During a conversation with someone, to be known as ‘FS’.
Me: So what are you considering studying next year?
FS: Ethnic hacking (sic).
Me: (Contemplates whether to point out the error then decides it was probably just a slip of the tongue) Oh right, cool. What made you choose that?
FS: Because you can make loads of money doing it. It’s cool. Also, you don’t have to learn much programming, I hate programming, I just don’t understand it. You get to use other people’s software and just point and click.
At the time, I contemplated whether to say anything, but just left it, I’ve got better things to be doing. But, it’s been bugging me, and not for the reasons you might expect, so now it’s my time to vent.
Let’s get over the fact that it’s ethical hacking, not “ethnic hacking”, fuck it, not worth the time.
“Because you can make loads of money doing it.”
True, I have friends who are Pen Testers, at least one of whom I know is earning 6 figures a year. Calling that loads is fair.
“It’s cool.”
Please tell me you didn’t just say that. You did, didn’t you? It’s only cool in your head. It’s the name that makes you think that it’s cool because you’ve watched too many fucking movies. If you think a job as an Ethical Hacker (and I don’t think most jobs in the security field even have “hacking” in the name) is to perpetually live out scenes from The Matrix or WarGames, think again.
“…you don’t have to learn much programming…I don’t understand it.”
Well, basically, you’re fucked then.
“You get to use other people’s software and just point and click.”
FFS, when are you going to shut up talking nonsense and let me get back to my class?
It wasn’t for a while. The conversation continued on (I won’t post it all here for the sake of brevity), but the long and short of it is that this guy had done absolutely no research into the topic, had bad reasons for wanting to study it and basically just wanted to look cool, earn lots of money and do the bare minimum amount of work to get by.
This wouldn’t usually worry me, there are people like this in all walks of life, but this is not the first person wanting to be an ethical hacker that I’ve heard this from and I’m sure it won’t be the last.
Anyways, what is worrying, is that security, ultimately, is the last line of defence against malicious people wanting to fuck you or your business over. When those in charge of that security are, as above, lazy, wannabe cool, and uninformed, I think we have a problem that needs to be addressed.
This seems to be the only professional computer related field, in my experience, where there are people like that. Not once have I heard from a potential Computer Science student “yeah, I wanna do it because it’s easy and makes you look cool”. Not even Computer/Information Security students, which is pretty much exactly the same thing as Ethical Hacking, have that attitude.
I had been seriously considering studying Ethical Hacking after finding Ryan Dewhurst’s blog. However, this recent encounter has put me off somewhat and all my UCAS choices have been changed back to Computer Science.
I don’t know if there’s really much point to this post, I don’t really have anything constructive to contribute to the conversation, not that there’s a conversation at all, I’m just randomly and possibly incoherently rambling on about something that annoyed me.
But, I will leave you with this thought. It’s from Lexi Pimendis (a computer security lecturer) giving a talk at the 22C3 convention about hosting CTF style hacking competitions to aid in students’ learning. This specific part is about people entering tournaments. (Obviously paraphrased, I don’t have that good a memory).
“You need to have some sort of test before letting teams enter your tournament to check they actually have some skills. Before, we’ve had teams enter that couldn’t set up iptables, couldn’t compile software, crashed their own boxes, etc…”
- Disclaimer One:
Due to me considering taking a course of study in ethical hacking, I’ve had conversations with many people recently about it. Don’t instantly assume the person I’m talking about here is you. If you’re reading this blog then I can almost guarantee it isn’t you.
- Disclaimer Two:
I am by no means qualified to be talking about the state of the computer security industry. I don’t study or work in the field. I just have a passing interest, having seriously considered studying it. So don’t take this post the wrong way.