Ethical Hacking

[shikataganai]

I am a Certified Ethical Hacker with 21 other certifications. I used to teach full time traveling the US and doing ethical hacking classes at conference centers. I was pondering doing that here in SL. I have designed a large course and was thinking of doing live 1 hour sessions in-world teaching the basics and more advanced concepts of Ethical Hacking (which is a real thing, I currently work as an ethical hacker for an HR company in charge of all application security Pentesting). Because it has real world value as in a new career, I will be charging a fee for the 1 hour classes. If anyone here is interested in this sort of thing, would 2400L for the hour be reasonable? i saw some scripting books in SL going for 1500L so i figured thats a sweet spot price for live instruction. Please let me know your thoughts. 

[Kweopi]

Personally, I do not like the name " pentesting " -are you testing a pen ?
a title like Licensed Penetration Tester has more flavor in it, especially in SL, but I can understand how things can be confused.
Fly low Icarus ! you aim too high.
as a person involved in all kinds of universities and academies in second life years ago, I can tell you it won't work. people pay for building, scripting, blender, classes because they are practical applications for SL.they can use the knowledge learned immediately and can gain from them.The most academies here provides classes that are different then every day real life school classes and focuses more on skills you could actually use for second life. ( or there are RP academies where they pretend to be students / teachers but I don't think that interests you)
 maybe it's just my own experience, but I haven't met anyone willing to pay for something they will use in the real world almost without any connection to what's going on in the game. Especially when it comes to courses almost impossible to learn only through text / voice interaction in sl - not to mention study materials, tests on various systems / computers / applications. direct interaction between teacher and student in a technical field is mandatory and cannot be replicated in SL.

and now, the good part:
2 choices:
1. get some land, open a school, provide some free samples, ask for the money. Ask for every student 240 L $ and if you have 10 students you made the 2400 you want (about - or maybe you thought of 2400 each and if you have 10 students you get 24k - a bit too much, in my opinion, but , again, is your dream)
2.Go to Inworld Employment section of the forum, search for academy, university and you will find posts that are looking for teachers. In some you can even choose the teaching area. Contact them and you have the answers ready.

*** About the poster : Kweopi is a professional demotivator with multiple experiences in ruining dreams during Christmas since 2009.

[srv4u Conacher]

thanks for your feedback

[Beth Macbain]

On 12/17/2019 at 11:26 PM, shikataganai said:

I am a Certified Ethical Hacker

I'm just curious - Did you start off as an unethical hacker?

[shikataganai]

yes

[Beth Macbain]

18 hours ago, shikataganai said:

yes

Can it really be called ethical hacking if you're trying to monetize it by teaching hacking techniques to people who may use those learned skills for unethical purposes?

[Coffee Pancake]

Hacking is a term that predates computing, meaning simply to change the behavior of a thing. In that sense computer hacking and development are synonymous, the nefarious connotation is a hollywood storytelling shortcut, much in the same way eye-liner (and facial deformity) are use to denote evil.

Network security, pentesting, etc are legitimate fields and without the work and diligence of ethical hackers, much of the data security you take for granted would not exist.

The reality of actual hacking is sadly nothing like the associated imagery, the OP might as well be teaching ethical accounting.

[Beth Macbain]

On 12/20/2019 at 4:53 PM, CoffeeDujour said:

Hacking is a term that predates computing, meaning simply to change the behavior of a thing. In that sense computer hacking and development are synonymous, the nefarious connotation is a hollywood storytelling shortcut, much in the same way eye-liner (and facial deformity) are use to denote evil.

I'm not questioning whether or not ethical hacking is a real thing... I'm questioning OP's ethics and end game. 

[Coffee Pancake]

Most people I know who are in STEM fields got their start by 'hacking' stuff up to accomplish less than laudable goals. It's not the software geeks you have to worry about, it's the chemists .... and the microbiology folk, who have labs at home .. for reasons.

The OP is no more responsible for what his students do with their acquired knowledge than any other educator.

Edited December 22, 2019 by CoffeeDujour

[shikataganai]

I assure you there's nothing nefarious on my motive. I work in the field that most lay people would understand as Ethical Hacking. There are a hundred ways to say it, but the career is highly sought after. Companies these days have strong web and cloud presence, and with that comes high risk of exposure to attack by nefarious people. Lets say you owned such a company, if you wanted to secure your assets from nefarious hacker types, wouldn't it make sense to hire someone who knows the tricks of the trade that a malicious hacker would try to deploy against you? If I hired a guy that claimed to be a network security guy and in reality he only really knew how to set some firewall and WAF rules, and maybe an intrusion detection system, would this guy be most effective in securing your web applications and assets? Or, would a guy who studied how to create specific virus reverse shell code and utilized BASH shell wildcard exploits to bypass the WAF and upload said shell, compromise your web host via this shell, and proceed to pivot into your network to other computers? Most would say the second guy would be more effective, and if this person worked for you and had your permission to try this against your systems to see if they were indeed vulnerable to such attacks, you, the owner would have confidence that you are protected from more nefarious acts. In order for this guy to work in an ethical manner and with your companies permission to attack your company as a bad guy would, this person would need to know what bad guys know. This is where they coin the phrase "Ethical Hacker", and this field is absolutely booming, for which I can attest first hand as I do it for a living. My purpose here is two-fold, One is I would like to bring a more diverse events offering than what we currently see every day and night in SL. Instead of the normal DJ this, live music that, make a teacup out of prims, sort of events dominating the landscape, a class in teaching skills for a career in cyber security to me would be highly interesting to see. Second, I talk to people all the time that ask me how they break into this cybersecurity field, as the normal payscale for qualified individuals is around 70k - 200k a year. I know from experience being an instructor for Microsoft, Comptia, ECCouncil and the like, that we live in a world of certifications. All of these employers for this field are looking for certifications in order for you to get an interview. The main 2 are Security + and Certified Ethical Hacking. Personally, I know there are better ones than these two, but these are usually what you need to get an interview. So my ultimate purpose is to provide some instruction for those interested in this field, provide diversity of events in second life, and develop a monetized business with it in the process. As for the question about bad guys now learning this stuff and doing bad things... trust me when I say this, they already are finding sources of info to do this outside of even what I would teach. 

[Beth Macbain]

Oh FFS.

I'm going to starting stabbing people with pitchforks, and then I'm going to charge them for bandages to stop the bleeding from the wounds I inflicted. I call it ethical stabbing. 

 

[Coffee Pancake]

 Missing all the points entirely .. fine. hackers bad, best refrain from using any third party viewer.

[Madelaine McMasters]

On 12/20/2019 at 3:21 PM, Beth Macbain said:

Can it really be called ethical hacking if you're trying to monetize it by teaching hacking techniques to people who may use those learned skills for unethical purposes?

It sure can.

As others have explained, there is real and substantial value in hiring people to test your IT system's vulnerability. The mindset of a developer is different than that of a bad actor. The developer has in mind a particular problem they're trying to solve, and they're trying to solve it as efficiently and quickly as possible. With the limited resources they have available, they must focus primarily, if not exclusively, on the tools and techniques that support solving the problem.

Bad actors have a different focus, different knowledge base, and different tools. Their intention is to subvert the system for some advantage, whether psychological, operational, monetary, etc. Unless you employ good people with that knowledge to take that focus and use those tools against your system, you're going to be vulnerable to the bad actors.

It's much the same with hardware design. Cars are purposely crashed to determine how well they protect the occupants or pedestrians should something go wrong. Dead geese are thrown into jet engines on test beds, to make sure they can withstand bird strikes in normal operation. In these cases, the "bad actors" are accidents, and they're ultimately unavoidable. I imagine Boeing now wishes they'd placed a higher priority on threat testing the 737 Max. Good test engineers, the kind that can well imagine things that can go wrong, get paid very well for their ability to ferret out vulnerabilities in products and systems. The test engineering community is aghast at Boeing's reliance on a single sensor to compute the 737 Max angle of attack. If ever there was a time for an ethical hacker to force a sensor malfunction during a simulation or flight test, that was it.

The patient monitors and electrocardiographs I designed were subjected to electrical torture tests to ensure that I'd protected them against power surges, application of defibrillators, static electricity zaps and exposure to flammable gases. Radio links in my equipment were subjected to jamming to ensure that nothing untoward happened if radio contact was lost. We employed office staff to bang on keys, buttons and switches like angry monkeys to make sure that some weird combination of key presses wouldn't precipitate a software malfunction.

Without employing people to "attack" the things I'd designed, I'd never have had confidence to send them out into the wild where people's lives depended on their correct and safe operation. You may find fault with the phrase "ethical hacking", but the underlying endeavor is tremendously valuable, and undertaken by good and highly capable people. Apple just increased it's "Bug Bounty" to a maximum of $1.5 Million to encourage ethical hackers to find vulnerabilities in their goods and services. Surely that's a sign that ethical hacking both exists and is valuable.

53 minutes ago, Beth Macbain said:

I'm going to starting stabbing people with pitchforks, and then I'm going to charge them for bandages to stop the bleeding from the wounds I inflicted. I call it ethical stabbing. 

We routinely hack laboratory animals and even humans (ex: clinical trials), stabbing them with needles in attempts to ameliorate or eliminate human (and animal) suffering. There are ethics review boards for these hacking attempts, to help guide good people, trying to do good things, in an area that's fraught with moral dilemmas. I walked away from one research project because I thought they'd drawn the moral line in the wrong place in their use of laboratory animals, and I've participated in others (sometimes using myself as a guinea pig) because I felt we were on the right side of the moral line.

I can see how the term "ethical hacking" might be misconstrued, but the underlying endeavors are absolutely valuable for the safe operation of our modern world. The term "hacking" had a neutral to positive connotation when I was young. It's only in the last few decades that the lay public as come to associate it with nefarious activity. The public's ignorance of the historical importance of abuse, destructive, and threat testing doesn't make it wrong.

[Love Zhaoying]

50 minutes ago, Madelaine McMasters said:

It sure can.

As others have explained, there is real and substantial value in hiring people to test your IT system's vulnerability. The mindset of a developer is different than that of a bad actor. The developer has in mind a particular problem they're trying to solve, and they're trying to solve it as efficiently and quickly as possible. With the limited resources they have available, they must focus primarily, if not exclusively, on the tools and techniques that support solving the problem.

My company in fact (Fortune 100 now but going private) hires "Red hat" ethical hackers, full time for penetration and other testing.

*ooohhh* "Penetration testing"

[Wulfie Reanimator]

3 hours ago, Beth Macbain said:

Oh FFS.

I'm going to starting stabbing people with pitchforks, and then I'm going to charge them for bandages to stop the bleeding from the wounds I inflicted. I call it ethical stabbing. 

That's not an equivalent situation at all, though? What you're describing is equivalent to ransomware, which locks up (stabs) a system until the "ransom" (bandage) is paid.

Ethical hacking does not involve "you stabbing people with pitchforks." It involves people asking you to stab their target-dummy in a safe environment under their supervision.

[Selene Gregoire]

Did someone call for a pitchfork?

[Coffee Pancake]

And this is why we all miserably pay for prime shipping.

[Bitsy Buccaneer]

Given what Kweopi said about classes for inworld uses being the most popular, if this project succeeded might it increase the skill set of griefers and others who might try to exploit some aspect of SL or a viewer like Red Zone and copybotters did?

 

[Wulfie Reanimator]

49 minutes ago, Bitsy Buccaneer said:

Given what Kweopi said about classes for inworld uses being the most popular, if this project succeeded might it increase the skill set of griefers and others who might try to exploit some aspect of SL or a viewer like Red Zone and copybotters did?

The same argument can be made for teaching hacking techniques in the real world, but it still happens. (Even my school has a bunch of projects with the direct goal of writing viruses and malicious programs that break other running programs on the computer.)

Knowledge isn't evil. The griefers are held accountable for their actions. That's all there is to it.

[Bitsy Buccaneer]

54 minutes ago, Wulfie Reanimator said:

The same argument can be made for teaching hacking techniques in the real world, but it still happens. (Even my school has a bunch of projects with the direct goal of writing viruses and malicious programs that break other running programs on the computer.)

Knowledge isn't evil. The griefers are held accountable for their actions. That's all there is to it.

I asked a question. I haven't made an argument.

I would just like to know if this might increase the skills of griefers and other bad actors in SL.

It is knowledge. Surely I'm allowed to further my own.

[Wulfie Reanimator]

4 minutes ago, Bitsy Buccaneer said:

I asked a question. I haven't made an argument.

I would just like to know if this might increase the skills of griefers and other bad actors in SL.

It is knowledge. Surely I'm allowed to further my own.

Your question has a lot of implications (to me it sounded rhetorical), but to answer it directly: Yes.

Edited March 4, 2020 by Wulfie Reanimator

[Bitsy Buccaneer]

20 minutes ago, Wulfie Reanimator said:

Your question has a lot of implications (to me it sounded rhetorical), but to answer it directly: Yes.

Thank you.

My question wasn't rhetorical. I genuinely didn't know the answer and wanted more information.

I think a conversation about the "implications" of that answer would be interesting and worth having, if only to consider some possible unintended outcomes and give the OP or anyone else a more complete and informed position to make their decisions from. But not today if I'm going to get shot down for even trying to get some facts right.

[Wulfie Reanimator]

3 minutes ago, Bitsy Buccaneer said:

Thank you.

My question wasn't rhetorical. I genuinely didn't know the answer and wanted more information.

I think a conversation about the "implications" of that answer would be interesting and worth having, if only to consider some possible unintended outcomes and give the OP or anyone else a more complete and informed position to make their decisions from. But not today if I'm going to get shot down for even trying to get some facts right.

When you ask "wouldn't the bad people get even worse" and the answer is "yes," it usually follows (implicates) that "it shouldn't be done then." (See all the posts above.)

That's why I responded the way I did, and it's the same response I would give here when you say "if yes, then we should think/talk about it."

Unless you mean something else by "the implications of that answer." What do you think it implies?

[Bitsy Buccaneer]

4 hours ago, Wulfie Reanimator said:

When you ask "wouldn't the bad people get even worse" and the answer is "yes," it usually follows (implicates) that "it shouldn't be done then." (See all the posts above.)

That's why I responded the way I did, and it's the same response I would give here when you say "if yes, then we should think/talk about it."

Unless you mean something else by "the implications of that answer." What do you think it implies?

My post above was that imo it would be interesting and worthwhile to talk about it. I've made a start on considering it from different angles, such as I can manage, but am far from drawing any prescriptive conclusions. My rule of thumb for life overall is that informed discussion and consideration is generally a good thing, although the state of the internet and some media is certainly complicating matters. That may very well be where my opinion on this ends up, with nothing more definitive than a suggestion for an informed and considered decision.

If the answer had been no, then one avenue for possible discussion would be a dead end. Which is useful to know before getting to far down the road.