[iwar] [fc:Newest.IT.Job.Title:.Chief.Hacking.Officer]

From: Fred Cohen (fc@all.net)
Date: 2002-05-29 19:16:24



Newest IT Job Title: Chief Hacking Officer

By Jay Lyman, NewsFactor Network, 5/29/02
http://www.newsfactor.com/perl/story/17940.html

While companies are uncomfortable hiring IT security personnel with
prior criminal records, there are advantages to hiring an experienced
hacker.

Companies seeking to ensure they are as impervious as possible to the
latest computer viruses and to the Internet's most talented hackers
often find themselves in need of -- the Internet's most talented
hackers.

Some of these so-called "white-hat" hackers hold high positions in
various enterprises, including security companies, but analysts told
NewsFactor that they rarely carry the actual title "chief hacking
officer" because companies tend to be a bit skittish about the
connotation.

Still, some security pros -- such as Aliso Viejo, California-based eEye
Security's Marc Maiffret -- do carry the "CHO" title, and few argue the
point that in order to protect themselves from the best hackers and
crackers, companies need to hire them.

Hidden Hiring

SecurityFocus senior threat analyst Ryan Russell told NewsFactor that
while only a handful of companies actually refer to their in-house
hacker as "chief hacking officer," many companies are hiring hackers and
giving them titles that are slightly less indicative of their less
socially acceptable skills.

"A large number of people who used to do that sort of thing end up
working in security," Russell said. "There are some companies out there
specifically saying, 'We do not hire hackers, we are against that,' but
really they are [hiring them]."

Russell said that while there is definitely an increased emphasis on
security since last year's disastrous terrorist attacks, deflation of
the dot-com bubble has resulted in consolidation among security
personnel and a reduction in the number of titles that are obviously
associated with hacking.

Born To Hack

Russell noted that hackers legitimately working in IT are usually
involved in penetration testing.

While companies are uncomfortable hiring IT security personnel with
prior criminal records, there are advantages to hiring an experienced
hacker, even if the individual has used an Internet "handle" associated
with so-called "black-hat" hackers.

Still, Russell said, "I think in very few cases do people with the
reputation of a hacker or black-hat [get hired]."

One such person who was hired is Cambridge, Massachusetts-based security
company @Stake's chief scientist, Peiter "Mudge" Zatko -- a well-known
hacker and security expert who has briefed government officials,
addressed industry forums and authored an NT password auditing tool.

Regular Workers

Regardless of whether they wear a white hat or a black one, Russell said
it takes more than good hacking skills to land a legitimate job.

"You want someone who does [penetrations] for a living," Russell said of
penetration testers. "You want them to be good at giving you the
information you need."

Russell added that while some hackers hold chief technical officer or
equivalent positions, the rule of fewer managers and more employees
means there are probably more hackers working in regular jobs than in
management.

Checking References

Forrester (Nasdaq: FORR) analyst Laura Koetzle told NewsFactor that
companies will not hire anyone convicted of a computer crime, but they
will seek out hackers, particularly for penetration testing.

"They won't have a title of chief hacking officer, and they haven't
necessarily broken any laws, but they're still skilled at this stuff,"
she said.

Koetzle said many companies avoid the issue of checking the backgrounds
of former hackers by using services firms, such as
PricewaterhouseCoopers or Deloitte & Touche, to hire such personnel.

Extortion and Employment

But hiring hackers can backfire.

Russell said cases of extortion range from blatant attempts at blackmail
-- demanding money to prevent disclosure of customer data or security
vulnerabilities -- to more subtle efforts, wherein hackers find holes,
offer a fix and add a request for a job.

According to Koetzle, despite the desire to keep security breaches
quiet, companies must resist attempts on the part of potential
hacker-hires to extort money or work in computer security.

"I would strongly caution against dealing with that type of hacker,"
Koetzle said. "It absolutely does happen, but it's absolutely the wrong
thing to do."

Right or wrong, however, it seems that the person best equipped to
ferret out a hacker is another hacker. So, as unsavory as it may seem,
the better the hacker, the more likely he or she is to join the square
working world as chief hacking officer.


This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT