Slashdot Mirror


White Hat Hacker Breaks Silence

Flackboy Kevin writes "The nation's hackers are about to come out of their shells on Friday as one of the most notorious 'good guys' in Manhattan makes a rare-yet-cyber public appearance on USA Today's online chat. Gary Morse, Manhattan's white hat hacker and good friend of every Chief Security Officer in the financial world agreed to an online chat regarding security. Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."

8 of 374 comments

  1. How sad. by Anonymous Coward · · Score: 4, Interesting

    Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."

    He's not well regarded because he's good at what he does, or because he's good at what he does without catering to the overused claim that ex-hackers are best suited at protecting systems?

    Frankly I find him a breath of fresh air.

  2. Re:well by gotscheme · · Score: 3, Interesting

    That's just the thing, though, that I try to explain to my friends. When hackers hold a security person in high "disregard", it isn't that they dislike them. They really respect people like Morse because he gives them exactly what they want: a challenge. On the other hand, script kiddies dislike Morse because he makes sure they have to actually use intelligence to execute an attack on public networks.

  3. Won't employ hackers? by supz · · Score: 4, Interesting

    The comment for the story says: "Morse's company, Razorpoint Security Technologies does not employ hackers who've decided to come in from the cold."

    Does anyone have any links regarding that? I read the link in the story, and all it gives is some very brief information. I'd just like to see the guy's reasoning for not hiring "hackers who have come in from the cold."

  4. Re:Please mod this up... by paganizer · · Score: 4, Interesting

    Thanks! I was trying to think of who this reminded me of; Steve Gibson in a Nutty shell (bash flavored).

    I do not doubt that there are people out there who have never broken any laws and are decent, if not excellent, security types.
    However, since it's been illegal to do ANYTHING with a computer since the DMCA and Patriot Act came out, that type of expert is obviously a breed rapidly approaching death.
    If a person is acquiring security skills in this day and age, that person is in the law's eyes a black hat.

    --
    Why, yes, I AM a Pagan Libertarian.
  5. It had a lot to do with it... by Ethelred+Unraed · · Score: 4, Interesting

    IANASC (...security consultant), but ISTR that many firms in the WTC were foolish enough to have the "backup" systems...in the other tower. IOW they assumed that if one tower went blooey, the other one would still be there. So much for redundancy.

    The point is physical security, not network security. It's kind of like having all your backup CDs in the same room (or building!) as your computer. Fire, fire, oops, it's all gone.

    Also, ISTR that in some cases, with the loss of systems in the WTC, financial networks were left in a state of chaos -- perfect time to be hacked, really.

    Cheers,

    Ethelred

    --
    Everyone wants to be Ethelred. Even I want to be Ethelred.
  6. Re:So what are the underrated ones? by Fizzl · · Score: 4, Interesting

    Do you actually work in the real world?

    Remember, McDonalds doesn't count as we are talking about IT.

    CodeMonkey job at video game firm might be boring. Don't know. Don't know anyone personally working in that field. Database app codemonkeying was interesting for as long as I had problems. It got extremely tiresome when I got stuck in the "support" phase.

    If you like to trace raw HD dumps and cracking crypto to reveal the originator of an intrusion, then the security sector might be just for you. Done that twice. Once with my own box that got rooted, once with a company's server. Both just of sheer curiosity on my own time because I find the above mentioned things interesting and intellectually challenging. Of course, once I would get good at it, I'd prolly get bored of that too.

    You don't state what you do for a living. Or even what you'd like to do and what you might find interesting. I have found out that I get bored to one labour pretty quickly.

    If you are like me, go work for a contracting firm. I like this. Once I get bored with one job, I just tell that to my superior and we will negotiate another place to work for me.

    This far I have had just short contracts varying from 3 months (Porting Symbian code from device to another) to 2 years (my current job as a software integrator).

    You also get an impressive resume quickly ;)

  7. Crackers do _not_ make good security experts by @madeus · · Score: 4, Interesting

    How do you get good at knowing you're being tracked, if you've never been tracked? You don't. So how do you devise a tracking system which a hacker wouldn't detect? You can't.

    Utter garbage.

    That is completely analogous to saying only a burglar could design a security system, which is the point an earlier poster was making.

    There is a phrase 'send a thief to catch a thief', which makes for a good Hollywood script, but this is not good everyday practice, which the rest of the world has already worked out. The idea behind the phrase is that a thief has information that can be useful in catching another thief, but thieves make VERY bad policemen.

    Being a hax0r does imbibe you with any knowledge of how to develop secure systems. In the same way that being a successful scam artist does not put you in a good position to design a more secure credit card. Most crackers have no knowledge of using secure systems, break ins that occur usually down to trivial holes, which all non-security orientated developers know how to fix (and code against), these holes occur simply because best practices are not always followed.

    Commercial systems designed with security in mind (e.g. trusted operating systems, encrypted networks, systems that use separate signed keys for all inter-process and inter-host transactions, networks that have hard-wired one way Ethernet links) tend to cost many hundreds of thousands of dollars to build, and require a team with a strong mix of OS, Software Development and Networking knowledge.

    Knowing how to defeat a burglar alarm system is a far cry from knowing how to build one, just as knowing how to write microcode to exploit a buffer overflow is a far cry from knowing how to write and develop for a secure environment.

    All but the stupidest of employers care vastly more about experience than education.

    Crackers break into secure software, they don't have experience in designing secure software. They would make awful systems that would be just as vulnerable but in different ways - developing secure solutions requires a design approach that bears this in mind.

    Serious crackers are *not* suitable candidates for security experts.

  8. On the subject of hats... by Anonymous Coward · · Score: 3, Interesting

    The idea of discriminating due to previous hat color is appalling. I used to be a black hat. I have penetrated corporate america and then some. I have exploited entire countries. I never went out of my way for publicity, but some of my exploits were publicized. I was quoted in a few places. This was all when I was younger, and not so wise.

    I changed.

    There is no money in staying a black hat. Eventually, everyone has to eat. The love of the game never dies, but you have to face reality. I work for a very successful company doing security. I have taken their policy and general operation and turned it around in the realm of security. I enjoy my job, it stimulates me, and while they have a good idea of my past, they are cool with it, because they pay me to help protect them from what I used to be. I grew up.

    This man who does not hire previous black hats isn't trying to make a statement; he just doesn't want to be upstaged. The only way to be very good at security, is to once have been on the black side of the fence. There are no college credits for exploitation and penetration; these are skills that must be learned under the gun. I have no respect for this man, as his message is wrong. He knows that his livelihood depends on black hats exploiting systems, so he will not ever give one a chance to change his colors. They will be forced to get a different kind of job, and will stay as a black hat because it's the only stimulation they will get.

    At least wait until the trial is over and then decide if one is worthy of employment.

    For the record, I was never raided or tried in anything, this does not make my once black hat status right, it's just the way the chips landed.