Hacker Boot Camp
abb_road writes "Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.' The camp serves companies' increasing needs for home-grown white hats, and covers topics ranging from the non-technical (social engineering and policy creation) to code-level attacks (buffer overflows and SQL injections). The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'--but where else can you play hacking capture the flag?"
"but where else can you play hacking capture the flag?"
The internet, like all the other hackers are already doing?
I didn't see anywhere that mentioned any kind of entry requirements to get on the program, hopefully they will require company sponsorship to get on the course or else anyone that can get together the cash can learn these techniques.
I for one would prefer not to welcome our script kiddie / real hacker overlords.
GeekServ Unix Consulting Services (http://www.geekserv.com)
Is it just me, or does the very name "certified ethical hacker" seem like an utterly stupid, attention-whoring term? It reminds me of the kids who hang out on IRC asking "How do I hack someone's computer if I have their IP address?". People don't go to "certified ethical arsonists" bootcamps, they study fire science at an accredited school.
It sounds like this bootcamp just teaches people a handful of tricks that can be used to impress hiring managers. (Mentioned in the article: The default MS SQL login is "sa" with no password. Well, that tidbit is not going to do you much good if you're assessing any version of SQL Server released within the past six years.) Do they explain the difference between a frame, packet, and datagram? All specifics and no theory.
Entrepreneur : (noun), French for "unemployed"
I recommend they switch to "Important-Sounding Portal Site of Certified E-Clipart and Buzzwords". Gah. That site isn't just an eyesore; it's a brainsore. Basically, you send them money, they send you off to a third-party training course, throw you in a database and give you some logos and certificates with important-sounding words. Oh, and you'll be certified. It'll take your resume to the next level (where, presumably, we can find our princess.)
Ah, but now to the meat of the matter--the legal disclaimer!
l) Educational Licenses, Accreditation, and State Sanction. The ICECC does not claim to be a college or university nor does it claim accreditation from any 501 bodies, state, or federal government agency or body. The ICECC is not a 501c3 organization and never has claimed to be a tax free or charitable entity. The ICECC may engage in business with charitable organizations or form alliances with charities that operate under 501 but the ICECC operates as a responsible, growing, proprietary, growth oriented, and profit oriented association and company. The ICECC is an independent authority similar to other American Associations. The ICECC grants certificates, certifications, marks, designations, and charters much like hundreds of other legal educational and recognition institutes or associations in the United States. The ICECC strictly follows the criteria of the Ibanez decision in the United States. We encourage all members and certified members to meet all requirements for education, experience, testing, ethics, and continuing education. The ICECC licenses its marks and logos to others. The marks are generally licensed to individuals. The ICECC will license the CEC and other marks and logos to companies, universities, or other uses upon the consent of its board. The ICECC outsources to other companies for training and education that is provided online. The ICECC does not collect money for the courses, provide the service, teach the class, or enter into a contract with the student. The company providing the education and training is simply using our site as a distribution point. The ICECC may receive a referral fee, rebate, revenue share, or other payments for providing the website that afforded the sale of the service to the customer. In sum, you accept that we are not responsible for the performance of any education or training contract.
We do not hold any of your private information that you submitted to the training, course, or education provider although directory information may be exchanged. This information is limited to email address, phone number, name, employer, educational degrees and background. [emphasis mine]
Makes ya feel all edjumicated already, dunnit?
Of course, all the above is moot; it fails the sniff test (twice, no less!) on its home page:
Don't forget to bookmark us! (CTRL-D)
Trust me, I didn't forget.
ALARMING LAPSES. And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.
It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successful
Obliteracy: Words with explosions
"The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'--but where else can you play hacking capture the flag?"
Defcon, Hope, Toorcon etc etc etc
4 grand for that? I wouldn't classify that as 'ethical'!
"Physics is to math as sex is to masturbation." -R. Feynman
That doesn't differ from my daily routine anyways. Why pay 4300 for something I already do for free over the summer?
Warning: Corny karma killing post above.
...you pay tons of money to get a piece of paper that lets you join a club.
Higher education is just another form of hazing. You say that you've read the assignment, (the teacher) says "Fuck you, prove it!". --David Mamet
Does this sig remind you of Agatha Christie?
2. Who out there is going to accredit this "certification" to be sure it's worth more than the paper it's printed on?
3. Isn't one of the fundamental concepts of "hacking" to be anti-establishment? To break the rules and sock it to the man? Getting certified is about as establishment as you can get.
-Kurt
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
...is whether they had to shave their heads or were subject to violent hazing. Doesn't seem like boot camp otherwise.
GetOuttaMySpace - The Anti-Social Network
you spend a week learning all the "Secret Ninja Moves" and when you're done, you're a real life ninja. ... right? r-right?
"Is this just useless, or is it expensive as well?"
Sorry, but people can't really learn ethics in a 5 day camp. Ethics begin at home and in early childhood. It comes from the people who raise you and the people you're around as you grow. A 5 day camp is going to have absolutely no impact on your ethics. By the time you're old enough to go to a hacker camp, your ethics (or lack thereof) are firmly established. 5 days of camp is simply going to give them some new skillz to use ethically or unethically.
and all those popups will read - get your ethical hacking certificate for 2k! Just click on the monkey - I did!
"a classroom full of middle-aged high-tech system administrators." If they get their company to send them to hacking school for a day, they have more free time for pr0n in the evenings! Brilliant.
The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'
Reservations for the State Correctional Facilities maybe ?
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.'
As opposed to the 'Unethical Hacker Certification' where companies pay you $43,000.00 or more to stop disabling their websites.
He who knows best knows how little he knows. - Thomas Jefferson
Defcon? Anyone? Anyone......
From the article:
you know that site is vulnerable to a technique of stealing database contents called "sequel injection."
Is this an attack based on the recent star wars trilogy? Someone should inform the author it's still written "SQL injection" despite how it sounds.
how completely useless. if you want to be a hacker, you go learn how to be a hacker on your own, on the internets. if you have to go to a school for it, you probably weren't meant to hack into much of anything in the first place.
companies like his screen candidates carefully. They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill.
Or, they could be a reporter who just wants to write a cool story and maybe detail a few of the hacks that "an English major who hasn't written a line of code since third grade" can do. You know, just in case some of his readers can't afford the class, but really want to be ethical hackers. It's all cool.
The new paper MSCE certification for the 21st century.
Wouldn't this be like wearing a "Certified Trained Sexual Dynamo Boyfriend" t-shirt into a singles bar. A little too nerdy for me.
Is this an attack based on the recent star wars trilogy?
Yes, I believe the famous last words were, 'It's a trap!'
He who knows best knows how little he knows. - Thomas Jefferson
You mean, like, the back seat of a Volkswagen Beetle?
Trust not a man who's rich in flax / His morals may be sadly lax
A more accurate label would be "Five Day Script Kiddie Class".
Having just attended a SANS class (one week, tons of fun, learned a boatload), I would highly recommend them. Not everything there is available on the web (well, sort of, but the stories from the storm center certainly aren't). The course I took was taught by Ed Skoudis, easily one of the best lecturers I have ever seen. At the end, yes, we got to play capture the flag.
Some hackers have actually died at boot camp when the staff tried to beat the ethics into uncooperative programmers.
they are getting jacked then learning to hack.
Karma: a simple way of silencing those with unpopular views regardless how correct or just that view might be.
AOL has some chat rooms with hundreds of the very best hackers in the whole wide world answering questions and handing out all kinds of scripts 24/7. You have to be very smart and a real hacker to run a script from an AOL hacker chatroom.
Brought to you by Carl's Junior.
This appears to be similar to the highly regarded SANS GIAC Certified Incident Handler (GCIH) Course, SEC-504: Hacker Techniques, Exploits & Incident Handling, which I attended a while back. The SANS course was excellent and is often taught by Ed Skoudis. It's challenging, but also very worthwhile. They cover how to create an Incident Handling team and then launch into Reconnaissance, Scanning, Exploits, Keeping Access, and Covering Your Tracks. It would take too long to list out all of the different tools and tactics that they covered, but it's pretty comprehensive.
It's a great course, and I highly recommend it to anyone involved in computer security. The insight into how attackers target, gather information, compromise, and maintain access on systems has been invaluable in understanding how to then try and close the holes and mitigate the risks. You'll never be 100% invulnerable on a machine or network that you actually use for anything, but if you know how to think like an attacker and what the current tools are capable of, then you'll be able to fix most of it.
You can play at defcon, but the level of the competition would probably be a bit intimidating for people who attend a boot camp.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
As a reformed "script kiddie", who once ran havoc on your servers back in the 90's (sorry about that by the way) I must tell you that stories like this make me laugh. In my experience, the essence of all "hacking" is the same: the pursuit of an answer to a question.
Eventually, I discovered that the "real" hackers grew up and got "real" jobs, so I did the same. However, like most hardcore IT people I know (not the MCSE morons), this inquisitive nature still lies at the heart of...well...me (whatever that is).
Point being: like life, hacking can't be taught, it must be experienced.
And just like life, it can be experienced 2nd-hand (via books or "training"), or, we can grow balls and go make some mistakes ourselves. The "wackos" like me will always opt for option B, and computers have nothing to do with this.
Math is math. Regular expression is regular expression. The tools are there. The future is now.
For the paltry sum of only $1000US, I'll send you a genuine Certificate of Ethical Hacking, Keytar Playing, and Being Good To Your Mom.
I'll even load my ink-jet printer with the impressive expensive paper.
Slashdot Burying Stories About Slashdot Media Owned
Not to stray too far off topic, but didn't all this 'boot camp' crap start when cable channels like Discovery began airing stuff like this and 30yo adolescents far and wide thought that one Hell Week of any sort and they could be Authorized Bad-Ass Certified Hacker Ninjas?
"Yeah (sniff), I coulda been a F-16 pilot, but I couldn't pass the vision screening, so I became an MCSE instead."
Jesus told him, "I am the way, the truth, and the life. No one can come to the Father except through me. - John 14:6 NLT
The only reason why you would spend this amount of money to obtain a cert. is because you are not qualified/knowledgeable enough to pass it in the first place.
If you really knew what you were doing, you would pay the $250 to take the test (http://www.eccouncil.org/312-50.htm) and be able to pass either on your own accord, or with the help of books or freely available study guides.
Anything more than a few hours of your time and some decently written books is a waste of money.
An instructor at one of my MCSE classes also taught the CEH class and told us that in order to take the class you have to sign agreements with the FBI agreeing not to use your skills for unethical behavior. The class material is freely available for download all over the place, so yes, the price does seem a little steep, but if that cert lands you a job then it's all worth it.
Otherwise, the training could be a prelude to the rise of corporate hacking warfare: corporate to corporate hacking. Basically just because you took white hat training doesn't mean you can't use those skills in a black hat environment against other companies. White hat or black hat, the temptation to hack other systems (just not your company's) is great cause hacking is all about experimentation.
Me thinks the reporter got p0wned.
I have been to it, the courseware is fairly extensive but was boring nonetheless. I cannot see much of the slashdot crowd getting much from it, just a rehash of common knowledge tools and techniques that we pretty much have all heard of.
Now I was stuck in a room full of MS and MCSE zombies who did not know the difference between a TCP and UDP packet. Just listening to the students talk I could feel the grey matter being sucked from my head....sort of like a high school student sitting in on a first grade class.
Got Code?
you can teach the techniques but you can't certify their ethics....
The author states himself in TFA that he has no programming experience since the 3rd grade. Therefore, can this really be considered "hacker" camp?
In addition, the teacher showed the class SQL injection techniques, etc. However, wouldn't their time be better spent learning penetration testing techniques and how to use certain applications like Nessus? I don't see how learning how to package "Beast" with a screensaver really teaches anyone anything worth over 4 thousand dollars.
Hagrin.com
I am a systems administrator at www.hackthissite.org (HTS), and at HTS, we intend to do just what this camp intends to--but for a nice sum of $0.
Although we are currently working on a new version of the site (dubbed "HTSv4"), the current place still has plenty of opportunities to gain knowledge in (ethical and legal) areas of computer security, such as XSS injection, SQL injection, buffer overflows, programming, and countless other topics--all through personal experience with the "missions" on the site.
I think it is very important for people who are going into computer development of any kind to be aware of these issues. Personal experience and skill in computer security can only be beneficial, and will teach one to code applications that are capable of defense from outside intrusion.
"but where else can you play hacking capture the flag?"
for the price of tuition you and a friend could buy some serious hardware and go at each other.
I am Bennett Haselton! I am Bennett Haselton!
> It'll take your resume to the next level (where, presumably, we can find our princess.)
"Thank you Mario! But your certificate is in another castle!"
It sounds to me like the course assumes you bring good ethics to it. It's not about learning ethics. It's for learning about security vulnerabilities by exploiting them. The idea is that the pupils then can go out and test their own networks or those of a client with what they learned, as a service. They title it ethical hacking because it is to be done with the permission of the victim in the interest of finding and subsequently eliminating potential security holes. If someone came to the class with ill intent, of course, they could use this knowledge unethically. This is probably why they require students show proof of gainful employment, although none of this is exactly top secret.
According to another poster somewhere in this discussion, the class isn't very advanced, and basically useless to anyone who already has a decent but more general training.
My NT350 class at Herzing School of Technology (a traditional brick and mortar tech school with a new online branch) taught by Curt Gibeau (sp?) was like this. Only my tuition was $1200 I think, and the course was 16 three hour night classes. We were broken into groups (2-3 networkers and 1 programmer in each group). Each group was given standard enterprise requirements (AD, email, file storage, database, web server, client machine). We could use whatever OSs and software packages we liked, and we could run up to 5 machines. Over the course of the class we went over security theory and specifics for demonstrations, and then we would break into groups to work on building and securing our group enterprises.
In the end we didn't have quite as much attack time as we had hoped, and a lot of vectors were blocked off because we all knew we were going to be attacked and there was no real life activity on the networks. So everyone was scrounging each other's networks for any mistakes or missed patches. Some people had honeypots, some people hosted exploiting web pages, but for the most part, there was little damage. But we all learned a lot about securing networks and servers, and different ways to minimize risks.
All in all, definitely a class that was worth taking. I would recommend it to anyone in range of a Herzing campus, but the teacher I had is no longer teaching (he's a full time network admin for the school now) and I have no idea how the class is arranged any more.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
all with links.
Further still, you get
Each one of those is a link, and every single one of them to the same domain.
This is a spammer site, and every page on the site has a footer labeled "links and sponsorship," also filled with spam links. I feel really bad for the poor suckers who wind up giving them money.
Also from their TOS:
The whole organization is a joke.
REM Old programmers don't die. They just GOSUB without RETURN.
More fun than a nice game of chess. Not nearly as much fun as Global Thermonuclear War.
Anybody else notice the number of ads for "Certified Ethical Hacker" showing up with the story? Love that contextual advertising.
Anyone who's paid $4300 to attend this 'event' is a fucking moron who should work anywhere but IT
For a hell of a lot less. And it was considered a viable elective for my major, Computer Science. We were taught pretty much the same things, but mostly geared toward Unix/Linux since the prof was an OS Guru of sorts. It was a great class. I'd take it again in heartbeat. The college? Wright State University in Dayton, OH. Whoda thunk?
i'm sorry, did someone just say 'ethical hacking' and 'serving companies' in the same breath? ri-i-i-ght....
I don't know anything about these guys (the cert mentioned in the post is not even on the site). http://www.icecc.com/ But it's not the same as: http://www.eccouncil.org/CEH.htm And can be had for about 2k less at other training places. I'm always amazed at the hostile reactions to the name of this cert. Would it make anyone feel better if it was called Certified Ethical Pen-Tester? Cause that's what it really is, learning the methodology for pen-testing, which like everything else *could* be learned for free, but hey thrash away on your keyboard in outrage if it makes you feel better.
Just remember that ICECC is a pre-requirement for entering Advanced Social Engineering :)
course offered by not-so-ethical hacker training facility next door.
3.243F6A8885A308D313
While "Institute of Certified E-Commerce Consultants" has a nice ring to it, it's a little ambiguous.
The submitter has put in the wrong website - The CEH site is at http://www.eccouncil.org/CEH.htm
It is a penetration testing certification for people who can't do penetration testing.
Really, you ought to know all this stuff as part of your job if you are a sysadmin or a developer, just like a police detective knows all the easy ways to commit crimes.
Sooner or later you are going to work with some dumb ass and it will be your responsibility to (tactfully) demonstrate all the security holes they have introduced in their code.
Standalone so-called "security experts" are all useless poseurs. Twice now I have encountered "ethical hackers" in the job, hired by high-up muckety mucks, who told me "we like totally 0wned your systems d00d" and then refused to disclose to me what they had done. My logs said nothing, nobody took any action, and as far as I could tell it was all bullshit. (I owned all the servers, routers, and firewalls, so I should have known.)
I've only encountered one "security expert" who could ever actually demonstrate a non-obvious exploit to me, and that was in the Solaris 2.5 days.
"Ethical hacking" is core competency of any experienced system administrator. I'm amazed that there are so many senior sysadmins out there who don't or can't lock down their systems, or think that security is some kind of separate thing from system administration. I'd never hire any of them.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
It wasn't a 5 day 8-hour a day class. It was 12 days from 0800 to 2100(ish) hours with a few breaks during the day.
It was a chance to play with a lot of nasty stuff on machines that were there for the purpose of breaking in a controlled environment.
The biggest positive was that someone sent two PHBs to the class to see if it was worth sending techs - they got to see first hand what was out there, what the risks were and ways to help their guys secure their networks. Nothing like people seeing for themselves what their staff is up against.
"but where else can you play hacking capture the flag?"
HackThisSite.org
Nothing new yet, I thought that he was out of article to post and discover at Google that there is a thing called Ethical Hacker.
http://www.michel.eti.br
Ok, but first I need to leverage my botnet to extort the money I need for the price of admission.
-R
The term 'ethical' seems to be misused. It's not the teaching that will be ethical/unethical, it's what the students will do with the material taught after they leave the bootcamp.
Someone who visits a cracker website where unethical behavior is sometimes promoted to learn how to bypass IDS' only so that he can better secure his own IDS against emerging attacks does not appear to me as being unethical. Similarly, someone who attends a SANS course or some 'ethical hacker bootcamp' and goes out and uses his newly learned skills to DoS networks will certainly not be acting out in an ethical manner.
I'm under the impression that the people running the boot camp are simply trying to exploit the mysticism that surrounds the hacker culture while reassuring the general population (and the ones who will be paying the bill such as your boss) that the students who will be coming out of the camp will be 1337 H4x0rs who will only use their skills for the greater good of humanity.
Cheap marketing strategy targeted at Joe Six-pack if you ask me.
I worked at a training center through the whole dot-com bubble and up until recently. We had a ton of security classes, some of them excellent. However, anything with the term "hacker" was easier to sell. The students had a lot of fun, but they really didn't learn as much as with a more traditional approach. In the first generation of these classes they learned stuff like ping-of-death. For those who don't know, it's a tool that won't work on anything that's been invented after or patched since 1996. The students got to crash a horribly managed system, but gained no useful skills doing so.
From the article -- in the first half day ($500 of his tuition), the reporter learned how to "hack" into a database that was completely unsecured. If the admin had even bothered to apply SQL Server service pack 3 (released two years ago), it would have warned him of the problem and forced him to fix it. The admin would also have to make a second horrible mistake of opening port 1433 to the Internet.
How would this lesson help the student secure his own network? If his SQL admins are leaving sa's password blank, they should be fired, not trained. As for the SQL injection stuff -- I teach every one of my web development students about it when we learn about connecting to databases. Teaching the security guy about it is STUPID. Do you teach your kids to lock the house, or do you hire a home security service to come and lock it every time you leave? SQL injection needs to be dealt with at the point of the problem -- so does database management and every other problem addressed in these courses.
Network security professionals should be learning about reducing attack surfaces and implementing security policies. They should learn how to defend against the problems of 2007, not 2005. All these "ethical hacker" classes do is scare the uninformed and provide a week long vacation for hard-core techies.
Another interesting side-effect of these classes is that students generally learn about technologies that have common problems. It's highly unlikely that a "certified ethical hacker" has experience with two-factor authentication, L2TP vpns, or Kerberos. But hey, they know how to crack an FTP server!!!! I'm going to hire one of these guys right now to fix my network.
Why is it called an ethical Hacker certificate? I thought this activity was called Cracking...
"All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke
"Hacker" is not a technical term. The word is meaningless. I have heard of the following referred to as "hacks" or "hackers": cab drivers, writers, and prison guards - not to mention smokers and hacky-sack players.
In the IT realm "hacker" has strongly negative connotations, no matter if you say "ethical" or not.
If by "ethical hacker" you mean specialist in penetration testing, then call it that.
We've been offering the CEH for a short while now, and it's definitely a racket. We charge the client some ridiculous amount of money (I didn't know the amount, but 4300 would sound about right), and run through some basic techniques.
The PowerPoint slides provided by the 'Institute' are garish and unprofessional, there are no other materials for the trainers to work with, and the techniques are quite basic as previously mentioned: portscans, HTTP referer spoofing and the like. Having seen the contents of the course, I wouldn't take it.
(Posting as AC so I don't get fired (yet))
Put a single quote mark in the user name line of a password. If you get a particular error message, you know that site is vulnerable to a technique of stealing database contents called "sequel injection." It's good to see that they are learning something then...
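The training-center poster above argues that SQL injection has to be fixed where the query is written, and the article passage quoted here describes the single-quote check; as an added example (not code from the article, the course, or any poster), here is the string-concatenated query beside its parameterised fix in Python with sqlite3, against a constructed in-memory user table, with a hypothetical quote_probe helper showing why only the concatenated form answers a quote in the input with a database error:

```python
import sqlite3

# Constructed sample rows for the demo; the password column holds placeholder
# strings, not a real credential scheme (assumption made for this example).
SAMPLE_USERS = [("alice", "placeholder-1"), ("bob", "placeholder-2")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    """The 'before' form: user input is pasted straight into the SQL text.

    A single quote inside the name closes the string literal early, so the
    engine sees malformed SQL and raises a syntax error. That error message is
    exactly what the article's single-quote check is looking for.
    """
    query = "SELECT name FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchone()


def hardened_lookup(conn, username):
    """The fix at the point of the problem: a parameterised query.

    The input reaches the engine as a bound value, never as SQL text, so a
    quote in it is just a character to compare against and no error leaks.
    """
    query = "SELECT name FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchone()


def quote_probe(lookup, conn, username="o'hara"):
    """Run one lookup against a name containing a single quote (constructed
    test input) and report whether the engine raised the tell-tale error.

    Returns (raised_syntax_error, row). A defender can use this in a unit test
    to catch concatenated queries before they ship.
    """
    try:
        return False, lookup(conn, username)
    except sqlite3.OperationalError:
        return True, None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", quote_probe(vulnerable_lookup, db))
    print("hardened:  ", quote_probe(hardened_lookup, db))
```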
In the CS 410/596 Network Management and Security class at Portland State University there is a capture the flag exercise which lasts about 6 weeks of the term. This goes on concurrent to the normal class activities and is a 24x7 exercise as would be the case in the real world. Not sure on the exact details as I am just taking the class now and the first day was yesterday.
That having been said, being a hacker (ethical or not) is IMHO more a state of mind and an attitude than plain knowledge of tools and techniques. Those of the attendees who did not dig into the topic before attending the course will not turn into expert hackers by knowing the tools and tricks and by passing an exam but it surely is quite good for pen testing. Yes, the pen tester ideally should be as sophisticated as the attacker but I have seen pen testers (for very respected companies like KPMG) who were no hackers at all and all they knew was what they had learned from their hacker colleagues on the job.
In our Sec504 class is only one lady who by the way seems to be Muslim (she wears a veil). Cyber terrorists anyone? Of course I do not want to suggest that she might be an extremist with bad intentions, but still - it makes me wonder. I mean, remember the 9/11 terrorists who learned how to fly a plane in the states? Are you sure that there is not the next generation of cyber terrorists educated (Al-Qaeda could probably well afford the price tag for those courses).