Good riddance to bad rubbish

You can't beat it as a means of drumming up business: crack a few well-chosen websites. Armed with embarrassing information, contact your victims. If they don't sign you up as a security adviser, tell the world about the slack security practices within NZ organisations.

can’t beat it as a means of drumming up business: apply all the tricks you’ve learnt during your misspent hacker youth cracking a few well-chosen websites. Then, armed with whatever embarrassing information you’ve succeeded in harvesting, contact your victims. If they don’t immediately sign you up as a security adviser, then fire off a press release telling the world about the slack security practices within New Zealand organisations. Name names, to really rub it in.

If I was one of your hapless victims, I think I’d be seriously annoyed. My next emotion is likely to be sheepishness, that I allowed myself to be caught out. After that, I’d be ready to hire someone to secure my systems. You can be sure, though, that I wouldn’t be hiring you.

It’s an approach to business that seems to have been latched onto by a number of people of late. Computerworld ran a story a fortnight ago about one such ‘white hat hacker’s’ exploits. The company concerned styles itself an “internet security firm”, and probably doesn’t see itself a hacker in any sense. It’s quite a different species from the firms that conduct so-called ethical hacks. They do so at the invitation of organisations wanting to know how their systems will fare in the face of attack.

Predictably, the targets of unsolicited probing don’t always take a very cheerful view of being caught out. While some are grateful to have vulnerabilities pointed out, others describe the probing that goes on, and subsequent alerting to the degree of insecurity exposed, as “spam-based scaremongering”. I’m with them.

It’s a well-trodden career path, from adolescent (or younger) hacker to security consultant. The usual badge of office is a shaved head and bits of metal dangling from various appendages, which only have further attention drawn to them by the badly fitting suit. Computerworld has had examples of the breed paraded before it on a number of occasions.

They might lend a bit of street cred, but how smart is it to hire a car thief to mind your precious motor? Not particularly: aside from the risk you run in letting a known miscreant loose with your data, it only encourages others to embark on the same career course.

Fortunately, not every company in the security business feels the need to hire someone from the wrong side of the fence to help put the frighteners on potential customers. One who wouldn’t entertain the notion is the head of British-based antivirus company Sophos, Jan Hruska. He told Computerworld early this year that while hackers and virus writers might be technically clever, they’d never have his trust.

Another doubter of the wisdom of hiring “reformed” hackers is David Perry, of US antivirus company Trend Micro. Perry rubbishes the claim of notorious American hacker Kevin Mittnick, who was released from jail last year after a spell inside for hacking, that he was doing his targets a favour by ferreting out their system insecurities.

However they might rationalise it, companies that use this crude approach to finding business will soon find themselves up against the law. The Crimes Amendment Bill that’s working its way through the parliamentary maze looks certain to outlaw the practice. The bill won’t affect the activities of invitation-only security auditors, but should put the other lot out of business. Good riddance to them.

Doesburg is Computerworld’s editor. Send email to Anthony Doesburg.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about BillSophosTrend Micro Australia

Show Comments