Slashdot Mirror
Should You Hire a Hacker?
fabioj writes "Business Week has an article about today's debate at the RSA Security Conference held at the Moscone Center attended by Kevin Mitnick and his 1995 trial prosecutor, Christopher Painter. Interesting to note that Painter doesn't see Kevin Mitnick's experiences as a deterrent for the 'up-and-coming technology workforce' to criminally hack."
Most caught crackers are going to bring special, outdated skills to the job.
Kevin is lucky in that getting put in jail actually increased his prospect for employment once he got out. For most people, a felony can be a lifelong sentence. And I don't understand how that's called "justice".
Companies should be allowed to hire anyone they want, whether they have a criminal conviction or not.
What's the problem?
If I seem short sighted, it is because I stand on the shoulders of midgets
Toss this guy out with the trash and give some honest, decent hard-working folks some jobs.
One problem I see with this approach is that he is probably one of the best qualified on this planet for certain jobs..
He has this valueable knowledge and changes are someone will approach him with an offer ..
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Actually, I think the really important point here is the social aspect of his cracking. The tools and the security systems will change, but there will always be a human somewhere who knows the password, and you can ignore all of the technical defenses if you can sweet talk them just right. Or if they do stupid things like pick predictable passwords. Or write the password on a post-it-note on their desk.
I think much more than just doing a port scan, a company would hire Mitnik to examine their _human_ protocols and proceedings for dealing with security.
In a different context, how do you feel about someone like Nelson Mandella? A convicted terrorist who has shown that he can work for peace... Nelson Mandella was arrested while attempting to blow up a railway station, his organisation, the ANC, went on to kill hundreds of people. Yet now he is someone that works tirelessly for peace. He has a far greater understanding of the problems faced than a numbty like GW who just lives for war and seems no better than the terrorists.
The parrallels are very clear to me.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
I believe there is room for people who proves themselves to be trustworth. These are the sort of folks who have a private contained network in which they do their hacking. There aren;t hurt anyone and theuy are still learning.
If they find something they then take the appropiate route of contacting the appropiate company and working with them to fix the problem As for the people who find an exploit then use it. No definitly not
Rus
Cheap UK and US VPS
The government hires ex-criminals to fight crime with great success -- just look at She-Spies! ;-)
Mitnick served time, but even after he's 'paid his debt to society' he's considered a criminal.
Poindexter served no time, certainly made no recompensation to society for his acts, yet is in charge of the US government's security effort.
God help you all.
Let's say a maid who robbed a former employer? A nanny who assaulted a child in her care? A butler who used an employer's Net connection to threaten the President?
Let's see if you'd put your money where your mouth is.
I am not in a position where I can affirm that Mr. Mitnick is reformed and can be trusted. However, I disagree with statements such as "Criminals are Criminals".
And in answer to the assumption that Fortune 500 would not hire a criminal for his services, I would like to point out that many of these companies have hired Mr. Frank Abagnale in the past, who first made himself famous for check fraud before working with the FBI and then creating his own consulting firm. He is an example that an ex-criminal can become successful by using the same skills that made him a criminal in the first place, and that law enforcement and big companies do sometimes hire such people for their services.
True, why would you want to hire a _convicted_ felon?
You need to hire the hacker they _didn't_ catch. Surely the guy who managed to cover his tracks so well as to never get caught is a much better person to learn from.
I used to work at MHMR/TC and my supervisor, on at least one occasion, bought phony computer equipment and pocketed the money. Further, when a co-worker of mine tried to blow the whistle on him, he was told to play along or else they would make his life miserable at work, which they did and he was soon fired or forced to resign.
I, on the otherhand, who am very skilled with computers, was put in a rather awkward position after I was let in on the little secret because it soon became apparent that it was bothering me and they obviously feared they could not trust me, so they treated me badly and I soon became suicidal and tried to commit suicide four times.
Later on, however, after I was forced to resign and was able to collect myself, I discoverd that one particular co-worker's Yahoo! email account was linked to credit card stealing, which you may view for yourself here which so happened about the same time someone stole money out of two of my co-worker's purses.
When I discovered this, it was like, great! We finally have the culprit and so I told them, but they did not do anything. I even told them about the supervisor that was buying phony equipment and keeping the money. Still, they did not do anything. Then, after realizing many are involved, I wrote one email to many people in the organization (that is, many people were in the To: header) and they responded by threatening me with litigation concerning things like computer security breachment, criminal harassment with a computer and some other computer crimes.
Why is it that since they're idiots with computers but thieves they can point to someone that is good with computers and not a thief and call her a criminal hacker?
OK. A guy breaks the law and is convicted on the basis of his hacking crimes. When he comes out he gets a prime well paid job on the basis of his law breaking experience.
What kind of example is that setting?
"Break the law, and get a good job" is NOT a good example to be setting, it will only encourage people to commit similar crimes.
I think companies are perfectly correct not to employ convicted hackers in a security role. It is completely morally and ethically wrong to reward people for crimes they have committed.
"Information wants to be paid"
Once upon a time, I was a hacker. I've always been into computers, since I first encountered a TRS-80 in 1977. I'm 36 now. I'm still using my original handle from those days, and wrote an article for Phrack in '85. I actually was one of the people who helped talk Craig (Neidorf, "Knight Lightning") into starting it as an online magazine. I've always believed in freedom of information.
In those early days, there were LOTS of us (young people) who were into computers and were fascinated by them. But there was no internet, and those of us in small towns (like myself) had NO means to communicate with others with the same interests, other than BBS system using a 300 baud modem, or 1200 baud if you could possibly afford it.
So, at that time, if you wanted to learn and communicate, one of the first things you would do would be to call BBS's all over the US. But phone charges were high!! And the parents didn't like that!! So -- you would ask around. And soon, you'd find out about "hacking." Hacking local systems to use TELENET (not telnet), hacking local business PBX systems to get an outside line, which were usually 3-digit "passwords" in those days, or using "codes" to dial out using Sprint, MCI, or TMC (My article for Phrack was on TMC hacking.)
Was it illegal? Yes. It was also amazingly simple. At that time, you would dial a local access number, enter a code (sometimes only 4 digits), enter a # to call, and it would go through. You could use a phone code for a month or more usually, until the customer got the bill and complained. I guess phone co. insurance picked up the tab. I never really cared.
Pretty much my entire interest in and knowledge of computing and networking came from these early "hacking" experiences. I don't regret them. And I'm the most honest person you could hope to meet. Had there been an "internet" or ANY way to communicate with other computer folks, I would have used it. I pride myself on my honesty and don't steal, rob, rape, pillage or murder. I just like to learn new stuff.
And, at that time, that was how it was done. Mitnick came from that era, and I think he was screwed unforgivably. I'm now a partner in a company that does some security work. Would I hire him? Absolutely, I know just where he's from.
PK: 09F911029D74E35BD84156C5635688C0
IANAH, but I suppose one of the better methods would be double-blind security; one ex-hacker to design the system, one ex-hacker to try and defeat it, and never the twain shall meet.
1. We talk about crackers here, not hackers.
2. Crackers generally suck at system design.
Remember that in general any destructive activity is easier than constructive - that's a property of the Universe we live in. Building demolition, while requires some thinking to be done properly, tends to take much less time, thought and effort than building construction. There is strong similarity in other areas of human activity.
Most creative types in the industry - software architects, engineers, good sysadmins - could succeed tremendously in cracking if they wanted to, much better than an average script kiddie. However they fortunately have different priorities.
So while I agree that it might be useful to hire ex-cracker for a security audit, the design of security measures should be left to experts.
Lisp is the Tengwar of programming languages.
Intresting concept but as many have pointed it out it has problems.
/.'ers have not crossed and its a line Mitnick was well on the other side of. But to some extent I think the largest difference there is someone who acted on knowledge vrs people who possesed the knowledge. Ultimately who makes the better applicant for a job ? The one with the knowledge or the one with the knowledge and the experience ? In terms of social engineering Mitnick is one of the few KNOWN people that knows through experience the difference between reality and theory. However the fact of his experience makes him a risk.
I can't say I would hire him to build my security system. I would however hire him to test it ala "Sneakers".
Computer security savvy is a catch twenty two. You can't know how to defend unless you know how they attack. The only way to be premptive is to figure out all the ways of attack. This means you have to attack your system at least theoretically. And the only way to determin if your deffense is effective is to test it.
People who are only testing a system will always be less creative in finding 'hacks' than those truly trying to penetrate the system. Its the problem of being inside the box.
The best crook is a cop and the best cop is a crook. Know your enemy. Keep your friends close and your enemies closer.
Ultimately I don't buy this rewarding crap. Mitnick at some level has paid for his transgressions with an all expense paid federal 'vacation'. If he so much as twitches his nose wrong with a computer system again and it is caught they will send him back and throw away the key. Paying the man to gain knowledge that can help you build a better and more secure system is not rewarding him. It is not encouraging kids to go get busted for a felony hacking offense and spend years in prison for the possibility of making big bucks as a security consultant.
To the letter of the law I doubt there are many people who post here who under 100% enforcement would not possess a computer misuse charge agianst them. How many here might have been that kid the RIAA just lit up? How many have never copied anything that was not supposed to be copied? How many have never tried a back door method of gaining access to a system ? Hell how many havn't successfully gone through a back door? Answer that with no justification, no weasle wording, and no claims but that was different. Technically the law dosn't give a damn.
Not that I think this is a wretched hive of scum and viallany. I just think this is a group of highly savvy computer users. There is deffinatly a line. A line I would wager the majority of
I can see both sides of the issue.
On one hand HP could embrace Mitnick's firm and then emblazon on their systems that it was hack proofed by the most notorious hacker to date.
On the other they can say we won't encorage miscreat beheivior and hire people who it seems pretty certain have done questionable things in their past but have never been caught.
Overall.... hiring the people that have yet to be caught may be better. But it also carries with it its own risk. They may be employing Mitnick Jr. The overworn Cliche of having the fox gauarding the hen house is poorly thought out. After all don't we often have a Dog guarding the hen house.. or the sheep ? And what is a dog but a domesticated version of the Fox/Wolf that has been trained to provide a constructive service instead of a destructive one ?
The true question to me then is if Mitnick is still a fox or if he has been house broken. If the former stay away, if the latter I can think of few would would be better. You decide. Me personally I think he is the moral equivalent of a celebrity spy ( its an oxymoron ) IE he can't do what he did anymore because he is too well known. I say companies should take advantage of the fact he is out in the open. Odds are he will wind up being a nemissis to wanna be Mitnicks more than an inspiration.
I don't ask you to be me. I only ask you not expect me to be you.
Sometimes, with the smarter ones. But that is only a small percentage.
;)
Most are fairly dumb. Probably no smarter than I.
The main reason they get started is they think its cool. Thats all there is to it. They hang around with a bunch of guys on IRC, find some hacking related channels, suck up to various people, start trying to develop some skills so they can get cred, and it goes from there.
With a trojan kit and half an hour of time (and a few weeks of waiting for the trojan to propogate), you to can be a DoS attack kiddie's best friend along with your 1000 drones or so.
Being a Kevin Mitnick is neither hard nor clever. It is very, very easy in this day and age.
He more than developed the technology, he developed the weapon itself. If he didn't design the V2, those people killed by V2s wouldn't have been killed by V2s. (simple enough?) There really isnt any break in the chain of causation.
To expand your argument, its the person who pushed the button that launched each individual V2 who was the person responsible for the deaths. I argue that its the person who made it possible for a rocket to kill people who is responsible and Robert Oppenheimer certainly seemed to agree with me.
I made the comparison with von Braun because America in that case chose to ignore any possible crimes to obtain the benefit of his knowledge (and von Braun was only one of many many German scientists with shady pasts, and otherwise, who were happily welcomed in America for their knowledge post WW2), and this directly compares with Mitnick in that any person who choses to employ Mitnick, regardless of his crimes, to obtain his knowledge, has acted in exactly the same way. Its really nothing more than a simple cost benefit analysis. The benefit outweighs the cost, moral or otherwise, in both cases.
"I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
Perhaps one of my favorite stories is of an Air Force Colonel who was proudly relaying a story about how he had recently taken his sports car and was by his own proud admittance racing through traffic. Well he got busted... and was being arrogant (after all, why should a Colonel be submissive to enlisted?) He then made some generic comment about "not going to speed" yet when he went around the corner he made a point to floor it (and oh yes, there was traffic around). He was very proud of himself. Sometimes people speed because they just did not realize the speed limit or just lost track of their actual speed... then there are those that feel they are above any laws made for "the little people."
if you meet a 5-time convicted felon, chances are good that he cannot be trusted with your corporation's security.
If you hire any consultant and simply plop your company's security in their lap, you have problems intelligent hiring cannot solve. Furthermore, as I consider the predatory and fraudulent work ethic your consultant hiring practices would seem to attract as being more socially destructive than hacking a cellphone network, I would suggest that you have already been screwed more mightily than you ever would if you hired Mitnick to tiger team your network.
Here is one important difference between Mitnick and von Braun. Mitnick was charged, and convicted for his crimes. And he then served his time, and served his parole. Von Braun was never even charged.
What is the phrase Americans use? Mitnick "paid his debt to society."
As for the deaths von Braun was responsible for? Some of the later correspondents in this thread are allowing him the defense Tom Lehrer suggested in his satirical song,
Von Braun wasn't just in charge of a big research project. He was also a Nazi party member. I have heard people defend his Nazi party membership. They say something like this, "C'mon, he wasn't really a Nazi. He just wanted to build rockets."
Well, von Braun wasn't just a Nazi. He oversaw the construction of the rockets too. And, as such, he was responsible for the employment of slave labor.
The Nazis held captive members of ethnic groups they didn't like, political prisoners, and homosexuals, and they worked them to death. 15,000 slave labourers worked in von Braun's factories I heard.
This site says one of his plants contained a concentration camp that employed 40,000 slave laborers.
Billy bob notwithstanding, the carter administration was pretty decent (on the scale of not being corrupt).
And I would suggest going back fourty-three years, at least.
I know this wont be a popular viewpoint here on slashdot, but perhaps we shouldn't reward people who break laws [by hacking] by giving them a job?
I dont mean to suggest either that (a) we should ignore a potentially powerful resource, or that (b) all hackers are necessarily immoral. However I personally would be quite upset if I were a security advisor who abstained from illegal activity, and a former hacker was hired to either replace or supervise me.
Also, from a devil's advocate position, I'm thinking this is akin to the hiring of former insider-traders to work on preventing further cheating. Basically, we're inviting the dog back into the pantry.
Please dont mod this as a troll, since I'm being serious here.
"Stumble before you crawl"
Would you hire a reformed ex-spammer to advise you on how to secure your mail system?
Would you pay a reformed ex-spammer to give a presentation at your company about mail system security?
Would you trust a convicted spammer if they've said that they are, indeed, reformed?
My personal answers: no; yes; and probably not.
More like "I-should-stick-to-being-in-every-poll-so-I-dont-p ost-dupes dept."
I am getting VERY tired of the dupes. Seriously- I WANT an answer to this question from one of the Slashdot editors: how hard is it for you people to actually READ(gasp! What a concept!) the site you approve stories for? HUH? How about a new rule: "If you don't read the site, you DON'T APPROVE STORIES."
For a long time you guys have given the impression that you just don't give a shit anymore. One clear message was when you guys spun off that "meetup.com" thing, encouraged us all to participate in "slashdot day", and then you guys fuckin' didn't even SHOW UP because you had "other plans". What gives? It was, in fact, one of the first things we talked about at our local slashdot meeting.
If you don't care, here's a clue: find someone who DOES, and hand the site over to them, or just pick some new editors. If you do care, tell us what you're going to do to fix the problem- I'm sure, being the incredibly bright and talented people, that you can think of SOMETHING.
Oh, and while you're at it, add a "Mitnick" category, so all of us, who DON'T GIVE A CRAP ABOUT MITNICK, can filter out the stories.
Please help metamoderate.
I disagree in the bounds of your phylosophy, because it is the negative energy in this world that highlights the positive energy that counterbalances the environment. In a world of computer security, Kevin Mitnick is a mere pawn. Kevin has been there, he has wandered around the 'negative' side of computer security. Reluctantly, I confess much of modern security is attributed to the 'negative' side of science. It's the ever-so-encroachments on our communication that provides jobs to make the communication more secure. Kevin is just a man, a nice man that has been slandered. Kevin didn't kill anyone, his interest in computer security and curiousness of the world around him was channeled in a way to take advantage of his resources. Who wouldn't want to travel around the world networks in a day? If I knew half of what Kevin knows, I would do what he did in a heartbeat, but that wasn't enough, or perhaps even Kevin didn't care about concealing his attempts; he was caught and his sin compared equal to an armed bank robber using a battering ram to steal the hard-earned gold of an orphanage.
Look at Kevin, learning from himself, he has invested in him the phylosophy of computing security that none of the conspirators or critics against him could muster. Do you trust someone else with your security, that always plays catch-up to the crackers that have not been caught? In a past slashdot article (maybe this story is its dupe), Hewlet-Packard's representative and Kevin Mitnick's DOJ prosecutor debated (slandered) Kevin saying they know all about security and all Kevin is capable of doing is being a criminal. In the rhetoric of the Fox guarding a henhouse, this is absolutly sidewise. Kevin is just a mere wolf, captured by the farmer and turned into a sheep-hurding dog. Enough with the comparisons, everyone in the security world is nowhere in sight of the skill Kevin Mitnick has attained. They're the ones that sit back in shock and awe with only an on-off switch to save their ass. Kevin has been there, and laughably his unlawful detention to a prison has not and will not impede his skill. Kevin is a master of security, he didn't go to college, that's where uneducated go to learn, when they aren't capable of becoming brilliant or ingenius on their own. Some of us are born knowing what we want to accomplish...Kevin is who you want to meet for the most secure data networks.
In the words of a fellow slashdotter in a previous article, this post pretty much sums what Kevin Mitnick should be treated as by everyone. Kevin Mitnick, what a name, what a man. In a world of curiousity, you can be enslaved for someone else's lack of passion in their job. Kevin Mitnick is waiting to be hired, The Counselor on Computer Security. This is an enterprising man that is being held hostage by people who think they are God, judging him perpetualy. Above all, Kevin Mitnick is an American and I will die for his freedom because I know he would stand for my freedoms too. That is the hacker's ethic: Freedom!
The critical flaw in the thinking of establishment dweebs like Painter and Winkler is that they assume that security experts who are lawful are also skill- and knowledge-equivalent to a criminal or professional hacker, even a benign or hobby hacker.
... and I would bet my left testicle they would find this information in the writings or testimony of all types of hackers.
How do you know your code's broke unless you try to break it? Breaking software is a good way to test it -- since real-world operations are what the software will experience normally -- hence hacking systems is the capstone on the surety that your systems are secure. So, even if these so-called security experts do perform these tasks (i.e. hacking their own systems with permission), they must still come up with ways to assault systems
At the basis of knowledge and skill, knowing and doing are the same thing. Painter and Winkler types don't dare admit this even if they do understand it. They would be police admitting to the usefulness and need for criminals. I never expect to see that happen.
Mitnick is still in prison, but now his bars are made of philosophy.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]