Mac hacks, BBC attacks and backing hackers
Posted on 18 Jun 2009 at 11:20
Davey Winder exposes the 100% secure mac myth, questions the BBC's botnet morality, and considers hiring hackers.
Hiring hackers
Another botnet story that caught my attention recently also involves ethics in the IT security business - the old chestnut about whether or not you should employ convicted hackers. Now let me get this straight: some of the best security consultants I know have had a somewhat "colourful past" - including perpetrating hacking exploits - and in my opinion, such experience actually qualifies them rather than disqualifies them from this job. There are some people, however, who vehemently disagree with me and argue (with some merit) that good hacking skills and good IT security skills aren't in fact entirely the same, insisting that to break into a network and to protect a network require two completely different sets of technical qualifications. I was even at a security conference some years back when a highly placed director of security at one of the big IT companies suggested that a monkey could be trained to hack most networks in just a few hours. That, I think, misses the point.
IT security is more often than not a matter of mindset, and while it can be taught and learned from a book, a poacher-turned-gamekeeper will always have an edge over a book-taught one. They understand how the hacker's mind works, how hackers think, and that is a lot harder to grasp from theory than from battlefield practice. I will agree that most ex-hackers nowadays tend not to be the most skilled members of their profession, by the very fact that they were caught, which suggests they weren't entirely in control of the game. Back in the day, 20 years or so ago, when hacking truly did require a high level of technical know-how, things were different, but today most ex-hackers are actually self-proclaimed and really nothing more than kiddie-script-monkeys who use ready-made solutions.
Most of the hackers I know who made the move from the dark side to the light did so with the passage of time and without ever being caught, which is why I was somewhat concerned when I read that a botnet builder, duly convicted of spreading malware to a quarter of a million computers and starting his four-year prison term, will have a job waiting for him when he gets out as a security consultant for a big search company. His boss didn't know that this botnet builder had already pleaded guilty to his crimes as part of the FBI Operation Bot Roast in 2007 and was awaiting sentencing when he applied for the job, and admits that he wouldn't have hired him had he known this - but he also says that the perp is a talented developer who just pushed the envelope too far when young, and has gone on the record to say he hopes to offer him a job when released. Feel free to voice your opinion on this case in the PC Pro forums (www.pcpro.co.uk/forum/), as I'd be very interested to see which way you swing on this rather tricky moral issue.
I've never said that Macs were 100% secure...
...just that, given a reasonable amount of common sense, they were far less likely to deteriorate over time than Windows systems, and far more intuitively usable to the average new/inexperienced user (or expert) than either Windows or Linux. I say this with 25 years' experience developing for and supporting Windows in every environment imaginable.
I've blogged about this sort of thing a few times, talking about the debate between adequacy and excellence ( http://tr.im/wmRR), "Happy Updating...." ( http://tr.im/wmS7) and, particularly, "Differences that Make Differences [i]Are[/i] Differences" ( http://tr.im/wmSh). I'd be very interested in your thoughts.
By jdickey1 on 14 Aug 2009
Davey Winder
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.