Information Security News mailing list archives
Re: Believe it or not, there are hackers lurking everywhere
From: InfoSec News <isn () C4I ORG>
Date: Thu, 24 Aug 2000 13:51:22 -0500
Forwarded By: Russell Coker <russell () coker com au>

On Wed, 23 Aug 2000, you wrote:

> http://www.globetechnology.com/archive/gam/News/20000822/ROUTS.html
> PERSONAL VIEW "PALANTE"
> Tuesday, August 22, 2000
>
> Two things come to mind when reading Victor Keong's recent Personal View (Don't Hire DefCon Hackers -- Aug. 8). First, the author's firm, as reputable as it is, obviously has a financial interest in companies
> [snip]
>
> The real question is not whether a consulting firm has hackers, crackers and black hats, but rather why a business should trust them? The business should ask for resumes and look into the consultant's reputation, but it shouldn't assume that the DefCon people it hears about aren't the same people who work for respectable security consulting companies.
I think that anyone who hires people from consulting companies should always check the resumes of the people first. If the people from the consulting company are going to be working on-site then they should be given an interview first in the same way that you interview someone before hiring them. If you don't then such a consulting company has no real incentive to send their good people to your site when they can just as easily send recent graduates and charge >$100 per hour for their time. Hiring graduates for $40K each and having them work for $100 per hour gives a profit of $160K per annum each and requires very little work. Consulting companies do this because there is no need to use one of their more qualified staff to do the work because the client won't demand it. If the client has problems because the graduates can't do the job properly (I've seen this happen twice) then the consulting company, after getting booted from the client site, can just redeploy their people at another site for the same large profit margin.

Another reason for hiring independent consultants (as a lot of the Defcon people are) instead of large consulting companies is that your business will matter to them. If an independent consultant is sacked from a site then the financial loss and the embarrassment will matter to them, so they will try very hard not to have things go wrong. The managers of a consulting company can play the odds and happily have a certain percentage of projects fail dismally.

Another thing that you can do to ensure quality when hiring consultants is to release as open source all in-house software that isn't business critical. For any large project there will be numerous programs written which have no great value in terms of resale or secrecy. If those programs are released as open source then they will be reviewed by other people who use them. The consensus of opinion on the software as expressed on the net can be taken as an indication of the skill of the programmers who wrote it.

Russell Coker

PS Probably many people from large consulting companies will take offense to my message. That's OK. I have evidence to back up my opinions which I am prepared to share on a private-email basis.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".