Column

Where have all the hackers gone?

James Foster

Yeah, I'm a hacker, or at least I used to be. I have found Microsoft vulnerabilities, written zero-day exploits with custom shellcode. Hmmm… shellcode. Aren't there tons of books on that now and even free tools that write it for you? As a matter of fact my 13-year-old nephew has already done those things too. This stinks -- I can't get my head around what makes people hackers today. Do you have to get caught or deface a company's Web site? If so, I'm definitely not a hacker. But I still use IRC -- does that count for any cool points anymore? Maybe I was just a programmer with security experience. Heck, who really knows. Can someone please tell me what a hacker is again?

If you were at DefCon this year, then you would have recognized that all real hackers fit into one of two categories. Category 1: the people in jeans and baggy khaki shorts that have been around for awhile and think the whole scene has changed and that there's nothing new happening. By the way these people are too hip to talk about their zero-days. Category 2: the majority of the hardcore "security-ites" that have multitudes of conspiracy theories, wear mostly black and wouldn't be caught dead talking about highly-technical security issues in public.

I think I fit into the uncool "ponyboy" non-category comprised of people that are still generally interested in infosec technology and protecting organizations -- and tuck in their shirts.

Vulnerability releases continue to increase alongside

    Requires Free Membership to View

a number of startup companies that feel their all-in-one
Other Black Hat news
USB could be the death of me
Seemingly innocent USB driver bugs may allow device attacks that many won't see coming, say researchers.

Raising risk prospects with a new SQL injection threat
"Inference attacks" could deliver up your so-called secure database to an attacker.

IPv6 risks may outweigh benefits
Early adopters are transitioning to the next-generation protocol, but evidence -- including a flaw disclosed at Black Hat -- suggests IPv6 is a potentially risky change with few benefits.

solution will be your sole security solution. Companies are still getting broken into with devastating results. Take that big credit card processor that lost 40 million accounts. Seriously now, is there no investment in security at that company? Has due diligence gone out the window? Think about how big a file with 40 million accounts is -- it's like me trying to casually drive away with the Rockefeller Christmas tree on the hood of my car. Think anyone would notice?

I continuously envy and question those companies in the space that have re-branded themselves multiple times or chase the latest ambulances. For instance, a startup application security company is now suing other application security companies for effectively infringing on their application-layer assessment methodology. Wow, I love it. Who would have thought you could statically patent the method for testing an inherently dynamic application base: Web applications. If only Renaud Deraison, the creator of Nessus, would have patented vulnerability assessments… the world would be different and with this new theory he'd be richer. This sort of action, while in theory is well thought, can only lead to the demise of an otherwise potentially successful security business.

And speaking of poor security decisions, why is it that hackers feel that they can get away with self-serving titles on their business cards like "Penetration Authority," "Professional Sniffer" and, of course, the ever-popular "Backdoor Specialist." At what point did it become acceptable to dye your hair green, hack a multibillion dollar company's software, and ask your boss for a raise all in the same week? I've met myriad hackers in my day while at CSC, Foundstone, Guardent and writing for Information Security magazine, and I've hired from around the globe. I still haven't hired anyone that believes that the hackers in The Matrix and Hackers are the real deal.

After some serious thought, I now believe that hackers still exist purely because of the insidious craving of the media to push FUD-based stories. Case and point: Google News found more than 2,500 articles that cited hackers just within the past month. While not all journalists are created equal, bad ones do exist. What about the publication that published the headline "World's worst hacker arrested"? I think I would be more proud of catching the world's best hacker, but hey that's just me.

At any rate I can neither confirm nor deny that I am a hacker… for the simple reason that I just don't know anymore.

About the author
James C. Foster, Fellow, is the Deputy Director of Global Security Solutions at CSC. He spoke on antiforensics in Las Vegas last month at the annual Black Hat security conference, in addition to performing the conference's first comedic standup routine. Foster has contributed to more than 15 books and has held executive positions at Foundstone, Guardent and the U.S. Department of Defense.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: