Learning to Counter Threats – Skills or Ethics?

Fellow CISSP  Cragin Shelton made this very pertinent observation and gave me permission to quote him.

The long thread about the appropriateness of learning how to lie (con, `social engineer,' etc.) by practising lying (conning, `social engineering', etc.) is logically identical to innumerable arguments about whether "good guys" (e.g. cops and security folk) should teach, learn, and practice

•  writing viruses,
•  picking locks,
•   penetrating firewall-protected networks,
•  cracking safes,
•  initiating and exploiting buffer overflows, or
•  engaging in any other practice that is useful to and used by the bad guys.

We can't build defenses unless we fully understand the offenses. University professors teaching how to write viruses have had to explain this problem over and over.

Declaring that learning such techniques is a priori a breach of ethics is short-sighted. This discussion should not be about whether white hats should learn by doing. It should be about how to design and carry out responsible learning experiences and exercises. It should be about developing and promoting the culture of responsible, ethical practice. We need to know why, when, how, and who should learn these skills.

We must not pretend that preventing our white hatted, good guy, ethical, patriotic, well-intentioned protégés from learning these skills will somehow ensure that the unethical, immoral, low breed, teen-vandal, criminal, terrorist crowds will eschew such knowledge.

I have grave reservations about teaching such subjects.