Obviously anybody who succeeds by hurting others is a narcissist and a parasite on society, but I wonder which takes more skill: to hack, to secure against the hacker, or to catch the hacker. Is a hacker any craftier than a man with a gun?

The question is like "which tastes better, an apple or a carrot?"

The skills appear to overlap on the surface, but deep down they are VERY different, IMHO. Plus, since they are different, it is impossible to say that person A is skilled to level 10 at hacking and person B is skilled to level 10 at securing (whatever that means).

Some hackers are extremely skilled. Some security professionals are extremely skilled. There is more training available to learn to be a security professional than to be a hacker - just visit SANS to see all their expensive training. BTW, most system admins I've met have never been to security training, like a CISSP would get.

OTOH, much of security in the enterprise is policy-based (http://www.pearsonitcertification.com/articles/article.aspx?p=30287&seqNum=5). Audits, forms, consulting with project teams, with very little hands-on systems work. Those policy security pros have a mostly thankless job trying to get vendors to stop doing stupid things in their systems/software/hardware. That takes skill too.

The verb "to hack " can apply to any computer programmer or code writer. A person can hack code by fixing bugs. In Ubuntu there is a wider meaning of the word "hack."


"an event in which computer programmers and others involved in software development, including graphic designers, interface designers and project managers, collaborate intensively on software projects"

https://wiki.ubuntu.com/Touch/CoreApps/HackDays

How much skill is required to hack a password when the password is 123456789? How much skill is required to hack a password when all a person has to do is run a computer program? A lot of hackers are simply running programs written by somebody else. No skill required.

How much skill is need to insert malicious code when the target software has vulnerabilities? To my mind greater skill is needed to design software without vulnerabilities that can be exploited. Skill is needed to identify how the malicious hacker or criminal can exploit the software and then to prevent it from happening. Or to at least make it unprofitable for the criminal to do.

Is it enough to write software and be satisfied that it looks they way the programmer wants it to look and that it does what the programmer wants it to do? All that requires skill but does the software have built in security? Now, that is where the real skill comes in.

Regards.

These are two sides to the same coin. The same knowledge that enables you to secure something, allows you to know it's weaknesses too. And this applies the other way round too of course.

The skills appear to overlap on the surface, but deep down they are VERY different, IMHO. Plus, since they are different, it is impossible to say that person A is skilled to level 10 at hacking and person B is skilled to level 10 at securing (whatever that means).

That's opposite to what I expected, expecting they would require the same understanding of packets/protocols/etc, but rely on different tools and interfaces.

I imagine many hackers take a shotgun approach, simply hitting whoever's not prepared.

I imagine many hackers take a shotgun approach, simply hitting whoever's not prepared.

Most criminal hackers are next to clueless, IME. They've heard of a few tools, watched a few youtube videos about those tools and pick a subnet to use the automatic tools at ... let er go. Most have little interest in learning all that computer stuff - they just want free pron or to mess with a friend's computer/tablet/phone.

The idea that most criminal hackers are exceptionally smart isn't what I've see. They appear to be looking for opportunities.

BTW - don't forget that "hacker" is also another term for "maker" and has a very positive connotation. I am a hacker, because I'm willing to alter equipment to fit what I need, not necessarily the thing the original vendor thought it would be used for.

For professionals on both sides (good and bad), there will be teams of people with different expertise working together. The firewall guys generally know ZERO about programming. The network architect and switch guys know only those things well, the application devs usually don't know anything else (sometimes not even the OS), until a security consultant forces them to learn ... by following a process document for which they are expert, but these same pros don't know detailed networking, detailed programming or application architecture. If there is an enterprise security team - full time security people, not sys admins, not desktop support, not network people, not firewall people, out of 50 full time security people, only 2-5 will have vast amounts of expertise across everything skill I've listed. It is never 1 guy. It is always a team. Corporations live by security audits, so they have internal experts to ensure they pass the annual security audit from the external annual audit team they must pay.

In professional organizations, the security people can usually work 8 hr days, 5 days a week and have outside lives, attend kids baseball, volunteer for church choir, etc. Very few of these corporate types have a home security lab, but some do. Those are the guys I'd want to hire and work with.

Having different people perform the different roles in a corporation is also part of the security architecture and process. If too much power is held by a single person, that is a single point of failure. In smaller organizations, it can't be helped usually, but the financial risks aren't usually as large either.

Professional hackers working in legal enterprises trying to help secure corporations generally have concentrated on hacking tools, forensics, and social hacking. That is part of penetration testing. They will have likely attended training at SANS or from the hacking community. They are active in ISSA and DefCon groups, they attend conferences to learn more and more, since the attack surface is constantly changing. They try to think like a criminal hacker to show the attacks for their clients.

Forensics guys are weird. ;) In some areas, they are required to be licensed private investigators for their work to be legal. There just isn't enough time to do all these required certs and be expert at everything. PI training simply doesn't cross-over into computer forensics knowledge, but the PIs were able to convince lawmakers that it was a good idea. Sort like how the Las Vegas monorail doesn't go to the airport because the taxi and limo guys were organized enough to get that stopped. I could see where PIs may have had photos that politicians may not want known ... or not. Don't know the truth. http://digital-forensics.sans.org/blog/2010/06/21/computer-forensic-examiners-pi-licensing-requirement-revisited/

I remember the days when every Unix admin was also a C programmer of some level. Those days are long gone. That isn't good or bad, after all, we don't all know how to rebuild a car engine, but will all can drive. There is just more to know so more specialization is needed.

Anyway - the idea that security folks or hackers know the same stuff usually isn't true in the real world. Nobody has time to do both sides. There are exceptions, of course, but in my work as a consultant at 9 different companies, that just isn't what I've seen.

And for further clarification - I'm now a generalist for computer, networking, and security. Expert at very little that matters anymore. When I was younger, I was an expert in my fields and that can be rewarding too.

Is there a better word than "hacker"? Dictionary.com doesn't have a computers entry for "cracker".

Hacker (computer security) (http://en.wikipedia.org/wiki/Hacker_%28computer_security%29) someone who seeks and exploits weaknesses in a computer system or computer network
Hacker (hobbyist) (http://en.wikipedia.org/wiki/Hacker_%28hobbyist%29), who makes innovative customizations or combinations of retail electronic and computer equipment
Hacker (programmer subculture) (http://en.wikipedia.org/wiki/Hacker_%28programmer_subculture%29), who combines excellence, playfulness, cleverness and exploration in performed activities

The sad part of this is the first in line above gives a bad name to 2 other definitions.

Is there a better word than "hacker"? Dictionary.com doesn't have a computers entry for "cracker".The only people that care are hackers fitting the first and second definitions. The general population understands hackers to be malicious with computers. If I say "cracker" to my family they think it's a derogatory name for white guys along the lines of honkey ;) The term you use depends on your audience: if you're talking to hackers then use the term "actor" or "bad actor". If you're talking to regular people then use "hacker".

As for which requires more skill, it's my experience that there are tons of ways into a system. A hacker has to just find one. Sometimes it's easy and sometimes it requires creativity and persistence. A defender has to find and secure every single hole, which is impossible and therefore requires infinite skill.

Perhaps some of the best measures are physical. I was repeatedly unmounting uvcvideo, and eventually setting a cronjob to do it upon boot, when I could have just taped a guard over the webcam. What was I thinking!? Remove the physical device. Block its input. Don't just unmount the module from the kernel.