Wireless guru & Ethical Hacker Network columnist, Dan Hoffman, shares his secrets on what it's like being a professional "ethical hacker" in a video interview with NetworkWorld. See the story titled, Good Will Hacking:

http://www.networkworld.com/video/121106hs-hacker.html

Digg story:
http://digg.com/security/Video_Good_Will_Hacking

Don

Nice interview, but it bothered me when he stated that the “underground has at lot more knowledge than the typical ethical hacker.”  He states that they are the ones creating a lot of the exploits and the best we can do is garner that and try to replicate that knowledge. That statement makes the EH look weak and is not reality based.  I disagree totally with that statement and if you really know the underground, which most ethical hackers don’t, you would see how false a statement that is.  Most of the better exploits have been developed by people doing serious exploit research and then they are ripped off by the underground at a later time.  Yes I know there are some exploits that the so called black hats have developed and I am the first to take my “white hat” off to them, but let’s keep it real.   Look at the Cisco router hack that was revealed at Defcon.  That was not from the underground and that was the hack of the century. I can relate many more from those working on the secure side of things. The problem is, the ethical hacker community is a very new thing and not connected. Thats why I support this board! There are some extremely high level people in  this community and have skills that go way beyond anything in the so called black hat community.  CISSP’s are not supposed to have a relationship with known hackers and I think that’s a weak part of their code of ethics. That is the main reason I havent taken that cert. If you know the dark side then you don’t make it more romantic than what it really is.  I have seen it and 90% is lame. If the industry sees us as just trying to “keep up” why would they respect us?

Thanks for the comment and I agree with your post, but I still feel the skill  level is higher on the “ethical” side of things.  The statement was made that the underground is more advanced than the typical ethical hacker. I guess you can interpret that many was I suppose.  But I would say as far as hacking goes, in my opinion its completely opposite. The average black hat is a  teenage script kiddie  while most ethical hackers are seasoned admin trying to protect their networks. 

@Dan

I agree with that, but Kev's point has validity. The area of vulnerability/exploit research has grown exponentially in the last few years. These researchers are not the typically corporate security guy focused more on ops, they are a mix of highly educated engineers and talented software guys and I think they are on average more talented then the bulk of blackhats. There are likely a handful of elite blackhats that are making millions on selling private exclusive remote 0-days and they are the best because they aren't as tied to a 40hr work week mentality and will stay up several days straight testing code and often have more financial motivation then whitehats to succeed. Another factor to consider is the whitehat talent within the NSA and other gov agencies, which tilts the elite talent pool even more towards the whitehat side. With all this considered I think more ground breaking exploit may be done by a smaller elite community of blackhats, but IMO there is more talent as a whole on the whitehat side of things. Now the impact of that, is entirely subjective, because all it takes is for one guy to be able to defeat your security and your hosed.

Hey Dan,

Thank you for taking the time to post your thoughts.  We are probably just arguing over semantics, which happens a lot when terms like hacker, etc. are used.  If by what you term as the underground is specifically those that are finding ways to exploit and crack systems and if by ethical hacker you are using the Ec-council standard. Well, I would have to agree with your statement completely.  Of course writing exploits and tools requires more skill than to use them, although I have seen some brilliant things done with tools in the hands of extremely talented and seasoned professionals.  In those few instances I might say it took less skill to make the paint brush than for the artist Rembrandt to paint his masterpiece.  Ok, that might be a bit of an exaggeration, but those of you that have seen some really clever people at work know what I mean. 

My interpretation of the term underground is all inclusive and I include the term “black hat.”  I include those that are writing exploits so they can crack systems to the small underground hacking groups that might consists of teenage script kiddies.   I see the Ethical Hacker as an all inclusive term also and I go way beyond the narrow confines of what the EC-Council certifies.  Everyone that is involved in discovering exploits to pentesting in order to secure networks from malicious attacks is a “white hat” or ethical hacker. I see hacking as “thinking outside the box” whether for good or bad.  I like this more inclusive approach because its puts everyone working in security on the same team so to speak.  Also, if you view it this way, this Ethical community is very formidable.  I believe it’s important for the business world to not take the underground for granted, but also believe they can feel reasonably secure if they place their networks in the hands of high level security professionals. 

So in reality we are than likely just interpreting terms differently.