
"We have hired professional white hat hackers with government level security experience to attempt regular pen tests on our system..."

I guess whenever I read this kind of statement from now on I'll be thinking of HBGary and chuckling a bit inside.




At the risk of that comment being taken as a joke, I've done a lot of work with the federal government, and I can assure you that while the level of hilarity that HBGary has generated, the typical level of talent in government cleared individuals is not necessarily great.

I don't mean to impugn the capabilities of the people involved (I don't know who they are), and it isn't to say that you can't find some AMAZING talent in the government realm, but as in all fields, it's the exception, not the rule.


Reminds me of when I was in the Navy and I went to Navy Security and Vulnerabilities Technician school. I was all excited, so I went out and bought a copy of Hackers Exposed and read through the whole thing, learning everything from how to determine what family and version of operating system a computer is running by what ports are open, to how a buffer overflow attack actually works.

Fast-forward to the class, and we're sitting there running tools like BackOrifice that exploit vulnerabilities that had been patched for years, and learning that a SYN flood is "a malicious attack". That's it, just "a malicious attack". When I asked about the difference between a SYN flood and a Christmas tree attack, I got a blank stare and "they're both malicious attacks".

I spent the rest of the class in the back of the room, reading the Armadillo Book.

Also, I did not once in my brief Navy career get to hack an enemy computer. Hugely disappointing.


That's exactly it. I've worked for agencies where the Chief IT Security Officer (if they have one, or an equivalent role) got that exact training, and nothing more, and was considered the site expert.

Like I said, it isn't all bad. Two of the best security guys I know work in the government, and one of them was actually ex-Navy. But the hurdle for finding people that can get top secret clearances AND tie their shoes often proves too high to hire anybody, much less somebody qualified.


Yeah, military schools on scientific/technological subjects can be very disappointing. Not all of them, obviously, but computer science topics get distilled down to be accessible to the bottom 20% of attendees. Having spent over a decade in the Marines, I learned not to get excited about anything like that... unless the schools were taught by civilians.




