DEF CON 2013: Heroes or villains?
Davey Winder investigates the value of sending IT security pros to hacker conventions
"It is important to note that all hackers are not criminals and do not steal your data," Hilbert told IT Pro. "Hackers in many cases are hired to test the security of a system and have no intention of stealing anything, rather they showcase how someone might get in and steal stuff."
Of course, that's not to say there isn't a hacker sub-culture, and within that sub-culture a broad dislike of law enforcement. Even allowing for this dislike (or should that be distrust, following the PRISM fallout?), Lysa Myers, a virus hunter for Intego, reminds us that when defining the hacker it's not simply a matter of good guys vs bad guys.
"White-hat hackers can include penetration testers, vulnerability researchers, etc," Myers says. "It's perhaps more informative to think of the distinction as defensive versus offensive security tactics."
Which is a good point, as there are lots of conferences, such as BlackHat (which happens in the days immediately preceding DEF CON in Las Vegas) and DEF CON itself, that are mainly about offensive tactics. "A lot of defensive security professionals attend these conferences," Myers admits, "as learning about offensive discoveries can be helpful in developing defensive technology."
Members of the IT security community, and it is very much a community these days, thrive on an openness and ability to share information. That doesn't change whether you are talking white, black or grey hat hackers.
There are black hats keen to share their discoveries with the world, and white hats just as keen to help their companies and clients. Participation in these kinds of events is seen as helping to preserve the status quo.
"I think it is good to keep the channels of communication open and for communities to mix," Ryan Rubin, managing director of Protiviti, told IT Pro. "It is when the channels are closed off that we really need to be concerned."
Indeed, the responsible disclosure of vulnerabilities is well regarded for a reason, and it's when vulnerabilities are kept secret and then used for profit, criminal or political purposes that the problems really start.
"I see more benefits of bringing communities together rather than pitfalls," Rubin continues. "Sharing of information and responsible disclosure helps us all mature our defenses and make the world a safer place."
Robert Hansen, security evangelist with WhiteHat Security, sees mixing with known malicious attackers as often as possible, without jeopardising legal boundaries, as a responsibility of those in the security industry in order to find out what they are willing to talk about.
"It's almost always a good idea to speak with malicious computer attackers," Hansen insists, "given that some amount of what the attackers are telling you is self-serving or flat out false, even in those half-truths and misleading information a skilled IT professional can glean real gems of information."
And talking of the self-serving and flat out false side of things, former FBI agent E.J. Hilbert reminds us that law enforcement also goes undercover at events such as DEF CON because "in order to be accepted into the criminal world they need to know the latest methodologies and need to be present at known hacker events to establish their credentials."
Hilbert also confessed to IT Pro that such hacker conventions are "a fertile recruitment ground for both formal employees and sources for law enforcement on investigations."
So, getting back to the original premise of this insight piece, should you be surprised that IT security professionals attend hacker conferences? No, of course not; it's a necessary and productive part of the job.
Should you be surprised that they also mix with cybercriminals, given the opportunity, at least as far as online forums and other meeting places are concerned? Again, it's a big fat no.
Intelligence gathering is a crucial part of any data defence strategy and the professionals need to keep up with the technological innovations that the bad guys are using. That's just common sense.
Where common sense all too often gets thrown out of the window is in painting all hackers with the dark brush of criminality. After all, let's not forget that for very many IT security professionals working at the very top of the industry today, it was hacking that acted as their gate pass into the business.
Reader, I was one myself back in the day (some twenty years ago now) and have gone on to become a three-time winner of the Information Security Journalist of the Year award. Information itself is morally neutral; it's what you do with the data that adds either a positive or negative connotation to it.