Security

Ask these questions before you hire a hacker or cracker

What's the difference between an ex-hacker and an ex-cracker, and should you hire one? Builder.com members sound off on a controversial issue.


Two recent articles on hiring ex-hackers generated a lot of discussion on the importance of knowing whom you’re dealing with when an ex-hacker is up for consideration at your company. I’ll review some of those comments and address the concerns they raise.

Thinking of hiring a hacker?
Did you miss the two articles from Builder.com contributor Bob Weinstein on how hackers can contribute to an enterprise environment? Click here to read “Should you hire an ex-hacker?” and “What enterprise developers can learn from hackers.”

Hackers vs. crackers: What’s in a name?
If you interview someone who claims to be a former hacker or cracker, don’t jump to conclusions. Many people who call themselves hackers have never committed an illegal act and possess qualities desirable in an employee. Likewise, some who claim to be crackers lack the technical skills to justify the term, however malicious or self-serving their intent.

Builder.com member bradmbrown, a hacker advocate, defines a hacker this way: “A hacker is nothing more than a computer techie without ‘professional’ schooling.” This definition stems from the early days of computing and denotesa hack as a good thing in which innovation, endurance, and resourcefulness provide solutions where none is apparent. The popular media has twisted the term hacker to mean an individual who acts maliciously; however, in many tech circles, this meaning is rejected.

Builder.com member kaji00 uses the term hacker to mean a malicious party in stating that, “for every 30 teens who call themselves hackers, there are maybe up to three out of those kids who can do so without the aid of aprewritten program.”

Builder.com member el Terrible quotes the techdictionary.com definition of a cracker as “a person who breaks into a computer system or network, using them without authorization, either maliciously or just to show off.” Most members seemed to agree with that definition.

The distinction between the terms hacker and cracker is worth making when you interview someone who claims to be either. If a candidate touts hacking abilities, ask the candidate for a definition of the term. If the answer suggests someone who has maliciously broken into systems in the past—in other words, a cracker—you should question that individual’s skill level.

Crackers and script kiddies
In recent years, the resources available to would-be crackers have proliferated on the Web. There are so many detailed descriptions of crackers’ exploits available online that it’s not necessary for a would-be cracker to be skilled—just able to follow directions.

This may be an overstatement, but it points out that truly skilled crackers are rare finds. Someone who downloads scripts for an exploit but doesn’t necessarily understand the technology is called a script kiddie, primarily due to the typically young age of these would-be crackers.

If you find yourself with a self-proclaimed cracker on your hands, ask about the person's methodologies. Find out what initiatives were taken to earn this title. Even better, grill the person with the same types of technical questions you’d ask any other candidate. Some individuals may claim to be hackers or crackers because these terms can be intimidating and because they imply technical savvy.

Benefits and risks
Finally, when considering a hacker or cracker, it’s important to evaluate character. Member a.tom, who has hired what he refers to as “reformed hackers,” offers an insightful variation on the “trust but verify” axiom: “Although you need to ‘trust,’ you also need to verify, even more so with an ex-hacker. A lotis at stake if you made a wrong decision on the personality of the individual.”

In another post, a.tom expresses many of the concerns managers face when considering whether to hire an ex-hacker: “A hacker typically needs inside information to save a huge amount of time in his/her hacking attempt. What better way than to bring that person in-house? What happens if the hackerbecomes a disgruntled employee? Who is the best to be able to hack and tear down your entire system? What if your hacker employee is building 'back doors' to your system, ‘just in case?’”

A common perception of ex-hackers and ex-crackers is that they’ll continue their rogue ways once they’re a part of your development team. Member gefrustreerd highlights some benefits, then offers a warning: “If you want a safe network, how better than to have it checked and altered by a hacker?” However,gefrustreerd goes on to say, “If an enterprise puts up a good contract, they won’t have anything to fear.” This statement typifies a notion of ex-crackers as employees: that they must be treated exceptionally well, lest they retaliate against the system.

The same type of sentiment comes from Builder.com member j.g.camp, who points out that crackers “offer higher-end work than the guy who has little motivation,” but cautions, “make sure they get paid for their excellence or they could turn on you.” In spite of this danger, j.g.camp concludes  that the benefits of hiring a cracker “far  outweigh any mistrust issues.”

Regardless of the dangers hackers or crackers seemingly pose an employer, Builder.com member mike_theriault brings up a good point about people who enjoyed the challenge of illegally accessing systems in their youth: “Now  most of us have high-paying jobs as programmers or engineers and families and lives that do not permit us to spend 18 hours a day coding.” This suggests that employers should look for more seasoned individuals when hiring.

So the most important question should be posed to yourself. In an interview, consciously give thought to the candidate’s character and motivations. Ask yourself whether:
  • There is someone on the team capable of learning from the hacker/cracker on a technical level.
  • There is a current risk of cracking or other illegal activity.
  • Your system’s vulnerability to attacks from a single insider is acceptable.
  • The candidate’s motivations are sincere.

Know what you’re getting into
When considering whether to bring an ex-hacker or ex-cracker on board, take extra precautions during the interview process to learn more about the candidate’s personality and motivations. Be wary of individuals who try to leverage their knowledge for anything other than proving they can offer you security. Finally, keep an eye out for hackers in the positive sense of the word, and latch on to these self-challenging, resourceful individuals.

Builder.com readers expressed concern over the terminology used to define hackers and crackers and what the roles associated with those terms meant. After reviewing members’ comments, my conclusion is that many of these individuals, once they have “gone legitimate,” can make great additions to your team.

Whom have you dealt with?
Have you employed former crackers? What were the pluses and minuses of that experience? Post your comment in the discussion below.

 

Editor's Picks