Convicted Hackers Snubbed by Security Firms?

Esqueleto sent us an interesting story from Security Focus on convincted hackers and employment in the security field. When you get past the zillions of obnoxious frames, you'll read an article about a wierd problem: the guys who have a criminal record are tougher to hire... in this case they're talking about Mark Abene (Phiber Optik) being snubbed by @Stake, the guys who merged with L0pht. Of course this makes total sense from a corporate perspective, but considering many of the folks in the industry will admit freely to doing the same things, the conviction on your record makes all the difference.

How it has affected me

[merlyn]

My conviction, still in appeal, has been a significant detriment to my business operations. Because any "employment" would have required a note on company letterhead sent to my probation officer, and at least more than one potential client said that this would be problematic to get it through their legal department, I have had to focus on providing Perl training (which did not have the same requirement) rather than Systems and Network consulting for the past six years, which is my primary area of expertise (although I got really good at training as well {grin}).

This makes me less up-to-date on the latest technologies, and cost me opportunities to do really cool things and be part of a team somewhere, a part of my "former" life that I sorely miss.

As the requirement for a formal disclosure and acknowledgement of my current legal status ends in just a few more days, I can once again look at being involved in direct consulting, rather than training. (Although being directly employed will almost certainly still not be possible, I can look for opportunities where a company contracts with my Stonehenge company once again.) But the six years in the middle have been very tiring.

For more information about my ongoing legal battles, please visit the Friends of Randal Schwartz website or send a blank mail message to my autoreply bot.

I don't think...

[DustyHodges]

The article pretty much reeks of whining to me. Not that I don't somewhat have sympathy for the guy, but when you go apply to a fast food place, they ask if you have any prior felonies. If they have something to do with the job that you are going to do (i.e. Stealing from a register) then they can deny you employment. I personally don't think that this is any different, for two reasons.

1)I don't want, as a corporation, to hire someone who is known to have done illegal things to break other people's security, if his job is to know all waeknesses of security we make. This guy could easily put an obscure back door into all of the security measures, and then exploit it at a later time.

2)I don't want someone who is known to be a cracker sitting on a computer behind my corporate firewall.

Now, as an individual, he may be a great, upstanding guy who's only crime was curiosity, but I don't think that a company should have to take a risk on the fact that he may be an idealist.

NEWS FLASH: Real Life Not Fair!

[Signal+11]

If I were a security firm charged with taking money from banks and transferring it to a safe location every evening, would it be sane for me to hire a bunch of convicted bank robbers to do it?

It is a rhetorical question, but one HNN felt that they had to bring up. No, life is not fair. Yes, some people are wrongly convicted. Yes, there is a stigma attached to computer "crime". Regardless, these are the rules you play by.

On the other hand, who better to hire than someone who has had real experience, as opposed to a paper cert? No wet-behind-the-ears MCSE is going to know how to craft security policy, how to do risk management, and how to do cost benefit analysis and everyone in the industry knows it.

It is a calculated risk every time you hire someone who has a criminal past. As a manager, it is your job to evaluate each person one by one and weigh the benefits. Most of the time if you're doing your job right, you'll find most people have had minor brushes with the law (reckless kids get drunk, smash mailboxes, etc), and computers are no different. We may be geeks, but many of us have a reckless streak - it's called being young. To outright deny these people a job is a failing on your part as a manager. Judge each person individually, and not as a group.