Ellyne Phneah's article, Black hats can benefit firms but precautions needed, considers both sides of the controversial subject of hiring black hats. The arguments Ellyne elicits from Eric Chan, who suggests that this practice can be beneficial, and my reactions, follow:

A pool of reformed hackers is available for hire

The article provides no evidence that the hacker community is in the throes of a moral reformation. Honestly, I'm not certain a reformation of this kind is all that attractive. In one possible scenario, the hacker admits to malicious, possibly criminal (possibly felony) acts. These admissions may result in arrest, prosecution, trial, and jail time. A second scenario is that some number of hackers already serving sentences claim they are reformed. In another scenario, a candidate interviews with you and privately discloses he is a black hat and describes his hacktivities. Work out the rest of this scenario for yourself. Are you comfortable with any of these scenarios?

Hackers have experience or know the trade

I won't argue that elite hackers may indeed have a keen understanding of programming, operating systems, and network protocols. Later in Ellyne's article, however, Richard George correctly points out that it is certainly possible to learn the same skills without breaking the law (I make the same points in my Security Hats article). I am willing to concede that these are opposing views, but I know of no body of scientific data to support the claim that black hats know the trade better than white hats. I do know that reports of high-profile security incidents demonstrate that certain black hats can successfully attack certain sites that are not adequately protected. I also know that black hat activities get better press and social media coverage than white hats. Do you recall the last time you read an article praising a white hat for having secured his shop so well that black hats turn away and look for lower-hanging fruit?

Black hats add a dimension of expertise

Chan explains that "A good hacker loves the challenge of finding vulnerabilities in networks and systems, and spends countless hours perfecting his craft and is hence competent at this role." I can characterize any number of security and operations staff I've had the privilege to meet and work with this way. More importantly, I can add "they act ethically and have never committed criminal acts." The assumption that a certain dimension of expertise can only be acquired by hiring a black hat is curious.

Black hats are cheap labor

I am embarrassed for any security professional who would argue in favor of hiring hackers on the basis that "They could also be cheaper to hire than computer science PhD holders." The truly elite and reformed black hat probably doesn't come cheap. Moreover, there are costs beyond the salary you pay the black hat to consider. For example, in the article, Chan stresses the need for background checks. A background check on a white hat is unlikely to require a costly and extensive investigation resulting in hundreds of pages. The equivalent check when investigating someone with a rap sheet can be very expensive (if you doubt this, visit the FBI Identification Record page). Next, add the cost of managing the probationary period Chan recommends. These are the obvious tangible costs. We haven't yet considered the cost of managing (alleviating) concerns among business customers, peers, and partners to whom you should feel ethically obliged to disclose your hiring practice, much less the attrition of customers, peers, or partners who won't accept the risk your hiring practices pose to their businesses. How does the cost-risk-benefit look now?

None of these arguments are new or convincing, yet we discuss this issue every time someone mentions hacking. In Ellyne's article, Paul Ducklin asks a common sense question: "Why would I want to bother in the first place?"