A few weeks ago, a couple of my co-workers visited a workshop about a new course: ethical hacking. In short, it teaches system administrators how to try and hack your own system, to check its vulnerabilities and find out whether your security needs working on. The course is also available for pretty much everyone else, but that is a side note.
When I heard about it, the only thing that sprang to my mind was "WTF??". Are we really going to TEACH people to hack, how to do it and what to do with it? Why not just build a program for it then? That would make things a lot easier: Microsoft Hacking 2007 or something, of course licensed, but that would not be a problem, since - well, it is a hacking tool, right?
As I remember it, in the good ol' days hacking was staring at black screens, learning, adapting to what you found and working with that information. It was almost completely self-taught by people who wanted to know. That made hackers good system admins, if and when they chose to be. They were used to handy tools, scripted anything they needed and knew a lot about in-depth command-line work.
These kinds of people are active, unfortunately more and more in the background, doing either something illegal, creating programs for the nextgen hackers, or, embarrassed by the rest of the community, locking themselves up in cellars and attics, learning. They tend to stay out of the media - either rightly or wrongly - fearing for their skills and whether or not they would be prosecuted if they shared what they know.
Send in the script kiddies!
The nextgen hackers were script kiddies. Young people, finding a handy program on the net (created by the firstgen hackers) and utilizing it in the ways it was meant to be used, or finding new, innovative ways to utilize their tools. Let me make clear: I do think script kiddies are a step back from the firstgen hackers. But on the other hand, they are creative in other ways, combining the powers of one program with other programs not used together before. These nextgen hackers are still an asset to security, but in a different way. They teach us that one vulnerability leads to a second, until your entire system is compromised. The knowledge of these people, though, is limited to finding and using tools, not to knowing what the tool does and why it does it that way.
And now this?
And now we are going to teach people, without background knowledge, how to hack? But what defines a good hacker? Self-teaching, self-preservation, self-learning. I do not actually know what will be taught in this course. I presume some standard methods, which nullifies the reason for the course, since hacking always tries to find new, innovative ways. The taught material will be obsolete in about one month or so. And who is the teacher? A firstgen or a nextgen hacker?
If he would be the firstgen: where did they find this guy? Doing legal or illegal things? And how could he teach his years of experience and the mindset that comes with his hobby to a bunch of people, most of them "sent" by their employer, in about five working days?
If he would be the nextgen: don't even bother going and go with your browser to www.google.com. That would be just as effective.
Ethical Hacking?
They chose the name Ethical Hacking because they also teach you not to use your skillzz for the dark side. But who prescreens applicants, or keeps track of them after completing the course? To answer the question myself: no one. They teach a bunch of people skills they should not know and hope for the best. And whether the skills are taught by a firstgen or a nextgen: they can harm. Especially in the hands of the wrong people, or people who don't know how to utilize their skills.
Would you, for instance, fire your system admin, knowing he can hack your system in return, using skills learned in a course paid for by that same company?
Summarized
Yes, teach people how hackers think and work. But when you choose to teach them the skills, don't be mighty surprised when something goes terribly, terribly wrong.