I am not calling him a hero or anything, and after such a long period of time with no computer, it is not like he is really "consultant" ready. (Unless he has been reading massive books, and lots of them to help make up for no real hacking) but this action by the ISSA shows that they are made up of NON hackers (the legal kind, classic sense of the word). Real Hackers know that most young men age out of the "illegal" form of hacking and find security jobs, and good paying jobs are better fun. As a man ages he has a natural sense of wanting to contribute and leave a better legacy than to simply break into systems and brag about it on an IRC channel. Some of the best security contributions to BugTraq are provided by hackers. Many of which have started security companies. Hacking clubs that used to meet in abandoned warehouses and tap into payphone lines and such are now on staff with security companies. They are not know for using credit cards fraudulently or hacking their cell phones. (There may be a few DTV hackers among them) but hopefully they will mature from that as well. The idea that ONCE an Illegal hacker always an illegal hacker or a fear that someone is going to have their company compromised by sharing information when Kevin is in the room prooves that they are probably already hacked and will be for a long time to come. If Kevin wanted to, he could do it with his own persistant efforts and find the weakness, whether you share it or not. And if Kevin can so can another "younger 'kevin'" who hasn't aged out of the illegal hacking scene.

I will not join the ISSA now that I have heard this. I need to join an organization that RECRUITS blackhats to the side of good. If Kevin does anything to violate the rules of the ISSA after joining that would be another story. But even then the rules might need to be changed.

There is no security hacker worth his salt if he has not even attempted pen tests, and by doing so broken into systems. This can happen even by accident. I remember an instructer accidently hacking a university in a demo and would he be banned? It was not really an accident, he hacked it on purpose. He broke the law, for the sake of class demo. The MOTIVATION does not make it legal. Hacking is such a grey area that we have to be careful when we call it illegal. I know that if you rip a credit card database and use the cards to buy stuff you are not a hacker your are a thief. However if you hack a creditcard database and don't use the cards are you still a thief? Yes you are, you have stolen from the companys in time and expense to deal with the intrusion. However these hackers don't think like that until they get older. The young teens do not think it cost the company anything to close the hole, they do not comprehend the costs of the company resources. Things have to be taken on an individual basis.

In Kevin's case he has admitted to wrong doing not only in court but in interviews. I always give people a chance who admit wrong, it is the ones that dont that you have to avoid. The ISSA ought to admit wrong in this decision and withdraw the decision to ban Kevin. And Kevin ought to start a new Organization. One dedicated to hiring real hackers to secure their systems.

You cannot secure a system with personel that punch a clock and go home, attend a trade meeting and get a few 3 day classes once a year. The hacker is staying up allnight on amphetomines probing your ports and exploring your scripts, you need to hire hackers that will stay up allnight with him listening to tecno music and sending DoS attacks against the blackhats IP. Ok that might be going to far, but you get the idea.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/2403/18234#18234