Sporting long sideburns, a goatee and black baseball cap, instructor Ralph Echemendia has a class of 15 buttoned-down corporate, academic and military leaders spellbound. The lesson: hacking.
The students huddled over laptops at a Los Angeles-area college have paid nearly $4 000 to attend "Hacker College", a computer boot camp designed to show how people will try to break into network systems -- and how they will succeed.
"It is an amazing thing how insecure the big corporations are," said Echemendia during a break in the weeklong seminar. "It is just amazing how easy it is."
Hackers are believed to cost global businesses billions of dollars every year, and the costs to defend against them are soaring. One study by Good Harbor Consulting showed that security now accounts for up to 12% of corporate technology budgets, up from 3% five years ago.
"This is definitely bleeding edge -- so bleeding edge in fact, sometimes, that it is frightening," said Loren Shirk, a student in the class at Mt Sierra College who owns a small-business computer consulting company.
Licence to hack (nicely)
The course prepares students for an exam offered by the International Council of E-Commerce Consultants, or EC-Council. If they pass that test, they get the ultimate seal of approval: Certified Ethical Hacker.
The class is by no means easy. Instructors race through topics like symmetric versus asymmetric key cryptography (symmetric is faster), war dialling (hackers will always call late at night) and well-known TCP ports and services (be wary of any activity on Port 0).
"I can definitely say it is not for everyone," said Ben Sookying, director of network security services for the California State University`s 23-campus system and another student in the class. "If you do not have discipline, you will not make it through this course."
But the work is practical, too. On the first day, students were taught basic, free and legal research methods, mostly involving search engines and securities databases, so they could learn as much information as possible about companies, their executives and systems.
With relatively little effort, they found out that the chief executive of one public company maintained his own Web site dedicated to guitars, while another public company still uses a number of systems known to be easily exploited by hackers.
It takes a thief
Intense School, the Florida-based company that runs the hacking boot camp, started off in 1997 with a $35 000 investment, teaching Microsoft and Cisco software to systems engineers.
After the 11 September 2001 attacks on the World Trade Centre and the Pentagon, the company expanded its focus to information security courses. It now offers around 200 classes a year, generating about $15 million in annual revenue.
"What we attempt to do in our classes is teach how the hackers think," said Dave Kaufman, president of Intense School. The only way to keep hackers out of major corporate systems, he said, is to know how they will be attacked in the first place.
Cal State`s Sookying said, in his case, the problem is that the users of his systems know how to attack all too well.
"We teach students how to hack and how to code and here are the students applying what they have learned against us," he said.