Thinking Like the Enemy, Rafe Needleman, Business 2.0

Publish Date: July 6, 2003

As Andy Grove has said, only the paranoid survive. If so, David and Barry Kaufman, the founders of the Intense School, run an academy for survivors. They help the paranoid become even more so.

The six-year-old Intense School, whose immersion courses in information technology topics like Microsoft (MSFT) Exchange administration are offered across the country, recently added several security courses, including the five-day "Professional Hacking Boot Camp" and "Social Engineering in Two Days."

The main philosophy of the security courses is simply to know thine enemy. And what better enemy to get to know than Kevin Mitnick, the famous hacker who was imprisoned from 1995 to 2000? Teaching security from the hacker's perspective, as Mitnick does, is more difficult than teaching hacking itself: A hacker just needs to know one way into a system, David Kaufman notes, but a security professional needs to know all of the system's vulnerabilities. The two courses analyze those vulnerabilities from different perspectives.

The hacking course, which costs $3,500, teaches ways to protect against the mischief we usually associate with hackers: worming into computer systems through technical vulnerabilities in the software itself. Mitnick's $1,950 social engineering course, by contrast, teaches the more frightening art of worming through the vulnerabilities of the people using and maintaining those systems -- getting passwords and access through duplicity, not technology. Take this class, or read Mitnick's book, The Art of Deception, and you'll never again think of your passwords or your trash bin the same way. Which is, of course, the whole point of the class -- turning its students into emissaries of thoughtful security.

So how do you teach hacking? With sessions on dumpster diving (the unsavory practice of looking for passwords and other bits of information on discarded papers), with field trips to case target systems, and with practice runs at the company's in-house "target range," a network of computers set up to thwart and educate students. The school is constantly updating its curriculum -- Kaufman says "no exploits more than six months old" are allowed in the course (so perhaps the best method for getting through the security of Intense School grads is to use tired old hacks).

In today's era of paranoid IT administrators and government regulations that demand secure systems, it makes perfect sense for companies to teach their IT teams how to protect their systems. But the concept of sending IT pros to a hacking school must be difficult for IT administrators to stomach; it'd be like sending all your accountants to Embezzling 101. And the Intense School doesn't check anybody's morals at the door: You pay, and you're in. The school does, however, strive to teach its students how to be "ethical" hackers: to use their skills to build better locks, and to understand the minds of those who would like to crack them.

Given the potential danger that an unchecked graduate of a hacking school could represent, I'm surprised the FBI doesn't collect the names of the graduates. Although perhaps it gets them anyhow -- several governmental agencies have sent students to the school.

Rafe Needleman is the Silicon Valley insider's insider. For years he's led loyal readers of his Catch of the Day column to the hottest new technologies. Now he's bringing his latest finds to you with What's Next, his twice-weekly online column for Business 2.0. You can reach Rafe at rafen@rafeneedleman.com.