Cyber security has never been a hotter field to get into, but how do you gain the skills needed for landing a job? There are various paths to a cyber security career, from a formal university education to being a self-taught hacker. In episode 33 of Cyber Security Sauna, we hear from our guests about cyber security education from both a student and teacher perspective. Jesse Rasimus is a recent graduate of F-Secure’s Cyber Security Academy who is now employed with F-Secure, and Tom Van de Wiele is an F-Secure consultant who also teaches infosec. They discuss university versus practical training, what it’s like starting out in the field, dealing with imposter syndrome, and the cyber security careers of the future.
Listen, or read on for the transcript. And don’t forget to subscribe, rate and review!
ALL EPISODES | FOLLOW US ON TWITTER
Janne: Welcome, guys.
Jesse: Thanks for having us.
Tom: Thanks.
So Jesse, what is your background? How did you get into cyber security?
Jesse: Well, my background basically is vocational school. Vocational school was more focused on physical security, and also computers in general. So those are my study backgrounds. As my job background, I have two years of physical security, guard and then mobile security guard. My interest piqued in cyber security when I was fooling around with computers in my free time.
So it started out as a hobby, and then became your profession.
Jesse: Yeah, and my friend was working in cyber security as a consultant. I saw his work and it sounded really interesting, and I was like, maybe this is something I want to do also. I looked more into it, and I checked F-Secure’s career page and they had the Academy open, and I was like, I’ll apply here and see if something comes up.
Working in security as a security guard, you were already a little bit into security, but was there something specific that made you flip the switch into full time cyber security?
Jesse: Basically it was when I was doing my night rounds around different offices, I tended to read all these bug bounty writeups and stuff like that, and different kinds of cyber security news, and it was really interesting for me. I was thinking I really want to do that. I had the physical side, maybe I could somehow combine the physical side with the computer side.
That’s interesting. What do you think Tom, sort of switching from hobby to career, that’s a story we’ve heard before, but the physical side is a new one.
Tom: Absolutely, and it’s good that you found that angle into this whole domain. Because most people in the beginning seem to be a bit overwhelmed with what’s out there, or they go for the headline things of “become a hacker,” or do this or that, without actually having a foundation. So it’s quite nice that you found that angle and found that way in to kind of expand it into a full-fledged cyber security domain. Of which, of course, physical is a part, right? They don’t keep computers in fields, they keep them in secure buildings with locks and keys.
And guards.
Tom: And guards, exactly. So that can only help you further your career, of course if you want to stay in that, or expand from it. So, absolutely.
Yeah, so what’s it been like for you, the whole new domain of cyber security?
Jesse: It’s been learning a lot of new stuff. Because I’ve basically mostly been on the Windows side. But then, because Linux is a big part of my day to day work, I’ve had to build upon my bare bones Linux experience and then learn about it from there onwards. But the fact that it’s been a big challenge for me, I really like that.
Has it been difficult?
Jesse: Well, it has been difficult, and then I start feeling comfortable for a moment, and I’m like, “Oh, this is easy,” and then a curveball comes in, and then I’m like, “Oh – this is not as easy as I thought.”
I think that’s pretty much the definition of a learning curve, is like when first you don’t know anything, and then you start to feel like “Oh yeah, I got this,” and then you start to realize “Oh man, I don’t know anything.”
Jesse: Yeah. And then there’s always the issue of imposter syndrome. It’s like, what if everybody else starts seeing through this veil of lies and smoke and mirrors that I think I have up. But then in reality, I probably don’t have them and I know much more than I think I do.
Tom, is there anything we can do about imposter syndrome in educating these kids, or…?
Tom: I think it’s very healthy to have a little dose of imposter syndrome, because it means that you haven’t become that arrogant that you know everything. Because in any domain, if you think you’ve reached the top, there’s somebody who’s going to prove you wrong by something really stupid that will make you think that whatever you learned is on shaky ground and how to continue your career and all that. So it’s a very healthy thing to have, I think, a bit of humility.
Yeah, as long as it doesn’t become crippling.
Tom: Sure, absolutely. And on that topic, throughout the years that I’ve been teaching, I think it’s safe to say that I’ve almost learned as much from students as I have from people who taught me back in the day, who mentored me in different areas when it comes to the actual domain itself, or writing, or reporting, or dealing with people. And you have the same thing with people who teach kids for example, because in the words of the famous Richard Feynman, he says if you can’t explain it to a small child, you haven’t understood it. So you have to force yourself to reinvent it in whatever way. And that will show you new ways of explaining it, and it will also result in new insights, but also it will help whatever generation you have in front of you to understand it within their mindset.
Absolutely. So how did you get into infosec teaching?
Tom: Teaching came later, obviously. I got into the business when there wasn’t any business. There was this one guy, who is one of my personal heroes, Peiter Zatko, Mudge, as he’s called. He, kind of with the L0pht, was kind of the first company on the private side, or non-industrial contractor side doing consultancy. But the people that I hung out with were system administrators, were network experts, were phone experts, were privacy experts. And I can tell you back in those days, there was no school to learn dumpster diving –
Right, right. I don’t think there’s a school to learn dumpster diving today either.
Tom: There’s still time, Janne. There’s still time. This could be a career move.
(Laughing)
Tom: So, you have to be out there to learn and to challenge yourself constantly, saying I want to understand how this works.
Did teaching come because of that, challenging yourself?
Tom: Yes, and trying to project that question into others, trying to put that question into their lap, saying don’t you want to know why this happens? Or to show them, or to show anyone who’s learning something new, something you’re almost certain they won’t understand right off the bat, and it forces them to ask questions. And once you can have those questions bubble up from the person themselves towards whatever topic it is, then you have a very healthy situation. Because this is a moving target. Cyber security is constantly being quoted as the one domain where the goalposts are constantly being moved. Because we use different systems than we did 10, 15 years ago. Things and concepts are changing. When we grew up – and there’s a bit of a generation gap here – but our version of privacy is completely different from what the kids are using at school these days, where it doesn’t even exist anymore.
So has that changing playing field been the difficult part in cyber security, or what would you say, Jesse, has been the most challenging thing? What surprised you the most?
Jesse: There have been moments in my working day that have been a bit grindy. It’s not always that you go into a system and you break it, and you have sunglasses on, and you’re like “I’m in.” But it’s much, much more sometimes just grinding the same thing again and again just to find that one goal.
Yeah. It’s almost like you’re saying that there’s actual work that goes into hacking.
Jesse: Yeah, it’s actually not just all fun and games.
Tom: Who would have thought?
Yeah, who would have thunk it?
Jesse: My friend, whose job seemed really interesting, he showed the most glamorous parts. He showed like, “I got in, and I could grab these files from here,” for example, but in reality it’s not always that way.
No, but that’s how they get you. So you started in our cyber security academy, which is like this entry level training program we have. What was that experience like?
Jesse: I’d say the cliche “It was really good.” We started with the basics. We saw what is the baseline for everybody, what does everybody know in common between everyone. And then started building upon that, getting familiar with the different tools, the command line on Linux, scripting also was something we started getting familiar with, and trying to move around with those.
So sort of the common language of the information security field.
Jesse: Yeah, and then we had those kind of mock targets that we use, stuff like VulnHub, and we had these bugs and web services that were vulnerable and then we just tried to break them, and then went onwards from that.
So very hands-on.
Jesse: Yep. Really hands-on.
Tom: This makes me very jealous, by the way.
Because you didn’t have that.
Tom: I went into system administration, and went into consultancy. And the first real consultancy job I had, my manager took me aside and said, “Tom, this is a new job that we have to do. We have to get into this place. This job requires the best hackers that we have here in Belgium,” back in the day. I got really, you know, you could see me visibly grow.
“It needs the best. Unfortunately, the best are out of town, and we’re gonna give it to you.”
(Laughing)
Tom: And that’s how I started my first gig. So I would have loved a steady ramp-up of, you know, skills and experience and all that, versus just being thrown in, but that’s how you did it back in the day.
No, I’m sure. But then Jesse, when you moved from the academy to actual working life, a professional infosec career, did you feel the academy did a good job in preparing you for that?
Jesse: In general, yeah. We did these kind of mockup reports that we do in our day-to-day work, gigs, we did a mockup version of for example some kind of online web store that was vulnerable, we wrote a security report based on that, so that prepared us really well for our day-to-day work. But then always there are those certain things in the day-to-day work, for example, a client you need to engage with, instead of the mentor we had in the academy. And in some ways it wasn’t the same as client engagement in real life.
No, I’m sure. Nothing prepares you for a live customer encounter.
Jesse: Who pays.
Yeah, absolutely. I mean that in the most positive and in the most negative way, both. So for the good or the bad, in real life customer engagements, nothing prepares you for that.
So, okay, you’re not just a hacker, you’re an infosec consultant. So you were talking a little bit about writing reports and that, so the consulting side of this business, was that covered in the academy as well?
Jesse: It was, to an extent. But you can’t always go all the way in because it’s a really really wide array of stuff. The academy was one year, of which we had I think about four months of intensive training. That’s not enough to cover the whole array of consultancy. You have to have extra stuff also, like different workshops later on and keep honing your skills.
Yeah. But would you say that the work you did in the academy was practical enough for you to get a head start in this business?
Jesse: Yeah, it was really practical. The route I was thinking about going down was five more years of university. And university doesn’t have the hands-on experience like you get from the academy, for example.
Yeah. Like Tom said, back in the day, there didn’t used to be a lot of university training available for this stuff, but now we’re seeing a lot of universities offer that. So is formal education a good starting place for this field?
Tom: Well, different institutions and schools and after work education centers, they try to prioritize cyber security in their courses. But the domain is so big that they still have to make a selection. And that’s either application security, or architecture, or privacy, with GDPR. So they certainly have value, but it’s not going to prepare you for the field or the position or role as being a security consultant, and just being there sitting next to the customer and being their oracle that you can just ask questions to and get the right answers to make the right decisions.
So it’s certainly a help, but there’s nothing as good as getting the exposure with the people that are actually buying security, that actually want to have it applied, because they need to make decisions. They want to grow their business. They want to launch that new app, or connect two networks together. They need to know the right information to have an overview of the risk to make that decision. And the consultant plays a key part of that.
So when you did that one master’s or that one year of extra education when it comes to security? Well the answer is probably no. But it’s certainly a good starting point, where then we come to the area of self-motivation and self-education, because there’s still a lot in the business when it comes to security that is just based on making sure you can fill those gaps yourself.
Right, but now we’re touching on the age-old problem that actual practical experience is the best teacher, but you can’t gain that experience unless you have a job in the field, and you can’t get a job in the field because you don’t have the experience.
Tom: Exactly. That was a huge chicken and egg problem back in the day. And when I say back in the day, it’s like early 2000s, end of the ’90s, where software was almost not available, because you had to have very expensive licenses, you couldn’t try things out because there were no real virtualization technologies around, so you had to try things on your own smaller, older computers, or universities and all that.
That has all gone away. Now, when it comes to being able to try things out when it comes to learning things, I mean…you know, documents you can read, online courses you can do, war games and hacking games you can play, virtualization. I would say even right now, there’s a little bit too much information to know what to focus on if you want to have a job in cyber security. So it has shifted.
So it’s more a question of focus now.
Tom: It’s more a question of focus on knowing what you want to specialize in. Because if you over-specialize, you’re going to find yourself without a job or maybe not as relevant in a few years. So you have to keep as open a door as possible, to make sure that you at least have some kind of overview of the domains, but make sure that you specialize in a few of them. And of course, take a step back and keep track of what that domain is doing in the world.
Yeah, I like your point about there being so many opportunities to learning this stuff. I like how Jesse was saying as a security guard he was reading bug bounty reports and capture the flag writeups and stuff like that. There are these opportunities to learn. Did you find it easy, Jesse, to find information about this business, or was there, like Tom said, that problem of over-information and having to choose what you find relevant?
Jesse: Yeah, I’d say there is the problem of there being too much information. Because if you’re really fresh in the industry, you don’t know what’s really wanted. Like for me, I was reading all these news articles spanning from red teaming stuff to bug bounty stuff and everything in between, and sometimes I had the issue that I didn’t know what to focus on. It’s like, here’s a certification you can do that might be helpful or might not be helpful.
But then the best thing is just going through job postings, they usually have what they’re wishing for, certifications and knowledge you need to have. That did help a bit, but still, there is in my opinion a bit too much information for someone who doesn’t know specifically what they want to do.
So maybe that’s something as an industry, we have to focus on, is providing almost career advice, like these are your choices, as far as we understand them, and this is what you need for this, this is what you need for that.
Tom: I mean, it also has to do with your background, right? Most university programs that I have seen, when people want to get into the industry when they’re still studying, they will come out of the world of application development. And then that’s kind of the only thing that people focus on. But cyber security is a lot more, of course. So it kind of depends on, do I want to work in application security? Do I want to work in network security? Do I want to work in the bigger domain or being a consultant?
So you always have people that the way they look at the world and cyber security will be colored by their background. So we have people that we’ve interviewed where their world is application security, and when you talk about other aspects when it comes to design, when it comes to architecture, they will just say that someone else can take care of that.
Yeah, and that’s one of the things, like what would you say about expectation management? Like every week we get contacted by people who say “I want to do professional red teaming.” Especially when you and I talk about red teaming, that always spikes it up. But we very seldom get an application from someone saying, “I want to do web app stuff day in and day out for the next 20 years.”
Tom: Well, they do exist. And again, it all depends on what you want to specialize in and what you find challenging. Because one is not above the other. But it has to do with what the market is demanding right now, it has to do with what is being taught at universities.
I personally give guest lectures at the technical departments at universities. I used to give classes as well on the ten domains of one of the bigger certifications, the CISSP certification, because it provides that baseline. And that really opens people’s eyes, that there’s more to this than that.
So it’s good that through our academies and also other initiatives that we are giving this foundation to people to say look, this is the area you can move around in. I know you have a certain background, a certain expectation, but try to get as much exposure as possible to these new domains, to find out what you like, what you don’t like, and how we can get more people into this business through your own motivation, saying “I’ve now found my one thing, I’m going to develop it for two or three years, and then I’m going to pivot towards some other domain.” There’s room for that, but right now, the only limitation you have is your own interests.
School ends, education is for the rest of your life. So we just need to keep being hungry and making sure that we give this perspective to new people coming into the business.
Now on that topic of choosing your own career and university versus vendor academies like our own, what is it that a vendor academy like the F-Secure cyber security academy offers that a college doesn’t and vice versa? How do I make the choice which one I want to go to?
Tom: Well, you constantly have the tradeoff between do we want to give a very wide foundation, versus train a fellow colleague in being able to answer the demands of our clients, to say they have real, concrete security problems that we have to try and solve with them. So you need something from both worlds. Right now the most, I would say, almost disappointing aspect, is that right now we need to have governments of countries, especially in Europe, to look at this and take this seriously and provide more formal education when it comes to cyber security or information security in general.
Right, okay, yeah.
Tom: And also, you know, when you come out of a very formal educational background, one of the things that we are seeing, and this is a thing that all juniors have when they get into this field is that they want to see the world in a very idealistic way. In that you come across maybe a technical infrastructure of a client, or something you’re supposed to evaluate when it comes to security or design, and you come across something that is basically the equivalent of someone installing an application next next finish, and when you start out in the business you get really upset, right? Because how could they do this?
And you might well see stuff like that.
Tom: And these people are obviously morons, right? But only later can you get the perspective and ask yourself the question, saying, the time that was not spent on this application or this particular thing, where was that time spent? And that gives you a far more wider view of what is this company or organization doing, and what are they really spending their time on, and maybe this needs to come from the top, rather than from the bottom up. Because we can cry wolf all we want. If we don’t change things from the top down, you’re not going to see these changes trickle down where maybe we’re going to see more hygiene when it comes to IT security.
And in the beginning you have kind of a black and white view on this, and that’s fine, you need to be able to handle that as well, but later on you develop these shades of gray, and that helps you make better decisions.
What are some curveballs that you would suggest people just getting into infosec should keep an eye out for? Were there some things that caught you by surprise in this field?
Jesse: This might be a bit cliche, but a person who doesn’t seem like a hacker might actually be a super efficient and skilled person in the infosec industry. Some people I’ve worked with, the skills that they have, have been way over my expectations. And I really look up to them in that regard, that they have these amazing skills but then in certain situations they seem completely chill even though –
They’re super-hackers.
Jesse: Yeah.
Tom: I think one of the main things for me where my eyes really opened, was that the IT industry, which has a reputation over the last 30 to 40 years of overpromising and underdelivering, still doesn’t really know what it wants. Or there’s this fetish belief that the industry will figure it out, and they won’t. And it’s a matter of how big you are in the industry, where you can try things out, like being a Google or a Facebook or whatever.
But fundamentally, when we are hired in being able to consult on topics like secure architecture, and penetration testing and trying to establish a risk picture, at least it was my perception when I started out that this will improve, right? This will become commodity. When’s the last time in an airport you saw an ad for a firewall, right? These things are a commodity now. Back in the day this was the latest and greatest thing.
And I thought back in the day, as naive as I was maybe, that this also would become a commodity. That when you go into a sandwich shop and on the front door it has a report from the government that says “This is how they handle the food, this is how they handle the hygiene,” that we would have something similar for applications.
Because in the end it’s also architecture. We want bridges that don’t fall down, we want apps that don’t crash. And that still hasn’t really come to fruition, or we don’t really have that. We’re kind of still in square one by saying, “Let’s take decisions faster, let’s move our stuff to the cloud, because this other company that’s way bigger than us chose it, so let’s also go down that path.” And the lack of that commodity and still that quick – what I think is maybe not the right way of thinking about things, that still surprises me to this day, and that was one of the first things that really opened my eyes when starting out.
Jesse: It’s always easier to say “We take your security seriously.”
And then apologize for the breach, yeah. So for years now, we’ve been reading news articles about the cyber security talent shortage. Yet some in the field say that this is a myth, that the real problem lies in unrealistic hiring expectations. What do you guys think is the current situation in the field?
Jesse: I’d say depending on the company. Some companies prefer you to have like a master’s and bachelor’s in a related field, instead of if you have the experience and the motivation. For those companies, it might be that the degrees and all these, they weigh much more than the motivation, and they see that this person has proven success in different master’s and bachelor’s. And motivation doesn’t weigh at all. And that becomes an issue in hiring, in my opinion, for some companies.
Tom: I think hiring has changed in information security in the last five years. In that up to five years ago, you would see vacancies for information security consultants, and cyber security consultants, which means we want someone with a very broad foundation that is able to specialize in certain areas and is basically able to talk about anything. That is changing, when you look at the vacancies that are open right now, where companies are looking for mobile security experts, red team experts, security architects, so it’s much more specialized.
And I think that’s kind of the one clue that the education departments of countries and universities need to take, but also third party organizations, is not to try and cram as much general or generic information into someone, but try to do it in an applied way, to saying, look, you take this course or you finish this education, and this is where you’re going to end up. Knowing very well that you will be specializing, and of course you need to make sure that you keep your options open, if you want to pivot from one area to another.
But we are seeing more specialized vacancies opening up. And still, even with that change, we see that organizations have problems hiring people. Because again, it’s very hard to find people that have kind of a knack for this, that want to learn and keep learning, even though that also has become a commodity at some point. It used to be only the world of hackers and all that, but now we need more people that can look at information security more broadly. So I think we are still lacking people on the market that want to get into this field, and we need to create incentives from all sides, private sector as well as the governments, to get more people in this field, so that, again, we are looking at the digitalization of a lot of governments, a lot of departments of governments that haven’t gone through that phase or are still going through that phase.
We are building the legacy systems of the next five, ten, fifteen years. We need people right now that can make sure that we have some room to maneuver and we have some slack space when those things that we’re using right now become legacy.
Right. I mean, we do need warm bodies in the industry, but like you’re saying, we’re also specializing, so we’re going to need specialists tomorrow that we don’t have today. Do you want to go on record with a prediction, like what’s going to be a specialty that we’re going to have a shortage in?
Tom: I think right now, the industry or society as a whole, could really benefit from more people who build systems, build applications, are architects, that know about information security. Unfortunately, the industry, and the way the industry works, there’s and incentive not to do that, because the more data you have, the more you can enrich the data and of course monetize it, but as a standard by default, we should be looking at information in a way that we look at a ticking time bomb, in that I don’t want your personal information. If I can get rid of it, that would be great, because otherwise I need to guard it. So this hunger for more information, and we’ll just put it in the cloud, and we’ll just put some AI on it and magic is going to come out, we need to start looking at this in a very sober way.
So to answer your question, we need more security architects, we need more people who can design systems, in the most abstract form of the word, in a way that has security and privacy built in, or at least anticipates some kind of breach or misuse or abuse, we need people to make sure that we have data audit, data privacy, data accuracy, data decommissioning. Because again, we are building these systems for the future. We are building our own information age right now, and it seems right now we’re going to end up in an information age and not be actively building one. And I think we need more people in those areas.
So how do we incentivize the people with those kinds of skill sets to join us in this industry?
Tom: I think first and foremost, governments need to take care of the difference and the rift between the public and the private sector. As someone who’s worked in the private sector for almost 17 years now but also with clients in the public sector, it really hurts to see that the institutions that need information security the most, the brick and mortar of our society, the information systems that govern our governments, our defense, our critical infrastructure, energy, schools, hospitals, they need security, information security, to make sure that whatever data they are sitting on can be trusted, is kept confidential to whoever needs to have it, and is available whenever they need it.
And those people right now are not getting the same level of training, education, compensation, and I think that could be a good starting point in making sure that we level the water between the private sector and the public sector, so that all of us get more career options moving from one to the other.
I would love to start working at a hospital keeping medical data safe because these are extremely interesting security challenges. Because you have so much accessibility that needs to be possible for medical staff and patients versus some of the most critical data you can be sitting on, where you literally have someone’s life in your hands depending on what is sitting in a database. So I think that could be a really good starting point, but also to look at the current education systems and say, okay, how can we make information security part of this?
One of you guys basically got into hacking before there even was an internet, and one of you is a very millennial internet age digital native. If you had your roles reversed, would you still get into the hacking? Jesse, how does it sound, the hard dumpster diving road that Tom had to take?
Jesse: I would say eventually, yeah, but it would take a longer time for me to get into and actually get so interested in the whole industry.
So what about you, Tom? Did young Tom have the self discipline to sift through all the noise of information and pick out the grains of truth and get into this industry?
Tom: I think so, because for me back in the day, it was about learning and being the master of a certain domain. So for me it was really the hunger of knowing or finding out how things work and making it do my bidding. And I would probably be a little bit confused as far as how much is out there right now, but yes, I would be in this same industry doing the same thing. Maybe I would have overspecialized in a certain subject, maybe stayed in there rather than the broad foundation that you would need to get into the industry back then, but certainly I would still be in this industry.
Jesse: I remember when I was like, seven years old or so. My parents put a time lock on the computer on when I can use the computer.
Tom: How long did that last?
Jesse: Probably like two weeks. Because then –
Tom: Oh, there you go. What took you so long?
Jesse: Because then I was annoyed I wasn’t able to play any games. So then I was seeing how can I bypass this time lock? I kind of knew when the time window is when I could access it, and I knew I could go to the BIOS and change the system time from there. So then I went there and changed the system time to the certain time I could be on the computer. And that way I could log in normally.
Tom: I’m reading Edward Snowden’s book, and on the first page it says the first thing any kid learns to hack is time. When to go to bed, changing clocks. Anything they can do either by opening a new conversation or whatever it is that they do to stretch bedtime. And I think we’re pretty good at that as human beings.
Time hackers…
Tom: Yeah, maybe not like that, but…(laughing). In that sense, it’s something that we’re all trying to manipulate to get what we want, and I think the essence of hacking is kind of based on that. Trying to make your own rules, bend the ones that are there, make up your own, and be the lord and commander of your own little domain or system.
I’m actually surprised that that doesn’t lead to more hubris, with people always breaking or bending the rules, does that lead to a mindset where nothing is true and nothing is carved in stone and everything is possible?
Tom: I mean, it has raised the stakes. The hacking that was done for example in the 90s and the early 2000s, if you got into a system, I mean, everyone was basically running an involuntary bug bounty. So you got a t-shirt and a mug and they said “More power to you, please don’t do it again.” If you do the same thing now as part of a “prank” they give you an orange pajama and they send you to Cuba. So things have changed.
But luckily also on the educational side, where we have these war games, these hacker games, virtualization, where you can just try things out without hurting anyone, unfortunately some of the people out there haven’t gotten that message and still consider the internet their playground. And that’s just kind of a sign of the times.
That’s an interesting point you bring up, the ethics of hacking. Because we’re seeing a lot of young kids who seem to have a potential for this field. But then they do a couple of stupid mistakes too many in their young age, and then they’re damaged goods after that.
Tom: I mean, a computer is just a tool and a multiplier, right? So if someone’s going to do something stupid, that’s now going to be multiplied by whatever technology they can get their hands on. So you’ll always have criminals that leverage – this is the eternal hacker versus cracker discussion.
Right. But like, these are not bad kids. They’re just misguided, they don’t know better. So should our hacker training for young people be more about what is right and what is wrong?
Tom: Again, the stakes are higher, because when I was growing up, the worst you could do was maybe do something over the phone, or you could toilet paper your local school. But someone with the right skills right now, even just being young and foolish and trying to prove something to yourself or to others, that can go horribly wrong right now, with the things that are connected to the internet right now.
Yeah, you can do some real damage.
Tom: Exactly. So regardless of whatever specialized education or whatever academy you take, that also needs to be taught in schools, saying that there is right and wrong when it comes to computers, because these things govern our lives now. So you need to know what the boundaries are, and to some extent what the law is, as far as what is fair computer use and what is not.
Right. Just because you can do something doesn’t mean you should.
Tom: Exactly.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.
Categories