Should You Hire a Hacker?
fabioj writes "Business Week has an article about today's debate at the RSA Security Conference held at the Moscone Center attended by Kevin Mitnick and his 1995 trial prosecutor, Christopher Painter. Interesting to note that Painter doesn't see Kevin Mitnick's experiences as a deterrent for the 'up-and-coming technology workforce' to criminally hack."
Most caught crackers are going to bring special, outdated skills to the job.
Kevin is lucky in that getting put in jail actually increased his prospect for employment once he got out. For most people, a felony can be a lifelong sentence. And I don't understand how that's called "justice".
Actually, I think the really important point here is the social aspect of his cracking. The tools and the security systems will change, but there will always be a human somewhere who knows the password, and you can ignore all of the technical defenses if you can sweet talk them just right. Or if they do stupid things like pick predictable passwords. Or write the password on a post-it-note on their desk.
I think much more than just doing a port scan, a company would hire Mitnick to examine their _human_ protocols and proceedings for dealing with security.
The government hires ex-criminals to fight crime with great success -- just look at She-Spies! ;-)
I am not in a position where I can affirm that Mr. Mitnick is reformed and can be trusted. However, I disagree with statements such as "Criminals are Criminals".
And in answer to the assumption that Fortune 500 would not hire a criminal for his services, I would like to point out that many of these companies have hired Mr. Frank Abagnale in the past, who first made himself famous for check fraud before working with the FBI and then creating his own consulting firm. He is an example that an ex-criminal can become successful by using the same skills that made him a criminal in the first place, and that law enforcement and big companies do sometimes hire such people for their services.
True, why would you want to hire a _convicted_ felon?
You need to hire the hacker they _didn't_ catch. Surely the guy who managed to cover his tracks so well as to never get caught is a much better person to learn from.
I used to work at MHMR/TC and my supervisor, on at least one occasion, bought phony computer equipment and pocketed the money. Further, when a co-worker of mine tried to blow the whistle on him, he was told to play along or else they would make his life miserable at work, which they did and he was soon fired or forced to resign.
I, on the other hand, who am very skilled with computers, was put in a rather awkward position after I was let in on the little secret because it soon became apparent that it was bothering me and they obviously feared they could not trust me, so they treated me badly and I soon became suicidal and tried to commit suicide four times.
Later on, however, after I was forced to resign and was able to collect myself, I discovered that one particular co-worker's Yahoo! email account was linked to credit card stealing, which you may view for yourself here which so happened about the same time someone stole money out of two of my co-workers' purses.
When I discovered this, it was like, great! We finally have the culprit and so I told them, but they did not do anything. I even told them about the supervisor that was buying phony equipment and keeping the money. Still, they did not do anything. Then, after realizing many are involved, I wrote one email to many people in the organization (that is, many people were in the To: header) and they responded by threatening me with litigation concerning things like computer security breachment, criminal harassment with a computer and some other computer crimes.
Why is it that since they're idiots with computers but thieves they can point to someone that is good with computers and not a thief and call her a criminal hacker?
OK. A guy breaks the law and is convicted on the basis of his hacking crimes. When he comes out he gets a prime well paid job on the basis of his law breaking experience.
What kind of example is that setting?
"Break the law, and get a good job" is NOT a good example to be setting, it will only encourage people to commit similar crimes.
I think companies are perfectly correct not to employ convicted hackers in a security role. It is completely morally and ethically wrong to reward people for crimes they have committed.
"Information wants to be paid"
Once upon a time, I was a hacker. I've always been into computers, since I first encountered a TRS-80 in 1977. I'm 36 now. I'm still using my original handle from those days, and wrote an article for Phrack in '85. I actually was one of the people who helped talk Craig (Neidorf, "Knight Lightning") into starting it as an online magazine. I've always believed in freedom of information.
In those early days, there were LOTS of us (young people) who were into computers and were fascinated by them. But there was no internet, and those of us in small towns (like myself) had NO means to communicate with others with the same interests, other than BBS systems using a 300 baud modem, or 1200 baud if you could possibly afford it.
So, at that time, if you wanted to learn and communicate, one of the first things you would do would be to call BBS's all over the US. But phone charges were high!! And the parents didn't like that!! So -- you would ask around. And soon, you'd find out about "hacking." Hacking local systems to use TELENET (not telnet), hacking local business PBX systems to get an outside line, which were usually 3-digit "passwords" in those days, or using "codes" to dial out using Sprint, MCI, or TMC (My article for Phrack was on TMC hacking.)
Was it illegal? Yes. It was also amazingly simple. At that time, you would dial a local access number, enter a code (sometimes only 4 digits), enter a # to call, and it would go through. You could use a phone code for a month or more usually, until the customer got the bill and complained. I guess phone co. insurance picked up the tab. I never really cared.
Pretty much my entire interest in and knowledge of computing and networking came from these early "hacking" experiences. I don't regret them. And I'm the most honest person you could hope to meet. Had there been an "internet" or ANY way to communicate with other computer folks, I would have used it. I pride myself on my honesty and don't steal, rob, rape, pillage or murder. I just like to learn new stuff.
And, at that time, that was how it was done. Mitnick came from that era, and I think he was screwed unforgivably. I'm now a partner in a company that does some security work. Would I hire him? Absolutely, I know just where he's from.
PK: 09F911029D74E35BD84156C5635688C0
if you meet a 5-time convicted felon, chances are good that he cannot be trusted with your corporation's security.
If you hire any consultant and simply plop your company's security in their lap, you have problems intelligent hiring cannot solve. Furthermore, as I consider the predatory and fraudulent work ethic your consultant hiring practices would seem to attract as being more socially destructive than hacking a cellphone network, I would suggest that you have already been screwed more mightily than you ever would if you hired Mitnick to tiger team your network.
Here is one important difference between Mitnick and von Braun. Mitnick was charged, and convicted for his crimes. And he then served his time, and served his parole. Von Braun was never even charged.
What is the phrase Americans use? Mitnick "paid his debt to society."
As for the deaths von Braun was responsible for? Some of the later correspondents in this thread are allowing him the defense Tom Lehrer suggested in his satirical song,
Von Braun wasn't just in charge of a big research project. He was also a Nazi party member. I have heard people defend his Nazi party membership. They say something like this, "C'mon, he wasn't really a Nazi. He just wanted to build rockets."
Well, von Braun wasn't just a Nazi. He oversaw the construction of the rockets too. And, as such, he was responsible for the employment of slave labor.
The Nazis held captive members of ethnic groups they didn't like, political prisoners, and homosexuals, and they worked them to death. 15,000 slave labourers worked in von Braun's factories I heard.
This site says one of his plants contained a concentration camp that employed 40,000 slave laborers.
I know this won't be a popular viewpoint here on slashdot, but perhaps we shouldn't reward people who break laws [by hacking] by giving them a job?
I don't mean to suggest either that (a) we should ignore a potentially powerful resource, or that (b) all hackers are necessarily immoral. However I personally would be quite upset if I were a security advisor who abstained from illegal activity, and a former hacker was hired to either replace or supervise me.
Also, from a devil's advocate position, I'm thinking this is akin to the hiring of former insider-traders to work on preventing further cheating. Basically, we're inviting the dog back into the pantry.
Please don't mod this as a troll, since I'm being serious here.
"Stumble before you crawl"
More like "I-should-stick-to-being-in-every-poll-so-I-dont-post-dupes dept."
I am getting VERY tired of the dupes. Seriously- I WANT an answer to this question from one of the Slashdot editors: how hard is it for you people to actually READ(gasp! What a concept!) the site you approve stories for? HUH? How about a new rule: "If you don't read the site, you DON'T APPROVE STORIES."
For a long time you guys have given the impression that you just don't give a shit anymore. One clear message was when you guys spun off that "meetup.com" thing, encouraged us all to participate in "slashdot day", and then you guys fuckin' didn't even SHOW UP because you had "other plans". What gives? It was, in fact, one of the first things we talked about at our local slashdot meeting.
If you don't care, here's a clue: find someone who DOES, and hand the site over to them, or just pick some new editors. If you do care, tell us what you're going to do to fix the problem- I'm sure, being the incredibly bright and talented people, that you can think of SOMETHING.
Oh, and while you're at it, add a "Mitnick" category, so all of us, who DON'T GIVE A CRAP ABOUT MITNICK, can filter out the stories.
Please help metamoderate.