Re: Extreme Hacking

[Vanja Hrustic <vanja () siamrelay com>]

At 07:06 PM 7/1/99 +0200, Kunz, Peter wrote:
> Folks,
> Ernst & young made headlines in TIME when they offered the first run fo
> their Extreme Hacking course. 5 days of Unix and NT hacking, with a CD to
> take home. The participants are somewhat screend by having to be referenced
> by local the local EY office. Recently, I was told attendees learn new
> exploits and hacks that we will probably only see out in the open in 1-2
> years. IBM seems to maintain a database with similar information, accessible

So, does it mean that E&Y are not reporting the vulnerabilities to the
vendors? I can hardly imagine an 'exploit' and a 'hack' that we won't see
open in 1-2 years, and someone is using it (and TEACHING) now. At the end,
the people who are 'inventing' the techniques and finding exploits are not
always from security or consulting companies.

> by only a few pros. So, the question arises: what other companies have such
> DBs? What are they worth? And the real issue: is there anything in there you
> won't find on Bugtraq? After all, EY charges about $4.5K for 5 days.

Is there something like "30-day moneyback guarantee" if student is not
satisfied!? ;)

One thing remains very unclear - "pro". What is "pro"? If you work in "Just
Started Security & Co. Ltd." but other guys work in E&Y or IBM - does it
make them 'pros' and you are an 'amateur'? I also don't think that in 5
days you can really become a "pro" either... No matter how good teachers
you have.

Computer security business is still a big risk. You can pay a lot and get
nothing, you can pay a lot and get lot - but you might also pay nothing and
get lot.

Gamble ;)

Vanja