Slashdot Mirror


User: FireFury03

FireFury03's activity in the archive.

Stories: 0 · Comments: 3,710

Comments · 3,710

  1. Re:Holely Cheese on Viewing Files on the Web Considered Possession? · · Score: 1

    The only reason they were still on his machine was that he was too clueless to clear the cache

    Clearing the cache does not necessarily help anyway - the computer forensics people are rather good at reconstructing deleted data.

  2. Re:Newsgroups on Viewing Files on the Web Considered Possession? · · Score: 2, Insightful

    If I fly into Bali and find someone has sneaked 4.1Kg of marijuana into my boogie bag without my knowledge, am I guilty of illegal importation?

    You can make reasonable efforts to keep your bag in sight at all times so someone doesn't get the opportunity. The same cannot be said about stuff you are downloading - you could download a Torrent that claims to be the latest copy of Fedora, only to find it's hard core kiddie porn - how were you to prevent this from happening?

  3. Re:Holely Cheese on Viewing Files on the Web Considered Possession? · · Score: 1

    If your car brakes go out and you hit someone, you're almost certainly going to be considered at fault.

    I think you are wrong.

    1. If there was a mechanical fault with your car brakes which you would not reasonably have known about until they actually failed I think it would be ruled an accident rather than your fault.
    2. If someone tampered with your brakes then you certainly aren't going to be considered responsible.

  4. Re:Mandriva on Firefox Faces Trademark Issues · · Score: 1

    Browser.

    Why not? It's no worse than calling a word processor "Word".


    Or appeal to the mass public and call it "The Intarweb"...

  5. Re:And FF continues to gain marketshare in Europe on Firefox Faces Trademark Issues · · Score: 1

    And they're going to try and get their grubby little hands on all this money free software is making.

    I think you can still sue for damages, even if the defendant isn't making any money, can't you? And like it or not, the Mozilla Foundation _does_ have some money.

  6. Re:No! on Firefox Faces Trademark Issues · · Score: 2, Insightful

    When I hear "firefox" or "phoenix," in no way would I automatically think of a web browser, or a software program at all.

    Because "Outlook" certainly sounds like an email client and "Excel" just makes you automatically think of a spreadsheet... And in fact, how do "Cheerios" tell you they're a breakfast cereal? Please...

  7. Re:I don't see what the big deal is... on Firefox Faces Trademark Issues · · Score: 1

    Mozilla gives away products. It also gives away the source for those products. It doesn't mind people making alterations to its products. It just wants you to not call it the same thing.

    That's not such a bad thing.


    And indeed it's not a bad thing - it prevents you getting multiple slightly different versions of the same program, which would truly confuse people. What's more, if you needed to modify it in a trivial way to make it work with your distribution, I'm sure you could negotiate with the Mozilla Foundation about the use of the trademark - just because the name is trademarked doesn't mean they can't negotiate the use of the trademark on 3rd party products.

  8. Re:sigh... on U.S. Offers Glimpse at Manhattan Project Facility · · Score: 1

    Both German and UK intelligence services believed Iraq had WMDs.

    Wrong - post-war investigations have shown that the UK intelligence services thought it very unlikely Iraq had WMDs and the government had in fact ignored that and outright lied to the public.

  9. Re:sigh... on U.S. Offers Glimpse at Manhattan Project Facility · · Score: 1

    Are you living under a rock or something? The war on terror has less to do with legitimate nation-states obtaining nuclear weapons (See: India and Pakistan) and more to do with rogue nations and terrorists from getting their hands on nuclear weapons.

    From what I can tell, the "war on terror" is all about scaring the shit out of law abiding citizens of countries like the US and UK whilst restricting their rights. Oh and invading other sovereign states on the grounds that they have weapons of mass destruction - yes, that's right, the war was justified against much public opposition (certainly here in the UK) on the grounds that there _were_ weapons of mass destruction in Iraq, despite no proof of this and in fact much evidence to the contrary... and guess what, the weapons inspectors couldn't find anything.... which is what the intelligence services had been suggesting all along.

    If the war had been justified with evidence of _something_ (not necessarily anything to do with weapons of mass destruction) then it may have been a valid thing to do - justifying it by lying to your citizens is not a good plan. Sadly recent elections have shown that the electorate either have very short memories or are just plain stupid.

    Simply allowing unfettered proliferation of nuclear weapons to fanatics unaccountable to their own people would be a bad--if not lethal--situation for everyone in the world.

    I'm not advocating the proliferation of nuclear weapons - I'm saying that before the US tells a country that they can't develop nukes, maybe the US should set an example and decommission their own. After all, if the enemy doesn't have any nukes, why the hell does the US need them to defend itself - you can bet that if the enemy suddenly had the means to build a nuke and the US found they needed to defend themselves, the US could knock one up in next to no time even if they had decommissioned the lot. As it is, sitting on top of your own nukes and telling everyone else that they can't have any themselves because they can't be trusted is completely hypocritical, especially when the US decides that it's going to illegally invade other countries whenever it pleases (admittedly not using nukes, but I fail to see how this promotes trust).

  10. Re:sigh... on U.S. Offers Glimpse at Manhattan Project Facility · · Score: 1

    it's an issue of who you trust.

    An issue of who who trusts? You may trust Bush (I don't) but I think it's fair to say most of the middle-east don't trust Bush... so I ask again, why is it ok for the US to have nukes but other countries not to have them? Is this because _you_ trust the US and not Iraq? What about the people who trust Iraq and not the US? Or are you making the claim that you are right, everyone else is wrong? How arrogant.

    I'm afraid I just see it as massively hypocritical to declare that it's ok for you to do something but no one else is trustworthy enough to do the same. If you're going to tell people they shouldn't be doing something you sure as hell shouldn't be already doing it yourself.

  11. Re:most attacks not spoofed on O'Reilly Revisits Online Countermeasures · · Score: 1

    I thought most DDoS attacks were just doing SYN floods

    SYN floods can be partially mitigated using SYN cookies... so assuming the server admin has enough clue to use SYN cookies there may not be a significant advantage in using TCP SYN requests over any other allowed traffic.

    Perhaps we should focus on getting ISPs to quickly correct the problem once it is identified to them, rather than dreaming up ways to retaliate.

    Unfortunately ISPs are lazy and a good proportion of them don't care about abuse reports, either letting them vanish into the bitbucket or leaving them to mature for a few months in the hope the problem will go away without them having to do anything about it. Maybe a central register of how responsive ISPs are to abuse reports would be a good move... If a good chunk of the internet started throttling all network traffic to/from an ISP based on how well it responds to abuse reports, maybe it would encourage the bad ISPs to get their finger out.

  12. Re:You know... on O'Reilly Revisits Online Countermeasures · · Score: 1

    I have had some servers get hit, and start attacking others. Now, if you were the target, and then started attacking one of my servers in retaliation, how does that help me?

    It doesn't help _you_, but then I suspect concern for your wellbeing went right out the window when you ran an insecure machine and got rooted. (Yes, I have been rooted in the past too, but I don't think I'd be in a position to complain if someone decided to retaliate against me for running a server that's attacking them).

    That said, maybe it does help you coz instead of having a rooted server running unnoticed on your network, the sudden outage would draw your attention to the compromise.

    From the point of view of everyone who isn't you, however, downing your machine prevents thousands of other machines being attacked. And each of the machines who you are attacking could potentially be cracked and used as a further attack staging platform so taking out your compromised machine could have a knock on effect of saving a great number of machines in the long run.

    I generally send out emails to companies or universities that have a trojaned machine that regularly attacks one of my machines

    Then you probably know how much of a shit most people give when they are told that their machine (or their customer's machine) has been compromised. Most of the time I don't bother informing people that they're cracked because it's not worth it - I used to notify the ISPs when I received attacks from their customers, I get a few tens of different machines running SSH brute force attacks against me and I'd guess that under 1% of the ISPs I notified actually bothered to take action. I for one don't have time to chase up hundreds of attacks a week for a 1% success rate at getting the offenders shut down or cleaned up. At least if everyone your machine attacks retaliates then you have no choice but to take notice of the problem.

  13. Re:Arms race example in the p2p world on O'Reilly Revisits Online Countermeasures · · Score: 1

    IANAL, but it depends on where the downloaders are located, and whether downloading the content is illegal according to local laws and international treaties that apply.

    There have been cases of people in countries where downloading is not illegal being successfully sued by people in the US for downloading _from_ the US. It seems that unfortunately local laws only apply locally but US laws apply globally (someone please explain to me why half the world's governments seem to find it necessary to bend over and take it up the arse when the US government or corporations ask them to, instead of protecting their own citizens who have broken no laws that apply to them?)

  14. Re:what about the counter-counter measures on O'Reilly Revisits Online Countermeasures · · Score: 1

    they downplay and ignore the security issues of having an unprotected computer on a fixed IP address just to ease the sale of their service.

    Sorry, but having a fixed IP address really isn't a security risk - unless you're a high-profile target pretty much all the attacks you get are directed at random IP addresses so having a fixed address gives you exactly the same probability of getting hit as if you have a dynamic address. Even worse, if a zombie is on a dynamic address, it makes it very difficult for the victims to block its attacks (I once ended up having to block an _entire_ ISP from my webserver because one of their customers with a dynamic IP kept log-spamming me and the ISP just ignored my abuse reports).

    Having said all that, I do believe the ISP should do more to combat zombied machines - chopping a customer's _entire_ internet access when the ISP detects they are launching attacks would be a good start (redirect all web requests to a web server with the fixes on). Just blocking the specific attack and letting the user's internet connection continue as normal is almost pointless because most of the time it won't encourage the user to fix their security - if they lose their entire connection every time they get compromised then they might start thinking about security. There are also too many ISPs who ignore abuse reports made against their customers, which does no one any good.

  15. Re:What can you do back that's legal? on O'Reilly Revisits Online Countermeasures · · Score: 1

    Self defense is one thing, but attacking back is another.

    Self defense and attacking back may well be the same thing. If you're sitting on a park bench and some guy comes up to you every 30 seconds and smacks you around the head with a baseball bat, I think you probably have every right to smack them back until they stop.

    IMHO what you _shouldn't_ do is a delayed reaction - if someone has stopped attacking you already then any retaliatory attack you make is offensive rather than defensive. Going back to the guy in the park who's smacking you with a baseball bat - if he gets bored and goes away then you don't exactly have the right to beat the crap out of him when you see him at the supermarket a couple of days later.

    I think there is something to be said for retaliating and taking down someone who is DoSing you, so long as you do it _during_ the attack (since you are then doing it to protect yourself rather than just as a bit of revenge) and so long as you can identify the attacker with close to 100% accuracy (i.e. you only retaliate to attacks that cannot be spoofed... which unfortunately rules out most DoS attacks). The only reason to retaliate against someone who has stopped attacking you is to protect other parties they might be about to attack, which I guess has some merit but is certainly more ethically dubious.

  16. Re:What can you do back that's legal? on O'Reilly Revisits Online Countermeasures · · Score: 1

    You can still mess with the attackers with things like tarpits, though.

    The Netfilter TARPIT target used to work very well, unfortunately AFAIK it still hasn't been ported to the 2.6 kernel.

    That said, I think you need to be very careful with tarpitting - i.e. only tarpit stuff which has no legitimate use over the public network (i.e. NetBIOS, etc). I'm very much against tarpitting legitimate ports (which you aren't running services on) such as HTTP, etc since it's entirely possible that someone is legitimately contacting your server on that port by mistake, rather than actually attacking you - whilst tarpitting won't do any serious harm to someone connecting by mistake, it is certainly quite impolite.

  17. Re:What can you do back that's legal? on O'Reilly Revisits Online Countermeasures · · Score: 1

    Imagine if IP spoofing is used. You can trick one of these networks into launching attacks towards the IP your program is spoofing as.

    There are certain attacks that can't be spoofed. For example, whilst you can spoof single TCP packets, you can't spoof an entire session (unless you control one of the routers the traffic would go through anyway). So if you only launch a defensive attack against unspoofable attacks then this would seem safe (unspoofable attacks include stuff like attacks over HTTP, SSH brute force attacks, etc).

  18. Re:good idea? on U.S. Offers Glimpse at Manhattan Project Facility · · Score: 1

    there were still IRA bombings up to the late 90s, no cold war then either. and the bombs did seem pretty bad because they killed and injured a lot of people.

    Indeed. And in fact, for the UK, the terrorist attacks on the US have probably been beneficial since they made the people in the US who fund the IRA's terrorism realise what their money was actually doing.

  19. Re:sigh... on U.S. Offers Glimpse at Manhattan Project Facility · · Score: 4, Insightful

    So many people seem obsessed with comparing Bush with Saddam/Hitler/Stalin/Pol Pot whoever. My reply is: Grow Up. If you truly can't see the difference between Bush and Saddam, then I truly feel sorry for you.

    No matter who you're talking about, I don't see what gives the right for one country who has weapons of mass destruction (and has used them in the past) to tell another country that they can't develop their own. If the US decommissioned its weapons of mass destruction then it would be in more of a position to make that point. Like it or not, the US is _not_ the most morally superior and trustworthy country in the world.

  20. Re:sigh... on U.S. Offers Glimpse at Manhattan Project Facility · · Score: 1

    I forgot--perhaps you can refresh my memory: How many nukes did we use in the most recent Iraq war?

    I think you can safely say that the US has killed more people with nukes than Iraq... Just because the US hasn't used a nuclear weapon recently shouldn't give them the right to tell other countries that they can't do the same - only when the US has decommissioned all its weapons of mass destruction would it be non-hypocritical to tell other people they shouldn't have weapons of mass destruction.

    In fact, given the US's history of trying to be the world's police force, I think many countries are more in need of weapons to defend themselves against an attack by the US than the US is in need of weapons to defend themselves.

  21. Re:sigh... on U.S. Offers Glimpse at Manhattan Project Facility · · Score: 0, Troll

    IMO the US can build as many nukes as they want.

    Why is it considered bad for a warmongering dictator (Saddam) to have weapons of mass destruction whilst it's ok for a warmongering dictator (Bush) to have weapons of mass destruction?

  22. Re:good idea? on U.S. Offers Glimpse at Manhattan Project Facility · · Score: 5, Insightful

    And congrats on being another one of the million Americans that think 9/11 should restrict everything we do.

    When I was growing up, here in the UK, we had terrorist attacks from the IRA every so often (bombings, shootings, etc. mainly in London). The thing that the politicians always said was "If the terrorists change the way we live our lives and restrict what we can do then they have won" (or words to that effect). Then a bunch of people flew a plane into a building in the US and it seems the terrorists have won since everything is now being restricted to prevent terrorism... how times change.

  23. Re:I'm all for science/technology/astronomy but... on Back to Moon in 2015? · · Score: 1

    Well yeah... But do it again, and build a base there this time, and use newer, faster, better, cheaper technology. Baby steps.

    Most 45 year olds aren't still taking baby steps :)

  24. Re:What do you do for a living? on Body Modifications Still Hinder IT Professionals? · · Score: 1

    I think, in its broadest form, this is what a hacker means generally: able novice

    Well, the New Hacker's Dictionary defines a hacker as "1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming." - the definition goes on a bit but the bit I quoted seems to be a pretty good definition of the term IMHO.

    try computer security enthusiast/expert

    Whilst I do do some work in the field of network security, I'm afraid as far as I'm concerned the term "hacker" has _nothing_ to do with security work - see the above definition. If you're talking about security work then you need to talk about security experts and/or crackers (of both the white-hat and black-hat varieties), not hackers.

    The use of the term "hacker" with regards to security (and in particular, illegal acts) is a corruption created by the media and is not the true meaning of the term.

  25. Re:What do you do for a living? on Body Modifications Still Hinder IT Professionals? · · Score: 1

    companies that want hackers ... "can I trust this spunky guy with my customer data?"

    In what way are hackers untrustworthy? I consider myself to be both a hacker and trustworthy... or are you mistaking the term "hacker" for "cracker"?