Leader: Is teaching hackers to hack a step too far?

It's very easy to swap a white hat for a black hat...

The UK's first course in ethical hacking was announced this week and it's something which is likely to attract a lot of controversy.

After all - is it really wise to teach people such skills?

Of course the answer to that is a resounding yes. Locksmiths need to know how locks work. They need to know about the potential weaknesses and the fallibility. It's the same principle. People safeguarding anything should be aware of the ways in which it can be breached. That much is common sense.

The idea of techies putting systems and safeguards through their paces is nothing new - but the idea of an independent body doing the educating does represent a shift.

The organisers, Training Camp, claim they will carefully screen anybody taking the course, but many will be concerned about the rigour of that process. After all, screening processes are invariably prone to failure, and one instance of a Training Camp-taught hacker involved in any kind of malicious activity will likely result in a very angry backlash about where these skills were learned.

Robert Chapman, co-founder of the Training Camp, said there has been a huge amount of interest, with about 30 queries a day about the course.

"We can take a competent network administrator and show him the type of tool that people who try to attack him use. It means they can approach their own network to find where vulnerabilities are. It is what hackers actually do that you need to know."

That's certainly the idea and it's a very sound one - but it's also easy to see how something which sounds so sensible in theory could so easily go wrong.

Comments

There are 17 comments.

  1. anonymous

    Hmm - the principle of teaching where weaknesses lie and then teaching how to strengthen those weaknesses is a sound one. However, if such organisations as the Police cannot effectively monitor an individual's background, then how can an organisation such as Training Camp justifiably say they can identify potential "bad eggs" via screening processes?

    Not too long ago, a university announced its intention to launch a hackers' degree course, a piece of news that was met with much shouting and screaming from all corners. Where is the difference with Training Camp?

    One last comment: the locksmith analogy is a good one to make, but (and at the risk of maligning innocent people, which is not my intention!) is every locksmith 100% honest?

    • 5 March 2004 11:01
  2. anonymous

    Why not an independent body doing this training? Who would be better? Can you imagine Microsoft offering training on hacking into MS systems?

    The only thing new here may be that it is in the UK. I attended a similar course in New York in 2002, run by a respected independent company, allowing it to cover Microsoft, Unix/Linux, web servers, firewalls etc. Attendees were vetted beforehand.

    The training has proved invaluable in being able to test and demonstrate security problems within my company.

    • 5 March 2004 11:37
  3. anonymous

    I think that's a really good comment but I'm all for the training camp.

    Most administrators today rely on the system being secure and/or software tools to do the hardening and work for them.

    If they know how to hack or where to get in a system, surely they would know on their own system not to leave that route open.

    The screening will probably not work at all, but the intention and idea is there, but the methods on screening people who want to join leave a lot to be desired.

    • 5 March 2004 14:37
  4. anonymous

    What's all the fuss about? If you want to learn to hack illegally then all you need to do is surf the web for the information to do all the hacking.

    • 5 March 2004 16:01
  5. Russell

    Typical over-reaction to a sensible training course.

    If someone wants to learn to hack, they can either (a) search the internet for information or (b) walk into their local book store and pick up one of a number of different books telling them 95% of the techniques used by hackers. Some of these even include CDs full of tools like nmap, l0pht and nbtscan. I've read one on physical attacks and one on social engineering (which is actually much scarier). I've even tested some of the tools out in our office (internally I hasten to add!) and they are scarily effective.

    The same applies to locks. I've read a book on how locks work, and there's plenty of companies offering both lock picks and books on how to open locks. Selling these is not illegal in the same way that selling guns to people with gun licenses is not illegal. It's what you *do* with them that is illegal.

    If you follow the same argument through, teaching people to write code should be illegal because you can write a virus that way... and roads would be much safer if nobody learnt to drive...

    Offering a training course might make it more accessible to some people, however there are universities offering similar courses as well (Westminster I think). Should they be running them? If no-one gets this training who exactly will stop the hackers?

    Please note that the average wannabe hacker (or script kiddie) is much more likely to lash out £50 on a book and spend some time on the 'net than attend a training course for several thousand pounds...

    PS: Please don't email me and ask me for the title of any of those books(!)

    • 7 March 2004 12:04
  6. Chris McNab

    Not the UK's first ethical hacking course.
    Matta (www.trustmatta.com), ISS (www.iss.net), QinetiQ (www.qinetiq.com), and many others have run these courses for years.
    Also, look out for my forthcoming O'Reilly book on the subject, titled Network Security Assessment, and available from www.oreilly.com/catalog/networksa/

    • 8 March 2004 13:38
  7. Thomas OZENNE

    Well that's probably not a bad thing, investigate your possible flaws and learn how long it would take to use an exploit on security breaches, how to prevent those, react and understand, but it's like being given a parachute and you'll have to learn how to open it at the critical moment ... nah that's a great idea :)

    • 8 March 2004 13:39
  8. anonymous

    The real name is Cracker, surely? A hacker is someone who alters software program code, not someone that 'breaks' in.

    • 9 March 2004 15:51
  9. David J Walker

    From time immemorial, poachers have always made the best gamekeepers.

    • 9 March 2004 17:21
  10. anonymous

    Silicon!!! I have to agree with the other post. You are supposed to report the right terms. What you are talking about is CRACKING not HACKING. It would help if you explained these two different terms to people. If firms do not know the difference then how do they expect to learn the difference and protect themselves from these two different areas of security?

    • 9 March 2004 17:37
  11. tim bain

    If some 14 year old kid wants to learn "hacking", then he will. If courses like this don't run, all the knowledge will be on the wrong side and we'll all suffer in the end.
    To defend against something you first need to know it well. The locksmiths analogy is right... locksmiths can pick locks but it's faster to crowbar a door. Burglars don't go to locksmith school.

    • 10 March 2004 02:59
  12. anonymous

    Surely whether this is too far depends heavily on how it is done.

    Let's extend the question for a moment on whether articles about hacking should appear in magazines or elsewhere. Would it be best for all if the topic was silenced completely in the media, to avoid the danger that somebody might be enticed to enquire further into hacking and learn those skills as a consequence?

    Some may think so - I do not. As a computer user I would like to know which means are available to a malign hacker. I want to know what a virus, a worm and a root kit are and how these things could affect the operation of my equipment. I want to know the possible ways for malign code to infect my computer and how to detect and remove such code. Maybe some things need to be demonstrated to make a stubborn administrator believe that they are possible.

    However, this does not include instructions (possibly with source code examples) for writing a virus or a worm. In my opinion, doing practical exercises in writing destructive code in a class would be crossing the line of going "too far".

    • 19 March 2004 13:25
  13. Will

    With the threats of viruses and worms, people who are interested in network security need to know what tools are being used by hackers. Knowing these tools and other methods of attack, people know better how to protect their systems and data.

    • 23 March 2004 23:22
  14. kabo

    It is true, it is very easy to convert a white hat guy into a black hat guy. It is very tempting to test one's (hacking) skills for the "FUN" of it.

    • 25 March 2004 11:26
  15. John

    No, you've got them mixed up. A hacker is someone who hacks into someone else's box... although it's a general term that can be applied to getting into/taking over just about anything... A cracker is a southerner, a yummy snack, and someone who puts out cracks to programs, or just cracks into them and gets serial codes or nonsense like that.

    • 13 April 2004 05:01
  16. Nigel Landman

    I am somewhat intrigued by the assumption that the UK is only now offering its first "Hacking" course and indeed by the debate on the subject.

    I have worked closely with two Companies in the UK that have offered training to IT Techs/Admin personnel in Ethical Hacking for 14 months and no debate appears to have been generated. Interesting!

    • 14 April 2004 10:20
  17. Wayne Johnsen

    There will always be a person in a group who will use their newfound knowledge and abuse it.

    You cannot stop teaching the rest of the group because you fear the one.

    That one person may eventually break into your house, using the knowledge however it was acquired and you may never know it.

    Remember, security systems just keep honest people honest.

    • 29 April 2004 21:05