Should You Hire a Hacker?
fabioj writes "Business Week has an article about today's debate at the RSA Security Conference held at the Moscone Center attended by Kevin Mitnick and his 1995 trial prosecutor, Christopher Painter. Interesting to note that Painter doesn't see Kevin Mitnick's experiences as a deterrent for the 'up-and-coming technology workforce' to criminally hack."
I can see Kevin's point: People do change and have the ability to 'grow up' beyond their previous transgressions.
However, he's not just a hacker, he's a felon. Big difference.
"Anybody who tells me I can't use a program because it's not open source, go suck on rms. I'm not interested." (LT 2004)
So why is Poindexter running Total Information Awareness?
What ever happened to "rehabilitation"... I guess some people just can't forgive.
- colin
He's not a criminal any more, he's a member of society just like the rest of us.
Mr. Painter seems to be...painting...anyone who has ever committed a crime as a lifelong criminal. Good work rejecting the entire philosophical foundation of our criminal justice system, dipshit.
If someone will employ you, then you're trusted. You just have to prove yourself to them
You know the rest.
Although it certainly matters what your former profession might be, as long as you can do your job (of network security, I mean). OTOH, it seems like the best methods of foiling spies and hackers are to think like one, and the best way to think like one is to, well, BE one.
Interestingly, I wonder exactly who the U.S. has employed in its counterterrorist operations.
So the question boils down to morality. And that's not so easily defined. IANAH, but I suppose one of the better methods would be double-blind security; one ex-hacker to design the system, one ex-hacker to try and defeat it, and never the twain shall meet.
I actually kinda agree with both of them. A criminal isn't one to be trusted, depending on what they were in jail for, but on the other hand, one who has the knowledge, a hacker in this story, could be very useful. A hacker knows how to get around things, and if at first they can't, they work at getting their goal. They have experience. Now Painter might say that's why you should hire a security professional. Yet who would you rather have, some nerdy kid fresh out of college? Or would you rather have someone who knows what's out there, has experience with the programs that you will be using, and quite frankly could do better security audits than the nerdy college kid? No offence to anyone in college for this, nerdy just seemed like a good way to state my point even though the majority of the people in the field aren't that way at all. Heh. Well, just my 2 bits, peace.
as a company's employee - maybe as an expert. AFAIK he was a genius at using tools, but I don't remember him creating any of them. Maybe I'm mistaken? That brings another question: if somebody creates a tool and somebody else uses it, who is the bad guy? Recent stories (like the one of DeCSS and the one about RIAA suing students) show that people start to go after those that make tools. Shouldn't we start prosecuting gun, hammer, ax, and car manufacturers?
The social engineer knowledge is Kevin's specialty. That kind of skill will never be obsolete.
Am I running a bank with millions of dollars, and do I want the reformed hacker to secure the database with all the money in it?
Come on, this is common sense:
1: If the reformed hacker was doing it for personal profit, don't hire the hacker. If the hacker was just bored and causing trouble, maybe hire the hacker.
2: If you want to secure the aforementioned bank's financial DB, don't hire a hacker, and have someone looking over the shoulder of the guy you do hire. =)
3: If the reformed hacker writes all of his memos in 1337$p34|{, make sure you aren't hiring a reformed script-kiddie.
Like I said, simple, sensible rules...
Lagito ergo expectabo
See what that kind of thinking led to?
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
It's not just about whether convicted felons can be trusted--M. seems to argue that it's actually _better_ to hire someone who's been on the shady side of the law.
And as most crackers look for unsecured systems rather than attacking or defending a specific one, I don't think the "special skills" argument holds much weight.
Ex-druggies make great recovery therapists but bad customs agents..
So the prosecutor was concerned about Mitnick's lack of remorse? While I cannot condone Mitnick's actions at all, I have to wonder how easy it would be to show remorse when the legal system is being used and abused against you. If there had been a speedy and fair trial that would be one thing, but given all that happened in this case I know that by the time the actual trial came about my anger would get in the way. I'm not saying that's ok, I'm just guessing at what my own reactions might be.
Winkler might want to look at the message that HP is sending by hiring the Getto Hackers and not hiring Mitnick. To me that message is "Hacking is ok if you don't get caught." I suppose it might be a valid viewpoint (in football it isn't holding if the ref doesn't call it) but to me that seems like the wrong thing to say for someone who is trying to take the moral high ground.
"Where quality is like a dead stinking rat - you just can't miss it."
The fundamental question here is if we, as a society, believe that breaking into computers and stealing data/access is a crime, why should people who commit that crime benefit from it by being able to claim it as a skill on their resume?
Work Experience:
1992-1998: Freelance consulting work in the information security sector.
Have you ever been convicted of a crime?
1998-2003: Jailed for invading a computer system and stealing sensitive information.
Note that I'm not representing the above as any actual person but an example of someone representing criminal activities as job experience. How about college followed by normal entry-level work, instead?
Hacking is an addiction. Furthermore, a successful cracker does not necessarily make a good security expert. You wouldn't give a 5 time convicted drunk driver their license, even if they haven't touched alcohol for years... Why? Because it can be too easy, too much of a temptation to fall back into old habits.
Maybe you've never felt a true addiction. Perhaps you don't know what it's like to be mentally chained to some action, item, etc. Sure, you get into long programming binges, where you're in 'the zone' for hours, but it's not like you can't go 2 minutes without zoning out of real life and thinking about your program.
When you are addicted to something you very literally are unable to keep your mind off the subject for any length of time.
The chances of an addicted, convicted, and reformed cracker of being tempted and going back to their old ways are so much greater than the chances of a programmer/net admin/whatever who hasn't been addicted that it isn't a reasonable risk to take. You don't give a reformed alcoholic a wine tasting job.
That being said, it's unfair to group people together by any metric. I could say, for instance, that all good criminals are persistent con men. It isn't always true all the time, but when you look at one case at a time it certainly seems so. Most, if not all, of Mitnick's significant exploits weren't brain power, or sheer ability to break systems. It was his ability to convince another person that he was authorized to receive sensitive information, and when he didn't get it from one person he moved on to the next. A very charismatic, persistent con man. Certainly no Carmack.
So it's not fair to lock everyone convicted of computer crimes from using computers again, or even from using computers in the way they used them in their illegal activities.
But if you are shortsighted enough to believe that a true addict can ever be fully and completely cured... Employer beware...
-Adam
I'm a consultant for an internet security company. The job is challenging, varied, fun and well paid. I get involved in pen tests, source code audits, hardware audits, etc etc. I wouldn't have got this job were it not for the fact that in a former life I used to 'play' with things I shouldn't. Don't get me wrong, I've never been arrested or charged with any crime relating to computer misuse, I've never done anything that serious. Something as simple as writing 'POKEs' for computer games was considered hacking/cracking in the old days.
I'm not the only one in the company like this. There are other senior members of staff that have some good past experience. Between us all it means that we have a vast wealth of knowledge and experience that enables us to offer a good service to the customer.
So, the point of my post is, that being an ex hacker/cracker isn't a problem to my employers.
If a criminal is a criminal, does that not mean the whole point of prisons doesn't work? They aren't just there for punishment, they're there for the convict to reflect on his/her past and become a reformed person.
I'm pretty sure that the main point of prison..besides simple punishment..is to reform those to behave by society's rules when they have shown that they can't. When they are released from prison, they are -supposed- to be considered a fully functional reformed member of society.
To label an EX-con as always a criminal kind of goes against the whole point of prisons, and general reform.
It's easier to fight for one's principles than to live up to them.
Despite that these two situations are completely and totally unrelated (one is intrusive the other is not), it depends on the situation.
*Does being a convicted rapist give him a particular insight into how to spot other rapists?
*Is he better at stopping--not just rapists--but other toughs and would-be assailants for his experience? Is he the best for the job?
*What level am I willing to trust him to and is the amount of trust required for the job less than the amount I trust this individual? (This does not just apply to felons, it applies to everyone).
You shouldn't hire someone because they have a criminal record, but you shouldn't dismiss them just because they are a convicted felon. Consider the entire picture and make the *best* decision for you and your company.
From the article: Regardless of whether or not a hacker with a record has reformed, the bottom line, said Painter, is that paying former criminals big bucks sends the wrong message to the young, up-and-coming technology workforce. He added, "That's like saying the best way to a high pay check is to go out and be a criminal hacker."
Too right. I agree with this 100%.
If we encourage kids to do this, by promising them a long and lucrative career in 'Security', then we will just have even more crackers out there trying out their so-called skills.
I've had one guy who repeatedly downed a DALnet server I managed tell me that basically he hoped to put his skills on the market once he finished his Degree. He laughed at me when I suggested having a criminal record might slow him down.
If you run an IT department, don't hire crooks. No matter HOW good they say they are, a trained professional without a criminal record is a thousand times better than some thug who has spent his youth trying to make lives for people like me a misery.
I don't think most hackers hack because they like crime. They like a challenge. The want a way to test their intellectual arsenal against others.
In a way, I guess you could look at hacking as the first multi-player online game. It was the first way to pit yourself against a real human opponent online (aside from checkers and chess on Prodigy back in the 80's I guess :) )
The hackers play the "side" of the hackers because that is the side that's most available. If you give them a job as the sysadmin, then being able to read everyone's mail is no longer a challenge and, hence, tends to lose its novelty. Instead, they now have a new adversary: the rest of the hacker world.
It's all about proving that your kung-fu is better. Whether you play the black pieces or the white pieces only determines the numbers printed on your paycheck (or your orange jumpsuit, I guess).
You ever listened to any gangsta rap or seen the movie Catch Me If You Can? Both probably have a much bigger influence on the general public.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Kevin Mitnick has served the sentence society gave him.
And while it is every employer's choice if they want to hire him or not, it is foul play of his prosecutor to argue in public that he should not be given a job.
Even if the prosecutor personally doesn't believe in reform (no, even though you yanks all seem to believe it, the purpose of imprisonment is not revenge from society's point of view), he is still a DOJ official. How can he send people to jail, claiming it is for their reform, when he obviously doesn't believe this?
Maybe he is, like somebody here so eloquently put it in his sig, a gay dungeon master.
How small a thought it takes to fill a whole life
Arguing that Mitnick is glorifying hacking is like saying that The Sopranos is a "wrong" show because it glorifies New Jersey-- I mean the Mafia.
Of course the probability of a Security Expert being a black hat increases somewhat if you know that he has been jailed for cracking. But you might even be able to trust a rehabilitated ex-cracker more than a hacker whose hat colour you can't know...
And of course it goes without saying that I would hire Kevin Mitnick anytime. Indeed, this would give me a strong warm and fuzzy feeling.
Nice article:
The TMC Primer
I can dig that, old-timer. I can see where you are coming from too. I came in on the tail-end of the BBS era, just when it was really starting to die, and the internet was just starting to get around, in Australia. I could really have done with some of these phreaking deals when I was a kid ($2000AU phone bill, ouch).
The thing is, I'd hire you, as you have not been caught, yet you freely admit your past. Mitnick, however, was caught - yet he repeatedly complains about the rough deal. Who is the better hire?
Well, then, probably every politician currently active in the US (and most other places) ought to be fired immediately.
And it seems someone needs to read Les Miserables.
Like many have already said, it's about trust... it's not about whether he is a criminal or not. Being a criminal convicted 5 times of computer related crimes makes him untrustworthy regarding computer security.
I'm sure Mr. Mitnick would be a very trustworthy chef or petroleum distribution agent (aka gas pumper). But as a security guy in a corporation? Uhhh I don't know about that one!
A criminal is only a criminal because the law says he is.
"The evil of the world is made possible by nothing but the sanction you give it." -- Ayn Rand
Just like I would never hire a delivery driver who has had a speeding ticket. Just can't trust them. I also don't hire receptionists who have had a speeding ticket. I don't use doctors who have had a speeding ticket. I don't talk to anyone who has ever had a speeding ticket in their entire life, because I have never had one, and that is the standard I expect of everyone around me. Of course I have broken the speed limit, almost every day, and I've been pulled over. But I've never gotten a speeding ticket, so I don't trust people who do.
In case you missed it, I was being sarcastic there. My point is that Mitnick was caught hacking into computers just to hack into computers. In many cases, people gave him access, unthinkingly. He never used it to steal money or trade secrets. He didn't blackmail the companies, or sell their info to competitors or the mafia. So big deal. He hacked some systems. Starting when it was no big thing. For those who say "Hacking is never acceptable", what industry are you in? It's like the websites that get pissed at people for linking to pages in their site, rather than their front page. "You don't have the right to link to our pages, you never asked permission." If a computer is connected to the Internet, or has dial-in access, and someone accesses it, and doesn't cause damage, I couldn't care less. If the computer's owner doesn't like it, he should have put better safeguards in place.
And before the "Should everyone be allowed to walk in your open front door" argument is thrown in, it's no comparison. The proper comparison would be "Should everyone be allowed to stand on the sidewalk in front of your house, and watch you have sex with your supermodel girlfriend while you two are standing in your private house, in the living room, pressed up against the large picture window?" My response would of course be, "They could take video of it and sell it if they wanted. The activity happened in public view. If I was worried about it, I would have closed the curtains to restrict their view. It would be my responsibility to protect my privacy, not theirs."
Tell it to Wozniak, he and A LOT of other names in the IT field are admitted hackers just like the person you're replying to. So am I for that matter, I was around then, but that was long ago, today is a very different world. It's a MINDSET. The same mindset I put to use for 7 years in the realm of physical security. How does the system work, where are its weak points, can I get around the system?
Everything isn't so cut and dried, and if you want to make such blanket statements, I hope you check the records of the politicians you vote for, because there's an AWFUL lot of law violators in Congress and so forth. Frankly it would be the best place to start if we are to follow your philosophy.
"You didn't just break some random law--you STOLE service!"
And what the hell is that supposed to mean? "You STOLE service"? You make it sound like he decked a nun or something. The law is the law, if you violate it you may have to face consequences. Ever speed? Ever jaywalk? Ever put change into someone else's parking meter to be a nice guy? Ever walk off with someone's pen or lighter? Congratulations, you're a criminal.
If, as the DOJ prosecutor says, "a criminal is a criminal", then why is Poindexter allowed in the White House to lead the "Total Information Awareness" program? Going even further, the US was convicted by the World Court and the UN Security Council of crimes in Nicaragua in the '80's. Then there's the matter of Kissinger, but he hasn't been convicted. In any event, let's cut the hypocrisy.
"Gentlemen, you can't fight in here! This is the War Room!" -- Dr. Strangelove
Kevin is a criminal.
It's not any of our fault that he decided to turn to the dark side and hack Sun, and many other cell phone vendors. Really.
Stop giving him so much sympathy. I for one as an honest person am tired of hearing about this frickin criminal! Yes! Criminal!
Idea: Hire the best person for the job. Sometimes that is Kevin Mitnick sometimes that is Theo De Raadt, it depends on whether you need pen testing done or secure software written.
I was thinking of getting a subscription to see posts early, but I realized with the amount of dupes I was already seeing posts days in advance.
perhaps we shouldn't reward people who break laws [by hacking] by giving them a job?
If that person is reformed, why not? They'll have a hard enough time finding a job with a criminal record, at least they should be able to get jobs in areas where they've proven themselves competent.
Of course, if the person is a repeat offender and they've proven themselves untrustworthy, that's a different can of worms. But if it's just one offence, and they've subsequently cleaned up their act, then what's the problem?
Would you hire a convicted embezzler to keep track of your savings account?
Would you hire a rapist to babysit your daughter?
Why would you hire a former cracker to secure your network, when there are plenty of non ex-convicts with similar or better experience for the job? How well-versed on current, relevant technology do you think someone who spent the last 7 years of their life in prison and prohibited from touching a computer is? Sure, social engineering never changes, but that's only part of your security infrastructure.
NO CARRIER
"You have to remember, the point of a public corp. isn't to obey the law, it is to make a profit."
See, I have to disagree with you there. I think that, (a) All groups, including corporations, are responsible to the law and so they must be concerned about whether or not their employees will be law abiding, and (b) From a purely moral perspective, all groups are responsible to act morally.
"Stumble before you crawl"
That is all.
People change. You gotta believe in people. Give them a second chance to prove themselves. Think "Catch me if you can" (the movie)
The reformed guy needs to prove himself. But if no one hires him, if no one trusts him enough to employ him, maybe he gets back to breaking the law.
Hiring a former cracker to secure your network could be an extremely valuable move. Why? Because they know the mindset and thought processes of one who is trying to compromise system security. This is not something that can be learned through college courses or workplace experience. Oh sure, you probably learn a lot with both of those, but it's always at least one step behind (you're only learning how to prevent those techniques, exploits, and patterns thereof that people have tried before). Former crackers can more easily step into an adversary's shoes, potentially giving their company valuable insight.
"Therefore, I say: Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal." -- Sun Tzu, The Art of War, Chapter 3
Besides, if a company's network were compromised mysteriously by someone on the inside, who do you think would immediately be the prime suspect? No reasonably intelligent former cracker would ever do such a stupid thing.
Furthermore, regarding your analogies:
I would hire a convicted embezzler to keep track of my savings account if it were in danger of being attacked by numerous embezzlers on a daily basis (much like how corporate networks are attacked by crackers). And, for the same reasons as above.
And your rapist analogy is quite off base seeing how, even if one's daughter were in danger of being attacked by numerous rapists on a daily basis, such an attack would be extremely easy to spot and would require absolutely no special skills to help prevent (other than, maybe, not being a quadriplegic mute). A sufficiently trained monkey could stop a rapist -- and a sufficiently trained monkey could probably be a rapist. =)
Hire the best person for the job.
... pen testing, rofl.
minor rant (pen testing... heheh) anyway, back to the minor rant.
This drives me nuts. Hire the best person. I hear this a lot in conversations about affirmative action or related judgement questions like this article raises, where one considers adding some "weighted criteria" into the situation.
The idea of "choose the best for the job" is false. There is no objective determination of this for the vast majority of jobs. You are guessing a person's potential. You are guessing the role they really played in past successes. You're guessing if good diction and a nice manner represent a good worker... you are going from a limited set of perceptions.
In short, most hiring is done by feelings. So for example the question is a philosophical question about hiring criminals as crime fighters. Now that I don't have a rant over except to say
-pyrrho
Ya know, the media and world has warped the word "hacker" into a bad word referring to a person that breaks into computers for nefarious activities. The IT community knows a hacker as someone skilled in computers that comes up with a "hack" as a clever way to accomplish a desired task (not illegal). But really, why can't we just let the world have the word "hacker" and just come up with another title. Because when it comes down to titles, who is really going to go around calling themselves a hacker, knowing the negative connotation associated with the title. And who is going to really take the time to care if someone calling him/herself a hacker is a computer professional with ethics or a person looking to break into their computer and steal info.
Some would ask why should we change, why can't the rest of the world change and realize the difference between a hacker and a cracker. That's just not going to happen, at least not in this lifetime. Maybe if someone saves the world and proclaims him/herself a hacker, then the world will start to change their concept of hacker = bad. But for now, that's just how it is. There should be some other title for a truly skilled computer professional and get rid of the duality of good hacker/bad hacker.
[/Soapbox]
-Look lively. LOOK LIVELY!!! --Mr. Shmallow
If you (or your workplace) has a technically competent IT department, there is a good chance you already have hired hackers. If you also have a technically competent Infosec department, there's an even better chance. The only difference we're now hashing out is whether you wish to limit yourself to those who were either smart enough, or lucky enough, to never have gotten caught.
The important issue is not a criminal "hacker" record, but rather the abilities of the individual in question. If they are able to bring a particular skill-set to the table and perform to expectations, then they make a good employee.
The recent demonizing of "hackers" seems to have little to do with ability or morality. Such laws and legal actions seem to have more to do with publicity. A lawmaker or prosecuting attorney's career should have little to do with your hiring process.
There are exceptions. If the individual in question committed embezzlement, then they have demonstrated a willingness to victimize their employer (to say the least). Such an individual would be a risk - but then, that has little to do with a "hacking" conviction.
The other extreme is seeking to hire those with criminal convictions. This is perhaps a better example of "reward[ing] people who break laws." A computer crime conviction does little to prove one's skill-set. Again - it proves one was either stupid or unlucky. Or upset the wrong people. It doesn't prove that one would be able to deliver as a consultant or IT team member.
One final note - the old days of hacking seem to be passing. Hacking, no matter your definition, has always been about learning a system. Back in the old days, the only way one could gain more time/access to a system was to learn how to manipulate the system and provide it oneself. Without permission, if need be.
These days, one can create a functionally similar environment to most of what one would find in corporate and Government networks at home using cheap, old hardware and free software. The need... and the excuse... to attack remote systems to gain the access needed to learn is fast fading. Of course, that doesn't take into account proprietary hardware and software. But then it becomes a question of the risk of being caught versus the lure of such systems. But then - if you learn enough and build a career, you'll get access to those systems legally.
Great point.
(my expansion) If they are not reformed, why release them? If you know that they are going to repeat their crime then they should not be released.
If they are released then they have served their time and should no longer be a burden on society. Hence they should have full rights.
Otherwise you are saying that while they are harmful enough to society to remove for a few years, they are not harmful enough to keep them from doing it again (so then, why try and keep them from doing it again if it is not harmful?). Either reformed and no more retaliation, or not reformed so remove from society. Holds true for any jail sentence.
------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it
Indeed. I think it's pretty obvious that Slashdot has gone in the crapper when dupes are a daily occurrence, and obviously inaccurate (and weeks old) stories like "timetraveler busted for insider trading" get posted as if they're truth.
Slashdot desperately needs somewhere to discuss problems about itself. The editors have this "it's your site" attitude, but then don't listen when just about everyone screams about the major problems. For lack of a better place to discuss problems, and solutions, I elect any and all dupe posts. Here's some of the problems, as I see them. (Sorry, I don't have many good solutions).
1. Dupes. It makes it pretty obvious the editors aren't making the least bit of effort in approving stories. It's gotten quite bad in the last year, and this makes it look like slashdot is in decline.
2. Inaccurate stories, and/or misleading or sensational headlines. I'm really tired of these, as the conversation starts from untruth. Casting the story in the wrong light has a major impact on discussion. It makes slashdot into an unreliable news source which I think is just bad in general. Yes, the editors say "it's the job of the readers to verify stories" but it's pretty ridiculous when the headline is obviously sensational and inaccurate after reading the actual article.
3. As I mentioned above, nowhere for a meta discussion. If slashdot is supposed to be partially run by the readers, we need a common place to discuss slashdot itself.
4. I don't have a four. I could list deeper problems with slashdot, but they're mostly just a matter of taste. The three listed above I think apply to everyone, no matter what you think slashdot should be.
Breaking the law is breaking the law is breaking the law. While you may not agree with the laws in place, you are assuming a certain amount of responsibility when you break them. I speed all the time, as I'm sure most of us do. When I speed I am well aware of the risk that I may get caught and have to pay a ticket. I weigh the risk against the benefit, and speed to my heart's content.
Mitnick broke the law. You're right, he didn't kill anyone or molest any small children or anything. But he did break the law, and there are consequences of that. A significant consequence is not being trusted in the infosec industry. The data that is being protected on these networks is just too important to gamble on someone who may or may not have "turned over a new leaf." Especially when there are more than enough excellent professionals with clean records out there.
I also like the point that allowing Mitnick to work in this industry only encourages the generation coming up now to violate the law. Or, if you think that's a stretch (which I don't), the fact that we can attempt to dissuade the younger generation from becoming black hats by making it clear that there is no place for them in the infosec industry. Whether or not Mitnick or any other black hat is qualified...we should use this opportunity to send a message that crime really doesn't pay (corny, I know).
Social Engineering Expert: Because there is no patch for stupidity.
Except when the "best person" is a criminal. You don't hire pedophiles to run a daycare center no matter how good they are with kids. There's a line to be drawn between having skills and using them responsibly and having skills and misusing them. I don't care if you're the greatest "security expert" in the world if I can't trust you. It's like cheating on your wife. You might end up resolving it and staying with her but you'll never be trusted again. Ok, ok, analogy overload.