Slashdot Mirror


White Hat Hacker Breaks Silence

Flackboy Kevin writes "The nation's hackers are about to come out of their shells on Friday as one of the most notorious 'good guys' in Manhattan makes a rare-yet-cyber public appearance on USA Today's online chat. Gary Morse, Manhattan's white hat hacker and good friend of every Chief Security Officer in the financial world, agreed to an online chat regarding security. Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies, does not employ hackers who've decided to come in from the cold."


  1. Is this a joke? by Anonymous Coward · · Score: 5, Insightful
    Why is Slashdot posting advertisements from random security consultants?

    Do Slashdot editors realize how many security consultancies there are in New York City, even leaving out the credible names like @Stake and IBM?

    Do Slashdot editors honestly believe that major financial firms in NYC don't already have a track record of hiring and retaining exceptional security engineers? Do they honestly believe that a major financial needs Gary Morse to tell them what a firewall does for them?

    Haven't the Slashdot editors ever seen that silly flash video with "Kimball" and "Dataprotekt"? Heard about the subsequent investor fraud story? Recognized that maybe real security firms don't market themselves on "white hats staying ahead of the evil hackers" hype?

    Did the Slashdot editors think of visiting Razorpoint's website, where we find white papers with scintillating security insights like "security is a process" and "here's how to read a CIDR address"? Or notice the lack of advisories, research papers, or bios of credible security researchers on the site?

    Maybe these are smart people. Maybe they secretly have Citicorp and Bank of America on their client list.

    Or maybe they're just a bunch of wannabes.

    Why are we supposed to be interested in this crap?

    1. Re:Is this a joke? by ipfwadm · · Score: 5, Insightful

      Here are their whitepapers.
      Kinda boring, actually...


      My favorite was the ports list. It started out as a nice copy of /etc/services. The good part is the last third, the "Security Backdoor/Trojan Ports." I learned that ports such as 21, 22, 23, 25, and 80 are "hostile ports" that are "mostly used for backdoor or trojan programs." I can just see some management cl00bie saying "oh shit, our webserver is listening on port 80, we must have been hacked!" Though I suppose given sendmail's security history, maybe it should be considered a backdoor ;-)

  2. Not a simple choice... by danielrm26 · · Score: 5, Insightful

    The idea that people can accurately make a decision on whether or not someone is going to be a quality employee based on whether or not they have done some Blackhat-oriented activities in the past is ludicrous.

    It totally depends on the situation. Some people did very illegal things that hurt no one, others did not get caught doing much of anything, have a far cleaner record, and shouldn't be let within 50 miles of a Security operation.

    Moral issues are always complex. All people being looked at for a sensitive position, regardless of history, need to be looked at on a case by case basis. Of course someone's past should be taken into consideration, but an in-depth interview and background check is far more productive than simply writing people off based on a title that they may have had at one point in their lives.

    --
    dmiessler.com -- grep understanding knowledge
  3. WTF did 9/11 have to do with unsecure networks??? by Anonymous Coward · · Score: 5, Insightful

    Ok, I may be being dense, and I expect some flameage if I am. 9/11 had lots to do with unsecure aircraft. It had lots to do with media sensationalism. It even had lots to do with structural design! But please explain wtf it had to do with unsecure networks? Did the terrorists hack to get their plane tickets? I know they didn't need to hack to plan it 'cause the airlines publish their flightlists and times. I know, they hacked their way into flight school, right? This assclown is playing on people's fears and it's intensely disgusting. The reason he doesn't have any hackers "from the cold" is that most of them have morals and would refuse to work for one who displayed such a gaping lack of them. I hope he gets hacked and they report his REAL earnings to the IRS....

  4. Use your brain, please. by twitter · · Score: 5, Insightful
    An anonymous coward bitches and moans and asks, "Why is Slashdot posting advertisements from random security consultants?" He then points out how many smart people there are in New York City and concludes by asking, "Why are we supposed to be interested in this crap?"

    AC, there may be many bright people in New York, but you are not one of them if you overlook this. Some of us might be interested in asking pointed questions that millions of people will see when they sit in on the USA Today chat this particular consultant is about to have. My questions are, "Would you recommend free software, such as Debian or Red Hat, on the desktop?" and "What makes Microsoft software so insecure?" Other people here could have better questions.

    I highly recommend everyone to go and post questions about free software solutions to security problems. The answers he provides will be seen by the chat crowd and may be turned into an article for printed USA Today. There are 750,000 Slashdotters all interested in free software and security? This interest should be reflected in the questions. Follow the link and submit as many good questions as you can think up.

    --

    Friends don't help friends install M$ junk.

  5. Sensible position, whether or not claim is true by MickLinux · · Score: 5, Insightful

    Listen, his position of not hiring ex-black-hats makes a ton of sense, whether or not ex-black-hats are the best at detecting security flaws.

    A person who has been a black hat has been so, specifically because they did not have the moral fortitude to remain on the white side. Now, that can change when there is a profound revelation [Dr. Laura Schlessinger], or when there is a ton of incentive [G.W. Bush], or because they were caught and decided the price was too high [many haxors who have been caught flip in this way] or it can appear to change when convenient [psychotics.]

    But the fact is, you don't really know why it changed, and therefore you don't really know if it changed. So you don't let ex-black-hats work for your company, period.

    Now, if a black hat did have some profound change, that doesn't mean that there isn't work for him. Assuming that it is not prohibited by court order, he can start donating information to the security watchdog groups, and they can verify the information on their own. If it is illegal for them to be using the internet or interfacing with computers, they can wait until it is again allowed. Or they often can instead put their skills to use building new systems, or writing code for a supposedly secure system -- on paper.

    Anyhow, I have no idea whether the claim is true or untrue, that ex-black-hats make good white hats. But Morse's position makes a lot of sense.

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
    1. Re:Sensible position, whether or not claim is true by merlyn · · Score: 5, Insightful
      So what do you do with someone like me, who is arguably (and been accepted for the most part as) a white hat, and yet has been convicted under what some would argue are messed-up laws as if a black hat?

      Would you hire me?

      Or would you merely stop at the apparent conviction as if that's the only ruling authority?