IT Employment

Hiring hackers: The good, the bad and the ugly

Deb Shinder looks at the practice of hiring former hackers to work as security professionals. When is it a good idea? Is it ever? Here are the risks.

Hack into the Department of Defense, go to prison, come out and get a highly paid job as a security analyst. For a while there, it seemed this was a hot career path for geeky, rebellious teenagers who might have viewed spending four years sitting in college classrooms as not that different from being behind bars, anyway. From the point of view of the ex-con kids, it was a dream come true: they got paid - often very well - to do what they were doing anyway, for free, and didn't have to worry that the FBI would come knocking at the door (or bust it down) late some night.

From the point of view of the companies doing the hiring, who better to do penetration testing than people whose skill levels have been proven in a court of law? It seems to make sense, but the trend appears to have leveled off as many organizations have tightened their general hiring criteria in a less robust economy. However, even if your HR department isn't bringing them on staff, a close look at the employees (and owners/founders!) of that security consulting firm you're contracting with might reveal a few folks whose backgrounds include more than a few illegal activities. What are the arguments for and against allowing such people access to your network, and what are the ramifications if it goes wrong?

The good

The obvious argument for hiring reformed black hat hackers to provide advice on network security is that, when it comes to the network intrusion game, they have real world experience in playing offense. The typical IT pro only knows about playing defense. There is a very big difference in mindset between being someone whose primary training is in protecting the network and someone who has learned, usually mostly through trial and error, all the little "tricks of the trade" for breaking into networks. A good hacker really loves the challenge and spends many, many hours perfecting his craft.

There's also the possibility that you can get the hacker to work cheap - or at least, at a lower salary than the computer science Ph.D. who's paying off $100K in student loans - and who doesn't have a felony conviction on his/her record. It's not just the lack of conventional credentials that can lower the ex-hacker's compensation expectations, though. Finding vulnerabilities in networks and systems is something that those with hacking in the blood would happily do for no compensation at all.

The bad

Even if the hacker you're considering hiring as an employee or contractor is completely reformed, having a criminal onboard may not sit well with your clients. If your company has or hopes to bid on government contracts that require a security clearance, having a known hacker associated with the company could count against you.

Then there's the question of whether the hacker really is completely reformed. Maybe he's sworn off cracking DoD passwords and writing viruses, but will he be tempted to dip into your company's confidential files and take a look around, just because he can? Can you trust him not to illegally download copy protected music and movies or install warez on computers on your network in his spare time? If he gets bored, might he decide to peruse the personnel files just for fun, or whip up a "harmless" little practical joke script to turn everyone's desktop wallpaper into a graphic of the blue screen of death?

It all comes down to a question of trust. Giving a person access to your network - especially the kind of access that's required to analyze your security - is akin to giving someone access to your bank accounts. It's a position that carries a great deal of responsibility. Would you hire a former embezzler to oversee your money? Probably not, because that person has been shown to misuse that type of access in the past.

Those in favor of hiring hackers (and the hackers hoping to be hired) will argue that "it takes one to catch one." However, you don't see law enforcement agencies hiring former murderers to help them catch violent criminals or former burglars to help thwart other breakers-and-enterers. Oh, they might make use of those people as confidential informants but they would never put them into positions of trust where they would have the opportunity to commit the same crimes again.

The ugly

What if your hacker hasn't reformed at all, but has merely learned to play the game in a more sophisticated way? Social engineering is the art of manipulating people, rather than or in addition to code, to gain entry into a network or system. I've always found it interesting when supposedly reformed hackers, who themselves go around preaching the dangers of social engineering, are then hired by companies in spite of the fact that they're basically telling you that what they're doing now could easily be another big social engineering ploy. Posing as a reformed hacker/consultant is a great way to gain access to networks - much better than pretending to be a phone company employee or someone from "headquarters" that you're not. Not only do you get a legitimate pass to get into the network, you also get a paycheck from your target for doing it.

The possible ramifications of having a covert hacker on the "inside" of your network range from serious to devastating. He could use your network to launch a botnet attack. He could send out malware from your location. He could even access files with your company's confidential financial data or trade secrets and sell the information to one of your competitors.

If you're in a regulated industry such as healthcare or financial services, such an insider security breach could put you in a precarious position. It would be difficult to argue that you practiced due diligence to protect your data if you knowingly and voluntarily put it in the hands of a known hacker.

You also need to consider whether the self-proclaimed hacker really has the level of skill he claims to have. After all, if he's been convicted, that means he got caught - and if he were really good, wouldn't he have been able to cover his tracks? Perhaps he's just a "script kiddie" who ripped off hacks constructed by others and used them clumsily. On the other hand, if he hasn't ever been arrested or convicted, what proof do you have that he's really a hacker at all? Maybe he's only a wannabe who talks the talk but doesn't have the programming chops to walk the walk.

The bottom line is that someone who would illegally access someone else's network may not have a strong sense of right and wrong and/or might have a problem with authority. If he had no compunction about breaking the law, why would you think he would be willing to abide by your company's policies and the rules and boundaries that you lay down for him as an employee or consultant?

It's also important to remember that "birds of a feather flock together." Hackers tend to be friends with other hackers. They learn from each other, and it's also a culture in which members get a lot of gratification out of impressing each other. Even if "your" hacker doesn't attempt to harm your network or its assets, can you be sure that he won't inadvertently let slip information about it when bragging to his hacker friends, that they might use to get in and wreak havoc?

Remember: All hackers are not created equal

In last month's Cybercrime column, Profiling and Categorizing Cybercriminals, I discussed how different cybercriminals have different motivations for committing criminal acts. If you're considering hiring a former hacker, it's a good idea to delve deeply into his background and record and try to discern exactly what category he fits into. That can give you a clue into how much of a risk you would be taking on by hiring him.

A former teenage hacker who stumbled into a federally protected network with no real intent to do harm might very well have been "scared straight" by getting caught. (On the other hand, he may also have been embittered by his experience behind bars, and he might have had his criminal tendencies reinforced in an environment where "being bad" is not looked down on but is rewarded with admiration.) A more mature white collar criminal who was deliberately moving money into his own account from another or committing corporate espionage as a "hacker for hire" is likely to have a more deeply ingrained criminal mindset and attitude that's not so easily changed.

There is always some element of risk in hiring a person to do a job you don't know how to do yourself, because it makes it easy for that person to put one over on you. There is a greater risk in hiring someone who has committed illegal acts in the past - but some hackers are more of a risk than others.

Protecting your company from your own "hired gun"

If you do make the decision to hire a former hacker, take steps to protect your company from the possible consequences:

  • Do a thorough background check. Don't assume that what the hacker tells you is true. Believe it or not, some people will claim to be criminals when they really aren't, if they think it will get them a high paying job that makes them look "cool" to their friends.
  • Have the hacker sign an employment contract (or independent contractor agreement) that very explicitly sets boundaries and prohibits any access not specifically authorized, prohibits any use or sharing with others of information gathered in penetration testing or other parts of the job, and specifies the penalties for violation.
  • Consider having the hacker covered by an employee dishonesty/fidelity bond, or if the hacker is a contractor, require that he provide proof of insurance that will reimburse you if he steals from you, defrauds you or otherwise deliberately causes a loss to your business.
  • Don't give the hacker access to any more than he needs to do the job for which you've hired him. Never give him administrative passwords. If he can obtain those credentials on his own, you know you have a security problem, but you should not provide him with them.
  • If the hacker leaves or when his contract work is over, change passwords (even if you think he didn't have them) and make sure strong intrusion detection/prevention controls are in place.
  • Monitor network access while and after the hacker works for you and be on the lookout for any suspicious activity. Remember that the hacker may use some other user's account, not necessarily one that you've given him for his own use.
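The last three points (least privilege, credential rotation when the engagement ends, and watching for the contractor using some other user's account) can be partly automated from authentication logs. The script below is an added example, not part of the column: it runs over a few constructed log lines in an assumed, simplified format and flags any account other than the contractor's own used from the contractor's workstation, plus any activity by that account or from that workstation after the contract end date. The usernames, addresses and dates are constructed for illustration.

```python
"""Audit authentication logs around a contractor engagement.

Added example (not from the column). Assumed, simplified log format:
    <ISO-8601 timestamp> <ACCEPT|REJECT> user=<name> src=<ip>
Usernames, addresses and dates below are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>ACCEPT|REJECT)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Rule names reported in findings.
OTHER_ACCOUNT = "other_account_from_contractor_host"
ACCOUNT_AFTER_END = "contractor_account_after_end"
HOST_AFTER_END = "contractor_host_after_end"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def audit_contractor_access(lines, contractor_user, contractor_hosts, contract_end):
    """Return a list of findings, one dict per (rule, event) pair.

    Rules:
      OTHER_ACCOUNT      any account other than the contractor's own is used
                         (successfully or not) from a contractor host
      ACCOUNT_AFTER_END  the contractor's account is used after contract_end
      HOST_AFTER_END     a contractor host is still active after contract_end
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line; a real deployment would count these too
        from_contractor_host = ev["src"] in contractor_hosts
        if from_contractor_host and ev["user"] != contractor_user:
            findings.append({"rule": OTHER_ACCOUNT, **ev})
        if ev["ts"] > contract_end:
            if ev["user"] == contractor_user:
                findings.append({"rule": ACCOUNT_AFTER_END, **ev})
            elif from_contractor_host:
                findings.append({"rule": HOST_AFTER_END, **ev})
    return findings


def summarize(findings):
    """Count findings per rule, for a quick report or an alert threshold."""
    return Counter(f["rule"] for f in findings)


# Constructed sample log: contractor account "pentest.contractor" works from
# host 10.0.5.17; the engagement ends on 2015-03-15.
SAMPLE_LOG = [
    "2015-03-02T09:00:00 ACCEPT user=pentest.contractor src=10.0.5.17",
    "2015-03-02T11:41:55 REJECT user=administrator src=10.0.5.17",
    "2015-03-02T11:42:10 ACCEPT user=jsmith src=10.0.5.17",
    "2015-03-03T08:15:00 ACCEPT user=jsmith src=10.0.8.21",
    "2015-03-18T03:00:00 ACCEPT user=svc_backup src=10.0.5.17",
    "2015-03-20T22:05:30 ACCEPT user=pentest.contractor src=203.0.113.9",
    "this line is not in the expected format",
]
CONTRACTOR_USER = "pentest.contractor"
CONTRACTOR_HOSTS = {"10.0.5.17"}
CONTRACT_END = datetime(2015, 3, 15)

if __name__ == "__main__":
    results = audit_contractor_access(SAMPLE_LOG, CONTRACTOR_USER, CONTRACTOR_HOSTS, CONTRACT_END)
    for f in results:
        print(f"{f['rule']:35} {f['ts'].isoformat()} {f['result']} user={f['user']} src={f['src']}")
    print(dict(summarize(results)))
```

On the sample log this reports five findings: three accounts other than the contractor's used from the contractor host (including the rejected administrator attempt), one contractor login after the end date, and one post-engagement login from the contractor host.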

Summary

The practical reasons aside, those who set the tone for a company must examine whether hiring a hacker fits in with their own codes of ethics. Do you want to encourage the practice of profiting from one's criminal background?

On a final note, I've used the masculine pronoun throughout this column, not only because I hate the grammatically incorrect use of "they" and "them" as a singular, but also because the vast majority of black hat hackers - and especially convicted ones - are male.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

71 comments

Pinewood2013

Hiring a hacker is scary and often they are not regulated. There are sites like http://hackerforhirereview.com/ that try to shed some light on scammers and malicious people while highlighting genuine skill. But the risk to an organization by hiring an ex-con is far too great, no matter the screening process. Giving access to someone who may be tempted to hack you will keep your system admins awake at night.

peterrogers

If you can't beat them, hire them! Just like Catch Me If You Can, as if someone who could hack past FBI security wouldn't then be hired by the FBI. Come on, they want the best of the best, criminal record or no criminal record.

insuranceman1

This is such a gray area. Innocent applicants claiming they're criminals, criminals being too inept to avoid prosecution, trustworthy employees maybe being too crafty to get caught and bringing down your company. Thanks for breaking down the pros and cons of this dicey business.


nonstp

A hacker has been and will always be a person that makes something better, adds to a process, or a technology. If a hacker breaks the law then they are a criminal. I really wish people would use the right terms, not just what the news media uses. Please do the research on the origin, terminology and so on. Thanks for the article.


ksandro.papa

I did enjoy most parts of your article and I thought it was on target for most of the parts (apart from the word hacker being misplaced a little, as some of the comments pointed out). On the other hand, if we consider the original meaning of the word, and if we are all on the same page here by the word "hacker", male or female (I've had the pleasure to know some fantastic female ones), as seen in the article the bad and the ugly are not really concerning hackers per se. A real hacker, especially "one that never got caught" as mentioned, would never NEVER mention it to you or any employer for that matter. Being able to recognise a hacker would be a stupid skill to have since most security consultants, or those old enough to be in the game, would either not write their whole experience in their CV (as it would take 25 pages) or they would write only the ones the employer is interested in. On the other hand, crackers/cybercriminals etc. would love to advertise anything, even script kiddies... but then again, the minute that happens you know what you've got in your hands. ;) A real hacker would not mess with the files of the company he works for. Where is the fun/challenge in that? Also, if someone gave you the password, most likely you would tell him to change it since that is a bad password (advise him on something better, and a known password = no password). I would suggest being a little more knowledgeable on the person would be better than labeling him and being more concerned/afraid because he has more skills or anything than the actual employer (95% of the hackers do). People are always afraid of the unknown (hackers get excited by it). Do not be afraid, share their excitement and you will be in the winning army ;) if you want to call it that way. (I have to excuse myself for any bad English, I am only Greek.) The-Croupier

aharper

First of all, people hack more than computer networks. Just because you hire a hacker does not mean you hired a reformed network intrusion expert. What kind of hacker are they? One of my favorite hacker friends is what we call a "foodie". She makes ridiculously delicious desserts by employing a hacker mindset and method to cooking. Oddly enough, this closely resembles the scientific method.

Second, many have the hacker mindset without wearing the badge. Want to find a good one? Go to a 2600 meeting and listen. You will see the range, including who the responsible adults of the group are. Just don't go there with attitude, fear, or a closed mind. These people are smarter than you, but will not take advantage of you unless you "put it right out there..." Hint: Turn off your cell and don't bring a laptop.

Third, if your "pet hacker" doesn't feel utilized, valued, and respected, he will own your network and everything attached to it. A contract will not even slow him down, but mutual respect will stop it cold. You don't have to be his superior in skill to have this respect. All you have to do is be willing to listen and learn. If you pen him in with a bunch of rules, even posting them around the office to make sure he "gets it", you need to get rid of him now. Treating a hacker like a child will piss him off with predictable results. Practical jokes? Put some limits on them with discussions, but if he changes the wallpaper to a BSOD, laugh, and use this opportunity to catalog who the technical haves and have-nots are. The folks who see right through it and fix it themselves may be good people to groom for IT even though they are CSRs.

Fourth and finally, yes, hackers have friends. These friends are likely also hackers. He may talk to them, but he also knows these people. He probably doesn't trust them any more than you do. If he values his relationship with his employer at least as much as his friendship, you are well and thoroughly protected, and the shared expertise of his friends will be at your disposal. What good is that? Okay, you have hired "Bob" who is God's gift when it comes to network intrusions. How are you on the desktop or in physical security? These areas may not be Bob's areas of expertise, but he might know "Johnny" and "Mike" who are quite good in these areas. Be ready to throw contracts at these friends of his if you want to be truly secure, but above all listen and act on as many recommendations as you can. By doing so, and letting them see the fruits of their labor, you will earn their respect and the respect of the community. This is a powerful and valuable asset.

Hopefully you caught the tone of this missive. If it seems that hackers value relationships more than enforced duty or money, you got the right idea. They have a completely different ethical system than the average cog, and this is something that cannot be changed. Read and comprehend "The Hacker Ethic" by Pekka Himanen, and you will know how to deal with folks who probably don't think like you, but would be a valuable addition to a progressive 21st century organization.

bboyd

My boss quips "why don't they just arrest all those people." Ugly world of semantics. Never mind that now Apple and Microsoft are forced to fix longstanding security flaws that hackers brought to light. Responsible disclosure my buttocks. After a good game of "spot the FED" many hackers get hired into NSA, FBI and other alphabet soup jobs after being screened and vetted at these "Hacker" conventions. You deserve what you get if you hire a criminal. If that criminal is a hacker, his area of expertise may burn you too.

aandruli

HR departments and hiring departments just aren't capable of hiring good security people. They don't even know where to begin. Out of desperation they hire "hacker criminals" because they don't know where else to look. They may have superior security people already on their staff in a different role, but it doesn't show up on their resume. It's not really about cyber-crooks, it's about the ineffectuality and incompetence inherent in the standard HR department.

chiransj

I think there may be some problems regarding hiring a hacker, because the ex-hacker will try to hack another system under the veil of the employed organization.

Gabby22

Without getting into name-calling, it becomes a matter of selective morality and where we draw the line. Most of us are 'selective' defining right and wrong. A quick browse of the responses above shows this very clearly. Usually as we get older the line raises slightly (and amazing how quickly it can lower when we're put under pressure!). Would I hire a hacker? Yes, to learn what he knows, how he works and what he thinks. Would I trust him to become a full employee? Probably not. Possibly wrongly, but I'd always be concerned about where *he* draws the line.

ltreff

Hackers and email spammers +++ Do as the Arabs do for stealing, cut their fingers off. If they continue the practice with voice recognition, cut their tongues out. No tolerance, I'm sick of the crap.

fr33think3r

This will encourage people to start hacking to get into the pool of "Hackers for Hiring"...

seanferd

But they certainly would apply to any hire, especially those with more power - be it in the form of technical knowledge (e.g., hackers), or other forms of corporate/financial knowledge as well as managerial authority. Past behavior (good or bad) is no guarantee of future behavior. If only C-level and upper management positions were so well vetted and used as strict guidelines as proposed or used when hiring former hackers. They can and have done far more damage many more times than all the evil-type hackers in the world.

Joe_Wulf

Your language is skewed in the wrong direction. Hackers develop skill and competency through experience and persistence---with a predominantly good bent to their efforts. Miscreants also develop skill and experience with ill intent. Please rewrite your article with more accurate terminology.

santeewelding

As I saw with your previous, Deb, deep and serious structural problems with your underlying perception. Getting into that in a wholesale way would take as much or more work than you put into the piece -- which I regard as substantial. Only, I don't get paid for it. You move freely, with written skill, within your set of perceptions. That set obviously comes of long experience in law enforcement, along with its articulation. I was looking for, but did not find, an articulation of hard facts about the "hacker". Instead, I saw a whole bunch of probablys, mights, likelys, maybes, ifs, and coulds, supplied by -- guess -- your perception.

Neon Samurai

Having read the article through fully, you meant "criminal" or, if you really must have some hip sounding "look at me, I'm cool too 'cause I use computer terms", then you could have used "Cracker".. you've done a huge disservice to the Hacker community of primarily ethical and law abiding enthusiasts and demonstrated a complete lack of understanding and credibility on the subject.. well done.. what mass media tripe.

frankietomato

Can he block stories from indexing on Google or delete stories? I have contacted the webmaster of the site but he refuses to do it.

Neon Samurai

Since you specify "Hacker" and assuming "Computer Hacker".. was the job pentesting your network with prior approval? Improving your IT setup in some way? Writing custom code to solve one of your outstanding problems? What legal activity did you hire a hacker for?

Neon Samurai

bah.. I'd specifically bring my gear.. but then.. that is my area of hackerdom and a wipe and restore when I get home is no biggie. :D

"Third, if your "pet hacker" doesn't feel utilized, valued, and respected, he will own your network and everything attached to it. A contract will not even slow him down, but mutual respect will stop it cold."

I wouldn't pwn a network over revenge. Myself and the folks I know would be more likely to ignore the network. If it's my job to keep it running, it'll run but you won't get my tinkering and ongoing improvement recommendations. If it's not my job to keep it running and the owner is a git, let the network rot; my impulse would be to try and help improve it or harden discovered vulnerabilities but you can't help someone who's already made up their mind. Pen me in with a bunch of rules and it's more likely I'll polish my resume and bide my time. Someone who would consider these justifications for mischief is crossing a line.

Practical jokes; absolutely, depending on the audience. I really wanted to install the utility that connects the speakers on different computers to start playing tunes through the whole office but enough of my users would not see the humour. (The program is meant to give you music throughout your house or similar type situations.) Humour is generally a highly valued attribute within hackerdom though, so if you give your "pet hacker" reasonable room to play, you may see some seriously funny stuff and improve workplace morale in the process.

I'd have to go the other way with trusting friends also. Among my friends, I am in the minority but even those who are of the community are highly trustworthy. Some friends I have open invitation to mess about with. We may knock over a router or add an extra root account in an evening's fun but we're not going to do anything malicious or damaging. Other friends wouldn't appreciate having their gear mucked about with so hands off. I see it like martial arts: you may have friends who train and you can spar with them but you're not going to take a swing at a friend who doesn't train or an employer/friend/person that pissed you off. The skills come with some responsibility; just like Spidey.

Second last paragraph; fantastically accurate. Ignoring them shouldn't lead to malicious actions but recognizing them and hearing what they have to say stands a very good chance to benefit you. It's really not hard to ask questions of friends with other skill sets without exposing sensitive details about one's employer, and that goes the other way: I've had questions I could only guess at answers for since the friend on the inside and myself on the outside were not going to expose that company's information. Most importantly, hackers play in their areas of interest and know people who play in other areas of interest along with how to combine their efforts to collaborate on questions and projects. Not all information is mine to make free but that which is within my authority to do so and is relevant to others is free.

santeewelding

Hallmarks the tone of your missive, and destroys your credibility. Thank you.

Neon Samurai

Without meaning any offence, if English is not your first language, you may not be understanding the proper definition of "hacker". You clearly mean "criminal" or "ex-criminal". I won't lay on a rant to clarify the differences though as I have more than enough comments doing so already. You should give the full discussion a read without the presumption of guilt attached to the word discussed.

Neon Samurai

What if the Hacker you hired was an honorable and ethical citizen with no criminal record or history or criminal intent?

I'd hire a hacker:
- They are applying for the job because it is in their area of interest, and a hacker will learn a subject far deeper than a civilian looking to pass a certification test
- If they discover an issue at work and can't solve it during the day, they are going to be nagged by curiosity until they do solve it - which may be before they return to work the next day
- They naturally think "outside the box" and include creative and unorthodox solutions in addition to expected solutions
- After a day in front of a computer, they'll likely go home and sit in front of a computer pursuing their own hobbies and projects (I do, drives the significant other nuts).

I'd be selective if hiring someone with a criminal history:
- the crime may have been stupid kid stuff they've grown out of
- the crime may not be related or relevant to the job I'm hiring for
- the crime may have been significantly overblown to make an example of an otherwise fine individual who made a stupid mistake (ex. Mr Mitnick)

but

- nothing creates criminals like time in prison; they may be not-quite-reformed or now hardened and confirmed, in contrast to having entered the system as a simple person that made bad choices
- who did they meet inside and is there a potential for pressure to be applied to them even though they do make the best efforts to be reformed
- why did they commit the original crime and are similar circumstances to come back into play

Hire a bank robber as my vault security guard; heck no. Hire a bank robber for consulting and penetration testing; yes, with supervision. Hire a bank robber for a job as an expediting courier between banks; snowball's chance on a beach in Florida (you gotta pass a background check and be bonded for that work).

Hiring a Hacker is pretty black and white having a real understanding of the community; do they have the skills to do the job better than the other applicants - done. Hiring someone with a criminal history takes much more consideration, if it's an option at all.

Neon Samurai

Hackers would be the people discovering things like spamming and inventing ways to stop it (Security Hackers specifically in this case). Spammers would be the criminals exploiting previously discovered technological and psychological methods for getting those grifting email blasts out to civilian targets (fraudsters, grifters... nothing new just because they use a modern medium). Please don't perpetuate the core mistake demonstrated in this article.

fatman65535

Joe, you are right. She threw tons of ---- in the faces of hackers; when her target should have been MISCREANTS or CRIMINALS. Those who do pen testing are not criminals; but I don't think she or so many others in MEDIA get it. To them, we all are hackers, and hackers ARE ALWAYS BAD. That is just the way MEDIA likes to play it, AND IT IS WRONG! That plus her excessive identification of the male gender really put me off. Too many stereotypes.

aharper

You can meet the real thing, without the "probablys, mights, likelys, maybes, ifs, and coulds". There is a hacker's meeting on the first Friday of every month at Regents Pizza, 4150 Regents Park Row #170 in San Diego. I believe that's reasonably close to you right?

Jellimonsta

I found the use of 'hacker' in her first piece distasteful also.

aharper

You and I would never pwn a network out of revenge, but we all know people that would. These are usually the types to get hired by a company by showing off their "leet skillz", and promptly become a poor fit for the organization, in spite of the fact that this is likely the reason they were tapped in the first place.

The big thing is to never let a hacker feel like they are just another cog. A member of the team, fine. But a cog? The worst thing to do to a hacker is stick them in a cubicle and micromanage them. Even the most patient will lash out. While that may be limited to quitting, they will probably do it in an artistic and well timed way. Keep them engaged and busy. I even need to keep myself engaged for that reason.

Probably the most powerful force on the planet is a group of motivated hackers within a company with a common target. I was a sysadmin of a Fortune 500, and I had compatriots in ops, programming, support, and 6 other departments who formed a subculture / unofficial task force. We were acknowledged by the leadership and had fairly broad latitude to fix things within certain parameters. We communicated directly and solved company wide issues often before management read their emails. It just worked.

I too have a standing invite to knock off non crit routers at friends' houses and work, as they have from me. We become better at what we do, making our worlds safer. You are spot on about it being a martial art. What good is a martial art without the practice to put it in muscle memory or bring the person into shape? At the same time, there is a mental discipline as well. Just because you can, you have an inherent responsibility to use this power for good.

When I attend meetings, all too rarely due to my location and insane schedule, I bring my kit too. I participate in root wars and other events at the cons, but noobs need to be a little more cautious, especially when they show up at a meeting and start to spout off. Limit the way people can put them in their place when they get sick of the "I changed my cursor" hacker brags. Before you ask, I missed Defcon... again.

Practical jokes... speaker crosslinking? heheheh. I think my office will learn something new soon. We do ours on Friday after lunch. Probably my all time favorite is to write a script (we're a Linux shop) that intermittently crosslinks the keyboard and mouse. Kinda the 21st century version of swapping keyboards on the old Wyse terminals (yes, I'm that old). Another is remapping their keyboard to Dvorak with a script that kills itself on reboot.

Nice to see another who talks the talk and walks the walk. I'll be looking for more posts from you.

aharper

If you are smarter than they are, worry not, you are secure. If you are not, you may wish to yield to the experts. Experts come in two categories: school taught and practical. You can see this in any field. There are those with a degree, and those with oodles of experience. Obviously you want the guy with the most of both, but what if you could only have one or the other? Hacking is like that. Most with a security certification can simply do the equivalent of coloring between the lines. They know what they have been taught. This helps them defend against all recognized attacks up to the point when the curriculum was written. If he manages to keep current, he will still be months out of date compared to what's out there. A hacker used for network security and pen testing will make it his mission in life to be current. This is not because he writes the stuff, but rather because he can see how it works. Sort of a causal understanding as opposed to a Monte Carlo approach to adjusting effect. The bottom line is this: Hire the best, and they will be smarter than you in their field. Hire those who do not threaten you with more knowledge than you have, and you will lose in this game, which is high stakes and in which knowledge is currency.

saghaulor

who has a change of heart later on, after being hired. Humans are multidimensional. While I agree that you must be careful hiring a known criminal, you can't trust someone just because they're not known to be a criminal. Your honest Abe might be a cracker so good that s/he hasn't been caught yet, or more importantly s/he may be someone who has a change of heart. Life has a funny way of making crooks out of honest people. Say a tragedy happens and honest Abe needs a lot of money fast; are you sure he won't crack your system and funnel money into an account he controls? You can never really know what a person is like until you've been through hell and high water with them. Even then, people change. The best thing is to protect yourself in every legal way, and make sure that you have sufficient mechanisms in place that will dissuade a potential crook, and more importantly, that can provide sufficient evidence to lead to a conviction if necessary. The idea is, shit happens. You gotta try to mitigate damage before it occurs. We never know what Murphy's Law has in store for us.

Gabby22

Whether he had a criminal record or not is only an indicator. The issue is whether you feel you can trust him to be loyal and respect the values of coworkers and clients. Would you trust someone who was a known liar, or who you knew went round peeking into windows late at night? I'd be more likely to hire someone with a criminal record; it would strongly depend on the crime and when it happened, of course.

Neon Samurai

Media sells advertising. We readers are the product they retail, not the client they serve. We, as consumers, are motivated by two things: fear and greed. It's either a greed sell or a fear sell. We want the thing because it will bring us something, or we want the thing to avoid what happens if we don't have it. To target the fear sell, the media puffs up scare words. "Eveeil hax0rs are coming for you - read our article so we can sell your visits to our real customers (the advertisers)." This is why the Media continues to not "get it"... they've invested too much in fear and misdirection of the true definition. It's all about the current 'bogeyman' unknown they can scare us with. It used to be the claim of a "Red" under every bed coming to steal our children and turn us all commie. The modern day unknown that civilians don't understand well is the computer enthusiasts and the rest of the oddballs that spend their time learning and exploring rather than watching I Love Raymond reruns. The media has invested their time in turning Hackers into the new bogeyman since Commies don't sell news articles anymore. I personally have no problem with advertising sponsored media. 90% of the content I see on TR is good stuff and I'm willing to put up with the ad banner down the side in exchange. It's the patently misrepresenting gross bogeyman generalizations and blatant fear sell I take issue with.

Neon Samurai

I stand by the points but I may have hit on them a little harder than needed. On the other hand, this was posted under Chad's IT Security area. Good to know I'm not completely off base though. Mr Schneier recently had a very nice entry about hiring reformed criminals on his blog which fits in with the sentiments of the article. It basically boiled down to the fact that most people who are foolish enough to try the "break in to get hired" approach these days are just shooting themselves in the foot.
- There are more than enough Hackers available for hire that one does not need to interview criminals to get the applicable skill set.
- Those with criminal records who have managed to find security related work these days have done so by starting their own consulting companies.
- There is room for case specific consideration; maybe the criminal's past is behind them and maybe the past issue is not related to the current job role, but a company still has to consider why this person is trustworthy and more capable than someone who's just as skilled but without the criminal history.

For example, with that last point: I believe Mr Mitnick has long since put unethical activity behind him, but I wouldn't suggest that everyone who's been through a Club Fed vacation has come out of it reformed. (Granted, Mr Mitnick was also railroaded into an excessive punishment for what few crimes he actually committed. It's a very interesting bit of history.)

Neon Samurai

Hurray big business corporate structures; spent several years as a cog. I had the best running machine in the department and was firmly part of the "shadow IT" fixing any problem in the office that didn't require an administrator password. But, formally, I was an analyst and IT didn't have much interest. Still, being a hacker enabled me to bend the workstation to my will and turn out reports that couldn't be matched, or work with files that regularly choked other machines with non-tech savvy users. I hacked that job as much as I could within the ethical limits of the position.

May not have helped that one of the IT meetings my manager dragged me along to turned out to be with several heads of IT department branches. He organized the meeting at his political level, so when I walked in and stated that the IT systems were broken regarding our work needs, they took it personally. I said the IT systems, not the managers tasked with keeping those systems running. Good old self defeating politics, though the lack of diplomacy was related to a few years of being a cog not able to really address the problems we wrestled with constantly instead of providing accurate and comprehensive reporting.

I'd say one of the most brilliant hardware hackers I know has had some seriously bad luck with employers and even then, he's never caused revenge damage on his way out the door. Most realize there is just no point to it; like any person leaving a job, you only screw the co-workers you liked by doing so rather than fixing the company problem that caused the grief.

Engaged and busy... very much so, along with allowing leeway for personal projects. Seeing a hacker focused on a topic of interest to that near or outright obsessive level is a true thing of power though. If they don't solve the problem by end of day, there's a pretty big chance they'll return with the solution in the morning having spent all evening at home continuing to scratch that need to know.

This is definitely a culture that benefits from lurking until you're familiar. I remember popping into #hackers early in my larva days long ago (look at me... I'm all big time hacker cause I got Red Hat 3... mowahahah)... then my computer rebooted and I learned about firewalls :D ... ah, the old days of the IRC keyboard cowboys.

You're ahead of me for the cons... I seriously have to pop that cherry. Hopefully SecTor, since HOPE will be 2012 and Blackhat/Defcon would be a huge personal expense. A good European hacker camp would be an experience too, given availability of travel budget. For now, I'm limited to approaching it through my small town boy resources; whatever talks and video turn up online or can be ordered for a reasonable cost. (Is Dear Hacker on your wishlist yet?)

Offtopic: I always giggle a little when I see posts from the TR member Bernie S as my mind jumps to "the" Bernie S for a moment.

Check it out... I don't have the program name handy but it's a Windows utility that takes sound from one machine and forwards it to all the rest of the client machines on the network. I'd recommend Abba, Michael Boobley (spelling?) or maybe some nice heavy German industrial depending on your target audience. ;) I used to have a "Panic" button I'd replace the Esc with on keyboards. Turning screens upside down is fun if you have time to remount them on the base (more fun than the old "invert screen" utility even). The blood curdling scream from Phantom of the Opera is a good startup sound. The oldies: hiding all the desktop icons and replacing the background with a screenshot of all the icons. Stacking icons used to be fun too. I don't go as far back as terminals (was a boy at my dad's place of work so I saw them... didn't get to play though) but, BBS... hehe... such fun to be had with Renegade BBS if you knew all the raw command codes; //\\*so. All good harmless fun.

Neon Samurai

Given Mr Mitnick's history since serving time (excessive punishments at that), I would have little concern hiring him for a contract. Some folks that have had trouble with the law straighten out. Some folks who have had no trouble with the law may get bent still. Nothing is ever purely black or white.

Neon Samurai

Well, if it's an experience thing then I'll have to ask how much time you spend with current real hackers. If not able to attend conferences, do you read the resulting presentation content or listen to/watch what audio and video content is made freely available? Have you looked into Hackerspaces and what they are really all about? Have you looked at local professional groups primarily populated by Hackers (e.g. information security groups similar to TASK here in Toronto)? Or, do you simply justify your willful ignorance by mass media representation and reports of stupid highschool kid mischief with no factual basis from the real hacker community? You'll have to forgive me for understanding the word and related community through significant experience from within it.

Gabby22

... and it obviously does. You say "You're more likely to hire someone with a criminal record than someone who is a hacker. Wow.. this shows a complete lack of understanding what Hackers and hacking is." You seem to have no idea what you can get a criminal record for. I didn't say that I wouldn't hire some of the hackers in *your* list - they sound like a lovely bunch of folks - and dedicated, trustworthy, etc. It appears to me that you only know about 'good' hackers, or you choose your definition only to include them. Or maybe your definition is about 30 years out of date, e.g. Gates - fast coders were called hackers in those days. Fair enough. You choose your hackers and I'll choose mine. Or not.

Neon Samurai

My problem is that you're assuming distrust based on the person's problem solving method and recreation. You're seeing "Hacker" and blindly deciding "oh, they must be a criminal and if they don't have a record it's just a matter of time, those hackers are all immoral, unethical criminals". This is the exact same misrepresentation the article makes. Hackers are simply people who approach the world a little differently. They take an area of interest and study it through persistence and self directed learning. Hackers are not known liars who go around peeking in windows at night. People in the hacking community are not some modern bogeyman degenerates only interested in malicious and abusive behavior. I've laid down a couple of long posts above with links to audio and video of real hackers. Real people, not the Hollywood and mass media depiction you seem to be suggesting. Hollywood and the mass media take words, make them scary, then sell them regardless of whether that representation is remotely close to reality. You are the victim of media disinformation, not the beneficiary of their work.

Your last statement gives me the most concern. "I'd be more likely to hire someone with a criminal record - it would strongly depend on the crime and when it happened of course." You're more likely to hire someone with a criminal record than someone who is a hacker. Wow.. this shows a complete lack of understanding what Hackers and hacking is. Take all the negative perception you have attached to the word "hacker" and disregard it. Start from a clean slate and discover what the world of hacking is actually about. Come discover reality.

Security Hackers are people interested in security and who study it out of persistent curiosity and desire to improve it. When someone discovers and reports a vulnerability in software, they do so with the wish that the vulnerability be fixed for all users of that program. When someone discovers vulnerabilities in bank machines that make them spit out money into the street, they disclose how that's done so that the bank machine manufacturer can fix the problem and so you don't lose your money because of it.

Hardware Hackers - you like that nifty desktop? You can thank Steve Wozniak for that. Seriously, for all its faults, Apple was the first to make the personal computer. First by inventing the chip boards and selling them at hacking conferences and then by building a wooden box to house the boards and support a keyboard and monitor. Apollo 11, 12 and 13 would have all ended in tears if not for the hardware hackers on the ground giving the astronauts creative solutions to dire problems.

Computer Hackers focus more on software and may more accurately be thought of as Software Hackers. You like Windows? Mr Gates hacked the Dos boot loader the night before having to demonstrate that Dos booted up and worked. You like all this FOSS software including Linux, Firefox, Apache web server and such? All started by software hackers. All contributed to by software hackers alongside the minority of developers who didn't happen to be hackers.

Social Hackers (social engineers) explore the world of social interaction and what can be done with it. They are interested in how it can be exploited and how to avoid that exploitation. They don't continue to tell people how easy it is to phone a company and talk your way into passwords and other sensitive information so we can all go out and defraud companies. They continue to tell people about this because it continues to be the weakest link in any situation. You can have the world's best security mechanisms and business policies in place but people still blindly void all that by falling for social hacking. It's not "hahaha.. people are dumb" but "people, please recognize these tricks and stop falling for them".

Car Hackers (gearheads) do some truly amazing things with cars. Many may simply be the gifted mechanic that keeps your car running like new while tuning their own car as a hobby after hours. The Burning Man conference held in the Nevada desert has some truly amazing works of machinery from car and hardware hackers. Are we to assume that anyone who can drive better than the average person has been a criminal get-away driver or inevitably will be in the future?

Political Hackers include the US founding fathers, as demonstrated by questioning how people could be governed and laying out very hacker centric principles. Freedom to learn, live and worship provided it doesn't harm others; live how you like, study what you like, pray to who you like. Freedom to question authority and address concerns in legal ways.

Business Hackers (e.g. Mr Gates). I said earlier that he was a computer hacker, yes, but his real strength is as a business hacker. One may not like much of what he was able to do but he did hack the business world by understanding the rules as a hacker rather than a book read MBA.

The stereotype inventor alone in his workshop creating the next great advancement; that is hacking. "Think outside the box"; that is hacking.

Seriously, take the time to watch these.. I'll even go back and collect them all for you here in one place again.
Steven Levy: http://www.thelasthope.org/media/audio/64kbps/Keynote_Address_-_Steven_Levy.mp3
Dan Kaminsky: http://c2047862.cdn.cloudfiles.rackspacecloud.comFriday%20Keynote%20-%20Dan%20Kaminsky.mp3 (high quality) http://c2047852.cdn.cloudfiles.rackspacecloud.comFriday%20Keynote%20-%20Dan%20Kaminsky.mp3 (low quality)
Real hackers in New York: http://www.youtube.com/watch?v=_yU1Fi021mM

It's nothing to do with behaving unethically or breaking the law. It's not about defrauding and exploiting other people. For many, it's not even about computers or security. Click the "view all" link and give this full discussion a read without a preconceived definition of "hacker".

What is your personal area of enthusiasm? What is your topic of interest that you put personal time into learning and reading about? Imagine people blindly labeled you a criminal because you happen to be interested in that topic to a deeper level than they are. You like boats? Oh, you must be reading about boats only so you can one day steal one. You like gardening? Oh, you must be growing drugs or practicing so you can switch over to growing drugs in the future. You like painting? Oh, you must be working to get better so you can peer through windows at night and paint accurate images of unaware people; naturally, right? This is the leap of broken logic you're making when you say you'd potentially hire someone with a criminal record but wouldn't give anything but prejudiced consideration to a hacker.
