Slashdot Mirror
Should You Hire a Hacker?
fabioj writes "Business Week has an article about today's debate at the RSA Security Conference held at the Moscone Center attended by Kevin Mitnick and his 1995 trial prosecutor, Christopher Painter. Interesting to note that Painter doesn't see Kevin Mitnick's experiences as a deterrent for the 'up-and-coming technology workforce' to criminally hack."
So why is Poindexter running Total Information Awareness?
What ever happened to "rehabilitation"... I guess some people just can't forgive.
- colin
He's not a criminal any more, he's a member of society just like the rest of us.
Mr. Painter seems to be...painting...anyone who has ever committed a crime as a lifelong criminal. Good work rejecting the entire philosophical foundation of our criminal justice system, dipshit.
And as much as I hate replying to my own post, he's a 5 time CONVICTED felon.
He had his chance to do 'the right thing' and he proved he couldn't do it. Toss this guy out with the trash and give some honest, decent hard-working folks some jobs.
"Anybody who tells me I can't use a program because it's not open source, go suck on rms. I'm not interested." (LT 2004)
If someone will employ you, then you're trusted. You just have to prove yourself to them
Brocklesby Park Cricket Club
You know the rest.
Although it certainly matter what your former profession might be, as long as you can do your job (of network security, I mean). OTOH, it seems like the best methods of foiling spies and hackers is to think like one, and the best way to think like one, is to, well BE one.
Interestingly, I wonder exactly who the U.S. has employed in its counterterrorist operations.
So the question boils down to morality. And that's not so easily defined. IANAH, but I suppose one of the better methods would be double-blind security; one ex-hacker to design the system, one ex-hacker to try and defeat it, and never the twain shall meet.
I actually kinda agrea with both of them. A criminal isn't one to be trusted depending on why they were in jail for, but on the other hand, one who has the knowldge, a hacker in this story, could be very usefull. A hacker knows how to get around things, and if at first they can't, they work at getting their goal. they have experience. now Painter might say thats why you should higher a security professional. yet who would you rather have, some nerdy kid fresh out of college? or would you rather have someone who knows whats out there, has experience with the programs that you will be using? and quite frankly could do better security audits then the nerdy college kid? no offence to anyone in college for this, nerdy just seamed like a good way to state my point even though the majority of the people in the field aren't that way at all. heh. well just my 2bits, peace.
as a company's employee - maybe as an expert. AFAIK he was a genius at using tools, but I don't remember him creating any of them. Maybe I'm mistaken? That brings another question: if somebody creates a tool and somebody else uses it, who is the bad guy? Recent stories (like the one of DeCSS and the one about RIAA suing students) show that people start to go after those that make tools. Shouldn't we start prosecuting gun, hammer, ax, and car manucaturers?
iThink iHate iMod
Most caught crackers are going to bring special, outdated skills to the job.
Companies should be allowed to hire anyone they want, whether they have a criminal conviction or not.
What's the problem?
If I seem short sighted, it is because I stand on the shoulders of midgets
$5 / month hosted VPS on linux = awesome!
Toss this guy out with the trash and give some honest, decent hard-working folks some jobs.
One problem I see with this approach is that he is probably one of the best qualified on this planet for certain jobs..
He has this valueable knowledge and changes are someone will approach him with an offer ..
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
They're called crackers.
Mitnick sounds like little more than a self-promoter to me.
Am I running a bank with millions of dollars, and do I want the reformed hacker to secure the database with all the money in it?
Come on, this is common sense:
1: If the reformed hacker was doing it for personal profit, don't hire the hacker. If the hacker was just bored and causing trouble, maybe hire the hacker.
2: If you want to secure the aforementioned bank's financial DB, don't hire a hacker, and have someone looking over the shoulder of the guy you do hire. =)
3: If the reformed hacker writes all of his memos in 1337$p34|{, make sure you aren't hiring a reformed script-kiddie.
Like I said, simple, sensible rules...
Lagito ergo expectabo
Just like no one who went AWOL should be Commander in Chief, and the head of a giant energy corporation who mismangaged and defrauded it out of zillions of dollars should serve on a energy 'task force' behind closed doors, and a convicted monopolist should be able to expand their business to the very department of Justice that looked the other way.
Oh.
I guess what I meant to say is Christopher Painter must be a dumbfuck.
Thank you! I'll be here all week!(or at least until the Privacy Czar's Storm Troopers come to put a transmitter in my ass...)
Just google for getting more results and descriptions on the subject.
Genius doesn't work on an assembly line basis. You can't simply say, "Today I will be brilliant."
It's not just about whether convicted felons can be trusted--M. seems to argue that it's actually _better_ to hire someone who's been on the shady side of the law.
And as most crackers look for unsecured systems rather than attacking or defending a specific one, I don't think the "special skills" argument holds much weight.
Ex-druggies make great recovery therapists but bad customs agents..
Like Frank Abagnale who, after a brief but brilliant career as a conman, was eventually hired by the FBI itself.
BOO! TERRO
So the prosecutor was concerned about Mitnick's lack of remorse? While I cannot condone Mitnick's actions at all, I have to wonder how easy it would be to show remorse when the legal is being used abused against you. If there had been a speedy and fair trial that would be one thing, but given all that happened in this case I know that by the time the actual trial came about my anger would get in the way. I'm not saying that's ok, I'm just guessing at what my own reactions might be.
Winkler might want to look at the message that HP is sending by hiring the Getto Hackers and not hiring Mitnick. To me that message is "Hacking is ok if you don't get caught." I suppose it might be a valid viewpoint (in football it isn't holding if the ref doesn't call it) but to me that seems like the wrong thing to say for someone who is trying to take the moral high ground.
"Where quality is like a dead stinking rat - you just can't miss it."
In a different context, how do you feel about someone like Nelson Mandella? A convicted terrorist who has shown that he can work for peace... Nelson Mandella was arrested while attempting to blow up a railway station, his organisation, the ANC, went on to kill hundreds of people. Yet now he is someone that works tirelessly for peace. He has a far greater understanding of the problems faced than a numbty like GW who just lives for war and seems no better than the terrorists.
The parrallels are very clear to me.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
What!? And miss out on that one-on-one attention?
Let it be known across the lands that this man has said loudly what we all have feared! Hacking is like having sex with kids! Beware! Begone!
The fundamental question here is if we, as a society, believe that breaking into computers and stealing data/access is a crime, why should people who commit that crime benefit from it by being able to claim it as a skill on their resume.
Work Experience:
1992-1998: Freelance consulting work in the information security sector.
Have you ever been convicted of a crime?
1998-2003: Jailed for invading a computer system and stealing sensitive information.
Note that I'm not representing the above as any actual person but an example of someone representing criminal activities as job experience. How about college followed by normal entry-level work, instead?
I believe there is room for people who proves themselves to be trustworth. These are the sort of folks who have a private contained network in which they do their hacking. There aren;t hurt anyone and theuy are still learning.
If they find something they then take the appropiate route of contacting the appropiate company and working with them to fix the problem As for the people who find an exploit then use it. No definitly not
Rus
Cheap UK and US VPS
The government hires ex-criminals to fight crime with great success -- just look at She-Spies! ;-)
Hacking is an addiction. Furthermore, a succesfull cracker does not necessarily make a good security expert. You wouldn't give a 5 time convicted drunk driver their license, even if they haven't touched alcohol for years... Why? Because it can be too easy, too much of a temptation to fall back into old habits.
Maybe you've never felt a true addiction. Perhaps you don't know what it's like to be mentally chained to some action, item, etc. Sure, you get into long programming binges, where you're in 'the zone' for hours, but it's not like you can't go 2 minutes without zoning out of real life and thinking about your program.
When you are addicted to something you very literally are unable to keep your mind off the subject for any length of time.
The chances of an addicted, convicted, and reformed cracker of being tempted and going back to their old ways are so much greater than the chances of a programmer/net admin/whatever who hasn't been addicted that it isn't a reasonable risk to take. You don't give a reformed alcoholic a wine tasting job.
That being said, it's unfair to group people together by any metric. I could say, for instance, that all good criminals are persistant con men. It isn't always true all the time, but when you look at one case at a time it certianly seems so. Most, if not all, of Mitnick's significant exploits weren't brain power, or shear ability to break systems. It was his ability to convince another person that he was authorized to recieve sensitive information, and when he didn't get it from one person he moved on to the next. A very charismatic, persistent con man. Certianly no Carmack.
So it's not fair to lock everyone convicted of computer crimes from using computers again, or even from using computers in the way they used them in their illegal activities.
But if you are shortsighted enough to believe that a true addicted can ever be fully and completely cured... Employer beware...
-Adam
A better example would be using the reformed pedophile to catch other pedophiles, since they know how they think and act...
I'm a consultant for an internet security company. The job is challenging, varied, fun and well paid. I get involved in pen tests, source code audits, hardware audits, etc etc. I wouldn't have got this job were it not for the fact that in a former life I used to 'play' with things I shouldn't. Don't get me wrong, I've never been arrested or charged with any crime relating to computer misuse, I've never done anything that serious. Something as simple as writings 'POKEs' for computer games was considered hacking/cracking in the old days.
I'm not the only one in the company like this. There are other senior members of staff that some good past experience. Between us all it means that we have a vast wealth of knowledge and experience that enables us to offer a good service to the customer.
So, the point of my post is, that being an ex hacker/cracker isn't a problem to my employers.
If a criminal is a criminal, does that not mean the whole point of prisons doesn't work? They aren't just there for punishment, they're there for the convict the reflect on his/her past and become a reformed person.
Im pretty sure that the main point of prison..besides simple punishment..is to reform those to behave society's rules when they have shown that they cant. When they are released from prison, they are -supposed- to be considered a fully functional reformed member of society.
To label an EX-con as always a criminal kind of goes against the whole point of prisons, and general reform.
It's easier to fight for one's principles than to live up to them.
I am not in a position where I can affirm that Mr. Mitnick is reformed and can be trusted. However, I disagree with statements such as "Criminals are Criminals".
And in answer to the assumption that Fortune 500 would not hire a criminal for his services, I would like to point out that many of these companies have hired Mr. Frank Abagnale in the past, who first made himself famous for check fraud before working with the FBI and then creating his own consulting firm. He is an example that an ex-criminal can become successful by using the same skills that made him a criminal in the first place, and that law enforcement and big companies do sometimes hire such people for their services.
True, why would you want to hire a _convicted_ felon?
You need to hire the hacker they _didn't_ catch. Surely the guy who managed to cover his tracks so well as to never get caught is a much better person to learn from.
So what is prison for? To make a profit for the private companies that have taken over the worlds largest (and growing) prison population? If it doesn't reform you, why are we letting people out at all?
Do people get to live nomal lives after coming out of prison? No. They get 20 bucks or whatever they came in with, and kicked out, and given no time to adjust to society.
I'd say that if you can't trust an ex-con who served his time, either he didn't get a long enough sentence, the prison system needs reform, or you've been watching too much Magnum P.I.
(I did very much enjoy posting that last one by the way....;)
I don't understand this discussion. A lot of movies and TV-series have already proven that using a former criminal is the only (cool) way to go if you really mean business?
The glass is half-full. With poison. And there are cracks in the glass. The dirty, dirty glass.
From the article: Regardless of whether or not a hacker with a record has reformed, the bottom line, said Painter, is that paying former criminals big bucks sends the wrong message to the young, up-and-coming technology workforce. He added, "That's like saying the best way to a high pay check is to go out and be a criminal hacker."
Too right. I agree with this 100%.
If we encourage kids to do this, by promising them a long and lucrative career in 'Security', then we will just have even more crackers out there trying out their so-called skills.
I've had one guy who repeatedly downed a DALnet server I managed tell me that basically he hoped to put his skills on the market once he finished his Degree. He laughed at me when I suggested having a criminal record might slow him down.
If you run an IT department, don't hire crooks. No matter HOW good they say they are, a trained professional without a criminal record is a thousand times better than some thug who has spent his youth trying to make lives for people like me a misery.
I used to work at MHMR/TC and my supervisor, on at least one occasion, bought phony computer equipment and pocketed the money. Further, when a co-worker of mine tried to blow the whistle on him, he was told to play along or else they would make his life miserable at work, which they did and he was soon fired or forced to resign.
I, on the otherhand, who am very skilled with computers, was put in a rather awkward position after I was let in on the little secret because it soon became apparent that it was bothering me and they obviously feared they could not trust me, so they treated me badly and I soon became suicidal and tried to commit suicide four times.
Later on, however, after I was forced to resign and was able to collect myself, I discoverd that one particular co-worker's Yahoo! email account was linked to credit card stealing, which you may view for yourself here which so happened about the same time someone stole money out of two of my co-worker's purses.
When I discovered this, it was like, great! We finally have the culprit and so I told them, but they did not do anything. I even told them about the supervisor that was buying phony equipment and keeping the money. Still, they did not do anything. Then, after realizing many are involved, I wrote one email to many people in the organization (that is, many people were in the To: header) and they responded by threatening me with litigation concerning things like computer security breachment, criminal harassment with a computer and some other computer crimes.
Why is it that since they're idiots with computers but thieves they can point to someone that is good with computers and not a thief and call her a criminal hacker?
I don't think most hackers hack because they like crime. They like a challenge. The want a way to test their intellectual arsenal against others.
:) )
In a way, I guess you could look at hacking the first multi-player online game. It was the first way to pit yourself against a real human opponent online (aside from checkers and chess on Prodigy back in the 80's I guess
The hackers play the "side" of the hackers because that is the side that's most available. If you give them a job as the sysadmin, then being able to read everyone's mail is no longer a challenge and, hence, tends to lose its novelty. Instead, they now have a new adversary: the rest of the hacker world.
It's all about proving that your king-fu is better. Whether you play the black pieces or the white pieces only determines the numbers printed on your paycheck (or your orange jumpsuit, I guess).
OK. A guy breaks the law and is convicted on the basis of his hacking crimes. When he comes out he gets a prime well paid job on the basis of his law breaking experience.
What kind of example is that setting?
"Break the law, and get a good job" is NOT a good example to be setting, it will only encourage people to commit similar crimes.
I think companies are perfectly correct not to employ convicted hackers in a security role. It is completely morally and ethically wrong to reward people for crimes they have committed.
"Information wants to be paid"
Once upon a time, I was a hacker. I've always been into computers, since I first encountered a TRS-80 in 1977. I'm 36 now. I'm still using my original handle from those days, and wrote an article for Phrack in '85. I actually was one of the people who helped talk Craig (Neidorf, "Knight Lightning") into starting it as an online magazine. I've always believed in freedom of information.
In those early days, there were LOTS of us (young people) who were into computers and were fascinated by them. But there was no internet, and those of us in small towns (like myself) had NO means to communicate with others with the same interests, other than BBS system using a 300 baud modem, or 1200 baud if you could possibly afford it.
So, at that time, if you wanted to learn and communicate, one of the first things you would do would be to call BBS's all over the US. But phone charges were high!! And the parents didn't like that!! So -- you would ask around. And soon, you'd find out about "hacking." Hacking local systems to use TELENET (not telnet), hacking local business PBX systems to get an outside line, which were usually 3-digit "passwords" in those days, or using "codes" to dial out using Sprint, MCI, or TMC (My article for Phrack was on TMC hacking.)
Was it illegal? Yes. It was also amazingly simple. At that time, you would dial a local access number, enter a code (sometimes only 4 digits), enter a # to call, and it would go through. You could use a phone code for a month or more usually, until the customer got the bill and complained. I guess phone co. insurance picked up the tab. I never really cared.
Pretty much my entire interest in and knowledge of computing and networking came from these early "hacking" experiences. I don't regret them. And I'm the most honest person you could hope to meet. Had there been an "internet" or ANY way to communicate with other computer folks, I would have used it. I pride myself on my honesty and don't steal, rob, rape, pillage or murder. I just like to learn new stuff.
And, at that time, that was how it was done. Mitnick came from that era, and I think he was screwed unforgivably. I'm now a partner in a company that does some security work. Would I hire him? Absolutely, I know just where he's from.
PK: 09F911029D74E35BD84156C5635688C0
You ever listened to any gangsta rap or seen the movie Catch Me If You Can? Both probably have a much bigger influence on the general public.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
This is a very insular USENet thing adopted by some segments of Free Software culture, and not at all in keeping with past or present common usage in the computer field or wider culture. As noted in one of the other replies, the usage of "cracker" to describe people who break into computers was coined ca. 1985; the usage of "hacker" to describe these same people dates back to the late 1970s, and was already in very common usage by the early 1980s. For the vast majority of the history of computers, this (someone who breaks into computers) has been the primary meaning of the term "hacker."
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Kevin Mitnick has served the sentence society gave him.
And while it is every employers choice if they want to hire him or not, it is foul play of his prosecutor to argue in public that he should not be given a job.
Even if the prosecutor personally don't believe in reform (no, even though you yanks all seem to believe it, the purpose of imprisonment is not revenge from society's point of view), he is still a DOJ official. How can he send people to jail, claiming it is for their reform, when he obviously don't believe this?
Maybe he is, like somebody here so eloquently put it in his sig, a gay dungeon master.How small a thought it takes to fill a whole life
I agree 100% and make a comparison with Werner Von Braun, who undoubtedly caused the death of many hundreds of people as a result of his development of the V2 rocket in WW2, but also undoubtedly knew more about rockets than just about anyone anywhere. His past history certainly didn't stop the US Government from leveraging his skills to get to the moon (well, maybe ;)
Moreover, Mitnick (and any felon who is now out of jail) has served his time and if the system does what its supposed to do, he is now reformed. (Unless you argue that jail is purely a punitive thing, in which case why let anyone out ever, if they are just going to be the same as they went in?) Certainly, I would think twice about handing him the proverbial keys to the NSA's servers, but equally, if I wanted to protect those same servers, who better to ask than someone who potentially has the skills to compromise them?
"I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
Arguing that Mitnick is glorifying hacking is like saying that The Sopranos is a "wrong" show because it glorifies New Jersey-- I mean the Mafia.
IANAH, but I suppose one of the better methods would be double-blind security; one ex-hacker to design the system, one ex-hacker to try and defeat it, and never the twain shall meet.
1. We talk about crackers here, not hackers.
2. Crackers generally suck at system design.
Remember that in general any destructive activity is easier than constructive - that's a property of the Universe we live in. Building demolition, while requires some thinking to be done properly, tends to take much less time, thought and effort than building construction. There is strong similarity in other areas of human activity.
Most creative types in the industry - software architects, engineers, good sysadmins - could succeed tremendously in cracking if they wanted to, much better than an average script kiddie. However they fortunately have different priorities.
So while I agree that it might be useful to hire ex-cracker for a security audit, the design of security measures should be left to experts.
Lisp is the Tengwar of programming languages.
Of course the probability of a Security Expert to be a black hat increases somewhat, if you know that he has been jailed for cracking. But you even might be able to trust an rehabilitated ex-cracker more than a hacker, whose hat colour you cant know...
And of course it goes without saing that I would hire Kevin Mitnick anytime. Indeed, this would give me a strong warm and fuzzy feeling.
Intresting concept but as many have pointed it out it has problems.
/.'ers have not crossed and its a line Mitnick was well on the other side of. But to some extent I think the largest difference there is someone who acted on knowledge vrs people who possesed the knowledge. Ultimately who makes the better applicant for a job ? The one with the knowledge or the one with the knowledge and the experience ? In terms of social engineering Mitnick is one of the few KNOWN people that knows through experience the difference between reality and theory. However the fact of his experience makes him a risk.
I can't say I would hire him to build my security system. I would however hire him to test it ala "Sneakers".
Computer security savvy is a catch twenty two. You can't know how to defend unless you know how they attack. The only way to be premptive is to figure out all the ways of attack. This means you have to attack your system at least theoretically. And the only way to determin if your deffense is effective is to test it.
People who are only testing a system will always be less creative in finding 'hacks' than those truly trying to penetrate the system. Its the problem of being inside the box.
The best crook is a cop and the best cop is a crook. Know your enemy. Keep your friends close and your enemies closer.
Ultimately I don't buy this rewarding crap. Mitnick at some level has paid for his transgressions with an all expense paid federal 'vacation'. If he so much as twitches his nose wrong with a computer system again and it is caught they will send him back and throw away the key. Paying the man to gain knowledge that can help you build a better and more secure system is not rewarding him. It is not encouraging kids to go get busted for a felony hacking offense and spend years in prison for the possibility of making big bucks as a security consultant.
To the letter of the law I doubt there are many people who post here who under 100% enforcement would not possess a computer misuse charge agianst them. How many here might have been that kid the RIAA just lit up? How many have never copied anything that was not supposed to be copied? How many have never tried a back door method of gaining access to a system ? Hell how many havn't successfully gone through a back door? Answer that with no justification, no weasle wording, and no claims but that was different. Technically the law dosn't give a damn.
Not that I think this is a wretched hive of scum and viallany. I just think this is a group of highly savvy computer users. There is deffinatly a line. A line I would wager the majority of
I can see both sides of the issue.
On one hand HP could embrace Mitnick's firm and then emblazon on their systems that it was hack proofed by the most notorious hacker to date.
On the other they can say we won't encorage miscreat beheivior and hire people who it seems pretty certain have done questionable things in their past but have never been caught.
Overall.... hiring the people that have yet to be caught may be better. But it also carries with it its own risk. They may be employing Mitnick Jr. The overworn Cliche of having the fox gauarding the hen house is poorly thought out. After all don't we often have a Dog guarding the hen house.. or the sheep ? And what is a dog but a domesticated version of the Fox/Wolf that has been trained to provide a constructive service instead of a destructive one ?
The true question to me then is if Mitnick is still a fox or if he has been house broken. If the former stay away, if the latter I can think of few would would be better. You decide. Me personally I think he is the moral equivalent of a celebrity spy ( its an oxymoron ) IE he can't do what he did anymore because he is too well known. I say companies should take advantage of the fact he is out in the open. Odds are he will wind up being a nemissis to wanna be Mitnicks more than an inspiration.
I don't ask you to be me. I only ask you not expect me to be you.
He more than developed the technology, he developed the weapon itself. If he didn't design the V2, those people killed by V2s wouldn't have been killed by V2s. (simple enough?) There really isnt any break in the chain of causation.
To expand your argument, its the person who pushed the button that launched each individual V2 who was the person responsible for the deaths. I argue that its the person who made it possible for a rocket to kill people who is responsible and Robert Oppenheimer certainly seemed to agree with me.
I made the comparison with von Braun because America in that case chose to ignore any possible crimes to obtain the benefit of his knowledge (and von Braun was only one of many many German scientists with shady pasts, and otherwise, who were happily welcomed in America for their knowledge post WW2), and this directly compares with Mitnick in that any person who choses to employ Mitnick, regardless of his crimes, to obtain his knowledge, has acted in exactly the same way. Its really nothing more than a simple cost benefit analysis. The benefit outweighs the cost, moral or otherwise, in both cases.
"I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
Well, then, probably every politician currently active in the US (and most other places) ought to be fired immediately.
And it seems someone needs to read Les Miserables.
Like many have already said, it's about trust... it's not about whether he is a criminal or not. Being a criminal convicted 5 times of computer related crimes makes him untrustworthy regarding computer security.
I'm sure Mr. Mitnick would be a very trustworthy chef or petroleum distribution agent (aka gas pumper). But as a security guy in a corporation? Uhhh I don't know about that one!
A criminal is only a criminal because the law says he is.
"The evil of the world is made possible by nothing but the sanction you give it." -- Ayn Rand
Just like I would never hire a delivery drive who has had a speeding ticket. Just can't trust them. I also don't hire receptionists who have had a speeding ticket. I don't use doctors who have had a speeding ticket. I don't talk to anyone who has ever had a speeding ticket in their entire life, because I have never had one, and that is the standard I expect of everyone around me. Of course I have broken the speed limit, almost every day, and I've been pulled over. But I've never gotten a speeding ticket, so I don't trust people who do.
In case you missed it, I was being sarcastic there. My point is that Mitnick was caught hacking into computers just to hack into computers. In many cases, people gave him access, unthinkingly. He never used it to steal money or trade secrets. He didn't blackmail the companies, or sell their info to competitors or the mafia. So big deal. He hacked some systems. Starting when it was no big thing. For those who say "Hacking is never acceptable", what industry are you in? It's like the websites that get pissed at people for linking to pages in their site, rather than their front page. "You don't have the right to link to our pages, you never asked permission." If a computer is connected to the Internet, or has dial-in access, and someone accesses it, and doesn't cause damage, I couldn't care less. It the computer's owner doesn't like it, he should have put better safeguards in place.
And before the "Should everyone be allowed to walk in your open front door" argument is thrown in, it's no comparison. The proper comparison would be "Should everyone be allowed to stand on the sidewalk in front of your house, and watch you have sex with your supermodel girlfriend while you two are standing in your private house, in the living room, pressed up against the large picture window?" My response would of course be, "They could take video of it and sell it if they wanted. The activity happened in public view. If I was worried about it, I would have closed the curtains to restrict their view. It would be my responsibility to protect my privacy, not theirs."
Here is one important difference between Mitnick and von Braun. Mitnick was charged, and convicted for his crimes. And he then served his time, and served his parole. Von Braun was never even charged.
What is the phrase Americans use? Mitnick "paid his debt to society."
As for the deaths von Braun was responsible for? Some of the later correspondents in this thread are allowing him the defense Tom Lehrer suggested in his satirical song,
Von Braun wasn't just in charge of a big research project. He was also a Nazi party member. I have heard people defend his Nazi party membership. They say something like this, "C'mon, he wasn't really a Nazi. He just wanted to build rockets."
Well, von Braun wasn't just a Nazi. He oversaw the construction of the rockets too. And, as such, he was responsible for the employment of slave labor.
The Nazis held captive members of ethnic groups they didn't like, political prisoners, and homosexuals, and they worked them to death. 15,000 slave labourers worked in von Braun's factories I heard.
This site says one of his plants contained a concentration camp that employed 40,000 slave laborers.
Okay, this irks me just a little bit. Someone in law enforcement (whether you are an officer or a prosecuter) should never say things like that. The problem our society faces is that mentality that once you are a criminal, you are always a criminal.
Recidivism is the leading cause for prison overcrowding. The problem is that the convicted felons are not given the opportunity to learn necessary skills (whether they be work skills or social skills) to make it in the real world. So when said prisoner gets out of the pen, they only know one thing, not to make the mistake that got them caught the first time.
It worries me to see prosecutors give up on people. I was charged with a felony, I was not exactly convicted (plea bargain for probation, no record cuz I was young) and the court actually gave me the opportunity to make things right. And I did. I also had studied criminology in college and knew the epidemic of recidivism that plagues our society. Understanding the problem and how to pull myself out of it was very important. I also had a support network of family and friends which is also important but that is a different story.
I guess my point is this... when somebody make a mistake or poor decision, it is not exactly good to label them a violator of the law for the rest of thier life. Yes, punishment and restitution is prudent, but labels are what cause that person to repeat the crime again. Prison is not so much of a deterrant once you have already been there... it becomes a training facility and the 'me versus them' attitude begins. If you make a mistake and you know that you were dumb and should have done better yet everyone keeps calling you a criminal and nobody tells you otherwise, you become just that... a criminal.. for life.
Yes, there are some that commit crimes that are so severe that you can only think that they are mentally damaged. That is a different story and I am not saying that we should just put murderers and pedophiles into counseling and then off to the real world where they will be perfect citizens for ever... I am saying that non-vilolent crimes that do not directly harm another individual should be treated with hope that the one that comitted the crime can be reformed and contribute to society in a meaningful way in the future.
It is scary, but here is a little theory of mine. If I were to have 100% knowledge of every law in the land, and I were to watch every move you make, I would be able to charge 95% of you with at least one felony be it federal or in your state. Would the case win? Not sure... but I bet I would have a good case.
Gotta call bullshit on this. You've been watching too much Shawshank or Magnum yourself.
In actuality, the majority of people coming out of prison _DO_ get time to adjust to a normal life. They aren't put on a bus and told to get out. That's only for people who have filled out their entire prison term. Most people don't fill out their entire prison term. They are released early on parole to save money and beds in prison. Most, if not all (that I'm aware of) violent prisoners and "hard" felons - assaults, robbery, rape, murder, etc. - are not even released immediately. They're put into a facility or halfway house. They have to follow a "level" program that requires that they follow some rules - these are things like 1) get a stable job (yes, they help) - 2) save some money with a budget and a bank account - 3) live by the rules - 4) see your PO consistently to make sure you're on track.
The quickest way to get out into society again via these halfway houses is to follow the rules - you get a job, buy your groceries, stay out of trouble, get some furloughs, and then, you "graduate" to full release, on conditions of parole or probation. If you don't follow the rules, you can get busted back down to your entrance level, or sent back to prison to fill out more of your term.
So, don't simply assume that prisoners are put back on the streets. There's a complex and well-organized program of supervision and rules to follow, unless you fill out your entire term. Which, in this economy, is nearly impossible. What they mean when they say "20 years, out in 7", is that you are sentenced to 20 years, commit no felonies _in_ prison, are released in 6.5 years to a halfway house, spend 4 - 6 months in the halfway house, then, assuming you're still following the rules of society, you are released into a parole program for 4 more years so someone can keep tabs on you - weekly visits, random drug tests, can't leave the county , that sort of thing - stricter rules than normal citizens - THEN you can be released back into society to try to live out your normal life.
So, it's not a simple, "Here's your $20 - get the fuck out." Prison systems do a thankless and difficult job of trying to get convicts back on the streets in the sanest and safest manner they can.
And yes, I was put in prison when I was 18 - convicted of felony assault for attacking a 35-year-old guy who hit my girlfriend. I've been through the program. It works. I was a violent kid. I've been in no trouble for 15 years, and I have had a good, stable career and a Masters in CS/BS in Math for about 8 years, now. It doesn't ruin your life. It SUCKS, but doesn't destroy you if you don't let it. I've got a wife, 7-year-old child, a nice house in an old neighborhood, a moderately stable job...
I'd say I'm living a "normal life".
Any sufficiently well-organized Government is indistinguishable from bullshit.
If, as the DOJ prosecutor says, "a criminal is a criminal", then why is Poindexter allowed in the White House to lead the "Total Information Awareness" program. Going even further, the US was convicted by the World Court and the UN Security Council of crimes in Nicaragua in the '80's. Then there's the matter of Kissinger, but he hasn't been convicted. In any event, lets cut the hypocrisy.
"Gentlemen, you can't fight in here! This is the War Room!" -- Dr. Strangelove
....I said...duplicate...
I don't know if I should hire a hacker but I do know that Slashdot should hire a copy editor.
My
Limekiller
Kevin is a criminal.
It's not any of our fault that he decided to turn to the dark side and hack sun, and many other cell phone vendors. Really.
Stop giving him so much sympathy. I for one as a honest person am tired of hearing about this frickin criminal! Yes! Criminal!
I know this wont be a popular viewpoint here on slashdot, but perhaps we shouldn't reward people who break laws [by hacking] by giving them a job?
I dont mean to suggest either that (a) we should ignore a potentially powerful resource, or that (b) all hackers are necessarily immoral. However I personally would be quite upset if I were a security advisor who abstained from illegal activity, and a former hacker was hired to either replace or supervise me.
Also, from a devil's advocate position, I'm thinking this is akin to the hiring of former insider-traders to work on preventing further cheating. Basically, we're inviting the dog back into the pantry.
Please dont mod this as a troll, since I'm being serious here.
"Stumble before you crawl"
Either this is the same story from earlier today.. or I'm like that dude who made all that cash in the stock market
What makes the whole repeat-ness of this story even worse is that there is a vote about it up right now!
This isn't a repeat of the earlier /. post. That one linked to security focus and this one links to business week. But the business week article is just a reprint of the security focus article...
Would you hire a reformed ex-spammer to advise you on how to secure your mail system?
Would you pay a reformed ex-spammer to give a presentation at your company about mail system security?
Would you trust a convicted spammer if they've said that they are, indeed, reformed?
My personal answers: no; yes; and probably not.
Sure, I'd hire a hacker. I don't think I'd want a Bad Guy or a Cracker or a Warz D00d or a Script Kid, but a hacker, sure, why not?
After all, I've got a fair amount of crufty lisp code that needs to be tweeked but have yet to meet anyone I'd trust with u+w. (Or rather, anyone I could afford...aye, there's the rub).
-- MarkusQ
P.S. For the ellusive final point, you have to figure out what the duck is for.
If I re-post all the +5 comments on this issue from the previous article, am I more or less honest than a convicted cracker? And if it works, and my karma goes through the roof, can I ever be reformed from karma-whoring or will I forver be branded the cut-and-paste king?
Freedom Is Universal
Linux-Universe
More like "I-should-stick-to-being-in-every-poll-so-I-dont-p ost-dupes dept."
I am getting VERY tired of the dupes. Seriously- I WANT an answer to this question from one of the Slashdot editors: how hard is it for you people to actually READ(gasp! What a concept!) the site you approve stories for? HUH? How about a new rule: "If you don't read the site, you DON'T APPROVE STORIES."
For a long time you guys have given the impression that you just don't give a shit anymore. One clear message was when you guys spun off that "meetup.com" thing, encouraged us all to participate in "slashdot day", and then you guys fuckin' didn't even SHOW UP because you had "other plans". What gives? It was, in fact, one of the first things we talked about at our local slashdot meeting.
If you don't care, here's a clue: find someone who DOES, and hand the site over to them, or just pick some new editors. If you do care, tell us what you're going to do to fix the problem- I'm sure, being the incredibly bright and talented people, that you can think of SOMETHING.
Oh, and while you're at it, add a "Mitnick" category, so all of us, who DON'T GIVE A CRAP ABOUT MITNICK, can filter out the stories.
Please help metamoderate.
I for one as a honest person am tired of hearing about this frickin criminal! Yes! Criminal!
Sounds like this Mitnick guy is management material. Criminal action shows initiative. It shows that he will do what it takes to get ahead.
Most of our society looks at the criminal as a superior form of being not tied to the conventionalities of the honest man (ie peasant). But there is a big problem with that getting caught thing. If he was a criminal who hadn't been caught...well, there is there is no end to how far he could go in the American corporate structure.
Who knows, he could have been CEO? I suspect most CEOs have done far worse things than Kevin Mittnick on their back stabbing drives for power. Unfortunately, there is a gentleman's agreement on being caught, tried and covicted.
Hiring a felon might get people looking closer at what companies actually do, and how the insiders funnel off profits. It would be far too risky to hire the man.
Dupe Dupe Dupe
Dupe of Earl
Dupe Dupe
Dupe of Earl
Dupe Dupe
Dupe of Earl
Dupe Dupe
whe-en I-eee waaaalk though this world
nothin can stop me, I'm the Dupe
I walk free-eely in my Dupedom
Cause nothin' can stop me, I'm the dupe of earl.
Maybe it's not a dupe, maybe it's a Poll Collision?
Personally, I like dupes... things should be considered more than once. Two closely spaced conversation reveal another dimension, the dimension of time, the fluctuflowations of the think.
But then, that's because,
I'm the Dupe of Earl
And you-uuu will be the Duchess in my Dupedome,
And nothing will stop us, from duuupin' agaaaain.
Hiring a former cracker to secure your network could be an extremely valuable move. Why? Because they know the mindset and thought processes of one who is trying to compromise system security. This is not something that can be learned through college courses or workplace experience. Oh sure, you probably learn a lot with both of those, but it's always at least one step behind (you're only learning how to prevent those techniques, exploits, and patterns thereof that people have tried before). Former crackers can more easily step into an adversary's shoes, potentially giving their company valuable insight.
"Therefore, I say: Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal." -- Sun Tzu, The Art of War, Chapter 3
Besides, if a company's network were compromised mysteriously by someone on the inside, who do you think would immediately be the prime suspect? No reasonably intelligent former cracker would ever do such a stupid thing.
Furthermore, regarding your analogies:
I would hire a convicted embezzler to keep track of my savings account if it were in danger of being attacked by numerous embezzlers on a daily basis (much like how corporate networks are attacked by crackers). And, for the same reasons as above.
And your rapist analogy is quite off base seeing how, even if one's daughter were in danger of being attacked by numerous rapists on a daily basis, such an attack would be extremely easy to spot and would require absolutely no special skills to help prevent (other than, maybe, not being a quadriplegic mute). A sufficiently trained monkey could stop a rapist -- and a sufficiently trained monkey could probably be a rapist. =)
I wouldn't hire one to secure my network, but I would certainly hire one to check the security of my network.
Everybody has their strengths and weaknesses, and a crackers strength is likely in attacking rather than defending.
When I played soccer I was a great halfback, but a shitty goalie. Since my coach was not an idiot, he never had me play goalie. The same principle applies here.
Under capitalism man exploits man. Under communism it's the other way around.
If you (or your workplace) has a technically competent IT department, there is a good chance you already have hired hackers. If you also have a technically competent Infosec department, there's an even better chance. The only difference we're now hashing out is whether you wish to limit yourself to those who were either smart enough, or lucky enough, to never have gotten caught.
The important issue is not a criminal "hacker" record, but rather the abilities of the individual in question. If they are able to bring a particular skill-set to the table and perform to expectations, then they make a good employee.
The recent demonizing of "hackers" seems to have little to do with ability or morality. Such laws and legal actions seem to have more to do with publicity. A lawmaker or prosecuting attorney's career should have little to do with your hiring process.
There are exceptions. If the individual in question committed embezzlement, then they have demonstrated a willingness to victimize their employer (to say the least). Such an individual would be a risk - but then, that has little to do with a "hacking" conviction.
The other extreme is seeking to hire those with criminal convictions. This is perhaps a better example of "reward[ing] people who break laws." A computer crime conviction does little to prove one's skill-set. Again - it proves one was either stupid or unlucky. Or upset the wrong people. It doesn't prove that one would be able to deliver as a consultant or IT team member.
One final note - the old days of hacking seem to be passing. Hacking, no matter your definition, has always been about learning a system. Back in the old days, the only way one could gain more time/access to a system was to learn how to manipulate the system and provide it oneself. Without permission, if need be.
These days, one can create a functionally similar environment to most of what one would find in corporate and Government network at home using cheap, old hardware and free software. The need... and the excuse... to attack remote systems to gain the access needed to learn is fast fading. Of course, that doesn't take in to account proprietary hardware and software. But then it becomes a question of the risk being caught versus the lure of such systems. But then - if you learn enough and build a career, you'll get access to those systems legally.
I disagree in the bounds of your phylosophy, because it is the negative energy in this world that highlights the positive energy that counterbalances the environment. In a world of computer security, Kevin Mitnick is a mere pawn. Kevin has been there, he has wandered around the 'negative' side of computer security. Reluctantly, I confess much of modern security is attributed to the 'negative' side of science. It's the ever-so-encroachments on our communication that provides jobs to make the communication more secure. Kevin is just a man, a nice man that has been slandered. Kevin didn't kill anyone, his interest in computer security and curiousness of the world around him was channeled in a way to take advantage of his resources. Who wouldn't want to travel around the world networks in a day? If I knew half of what Kevin knows, I would do what he did in a heartbeat, but that wasn't enough, or perhaps even Kevin didn't care about concealing his attempts; he was caught and his sin compared equal to an armed bank robber using a battering ram to steal the hard-earned gold of an orphanage.
Look at Kevin, learning from himself, he has invested in him the phylosophy of computing security that none of the conspirators or critics against him could muster. Do you trust someone else with your security, that always plays catch-up to the crackers that have not been caught? In a past slashdot article (maybe this story is its dupe), Hewlet-Packard's representative and Kevin Mitnick's DOJ prosecutor debated (slandered) Kevin saying they know all about security and all Kevin is capable of doing is being a criminal. In the rhetoric of the Fox guarding a henhouse, this is absolutly sidewise. Kevin is just a mere wolf, captured by the farmer and turned into a sheep-hurding dog. Enough with the comparisons, everyone in the security world is nowhere in sight of the skill Kevin Mitnick has attained. They're the ones that sit back in shock and awe with only an on-off switch to save their ass. Kevin has been there, and laughably his unlawful detention to a prison has not and will not impede his skill. Kevin is a master of security, he didn't go to college, that's where uneducated go to learn, when they aren't capable of becoming brilliant or ingenius on their own. Some of us are born knowing what we want to accomplish...Kevin is who you want to meet for the most secure data networks.
In the words of a fellow slashdotter in a previous article, this post pretty much sums what Kevin Mitnick should be treated as by everyone. Kevin Mitnick, what a name, what a man. In a world of curiousity, you can be enslaved for someone else's lack of passion in their job. Kevin Mitnick is waiting to be hired, The Counselor on Computer Security. This is an enterprising man that is being held hostage by people who think they are God, judging him perpetualy. Above all, Kevin Mitnick is an American and I will die for his freedom because I know he would stand for my freedoms too. That is the hacker's ethic: Freedom!
The critical flaw in the thinking of establishment dweebs like Painter and Winkler is that they assume that security experts who are lawful are also skill- and knowledge-equivalent to a criminal or professional hacker, even a benign or hobby hacker.
... and I would bet my left testicle they would find this information in the writings or testimony of all types of hackers.
How do you know your code's broke unless you try to break it? Breaking software is a good way to test it -- since real-world operations are what the software will experience normally -- hence hacking systems is the capstone on the surety that your systems are secure. So, even if these so-called security experts do perform these tasks (i.e. hacking their own systems with permission), they must still come up with ways to assault systems
At the basis of knowledge and skill, knowing and doing are the same thing. Painter and Winkler types don't dare admit this even if they do understand it. They would be police admitting to the usefulness and need for criminals. I never expect to see that happen.
Mitnick is still in prison, but now his bars are made of philosophy.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
Breaking the law is breaking the law is breaking the law. While you may not agree with the laws in place, you are assuming a certain amount of responsibility when you break them. I speed all the time, as I'm sure most of us do. When I speed I am well aware of the risk that I may get caught and have to pay a ticket. I weigh the risk against the benefit, and speed to my heart's content.
Mitnick broke the law. You're right, he didn't kill anyone or molest any small children or anything. But he did break the law, and there are consequences of that. A significant consequence is not being trusted in the infosec industry. The data that is being protected on these networks is just too important to gamble on someone who may or may not have "turned over a new leaf." Especially when there are more than enough excellent professionals with clean records out there.
I also like the point that allowing Mitnick to work in this industry only encourages the generation coming up now to violate the law. Or, if you think that's a stretch (which I don't), the fact that we can attempt to dissuade the younger generation from becoming black hats by making it clear that there is no place for them in the infosec industry. Whether or not Mitnick or any other black hat is qualified...we should use this opportunity to send a message that crime really doesn't pay (corny, I know).
Social Engineering Expert: Because there is no patch for stupidity.