School Teaches 'Ethical Hacking'

Yardboy writes "A Yahoo! News/Reuters story discusses students in Los Angeles paying $4,000 to attend 'Hacker College' and become 'Certified Ethical Hackers'. Apparently: 'Instructors race through topics like symmetric versus asymmetric key cryptography (symmetric is faster), war dialing (hackers will always call late at night) and well-known TCP ports and services (be wary of any activity on Port 0)', and the president of the college: says 'What we attempt to do in our classes is teach how the hackers think.' Hmmm, perhaps 'Certified Script Kiddie' would be a more accurate designation."

[cynical]

[Maradine]

And I think I speak for all the CISSPs in the room when I say . . .

hahahahahaha!

Thanks, I'll take self-study and put the four grand down on an M3. Sellout? You betcha. *grin*

Re:[cynical]

[Maradine]

[/cynical]

Education is extremely important in this segment, no doubt. What concerns me is the "boot camp" format of these particular gigs, as well as the entry fee.

$4000 is an awful lot of money for a Common Body of Knowledge -- especially since its all available from the Internet.

I have nothing but encouragement for those who wish to enter the field. But save your money. Hell, drop sixty bucks and go to defcon.

Re:[cynical]

[upside]

My take on courses is: yes, you can learn the same stuff if you take the time. However, your boss is unlikely to give you time during work hours to study. When the employer has to pay muchos buckos for it he gets a warm fuzzy feeling that you are doing something worthwhile.

Re:[cynical]

[lukewarmfusion]

99% of the stuff I learned in a college classroom was available on the Internet. Putting it together right demands something more than just a Google search.

Other things I got from college:
Credibility
A class ring
Life experience (studied abroad, lived in a dorm)
Friends
Relationships with professors - having connections with people in your field is a good thing

I went to a school that runs around $30,000/year. It was worth every penny.

Re:[cynical]

[1lus10n]

Things I have gotten from Working since I was 18:

Credibility, people KNOW I can do this for a living. They dont have to worry about weather I can actually do the work.
Several awards from my employer.
Real Life experience.
Friends
Proffesional contacts. Tons and Tons of them.

And I dont have 60k in debt, and wont be paying off school bills for the rest of my life. I have enough experience to walk into higher level jobs and skip the "entry" level BS.

Life is not lived on a Piece of paper that was givin to you by some organisation that is known as a "school".

Re:[cynical]

[admdrew]

College can more useful in opening doors than it is as a tome of information. As you said, you may have learned quite a bit from your on the job training, are in contact with numerous people in your field, and do not suffer the financial hardships of a recent college graduate. Unfortunately you may have a hard time competing with those who have a higher education background, especially if they've worked while going to school (like many of us do).

[A potential employer does not] have to worry about weather [sic] I can actually do the work.

Graduating from college with very good grades requires a lot of work, something any employer knows. If an applicant finishes with a 4.0 GPA, it can be safely assumed that they can "actually do the work."

What you say is a little alarming; your assumption that college is entirely worthless when compared to a high school job is entirely unfounded.

Oh, and before you apply anywhere in the future, work on that spelling and grammar ;)

Re:[cynical]

[servognome]

Credibility, people KNOW I can do this for a living. They dont have to worry about weather I can actually do the work.
What a college degree gives you though is more flexibility. You have proven you can do a particular job and do it well, but it is much more difficult for you to find a job that might require things outside your current skillset. A college degree shows employers you are able to expand your knowledge outside your core competency.
Several awards from my employer.
In college you can get your name on publications, get rewards from companies in the form of scholarships, and research grants (and companies do keep in mind who they gave money to when they are hiring)
Real Life experience.
You can also get alot of experience in school if you're willing to put in the time. You have 16-20 hours a week of class, which leaves you plenty of time for hands on activities like helping grad students with research, taking a job running one of the campus networks, getting involved in a technical club (like solar powered car), etc.
Friends
You can get those in college too, and there are more women ;)
Proffesional contacts. Tons and Tons of them.
You can get an excellent network in college, internships, co-ops (definately a foot in the door), contacts in companies who donate to your research, and alumni
And I dont have 60k in debt, and wont be paying off school bills for the rest of my life
Yes it is true :(

Re:[cynical]

[AvantLegion]

I suppose if I was writing a term paper I might give a damn. ;-)

This may come as a shock, but language rules were not invented just for "term papers".

Why some people feel proper English is optional, I will never know. More often than not, it's used to excuse a lack of English skills.

Mistakes happen. An attitude that it doesn't matter except for "term papers", however, shouldn't.

great..

Now we have SCHOOLS that teach that "hacking" means breaking into computer systems

Sounds like

[Creepy+Crawler]

A really sucky "school"..

You teach ethics, not "hacking ethics". Sounds like a money grab for gullible script kiddies.

I shoudlve thought of it first.

Just Like Anything Else...

[artlu]

The problem with teaching Comp Sci, let alone "hacking," is the methodology in which the teachers teach. The only way I ever learned any type of programming was when someone said, "Go build an application that simulates RSA cryptography." 12 C++ files later I learned more then I did in 2 years of "intro" classes. The same goes for this as well, these kids wont get much more out of these classes then learning to use some scripts or demon dial or whatever.

They should get a project that entitles building some sort of application which can be relseased to the Open Source community.

Wow, war dialing, early 90s, wow.

GroupShares Inc. - A Free Online Investment Community.

Re:Just Like Anything Else...

Uhh what you describe is in no way "computer science". It's software engineering.

Computer science is about MATH. Period. If you're coding, it's almost certainly not computer science.

"Computer science is no more about computers than astronomy is about telescopes." -- Edsger Dijkstra

Re:Just Like Anything Else...

Saying that computer science is about math is an insult to mathematicians.

"Harmless" Hacking

[gbulmash]

Puts me in mind of The Guide to Mostly Harmless Hacking.

Learning how to defend against getting hacked by learning how to hack is nothing novel. It sounds like a great idea on the surface, because it gives you the tools to probe your own weaknesses the way your attackers will. But you're always going to have to keep up with the latest methods, scripts, etc. IMO, A net admin who isn't at least a hobbyist hacker probably won't get much from a hacking bootcamp except a false sense of security.

- Greg

Re:"Harmless" Hacking

[Doesn't_Comment_Code]

Many computer security companies hire converted hackers. But others refuse, saying that anyone with that bad seed can't every be trusted. They only hire people who have studied hacking, but have never been a hacker (like graduates of this school).

Like you said, it sounds like a good idea, but there are going to be weak points in your staff if they don't really know what they're doing. For instance, I've studied security from books, and I'm pretty adept at defending my computer. But I know there's a lot that I don't know that I would know if I hacked computers on a regular basis.

Re:"Harmless" Hacking

[wwest4]

> others refuse, saying that anyone with that bad seed can't every be trusted

I've always seen this argument (the Spafford argument, if you will) as weak. You can't really trust anyone absolutely. A past offense doesn't guarantee a future offense any more than a lack of past offense guarantees future ones.

Any system should have a set of checks and balances for the admins & security guys as well. You don't want anyone holding all the keys on principle. That way, you're mitigating any risk by hiring someone who you know has trust issues.

Remember that information...

[mrhandstand]

is never good or evil. If the students are atttending for the right reasons, then this will help them understand the basics of how script kiddies work. And what do the current stats tell us about most attacks? That they are unsophisticated and are run by people who have little deep knowledge of systems. So this course wil (theoretically) allow them to better protect against the majority of attacks. If the students are attending for the wrong reasons, then they spent $4k for what a day or two of googling and reading would have gotten them. BFD.

Sounds like...

[robslimo]

more of an course to help corporate types to be better aware of and combat cracking (note usage of correct word here) techniques. Your typical 'script kiddie' ain'ta gonna blow $4000 on a course on cracking; he's gonna hang out on IRC and cracking/warez sites to try and mooch some free advice and 'proggies'.

IMO, a network admin ought to all ready know the tricks of the trade and keep him/herself up to date on the tech. But I guess this course probably does provide a good service to some... seen waaaaay to many fresh IT grads who may have aced all their classes but still manage to get out in the real world without really knowing how it all works.

yeah right....

[evenprime]

I haven't read it yet, but I'm rather skeptical. It seems like $4000 dollars and a few weeks in the classroom teaches you how to run sploits you download from packetstorm. It doesn't make you suddenly become skeptical of everything a vendor tells you, or make it become a habit to run a sniffer with watchtemp when you install software on your test lan. It doesn't make you enjoy reading bugtraq.

There's a heck of a lot more to "hacking" than what they can teach you....think "lifestyle"

Seems expensive

[senzafine]

$4,000 seems a bit expensive. I'm not seeing the true benefit of having a "Certified Hacker Certificate"? I think the days of getting a job out of highschool because you took a hacking course are over (if they ever existed in the first place).

Right now the University of Cincinnati is about $8,000 for a year. And I thought that was expensive.

Seems trendy to me...I just don't see hacker courses having much of a true impact on security.

But kudos to whoever is making money off the idea. Wish I would have thought of it.

Re:Not New

[RAMMS+EIN]

All about machine language and security as mandatory part of the program?! Where did you get that degree? I want to go there too! Around here, universities teach you some high level language, how to comment your code, and writing a few apps and a few parsers.

You can do the real stuff, but it's all optional, giving me the feeling that I can as well kiss the university goodbye and study for myself - which is, in fact, how I learned everything I know about computers and programming. And I mean everything. The only reason I still attend university is that I want to get the diploma, but I'm not even sure how much people are going to care about that if you don't really need to have any deep knowledge and experience to get it.

Wash, rinse, repeat

[phyruxus]

Nature creates man.

Man creates computer, internet.

Intelligent, misunderstood youths discover internet, realize they've been lied to, strung along, generally mistreated. Youths show the guts and brains to learn without teachers.

Feds discover internet, realize there are children smarter and more skilled than them, throw beauracratic temper-tantrum, track down said kids (well, some of 'em) and bust them, refuse leniency.

Feds realize this "internet thingy" is more important than they though, and worse, there are kids in other countries who not only have mad skillz, but also actively hate america. Feds shit bricks.

Gov't, realizing it has cut off it's left testicle, tries to fill the gap with "Ethical hackers", ie, tries to create what it had in the first place.

Jeezus F Kryst on a surfboard, why didn't you just train the @#(*&^*(@# hackers in ethics in the first place? You can't teach curiosity, autodidactism or problem solving.

Nature laughs, goes back to being inscrutable.

Way to go.

Re:Wash, rinse, repeat

[CAIMLAS]

Don't think yourself so superior.

Problem solving is just as trainable ability as any type of mathematics or programming. It requires critical thinking, and often a good handle on the deductive and inductive trains of thought. If you're a good problem solver, chances are you had someone in your youth that prompted and prodded you to think about things in different lights, and thus why you can think critically.

CSK

Certified script kiddie for sure.

I mean the real certified ethical hacker degree exists for a long while and it's called computer science.

A fool and its gold...

Re:Not New

[Doesn't_Comment_Code]

Yeah, I was thinking of all the math that's involved in cryptography. And to really know what you're talking about, you should probably understand the guts of networking, tcp/ip and ethernet inside and out. You should know machine language pretty well too.

The most difficult part about security is that you aren't learning how something is supposed to act. That's the easy part. That's what every programmer does (and what I do mostly). But to really do security, you have to know what could happen and how something might work if manipulated. That's really, really hard when you think about all the possibilities!

I just can't imagine squeezing that all in to a short certificate class.

Comment removed

[account_deleted]

Comment removed based on user account deletion

script kiddie?

[MattW]

Script kiddies don't need to know why symmetrical encryption is faster... they just need to know how to subscribe to Bugraq.

Crap

[freaksta]

Old news :( Honestly please stop posting this crap. Not only is it old news, but its really alot of poo poo. Try reading Phrack or other underground zines. There are tons of entry level zines and zines that are for more advanced users (phrack). Save yourself $4000 and do it from the confort of your own home. If you want to know how hackers think, try speding some time on undernet. You get the feeling real quick :) This is not a flame.

About time

[RedShoeRider]

...but if you think about, it was just a matter of time before something like this caught on. In CS/CE, the measure of how big of a man/woman you are is how many certs you have to your name (at least it is in quite a few corportate environemnts). Soon enough, we'll see job postings that see "CEH preferred".

Though as it was already pointed out, this is an excellent example of social engineering. They ought to give kickbacks to Mitnik for every fool who enrolls in the class.

I can speak to this topic in a strong way...

[krinsh]

You WILL NOT learn hacking, even in the context that they're teaching (subverting the security of computer systems), in a class. You may learn about all kinds of tools; and about steps and techniques to attempt to break into computers, but the real work is not in a classroom. I still believe this after taking SANS Track 4; which was excellent training, but did not drop me back on the street with the ability to be pen tester extraordinaire. It's like the commercial says: you get good with practice. I think that's part of the reasoning behind SANS's practical papers for their certifications - so you research, and PRACTICE, and learn things by doing. Now, let me add yet another disclaimer to my posts - practicing does not mean going out and writing malicious code and breaking into sites. Practice means taking your own little air-gapped network and exploring every aspect of the art that you have time and aptitude to learn. Real hacking, the essence, and I'm not trying to start a definition war here; is trying everything you can and learning everything you can - for good or for evil now; but you get the point.

Re:Computer Ethics?

[techno-vampire]

Anyone who wants to take an ethics class obviously has some ethics (what you think someone lacking morales will be taking an ethics class to hope improving himself)???

Well, a smart but unpricipled cracker might take the course to learn how to "talk the talk" and make himself sound ethical. That would help him social engeneer himself into a security job where he can get paid to crack into systems and steal data while claiming to be looking for vulnerabilities to patch.

Re:Not New

[stephanruby]

This program seams like a stripped down version of computer science for people who are only interested in security related work.

No, this program seems like a stripped down version of computer security for people who are only interested in the stupid media-prestige that the term "hacker" might bestow.

WTF - WTC motivation

[morcheeba]

after the Sept. 11, 2001, attacks on the World Trade Center and the Pentagon, the company expanded its focus to information security courses.

That makes no sense. I could see them expanding in the wake of some vicious worm or virus, but they might as well take their inspiration from Chechnya. It makes it seem like they are in the business to trade on fear-of-hackers rather than to provide real security. Not that that's a bad marketing angle, but just one I'd have moral issues using.