Information Security News mailing list archives

Re: Believe it or not, there are hackers lurking everywhere


From: InfoSec News <isn () C4I ORG>
Date: Thu, 24 Aug 2000 13:51:22 -0500

Forwarded By: Russell Coker <russell () coker com au>


On Wed, 23 Aug 2000, you wrote:
http://www.globetechnology.com/archive/gam/News/20000822/ROUTS.html

PERSONAL VIEW

"PALANTE"

Tuesday, August 22, 2000

Two things come to mind when reading Victor Keong's recent Personal
View (Don't Hire DefCon Hackers -- Aug. 8). First, the author's firm,
as reputable as it is, obviously has a financial interest in companies

[snip]

The real question is not whether a consulting firm has hackers,
crackers and black hats, but rather why a business should trust them.
The business should ask for resumes and look into the consultant's
reputation, but it shouldn't assume that the DefCon people it hears
about aren't the same people who work for respectable security
consulting companies.

I think that anyone who hires people from consulting companies should
always check the resumes of the people first.  If the people from the
consulting company are going to be working on-site then they should be
given an interview first in the same way that you interview someone
before hiring them.

If you don't then such a consulting company has no real incentive to
send their good people to your site when they can just as easily send
recent graduates and charge >$100 per hour for their time.  Hiring
graduates for $40K each and having them work for $100 per hour gives a
profit of $160K per annum each and requires very little work.
Consulting companies do this because there is no need to use one of
their more qualified staff to do the work because the client won't
demand it. If the client has problems because the graduates can't do
the job properly (I've seen this happen twice) then the consulting
company after getting booted from the client site can just redeploy
their people at another site for the same large profit margin.

Another reason for hiring independent consultants (as a lot of the
Defcon people are) instead of large consulting companies is that your
business will matter to them.  If an independent consultant is sacked
from a site then the financial loss and the embarrassment will matter
to them, so they will try very hard not to have things go wrong.  The
managers of a consulting company can play the odds and happily have a
certain percentage of projects fail dismally.

Another thing that you can do to ensure quality when hiring
consultants is to release as open source all in-house software that
isn't business critical.  For any large project there will be numerous
programs written which have no great value in terms of resale or
secrecy.  If those programs are released as open source then they will
be reviewed by other people who use them.  The consensus of opinion on
the software as expressed on the net can be taken as an indication of
the skill of the programmers who wrote it.



Russell Coker


PS Probably many people from large consulting companies will take
offense to my message.  That's OK.  I have evidence to back up my
opinions which I am prepared to share on a private-email basis.

ISN is hosted by SecurityFocus.com
