game never dies, but you have to face reality. I work for a very successful company doing security.
    I have taken their policy and general operation
    and turned it around in the realm of security. I enjoy my job, it stimulates me, and while they have a good idea of my past, they are cool with it, because they pay me to help protect them from what I used to be. I grew up.

    This man who does not hire previous black hats isn't trying to make a statement; he just doesnt want to be upstaged. The only way to be very good at security, is to once have been on the black side of the fence. There are no college credits for exploitation and penetration; these are skills that must be learned under the gun. I have no respect for this man, as his message is wrong. He knows that his livelyhood depends on black hats exploiting systems, so he will not ever give one a chance to change his colors. They will be forced to get a different kind of job, and will stay as a black hat because its the only stimulation they will get.

    At least wait until the trial is over and then decide if one is worthy of employment.

    For the record, I was never raided or tried in anything, this does not make my once black hat status right, its just the way the chips landed.
  • by Anonymous Custard ( 587661 ) on Friday May 09, 2003 @07:56AM (#5917813) Homepage Journal
    From USA Today: Chat with Gary about keeping your computer safe from hacking and viruses.

    Yeah, I'm sure Manhattan's uber-elite white hat hacker wants to spend his time answering questions like "I can't find my email. Did a hacker take it, or does my computer just hate me?"

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...