Don't forget about a flux capacitor (FC). Firewall + FC = Fort Knox

Sorry, I was being a dick, I'll be serious for a minute.

It's a strange question. Illegal hacking is bad but it also keeps me employed on the white hat side. Our industry benefits from the Anonymous stuff and also when the media takes an incident and scares the crap out of people that don't understand it.

I don't promote illegal activity and I agree that a serious hacking incident can have devastating effects to a business.

I think a more interesting question is in regards to cyber warfare and what you think about nations using it against each other.....in my opinion, I think those hacks are good...

Stating that a person only needs a firewall to be secure is such an ignorant statement. There is so much wrong with it, I won't even get into it here. Go read about the attest new York times incident. They had a firewall AND antivirus ooooooooo. Those hackers must have used voodoo to get in 

I'm with Don. Hacking is not good or bad, it is how the person that posesses these skills uses them. The media has given the term "hackers" a negative meaning as they only feature blackhat incidents under this label and in positive messages speak of "compter professionals / consultants / experts).

Blackhats or criminals are a necessary evil. If they wouldn't be around, there was no security industry or policeforce and hence many people would be without a job. So not expect a completely safe internet ever, it's the same as real life: there will always be risks. Take your precautions and you will be most likely be safe enough.

A fw or anti-virus will not keep you safe from a serious threat. You should determine for yourself how valuable your data is and what level of protection is needed. As long as anything is in a computer there will ALWAYS be a way to get to it.

A reply on your first part:

If hacking did not exist there would be no internet. The true and old definition of a hacker is somebody who has the need to understand the inner workings of something in order to enhance / improve it or to gain more knowledge.

When using that definition you see a hacker is not restricted to the digital world. The same processes can be adopted to almost any field. People like this are the reason society always advances and comes up with new technology.

Second part: my opinion is that somebody who breaks in a computer and finds information that the public should know about must have the right to publish this. However in real life this is not the case. It usually comes down to profits and money. If there is enough at stake companies will try to sue you and goverments will put you in jail.

Journalists occasionaly publish stuff they get from an anonymous source. That would be the only way I would dare to publish.

The general public, have a view such as your friend's. This is because they do not understand that there are professional / ethical hackers like us, on the "good side", to many people, this type of job is surrealistic and incomprehensible, it's only something that exists in the movies, while this type of community on the good side, is in fact, quite large.

Obviously your friend is biased and somewhat newb, as he is only thinking about the script kiddies and black hats, and not thinking about that it was in fact a hacker who invented SSL (HTTPS), and another form of hacker, that invented a lot of other cool things, who was named Nikola Tesla.

It's a shame the general public have this view about hackers, that they are all bad, while a lot of us use a lot of our time, dedicated to learning in a safe and non harmful way, while increasing the security locally, or globally, often completely free. If increasing the security on a local or global scale is bad, then your friend may want to reconsider what is good or bad. (I know this is not what he said, but I am assuming his perception of the hacker world and the security aspect of technology is very limited.)

PS: Yes, it were hackers that invented the Internet.

The reason why I used Nikola Tesla as an example of a hacker, is because he was extremely clever and brilliant, he was way ahead of his time and was hacking together devices still in use today. Hacking is you and many others said, not confined to technology. The original meaning of a hacker was e.g. a person who was extremely good at crafting items out of wood. Of course, you don't have to share my beliefs and generally I wouldn't consider Nikola Tesla as the general kind of hacker, but, he was extremely dedicated to his work, just like any other hacker is, and he knew exactly what he was doing.

It's good to hear your friend is learning that everything is not black and white, there's (even though I don't want to say this), shades of grey in between. (Not 50 though.)

On the good side, depending on what type of role you're in, you will do almost the same as the attackers (blackhats), except you have permission to do so, and that you abide by an ethical code so you won't e.g. sell the client out, blackmail them, or disclose their information, etc.

Examples of work I have done is as follows:
- Web Application Penetration Tests (often few ips or small blocks)
- Web Service Penetration Tests
- Wireless Penetration Tests
- External Network Penetration Tests
(And soon I'll be doing Internal Network Penetration Tests too.)
- External Vulnerability Assessments (of large blocks)
- Vulnerability Research (finding 0days)
- Incident Response (when a client gets hacked by the bad guys..)
- Host Security Assessments (review of OS and/or Service configuration)
- Writing Secure Configuration Standards (for clients)
(And soon, I'll be writing Secure Coding Standards)
- Denial of Service Testing (i.e. stress testing servers.)
- Verifying that a site is e.g. out of a PCI Scope. (Otherwise, they have to get a PCI Assessment, which I don't do. We have a separate team for that.
- Source Code Reviews (I have a few big projects coming up.)
- Social Engineering Penetration Test (I have this type of project coming up soon as well.)

Of course I have also done:
- Marketing Videos for Information Security Conferences (showing how an external penetration test could get Domain Access, all because of an XSS bug to start with, and a MySQL server (the latest) hosted on a Windows server. This video was made months before KingCope released his "bugs".)
- Developing and upgrading internal tools (hacking tools, reporting tools, security tools)
- Developing and upgrading internal lab environment (for demonstrations, Capture-the-Flag contest, testing environments, etc)

And of course, I have used a variety of different risk rating systems, internal, client-based, and CVSS 2.0


Besides that I have done research in a variety of domains (most not released yet), but it spans across network attacks, web application security, etc.

The released stuff is mostly related to web application security. (Where this was released way before I got my job.)

All what mrvore said is truth, even though the term script kiddie (and the acronym skiddie) is still widely used