Slashdot Mirror


White Hat Hacker Breaks Silence

Flackboy Kevin writes "The nation's hackers are about to come out of their shells on Friday as one of the most notorious 'good guys' in Manhattan makes a rare-yet-cyber public appearance on USA Today's online chat. Gary Morse, Manhattan's white hat hacker and good friend of every Chief Security Officer in the financial world agreed to an online chat regarding security. Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."

14 of 374 comments

  1. How sad. by Anonymous Coward · · Score: 4, Interesting

    Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."

    He's not well regarded because he's good at what he does, or because he's good at what he does without catering to the overused claim that ex-hackers are best suited at protecting systems?

    Frankly I find him a breath of fresh air.

  2. Re:well by gotscheme · · Score: 3, Interesting

    That's just the thing, though, that I try to explain to my friends. When hackers hold a security person in high "disregard", it isn't that they dislike them. They really respect people like Morse because he gives them exactly what they want: a challenge. On the other hand, script kiddies dislike Morse because he makes sure they have to actually use intelligence to execute an attack on public networks.

  3. Won't employ hackers? by supz · · Score: 4, Interesting

    The comment for the story says: "Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."

    Does anyone have any links regarding that? I read the link in the story, and all it gives is some very brief information. I'd just like to see the guy's reasoning for not hiring "hackers who have come in from the cold."

    1. Re:Won't employ hackers? by daveodukeo · · Score: 2, Interesting
      The Razorpoint website doesn't help either. The only mention of the word "ethic" is applicants need a good work ethic...

      "Razorpoint is always interested in the best and brightest in the technology security field. If you have five to ten years of hands-on, real world experience, we may have a place for you.

      Smart, skilled and self-motivated professionals are desired in the following areas: Security Auditing, Sales/CRM, Firewalls & Intrusion Detection Systems, Application Development, Systems & Network Administration (heterogeneous environments only, no "one OS wonders" please).

      Applicants must be U.S. citizens or already have a green card, have excellent communication skills (written and presentation) and provide a track record and references that illustrate an outstanding work ethic and past career successes."

    2. Re:Won't employ hackers? by LamerX · · Score: 2, Interesting

      True, however, I believe that someone who has had these mishaps would be more experienced and better suited to see that it doesn't happen again.

      There are, in fact, lots of people who commit crimes and go on in their lives to counsel others. Often people who have done something wrong and have turned their life around are the best people to counsel others who are trying to turn their lives around.

      I don't believe that anybody is saying that it's a requirement to do something wrong to be good at correcting it. They are just saying that typically the person who has done the wrong is better at knowing how to prevent it, because they've had the experience and feel of what the problem was, not had someone tell them what the problem was.

      That's the problem with language. You can describe things until you're blue in the face, but you can't ever completely recreate the feelings and surroundings of a situation with your words. Language is always an interpretation, and everyone's interpretation is always different, which is what makes the real experience better.

  4. Re:This guy has no proper java experience by Nataku564 · · Score: 2, Interesting

    Remember people, CAPS LOCK does, in fact, make you smarter. I work at an investment firm in Milwaukee. Most of our computers run Windows. However, the main application that the traders use is, in fact, written entirely in Java. The operating system has not limited our ability to use competitors' products in the slightest. We have .NET apps in production right alongside the Java-based applications. Now if, on the other hand, you mean that Microsoft restricts its tools to its own OS ... well then I fail to see your point. We don't expect Ford to make parts that fit in a Toyota as well. I find it interesting that you choose to find one of the more obscure points in the article and turn it into the start of an MS vs Java offshoot, which is hardly what this article is about. JavaMonk indeed :)

  5. Re:Please mod this up... by paganizer · · Score: 4, Interesting

    Thanks! I was trying to think of who this reminded me of; Steve Gibson in a Nutty shell (bash flavored).

    I do not doubt that there are people out there who have never broken any laws and are decent, if not excellent, security types.
    However, since it's been illegal to do ANYTHING with a computer since the DMCA and Patriot Act came out, that type of expert is obviously a breed rapidly approaching death.
    If a person is acquiring security skills in this day and age, that person is in the law's eyes a black hat.

    --
    Why, yes, I AM a Pagan Libertarian.
  6. It had a lot to do with it... by Ethelred+Unraed · · Score: 4, Interesting

    IANASC (...security consultant), but ISTR that many firms in the WTC were foolish enough to have the "backup" systems...in the other tower. IOW they assumed that if one tower went blooey, the other one would still be there. So much for redundancy.

    The point is physical security, not network security. It's kind of like having all your backup CDs in the same room (or building!) as your computer. Fire, fire, oops, it's all gone.

    Also, ISTR that in some cases, with the loss of systems in the WTC, financial networks were left in a state of chaos -- perfect time to be hacked, really.

    Cheers,

    Ethelred

    --
    Everyone wants to be Ethelred. Even I want to be Ethelred.
  7. Re:So what are the underrated ones? by Fizzl · · Score: 4, Interesting

    Do you actually work in the real world?

    Remember, McDonalds doesn't count as we are talking about IT.

    CodeMonkey job at video game firm might be boring. Don't know. Don't know anyone personally working in that field. Database app codemonkeying was interesting for as long as I had problems. It got extremely tiresome when I got stuck in the "support" phase.

    If you like to trace raw HD dumps and crack crypto to reveal the originator of an intrusion, then the security sector might be just for you. Done that twice. Once with my own box that got rooted, once with the company's server. Both just out of sheer curiosity on my own time, because I find the above mentioned things interesting and intellectually challenging. Of course, once I got good at it, I'd prolly get bored of that too.

    You don't state what you do for a living. Or even what you'd like to do and what you might find interesting. I have found out that I get bored of one labour pretty quickly.

    If you are like me, go work for a contracting firm. I like this. Once I get bored with one job, I just tell that to my superior and we will negotiate another place to work for me.

    So far I have had just short contracts, varying from 3 months (porting Symbian code from one device to another) to 2 years (my current job as a software integrator).

    You also get an impressive resume quickly ;)

  8. Re:Is this a joke? by the-dude-man · · Score: 2, Interesting

    I think you were a little harsh on this.

    This isn't by any means groundbreaking, but it is something that is a pseudo-event in the security industry...this is not a random firm, it is a leading New York City firm...that being said, no, they are not a national/international authority on the subject. This wouldn't be on the scale of something like Phil Zimmermann having an online chat about asynchronous encryption.

    However, it is an opportunity for smaller people in the security community, and people who aren't even in the security industry, to talk to someone who is, at least, a successful member of the community. A business executive will pay $5,000 to find out they need a Linux box with a NAT'ing firewall...I know...I've charged companies that much just to tell them that. So for some people, this is a major event to get free advice.

    If these people put Citicorp and Bank of America on their list of clients, and they weren't clients, there would at least be a public announcement from them that they do not have any affiliation....worst case...possibly a lawsuit.

    Also, don't expect a lot on a professional security firm's website....a website for a professional security firm has one purpose....attract clients...not divulge information...no firm is going to want any random script kiddy, or a black hat hacker scouting the security surrounding their target, to be able to find out whether or not they are a competent firm, or what areas of security they focus on. Personally, I consider it a disservice to clients to put loads of security information up onto a public website. The legitimate people who can deal with this data, and offer intelligent discussion on it, are going to find out and do it in the many security circles that exist.

    Moreover, many firms don't even divulge big things they have discovered to anyone. That's how they stay on top...they may be a security firm...but they are also a business...they don't exist to make the security world a better place...they are going to want to develop methods that no one else knows...they are then less likely to be broken...or copied by other firms...all of which leads to more money for the current firm. That being said, this would really only cover big things....for example, if iptables was found to have a vulnerability to exploit, and a firm found it and patched it, they would most likely not divulge this; they can make a lot more money by not divulging it than by running out in the open about it.

    And finally ...who cares? Well, a lot of people...personally, I am going to attend the chat just to listen and maybe do a little talking...it's an interesting thing for many people in the security industry....certainly worthy of the front page of Slashdot.

  9. Crackers do _not_ make good security experts by @madeus · · Score: 4, Interesting

    How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.

    Utter garbage.

    That is completely analogous to saying only a burglar could design a security system, which is the point an earlier poster was making.

    There is a phrase, 'send a thief to catch a thief', which makes for a good Hollywood script, but this is not good everyday practice, which the rest of the world has already worked out. The idea behind the phrase is that a thief has information that can be useful in catching another thief, but thieves make VERY bad policemen.

    Being a hax0r does not imbue you with any knowledge of how to develop secure systems, in the same way that being a successful scam artist does not put you in a good position to design a more secure credit card. Most crackers have no knowledge of using secure systems; the break-ins that occur are usually down to trivial holes, which all non-security-orientated developers know how to fix (and code against); these holes occur simply because best practices are not always followed.

    Commercial systems designed with security in mind (e.g. trusted operating systems, encrypted networks, systems that use separate signed keys for all inter-process and inter-host transactions, networks that have hard-wired one-way Ethernet links) tend to cost many hundreds of thousands of dollars to build, and require a team with a strong mix of OS, software development and networking knowledge.

    Knowing how to defeat a burglar alarm system is a far cry from knowing how to build one, just as knowing how to write microcode to exploit a buffer overflow is a far cry from knowing how to write and develop for a secure environment.

    All but the stupidest of employers care vastly more about experience than education.

    Crackers break into secure software; they don't have experience in designing secure software. They would make awful systems that would be just as vulnerable, but in different ways - developing secure solutions requires a design approach that bears this in mind.

    Serious crackers are *not* suitable candidates for security experts.

  10. Re:This guy has no proper java experience by Cedric+C.+Girouard · · Score: 2, Interesting
    We dont expect Ford to make parts that fit in a Toyota as well.
    And while I'm being soooo off topic here, it might not be a bad business decision to start manufacturing cross-compatible car parts.
    Think of it. I've done the maths once (for fun) and the cost of rebuilding my car from scratch with parts would be 5 times higher than purchasing it from the dealer. This means that they take a higher markup on parts, and since they always break down, one company could make massive money just manufacturing parts, and not going through the hell of manufacturing the whole car. The car business is just a way for them to create potential customers for parts.

    Secondly, think about the ecological impact cross-compatible parts would have. You don't need 10 different gas pumps (for example); you can have only one model that fits 10 different cars. This way you get to reduce the amount of gas pumps in inventory, which will eventually find their way back to nature if they don't get used.

    Now for the open-source angle, so I don't get modded down into oblivion... I've seen the advocacy of re-usable code thrown around so many times. Write once, use many, yadi yadi yada... Why not the same for car parts? There is only so much tuning you can bring to a piece of code. Once you're there, what can you do? Pull a Microsoft on it, and make sure it won't work with the next version, so they have to purchase your next version, which consists of the same exact code, plus the compatibility flag checked in at compile time.

    So let's calculate here... -1 Offtopic, +1 insightful, +1 informative, +1 funny, -1 troll, +2 posting bonus, so I should end up at +5 funny or something... Thank god for Slash moderation :D

    Smile... You're dying already, it's only a question of time...
    --

    Marriage is considered capital punishment for the theft of a goat in some third world countries...

  11. On the subject of hats... by Anonymous Coward · · Score: 3, Interesting

    The idea of discriminating due to previous hat color is appalling. I used to be a black hat. I have penetrated corporate America and then some. I have exploited entire countries. I never went out of my way for publicity, but some of my exploits were publicized. I was quoted in a few places. This was all when I was younger, and not so wise.

    I changed.

    There is no money in staying a black hat. Eventually, everyone has to eat. The love of the game never dies, but you have to face reality. I work for a very successful company doing security. I have taken their policy and general operation and turned it around in the realm of security. I enjoy my job, it stimulates me, and while they have a good idea of my past, they are cool with it, because they pay me to help protect them from what I used to be. I grew up.

    This man who does not hire previous black hats isn't trying to make a statement; he just doesn't want to be upstaged. The only way to be very good at security is to once have been on the black side of the fence. There are no college credits for exploitation and penetration; these are skills that must be learned under the gun. I have no respect for this man, as his message is wrong. He knows that his livelihood depends on black hats exploiting systems, so he will not ever give one a chance to change his colors. They will be forced to get a different kind of job, and will stay as a black hat because it's the only stimulation they will get.

    At least wait until the trial is over and then decide if one is worthy of employment.

    For the record, I was never raided or tried in anything; this does not make my once black hat status right, it's just the way the chips landed.

  12. Re:Sensible position, whether or not claim is true by Zathrus · · Score: 2, Interesting

    Posts like this one make me wish we'd criminalize adultery.

    Uh, adultery and/or fornication (sex outside of marriage - which generally includes adultery as a subclassification) was illegal in England and most of the US until fairly recently. The most recent US state to repeal its fornication law is Georgia, and there are still 10 states with it on the books (as of that article). Georgia has a separate adultery law, however, and I believe that still stands.

    As best I can tell, most states have laws against adultery - either felony or misdemeanor. Having difficulty getting info out of Google on this, and most of the pages I did find are outdated (still listing Georgia as having a fornication law, for instance).