Should You Hire a Hacker?
fabioj writes "Business Week has an article about today's debate at the RSA Security Conference held at the Moscone Center attended by Kevin Mitnick and his 1995 trial prosecutor, Christopher Painter. Interesting to note that Painter doesn't see Kevin Mitnick's experiences as a deterrent for the 'up-and-coming technology workforce' to criminally hack."
Most caught crackers are going to bring special, outdated skills to the job.
Kevin is lucky in that getting put in jail actually increased his prospect for employment once he got out. For most people, a felony can be a lifelong sentence. And I don't understand how that's called "justice".
Actually, I think the really important point here is the social aspect of his cracking. The tools and the security systems will change, but there will always be a human somewhere who knows the password, and you can ignore all of the technical defenses if you can sweet talk them just right. Or if they do stupid things like pick predictable passwords. Or write the password on a post-it-note on their desk.
I think much more than just doing a port scan, a company would hire Mitnik to examine their _human_ protocols and proceedings for dealing with security.
I am not in a position where I can affirm that Mr. Mitnick is reformed and can be trusted. However, I disagree with statements such as "Criminals are Criminals".
And in answer to the assumption that Fortune 500 would not hire a criminal for his services, I would like to point out that many of these companies have hired Mr. Frank Abagnale in the past, who first made himself famous for check fraud before working with the FBI and then creating his own consulting firm. He is an example that an ex-criminal can become successful by using the same skills that made him a criminal in the first place, and that law enforcement and big companies do sometimes hire such people for their services.
Once upon a time, I was a hacker. I've always been into computers, since I first encountered a TRS-80 in 1977. I'm 36 now. I'm still using my original handle from those days, and wrote an article for Phrack in '85. I actually was one of the people who helped talk Craig (Neidorf, "Knight Lightning") into starting it as an online magazine. I've always believed in freedom of information.
In those early days, there were LOTS of us (young people) who were into computers and were fascinated by them. But there was no internet, and those of us in small towns (like myself) had NO means to communicate with others with the same interests, other than BBS system using a 300 baud modem, or 1200 baud if you could possibly afford it.
So, at that time, if you wanted to learn and communicate, one of the first things you would do would be to call BBS's all over the US. But phone charges were high!! And the parents didn't like that!! So -- you would ask around. And soon, you'd find out about "hacking." Hacking local systems to use TELENET (not telnet), hacking local business PBX systems to get an outside line, which were usually 3-digit "passwords" in those days, or using "codes" to dial out using Sprint, MCI, or TMC (My article for Phrack was on TMC hacking.)
Was it illegal? Yes. It was also amazingly simple. At that time, you would dial a local access number, enter a code (sometimes only 4 digits), enter a # to call, and it would go through. You could use a phone code for a month or more usually, until the customer got the bill and complained. I guess phone co. insurance picked up the tab. I never really cared.
Pretty much my entire interest in and knowledge of computing and networking came from these early "hacking" experiences. I don't regret them. And I'm the most honest person you could hope to meet. Had there been an "internet" or ANY way to communicate with other computer folks, I would have used it. I pride myself on my honesty and don't steal, rob, rape, pillage or murder. I just like to learn new stuff.
And, at that time, that was how it was done. Mitnick came from that era, and I think he was screwed unforgivably. I'm now a partner in a company that does some security work. Would I hire him? Absolutely, I know just where he's from.
PK: 09F911029D74E35BD84156C5635688C0
if you meet a 5-time convicted felon, chances are good that he cannot be trusted with your corporation's security.
If you hire any consultant and simply plop your company's security in their lap, you have problems intelligent hiring cannot solve. Furthermore, as I consider the predatory and fraudulent work ethic your consultant hiring practices would seem to attract as being more socially destructive than hacking a cellphone network, I would suggest that you have already been screwed more mightily than you ever would if you hired Mitnick to tiger team your network.
I know this wont be a popular viewpoint here on slashdot, but perhaps we shouldn't reward people who break laws [by hacking] by giving them a job?
I dont mean to suggest either that (a) we should ignore a potentially powerful resource, or that (b) all hackers are necessarily immoral. However I personally would be quite upset if I were a security advisor who abstained from illegal activity, and a former hacker was hired to either replace or supervise me.
Also, from a devil's advocate position, I'm thinking this is akin to the hiring of former insider-traders to work on preventing further cheating. Basically, we're inviting the dog back into the pantry.
Please dont mod this as a troll, since I'm being serious here.
"Stumble before you crawl"