Slashdot Mirror


School Teaches 'Ethical Hacking'

Yardboy writes "A Yahoo! News/Reuters story discusses students in Los Angeles paying $4,000 to attend 'Hacker College' and become 'Certified Ethical Hackers'. Apparently: 'Instructors race through topics like symmetric versus asymmetric key cryptography (symmetric is faster), war dialing (hackers will always call late at night) and well-known TCP ports and services (be wary of any activity on Port 0)', and the president of the college says: 'What we attempt to do in our classes is teach how the hackers think.' Hmmm, perhaps 'Certified Script Kiddie' would be a more accurate designation."

30 of 339 comments

  1. Not New by Doesn't_Comment_Code · · Score: 5, Interesting

    The name of the certificate is new, but the concepts are not novel.
    We went through an entire class about computer ethics. We had to, to get a Computer Science degree. And since it was an actual Computer Science degree, we learned all about security and machine language and what have you... basically everything you would learn in this course.

    This program seems like a stripped-down version of computer science for people who are only interested in security-related work.

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
    1. Re:Not New by Doesn't_Comment_Code · · Score: 5, Insightful

      Yeah, I was thinking of all the math that's involved in cryptography. And to really know what you're talking about, you should probably understand the guts of networking, tcp/ip and ethernet inside and out. You should know machine language pretty well too.

      The most difficult part about security is that you aren't learning how something is supposed to act. That's the easy part. That's what every programmer does (and what I do mostly). But to really do security, you have to know what could happen and how something might work if manipulated. That's really, really hard when you think about all the possibilities!

      I just can't imagine squeezing that all in to a short certificate class.

      --

      Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
  2. Oh man... by RegalBegal · · Score: 5, Funny

    First day. 2day kidZ, w3 LeRN 2 HaX0R t3H g00d w^y...w00t. OMG. RTFB.

    --
    "It'll destroy you if you try to make it mean anything to anyone but yourself." - Henry Rollins
  3. Hackers will always call late at night by Anonymous Coward · · Score: 5, Funny

    What they don't tell you until the PhD course is that it's always late at night somewhere.

  4. Hmmm by Neil+Blender · · Score: 5, Funny

    Sounds like they are social engineering people out of $4,000.

  5. great.. by Anonymous Coward · · Score: 5, Insightful

    Now we have SCHOOLS that teach that "hacking" means breaking into computer systems

    1. Re:great.. by Anonymous+Cowtard · · Score: 5, Interesting

      Sorry man, but the word is used to mean malicious computer access as well. Words take on the meaning that the majority use them for.

  6. With titles like those... by mikael · · Score: 5, Funny

    I wonder how long before they offer the qualification of "Certified Pointy Haired Boss"?

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  7. I'm Waiting by stinkyfingers · · Score: 5, Funny

    Wake me up when they offer Ethical Racketeering, Ethical Pimping, and Ethical Congressional Campaigning.

  8. But the real question is by Scoria · · Score: 5, Funny

    4r3 7h3y c3r71f13d 1n 1337sp34k? j00 c4n't b3 4 h4x0r w17h0u7 1337sp34k. ;-)

    --
    Do you like German cars?
    1. Re:But the real question is by the_weasel · · Score: 5, Funny

      It bothers me that I had no trouble reading that. None at all. And I am about as far from being l33t as you can imagine.

      --
      - sarcasm is just one more service we offer -
  9. This is an outrage... by Gyorg_Lavode · · Score: 5, Funny

    This is an outrage to all of us who toiled for years to become script kiddies and received no formal documentation of our accomplishments.

    --
    I do security
  10. Your CEH cert will give you the pride... by Anonymous Coward · · Score: 5, Funny

    ...of self knowledge and recognized accomplishment amongst your peers that only MCSEs have enjoyed up to now.

  11. Re:dumb answer by MadRocketScientist · · Score: 5, Informative

    ICMP is not port 0, it is IP Protocol 1. TCP/UDP port 0 is officially "Reserved"

  12. In other news. . . by JohnFromCanada · · Score: 5, Funny

    Recent graduates of the 'Hacker College' realize that their diploma is virtually worthless in the real world and come to realize that they were just socially engineered out of $4000 dollars.

  13. Re:[cynical] by Sielle · · Score: 5, Interesting

    Out of the 5 people I personally know that have taken classes like this, 4 of them have continued on to go after their GIAC/CISSP certifications. If a class like this gets people started, I'm all for it. I just worry about the people that think something like this is all they need.

  14. Remember that information... by mrhandstand · · Score: 5, Insightful

    is never good or evil. If the students are attending for the right reasons, then this will help them understand the basics of how script kiddies work. And what do the current stats tell us about most attacks? That they are unsophisticated and are run by people who have little deep knowledge of systems. So this course will (theoretically) allow them to better protect against the majority of attacks. If the students are attending for the wrong reasons, then they spent $4k for what a day or two of googling and reading would have gotten them. BFD.

    --
    Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
  15. Computer Ethics? by AviLazar · · Score: 5, Interesting

    Anyone who is smart enough to hack, is smart enough (save for those with mental problems) to realize the difference between right and wrong.
    Anyone who wants to take an ethics class obviously has some ethics (what, you think someone lacking morals will be taking an ethics class hoping to improve himself)???
    What they should offer is a class that teaches non-techies what is a hacker - so they learn that not all hackers are evil people bent on ruling the world (not that there is anything inherently wrong with this..I mean if I ran the world, it would be a much better place - for you and me....well more me, but it's all good)

    --

    I mod down so you can mod up. Your welcome.
  16. Seems expensive by senzafine · · Score: 5, Insightful

    $4,000 seems a bit expensive. I'm not seeing the true benefit of having a "Certified Hacker Certificate"? I think the days of getting a job out of high school because you took a hacking course are over (if they ever existed in the first place).

    Right now the University of Cincinnati is about $8,000 for a year. And I thought that was expensive.

    Seems trendy to me...I just don't see hacker courses having much of a true impact on security.

    But kudos to whoever is making money off the idea. Wish I would have thought of it.

    --
    Better than Flickr - Manage, Share, Archive
    1. Re:Seems expensive by Doesn't_Comment_Code · · Score: 5, Funny

      Be careful with dynamic memory.

      Watch for stack overflows.

      Always restrict access as much as possible.

      Use the strongest encryption available depending on the sensitivity of your data.

      Turn off all services that you don't use.

      Don't set your root password to root.

      Assume every user has bad motives.

      Plan for the worst.


      Send $4000 and a self addressed, stamped envelope with your name as you would like it to appear on your certificate.

      --

      Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
  17. Like "Hackers"? by cdavies · · Score: 5, Funny

    Woah. If the course is lectured by Angelina Jolie, I'll cough up my 4KUSD in about 3 seconds flat ;)

  18. Wash, rinse, repeat by phyruxus · · Score: 5, Insightful

    Nature creates man.

    Man creates computer, internet.

    Intelligent, misunderstood youths discover internet, realize they've been lied to, strung along, generally mistreated. Youths show the guts and brains to learn without teachers.

    Feds discover internet, realize there are children smarter and more skilled than them, throw bureaucratic temper-tantrum, track down said kids (well, some of 'em) and bust them, refuse leniency.

    Feds realize this "internet thingy" is more important than they thought, and worse, there are kids in other countries who not only have mad skillz, but also actively hate America. Feds shit bricks.

    Gov't, realizing it has cut off its left testicle, tries to fill the gap with "Ethical hackers", ie, tries to create what it had in the first place.

    Jeezus F Kryst on a surfboard, why didn't you just train the @#(*&^*(@# hackers in ethics in the first place? You can't teach curiosity, autodidactism or problem solving.

    Nature laughs, goes back to being inscrutable.

    Way to go.

    --
    "A witty saying proves nothing." ~Voltaire
    "d'Oh!" ~Homer
  19. script kiddie? by MattW · · Score: 5, Insightful

    Script kiddies don't need to know why symmetrical encryption is faster... they just need to know how to subscribe to Bugtraq.

  20. Re:[cynical] by Maradine · · Score: 5, Insightful

    [/cynical]

    Education is extremely important in this segment, no doubt. What concerns me is the "boot camp" format of these particular gigs, as well as the entry fee.

    $4000 is an awful lot of money for a Common Body of Knowledge -- especially since it's all available from the Internet.

    I have nothing but encouragement for those who wish to enter the field. But save your money. Hell, drop sixty bucks and go to defcon.

    --

    trustedworlds.net - gaming, security, and the gunk that lives in between

  21. In other news... by 192939495969798999 · · Score: 5, Funny

    75% of the graduating class is under house arrest for hacking back into the schools' cc merchant account servers and getting their $4000 back. The other 25% also stole back their money, but couldn't be traced, and are presumed at large.

    --
    stuff |
  22. I can speak to this topic in a strong way... by krinsh · · Score: 5, Insightful

    You WILL NOT learn hacking, even in the context that they're teaching (subverting the security of computer systems), in a class. You may learn about all kinds of tools; and about steps and techniques to attempt to break into computers, but the real work is not in a classroom. I still believe this after taking SANS Track 4; which was excellent training, but did not drop me back on the street with the ability to be pen tester extraordinaire. It's like the commercial says: you get good with practice. I think that's part of the reasoning behind SANS's practical papers for their certifications - so you research, and PRACTICE, and learn things by doing. Now, let me add yet another disclaimer to my posts - practicing does not mean going out and writing malicious code and breaking into sites. Practice means taking your own little air-gapped network and exploring every aspect of the art that you have time and aptitude to learn. Real hacking, the essence, and I'm not trying to start a definition war here; is trying everything you can and learning everything you can - for good or for evil now; but you get the point.

    --
    I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.
  23. Not script kiddies by Anonymous Coward · · Score: 5, Funny

    The course seems pretty expensive and probably not exactly ideal, but it's a bit more than just script-kiddiesm. Unless, of course, the tests look like this:

    Q: You are the IT manager of an online business. The owner is pleased to announce that the business has enjoyed rapid growth, and has asked you to prepare an outline of system upgrades and estimated costs to deal with an estimated 8,000 daily visitors consuming approximately 320KB, with the number of visitors doubling every six months. What are your main concerns likely to be? (circle all that apply)
    a) Cost of expanded bandwidth utilization
    b) Maintenance issues associated with a medium-sized server farm, as well as software concerns regarding your web application and load balancing
    c) Continued self-hosting via the corporate T1 line vs. co-location
    d) wtf ???? ummm just run linux+apache d00d !!!!!

    Q: You are a consultant, hired to evaluate the security and efficiency of a small business's server configuration. Your employer, inexperienced with both the technology itself as well as online business in general, has hinted to you that he's not certain how competent his system administrator Simon is. In evaluating the systems, you discover that Simon has misappropriated the server budget to upgrade his desktop system to play Unreal Tournament 2k4, and has left the actual servers themselves equipped with 386s and faulty hard disks. As you were confronting him about this in the server room, he excused himself from the room to fetch "documentation" while his young and pimply-faced apprentice tripped the halon fire extinguishers. What should your reaction be?

    a) Immediately contact the police.
    b) Inform the manager, and urge him to speak with the apprentice's parents about a possible intervention.
    c) Return a favorable report after realizing that you have become tangled with things far larger than you, and never interfere with those servers again.
    d) whats a halon fire

    Q: A company has suffered a break-in. Not having a security professional on-hand, they have turned to you as a forensics consultant to help them assess the damage, identify the point of origin, and take appropriate response measures. What will your first action be?

    a) Request a list of all servers on the network with their operating systems, as well as servers and version numbers.
    b) Unplug the servers.
    c) Inquire if there is any way an employee could have accessed the servers.
    d) Ask your friends on EFNet if they did it.

  24. Re:[cynical] by lukewarmfusion · · Score: 5, Insightful

    99% of the stuff I learned in a college classroom was available on the Internet. Putting it together right demands something more than just a Google search.

    Other things I got from college:
    Credibility
    A class ring
    Life experience (studied abroad, lived in a dorm)
    Friends
    Relationships with professors - having connections with people in your field is a good thing

    I went to a school that runs around $30,000/year. It was worth every penny.

  25. CEH vs OPST (from pen-test) by jrl · · Score: 5, Informative

    For me, the value of a class is not in the test or even the certification at the end. The lasting value is in the knowledge and skill set that you refine and take with you back to your job. I also have made lasting relationships from the classmates, students, and instructors that I've met over the years. All of these mean a lot more to me than the "e-i-e-i-o" at the end of my name.

    I gravitated towards ISECOM's OPST/OPSA classes because they fill a role I felt was missing in the security class space. Many non-vendor specific security classes have a very narrow tools based focus. While I agree that knowing how to use your tools in a test is important, I feel knowing why and when to use them is far more important. Knowing the politics involved in testing, going over internationally accepted testing practices, and reviewing regional and national legal regulations are just as much part of the job. These things are not merely important, but are required to be successful in your role as a security tester. In addition to the intensely technical aspects of the testing process, this is what the OPST represents; the "professional" side of security testing. Also, the ISECOM classes teach from ISECOM's Open Source Security Testing Methodology Manual (OSSTMM) which provides a much needed methodical framework to bring a scientific method style to the chaotic world of security testing.

    The CEH class represents the other kind of class. One that is "flashy", "fun", "exciting", but not overly useful to the serious professional. While I have a lot of respect for Clément (one of the instructors for Intense School), I have very little respect for any organization that markets "hacker" classes. This includes the so-called ethical hacking, applied hacking, exposed hacking, grandmother hacking, squirrel hacking, super-duper 3y3 4m 31337 hacking, or any other fancy way of saying "Learn how to think and act like the bad guys".

    While choosing where to spend your time and money, consider the community you are aligning with. If you look at ISACA, SANS, ISC2, ISECOM, etc.. they all have a true dedication to security and the betterment of the global information security community. Contrast the value of being affiliated (via education/certification) with any of those organizations over a piece of paper and a cd of toys.

  26. Re:[cynical] by admdrew · · Score: 5, Insightful

    College can be more useful in opening doors than it is as a tome of information. As you said, you may have learned quite a bit from your on the job training, are in contact with numerous people in your field, and do not suffer the financial hardships of a recent college graduate. Unfortunately you may have a hard time competing with those who have a higher education background, especially if they've worked while going to school (like many of us do).

    [A potential employer does not] have to worry about weather [sic] I can actually do the work.

    Graduating from college with very good grades requires a lot of work, something any employer knows. If an applicant finishes with a 4.0 GPA, it can be safely assumed that they can "actually do the work."

    What you say is a little alarming; your assumption that college is entirely worthless when compared to a high school job is entirely unfounded.

    Oh, and before you apply anywhere in the future, work on that spelling and grammar ;)