When Sam Bowne visited the DEFCON hacking conference in 2006, he saw a lot of people having fun with a really interesting topic: computer security. As a professor of computer science at the City College of San Francisco, Bowne wanted to find a way to make computer security accessible to the average student. So, following his …
Defence against the Dark Arts
I work in the finance industry and we are taught how money laundering is done in order to identify suspicious trades. Doctors need to know what kills you, and how, in order to cure you. And I'll troll with a claim that everyone should be taught how to handle a gun, just in case they come across one.
At the university I attended, we were taught a module called Secure Computing which, amongst other things, showed us how to hack certain systems. This was mainly useful because without knowing how things are done how can you possibly defend against them?
Nothing new under the sun...
When I was at Bradford university almost a decade ago they'd been letting the students in the Informatics department loose on the web for quite a few years already. They had what was essentially an anonymising proxy set up so that if any attacks were traced back to the university they wouldn't be able to identify the students involved, at least from the outside. Then they worked on the principle of, if your attempts were found out, you lost marks. I believe they're still doing it. Of course it helps that they own a Class B domain. Don't ask how it helps, it just does somehow.
/sarcasm/ everyone should be taught:
how to handle a gun
how to intravenously introduce narcotics
how to smoke tobacco, hash, crack
how to enjoy pornography without guilt
Point being that there are limits to the philosophy of "know the enemy".. Recent prominent child porn rap(s) in the UK have shown the "it was only for research" defence does not wash.
HOWEVER, ethical hacking is really useful, a powerful teaching method, in my opinion, therefore certainly in the realm of that which should be taught. Concerns about younger students 'going off the rails' can be mitigated, at least in terms of consequential claims made against the teacher / establishment, by requiring all candidates to sign a disclaimer to the effect that they undertake not to exploit the techniques that they are taught 'in the wild'.
Know thy enemy
Teaching establishments which won't discuss computer intrusion techniques are doing everyone, not just their computing students, a huge disservice. A problem will not simply go away because your prestigious college didn't put it on the curriculum.
Many of these graduates go on to write code for production systems, with no understanding of issues like SQL injection, cross-site scripting, buffer overflows, or any of the other basic tools of the cracker.
The end result? The same stupid mistakes over and over, insecure code and compromised systems.
As a web application developer, long-time coder and server administrator, who also has something of a hacker mentality, I knew well enough to find out what security issues might affect my work, and at least try to learn how to mitigate them. But how many of the people graduating with IT-related degrees got into computing because "the money is good" or "it's a growth industry", and how likely is it that such people will have the initiative or interest to learn anything beyond what their college spoon-fed them or what they accidentally pick up as they work?
Hacking vs. Cracking
When I attended my first web programming course at college, one of the first things he said was, "Hacking is encouraged. Cracking will get you expelled." In other words - be smart - but be ethical, and don't destroy anything. He warned us that anyone who messed with his grading files would receive an F and be expelled. I don't think anyone tried to hack into his stuff!
"But how many of the people graduating with IT-related degrees got into computing because "the money is good" or "it's a growth industry", and how likely is it that such people will have the initiative or interest to learn anything beyond what their college spoon-fed them or what they accidentally pick up as they work?"
Too bloody many in the US, that's for sure. Which is one of the reasons why I'm bitter. IT employees can be churned out a dime a dozen, and many of them are so bloody unmotivated or have the entirely wrong mindset for the field that it causes legit people like myself to be diminished proportionally.
"He had a failing grade and did not take the tests, but he maintained all the computers in the lab and the teacher found him indispensable."
Let me guess... despite never taking the tests, he mysteriously returned a 99% average and passed the course with flying colours?
How many people teach "certified ethical hacking"? It's, at least in the US, a certification program. Of course, you have to have qualifications like so many years in the industry to take the test, but anyone with the bucks can attend the one week class. Let's see, 15 weeks, three hours a week. 45 hours of instruction time. 5 days, eight hours a day. 40 hours of instruction time. But 40 concentrated hours.
Now that I've got all my certifications, I think that anyone who takes a class like this and hasn't taken the exam should be put on a terror watch list. Or maybe I'm already on that list and nobody's told me. Must crack DHS tonight, for educational purposes, only.
terror watch list
Surely they could take themselves back off the list. Or create a new identity that isn't on it..
You have to be kidding me. You take a military statement, “Know Thy Enemy”, and try to apply it in this case. What a boatload of propaganda. More time and effort should be put on how to use forensics, counterintelligence and sound investigative techniques to catch and prosecute computer criminals. Stop wasting parents’ and taxpayers’ hard-earned money teaching kids to perform computer crimes under the cloak of “ethical” hacking. This so-called professor, aka “Ward Churchill”, had the nerve to say, "It's fun".
What's next - will he start to teach how to crack a bank safe, or how to rob a store or maybe how to pick a door lock? We know your real motives. What a crackpot. Any so-called "Universities" teaching students how to be criminals are simply looking for the fastest way to make a dollar - they have no real interest in protecting critical data assets.