I'm sitting at my desk, having a cup of coffee and a toasted bagel when I notice this young, blond, pimply-faced kid standing outside my cube with this smirk on his red, puffy-cheeked face. I ask him what I can do for him, and he hands me a piece of paper with a Web site address written on it. It looks like an address that a customer would use to access the application that we host.

I ask what this is all about and he introduces himself as one of our company's application developers. He explains that he likes to "kinda hack a little bit" on the side and how he "discovered this" while playing around at home. I take the Web address, type it into my browser, hit Enter and a list of customer names, addresses, phone numbers and credit card numbers appears on screen.

Uh-oh. This information is normally supposed to be accessible only through a series

He introduces himself as one of our company's application developers and explains that he likes to 'kinda hack a little bit' on the side.

of authentications, but the address bypassed the authentication mechanisms and displayed the data. The kid goes on to explain to me how the application programming interface (API) isn't configured properly and how many other pages can be displayed by bypassing the authentication screens. I thank him for the information, take a few notes on the details of the authentication API and then begin to interview him.

He's just 23 years old and has been playing with Linux since he was 14, started programming at 16 (for fun, he says) and has had part-time and full-time jobs as a Unix and Windows NT administrator and as an application developer for the past six years. He has no college education (but has just enrolled), and security is his hobby.

Eureka! I've hit the jackpot. A perfect fit for my plan to conquer the world. Even better, the application development project he has been working on was finished and he had been expressing an interest in security for some time. To make a long story short, I put in a request to have this kid transferred into my group. He's Unix-savvy, bright, articulate and, best of all, he knows our business very well. He's been working as a developer for almost two years and therefore has an extreme in-depth knowledge of the application we host and sell to customers.

As many readers probably know, security professionals are extremely difficult to find. In my experience, there are many

It's difficult finding individuals with good communication skills combined with years of hands-on Unix, Windows NT, programming and, most important, hacking skills. Yes, hacking skills.

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine