Why don’t they just hire some hackers to stop the other hackers?

Last Updated on November 23, 2018 by Dave Farquhar

After Ebay got hacked, someone asked Rob O’Hara why they don’t just hire hackers to stop the hackers.

That’s a more complicated question than it sounds like. The simple answer is that most companies do, but their hackers don’t find everything. The more complicated part of the question is one of ethics. When someone asks why a company wouldn’t turn around and hire the people who just hacked it, I’m inclined to answer with another question: Would a bank hire someone who just robbed it as its new security guard? Probably not, because someone whose morals permit them to rob a bank once is likely to rob it again.

So instead, you find someone with the mindset and morals to keep those skills in check. Technically, I’m a hacker. I work in a room full of other hackers, many of them more skilled than I am.

And I’ll tell you a story. Last month, a vice president of my employer challenged us to breach the defenses around one of the company’s computer systems. I won’t go into the details of what he told us to breach, but he gave us the names of two files and told us to steal them. The only rules were that we couldn’t take anything besides those two files, that we had to tell him what we did, and that we had to use company e-mail to disclose it. Aside from that, just about anything went.

The guy who designed the defenses we were supposed to breach was an old mentor of mine. He changed the direction of many people’s careers, including but not limited to mine. He taught me more than anyone else I know. He’s given presentations at hacker conferences. The guy is good–much more skilled than I am.

And yet, at last count, all of us breached his defenses an average of three times apiece, using various means. He’s good, and he thought of a lot, but couldn’t think of everything. Once they close all the openings we found, the defenses will be even better. But I won’t bet on them being impenetrable. In a year, if we repeat the challenge, chances are someone will find something we didn’t find this year.

Computer systems are a lot like cars. They aren’t perfect. Even Scourge the Wonder Honda, my 2002 Honda Civic with 205,000 miles on it, has been recalled two or three times. Scourge also failed three straight emissions inspections from 2003-2006–hence the name, Scourge. Could Honda have had its engineers obsess over the design a little bit longer to avoid those flaws? Certainly. But at some point they had to declare it good enough and release the design and start building.

If we waited around for our computer systems to be 100% perfect, we would never deploy anything. Nobody’s built a perfect one yet.

When I sign off on deploying a new system, I’m not saying the system is flawless. I’m saying that the system is good enough that the risks of not deploying it outweigh the risks of deploying it. Sometimes the system even goes out the door with a known flaw–but if I’m the one signing off on it, I know when the flaw is going to be fixed, how it’s going to be fixed, and why it wasn’t fixed yesterday.

We find more stuff than we miss, but trust me, when we find something, it doesn’t make us popular. I’m pretty confident more people see me as an obstructionist than as a hero.


2 thoughts on “Why don’t they just hire some hackers to stop the other hackers?”

  • June 2, 2014 at 8:53 pm

    Most important these days is a fairly new, as hacking goes, ‘white hat’ certification. Mind, it does NOT ensure the certified will always be white hat, but his standing in the community will drop if he does not stay clean AND gets caught.

    Which reminds me, David. I’m about to retire, and am seriously looking into becoming a CEH. I’d like advice beyond “get Kali” and the like!


    • June 2, 2014 at 10:25 pm

      My boss recommends the SANS GPEN certification over CEH. It has the same idea, but the material it covers is more practical.

      What you say is true regarding certifications. A CISSP gets their cert suspended if they go on trial for a felony and gets it revoked if convicted. Granted, CISSP is more like 30% hacking, 60% policy and 10% ethics, but most certs try to instill a code of ethics to keep their adherents from misusing what they learn.
