Hacker - hero or villain?

I recently watched a documentary on UK satellite TV that seemingly portrayed the life of a computer hacker as glamorous, edgy and cool.  The hackers interviewed were all American, male, typically geeky with a fake hate of institutionalism and popular culture.

Many argued they 'hacked', or 'cracked' as some term it, simply for the enjoyment and prestige of being able to 'beat' large corporations or public organizations, that have spent vast sums on securing information systems and networks.  The thrill of a one-man-band crusade and coming out on top, spurs many individuals on to continually attempt to break and overcome security controls.  They argued that in fact they were helping the internal security teams by simply identifying where weak controls exist, before 'real' damage could occur.  Who and what caused the 'real' damage still seemed unquantified by the hacker community interviewed by the program maker.

Are You The Next Hacker Hero?

In defense of that argument, the term 'ethical hacker' has become popular in recent terms to define individuals and consultancy practices that do perform penetration and vunerability testing.  Their aim is help organizations find weaknesses in the security defense layers either from a network, protocol, application or process level.  Certifications such as the CEH or CHFI testify to this as being a sustainable niche industry and in-demand part of information security.  The 'official' hacker on the one hand often derides the term 'ethical', arguing that although the courses and certifications give the individual a technical back ground in the skills needed to overcome protective security controls, the 'ethical hacker' often doesn't have the drive, motive or natural ambition to overcome and beat the underlying mentality of protectionism.

But does the hacker or even the ethical version, actually provide a worthwhile service in the asset protection arena?  Many security related projects, either from a provisioning, firewall or application development stand point are often viewed as costly, non-profit impacting and more as a luxury rather than an essential.

As with most things, the more people are involved in developing a following or a practice, it will start to become mainstream and become professionalized and controlled.  Many would probably disagree, but the underlying reason for this is to make money.  As more and more people become skilled in the tool box of the hacker, we will probably become better equipped are preventing lower level attacks that several years ago would have been difficult to counteract.

But with most things, they evolve and the tools and skills or the hacker will evolve too, which in a perverse way keeps information security professionals in work, and certifications in high demand.