Convicted Hackers Snubbed by Security Firms?

Esqueleto sent us an interesting story from Security Focus on convincted hackers and employment in the security field. When you get past the zillions of obnoxious frames, you'll read an article about a wierd problem: the guys who have a criminal record are tougher to hire... in this case they're talking about Mark Abene (Phiber Optik) being snubbed by @Stake, the guys who merged with L0pht. Of course this makes total sense from a corporate perspective, but considering many of the folks in the industry will admit freely to doing the same things, the conviction on your record makes all the difference.

Getting caught is the real problem.

[lord+kiwano]

If someone can pull off the same sploits as a big name black-hat, and not get caught, they must have some sort of superior skills that enabled them to avoid getting caught. If they didn't pull off the same sploits, then the scope of the exploits should be weighted more heavily than the conviction in judging candidates.

Of course, there's also the factor of having the sense to do little enough that you won't get busted.

It's the same with any convicted felon!

[www.sorehands.com]

Any convicted felon has a hard time getting a job. That's why moost job applicatioons contains a question about past convictions. That is why juvenile records are sealed.

If a person is convicted and goes to jail while on the job, an employer might have to expend effort in replacing them w/o notice, even if the conviction is not related to the job.

This is different from time off for injury (say under the FMLA). Being ill/injured is not something that is a person's fault. Committing a crime is a person's fault.

Putting a person convicted of computer stealing computer data in conputer security is similar to putting an embezzler in a cash counting room or a child molester in a job at a day care provider or a convicted drunk driver as a school bus driver or a perjurer as an attorney.

How it has affected me

[merlyn]

My conviction, still in appeal, has been a significant detriment to my business operations. Because any "employment" would have required a note on company letterhead sent to my probation officer, and at least more than one potential client said that this would be problematic to get it through their legal department, I have had to focus on providing Perl training (which did not have the same requirement) rather than Systems and Network consulting for the past six years, which is my primary area of expertise (although I got really good at training as well {grin}).

This makes me less up-to-date on the latest technologies, and cost me opportunities to do really cool things and be part of a team somewhere, a part of my "former" life that I sorely miss.

As the requirement for a formal disclosure and acknowledgement of my current legal status ends in just a few more days, I can once again look at being involved in direct consulting, rather than training. (Although being directly employed will almost certainly still not be possible, I can look for opportunities where a company contracts with my Stonehenge company once again.) But the six years in the middle have been very tiring.

For more information about my ongoing legal battles, please visit the Friends of Randal Schwartz website or send a blank mail message to my autoreply bot.

Re:Why?

[onyxruby]

We don't hire serial killers to catch serial killers, do we?

Really? The FBI sure as hell interviews them, utilizes and implements what they have to say. They also interview, and occasionally hire people convicted of computer crime. Take the recent ex-disney exec for example. It often takes a crook to catch a crook. Knowing how a hacker /thinks/ is as important as modus operandi.

While I certainly agree with you that you that getting convicted of a serious crime demonstrates a profound lack of judgement, I think dismissing someone who was convicted of such out of hand also exhibits a profound lack of judgement. People complain that they don't want an ex-con working with them. So where do these people want ex-cons working? As Reagan put it, "trust, but verify". I'm not saying to go light on these people or the like, but take advantage of what they know. They'll be the first person to thank you for doing so.

Re:This is news??

[Detritus]

What the hell is a fellon?

The problem is that a felony conviction doesn't mean as much as it used to. When most people think of felonies, they think of rape, murder and armed robbery. Today, a wide swath of crimes are considered felonies, and politicians and so-called activists for various causes, lobby for the reclassification of misdemeanor crimes as felonies, to "prove" they are serious about fighting crime or to advance some agenda. Some animal rights groups are trying to get "animal cruelty" reclassified as a felony, and some of them have very broad ideas about what constitutes "animal cruelty".

Well duh

[Skim123]

These people would also have a harder time getting a job at McDonalds. If you are concerned about your future employability, do not break the law. A simple enough maxim.

Ha.

[mindstrm]

Unfortunately, that's what happens when you live in the most litigous society on earth.

Why would it make a difference? Risk analysis. If Phiber ever did something bad (which I have no doubt he would never do.. but that's not how risk management works), and the client who was violated could show that the company *KNEW* he was a convicted felon.. who's negligent? This is the US man.. they would sue @stake for knowingly hiring a convicted hacker.
Sucks, eh?

I don't think...

[DustyHodges]

The article pretty much reeks of whining to me. Not that I don't somewhat have sympathy for the guy, but when you go apply to a fast food place, they ask if you have any prior felonies. If they have something to do with the job that you are going to do (i.e. Stealing from a register) then they can deny you employment. I personally don't think that this is any different, for two reasons.

1)I don't want, as a corporation, to hire someone who is known to have done illegal things to break other people's security, if his job is to know all waeknesses of security we make. This guy could easily put an obscure back door into all of the security measures, and then exploit it at a later time.

2)I don't want someone who is known to be a cracker sitting on a computer behind my corporate firewall.

Now, as an individual, he may be a great, upstanding guy who's only crime was curiosity, but I don't think that a company should have to take a risk on the fact that he may be an idealist.

NEWS FLASH: Real Life Not Fair!

[Signal+11]

If I were a security firm charged with taking money from banks and transferring it to a safe location every evening, would it be sane for me to hire a bunch of convicted bank robbers to do it?

It is a rhetorical question, but one HNN felt that they had to bring up. No, life is not fair. Yes, some people are wrongly convicted. Yes, there is a stigma attached to computer "crime". Regardless, these are the rules you play by.

On the other hand, who better to hire than someone who has had real experience, as opposed to a paper cert? No wet-behind-the-ears MCSE is going to know how to craft security policy, how to do risk management, and how to do cost benefit analysis and everyone in the industry knows it.

It is a calculated risk every time you hire someone who has a criminal past. As a manager, it is your job to evaluate each person one by one and weigh the benefits. Most of the time if you're doing your job right, you'll find most people have had minor brushes with the law (reckless kids get drunk, smash mailboxes, etc), and computers are no different. We may be geeks, but many of us have a reckless streak - it's called being young. To outright deny these people a job is a failing on your part as a manager. Judge each person individually, and not as a group.