crazyphilman writes: Still, there's GOT to be a better way to spin this to the media. People are bound to react badly, don't you think? I don't have a lot of faith in people suddenly developing open minds...:)
You're absolutely right. But for better or worse, I don't have editorial control of what the media says about this program. If I did, would you trust anything I said (not that you do now, but hypothetically speaking:-)?
On the one hand people will react badly when they see "hacker school." On the other hand, the very controversy surrounding the word "hacker" (or even whether it's the right word) brings public attention to the issue of information security and initiates an open dialog. The mission of the ISF is to raise public awareness of INFOSEC issues, so from that standpoint we've succeeded.
I just hope that our good deed will go unpunished.
shaitand writes: [...] If they are teaching these kids to be real hackers it means being fluent in at least 6 languages, [...], the list goes on and on...
A very good point, but everyone has to start somewhere. Some people posting here seem to be saying that if the Tiger Team program doesn't crank out "real" hackers, it's not worth doing. Knowledge is easy to acquire, but fluency and expertise require experience. Even a savant doesn't become an expert instantaneously, and most people aren't savants.
fjaffe writes: Good Question. Andy Robinson, the originator of the program thought up the name.
Just to clarify Frank's post, I didn't originate the term "Tiger Team." It has been used for some time to describe the "red team" in both physical and electronic security evaluations.
crazyphilman writes: Instead of teaching people how to hack systems, wouldn't it make more sense to teach them how to set up firewalls properly, restrict setuid, restrict the number of services running [...]. That sort of thing would be useful to kids, instead of just making them unemployable.
The Tiger Team program does both. In a "capture the flag" environment, both teams have to install, harden, and monitor their own systems as well as probe the other team's systems. Vulnerability analysis, penetration testing, or whatever term you want to use for "ethical hacking," is a major component of any good risk assessment strategy.
As for unemployable, think again! Not only do information security companies hire people who have these skills and experience, but many industries that are required to conduct risk assessments by law and regulation (such as the banking industry) are actively seeking such people as well.
This is not to say that Tiger Team "graduates" are ready for this sort of work. They have simply taken the first step on the road. To flog my martial arts analogy, they will have graduated to yellow belt.
Andy Robinson
Information Security Foundation
www.isfound.org
I absolutely hate the word "hacking" when used in the media
I read the MIT Hacker's Dictionary before many people posting in SlashDot were born. The fact is that "hacker" and "hacking" have had a pejorative connotation for a long time. I remember the University of Maine operations manager calling me a "hacker" (in a disparaging tone) in 1980 when I first exploited a race condition to break out of the limited student shell into "full CMS" (the humor here will only be apparent to those who have experience with IBM's VM mainframe operating system).
You can rail against this usage all you want, but it's an accomplished fact--and I at least have given up trying to convert the rest of humanity to "cracker" or "threat agent." Perhaps we can all join a class action suit against "the media" based on defamation of character, and force them to use something more acceptable. But probably not.
Andy
Andrew T. Robinson
President, Chairman
Information Security Foundation
www.isfound.org
Emperor Tiberius writes:
From what I've heard of Mr. Robinson's company he lacks the expertise in some of the "higher-level" blackhat ideas
You may be right. Even after 19 years as an IT professional and 13 years as an INFOSEC professional, I remain humble about my capabilities. Both my professional career and martial arts training have taught me that no matter how much you know, there is always at least that much left to learn.
Your comment, though, presupposes that the goal is to generate "high level" blackhats in a 7 week course. I don't care if we generate any blackhats. In fact, the purpose of the Tiger Team program is to identify young people interested in INFOSEC and get them started on an INFOSEC career path. The "capture the flag" aspect makes it fun--but the real core of the course is ethics, teamwork, documentation, responsibility, and the other attributes that separate a legitimate INFOSEC professional from anyone else with INFOSEC pretensions.
In that regard, I and the other ISF (www.isfound.org) instructors definitely have the standing and qualifications to help these young people.
And in closing--it already has taken off!
Andy Robinson
President, Chairman
Information Security Foundation
www.isfound.org
Slashdot Mirror
You're absolutely right. But for better or worse, I don't have editorial control of what the media says about this program. If I did, would you trust anything I said (not that you do now, but hypothetically speaking :-)?
On the one hand people will react badly when they see "hacker school." On the other hand, the very controversy surrounding the word "hacker" (or even whether it's the right word) brings public attention to the issue of information security and initiates an open dialog. The mission of the ISF is to raise public awareness of INFOSEC issues, so from that standpoint we've succeeded.
I just hope that our good deed will go unpunished.
Andy
A very good point, but everyone has to start somewhere. Some people posting here seem to be saying that if the Tiger Team program doesn't crank out "real" hackers, it's not worth doing. Knowledge is easy to acquire, but fluency and expertise require experience. Even a savant doesn't become an expert instantaneously, and most people aren't savants.
Andy
Good Question. Andy Robinson, the originator of the program thought up the name.
Just to clarify Frank's post, I didn't originate the term "Tiger Team." It has been used for some time to describe the "red team" in both physical and electronic security evaluations.
Andy
Instead of teaching people how to hack systems, wouldn't it make more sense to teach them how to set up firewalls properly, restrict setuid, restrict the number of services running [...]. That sort of thing would be useful to kids, instead of just making them unemployable.
The Tiger Team program does both. In a "capture the flag" environment, both teams have to install, harden, and monitor their own systems as well as probe the other team's systems. Vulnerability analysis, penetration testing, or whatever term you want to use for "ethical hacking," is a major component of any good risk assessment strategy.
As for unemployable, think again! Not only do information security companies hire people who have these skills and experience, but many industries that are required to conduct risk assessments by law and regulation (such as the banking industry) are actively seeking such people as well.
This is not to say that Tiger Team "graduates" are ready for this sort of work. They have simply taken the first step on the road. To flog my martial arts analogy, they will have graduated to yellow belt.
Andy Robinson
Information Security Foundation
www.isfound.org
I read the MIT Hacker's Dictionary before many people posting in SlashDot were born. The fact is that "hacker" and "hacking" have had a pejorative connotation for a long time. I remember the University of Maine operations manager calling me a "hacker" (in a disparaging tone) in 1980 when I first exploited a race condition to break out of the limited student shell into "full CMS" (the humor here will only be apparent to those who have experience with IBM's VM mainframe operating system).
You can rail against this usage all you want, but it's an accomplished fact--and I at least have given up trying to convert the rest of humanity to "cracker" or "threat agent." Perhaps we can all join a class action suit against "the media" based on defamation of character, and force them to use something more acceptable. But probably not.
Andy
Andrew T. Robinson
President, Chairman
Information Security Foundation
www.isfound.org
You may be right. Even after 19 years as an IT professional and 13 years as an INFOSEC professional, I remain humble about my capabilities. Both my professional career and martial arts training have taught me that no matter how much you know, there is always at least that much left to learn.
Your comment, though, presupposes that the goal is to generate "high level" blackhats in a 7 week course. I don't care if we generate any blackhats. In fact, the purpose of the Tiger Team program is to identify young people interested in INFOSEC and get them started on an INFOSEC career path. The "capture the flag" aspect makes it fun--but the real core of the course is ethics, teamwork, documentation, responsibility, and the other attributes that separate a legitimate INFOSEC professional from anyone else with INFOSEC pretensions.
In that regard, I and the other ISF (www.isfound.org) instructors definitely have the standing and qualifications to help these young people.
And in closing--it already has taken off!
Andy Robinson President, Chairman Information Security Foundation www.isfound.org