Yeah, I'm a hacker, or at least I used to be. I have found Microsoft vulnerabilities, written zero-day exploits with custom shellcode. Hmmm… shellcode. Aren't there tons of books on that now and even free tools that write it for you? As a matter of fact my 13-year-old nephew has already done those things too. This stinks -- I can't get my head around what makes people hackers today. Do you have to get caught or deface a company's Web site? If so, I'm definitely not a hacker. But I still use IRC -- does that count for any cool points anymore? Maybe I was just a programmer with security experience. Heck, who really knows. Can someone please tell me what a hacker is again?
If you were at DefCon this year, then you would have recognized that all real hackers fit into one of two categories. Category 1: the people in jeans and baggy khaki shorts that have been around for a while and think the whole scene has changed and that there's nothing new happening. By the way, these people are too hip to talk about their zero-days. Category 2: the majority of the hardcore "security-ites" that have multitudes of conspiracy theories, wear mostly black and wouldn't be caught dead talking about highly technical security issues in public.
I think I fit into the uncool "ponyboy" non-category comprised of people that are still generally interested in infosec technology and protecting organizations -- and tuck in their shirts.
Vulnerability releases continue to increase alongside
I continuously envy and question those companies in the space that have re-branded themselves multiple times or chase the latest ambulances. For instance, a startup application security company is now suing other application security companies for effectively infringing on their application-layer assessment methodology. Wow, I love it. Who would have thought you could statically patent the method for testing an inherently dynamic application base: Web applications. If only Renaud Deraison, the creator of Nessus, had patented vulnerability assessments… the world would be different and, with this new theory, he'd be richer. This sort of action, while well thought out in theory, can only lead to the demise of an otherwise potentially successful security business.
And speaking of poor security decisions, why is it that hackers feel that they can get away with self-serving titles on their business cards like "Penetration Authority," "Professional Sniffer" and, of course, the ever-popular "Backdoor Specialist"? At what point did it become acceptable to dye your hair green, hack a multibillion-dollar company's software, and ask your boss for a raise all in the same week? I've met myriad hackers in my day while at CSC, Foundstone, Guardent and writing for Information Security magazine, and I've hired from around the globe. I still haven't hired anyone that believes that the hackers in The Matrix and Hackers are the real deal.
After some serious thought, I now believe that hackers still exist purely because of the insidious craving of the media to push FUD-based stories. Case in point: Google News found more than 2,500 articles that cited hackers just within the past month. While not all journalists are created equal, bad ones do exist. What about the publication that published the headline "World's worst hacker arrested"? I think I would be more proud of catching the world's best hacker, but hey, that's just me.
At any rate I can neither confirm nor deny that I am a hacker… for the simple reason that I just don't know anymore.
About the author
James C. Foster, Fellow, is the Deputy Director of Global Security Solutions at CSC. He spoke on antiforensics in Las Vegas last month at the annual Black Hat security conference, in addition to performing the conference's first comedic standup routine. Foster has contributed to more than 15 books and has held executive positions at Foundstone, Guardent and the U.S. Department of Defense.