Cyber security minister ridiculed over s'kiddie hire plan

Security experts have strongly criticised suggestions by a government minister that former hackers might play a key role in Britain's newly announced cybersecurity strategy. Lord West, the Home Office security minister, made the controversial suggestion that the government had recruited former hackers to work in its new Cyber …

COMMENTS

This topic is closed for new posts.
  1. David 39
    Thumb Down

    Who is being dense

    Boyd writes: "Lord West sez: hire lots of talentless script kiddies to shore up UK cyberdefences. How can people be so dense?"

    I'm pretty sure hacker != s'kiddie

    A hacker will have in-depth knowledge of programming languages on different platforms, low level computer architecture, low level networking knowledge, and (in some cases massive beards/beer bellies and body odour issues).

    Whereas a s'kiddie will know how to use Google and run a program. Now, if the govt said that they would be hiring script kiddies, I could well understand that comment.

  2. Anonymous Coward
    WTF?

    Come back Wakie Jackie, all is forgiven!

    What a f****** numpty.

    Good job a change of government is just round the corner and this guy's job will hopefully be short-lived (although the Tories may not choose any better).

  3. Bronek Kozicki
    Flame

    so, what's wrong ...

    with employing hackers(*) as security experts?

    *) http://www.ccil.org/jargon/jargon_23.html#TAG833

  4. Anonymous Coward
    WTF?

    WTF?

    Hire Eastern Europeans?? If Lord West is so keen to employ former "bad guys" then I'm sure he could find some home grown talent? Eg. Gary McKinnon? He would be far better employed in the service of Her Majesty rather than languishing in an American jail surely?

  5. John Macintyre
    Thumb Down

    Nothing new to see here, move along...

    So the govt puts a complete twat I mean someone who has no bloody idea about the area he's ministering in charge of it. Well that sums up Labour doesn't it - we know better than you because we get paid more.

    Annoyingly I've seen the same amongst other govt areas like MoD, where managers of IT have never worked in it, but they've gone on the MoD management program so of course they can manage a project they've no expertise in... It'll all lead to a big bowl of FAIL, but not before draconian standards are applied :(

  6. Anonymous Coward
    Boffin

    Well, it's not entirely tosh

    Look at the successful security careers carved out post-bird by the likes of Mitnick (sp?).

    And compared to the civil service's usual crop of liberal-arts graduates and media studies types, even failed hackers will have more of a clue....

  7. Tom 106

    He He

    Sounds to me like there are jealous people criticising Lord West.

  8. Dangermouse

    Have said it before...

    ...Ministry of Technology. Staffed by competent people who know about this fucking stuff.

    It's not hard....

  9. This post has been deleted by its author

  10. Stuza

    Falklands?

    "As Ferguson points out the war in the south Atlantic happened a year before the first TCP/IP based wide area network became operational"

    So are you suggesting that hacking can only happen over a TCP/IP WAN? ...... hmmmm.......

  11. Anonymous Hero
    Go

    Isn't this normal?

    "The government has actually hired a team of people known to have committed criminal acts"

    One bunch of criminals hiring another bunch of criminals.....what's new in government these days?

  12. Anonymous Coward
    Go

    I'm sure I'll be the 100th person to suggest this but...

    ...why don't they hire Gary McKinnon?

  13. Anonymous Coward
    Anonymous Coward

    Dense? The Lord refers to "youngsters"

    @David 39 "Whereas a s'kiddie will know how to use Google and run a program. Now, if the govt said that they would be hiring script kiddies, I could well understand that comment."

    well, it doesn't take a genius to work out that him talking about "naughty boys" and "You need youngsters who are deep into this stuff" that he's more likely referring to script kiddies who have been caught and (in his own mind) he presumes they're really, really good at "hacking".

    is a "youngster" who has "been naughty" more likely to be a talented hacking individual, or a script kiddie whose very existence they'd probably only know about because they'd been caught in the first place?

  14. Anonymous Coward
    Anonymous Coward

    Joined up thinking.

    The UK government is currently trying to railroad the "notorious" cyber hacker Gary McKinnon on a one way ticket to the US where, after doing his bird, he will no doubt be co-opted into the American cyber warfare programme. Does someone have to hit Lord West over the head with a big stick before he acknowledges the bleedin' obvious flaw in this scenario?

  15. Avalanche

    @David 39

    Do you think this Lord West knows the difference?

  16. hj
    FAIL

    RE: I'm sure I'll be the 100th person to suggest this but...

    because he got caught?

    I would like to employ those who were never!

  17. Anonymous Coward
    Paris Hilton

    WTF is an ultra ultra criminal?

    While we're at it, maybe we should hire football hooligans for crowd control, paedophiles for social services, the terminally stupid for the education department and Jacqui Smith as village idiot. Oops, last two already done.

    Paris, for no apparent reason.

  18. Rob 5

    If I worked there...

    ... I'd be a little bit peeved at the implication that I used to be some kind of a crim.

  19. Nux Vomica
    IT Angle

    Calm down folks, it's just politics

    As with every other "policy" recent UK governments have come up with, its primary objective is to convince the masses that it's doing something, rather than actually achieving its overtly stated objective.

    This means that it can't actually publicly explain the complexities of the issue, but has to rely on something the average Joe can grasp, and more people have seen Swordfish/Matrix/WarGames, than have actually done any security work. Hence the crowd pleasing, but actually useless announcement.

    While I assume that most of us here are at least IT literate if not professionals, how many could actually claim to be qualified in IT security work to the kind of level required for this job? Not me.

    I'm not defending the shite being peddled, just pointing out that it's more likely they don't have a clue either, so that's why they're trying to bullshit their way out of it, rather than fessing up. In politics, lying (even transparently) is always far preferable to honestly owning up, regardless of the question being asked. Most people aren't going to know it's bollocks, so in this as in so many other fields, they will get away with it.

  20. Sub Wrath

    agreed

    ".. I'd be a little bit peeved at the implication that I used to be some kind of a crim."

    the real lack of knowledge on display is shown through his extremely cliched idea that the very first place they'll go looking is amongst the naughty boys, because (of course) there's this myth that ONLY bad guys can do this kind of work. sorry white hats, your skills aren't required unless you choose to go break into something and...er...get caught?

  21. Gareth
    Thumb Up

    Most of those hackers grew up and became security pros...

    I had some vague attachment to that scene in the mid to late 90s (and that's all I'm willing to admit...).

    It was made up of very smart, disaffected middle class kids who were in it mainly for the rebelliousness/intellectual curiosity angle, rather than hardened criminals. Funny as it sounds for someone reading the tabloid headlines there were lengthy considerations on the ethics involved - not damaging anything, not deleting anything other than what was required to cover your tracks, etc.

    All the kids from that scene I stayed in touch with have grown up and now occupy some rather high-level industry positions, in security or otherwise. Wozniak and Gates have admitted similar interests in their distant past.

    These are the sort of people who are going to apply for the position anyway, so why not announce that it's OK for them to mention their youthful indiscretions in the interview?

  22. Anonymous Coward
    Linux

    Skiddies on Bricks

    Is it me. Or will they be hiring the stupid ones. Who don't know what they're doing. And don't know how to stop themselves getting caught.

    Mitnick was good. And was unlucky to get caught.

    He sucks at 21st century security though. His website has been defaced god knows how many times.

  23. Anonymous Coward
    Anonymous Coward

    Droogs

    this is straight out of Clockwork Orange, you know the part where they make the gang members police.

    IT Security is a very hard field to master, primarily because you need to know programming from assembly up, have had a lot of exposure to many different programming styles and architectures, implemented a number of encryption algorithms, and also have a very good grasp of maths, along with functional programming, kernel level knowledge, psychology and magic, and of course be able to reverse engineer, and write shellcode, fuzzing systems and polymorphic code.

    Oh, and you will need to know operating systems and networking beyond TCP/IP into the utility networking protocols, there are just not that many people. And unfortunately those with these skills, tend to be people that the system has rejected or deep in their own businesses. The system rejection happens because they are just too over skilled, and it is very hard to attain those skills whilst working in the system.

    These people also seem to be able to work in chaos, and order and that duality is a rare trait even if you take the entire populace, let alone with the above skill set.

    They want the best they will have to pony up the cash, and to sign the Official Secrets Act most would be looking for at least 0.5 million sterling, and a salary at about 160K per annum, it ain't going to happen. Now, working for a foreign power, well that could bring in the cash, the UK consistently undervalues IT skill sets.

  24. The Other Steve
    FAIL

    Bum Gravy

    "As Ferguson points out the war in the south Atlantic happened a year before the first TCP/IP based wide area network became operational."

    And of course, before TCP/IP WANs there were absolutely no widely deployed digital electronic communications systems, like, oh I don't know, X.25. There were like, totally no other ways that electronic jiggery pokery could be used to, say, disrupt circuit switched communications, fuck up Exocet guidance systems, interfere with air defence radar or mess with aircraft IFF systems.

    "Confusion about technical terms in a former Naval chief turned government minister is one thing but it's far more of a worry for someone chosen to serve as the UK's first cyber security minister."

    Conflation of the TCP/IP protocol stack with the entire set of pre (and still) existing communications networks (or any other strategically important electronic asset) which may be susceptible to electronic disruption by an attacker is quite a worry for someone who writes articles about information security.

    @David39

    "A hacker will have... "

    No, stop. It isn't safe to generalise, no matter what you think you read in the gospel of St Levy or in Raymond's shitty jargon file or any of his (or Stallman's or Graham's, etc) other asinine outpourings of arsewash.

  25. Aldous
    FAIL

    Mitnick would be useless in this role

    Mitnick did the bulk of his work social engineering, (and even admits such) so would be useless probing a foreign state's security.

  26. John Smith 19 Gold badge
    Boffin

    And let's not forget SNA

    That's for the IBM mainframe types. The networks were big. The data was valuable and you can *bet* not all of it stayed pristine.

    And (I suspect) someone, somewhere is still using it.

  27. WhatWasThat?
    Pirate

    @Mitnick would be useless in this role

    ... and besides the fact that it would be an Act of Treason (under Patriot II) to touch a keyboard, let alone secure his own website (looking at you zerofool2005)?

    There are many things that are needed for the right personality for IT security, but it is not a "black science." It simply requires training, aptitude, and desire. Isn't that the kind of thing that GCSE tests, etc. are supposed to find, the better to lead the forming minds of Blighty to intellectual domination in the EU?

    Pirate - because the desire for true privacy and freedom forms the desire that leads to training and aptitude.

  28. RW
    Big Brother

    @ AC 29th June 2009 17:22 GMT

    "the UK consistently undervalues IT skill sets."

    More like "brain skill sets". But let me ask: is it "the UK", or is it "Labour"?

    Labour has always impressed me as having a hidden hate-on for people with education, experience, and inherent talent, presumably because these are elitist qualifications.

  29. Anonymous Coward
    FAIL

    @ hj

    "because he got caught?

    I would like to employ those who were never!"

    If the govt can't employ people that get caught we'd have to sack half our MPs.

  30. The Other Steve
    Flame

    @ AC 29th June 2009 17:22 GMT

    "IT Security is a very hard field to master"

    No, not really. There are actually a lot of professionals in the field. The distribution curve of talent approaches normal. There simply isn't anything magical about it, it's just a different set of working skills than _you_ have.

    "primarily because you need to know ... " <snip utter wank>

    Mmm, only not. See what you have there, again, is someone generalising from their own turgid wank fantasy of what constitutes "a hacker". I can't think of many professional pen testers who are also hard core functional programming geeks, just to take one example.

    "there are just not that many people"

    No, there's loads. They just don't want to hang out with you.

    "These people also seem to be able to work in chaos, and order and that duality is a rare trait even if you take the entire populace."

    Rubbish. Have you ever worked in (or even been in) a call centre ? A night club ? Any average office environment ? A hospital ? Police station ? People work in and out of chaos all the time. That's the norm, not the exception.

    "They want the best they will have to pony up the cash, and to sign the Official Secrets Act most would be looking for at least 0.5 million sterling"

    No kid, they don't want the best, they want the BEST of the BEST! Hoo yeah!

    ATTN Delinquent parents: Increase Ritalin by 0.5 mg/Kg

  31. RobS
    Badgers

    Foxes guarding henhouses

    Can't be bothered finding the link but the US Navy had a big spy in the sixties and seventies, when asked why he did it he said (paraphrased). "If I had access to drugs, I would have sold those, I had access to secrets so I sold those"

    The analysis of his career indicated that, contrary to policy, a judge suppressed a conviction so that he could be put into the Navy "to make a decent citizen of him".

    'Course these are only slightly naughty boys so they aren't likely to cause much harm to the enemy or the state.

  32. Ed 3

    Hmmmm

    Hiring Hackers... It's all very Anime... In a weird way

  33. jf 1

    most intelligent comments by a govt official relating to computers yet..

    You know, first and foremost, I hate that people toss the word script kiddie around so much, especially by so called security experts who are not intelligent enough to realize that *they* generally are the script kids. I mean first of all, Trend Micro puts out a horrible product, but consider this Mr. Ferguson, can you find your own bugs? write your own exploit? have the intelligence enough to figure out what happened when it didn't work? pop the box? put a non-trivial rootkit on it once you get it? My bet is that no, unless it comes packaged with Metasploit, Nessus, Qualys, et cetera, you can't-- this makes you the script kid.

    Furthermore, the idea that only unskilled hackers get caught is silly. It's the same rhetoric that the whitehat world has been using to dance around the fact that the majority of them have never broken into a computer. 'I just didn't get caught', no you didn't do it in the first place.

    McKinnon is a bad example, because he really is a script kid, he just ran pcAnywhere or similar and randomly connected to boxes with no password/default passwords. But consider people like Max Butler/Vision, or Stephen Watts. Both of these men are currently awaiting sentencing. This is going to be Max's second trip to prison actually. Both are absurdly talented and broke into a hell of a lot of computers prior to getting caught. Eventually, if your acts are high-profile enough you get caught, period.

    Finally, the original quotes from the MP included statements about offensive capabilities. Trend Micro et al have no place in that area, you can't even defend properly, much less reach out and smack your adversaries back. The MP's statements, I thought, as a fairly accomplished security researcher in this industry, were spot on and represented the first time ever I've heard a government official from any country say something intelligent in this regard. Obama just put up several billion dollars for cyber-defense, what he's going to get is several billion more dollars worth of the same failed infrastructure that we've had for quite some time.

    This is sort of an arms race, and much like the nuclear arms race what matters is the end result. The standard government hiring practices fail to adequately staff such departments as from experience in the US Govt, I found that typically the people you wanted probably wouldn't get a clearance (myself included), so you have to ask yourself whether the ends justify the means, if you want a superior capability or not and if it's worth it to hire a bunch of people who wouldn't pass the usual standards in order to have it.

  34. Anonymous Coward
    Anonymous Coward

    @The Other Steve

    Ohh, got your little boy knickers in a twist :)

    See this is the problem, you have underestimated just how good people have to be in security, yeah sure you can get some morons in, a few bums on seats, as I suspect that is how you got your burger flipping job, Steve. But, that doesn't make for good security now does it deluded ego boy.

    I will have fries with that Steve, steady on the ketchup, you know how I like it ;)

  35. bell

    They can all be right ...

    You do need some broad and deep expertise at the top end of any security effort. These roles probably require a more structured organisational approach to security rather than a messy and exploratory technical one. Further down the chain the bar won't be quite as high but the people are still required, implementation is still a highly labour intensive endeavour. The pure compliance jobsworths are doing more harm than good though.

    Maybe the attacking side of information warfare does require utilising the skills that have come to the authorities' notice through criminal activities. The field is quite immature. Ultimately it's in everyone's interest for the field to mature and get some discipline and structure. Wishing that we had reached this point already doesn't make it so.

  36. bish
    FAIL

    As if further incentive were needed...

    s'kiddies, and other nefarious 'cyber-criminals' (good god, when was the last time anyone outside the government used the word 'cyber' with a straight face? 96?) do their dodgy deeds for a variety of reasons - a sense of achievement, to boost their rep, and most commonly to earn a bit of dirty money.

    None of those reasons is going to just go away, so why give baby geeks yet another incentive to turn to the dark side? Why not just run a recruitment ad - "Bored? Talented? Become a network bandit, get caught, and get a job working for the Ministry!" - I dare say they might get some of the less useless ones that way, too.
