Slashdot Mirror


Hacker Boot Camp

abb_road writes "Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.' The camp serves companies' increasing needs for home-grown white hats, and covers topics ranging from the non-technical (social engineering and policy creation) to code-level attacks (buffer overflows and SQL injections). The tuition seems a bit steep for materials that, as the article notes, are 'freely available over the web'--but where else can you play hacking capture the flag?"


  1. Hmm? by SirTalon42 · · Score: 5, Funny

    "but where else can you play hacking capture the flag?"

    The internet, like all the other hackers are already doing?

  2. ::groan:: Please make this go away. by XorNand · · Score: 5, Interesting

    Is it just me, or does the very name "certified ethical hacker" seem like an utterly stupid, attention-whoring term? It reminds me of the kids who hang out on IRC asking "How do I hack someone's computer if I have their IP address?". People don't go to "certified ethical arsonists" bootcamps, they study fire science at an accredited school.

    It sounds like this bootcamp just teaches people a handful of tricks that can be used to impress hiring managers. (Mentioned in the article: The default MS SQL login is "sa" with no password. Well, that tidbit is not going to do you much good if you're assessing any version of SQL Server released within the past six years.) Do they explain the difference between a frame, packet, and datagram? All specifics and no theory.

    --
    Entrepreneur : (noun), French for "unemployed"
    1. Re:::groan:: Please make this go away. by bluelip · · Score: 4, Interesting

      I've been to this training. We had our hands held while having ethereal, nmap, and such tools demonstrated. It's a total waste of money for a technical person.

      It may be useful to scare management into securing their networks though.

      For better training, check out http://pulltheplug.org/ and the dozens of other "war games" out there.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
  3. Institute To Blow Smoke Into Uncomfortable Places by American+AC+in+Paris · · Score: 5, Informative

    While "Institute of Certified E-Commerce Consultants" has a nice ring to it, it's a little ambiguous.

    I recommend they switch to "Important-Sounding Portal Site of Certified E-Clipart and Buzzwords". Gah. That site isn't just an eyesore; it's a brainsore. Basically, you send them money, they send you off to a third-party training course, throw you in a database and give you some logos and certificates with important-sounding words. Oh, and you'll be certified. It'll take your resume to the next level (where, presumably, we can find our princess.)

    Ah, but now to the meat of the matter--the legal disclaimer!

    l) Educational Licenses, Accreditation, and State Sanction. The ICECC does not claim to be a college or university nor does it claim accreditation from any 501 bodies, state, or federal government agency or body. The ICECC is not a 501c3 organization and never has claimed to be a tax free or charitable entity. The ICECC may engage in business with charitable organizations or form alliances with charities that operate under 501 but the ICECC operates as a responsible, growing, proprietary, growth oriented, and profit oriented association and company. The ICECC is an independent authority similar to other American Associations. The ICECC grants certificates, certifications, marks, designations, and charters much like hundreds of other legal educational and recognition institutes or associations in the United States. The ICECC strictly follows the criteria of the Ibanez decision in the United States. We encourage all members and certified members to meet all requirements for education, experience, testing, ethics, and continuing education. The ICECC licenses its marks and logos to others. The marks are generally licensed to individuals. The ICECC will license the CEC and other marks and logos to companies, universities, or other uses upon the consent of its board. The ICECC outsourses to other companies for training and education that is provided online. The ICECC does not collect money for the courses, provide the service, teach the class, enter into a contract with the student. THe company providing the education and training is simply using our site as a distribution point. THe ICECC may receive a referral fee, rebate, revenue share, or other payments for providing the website that afforded the sale of the service to the customer. In sum, you accept that we are not responsible for the performance of any education or training contract. 
    We do not hold any of your private information that you submitted to the training, course, or education provider although directory infomation may be exchanged. This information is limited to email address, phone number, name, employer, educational degrees and background. [emphasis mine]

    Makes ya feel all edjumicated already, dunnit?

    Of course, all the above is moot; it fails the sniff test (twice, no less!) on its home page:

    Don't forget to bookmark us! (CTRL-D)

    Trust me, I didn't forget.

    ...as for the course itself, it seems to be little more than a rote lesson in exploiting commonly known weaknesses, such as default passwords and poorly-configured servers. From the BusinessWeek article:

    ALARMING LAPSES. And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.

    It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successful

    --

    Obliteracy: Words with explosions

  4. 4 Grand? by hairykrishna · · Score: 4, Insightful

    4 grand for that? I wouldn't classify that as 'ethical'!

    --
    "Physics is to math as sex is to masturbation." -R. Feynman
  5. just like "ninja training camp" by blue_adept · · Score: 4, Funny

    you spend a week learning all the "Secret Ninja Moves" and when you're done, you're a real life ninja. ... right? r-right?

    --

    "Is this just useless, or is it expensive as well?"
  6. ReBoot Camp by digitaldc · · Score: 4, Funny

    Business Week sent a reporter to TechTrain's ethical hacker training camp, where, for $4,300, participants spend five days working towards ICECC's 'Ethical Hacker Certification.'

    As opposed to the 'Unethical Hacker Certification' where companies pay you $43,000.00 or more to stop disabling their websites.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  7. Heh by JavaLord · · Score: 4, Funny

    From the article:

    you know that site is vulnerable to a technique of stealing database contents called "sequel injection."

    Is this an attack based on the recent Star Wars trilogy? Someone should inform the author it's still written "SQL injection" despite how it sounds.

  8. Certified Ethical Hacker? by Malor · · Score: 4, Interesting

    A more accurate label would be "Five Day Script Kiddie Class".

  9. Defcon by evenprime · · Score: 4, Insightful

    You can play at Defcon, but the level of the competition would probably be a bit intimidating for people who attend a boot camp.

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  10. Been there done that by codepunk · · Score: 4, Informative

    I have been to it, the course ware is fairly extensive but was boring none the less. I cannot see much of the slashdot crowd getting much from it, just a rehash of common knowledge tools and techniques that we pretty much have all heard of.

    Now I was stuck in a room full of MS and MCSE zombies who did not know the difference between a TCP and UDP packet. Just listening to the students talk I could feel the grey matter being sucked from my head....sort of like a high school student sitting in on a first grade class.

    --


    Got Code?
  11. "Hacking" exercises... by TechnoGuyRob · · Score: 4, Informative

    I am a systems administrator at www.hackthissite.org (HTS), and at HTS, we intend to do just what this camp intends to--but for a nice sum of $0.

    Although we are currently working on a new version of the site (dubbed "HTSv4"), the current place still has plenty of opportunities to gain knowledge in (ethical and legal) areas of computer security, such as XSS injection, SQL injection, buffer overflows, programming, and countless other topics--all through personal experience with the "missions" on the site.

    I think it is very important for people who are going into computer development of any kind to be aware of these issues. Personal experience and skill in computer security can only be beneficial, and will teach one to code applications that are capable of defense from outside intrusion.

  12. Re:What are the entry requirements? by dr_dank · · Score: 5, Funny

    Anyone can learn these tricks at any time anywhere. They don't need to go to a school to find them.

    Agreed. I'm about to cost these bastards lots of money by giving away their secrets. Gang, listen closely. First, watch the film Hackers a few times and try to dress as they do. Nothing shows up a non-hacker faster than one out of uniform.

    Next, install any CLI-based OS. DOS, Linux, doesn't matter.

    Now that you have a command prompt (with the blinking cursor, nothing else will do), you can hack anything! Type in a command like "reroute airtraffic > Boise" and watch all of those jets turn around. Steal the latest Hollywood flick with "download harrypotter.movie now". Want to make your idiot neighbors' power blink in and out, spelling "I am t3h fag0rz" in morse code? Go right ahead. You're only limited by your imagination.

    DISCLAIMER: I am not responsible for the misuse of the preceding information.

    --
    Where does the school board find them and why do they keep sending them to ME?
  13. Re:What are the entry requirements? by Your+Pal+Dave · · Score: 5, Funny

    Wouldn't you also need a keyboard which beeps with every keystroke and a monitor which projects shapes onto your face as you work?

  14. Re:What are the entry requirements? by databyss · · Score: 5, Funny

    What about the exceedingly slow save program?

    I want to make sure that whenever I save a file it goes extremely slowly and shows me every percent along the way.

    Oh, and it has to flash every bit of data on screen as it saves. I'm sure it'll work out some sort of proper layout too.

    Otherwise, how would I know it's actually saving the proper data?

    --
    Hmmm witty sig or funny sig? Maybe elitist techy sig!