Slashdot Mirror
Should You Hire a Hacker?
fabioj writes "Business Week has an article about today's debate at the RSA Security Conference held at the Moscone Center attended by Kevin Mitnick and his 1995 trial prosecutor, Christopher Painter. Interesting to note that Painter doesn't see Kevin Mitnick's experiences as a deterrent for the 'up-and-coming technology workforce' to criminally hack."
So why is Poindexter running Total Information Awareness?
What ever happened to "rehabilitation"... I guess some people just can't forgive.
- colin
He's not a criminal any more, he's a member of society just like the rest of us.
Mr. Painter seems to be...painting...anyone who has ever committed a crime as a lifelong criminal. Good work rejecting the entire philosophical foundation of our criminal justice system, dipshit.
You know the rest.
Although it certainly matter what your former profession might be, as long as you can do your job (of network security, I mean). OTOH, it seems like the best methods of foiling spies and hackers is to think like one, and the best way to think like one, is to, well BE one.
Interestingly, I wonder exactly who the U.S. has employed in its counterterrorist operations.
So the question boils down to morality. And that's not so easily defined. IANAH, but I suppose one of the better methods would be double-blind security; one ex-hacker to design the system, one ex-hacker to try and defeat it, and never the twain shall meet.
Most caught crackers are going to bring special, outdated skills to the job.
Am I running a bank with millions of dollars, and do I want the reformed hacker to secure the database with all the money in it?
Come on, this is common sense:
1: If the reformed hacker was doing it for personal profit, don't hire the hacker. If the hacker was just bored and causing trouble, maybe hire the hacker.
2: If you want to secure the aforementioned bank's financial DB, don't hire a hacker, and have someone looking over the shoulder of the guy you do hire. =)
3: If the reformed hacker writes all of his memos in 1337$p34|{, make sure you aren't hiring a reformed script-kiddie.
Like I said, simple, sensible rules...
Lagito ergo expectabo
I am not in a position where I can affirm that Mr. Mitnick is reformed and can be trusted. However, I disagree with statements such as "Criminals are Criminals".
And in answer to the assumption that Fortune 500 would not hire a criminal for his services, I would like to point out that many of these companies have hired Mr. Frank Abagnale in the past, who first made himself famous for check fraud before working with the FBI and then creating his own consulting firm. He is an example that an ex-criminal can become successful by using the same skills that made him a criminal in the first place, and that law enforcement and big companies do sometimes hire such people for their services.
So what is prison for? To make a profit for the private companies that have taken over the worlds largest (and growing) prison population? If it doesn't reform you, why are we letting people out at all?
Do people get to live nomal lives after coming out of prison? No. They get 20 bucks or whatever they came in with, and kicked out, and given no time to adjust to society.
I'd say that if you can't trust an ex-con who served his time, either he didn't get a long enough sentence, the prison system needs reform, or you've been watching too much Magnum P.I.
(I did very much enjoy posting that last one by the way....;)
I don't think most hackers hack because they like crime. They like a challenge. The want a way to test their intellectual arsenal against others.
:) )
In a way, I guess you could look at hacking the first multi-player online game. It was the first way to pit yourself against a real human opponent online (aside from checkers and chess on Prodigy back in the 80's I guess
The hackers play the "side" of the hackers because that is the side that's most available. If you give them a job as the sysadmin, then being able to read everyone's mail is no longer a challenge and, hence, tends to lose its novelty. Instead, they now have a new adversary: the rest of the hacker world.
It's all about proving that your king-fu is better. Whether you play the black pieces or the white pieces only determines the numbers printed on your paycheck (or your orange jumpsuit, I guess).
Once upon a time, I was a hacker. I've always been into computers, since I first encountered a TRS-80 in 1977. I'm 36 now. I'm still using my original handle from those days, and wrote an article for Phrack in '85. I actually was one of the people who helped talk Craig (Neidorf, "Knight Lightning") into starting it as an online magazine. I've always believed in freedom of information.
In those early days, there were LOTS of us (young people) who were into computers and were fascinated by them. But there was no internet, and those of us in small towns (like myself) had NO means to communicate with others with the same interests, other than BBS system using a 300 baud modem, or 1200 baud if you could possibly afford it.
So, at that time, if you wanted to learn and communicate, one of the first things you would do would be to call BBS's all over the US. But phone charges were high!! And the parents didn't like that!! So -- you would ask around. And soon, you'd find out about "hacking." Hacking local systems to use TELENET (not telnet), hacking local business PBX systems to get an outside line, which were usually 3-digit "passwords" in those days, or using "codes" to dial out using Sprint, MCI, or TMC (My article for Phrack was on TMC hacking.)
Was it illegal? Yes. It was also amazingly simple. At that time, you would dial a local access number, enter a code (sometimes only 4 digits), enter a # to call, and it would go through. You could use a phone code for a month or more usually, until the customer got the bill and complained. I guess phone co. insurance picked up the tab. I never really cared.
Pretty much my entire interest in and knowledge of computing and networking came from these early "hacking" experiences. I don't regret them. And I'm the most honest person you could hope to meet. Had there been an "internet" or ANY way to communicate with other computer folks, I would have used it. I pride myself on my honesty and don't steal, rob, rape, pillage or murder. I just like to learn new stuff.
And, at that time, that was how it was done. Mitnick came from that era, and I think he was screwed unforgivably. I'm now a partner in a company that does some security work. Would I hire him? Absolutely, I know just where he's from.
PK: 09F911029D74E35BD84156C5635688C0
I know this wont be a popular viewpoint here on slashdot, but perhaps we shouldn't reward people who break laws [by hacking] by giving them a job?
I dont mean to suggest either that (a) we should ignore a potentially powerful resource, or that (b) all hackers are necessarily immoral. However I personally would be quite upset if I were a security advisor who abstained from illegal activity, and a former hacker was hired to either replace or supervise me.
Also, from a devil's advocate position, I'm thinking this is akin to the hiring of former insider-traders to work on preventing further cheating. Basically, we're inviting the dog back into the pantry.
Please dont mod this as a troll, since I'm being serious here.
"Stumble before you crawl"
I think they do. It seems that all the articles are copied from yesterday.
Warning: Poster of this comment is a nerd. Just like everybody else here.
If you (or your workplace) has a technically competent IT department, there is a good chance you already have hired hackers. If you also have a technically competent Infosec department, there's an even better chance. The only difference we're now hashing out is whether you wish to limit yourself to those who were either smart enough, or lucky enough, to never have gotten caught.
The important issue is not a criminal "hacker" record, but rather the abilities of the individual in question. If they are able to bring a particular skill-set to the table and perform to expectations, then they make a good employee.
The recent demonizing of "hackers" seems to have little to do with ability or morality. Such laws and legal actions seem to have more to do with publicity. A lawmaker or prosecuting attorney's career should have little to do with your hiring process.
There are exceptions. If the individual in question committed embezzlement, then they have demonstrated a willingness to victimize their employer (to say the least). Such an individual would be a risk - but then, that has little to do with a "hacking" conviction.
The other extreme is seeking to hire those with criminal convictions. This is perhaps a better example of "reward[ing] people who break laws." A computer crime conviction does little to prove one's skill-set. Again - it proves one was either stupid or unlucky. Or upset the wrong people. It doesn't prove that one would be able to deliver as a consultant or IT team member.
One final note - the old days of hacking seem to be passing. Hacking, no matter your definition, has always been about learning a system. Back in the old days, the only way one could gain more time/access to a system was to learn how to manipulate the system and provide it oneself. Without permission, if need be.
These days, one can create a functionally similar environment to most of what one would find in corporate and Government network at home using cheap, old hardware and free software. The need... and the excuse... to attack remote systems to gain the access needed to learn is fast fading. Of course, that doesn't take in to account proprietary hardware and software. But then it becomes a question of the risk being caught versus the lure of such systems. But then - if you learn enough and build a career, you'll get access to those systems legally.
Breaking the law is breaking the law is breaking the law. While you may not agree with the laws in place, you are assuming a certain amount of responsibility when you break them. I speed all the time, as I'm sure most of us do. When I speed I am well aware of the risk that I may get caught and have to pay a ticket. I weigh the risk against the benefit, and speed to my heart's content.
Mitnick broke the law. You're right, he didn't kill anyone or molest any small children or anything. But he did break the law, and there are consequences of that. A significant consequence is not being trusted in the infosec industry. The data that is being protected on these networks is just too important to gamble on someone who may or may not have "turned over a new leaf." Especially when there are more than enough excellent professionals with clean records out there.
I also like the point that allowing Mitnick to work in this industry only encourages the generation coming up now to violate the law. Or, if you think that's a stretch (which I don't), the fact that we can attempt to dissuade the younger generation from becoming black hats by making it clear that there is no place for them in the infosec industry. Whether or not Mitnick or any other black hat is qualified...we should use this opportunity to send a message that crime really doesn't pay (corny, I know).
Social Engineering Expert: Because there is no patch for stupidity.