Slashdot Mirror


Should You Hire a Hacker?

fabioj writes "Business Week has an article about today's debate at the RSA Security Conference held at the Moscone Center attended by Kevin Mitnick and his 1995 trial prosecutor, Christopher Painter. Interesting to note that Painter doesn't see Kevin Mitnick's experiences as a deterrent for the 'up-and-coming technology workforce' to criminally hack."

35 of 647 comments

  1. A criminal is a criminal by Animats · · Score: 5, Insightful

    So why is Poindexter running Total Information Awareness?

  2. Hmm by zenintrude · · Score: 5, Insightful

    What ever happened to "rehabilitation"... I guess some people just can't forgive.

    --
    - colin
    1. Re:Hmm by paulerdos · · Score: 5, Insightful

      You're missing the point. No one is claiming that rehabilitation is impossible - anything is possible. The issue here is that of practicality. People use heuristics in everyday life - if you meet a 25-year-old with two PhDs from MIT, then chances are good that he's intelligent (but it's possible that he's not!), and if you meet a 5-time convicted felon, chances are good that he cannot be trusted with your corporation's security.

      Therefore, as a practical matter of heuristics, if I were in charge of hiring a security consultant for my corporation, I would rather hire the non-ex-con than the ex-con. Of course it's *possible* that the ex-con would have been a better, more qualified candidate, but I'm not about to bet my company's security on it.

    2. Re:Hmm by stinky+wizzleteats · · Score: 4, Interesting

      if you meet a 5-time convicted felon, chances are good that he cannot be trusted with your corporation's security.

      If you hire any consultant and simply plop your company's security in their lap, you have problems intelligent hiring cannot solve. Furthermore, as I consider the predatory and fraudulent work ethic your consultant hiring practices would seem to attract as being more socially destructive than hacking a cellphone network, I would suggest that you have already been screwed more mightily than you ever would if you hired Mitnick to tiger team your network.

  3. He did his time by crayz · · Score: 5, Insightful

    He's not a criminal any more, he's a member of society just like the rest of us.

    Mr. Painter seems to be...painting...anyone who has ever committed a crime as a lifelong criminal. Good work rejecting the entire philosophical foundation of our criminal justice system, dipshit.

    1. Re:He did his time by velo_mike · · Score: 5, Insightful

      We (the U.S.) have been increasingly rejecting that philosophy, why stop now? Those convicted of felonies already lose the right to own firearms. They often lose the privacy the rest of us have or the right to vote. Their property is forfeited, and educational aid is often denied. This after they've "paid their debt to society". Why not cut off their ability to make a living? Hell, make them non-persons, brand an "F" onto their foreheads and leave them to the dogs...

      --

      At the bottom of the endless pile of paper work which characterizes all regulation lies a gun.
      Alan Greenspan

    2. Re:He did his time by goon+america · · Score: 4, Interesting

      Kevin is lucky in that getting put in jail actually increased his prospect for employment once he got out. For most people, a felony can be a lifelong sentence. And I don't understand how that's called "justice".

    3. Re:He did his time by WegianWarrior · · Score: 4, Insightful

      Looking from the outside, it appears that the US system of judgement has more to do with revenge than actual reform of the convicted (mind you, what we get through the media (both ours and US media) is the high profile cases, not everyday things). The logical, yet illogical, conclusion is that all criminals should be executed or be given a life sentence - and we all know that a handful of bullets or a short length of rope is the cheapest alternative. And of course, doing that would bring the US nicely alongside 17th century Europe, where the theft of a loaf of bread might cost you your neck...

      Revenge or reform? You make up your own minds, I know what I prefer.

      --
      Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
  4. All Depends on the Employer by beders · · Score: 4, Insightful

    If someone will employ you, then you're trusted. You just have to prove yourself to them.

  5. It takes a thief... by writertype · · Score: 5, Insightful

    You know the rest.

    Although it certainly matters what your former profession might be, as long as you can do your job (of network security, I mean). OTOH, it seems like the best method of foiling spies and hackers is to think like one, and the best way to think like one is to, well, BE one.

    Interestingly, I wonder exactly who the U.S. has employed in its counterterrorist operations.

    So the question boils down to morality. And that's not so easily defined. IANAH, but I suppose one of the better methods would be double-blind security; one ex-hacker to design the system, one ex-hacker to try and defeat it, and never the twain shall meet.

  6. people these days by Fooker · · Score: 4, Insightful

    I actually kinda agree with both of them. A criminal isn't one to be trusted, depending on what they were in jail for, but on the other hand, one who has the knowledge, a hacker in this story, could be very useful. A hacker knows how to get around things, and if at first they can't, they work at getting their goal. They have experience. Now Painter might say that's why you should hire a security professional. Yet who would you rather have, some nerdy kid fresh out of college? Or would you rather have someone who knows what's out there, has experience with the programs that you will be using, and quite frankly could do better security audits than the nerdy college kid? No offence to anyone in college for this, nerdy just seemed like a good way to state my point even though the majority of the people in the field aren't that way at all. Heh. Well, just my 2 bits, peace.

  7. I wouldn't employ him... by stj · · Score: 4, Insightful

    as a company's employee - maybe as an expert. AFAIK he was a genius at using tools, but I don't remember him creating any of them. Maybe I'm mistaken? That brings another question: if somebody creates a tool and somebody else uses it, who is the bad guy? Recent stories (like the one of DeCSS and the one about RIAA suing students) show that people start to go after those that make tools. Shouldn't we start prosecuting gun, hammer, ax, and car manufacturers?

    --
    iThink iHate iMod
    1. Re:I wouldn't employ him... by offpath3 · · Score: 4, Interesting
      AFAIK he was a genius at using tools, but I don't remember him creating any of them.

      Actually, I think the really important point here is the social aspect of his cracking. The tools and the security systems will change, but there will always be a human somewhere who knows the password, and you can ignore all of the technical defenses if you can sweet talk them just right. Or if they do stupid things like pick predictable passwords. Or write the password on a Post-it note on their desk.

      I think much more than just doing a port scan, a company would hire Mitnick to examine their _human_ protocols and proceedings for dealing with security.

  8. Obsolescence... by ari_j · · Score: 5, Interesting

    Most caught crackers are going to bring special, outdated skills to the job.

    1. Re:Obsolescence... by Steven+Blanchley · · Score: 5, Insightful

      Social engineering knowledge is Kevin's specialty. That kind of skill will never be obsolete.

  9. catch me if you can by SethJohnson · · Score: 4, Funny
    I don't think Mitnick is such a good representative for this issue. Probably a better example of 'hacker' turned security expert is that guy whom the 'Catch Me if You Can' movie is based on (Frank Abagnale). The FBI sprung him from jail in order for him to help them combat check fraud. Apparently, he's now responsible for designing many of the anti-counterfeiting mechanisms built into our checks even today.
  10. Vocabulaire by Tiro · · Score: 4, Informative
    . . . DOJ attorney Christopher Painter, on whether ex-hackers could be trusted as computer security professionals. Mitnick says hackers bring special skills to the job, while Painter says a criminal is a criminal."

    They're called crackers.

    Mitnick sounds like little more than a self-promoter to me.

  11. Should I hire a reformed hacker? ... Depends. by KimiDalamori · · Score: 5, Insightful

    Am I running a bank with millions of dollars, and do I want the reformed hacker to secure the database with all the money in it?

    Come on, this is common sense:

    1: If the reformed hacker was doing it for personal profit, don't hire the hacker. If the hacker was just bored and causing trouble, maybe hire the hacker.

    2: If you want to secure the aforementioned bank's financial DB, don't hire a hacker, and have someone looking over the shoulder of the guy you do hire. =)

    3: If the reformed hacker writes all of his memos in 1337$p34|{, make sure you aren't hiring a reformed script-kiddie.

    Like I said, simple, sensible rules...

    --
    Lagito ergo expectabo
  12. But is A Fox Better than a Dog? by jonhuang · · Score: 4, Insightful

    It's not just about whether convicted felons can be trusted--M. seems to argue that it's actually _better_ to hire someone who's been on the shady side of the law.

    And as most crackers look for unsecured systems rather than attacking or defending a specific one, I don't think the "special skills" argument holds much weight.

    Ex-druggies make great recovery therapists but bad customs agents.

  13. Re:Both sides of the story by teamhasnoi · · Score: 4, Funny
    And a convicted (now reformed) pedophile might know a lot about taking care of kids. I still wouldn't hire them to run daycare.

    What!? And miss out on that one-on-one attention?

    Let it be known across the lands that this man has said loudly what we all have feared! Hacking is like having sex with kids! Beware! Begone!

  14. Prior Art by R_V_Winkle · · Score: 5, Interesting

    I am not in a position where I can affirm that Mr. Mitnick is reformed and can be trusted. However, I disagree with statements such as "Criminals are Criminals".

    And in answer to the assumption that Fortune 500 would not hire a criminal for his services, I would like to point out that many of these companies have hired Mr. Frank Abagnale in the past, who first made himself famous for check fraud before working with the FBI and then creating his own consulting firm. He is an example that an ex-criminal can become successful by using the same skills that made him a criminal in the first place, and that law enforcement and big companies do sometimes hire such people for their services.

  15. Re:Both sides of the story by teamhasnoi · · Score: 5, Insightful
    On one hand you say "a felon is a felon", then you say they can't use their crimes as a basis for seeking employment. It is common knowledge that law enforcement often uses ex-cons as 'consultants'. They are the ones who know how the mind of a criminal works (assuming they aren't burned-out crackheads). Who better to know the ins and outs of system cracking/crackers than someone who does it maliciously? It's not like someone out of school spends their time looking for new exploits. (Or do they?)

    So what is prison for? To make a profit for the private companies that have taken over the world's largest (and growing) prison population? If it doesn't reform you, why are we letting people out at all?

    Do people get to live normal lives after coming out of prison? No. They get 20 bucks or whatever they came in with, get kicked out, and are given no time to adjust to society.

    I'd say that if you can't trust an ex-con who served his time, either he didn't get a long enough sentence, the prison system needs reform, or you've been watching too much Magnum P.I.

    (I did very much enjoy posting that last one by the way....;)

  16. It's not about being a criminal... by jemenake · · Score: 5, Insightful

    I don't think most hackers hack because they like crime. They like a challenge. They want a way to test their intellectual arsenal against others.

    In a way, I guess you could look at hacking as the first multi-player online game. It was the first way to pit yourself against a real human opponent online (aside from checkers and chess on Prodigy back in the 80's I guess :) )

    The hackers play the "side" of the hackers because that is the side that's most available. If you give them a job as the sysadmin, then being able to read everyone's mail is no longer a challenge and, hence, tends to lose its novelty. Instead, they now have a new adversary: the rest of the hacker world.

    It's all about proving that your kung-fu is better. Whether you play the black pieces or the white pieces only determines the numbers printed on your paycheck (or your orange jumpsuit, I guess).

  17. I think I might have some insight here... by Cap'n+Crax · · Score: 5, Interesting

    Once upon a time, I was a hacker. I've always been into computers, since I first encountered a TRS-80 in 1977. I'm 36 now. I'm still using my original handle from those days, and wrote an article for Phrack in '85. I actually was one of the people who helped talk Craig (Neidorf, "Knight Lightning") into starting it as an online magazine. I've always believed in freedom of information.

    In those early days, there were LOTS of us (young people) who were into computers and were fascinated by them. But there was no internet, and those of us in small towns (like myself) had NO means to communicate with others with the same interests, other than BBS systems using a 300 baud modem, or 1200 baud if you could possibly afford it.

    So, at that time, if you wanted to learn and communicate, one of the first things you would do would be to call BBS's all over the US. But phone charges were high!! And the parents didn't like that!! So -- you would ask around. And soon, you'd find out about "hacking." Hacking local systems to use TELENET (not telnet), hacking local business PBX systems to get an outside line, which were usually 3-digit "passwords" in those days, or using "codes" to dial out using Sprint, MCI, or TMC (My article for Phrack was on TMC hacking.)

    Was it illegal? Yes. It was also amazingly simple. At that time, you would dial a local access number, enter a code (sometimes only 4 digits), enter a # to call, and it would go through. You could use a phone code for a month or more usually, until the customer got the bill and complained. I guess phone co. insurance picked up the tab. I never really cared.

    Pretty much my entire interest in and knowledge of computing and networking came from these early "hacking" experiences. I don't regret them. And I'm the most honest person you could hope to meet. Had there been an "internet" or ANY way to communicate with other computer folks, I would have used it. I pride myself on my honesty and don't steal, rob, rape, pillage or murder. I just like to learn new stuff.

    And, at that time, that was how it was done. Mitnick came from that era, and I think he was screwed unforgivably. I'm now a partner in a company that does some security work. Would I hire him? Absolutely, I know just where he's from.

    --
    PK: 09F911029D74E35BD84156C5635688C0
  18. Re:Both sides of the story by PerryMason · · Score: 4, Insightful

    I agree 100% and make a comparison with Wernher von Braun, who undoubtedly caused the death of many hundreds of people as a result of his development of the V2 rocket in WW2, but also undoubtedly knew more about rockets than just about anyone anywhere. His past history certainly didn't stop the US Government from leveraging his skills to get to the moon (well, maybe ;)

    Moreover, Mitnick (and any felon who is now out of jail) has served his time and if the system does what its supposed to do, he is now reformed. (Unless you argue that jail is purely a punitive thing, in which case why let anyone out ever, if they are just going to be the same as they went in?) Certainly, I would think twice about handing him the proverbial keys to the NSA's servers, but equally, if I wanted to protect those same servers, who better to ask than someone who potentially has the skills to compromise them?

    --
    "I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
  19. Rant Redux by limekiller4 · · Score: 4, Funny

    I don't know if I should hire a hacker but I do know that Slashdot should hire a copy editor.

    --
    My .02,
    Limekiller
    1. Re:Rant Redux by SmartGamer · · Score: 5, Funny

      I think they do. It seems that all the articles are copied from yesterday.

      --
      Warning: Poster of this comment is a nerd. Just like everybody else here.
  20. Morality, is it absolute? by The+Only+Druid · · Score: 5, Interesting

    I know this won't be a popular viewpoint here on slashdot, but perhaps we shouldn't reward people who break laws [by hacking] by giving them a job?

    I don't mean to suggest either that (a) we should ignore a potentially powerful resource, or that (b) all hackers are necessarily immoral. However I personally would be quite upset if I were a security advisor who abstained from illegal activity, and a former hacker was hired to either replace or supervise me.

    Also, from a devil's advocate position, I'm thinking this is akin to the hiring of former insider-traders to work on preventing further cheating. Basically, we're inviting the dog back into the pantry.

    Please don't mod this as a troll, since I'm being serious here.

    --
    "Stumble before you crawl"
    1. Re:Morality, is it absolute? by m0rph3us0 · · Score: 5, Insightful

      Idea: Hire the best person for the job. Sometimes that is Kevin Mitnick, sometimes that is Theo de Raadt; it depends on whether you need pen testing done or secure software written.

      I was thinking of getting a subscription to see posts early, but I realized that with the amount of dupes I was already seeing posts days in advance.

    2. Re:Morality, is it absolute? by Feztaa · · Score: 4, Insightful

      perhaps we shouldn't reward people who break laws [by hacking] by giving them a job?

      If that person is reformed, why not? They'll have a hard enough time finding a job with a criminal record, at least they should be able to get jobs in areas where they've proven themselves competent.

      Of course, if the person is a repeat offender and they've proven themselves untrustworthy, that's a different can of worms. But if it's just one offence, and they've subsequently cleaned up their act, then what's the problem?

  21. Not really a repeat... but kinda by poppen_fresh · · Score: 4, Funny

    This isn't a repeat of the earlier /. post. That one linked to security focus and this one links to business week. But the business week article is just a reprint of the security focus article...

  22. Sounds Like He is Management Material by yintercept · · Score: 4, Funny

    I for one, as an honest person, am tired of hearing about this frickin' criminal! Yes! Criminal!

    Sounds like this Mitnick guy is management material. Criminal action shows initiative. It shows that he will do what it takes to get ahead.

    Most of our society looks at the criminal as a superior form of being not tied to the conventionalities of the honest man (i.e. peasant). But there is a big problem with that getting caught thing. If he was a criminal who hadn't been caught...well, there is no end to how far he could go in the American corporate structure.

    Who knows, he could have been CEO? I suspect most CEOs have done far worse things than Kevin Mitnick on their back-stabbing drives for power. Unfortunately, there is a gentleman's agreement on being caught, tried and convicted.

    Hiring a felon might get people looking closer at what companies actually do, and how the insiders funnel off profits. It would be far too risky to hire the man.

  23. Yay, Sun Tzu by fishbert42 · · Score: 4, Insightful

    Hiring a former cracker to secure your network could be an extremely valuable move. Why? Because they know the mindset and thought processes of one who is trying to compromise system security. This is not something that can be learned through college courses or workplace experience. Oh sure, you probably learn a lot with both of those, but it's always at least one step behind (you're only learning how to prevent those techniques, exploits, and patterns thereof that people have tried before). Former crackers can more easily step into an adversary's shoes, potentially giving their company valuable insight.

    "Therefore, I say: Know your enemy and know yourself; in a hundred battles, you will never be defeated. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal." -- Sun Tzu, The Art of War, Chapter 3

    Besides, if a company's network were compromised mysteriously by someone on the inside, who do you think would immediately be the prime suspect? No reasonably intelligent former cracker would ever do such a stupid thing.

    Furthermore, regarding your analogies:
    I would hire a convicted embezzler to keep track of my savings account if it were in danger of being attacked by numerous embezzlers on a daily basis (much like how corporate networks are attacked by crackers). And, for the same reasons as above.

    And your rapist analogy is quite off base seeing how, even if one's daughter were in danger of being attacked by numerous rapists on a daily basis, such an attack would be extremely easy to spot and would require absolutely no special skills to help prevent (other than, maybe, not being a quadriplegic mute). A sufficiently trained monkey could stop a rapist -- and a sufficiently trained monkey could probably be a rapist. =)

  24. Hacker One Cube Over by _Sprocket_ · · Score: 5, Insightful

    I know this wont be a popular viewpoint here on slashdot, but perhaps we shouldn't reward people who break laws [by hacking] by giving them a job?


    If you (or your workplace) have a technically competent IT department, there is a good chance you have already hired hackers. If you also have a technically competent Infosec department, there's an even better chance. The only difference we're now hashing out is whether you wish to limit yourself to those who were either smart enough, or lucky enough, to never have gotten caught.

    The important issue is not a criminal "hacker" record, but rather the abilities of the individual in question. If they are able to bring a particular skill-set to the table and perform to expectations, then they make a good employee.

    The recent demonizing of "hackers" seems to have little to do with ability or morality. Such laws and legal actions seem to have more to do with publicity. A lawmaker or prosecuting attorney's career should have little to do with your hiring process.

    There are exceptions. If the individual in question committed embezzlement, then they have demonstrated a willingness to victimize their employer (to say the least). Such an individual would be a risk - but then, that has little to do with a "hacking" conviction.

    The other extreme is seeking to hire those with criminal convictions. This is perhaps a better example of "reward[ing] people who break laws." A computer crime conviction does little to prove one's skill-set. Again - it proves one was either stupid or unlucky. Or upset the wrong people. It doesn't prove that one would be able to deliver as a consultant or IT team member.

    One final note - the old days of hacking seem to be passing. Hacking, no matter your definition, has always been about learning a system. Back in the old days, the only way one could gain more time/access to a system was to learn how to manipulate the system and provide it oneself. Without permission, if need be.

    These days, one can create a functionally similar environment to most of what one would find in corporate and government networks at home using cheap, old hardware and free software. The need... and the excuse... to attack remote systems to gain the access needed to learn is fast fading. Of course, that doesn't take into account proprietary hardware and software. But then it becomes a question of the risk of being caught versus the lure of such systems. But then - if you learn enough and build a career, you'll get access to those systems legally.
  25. Re:Wrong. by jhigh · · Score: 5, Insightful

    Breaking the law is breaking the law is breaking the law. While you may not agree with the laws in place, you are assuming a certain amount of responsibility when you break them. I speed all the time, as I'm sure most of us do. When I speed I am well aware of the risk that I may get caught and have to pay a ticket. I weigh the risk against the benefit, and speed to my heart's content.

    Mitnick broke the law. You're right, he didn't kill anyone or molest any small children or anything. But he did break the law, and there are consequences of that. A significant consequence is not being trusted in the infosec industry. The data that is being protected on these networks is just too important to gamble on someone who may or may not have "turned over a new leaf." Especially when there are more than enough excellent professionals with clean records out there.

    I also like the point that allowing Mitnick to work in this industry only encourages the generation coming up now to violate the law. Or, if you think that's a stretch (which I don't), the fact that we can attempt to dissuade the younger generation from becoming black hats by making it clear that there is no place for them in the infosec industry. Whether or not Mitnick or any other black hat is qualified...we should use this opportunity to send a message that crime really doesn't pay (corny, I know).

    --
    Social Engineering Expert: Because there is no patch for stupidity.