Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


November 12, 2007

Computer Security Consultant Admits to Running a Botnet

Two stories.

Posted on November 12, 2007 at 2:00 PM | 12 Comments


Comments

I'm just sorry for you that "Schiefer" is so visually close to "Schneier"...

Posted by: Chris at November 12, 2007 2:47 PM


The difference between a security professional and a "former" hacker is ethics.

Posted by: derf at November 12, 2007 3:10 PM


Following the link to a story about the other jailed members of his 'hacker group' included this:

"He apparently violated the terms of his supervised release, which barred him from possessing or using any computer, cell phone or other electronic equipment capable of accessing the Internet."

That is a tough sentence. My house lights, my TV, my refrigerator and my car are all connected to the internet.


Posted by: johns at November 12, 2007 4:01 PM


How on here.

Security Professional is like it says when you deconstruct it: You get paid for security "stuff" (advice, holding a torch, whatever).
Ethics don't come into that definition.

Hackers have ethics too, I consider myself a highly ethical, 'Student Hacker'.

Try reading 'Out of the Inner Circle' by Bill Landreth, or my own summary in:
http://devitto.com/Making_and_Breaking_Internet_Site_Security/Making_and_Breaking_Internet_Site_Security.html

The press label 'hacker' as BAD, but in truth, 'hacker' is like 'scientist', it does not infer intent, or ethics.


Back OT: The guy did wrong, and got sent down. See Darth Vader for a similar plight.

Posted by: Dom De Vitto at November 13, 2007 2:49 AM


With respect, johns, it's still possible to get lights, TVs, fridges and cars that *don't* connect to the 'Net ;o)

Posted by: Owen Blacker at November 13, 2007 7:08 AM


@Dom De Vitto

A profession is not a profession without laws requiring a license, and a licensing body imposing requirements to get and keep one (including standards for ethical practice).

Security professionals aren't (unless something happened while I wasn't looking).

Posted by: Hesiod at November 13, 2007 9:43 AM


>> A profession is not a profession without laws requiring a license, and a licensing body imposing requirements to get and keep one (including standards for ethical practice).

Close in spirit, wide of the mark. Government regulation is only one part of professionalization. Industry standards, self-policing, and a body of generally accepted practices are also important.

>> Security professionals aren't (unless something happened while I wasn't looking).

Maybe not information security professionals, with voluntary industry accreditations and murky credentials.

Here in California, all uniformed security personnel are now required to be licensed by the state of California, whether they are contractors or work for a single in-house company. This means a state and Federal background check. It's not much but it's getting better.

>> Security Professional is like it says when you deconstruct it: You get paid for security "stuff" (advice, holding a torch, whatever).

No. A security professional has the special trust of his clients, and a general obligation to the public, in applying a specialized body of knowledge and skills.

>> Ethics don't come into that definition.

Yes, they do. A lawyer does not give advice on how to break the law. Neither does a security professional.

Posted by: Anonymous at November 13, 2007 10:48 AM


@anonymous: A lawyer does not give advice on how to break the law.

I'm guessing you don't come into contact with many lawyers. I wish I was joking.

Posted by: MikeA at November 13, 2007 10:59 AM


@MikeA

No, he's partially correct. A lawyer doesn't give advice on how to break the law because you probably know how already. They give advice on how to break the law *and* not get prosecuted for doing so.

Posted by: TS at November 13, 2007 11:42 AM


@Dom De Vitto

Arguments about "good hacker" or "evil hacker" are irrelevant to the point. Running a botnet is criminal.

Furthermore, the battle over that definition was lost many years ago.

It has always amazed me that a group that professes the "hacker ethic" can expect to exercise proprietary control over the English language. And if you revisit the issue, golfers had a prior claim.

If your definition of “hacker” allows trespass, consider that someone defending cannot tell your intentions or skill. And you cannot predict if your trespass will cause harm or damage. Nor can you use an ideal to hide from responsibility for your actions.

If you believe in the “hacker ethic”, that all information is truly free for all, why don’t you post all your sensitive information here for all to see?

If the world were such a perfect place, we would not need security professionals.

Posted by: karche at November 13, 2007 12:16 PM


Regardless of intent, breaking and entering is illegal. Regardless of intent, trespassing by entering someone's domicile without permission (even if the windows and doors were wide open) is illegal.

In the same way, testing the security measures of a computer or network you don't own without explicit permission to test those security measures is illegal, regardless of intent.

Hiring someone to randomly break into your home because their only credentials are a criminal background and a long rap sheet is not a good idea.

In the same way, hiring someone that deliberately breaks the law and trespasses on other peoples' digital property without permission is probably not the best idea for keeping your business data safe.

Posted by: derf at November 14, 2007 3:25 PM


Security Personnel are here by dominance to the ethical road. The real evidence for computer "crackers" are in the biscuit tin.

Posted by: Anonymous at December 12, 2007 7:01 AM

