Slashdot Mirror
Convicted Hackers Snubbed by Security Firms?
Esqueleto sent us an interesting story from Security Focus on convincted hackers and employment in the security field. When you get past the zillions of obnoxious frames, you'll read an article about a wierd problem: the guys who have a criminal record are tougher to hire... in this case they're talking about Mark Abene (Phiber Optik) being snubbed by @Stake, the guys who merged with L0pht. Of course this makes total sense from a corporate perspective, but considering many of the folks in the industry will admit freely to doing the same things, the conviction on your record makes all the difference.
Yes, just as it is your right "to think that you really need to wake up and smell the coffee brewing."
So you are telling me that you would like to have most of the talented individuals in the industry out of work?
Hell, I don't care if convicted hackers are employed or not, I do not work at a security firm, I am not an HR person at such a place. Personally I could care less if they are hired or not. I was just arguing that it is the employer's choice. Would the person have a better chance to be employed had they not been convicted of committing a crime? Yes, I'd wager. That was also what I said, if employability is important to you, don't break the law. Doing so will not prevent you from getting a job but it will likely make it tougher.
And no, I am not telling you what to do; I'm simply requesting that you think about the situation a little more
Your earlier statements sure made it seem like you were telling me what to think. The beauty with the situation as is, is that I don't have to think about it extensively since it doesn't effect me. Should a security firm hire someone who's been convicted of a crime. I DON'T CARE. If they want to, sure, OK, cool; if not, fine, that's their call. What I am saying is that: first, just because someone serves their time, my view is a bit slanted on them still (past behavior is the strongest indicator of future behavior); and if you are concerned about your employability, try your best to refrain from committing crimes.
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
~ Signal 11
Take an hour or two to read the Communist Manifesto. It is interesting, Marx and Engels argue that the bourgeois are (or were) constantly trying to improve technology to increase the efficiency of their production and reduce the effort and input needed by man in the production queue. Such a movement, the Manifesto argues, pushes those lower middle class individuals into the proletariat. In any case, it's interesting, because it seems the opposite of what the big corporations are doing today. Rather than embracing the new technologies like the bourgeois described by Marx and Engels, the bourgeois of today are trying to keep the status quo. Interesting....
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
Hopefully you also have spent some time writing your Senators and Representatives. Hopefully you have taken the time to register to vote. Hopefully you have taken the time to discuss this with other voters, be it in person or on the Net.
Unless the unjust law affects powerful people such an approach is unlikely to work. Behind such laws is likely to be a politically powerful lobbying group. Who have the ear of politicans 24x7...
The people who need convincing are judges and police.
An embezzeler who has stolen cash (presumably at least with some success, otherwise he'd be "petty thief," and not "embezzeler,") knows how other embezzelers work, and can help guard against them. I'm also willing to bet that a pedophile is far better at picking out other possible pedophiles by just looking, etc. etc.
Possibly true, but especially with the second example highly politically incorrect...
Hiring someone convicted of a computer crime has some pretty obvious benefits: yes, the person got caught, so they're probably not The Best. But they're probably also fairly good, and probably knows a bit more about the trade than your average Minesweeper Consultant.
Remember also that the better crook probably dosn't have a conviction...
This is the same country that won't give financial aid to anyone convicted of possesing or selling drugs. The debt is forever, its simply all about making an example out of one person to keep the rest of the herd in line.
My conviction is for three state felonies. One felony can get expunged. Two possibly. But three, never. (Or at least that's my understanding.)
Even if I win my appeal, and the law is made useless to prosecutors and harmless to the general populus (who seem to be breaking this law at least a half dozen times a day for each person who uses a computer), there will be some who claim "Well, he just got off on a technicality, or because he had enough money to throw at the problem."
And then there's the small matter of the quarter million dollars I've had to spend (subsidized in a small part by my legal defense fund, thank you!) which doesn't automatically come back if I win the appeal. Nor does the community service time, or the time I spent in courts. Or the missed opportunity because of bad timing.
I do not wish what I've been through for anyone else. Even my worst enemies. And that's why I talk about my personal mistakes in public as often as I can (including having given my 90 minute Just another Convicted Perl Hacker talk for user groups, universities, and conferences dozens of times all across the country). The saddest day in my life would be to hear that someone else was taken down for doing their job because they hadn't heard about my case. So please, spread the word!
On the other hand, there is a lot of research showing that general attributes of the society as applied to a person (age, racial/ethnic/religious group, level of education, level of income) can be clearly correlated to someone's likelihood to both commit a crime and be convicted of it.
It's also a mistake to assume that the convicted (and arrested) population mirrors the criminal population. Centain demographic groups are more likely to be arrested, more likely to be convicted (and to receive longer sentences.) (Added to this certain types of crime are specifically defined to only apply to certain catagories of people, e.g. rape.)
I really don't care whether crackers can pay their rent or not. The only people who are busted for cracking are the ones who are doing malicious things to other people's systems.
Were I to crack into some computer or another and leave it as I found it, nothing would happen to me, especially if I contacted the people in charge of that system's security and let them know they were vulnerable. Why? Because it simply doesn't pay to sue or prosecute someone when no harm has been done. It isn't worth the time and money. Even if I didn't contact the sysadmins to warn them the company would have very little incentive to go after me.
On the other hand, if I were going around breaking into people's systems (like Kevin Mitnick), erasing their data (like Kevin Mitnick), and posting their personal files online (like Kevin Mitnick), then I would of course be apprehended and rightfully prosecuted for my crimes.
I wouldn't want a cracker even in the building where I work, let alone working there too. Why? Because you can't trust them. I don't say that because of their criminal record. I say that because they have shown that they derive pleaure from harming others. Sociopaths don't make good employees, no matter what their technical skills.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
Of course, there's also the factor of having the sense to do little enough that you won't get busted.
Pros: Cons: Whether or not one should hire convicted criminals is completely up to the employer. It basically depends on whether or not you think you can trust them. It's obvious that they have the experience and knowledge, but whether or not you can trust them with your system is a whole other matter.
mmm...physics...
I'm sure the six year old in Chicago who murdered a child was on a "reckless streak" too. There are laws in this society, and you need to observe them. Minor infratcions can be forgiven easily, but most felonies will stick with you for the rest of your life- and they should.
-bugg
We don't hire serial killers to catch serial killers, do we? Nor need a psychiatrist BE bipolar to understand the condition...
And would you argue, say, that the folks auditing code for OpenBSD (and those in similar projects) do NOT know about computer security, simply because they don't break into other folks systems without their consent? That'd be one approach, but they use their judgement. One could train for a rifle competition by targetting pedestrians, but it's far more appropriate, if less challenging, to practice on a range with paper targets. That's discretion.
Getting convicted of a serious crime demonstrates a profound lack of judgement or discretion. I see no reason why a company should trust, let alone ever hire, somebody who utterly lacks such traits.
Only the dead have seen the end of war.
If you are a high profile company and allready have the moths doing circles around your flame it shouldn't matter that much. On the other hand many companies see themselves as low profile and do not wish to attract attention to themselves. What really irks me is that many criminals have had their records closed by the court, I have seen common embezzlers that have been convicted of stealing hundreds of thousands easily slide past employment screening. At the same time I have seen computer pranksters denied employment because they were spotlighted by the media. As long as inflated "Hacker stories" are in vogue and considered worthy of reporting innocent parties will be injured.
If a person is convicted and goes to jail while on the job, an employer might have to expend effort in replacing them w/o notice, even if the conviction is not related to the job.
This is different from time off for injury (say under the FMLA). Being ill/injured is not something that is a person's fault. Committing a crime is a person's fault.
Putting a person convicted of computer stealing computer data in conputer security is similar to putting an embezzler in a cash counting room or a child molester in a job at a day care provider or a convicted drunk driver as a school bus driver or a perjurer as an attorney.
Fight Spammers!
http://www.unm.edu/~finaid/eform01/drugconviction0 1.html
I did, and sorry, but it made a liar out of you. The debt is not "forever" as you claim unless you have been convicted of taking drugs three times, or selling them twice. And even then, even for selling, all you have to do is complete a drug treatment program. Basicly the prohibition looks to boil down to "we won't give you money if you have a drug problem, stay out of trouble for a few years or complete a program to demonstrate you don't have a problem anymore, and we're all set." Nothing like your orriginal claim.
-Kahuna Burger
...will work for Chick tracts...
I suppose it is sort a sort of filter by natural selection. An employer that would be bothered by the knowledge that they hired a person convicted of the kinds of things "Phiber Optic" was convicted of, would not be a good match for him or her anyways.
From reading the article it appears (and I only have this single media representation to judge by) that PO was a straight shooter who did not steal and was mostly interested in exploring and understanding.
Perhaps the biggest crime committed here was a failure to play the political games. During the 80's and early 90's as I remember the internet was more of a wild west where Academic turf was protected vigilante style. An unfortunate explorer might find themselves strung up for being on the wrong port at the wrong time.
Of course I wouldn't, but it all boils down to intent.
I completely understand why the guy who got caught as a young man breaking into computers (probably just for fun) did what he did. I know I did the same thing, and just never got caught. I don't see what he did as a 'sickness', and don't see it as any worse than a *lot* of technically illegal things younger people do.
A child molester, on the other hand, treads into animilastic behavior and the roots of civilised society; I belive that child molesters don't deserve prison, they deserve death.
Perhaps they believe that you have shown yourself unable to handle money responsibly. :)
More seriously, are you stating that this prohibition applies only to those convicted of drug crimes, or is it more broad based against covicted criminals? Also, are you talking about grants, loans, state aid, merit based, institutional, all of the above, what?
-Kahuna Burger
...will work for Chick tracts...
I mean, if a guy has a convition, how good can he be?
This makes me less up-to-date on the latest technologies, and cost me opportunities to do really cool things and be part of a team somewhere, a part of my "former" life that I sorely miss.
As the requirement for a formal disclosure and acknowledgement of my current legal status ends in just a few more days, I can once again look at being involved in direct consulting, rather than training. (Although being directly employed will almost certainly still not be possible, I can look for opportunities where a company contracts with my Stonehenge company once again.) But the six years in the middle have been very tiring.
For more information about my ongoing legal battles, please visit the Friends of Randal Schwartz website or send a blank mail message to my autoreply bot.
And would you argue, say, that the folks auditing code for OpenBSD (and those in similar projects) do NOT know about computer security, simply because they don't break into other folks systems without their consent?
/. put up a poll asking how many people would leave their current employer for a 20% raise and founders' shares, almost all would respond in the affirmative--employee loyalty is almost non-existant at this time.
Simply because a statement is true does not mean that its converse it true--you know that. The fact is that convicted computer criminals have (1) name recognition and (2) valuable knowledge about computer security. One of the other posts mentioned the lack of loyalty that computer criminals possess, but that is true of almost all employees in the computer industry. If
Computer criminals would be a valuable asset to any security consulting firm and can be had for a bargain price. Corporations would be irresponsible to not hire these people.
ByteMyCode.com: A Web 2.0 code sharing community.
I'm not so sure about "many of the folks in the industry will admit freely to doing the same things". We have a hard enough time getting IT manangers to admit to their bosses they're using Linux/FreeBSD on the mail server. What makes people think that saying "Gee boss, I'm a hacker" is any easier?
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Really? The FBI sure as hell interviews them, utilizes and implements what they have to say. They also interview, and occasionally hire people convicted of computer crime. Take the recent ex-disney exec for example. It often takes a crook to catch a crook. Knowing how a hacker /thinks/ is as important as modus operandi.
While I certainly agree with you that you that getting convicted of a serious crime demonstrates a profound lack of judgement, I think dismissing someone who was convicted of such out of hand also exhibits a profound lack of judgement. People complain that they don't want an ex-con working with them. So where do these people want ex-cons working? As Reagan put it, "trust, but verify". I'm not saying to go light on these people or the like, but take advantage of what they know. They'll be the first person to thank you for doing so.
I am curious as to how you are fighting these unjust laws? By breaking them? By buying t-shirts? Hopefully you also have spent some time writing your Senators and Representatives. Hopefully you have taken the time to register to vote. Hopefully you have taken the time to discuss this with other voters, be it in person or on the Net.
Of course I say this all out of hyprocicy. I'm not registered to vote, I've written a Congressman but once (a couple years ago), and I rarely, if ever, discuss politics with others. Of course I am not the one professing my distaste for such laws...
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
Click:
o n01.html
. html
http://www.unm.edu/~finaid/eform01/drugconvicti
Interesting editorial here:
http://wildcat.arizona.edu/papers/93/109/03_1_m
You're in the process of *appealing*.
You maintain that you're *innocent*. (And from what I know of what happened, my personal belief is that you are).
That's a world away from being convicted and not appealing, thereby implicitly putting your hands up and saying, "it's a fair cop, guv. You got me bang to rights".
--
Peter
The problem is that a felony conviction doesn't mean as much as it used to. When most people think of felonies, they think of rape, murder and armed robbery. Today, a wide swath of crimes are considered felonies, and politicians and so-called activists for various causes, lobby for the reclassification of misdemeanor crimes as felonies, to "prove" they are serious about fighting crime or to advance some agenda. Some animal rights groups are trying to get "animal cruelty" reclassified as a felony, and some of them have very broad ideas about what constitutes "animal cruelty".
Mea navis aericumbens anguillis abundat
...That it makes no sense _not_ to hire former and convicted hackers and crackers. Face it, they've already been convicted, so people are already watching them like hawks. And would you rather have the people who can find security holes working against you, or working for you?
Frankly, I'd rather have them working for me...
Kierthos
Mr. Hu is not a ninja.
These people would also have a harder time getting a job at McDonalds. If you are concerned about your future employability, do not break the law. A simple enough maxim.
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
Convicted hackers should be *more* desireable from a corporate perspective as they have documentation substantiating their knowledge and are better able to "think like the enemy." They could probably be hired for a lower salary as they would not have the same expectations of somebody who has not recently been in prison.
MindPixel -- help build the world's largest neural network and get free stock!
ByteMyCode.com: A Web 2.0 code sharing community.
People have ample opportunity to practice those skills on-campus, in situations where they are not likely to get a felony conviction. It's when people direct that kind of effort against e-commerce, military, and financial sites and when they obtain credit card numbers and other sensitive information, that it suggests both an anti-social inclination and a lack of good sense. Whether they also have a good education or not has nothing to do with it.
That's basically the distinction between "crackers" and "hackers". Both crackers and hackers may enjoy a good beer afterwards, and both may know how to break into any system, but I would hire a hacker to work on security. I wouldn't hire a cracker.
Unfortunately, that's what happens when you live in the most litigous society on earth.
Why would it make a difference? Risk analysis. If Phiber ever did something bad (which I have no doubt he would never do.. but that's not how risk management works), and the client who was violated could show that the company *KNEW* he was a convicted felon.. who's negligent? This is the US man.. they would sue @stake for knowingly hiring a convicted hacker.
Sucks, eh?
Your motives are incorrect, I think.
It is valid to not want the convict working for you.. but the reason should be fear of litigaton *if* something happens, not fear that he will actually do something.
I would trust someone equally, had they been conviceted or not. What I don't trust is my clients feeling the same way.
The article pretty much reeks of whining to me. Not that I don't somewhat have sympathy for the guy, but when you go apply to a fast food place, they ask if you have any prior felonies. If they have something to do with the job that you are going to do (i.e. Stealing from a register) then they can deny you employment. I personally don't think that this is any different, for two reasons.
1)I don't want, as a corporation, to hire someone who is known to have done illegal things to break other people's security, if his job is to know all waeknesses of security we make. This guy could easily put an obscure back door into all of the security measures, and then exploit it at a later time.
2)I don't want someone who is known to be a cracker sitting on a computer behind my corporate firewall.
Now, as an individual, he may be a great, upstanding guy who's only crime was curiosity, but I don't think that a company should have to take a risk on the fact that he may be an idealist.
It is a rhetorical question, but one HNN felt that they had to bring up. No, life is not fair. Yes, some people are wrongly convicted. Yes, there is a stigma attached to computer "crime". Regardless, these are the rules you play by.
On the other hand, who better to hire than someone who has had real experience, as opposed to a paper cert? No wet-behind-the-ears MCSE is going to know how to craft security policy, how to do risk management, and how to do cost benefit analysis and everyone in the industry knows it.
It is a calculated risk every time you hire someone who has a criminal past. As a manager, it is your job to evaluate each person one by one and weigh the benefits. Most of the time if you're doing your job right, you'll find most people have had minor brushes with the law (reckless kids get drunk, smash mailboxes, etc), and computers are no different. We may be geeks, but many of us have a reckless streak - it's called being young. To outright deny these people a job is a failing on your part as a manager. Judge each person individually, and not as a group.
What customer would open up their server room for a week to let convicted fellons "audit" their network?
It's those 2 words combined, convicted and fellon, that sends chills down the spines of anyone listening, but should it?? ?
You bet it should! What is says is not only have you been accused of commiting a crime and dispite every possible civil right extended to you (as well as appeals) you still managed to get CONVICTED! That's a dumb move, and you deserve 2 flip burgers in silence while contemplating your mistake.
I can add something to this discussion, only a little tidbit, though.
I can tell you that being a convicted felon makes it impossible for one to get a security clearance of any sort from the U.S. Gov't. The FBI will sniff that one out in a second, and if you've got a felony conviction on your record, no clearance. One or two misdemeanors might make it.
So, if you're a security firm, and you hope to land fat gov't contracts which will require your people to get cleared to some level of security, do you want to hire convicted felons, who can't be cleared?
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
Also a computer security company that wasn't aware of this Phiber Optik's past kinda worries me.