Slashdot Mirror

← Back to Stories (view on slashdot.org)

School Teaches 'Ethical Hacking'

Posted by ryuzaki0 on from the honorary-mitnick-doctorate dept.

Yardboy writes "A Yahoo! News/Reuters story discusses students in Los Angeles paying $4,000 to attend 'Hacker College' and become 'Certified Ethical Hackers'. Apparently: 'Instructors race through topics like symmetric versus asymmetric key cryptography (symmetric is faster), war dialing (hackers will always call late at night) and well-known TCP ports and services (be wary of any activity on Port 0)', and the president of the college: says 'What we attempt to do in our classes is teach how the hackers think.' Hmmm, perhaps 'Certified Script Kiddie' would be a more accurate designation."

11 of 339 comments (clear)

  1. Lots of companies teaching CEH classes.. by x.Draino.x · · Score: 4, Informative

    Am I missing something? Lots of companies are doing this.. for example: InterfaceTT CEH Information

  2. Re:dumb answer by MadRocketScientist · · Score: 5, Informative

    ICMP is not port 0, it is IP Protocol 1. TCP/UDP port 0 is officially "Reserved"

  3. When did "hacker" change? by ajs · · Score: 4, Informative

    If you're wondering when the word "hacker" came to mean something sinister, the answer is 1987.

    As far as I can tell, it was the the US media that got that ball rolling when they were trying to investigate the 1987 "Internet Worm" released by Robert Morris Jr. The Worm caught the news media off-balance because 1) they did not know what this "internet" thing was 2) there was no terminology for this kind of crime.

    Remember, this was before the World Wide Web (which some of you may not realize is a layer ON TOP OF the Internet, not the same thing), and the news only knew that the military had been connecting computers for research, but even that information was kind of sketchy if you weren't in the thick of it.

    So, they asked around and got some experts on the phone and the word that kept coming up was "hacker". Well, the reporters in question didn't realize that a "hacker" was a fairly old term used by the MIT Tech Model Railroad club and later spread around the word as term for a "productive enthusiast". They just knew that Morris the Younger was a "hacker who broke into thousands of computers", and that was news!

    We've all tried to stop that land-slide ever since because those of us who called ourselves hackers pre-87 are not too thrilled with the perversion of the word's meaning, but at this point it has become clear that it's simply going to be a matter of dialect. In certain circles the word has one meaning and in the rest of society (not just English-speaking society) it has a very different one... oh well.

  4. Similar program already underway by sirdude · · Score: 4, Informative
    ...in Cyberabad/Hyderabad, India. Ankit Fadia, who is India's pet hacker, started up a similar company named e2labs last year.. Not sure how progress has been though..
    E2Labs
    Course Options

    Certified Open Source Security Expert (1 - week) *New
    Computer Forensic Expert (3 - days) *New
    Certified Encryption Expert (1 - week) *New
    Certified Anti-Virus Expert (1 - week) *New
    · 3 months - C.S.S (Certified Security Specialist) Job Oriented
    · 3 months - C.S.S (Certified Security Specialist) Non-Job Oriented
    · 1 month - C.S.P (Certified Security Professional)
    · 1 week - S.S.C.M (Security Specialist in Counter Measures) - Corporates
    The company has priced these courses at Rs 25,000, Rs 75,000 and Rs 1,50,000 for weekly, monthly and three monthly programs respectively 1USD ~= 45.7INR
  5. Re:"Harmless" Hacking by clintp · · Score: 2, Informative

    Or, an analogy that hits home to Slashdot readers...

    This seems akin to having sexual experts who have studied sexual practices, but are still virgins.

    --
    Get off my lawn.
  6. I'm familiar with this course ... by Anonymous Coward · · Score: 4, Informative
    The instructors are actually quite knowledgeable in the field, and the texts, though not anything you couldn't compile with a fair amount of time at SecurityFocus and the like, are pretty good for people who are technically competent but who don't know much about security. The level of knowledge is certainly well above script-kiddie level, and I'd say that it's sufficient for junior security team members. (Disclosure: My company asked me to check out the dog-and-pony show for the class, but neither I nor any of my co-workers attended the full class.)

    Is it worth $4,000? Depends what you're looking for. If you're trying to train up new secteam personnel, it might be a good buy. At the same time, experienced security researchers will find it a solid but not frontier-pushing class, so I wouldn't recommend it to anyone who, say, posts to BugTraq. As well, a lot of specialized platform knowledge also gets passed by, so this doesn't obviate the need to do significant research on your particular installations.

  7. CEH Cert by ignaric · · Score: 2, Informative

    My company sends me to pretty much any security course I want to learn a thing or two and to keep up with the trends. I'm a CISSP and if you've already gotten that far, the CEH is really really basic. You are far better off spending your money on a SANS conference and prepare for a GIAC cert.

  8. Re:great.. by nacturation · · Score: 4, Informative

    But this isnt hacking!! THIS is hacking. What you're refereing to is cracking.

    You know, it's only been within the last few years that I've heard any significant usage of the word "cracker" with regards to computer security. Before that, anyone who broke into a computer system was known as a hacker. Cracking was what you did to software to remove copy protection. Kevin Mitnick refers to himself as a hacker, and he broke into systems long before the politically correct term, cracker, came into usage.

    While it's a nice effort to wish for a distinguishment between the two, the use of the word hacker for those who break into systems has long been established. Let it go, man.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  9. Re:Sounds like by joshmccormack · · Score: 2, Informative

    I know this is painfully obvious, but it's not ehics, it's ethical hacking - which means hacking to test the security of a system with consent.

  10. Re:Not New by KevinKnSC · · Score: 2, Informative
    Actually, the difference is that a degree is an academic title given to a student when they complete a course of study, while a diploma is a piece of paper signifying that the holder has earned a degree.

    Example: I was awarded my degree at commencement, but I had to wait a few weeks for my diploma to arrive in the mail.

  11. CEH vs OPST (from pen-test) by jrl · · Score: 5, Informative
    For me, the value of a class is not in the test or even the certification at the end. The lasting value is in the knowledge and skill set that you refine and take with you back to your job. I also have made lasting relationships from the classmates, students, and instructors that I've met over the years. All of these mean a lot more to me than the "e-i-e-i-o" at the end of my name.

    I gravitated towards ISECOM's OPST/OPSA classes because they fill a role I felt was missing in the security class space. Many non-vendor specific security classes have a very narrow tools based focus. While I agree that knowing how to use your tools in a test is important, I feel knowing why and when to use them is far more important. Knowing the politics involved in testing, going over internationally accepted testing practices, and reviewing regional and national legal regulations are just as much part of the job. These things are not merely important, but are required to be successful in your role as a security tester. In addition to the intensely technical aspects of the testing process, this is what the OPST represents; the "professional" side of security testing. Also, the ISECOM classes teach from ISECOM's Open Source Security Testing Methodology Manual (OSSTMM) which provides a much needed methodical framework to bring a scientific method style to the chaotic world of security testing.

    The CEH class represents the other kind of class. One that is "flashy", "fun", "exciting", but not overly useful to the serious professional. While I have a lot of respect for Clément (one of the instructors for Intense School), I have very little respect for any organization that markets "hacker" classes. This includes the so-called ethical hacking, applied hacking, exposed hacking, grandmother hacking, squirrel hacking, super-duper 3y3 4m 31337 hacking, or any other fancy way of saying "Learn how to think and act like the bad guys".

    While choosing where to spend your time and money, consider the community you are aligning with. If you look at ISACA, SANS, ISC2, ISECOM, etc.. they all have a true dedication to security and the betterment of the global information security community. Contrast the value of being affiliated (via education/certification) with any of those organizations over a piece of paper and a cd of toys.