Slashdot Mirror
Hacker Boot Camp
abb_road writes "Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.' The camp serves companies' increasing needs for home-grown white hats, and covers topics ranging from the non-technical (social engineering and policy creation) to code-level attacks (buffer overflows and sql injections). The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'--but where else can you play hacking capture the flag?"
"but where else can you play hacking capture the flag?"
The internet, like all the other hackers are already doing?
Is it just me, or does the very name "certified ethical hacker" seem like an utterly stupid, attention-whoring term? It reminds me of the kids who hang out on IRC asking "How do I hack someone's computer if I have their IP address?". People don't go to "certified ethicial arsonists" bootcamps, they study fire science at an accredited school.
It sounds like this bootcamp just teaches people a handful of tricks that can be used to impress hiring managers. (Mentioned in the article: The default MS SQL login is "sa" with no password. Well, that's tidbit is not going to do you much good if you're assesing any version of SQL Server released within the past six years.) Do they explain the difference between a frame, packet, and datagram? All specifics and no theory.
Entrepreneur : (noun), French for "unemployed"
I recommend they switch to "Important-Sounding Portal Site of Certified E-Clipart and Buzzwords". Gah. That site isn't just an eyesore; it's a brainsore. Basically, you send them money, they send you off to a third-party training course, throw you in a database and give you some logos and certificates with important-sounding words. Oh, and you'll be certified. It'll take your resume to the next level (where, presumably, we can find our princess.)
Ah, but now to the meat of the matter--the legal disclaimer!
l) Educational Licenses, Accreditation, and State Sanction. The ICECC does not claim to be a college or university nor does it claim accreditation from any 501 bodies, state, or federal government agency or body. The ICECC is not a 501c3 organization and never has claimed to be a tax free or charitable entity. The ICECC may engage in business with charitable organizations or form alliances with charities that operate under 501 but the ICECC operates as a responsible, growing, proprietary, growth oriented, and profit oriented association and company. The ICECC is an independent authority similar to other American Associations. The ICECC grants certificates, certifications, marks, designations, and charters much like hundreds of other legal educational and recognition institutes or associations in the United States. The ICECC strictly follows the criteria of the Ibanez decision in the United States. We encourage all members and certified members to meet all requirements for education, experience, testing, ethics, and continuing education. The ICECC licenses its marks and logos to others. The marks are generally licensed to individuals. The ICECC will license the CEC and other marks and logos to companies, universities, or other uses upon the consent of its board. The ICECC outsourses to other companies for training and education that is provided online. The ICECC does not collect money for the courses, provide the service, teach the class, enter into a contract with the student. THe company providing the education and training is simply using our site as a distribution point. THe ICECC may receive a referral fee, rebate, revenue share, or other payments for providing the website that afforded the sale of the service to the customer. In sum, you accept that we are not responsible for the performance of any education or training contract. We do not hold any of your private information that you submitted to the training, course, or education provider although directory infomation may be exchanged. This information is limited to email address, phone number, name, employer, educational degrees and background. [emphasis mine]
Makes ya feel all edjumicated already, dunnit?
Of course, all the above is moot; it fails the sniff test (twice, no less!) on its home page:
Don't forget to bookmark us! (CTRL-D)
Trust me, I didn't forget.
ALARMING LAPSES. And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.
It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successful
Obliteracy: Words with explosions
4 grand for that? I wouldn't classify that as 'ethical'!
"Physics is to math as sex is to masturbation." -R. Feynman
2. Who out there is going to accredit this "certfication" to be sure it's worth more than the paper it's printed on?
3. Isn't one of the fundamental concepts of "hacking" to be anti-establishment? To break the rules and sock it to the man? Getting certified is about as establishment as you can get.
-Kurt
"We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
you spend a week learning all the "Secret Ninja Moves" and when you're done, you're a real life ninja. ... right? r-right?
"Is this just useless, or is it expensive as well?"
Sorry, but people can't really learn ethics in a 5 day camp. Ethics begin at home and in early childhood. It comes from the people who raise you and the people you're around as you grow. A 5 day camp is going to have absolutely no impact on your ethics. By the time you're old enough to go to a hacker camp, your ethics (or lack thereof) are firmly established. 5 days of camp is simply going to give them some new skillz to use ethically or unethically.
and all those popups will read - get your ethical hacking certificate for 2k! Just click on the monkey - I did!
Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.'
As opposed to the 'Unethical Hacker Certification' where companies pay you $43,000.00 or more to stop disabling their websites.
He who knows best knows how little he knows. - Thomas Jefferson
From the article:
you know that site is vulnerable to a technique of stealing database contents called "sequel injection."
Is this an attack based on the recent star wars trilogy? Someone should inform the author it's still written "SQL injection" despite how it sounds.
From the Article
They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill. For more sophisticated classes there are background and criminal checks.
The new paper MSCE certification for the 21st century.
Is this an attack based on the recent star wars trilogy?
Yes, I believe the famous last words were, 'It's a trap!'
He who knows best knows how little he knows. - Thomas Jefferson
A more accurate label would be "Five Day Script Kiddie Class".
AOL has some chat rooms with hundreds of the very best hackers in the whole wide world answering questions and handing out all kinds of scripts 24/7. You have to be very smart and a real hacker to run a script from an AOL hacker chatroom.
Brought to you by Carl's Junior.
I want that T-shirt. And on the back I could put 1337 L0v3 5k1llz!
This appears to be similar to the highly regarded SANS GIAC Certified Incident Handler (GCIH) Course, SEC-504: Hacker Techniques, Exploits & Incident Handling, which I attended a while back. The SANS course was excellent and is often taught by Ed Skoudis. Its challenging, but also very worthwhile. They cover how to create an Incident Handling team and then launch in to Reconnaissance, Scanning, Exploits, Keeping Access, and Covering Your Tracks. It would take too long to list out all of the different tools and tactics that they covered, but it's pretty comprehensive.
It's a great course, and I highly recommend it to anyone involved in computer security. The insight into how attackers target, gather information, compromise, and maintain access on systems has been invaluable in understanding how to then try and close the holes and mitigate the risks. You'll never be 100% invulnerable on a machine or network that you actually use for anything, but if you know how to think like an attacker and what the current tools are capable of, then you'll be able to fix most of it.
You can play at defcon, but the level of the competition would probably be a bit intimidating for people who attend a boot camp.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
As a reformed "script kiddie", who once ran havok on your servers back in the 90's (sorry about that by the way) I must tell you that stories like this make me laugh. In my experience, the essence of all "hacking" is the same: the pursuit of an answer to a question.
Eventually, I discovered that the "real" hackers grew-up and got "real" jobs, so I did the same. However, like most hardcore IT people I know (not the MCSE morons), this inquisitive nature still lies at the heart of...well...me (whatever that is).
Point being: like life, hacking can't be taught, it must be experienced.
And just like life, it can be experienced 2nd-hand (via books or "training"), or, we can grow balls and go make some mistakes ourselves. The "wackos" like me will always opt for option B, and computers have nothing to do with this.
Math is math. Regular expression is regular expression. The tools are there. The future is now.
For the paltry sum of only $1000US, I'll send you a genuine Certificate of Ethical Hacking, Keytar Playing, and Being Good To Your Mom.
I'll even load my ink-jet printer with the impressive expensive paper.
Slashdot Burying Stories About Slashdot Media Owned
Anyone can learn these tricks at any time anywhere. They don't need to go to a school to find them. If you think someone going to a boot camp is going to become some 1337 h4x0r, well you might as well also start advocating destroying the internet.
"I use a Mac because I'm just better than you are."
I have been to it, the course ware is fairly extensive but was boring none the less. I cannot see much of the slashdot crowd getting much from it, just a rehash of common knowledge tools and techniques that we pretty much have all heard of.
Now I was stuck in a room full of MS and MCSE zombies who did not know the difference between
a TCP and UDP packet. Just listening to the students talk I could feel the grey matter being sucked from my head....sort of like a high school student sitting in on a first grade class.
Got Code?
I am a systems administrator at www.hackthissite.org (HTS), and at HTS, we intend to do just what this camp intends to--but for a nice sum of $0.
Although we are currently working on a new version of the site (dubbed "HTSv4"), the current place still has plenty of opportunities to gain knowledge in (ethical and legal) areas of computer security, such as XSS injection, SQL injection, buffer overflows, programming, and countless of other topics--all through personal experience with the "missions" on the site.
I think it is very important for people who are going into computer development of any kind to be aware of these issues. Personal experience and skill in computer security can only be beneficial, and will teach one to code applications that are capable of defense from outside intrusion.
Anyone can learn these tricks at any time anywhere. They don't need to go to a school to find them.
Agreed. I'm about to cost these bastards lots of money by giving away their secrets. Gang, listen closely. First, watch the film Hackers a few times and try to dress as they do. Nothing shows up a non-hacker faster than one out of uniform.
Next, install any CLI-based OS. DOS, Linux, doesn't matter.
Now that you have a command prompt (with the blinking cursor, nothing else will do), you can hack anything! Type in a command like "reroute airtraffic > Boise" and watch all of those jets turn around. Steal the latest hollywood flick with "download harrypotter.movie now" Want to make your idiot neighbors power blink in and out, spelling "I am t3h fag0rz" in morse code? Go right ahead. You're only limited by your imagination.
DISCLAIMER: I am not responsible for the misuse of the preceding information.
Where does the school board find them and why do they keep sending them to ME?
Wouldn't you also need a keyboard which beeps with every keystroke and a monitor which projects shapes onto your face as you work?
> It'll take your resume to the next level (where, presumably, we can find our princess.)
"Thank you Mario! But your certificate is in another castle!"
Instead of going with that company I would recommend either EC-Council or Vigilar/IntenseSchools for your CEH training needs.
I attended Vigilar's CISSP Boot Camp (Larry Greenblatt was the instructor) and had a very good experience. Passed the test the first time. They strictly adhere to the Code of Ethics of the various certification organizations and their NDAs. They will not tell you what's on the test like certain MS training camps.
My NT350 class at Herzing School of Technology (a traditional brick and mortar tech school with a new online branch) taught by Curt Gibeau (sp?) was like this. Only my tuition was $1200 I think, and the course was 16 three hour night classes. We were broken into groups (2-3 net-workers and 1 programmer in each group). Each group was given standard enterprise requirements (AD, email, file storage, database, web server, client machine). We could use what ever OSs and software packages we liked, and we could run up to 5 machines. Over the course of the class we went over security theory and specifics for demonstrations, and then we would break into groups to work on building and securing our group enterprises.
In the end we didn't have quite as much attack time as we had hoped, and a lot of vectors were blocked off because we all knew we were going to be attacked and there was no real life activity on the networks. So everyone was was scrounging each others networks for any mistakes or missed patches. Some people had honey pots, some people hosted exploiting web pages, but for the most part, there was little damage. But we all learned a lot about securing networks and servers, and different ways to minimize risks.
All in all, definitely a class that was worth taking. I would recommend it to anyone in range of a Herzing campus, but the Teacher I had is no longer teaching (he's a full time network admin for the school now) and I have no idea how the class is arranged any more.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
What about the exceedingly slow save program?
I want to make sure that whenever I save a file it goes extremely slowly and show's me every percent along the way.
Oh, and it has to flash every bit of data on screen as it saves. I'm sure it'll work out some sort of proper layout too.
Otherwise, how would I know it's actually saving the proper data?
Hmmm witty sig or funny sig? Maybe elitest techy sig!
all with links.
Further still, you get
Each one of those is a link, and every single one of them to the same domain.
This is a spammer site, and every page on the site has a footer labeled "links and sponsorship," also filled with spam links. I feel really bad for the poor suckers who wind up giving them money.
Also from their TOS:
The whole organization is a joke.
REM Old programmers don't die. They just GOSUB without RETURN.
you might know exactly what you're doing, but without a certification, most employers won't know that and you have no proof.
and plus the whole thing prevents you from having to risk getting a criminal record during your "practise".
upon the advice of my lawyer, i have no sig at this time
What about the exceedingly slow save program?
I want to make sure that whenever I save a file it goes extremely slowly and show's me every percent along the way.
Those should be avoided. Prolonged exposure to the loud suspenseful music that accompanies just-in-the-nick-of-time saving has been shown to be harmful to your hearing.
Where does the school board find them and why do they keep sending them to ME?
I currently attend WSU. Dr. Mateti is certainly a great professor (he says after changing majors after taking Mateti's OS course) and did push hard for an "ethical hacking" class. I was going to take it before I changed my major, but I heard from several friends that they learned more in that class than any other class they took at WSU.
For anyone interested in the class (CEG 429), Dr. Mateti licenses all his lecture notes under the Open Publication License.
I thought that was the point. Just like all of the people who have seminars on how to get rich. The moral of the story is that if you want to be rich and famous, you need to exploit the hopes of people who are too stupid to realize that it's a scam.
While "Institute of Certified E-Commerce Consultants" has a nice ring to it, it's a little ambiguous.
The submitter has put in the wrong website - The CEH site is at http://www.eccouncil.org/CEH.htm
It is a penetration testing certification for people who can't do penetration testing.
It wasn't a 5 day 8-hour a day class. It was 12 days from 0800 to 2100(ish) hours with a few breaks during the day.
It was a chance to play with a lot of nasty stuff on machines that were there for the purpose of breaking in a controlled environment.
The biggest positive was that someone sent two PHBs to the class to see if it was worth sending techs - they got to see first hand what was out there, what the risks were and ways to help their guys secure their networks. Nothing like people seeing for themselves what their staff is up against.
I worked at a training center through the whole dot-com bubble and up until recently. We had a ton of security classes, some of them excellent. However, anything with the term "hacker" was easier to sell. The students had a lot of fun, but they really didn't learn as much as with a more traditional approach. I the first generation of these clases they learned stuff like ping-of-death. For those who don't know, it's a tool that won't work on anything that's been invented after or patched since 1996. The students got to crash a horribly managed system, but gainde no useful skills doing so.
From the article -- in the first half day ($500 of his tuition), the reporter learned how to "hack" into a database that was completely unsecure. If the admin had even bothered to apply SQL Server service pack 3 (release two years ago), it would have warned him of the problem and forced him to fix it. The admin would also have to make a second horrible mistake of opening port 1433 to the Internet.
How would this lesson help the student secure his own network? If his SQL admin are leaving sa's password blank, they should be fired, not trained. As for the SQL injection stuff -- I teach every one of by web development students about it when we learn about connecting to databases. Teaching the security guy about it is STUPID. Do you teach your kids to lock the house, or do you hire a home security service to come and lock it every time you leave? SQL injection needs to be dealt with at the point of the problem -- so does database management and every other problem addressed in these courses.
Network security professionals should be learning about reducing attack surfaces and implementing security policies. They should learn how to defend against the problems of 2007, not 2005. All these "ethical hacker" classes do is scare the uninformed and provide a week long vacation for hard-core techies.
Another interesting side-effect of these classes is that students generally learn about technologies that have common problems. It's highly unlikely that a "certified ethical hacker" has experience with two-factor authentication, L2TP vpns, or Kerberos. But hey, they know how to crack an FTP server!!!! I'm going to hire one of these guys right now to fix my network.