Should You Hire a Hacker?
fabioj writes "Business Week has an article about today's debate at the RSA Security Conference held at the Moscone Center attended by Kevin Mitnick and his 1995 trial prosecutor, Christopher Painter. Interesting to note that Painter doesn't see Kevin Mitnick's experiences as a deterrent for the 'up-and-coming technology workforce' to criminally hack."
So why is Poindexter running Total Information Awareness?
What ever happened to "rehabilitation"... I guess some people just can't forgive.
- colin
He's not a criminal any more, he's a member of society just like the rest of us.
Mr. Painter seems to be...painting...anyone who has ever committed a crime as a lifelong criminal. Good work rejecting the entire philosophical foundation of our criminal justice system, dipshit.
And as much as I hate replying to my own post, he's a 5 time CONVICTED felon.
He had his chance to do 'the right thing' and he proved he couldn't do it. Toss this guy out with the trash and give some honest, decent hard-working folks some jobs.
If someone will employ you, then you're trusted. You just have to prove yourself to them.
You know the rest.
Although it certainly matters what your former profession might be, as long as you can do your job (of network security, I mean). OTOH, it seems like the best method of foiling spies and hackers is to think like one, and the best way to think like one is to, well, BE one.
Interestingly, I wonder exactly who the U.S. has employed in its counterterrorist operations.
So the question boils down to morality. And that's not so easily defined. IANAH, but I suppose one of the better methods would be double-blind security; one ex-hacker to design the system, one ex-hacker to try and defeat it, and never the twain shall meet.
I actually kinda agree with both of them. A criminal isn't one to be trusted, depending on what they were in jail for, but on the other hand, one who has the knowledge, a hacker in this story, could be very useful. A hacker knows how to get around things, and if at first they can't, they work at getting their goal. They have experience. Now Painter might say that's why you should hire a security professional. Yet who would you rather have, some nerdy kid fresh out of college? Or would you rather have someone who knows what's out there, has experience with the programs that you will be using, and quite frankly could do better security audits than the nerdy college kid? No offence to anyone in college for this; nerdy just seemed like a good way to state my point even though the majority of the people in the field aren't that way at all. Heh. Well, just my 2 bits, peace.
as a company's employee - maybe as an expert. AFAIK he was a genius at using tools, but I don't remember him creating any of them. Maybe I'm mistaken? That brings another question: if somebody creates a tool and somebody else uses it, who is the bad guy? Recent stories (like the one of DeCSS and the one about RIAA suing students) show that people start to go after those that make tools. Shouldn't we start prosecuting gun, hammer, ax, and car manufacturers?
Most caught crackers are going to bring special, outdated skills to the job.
They're called crackers.
Mitnick sounds like little more than a self-promoter to me.
Am I running a bank with millions of dollars, and do I want the reformed hacker to secure the database with all the money in it?
Come on, this is common sense:
1: If the reformed hacker was doing it for personal profit, don't hire the hacker. If the hacker was just bored and causing trouble, maybe hire the hacker.
2: If you want to secure the aforementioned bank's financial DB, don't hire a hacker, and have someone looking over the shoulder of the guy you do hire. =)
3: If the reformed hacker writes all of his memos in 1337$p34|{, make sure you aren't hiring a reformed script-kiddie.
Like I said, simple, sensible rules...
It's not just about whether convicted felons can be trusted--M. seems to argue that it's actually _better_ to hire someone who's been on the shady side of the law.
And as most crackers look for unsecured systems rather than attacking or defending a specific one, I don't think the "special skills" argument holds much weight.
Ex-druggies make great recovery therapists but bad customs agents..
What!? And miss out on that one-on-one attention?
Let it be known across the lands that this man has said loudly what we all have feared! Hacking is like having sex with kids! Beware! Begone!
The government hires ex-criminals to fight crime with great success -- just look at She-Spies! ;-)
Hacking is an addiction. Furthermore, a successful cracker does not necessarily make a good security expert. You wouldn't give a 5-time convicted drunk driver their license, even if they haven't touched alcohol for years... Why? Because it can be too easy, too much of a temptation to fall back into old habits.
Maybe you've never felt a true addiction. Perhaps you don't know what it's like to be mentally chained to some action, item, etc. Sure, you get into long programming binges, where you're in 'the zone' for hours, but it's not like you can't go 2 minutes without zoning out of real life and thinking about your program.
When you are addicted to something you very literally are unable to keep your mind off the subject for any length of time.
The chances of an addicted, convicted, and reformed cracker of being tempted and going back to their old ways are so much greater than the chances of a programmer/net admin/whatever who hasn't been addicted that it isn't a reasonable risk to take. You don't give a reformed alcoholic a wine tasting job.
That being said, it's unfair to group people together by any metric. I could say, for instance, that all good criminals are persistent con men. It isn't always true all the time, but when you look at one case at a time it certainly seems so. Most, if not all, of Mitnick's significant exploits weren't brain power, or sheer ability to break systems. It was his ability to convince another person that he was authorized to receive sensitive information, and when he didn't get it from one person he moved on to the next. A very charismatic, persistent con man. Certainly no Carmack.
So it's not fair to lock everyone convicted of computer crimes from using computers again, or even from using computers in the way they used them in their illegal activities.
But if you are shortsighted enough to believe that a true addicted can ever be fully and completely cured... Employer beware...
-Adam
I think it's the shortest definition and the most accurate. And actually means that cracker and hacker are mutually exclusive.
Despite the fact that these two situations are completely and totally unrelated (one is intrusive, the other is not), it depends on the situation.
*Does being a convicted rapist give him a particular insight into how to spot other rapists?
*Is he better at stopping--not just rapists--but other toughs and would-be assailants for his experience? Is he the best for the job?
*What level am I willing to trust him to and is the amount of trust required for the job less than the amount I trust this individual? (This does not just apply to felons, it applies to everyone).
You shouldn't hire someone because they have a criminal record, but you shouldn't dismiss them just because they are a convicted felon. Consider the entire picture and make the *best* decision for you and your company.
I am not in a position where I can affirm that Mr. Mitnick is reformed and can be trusted. However, I disagree with statements such as "Criminals are Criminals".
And in answer to the assumption that Fortune 500 would not hire a criminal for his services, I would like to point out that many of these companies have hired Mr. Frank Abagnale in the past, who first made himself famous for check fraud before working with the FBI and then creating his own consulting firm. He is an example that an ex-criminal can become successful by using the same skills that made him a criminal in the first place, and that law enforcement and big companies do sometimes hire such people for their services.
True, why would you want to hire a _convicted_ felon?
You need to hire the hacker they _didn't_ catch. Surely the guy who managed to cover his tracks so well as to never get caught is a much better person to learn from.
So what is prison for? To make a profit for the private companies that have taken over the world's largest (and growing) prison population? If it doesn't reform you, why are we letting people out at all?
Do people get to live normal lives after coming out of prison? No. They get 20 bucks or whatever they came in with, and kicked out, and given no time to adjust to society.
I'd say that if you can't trust an ex-con who served his time, either he didn't get a long enough sentence, the prison system needs reform, or you've been watching too much Magnum P.I.
(I did very much enjoy posting that last one by the way....;)
From the article: Regardless of whether or not a hacker with a record has reformed, the bottom line, said Painter, is that paying former criminals big bucks sends the wrong message to the young, up-and-coming technology workforce. He added, "That's like saying the best way to a high pay check is to go out and be a criminal hacker."
Too right. I agree with this 100%.
If we encourage kids to do this, by promising them a long and lucrative career in 'Security', then we will just have even more crackers out there trying out their so-called skills.
I've had one guy who repeatedly downed a DALnet server I managed tell me that basically he hoped to put his skills on the market once he finished his Degree. He laughed at me when I suggested having a criminal record might slow him down.
If you run an IT department, don't hire crooks. No matter HOW good they say they are, a trained professional without a criminal record is a thousand times better than some thug who has spent his youth trying to make lives for people like me a misery.
I used to work at MHMR/TC and my supervisor, on at least one occasion, bought phony computer equipment and pocketed the money. Further, when a co-worker of mine tried to blow the whistle on him, he was told to play along or else they would make his life miserable at work, which they did and he was soon fired or forced to resign.
I, on the otherhand, who am very skilled with computers, was put in a rather awkward position after I was let in on the little secret because it soon became apparent that it was bothering me and they obviously feared they could not trust me, so they treated me badly and I soon became suicidal and tried to commit suicide four times.
Later on, however, after I was forced to resign and was able to collect myself, I discovered that one particular co-worker's Yahoo! email account was linked to credit card stealing, which you may view for yourself here, which so happened about the same time someone stole money out of two of my co-workers' purses.
When I discovered this, it was like, great! We finally have the culprit and so I told them, but they did not do anything. I even told them about the supervisor that was buying phony equipment and keeping the money. Still, they did not do anything. Then, after realizing many are involved, I wrote one email to many people in the organization (that is, many people were in the To: header) and they responded by threatening me with litigation concerning things like computer security breachment, criminal harassment with a computer and some other computer crimes.
Why is it that since they're idiots with computers but thieves they can point to someone that is good with computers and not a thief and call her a criminal hacker?
I don't think most hackers hack because they like crime. They like a challenge. They want a way to test their intellectual arsenal against others.
In a way, I guess you could look at hacking as the first multi-player online game. It was the first way to pit yourself against a real human opponent online (aside from checkers and chess on Prodigy back in the 80's I guess :) )
The hackers play the "side" of the hackers because that is the side that's most available. If you give them a job as the sysadmin, then being able to read everyone's mail is no longer a challenge and, hence, tends to lose its novelty. Instead, they now have a new adversary: the rest of the hacker world.
It's all about proving that your kung-fu is better. Whether you play the black pieces or the white pieces only determines the numbers printed on your paycheck (or your orange jumpsuit, I guess).
OK. A guy breaks the law and is convicted on the basis of his hacking crimes. When he comes out he gets a prime well paid job on the basis of his law breaking experience.
What kind of example is that setting?
"Break the law, and get a good job" is NOT a good example to be setting, it will only encourage people to commit similar crimes.
I think companies are perfectly correct not to employ convicted hackers in a security role. It is completely morally and ethically wrong to reward people for crimes they have committed.
Once upon a time, I was a hacker. I've always been into computers, since I first encountered a TRS-80 in 1977. I'm 36 now. I'm still using my original handle from those days, and wrote an article for Phrack in '85. I actually was one of the people who helped talk Craig (Neidorf, "Knight Lightning") into starting it as an online magazine. I've always believed in freedom of information.
In those early days, there were LOTS of us (young people) who were into computers and were fascinated by them. But there was no internet, and those of us in small towns (like myself) had NO means to communicate with others with the same interests, other than BBS system using a 300 baud modem, or 1200 baud if you could possibly afford it.
So, at that time, if you wanted to learn and communicate, one of the first things you would do would be to call BBS's all over the US. But phone charges were high!! And the parents didn't like that!! So -- you would ask around. And soon, you'd find out about "hacking." Hacking local systems to use TELENET (not telnet), hacking local business PBX systems to get an outside line, which were usually 3-digit "passwords" in those days, or using "codes" to dial out using Sprint, MCI, or TMC (My article for Phrack was on TMC hacking.)
Was it illegal? Yes. It was also amazingly simple. At that time, you would dial a local access number, enter a code (sometimes only 4 digits), enter a # to call, and it would go through. You could use a phone code for a month or more usually, until the customer got the bill and complained. I guess phone co. insurance picked up the tab. I never really cared.
Pretty much my entire interest in and knowledge of computing and networking came from these early "hacking" experiences. I don't regret them. And I'm the most honest person you could hope to meet. Had there been an "internet" or ANY way to communicate with other computer folks, I would have used it. I pride myself on my honesty and don't steal, rob, rape, pillage or murder. I just like to learn new stuff.
And, at that time, that was how it was done. Mitnick came from that era, and I think he was screwed unforgivably. I'm now a partner in a company that does some security work. Would I hire him? Absolutely, I know just where he's from.
I agree 100% and make a comparison with Wernher von Braun, who undoubtedly caused the death of many hundreds of people as a result of his development of the V2 rocket in WW2, but also undoubtedly knew more about rockets than just about anyone anywhere. His past history certainly didn't stop the US Government from leveraging his skills to get to the moon (well, maybe ;)
Moreover, Mitnick (and any felon who is now out of jail) has served his time and if the system does what it's supposed to do, he is now reformed. (Unless you argue that jail is purely a punitive thing, in which case why let anyone out ever, if they are just going to be the same as they went in?) Certainly, I would think twice about handing him the proverbial keys to the NSA's servers, but equally, if I wanted to protect those same servers, who better to ask than someone who potentially has the skills to compromise them?
Well, then, probably every politician currently active in the US (and most other places) ought to be fired immediately.
And it seems someone needs to read Les Miserables.
Here is one important difference between Mitnick and von Braun. Mitnick was charged, and convicted for his crimes. And he then served his time, and served his parole. Von Braun was never even charged.
What is the phrase Americans use? Mitnick "paid his debt to society."
As for the deaths von Braun was responsible for? Some of the later correspondents in this thread are allowing him the defense Tom Lehrer suggested in his satirical song,
Von Braun wasn't just in charge of a big research project. He was also a Nazi party member. I have heard people defend his Nazi party membership. They say something like this, "C'mon, he wasn't really a Nazi. He just wanted to build rockets."
Well, von Braun wasn't just a Nazi. He oversaw the construction of the rockets too. And, as such, he was responsible for the employment of slave labor.
The Nazis held captive members of ethnic groups they didn't like, political prisoners, and homosexuals, and they worked them to death. 15,000 slave labourers worked in von Braun's factories I heard.
This site says one of his plants contained a concentration camp that employed 40,000 slave laborers.
I don't know if I should hire a hacker but I do know that Slashdot should hire a copy editor.
I know this won't be a popular viewpoint here on slashdot, but perhaps we shouldn't reward people who break laws [by hacking] by giving them a job?
I don't mean to suggest either that (a) we should ignore a potentially powerful resource, or that (b) all hackers are necessarily immoral. However I personally would be quite upset if I were a security advisor who abstained from illegal activity, and a former hacker was hired to either replace or supervise me.
Also, from a devil's advocate position, I'm thinking this is akin to the hiring of former insider-traders to work on preventing further cheating. Basically, we're inviting the dog back into the pantry.
Please don't mod this as a troll, since I'm being serious here.
This isn't a repeat of the earlier /. post. That one linked to security focus and this one links to business week. But the business week article is just a reprint of the security focus article...
If I re-post all the +5 comments on this issue from the previous article, am I more or less honest than a convicted cracker? And if it works, and my karma goes through the roof, can I ever be reformed from karma-whoring or will I forever be branded the cut-and-paste king?
More like "I-should-stick-to-being-in-every-poll-so-I-dont-post-dupes dept."
I am getting VERY tired of the dupes. Seriously- I WANT an answer to this question from one of the Slashdot editors: how hard is it for you people to actually READ(gasp! What a concept!) the site you approve stories for? HUH? How about a new rule: "If you don't read the site, you DON'T APPROVE STORIES."
For a long time you guys have given the impression that you just don't give a shit anymore. One clear message was when you guys spun off that "meetup.com" thing, encouraged us all to participate in "slashdot day", and then you guys fuckin' didn't even SHOW UP because you had "other plans". What gives? It was, in fact, one of the first things we talked about at our local slashdot meeting.
If you don't care, here's a clue: find someone who DOES, and hand the site over to them, or just pick some new editors. If you do care, tell us what you're going to do to fix the problem- I'm sure, being the incredibly bright and talented people, that you can think of SOMETHING.
Oh, and while you're at it, add a "Mitnick" category, so all of us, who DON'T GIVE A CRAP ABOUT MITNICK, can filter out the stories.
Shut up, I missed it the first time!
I for one, as an honest person, am tired of hearing about this frickin' criminal! Yes! Criminal!
Sounds like this Mitnick guy is management material. Criminal action shows initiative. It shows that he will do what it takes to get ahead.
Most of our society looks at the criminal as a superior form of being not tied to the conventionalities of the honest man (ie peasant). But there is a big problem with that getting caught thing. If he was a criminal who hadn't been caught... well, there is no end to how far he could go in the American corporate structure.
Who knows, he could have been CEO? I suspect most CEOs have done far worse things than Kevin Mitnick on their back-stabbing drives for power. Unfortunately, there is a gentleman's agreement on being caught, tried and convicted.
Hiring a felon might get people looking closer at what companies actually do, and how the insiders funnel off profits. It would be far too risky to hire the man.
Dupe Dupe Dupe
Dupe of Earl
Dupe Dupe
Dupe of Earl
Dupe Dupe
Dupe of Earl
Dupe Dupe
whe-en I-eee waaaalk through this world
nothin can stop me, I'm the Dupe
I walk free-eely in my Dupedom
Cause nothin' can stop me, I'm the dupe of earl.
Maybe it's not a dupe, maybe it's a Poll Collision?
Personally, I like dupes... things should be considered more than once. Two closely spaced conversation reveal another dimension, the dimension of time, the fluctuflowations of the think.
But then, that's because,
I'm the Dupe of Earl
And you-uuu will be the Duchess in my Dupedome,
And nothing will stop us, from duuupin' agaaaain.
Hiring a former cracker to secure your network could be an extremely valuable move. Why? Because they know the mindset and thought processes of one who is trying to compromise system security. This is not something that can be learned through college courses or workplace experience. Oh sure, you probably learn a lot with both of those, but it's always at least one step behind (you're only learning how to prevent those techniques, exploits, and patterns thereof that people have tried before). Former crackers can more easily step into an adversary's shoes, potentially giving their company valuable insight.
"Therefore, I say: Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal." -- Sun Tzu, The Art of War, Chapter 3
Besides, if a company's network were compromised mysteriously by someone on the inside, who do you think would immediately be the prime suspect? No reasonably intelligent former cracker would ever do such a stupid thing.
Furthermore, regarding your analogies:
I would hire a convicted embezzler to keep track of my savings account if it were in danger of being attacked by numerous embezzlers on a daily basis (much like how corporate networks are attacked by crackers). And, for the same reasons as above.
And your rapist analogy is quite off base seeing how, even if one's daughter were in danger of being attacked by numerous rapists on a daily basis, such an attack would be extremely easy to spot and would require absolutely no special skills to help prevent (other than, maybe, not being a quadriplegic mute). A sufficiently trained monkey could stop a rapist -- and a sufficiently trained monkey could probably be a rapist. =)
If you (or your workplace) has a technically competent IT department, there is a good chance you already have hired hackers. If you also have a technically competent Infosec department, there's an even better chance. The only difference we're now hashing out is whether you wish to limit yourself to those who were either smart enough, or lucky enough, to never have gotten caught.
The important issue is not a criminal "hacker" record, but rather the abilities of the individual in question. If they are able to bring a particular skill-set to the table and perform to expectations, then they make a good employee.
The recent demonizing of "hackers" seems to have little to do with ability or morality. Such laws and legal actions seem to have more to do with publicity. A lawmaker or prosecuting attorney's career should have little to do with your hiring process.
There are exceptions. If the individual in question committed embezzlement, then they have demonstrated a willingness to victimize their employer (to say the least). Such an individual would be a risk - but then, that has little to do with a "hacking" conviction.
The other extreme is seeking to hire those with criminal convictions. This is perhaps a better example of "reward[ing] people who break laws." A computer crime conviction does little to prove one's skill-set. Again - it proves one was either stupid or unlucky. Or upset the wrong people. It doesn't prove that one would be able to deliver as a consultant or IT team member.
One final note - the old days of hacking seem to be passing. Hacking, no matter your definition, has always been about learning a system. Back in the old days, the only way one could gain more time/access to a system was to learn how to manipulate the system and provide it oneself. Without permission, if need be.
These days, one can create a functionally similar environment to most of what one would find in corporate and Government networks at home using cheap, old hardware and free software. The need... and the excuse... to attack remote systems to gain the access needed to learn is fast fading. Of course, that doesn't take into account proprietary hardware and software. But then it becomes a question of the risk of being caught versus the lure of such systems. But then - if you learn enough and build a career, you'll get access to those systems legally.
Breaking the law is breaking the law is breaking the law. While you may not agree with the laws in place, you are assuming a certain amount of responsibility when you break them. I speed all the time, as I'm sure most of us do. When I speed I am well aware of the risk that I may get caught and have to pay a ticket. I weigh the risk against the benefit, and speed to my heart's content.
Mitnick broke the law. You're right, he didn't kill anyone or molest any small children or anything. But he did break the law, and there are consequences of that. A significant consequence is not being trusted in the infosec industry. The data that is being protected on these networks is just too important to gamble on someone who may or may not have "turned over a new leaf." Especially when there are more than enough excellent professionals with clean records out there.
I also like the point that allowing Mitnick to work in this industry only encourages the generation coming up now to violate the law. Or, if you think that's a stretch (which I don't), the fact that we can attempt to dissuade the younger generation from becoming black hats by making it clear that there is no place for them in the infosec industry. Whether or not Mitnick or any other black hat is qualified...we should use this opportunity to send a message that crime really doesn't pay (corny, I know).