Would You Hire A Hacker?
theodp writes "A German security company has divided opinion in the IT industry by offering a job to the teen charged with creating Sasser. Silicon.com asks its CIO Jury: Would you hire a hacker? and finds the jury split down the middle, with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother."
That's not hacker! It's cracker. Hackers create, crackers destroy.
-ESR (fake)
Hacker != Cracker. How-to.
[O]ne IT Director [said] doing so would be like hiring serial-killing doctor
A little extreme on the allegories, aren't we? Virus writing is not exactly like taking out a knife and killing someone. (Although it may result in the shutdown of systems that support people's lives. I'd tend to blame this on the idiots who use Windows for those systems, though.)
As for hiring him, I think my answer would be "maybe". I certainly wouldn't hire him because of his transgressions, but rather despite them. Basically, everyone should be entitled to a second chance. If this employer believes that the guy has a lot of talent and is repentant of his past deeds, then give him another shot! He'll have to try damn hard to remove the stigma from his deeds, but try hard enough and he might just turn his life around.
Javascript + Nintendo DSi = DSiCade
It'd be more like hiring a doctor who was convicted of illegal cloning experiments to work on alternatives to organ transplants.
doing so would be like hiring serial-killing doctor
Well, if he's good with a knife..
Honestly though, if a hacker has paid his debt to society and now wants to help businesses prevent what he was doing (Kevin Mitnick), why not let them? Having the most knowledgeable person for the job might just save you from being hacked by someone else--as long as you can trust the person.
What a loaded question?
Would I hire a worm-writing kid? No.
Would I hire a gray-hat security genius? Absolutely.
I mean, sure the people who create these things (usually) prove to be rather technically savvy people with a good knowledge of computers, would you want someone on your payroll who obviously doesn't possess the ethics or morals not to be creating these damned viruses in the first place?
I mean, what's next? Embezzlement? Not on my watch.
Hacker yes, Cracker No.
A security company might benefit from his experience, or even just the marketing angle "the best hackers work for us!"
In the field I'm in, he'd be a liability. We do government stuff, relating to law enforcement, and while we're not a bunch of angels, we don't want any skeletons in our closet either.
I don't need no instructions to know how to rock!!!!
On, among other things, the definition of hacker. I talked to RMS (while he was in Oslo), on the subject of hacker vs. cracker. I would, no doubt, hire a hacker. I would have serious difficulties hiring a cracker. But, I would consider it. I might even hire two, both unaware of the other, to verify the work.
While he has shown he can code a self propagating program given a canned exploit, he has not shown either above average programming talent, any sort of security knowledge, or any judgement whatsoever.
hacker != coder and certainly != developer.
But if you need someone to tinker with your system and find its faults...
I'd think of a "hacker" as a "QA tester".
I know a lot of people who are "Hackers" who work in IT... Hiring someone who writes worms and virii though? not bloody likely... Hackers aren't always malicious, and more than likely they know what they are doing with system administration than someone who just reads a few FAQs and manuals...
It might be nice while they're working for you, but if you piss them off (who hasn't been an employer and had an employee pissed off?) then they have inside knowledge about your company and the ability to hack.
On the other hand, I wouldn't consider these VBS writers "hackers". They are just glorified script kiddies. Don't reward that behavior.
Chris
Or in this case a script kiddie who's probably been hanging around /. too much. At any rate, I wouldn't hire one this soon after he had "learned his lesson." I'd wait and see if he can contribute to society before trusting him with my boxen. But if he's got a clean record after a few years, and has proven that he's trustworthy, and has the skills, yeah, probably.
I tend to think that just because someone creates a virus that happens to work well, and causes massive amounts of destruction isn't a horrible person at heart.
I think if you've ever done any amount of programming, you've been there before, little mental masturbations of doing bad things to people to clever programming.
This is like refusing to hire someone because they got a speeding ticket, or downloaded music off of the internet.
.. I work for the Federal Government in a place with 3 letters (starting with N, ends with A...) you've all heard of.
They put computers online in honeypot setups with obscure holes that only they know about. When someone hacks in they're basically told they have a job for life. That sounds like crap but it's how I got my job. Seriously.
I would think that the image of your company long term would be a bigger thing than the publicity you would get short term. Although that good old saying, any publicity is good publicity...
Fear the day that you ever have to let him go.
If they want to learn more about their "trade" and the company that hires them properly handles all of the information it could then extract out of them, then whatever damage the kid could do would be mitigated by how much the security guys could learn. I for one say go for it, if the company that is going to hire this person knows what it's doing on collecting data about any and all work the cracker will be doing for them.
Sometimes the best way to learn about your enemy really is to contain them and see how they think. Who knows, maybe the security guys could find out enough to actually get an insight into how to properly go about proactively handling security threats posed by worms?
Click here or a puppy gets stomped!
I think it would depend on the QUALITY of the hack. A poorly written hack that breaks out in the wild, that causes unintended results would prevent me from hiring said person.
However, if the hack is an elegant piece of code, that does exactly and only what the author intended would be something I would consider.
Originality also would count. The creative nature of the hack would also weigh in. This prevents script kiddies from modifying existing hacks from the "application" for the job.
In other words, I would evaluate each hack and make judgements on the overall skill, novelty and execution of the hack, all skills needed for any programming job.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
OK... this hacker has become a celebrity of sorts, who has got all kinds of publicity. Then, consider how many programmers these days are discriminated against for all sorts of reasons, like age, not having exact skill sets, and the like. Methinks the famous hacker has the great advantage.
Heck, I'd rather be this hacker than being the relatively unknown programmer. I'd love for 50% of those polled saying they would hire me!
Steve Magruder, Metro Foodist
Ethics can get tricky, and gray areas surely exist, but sometimes, the ends justify the means. It isn't a perfect world we live in, and hiring the imperfect -- a cyber criminal -- to produce what you hope to be a better product is understandable.
To use an ethical model: "is" does not equal "ought."
But "is" is often the best of all possibilities....
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
Note: I'm not saying that this chump is the best programmer around, I'm sure he's not. But if he's a great man for the job and can think of things that you and I won't, then I'm on.
Berto
Would you hire him?
If that's true then the answer's "no".
If it was like hiring Hannibal Lecter, then I would probably say go for it, he has some great stories not to mention a few interesting recipes.
Of course, it would be important to keep your "petty torments" to a minimum.
myke
Mimetics Inc. Twitter
I can see WHY they'd want to, but think about it. You don't give your kid that candy bar when he throws a temper in the checkout aisle, right? Why encourage malicious hacking by rewarding hackers with a prestigious job? If anything, they should be blacklisted from the industry. That would send a message, and maybe the script kiddies would start thinking twice before wreaking havoc.
but I would not hire a Script kiddie...
There are PLENTY of information security white hats that are just as talented, if not more talented, than the black hats. If we are truly talking about hiring a "black hat cracker". Even if they were exceptionally skilled it would depend on the individual.
:)
They committed a computer crime. That is a liability, not an asset. All in all their benefits as a skilled IT professional would have to outweigh their liabilities (being busted for a computer crime). It is a factor that goes into the equation. I would say that in most cases it would be enough to lean me towards not hiring them. I think it's a pretty serious thing to hack someone else's system. There are PLENTY of ways to make a name for yourself in a white hat way. Writing papers, studying info sec and staying on top of the field and becoming a noted voice in the communities is one. Ultimately if you need negative publicity to be known (and or hired) you're just being lazy.
Jeremy
Not to play devil's advocate or anything, but if worm writers start getting high paying jobs (especially if they get lots of media coverage) wouldn't this encourage people to write more worms? Hey look, I can destroy all these machines, become famous, get stuck on probation, and get great job offers!
I Am My Own Worst Enemy
The FBI hired Frank Abagnale Jr. as a counterfeit specialist and it turned out to be a good thing. Why? Because he was just a freaking teenage KID that happened to be misguided through lack of maturity. If this teen hacker was given a little direction and purpose with his life then he could steer everything completely around.
I can't believe that comment about hiring him being similar to hiring a serial killer as a doctor. The director that spoke that comment is an idiot.
Why do companies think that hackers would continue to write malicious stuff while gainfully employed? What would motivate them to do so?
Who am I to blow against the wind? -- Paul Simon
I know you're joking, but really, if you treated the guy right, he really wouldn't bother to take you down... it's not much of a challenge.
I think I would look at what type of hacker they are.
Is it someone who knows systems inside and out and enjoys toying with them? Then definitely yes.
Is it a script kiddie who just took someone else's work and capitalized on it? Definitely not.
The issue is not about elitism, it's about attitude, someone who has gone to the effort to learn something and apply it is in a whole different world than someone who is so socially mal-adjusted they feel the need to tweak the latest worm to say "I RULEZ" and sends it back out.
Never underestimate the power of human stupidity -RAH
On one hand he has shown some talent and expertise, but on the other hand he has shown that he has a malicious side. I don't think I would be able to trust him even if I could respect his ability.
Anyone ever see that movie? A guy was an expert check forger by the age of 19. While in jail, he got hired by the government to help catch other check forgers. It pays to have proven experts on staff. (Even if the proof is in the form of crimes.) As for whether I'd hire them?...not without being sure that the source of the crime is a combination of high ability, high energy, and low opportunity to exercise it. The guy who has it in for society is worthless to me, but the guy who just needs something to do would be a great asset.
Short answer, no. Long answer, yes.
Why Not!!! The US Government has!!
Back in the day, Wasn't there a hacker group called 411?? And I think they or someone wrote a book on them...I remember the eyes being blacked out on the cover....And I think they, in the end, were hired by the US...
God that was so long ago....
It's left blank because I have nothing to say to you punks!
Just because someone took an exploit and exploited doesn't mean they would be good at doing security. If they were the one that researched the hole and then developed a proof, then yes, they might be a good hire, but someone that grabbed a source code package/modified/redistributed, no.
The question is not about whether he's paid his dues to society or is talented/not talented. The question is, does hiring a worm writer set a bad precedent and make worm writing as a means of attaining a dream tech job with loads of pay worth the risk of being caught? Are we saying to other would-be writers that if you're good enough at disrupting information flow and computer/network use that you will be given cushy jobs that most geeks could only dream of being offered? I say that there are plenty of people equally smart out there with the ability to have created and/or exploited a security vulnerability who instead report the potential and by that action itself have proven to be better, more trustworthy and honest people right there. This kid's got a lot of life ahead of him and plenty of time to mend his ways, but I think rewarding him right out the door is a bad idea. Further, I would be skeptical at best about installing _any_ software that this kid has been involved with, much less software that is supposed to protect me. So should they hire him? Absolutely not. PS Hire me!
Would I hire an extortionist to be my accountant?
Would I hire a thief to manage my inventory?
Would I hire a sadist to manage my HR (Catbert obviously excluded)?
Would I hire a sex offender to babysit my children?
No.
Yes, they did pay their debt to society/do their time. I might hire them to do other things away from their area of conviction, but I'm not going to dangle temptation in front of their face. Does that seem like just straight common sense to anyone but me?
The Hacker FAQ.
Belief is the currency of delusion.
I'm sure whatever damage this person could possibly do at the company will be more than made up for by the publicity they get from hiring him.
And he worked out great. We both had similar skills and were able to hammer out a lot of code. We do not work together anymore, but I still work with hackers. If you do not enjoy pulling things apart to see how they work and hack them to do new things you should not be writing software.
Brennan Stehling - http://brennan.offwhite.net/blog/
I remember a day when /. newbies would be roasted for confusing the terms hacker and cracker - now the editors do it :-/
Maybe if the kid wrote a virus that infected Linux, but anyone can write a virus for MS computers.
Use of the term 'hacker' here is a misnomer. Would I hire someone who has a broad technical ability and excels in why things do and don't work? Absolutely. But allow me to go on a little old-man rant here (and hell, I'm in my 20s): viruses these days aren't what they used to be.
In the 1980s-1990s, you could pick up a copy of 2600 and read the code for a relatively complicated polymorphing boot sector virus -- complicated because it took a good knowledge of assembler, specific system calls, the boot process on a PC, etc., among other things. With a few tweaks, it would be slow-incubating, but deadly.
The internet has changed the way we deal with security, because no longer is the question "How clever is the virus?" so much as it is "How cautious is the user?" Example: the "Microsoft Office 2004 Beta" for Mac appeared on P2P networks a few months ago. When run, it deleted the contents of your user folder. Devastating, yes, but nothing I couldn't do myself without programming knowledge. So the 'virus' wasn't clever, tricky, or even unique in function, except for the method of delivery, which was social in nature -- not technical.
The same applies to security holes in your OS. Whether the hole should be patched is another discussion, but taking the obvious routes through those holes to bring down computers isn't particularly noteworthy. If everyone at my office has VNC installed without a password, and I go delete their My Documents folder at noon today, am I a hacker? No. I'm just a prick.
So when you ask, "would I hire a hacker?" Yes.
But when you ask, "would I hire someone who creates/uses something annoying and not that special; requiring a moderate level of programming skill if at all; that relies on the user to activate it or a major security flaw in the OS?" Absolutely not. These kids' salaries should be going to sociologists who can better analyze group behavior, and real coders, not scr1pt k1dd13z.
Unemployed script kiddie? Try cracking. In the end, the only things potential employers remember from the headlines are your name and your apparent security expertise. I think this well and truly proves that any publicity is good publicity.
Would I hire a cracker/hacker if I were in the market? No. There are equally skilled or more skilled (unemployed) programmers or security guys whose ethics and loyalty I can depend on.
Isn't a big part of punishment meant to be deterrence, both for repeat offenders, and folks looking on?
What kind of message does this send, regardless of talent, shade of grey, or field.
Cause and effect. Do a crime, get punished.
The only effect of this is a better reason for these potentially skilled folks to eschew a more practical path, and go for the easy route.
It is not about skill or knowledge, it is about "Can I trust this person?". If someone can write a virus, that might demonstrate good knowledge. Releasing the virus shows the person either did not think about the damage they would make, or worse, they did not care. I would not want someone like that in my company or organization. I happen to think those kinds of people belong in jail, because sooner or later they will do something as stupid as the common thug.
Come and say hi. http://forum.penpals.com/index.php
pulling a trigger doesn't make you a sharpshooter, writing a script for a known bug doesn't make you a programmer. that little f*ck should be sent to jail for 10 years and hang out with the lifers who need a new b*tch to pass around.
sigs suck
Hire a script kiddie, maybe if I need my lawn mowed...and they had a pattern to try to copy.
First of all white people are just plain evil!! Kill Whitey! just kidding.... I'm whitey too...
Anyway, NO. I would not hire a person responsible for such destruction for two really good reasons:
1. You can never be sure of their moral alignment no matter how much money you pay him
2. Doing so would provide additional incentive to people who want to add "I wrote Monkey.B" to his resume to get their next job.
It is a bad idea and sets a bad example for others.
The problem with this analogy is that the doctor in question has not demonstrated extraordinary skills or aptitude in his chosen career and would not necessarily benefit the ailing mother.
The hacker, on the other hand, has clearly demonstrated skill (not a typical script kiddie), interest and aptitude in his (decidedly skewed) hobby.
So it's not a question of hiring *just* a (hopefully occasional) "wr0ngdoer". It's about hiring a proven highly-skilled one who could benefit you with his skillset.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
someone need to hax m$'s drm (i.e wmv)
its been done before so it can be done again
url ?
We're deploying a J2EE app to be hosted on their infrastructure. To get permission from their IT we had to go through an ARB [Architecture Review Board in their language].
There was about 300 questions and sections on all sorts of stuff like Information Layers and Anonymising of credit card/personal information.
But in the middle was a section on whether our application would survive an Ethical Hack.
They had a team who would Hack into the app, or die trying etc. Now having met some of their IT staff, I can't tell whether they have a Phone Phreaking department hidden away in the Competent Section, or whether it was some overworked Exchange Admin who had some spare time after patching all his servers.
So some Fortune 100 Car company CTO already rubber stamped this Ethical Hack business. The rest cannot be too far behind
Would I hire com Adrian Lamo? Yeah.
It depends a lot on the intent of the attack and what was done once it was successful. Also on the personal morals of the individual.
I do security
good post, and he needs the karma!
a thousand monkeys working on a thousand typewriters?
Just shift them from typewriters to computers and soon they will write the greatest hax man has ever seen
"ILLEGAL OPERATION"
"It was the best of times, it was the blurst of times"
Granted, I haven't tried to write anything but is it that hard to really write a good virus? I would think a good security 'professional' with years of experience defending such attacks would be a better candidate than an 18 year old kid. If they aren't, well, maybe they should be more worried about finding suitable employees.
"Thanks to the remote control I have the attention span of a gerbil."
Wow this was easier than I thought.
Would I hire some kiddie who managed to modify someone else's worm code? No.
Would I spend 1 programmer year salary to get my company's name plastered on the news across the world? Yeah, I'd wager that's a great deal.
A cracker, when talking about a person, is "a poor white person, esp. from the Southeast". Nothing in English talks about destroying anything.
A hacker, definition #2 in the American Heritage dictionary, does illegal access to computer dictionaries. I can understand arguing that you wish they were more specific which definition of 'hacker' they used - but computer geeks trying to redefine 'cracker' is an insult to poor white crackers in the southeastern US.
crack-er
n.
1. A thin crisp wafer or biscuit, usually made of unsweetened dough.
2. One that cracks, especially:
   1. A firecracker.
   2. A small cardboard cylinder covered with decorative paper that holds candy or a party favor and pops when a paper strip is pulled at one or both ends and torn.
   3. The apparatus used in the cracking of petroleum.
   4. One who makes unauthorized use of a computer, especially to tamper with data or programs.
3. Offensive.
   1. Used as a disparaging term for a poor white person of the rural, especially southeast United States.
   2. Used as a disparaging term for a white person.
hack-er
n. Informal
1. One who is proficient at using or programming a computer; a computer buff.
2. One who uses programming skills to gain illegal access to a computer network or file.
3. One who enthusiastically pursues a game or sport: a weekend tennis hacker.
IMO, sys-admin script writing in Perl, Python or whatever is similar to black-hat hacking. Scripts are written that report current IP addy, software installed, uptime, MAC addy, etc. How is this different from getting info from spam bots or DDOS zombies? Some of our scripts have come in handy for stolen laptops. The laptops phone home when the user logs on reporting MAC addy, IP, GW, SNM, etc... we call the cops who in turn call the ISP who then provide an address and bam, the thief is caught. Knowing a bit how to think like a black-hat hacker can be beneficial!!!
I would only hire a hacker that was smart and had been properly punished for crimes committed. Also, his rap sheet better not contain more crimes than just the hacking. I can give a little slack to a curious genius while none for semi-intelligent career criminal.
Hear hear! I can't stand how many people keep making this simple mistake. By calling destructive computer criminals "hackers," you're bringing down everybody who codes for the love of it. Lots of us have been calling ourselves hackers for years, only now to get painted with this negative brush.
I don't expect the mainstream press to know any better, but this is Slashdot. Can we please try to keep our definitions straight?
A hacker is a skilled, passionate computer programmer -- nothing more.
A person who commits malicious computer crimes is a biscuit. Like those evil software pirates who walk around with those parrots on their shoulders: "Polly want a biscuit!" Get it right, people.
Breakfast served all day!
More like hiring an out of work surgeon who got caught for switching the heads of neighborhood pets.
Geeze I don't want to ever for this clown....I bet he's got a law degree too!
government agencies in the US will hire criminals to help them 'think like criminals.' some notable ex-felons: la femme nakita, wolverine, spawn... this is obviously okay!
Martini Glasses
Except I would hire him to wash dishes, make the beds, do my laundry, dance for me....
Don't Crease the Weasel!
There are a lot of loons out there.
The term hacker used to refer to people who were familiar with computers at a scary level and who could make them do unexpected things. It did not have a negative connotation - it was actually something of an honorary title like "guru". But when network-based attacks started to be reported by the media, it was reported as being done by "hackers" which was probably true... but because the media only ever used the term in that context they came to think of it as "hacker == computer criminal". Thus we created the term "cracker" for them to use instead. They haven't.
Now that Hollywood and Slashdot and whomever have taught a generation of teenagers that "hacker == computer criminal" you see a lot of people not believing this explanation, and some even think that there should be a different term for "white-hat" crackers. To me, it just adds more confusion to the mix.
So, in summary:
hacker == computer guru, neither good nor bad
cracker == computer criminal, may also be a hacker
one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother.
Being that Shipman is dead, it would be really stupid to hire him for anything.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
nope
If Kerry was the answer, it must have been a stupid question.
The UN - The largest "political" cause of death.
"NASA" has four letters and starts with N and ends with A. It won't fit in 1, down!
In this case, I don't think there's a whole lot to be learned.
The Sasser worm exploited a hole in LSASS that Microsoft patched on 4/14, the worm itself was discovered in the wild some time later than that, around 5/1 as best I can remember.
The lesson? Keep your crap patched and you won't get as many worms. How can observing this guy give any insight into that?
The management people interested in hiring previously malicious hackers are barking up the wrong tree. Shady hacking isn't necessarily smarter hacking. Demonstrating successful security skills, for example, is no less impressive than breaking into a system.
with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother.
why not it will get the job done one way or the other
Who controls the information, controls the world...
This isn't some newfangled use: black-hats and gray-hats have been called "hackers" forever. Wozniak and Jobs were phreakers too back in the 1970s, remember?
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
I'd be inclined to hire a hacker, but only if I could get good buy-in from everyone he/she'd be working with (and, if applicable, my management). Someone with a hacker background is likely better than the average person off the street and this can certainly help. The downside is if the people he/she works for don't trust him/her. A hacker (especially this one) comes with a stigma attached that can be used against him/her and you. Anything goes wrong and unscrupulous people with something to gain will promptly point the finger. It would be easy to wind up in a guilty until proved innocent situation. Thus, getting strong backing in the company/group would be the key for me.
An elegant/well-done hack is a proof of talent just like any other thing. And does it make sense for a company to hire talented individuals ? Yes. Enough said.
Would you hire a teenager?
If you did hire a teenager, would you only hire a teenager who had never done something stupid?
If you would never hire a teenager who had done something stupid, would you only hire adults who had never done something stupid as a teenager?
Teenagers are people trying to learn how to be adults. They make mistakes.
--
Bush: Spending money the U.S. doesn't have to try to make his administration look good.
The question to ask is can he do the job he's being hired for. If he can then I don't see a problem. Does writing evil code disqualify somebody from getting a job coding? I don't think so, unless part of the plea agreement requires him to stay away from computers. On the other hand, I don't think writing a virus necessarily qualifies one to write just any kind of program anymore than being a speeder qualifies one to drive NASCAR.
As long as the actions they are convicted of are not what I would call criminal. Let me explain. You have varying degrees here that are being discussed. You have the cracker/hacker that is of a malicious mindset, writing virus programs and hacking sites for credit card information. I wouldn't hire one of them. You also have the hacker who is curious, who is looking for ways to circumvent the status quo. Sure they have hacked into sites and company networks, mostly undetected, but they did so just because it presented a challenge. No harm no foul. These are the thinkers, the ones who need to know how things work, the ones who can look at a problem from many different angles. They are the ones who are going to be productive architects and engineers. They are the ones I would hire. Keep em challenged and you keep em happy.
Security is all about trust. Would you trust software written by an ex-virus writer? Or would you use the software recommended by your local guru?
you could have told us what RMS actually said, rather than just saying that you talked to him.
Seems to me like it would be better to have him in a controlled environment being forced to focus his energy in a positive direction.
Clearly this individual is both dangerous and exceptionally talented at the same time. If the company can handle their employees with stringent security measures then most likely they will see the benefits of hiring someone like this.
For a software engineer or technical operations position, sure. For a project manager position, no way.
Secondly, all you hackers-aren't-crackers posters should be modded "-1, Tilting at Windmills." If you want to waste time debating semantics, you've obviously got no message worth anyone's time.
The most important trait for an employee is ability to work well with others. Very few things are solo-genius creations, and those that are, fit better in startups than established corporations. I'd be more inclined to invest my personal money as VC to a hacker-run startup than I would be to bet it that a particular hacker would thrive in a Fortune 100 environment.
The next most important thing is the ability to follow a documentable and repeatable process. Hacking for yourself is fun, because it only ever requires you to poke and prod based on your own intuition. When you're anti-hacking, you don't get the same luxury: you have to cover/examine/harden whole systems. Think of the hackers as the Blitzkrieg, and the anti-hackers as the Maginot line: the odds are stacked against the defenders.
Thirdly, degrees and certifications (which typically have ethics requirements which preclude ex-hackers) really matter in a corporate environment... Not if your hacking is successful, but to help assure that UNsuccessful hacking means something. That is, if we couldn't get in, we expect it's pretty secure.
And, lastly, it's about the liability. All self-righteous nonsense about giving people second-chances aside, those who have committed crimes in the past are more likely to commit them in the future.
Bottom line? It's far easier to take a hard-working system administrator and make her into a good hacker than it is to take a computer criminal and make him into someone who fits in a corporate environment.
While I certainly disagree with virus authors being referred to as "hackers", to the original question of whether or not I would hire them, it would depend on the hack.
Writing code that maliciously attacks computers using known and published exploits is no great feat, it simply means you have a desire to cause chaos and you can spread your code faster than it can be patched. This is not the type of person I would hire.
Infiltrating systems by methods that are NOT well known or published anywhere and contacting the company to inform them of the security hole would lead me to believe that you are dealing with an intelligent and ethical person, i.e. - the type that you would want to hire.
Depends on:
--How much he wanted.
--What kind of job he would do.
--What kind of publicity I was trying to get.
--What kind of culture I had within the company
(if supercorporate then never; if supergeek then yes)
--What fears I would have if the competition hired him.
--What level of competencies the company already possessed.
(if IT was UNIXed and Grizzled, they could mold him. If clean-shaven MSCEs, then no)
"Piter, too, is dead."
It sounds exciting working for the NRA.
Hmmm, how many other organizations start with "N" and end in "A" that have nothing to do with computers?
myke
Mimetics Inc. Twitter
Silicon.com asks its CIO Jury: Would you hire a hacker? and finds the jury split down the middle, with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother."
Flawed analogy. It takes a thief to catch a thief - ex-cons often serve as security advisers. The most famous case is obviously that of Frank Abagnale, master of bank fraud, whose autobiography was recently filmed, but he was not the only one. There's actually nothing new in the idea of hiring a hacker/cracker to improve your security - it's like hiring an experienced burglar to help you design better locks.
He exploited a flaw that someone else found, and almost certainly did by modifying a proof-of-concept exploit that someone else coded. That does not automatically make him a great hacker.
I'm going to ignore the whole hacker vs cracker thing and assume we're talking about crackers - people with ethical lapses in their past w.r.t. technology.
Someone that is an accomplished cracker in the wild is good at... cracking.
Does your company have a need for someone to try and crack stuff? If so, hiring a cracker for the sole purpose of attempting to break whatever it is you make that you don't want broken is probably a good idea. However, you may as well contract that work out unless you make enough stuff that having a full time cracker seems like a justified expense.
Now, the unwritten implication here is that people that are good at cracking are good at defending against other crackers. I don't think this is self evident.
For instance, Michael Schumacher is perhaps the best car driver in the history of motorsports. He arguably knows more about driving a car quickly than anyone else ever has.
He is not designing the cars he drives. He is driving them. He provides _feedback_ on the cars he sits in, based on his personal preferences and experience as a car driver.
I think the analogy holds for employing crackers - if your job is to make something that crackers will "use" (i.e. try and attack), get some of them looking at it, get their comments, their feedback. But thinking that they are going to magically design you a crack proof or crack resistant scheme is folly.
The "cracker as consultant or external advisor" approach also has the benefit that you don't necessarily need to let them into your corporate network.
If the question is "should you hire someone that was a cracker in the past for an unrelated CS/IT job", then that just depends on the nature of their offense, the threats / risks of the new project in question, and your personal beliefs on giving people a second chance, personal judgement, etc.
My opinions are my own, and do not necessarily represent those of my employer.
It is different for kids who grow up in the digital age. You may have gone outside and explored the outdoors or neighborhood growing up 20 years ago, but this is the digital age and the Internet is this kid's adventure. He has obviously demonstrated ingenuity and talent. It is only a question of when he matures and really grows up. That is something you can only tell by meeting and working with someone. I guarantee growing up and starting a family grounds and matures most people.
It is conceivable that you could see this as a way to change someone to be productive rather than destructive, by giving them goals and giving them the tools to accomplish them.
On the other hand we all know what business is REALLY like
IANAL, but I've seen actors play them on TV
From the link you gave for the hacker FAQ [http://www.catb.org/~esr/faqs/hacker-howto.html], I am posting a scoop about Microsoft.
I know it's a little offtopic, but interesting.
Do I need to hate and bash Microsoft?
A: No, you don't. Not that Microsoft isn't loathsome, but there was a hacker culture long before Microsoft and there will still be one long after Microsoft is history. Any energy you spend hating Microsoft would be better spent on loving your craft. Write good code -- that will bash Microsoft quite sufficiently without polluting your karma.
Harold Shipman committed suicide 9 months ago
There must have been a better analogy than mentioning hiring a dead person
FGD 135
No, the people who create these things usually prove to be teenagers.
Teenagers acting irresponsibly is hardly news.
Gimme a break.
If your organization started hiring guys who wrote these worms, you would be basically putting a bounty on every machine out there. You would be giving the impression to every kid out there that if they can write a worm that does massive damages to other people's machines, they will get a coveted job.
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
Of course, none of us were alive to see this, but when medicine was just starting out, the best doctors employed grave robbers to get bodies on which to practice and learn. It was against the law, and against the church, but they needed a place to learn without killing people. Now, I guess the question I ask is, would you want a doctor who had never seen the inside of a person to be the one helping your dear old mother?
I think it would depend really. As a potential employer, I've got to be able to visualize you sitting in the job in question. If you stand out as being extremely good at security, then I might hire you. But the trust issue is a huge one. Internal threats are one of the biggest IMHO.
There are _lots_ of IT functions that don't involve lots of security risks - to the company involved or other companies. Also, there are few meaningful ways to really test security _without_ putting someone of proven experience involved in the testing. Now, it might help if the CIOs had a better way of gauging proven experience than someone doing stuff that is illegal/immoral--but that is the CIO's problem.
I don't see that the Sasser guy was any great talent - but then neither are most of the folks managing major US corporations. Maybe they and the Sasser guy deserve each other.
Personally, I would like to see the Sasser guy in a secure, non-sensitive job someplace - and his testing functions as part of court-mandated community service (with proceeds going to clean up security messes). I hate seeing folks profiting from anti-social acts--and some of the Corporate types seem drawn to the more sociopathic crackers like flies to honey (if you believe the film "The Corporation" maybe it is because they have so much in common).
While I somewhat agree, there is good reason the media doesn't use the term "cracker" to describe someone who writes viruses / trojans / defaces sites / etc.
"Cracker" is already a derogatory term that has been used far longer than computers have been around. If someone on the 6 o'clock news said " A cracker defaced Microsoft.com today", 95% of the American population would immediately assume they meant that "A homophobic, racist southerner defaced Microsoft.com today."
Cracker was already taken long before computers were even invented. We should have come up with a better word. It's our own fault.
It's like the difference between the archetypal silent-but-deadly martial arts master compared to the street punk who beats people up because he can. No. I wouldn't hire this guy because he wrote the sasser worm.
Anyone who is worth his salt as a coder/geek has done some questionable things before. The question is whether or not they got caught. You can be sure there are people working at major tech companies already who have done some questionable things. Only they weren't caught. If you can trust a person and they're good, hire them. Chances are you've already got someone working for you who has broken the law only you don't know it.
The Information Revolution will be fought on the command line.
If you answer "yes", then hire him.
If you answer "no", then you just saved yourself from future headaches. If that person doesn't get along with others, becomes lazy, doesn't get the job done, or requires disciplinary action, you will be at his mercy because he will have probably programmed open backdoors and spy trojans on your internal LAN ready to retaliate.
Ethical hacks are not necessarily carried out by "hackers" as most people describe them. There are a lot of people in the security field that have never committed crimes using their knowledge. They can do excellent penetration testing work without the worry of whether or not they'll go rogue again.
What the CTO probably rubber stamped was that an individual that had been vetted by his HR group and hired as an employee, or an audit firm that had been retained by the company after appropriate legal agreements, can perform penetration tests in a manner that takes business requirements into consideration. For example, operations probably knows it's going on, the people doing the hack care about whether they might crash something and try to head that off, and they have strict parameters about how they handle the findings (i.e. no bugtraq posts).
You should take into account his popularity factor.
A GOOGLE search on "Sven Jaschan" gives 17,200 Results!
Seriously, how many Slashdotters' names would give that many results on Google? [Bill Gates, Steve Jobs et al. don't read Slashdot... or do they? lol.]
That's unbelievable and unacceptable. Hackers are not the same as Crackers. The correct question should be "Would you hire a cracker?" or "Would you hire a criminal?"
if only micro$oft would hire some hackers, perhaps they would get a clue on security
I would hire a hacker or a cracker, it's honestly a logical option. After all, a cracker won't bite the hand that feeds it.
I audit code for fun, write exploits to see if things are practical.
I'm also hirable - reckon my chances will go up if I write a mass mailer? ;)
This shit really is not rocket science. But it REALLY is about reliability and trust. Would you hire a kidnapping rapist to babysit your kids on the assumption that they probably know how all the kidnapping rapists operate?
Shit, boys and girls, get your 1337 heads out yo asses. You can't trust someone who has demonstrated to you you shouldn't trust them, who fundamentally believes s/he is smarter than you and your rules don't apply. And if you can't trust them then they can't work for you.
with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother."
That's the dumbest thing I've ever heard. Cracking a computer network is nothing like killing another human being, much less killing multiple people.
If you wait for those "few years" for the cultural demonstration that he's trustworthy; his skills are by virtue of our fast moving industry: rusty. You then don't have to hire him. How about a compromise? Hire, but don't fully trust. Given the number of security breaches which turn out to have inside complicity from those who previously displayed no criminal behavior "hire, but don't fully trust" is good advice for any employer of any person.
Here, no-one could access critical information without three way collusion. None of us have criminal records, but none of us are fully trusted. See the methodology? And the reward is that you, the employer, have sharp people, and the one with the checkered past has a job he enjoys and by which he is challenged.
Not a cracker who got caught and everyone knows he got caught. He wasn't smart enough not to get caught - he is not smart enough to work for me.
You can't handle the truth.
Nothing man, just giving away some invites...
Robert Tappan Morris - Yes
Richard Stallman - yes
Dennis Ritchie - yes
Ken Thompson - yes
John Draper - yes
and a few others that could be mentioned.
Could I afford to hire them? No.
Hire him for what? I mean really. Hacking can be looked on as an additional skill-set, but with a disadvantage. If I can get someone who's qualified to do the job with no questionable black marks on their record, what am I going to do? If I need someone with some advanced knowledge of socially reprehensible activity A and I can't find someone who's traditionally qualified, then hacker it is. And there are places that having a hacker simply makes sense.
Quack, quack.
Caucasian-American, Dude, please.
I am Sartre of the Borg. Existence is futile.
It's a gray area. Some security flaws may never have been discovered if it wasn't for a hacker. It might be possible that the day will come that a system, due to so many hacks, has become foolproof. However, a hacker that makes a stupid format c:\ type virus should be hung. I say, allow protocol based hacking, but if you touch files directly or indirectly then you go down.
I believe his actions speak for the quality of his character.
Why *wouldn't* you hire him? He isn't really a "black hat" or "cracker", since he isn't technically a hacker... but his programming skills must be pretty good in order to code such a deadly virus (or was it technically a worm?). I'd hire him as a programmer, but definitely not as a network security guy. Just because he can write an exploit into his own code doesn't make him a security pro. It's really not that hard, unfortunately.
- Code Dark
hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother.
Firstly, this assumes I like my mother
Secondly, being a hacker doctor, you figure he's probably seen more specs and nitty gritty details of his programs -- I mean, patients -- than most doctors.
Would I hire a worm-writing kid? No.
Would I hire a gray-hat security genius? Absolutely.
Would you do something marginally useful if it attracts attention to your company? Absolutely.
Ok, I think many people here are talking out of their ass without a real clue about hacker culture. I've known some hardcore hackers and most of them stopped hacking after 18. How good are these hackers? Put it this way, a hardcore elite hacker can break into a hardened unix system in under 2 hours. These type of guys do it because it's a challenge. They are not like your typical programmer. They eat, breathe and speak code. They don't get caught, because they are that good and they aren't stupid enough to leave traces all over the place. I've known guys who read assembly and hex like they're reading a comic book. The lame ones get caught and I've known a few who did.
I'd hire a former hacker, if s/he was just a kid when they did it.
After about five or ten years after the deed. Preferably after they got a wife and child(ren). Responsibility can make a big difference in life. A stupid kid has nothing to lose. A father does.
We had a lesser, but similar situation at the company where I work. This guy applied for a programming job, and his entire coding experience consisted of writing spamming tools.
He'd openly, and seemingly without shame, listed all his spammer tools on his CV (resume for you over-the-pond types)
I desperately tried to get the guy doing the recruiting to hire him, just so I'd get an opportunity to beat the shit out of the filthy bastard.
The media won that war. :_
Quack, quack.
I am a hacker, you insensitive clod...
"It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
I would hire a hacker, or even more than one, as my bodyguard, in hopes that with two possible geeky targets in sight, the playground bullies will pick him first so that I can run away. That's almost like doubling the survival chance for me!
Why does race have to play into it? Just because I'm white doesn't mean I destroy.
Have you ever been to a Turkish prison?
The analogy is that of a safe-cracker. A safe-cracker breaks into safes. A computer cracker breaks into computers.
"I'm not impatient. I just hate waiting." - My Dad
Language is a living thing, it evolves and word usage changes. Hacker is a negative thing in this context, talk to a kernel dev or a FreeBSD developer and maybe it won't be. Gay used to mean a happy person, and ignorant was uninformed, neither definition is what the general use is now so get over it.
BTW a hacker was not a skilled, passionate computer programmer, it was someone who created an ugly kludge to quickly solve a problem.
"I use a Mac because I'm just better than you are."
That one IT Director is incorrect in his analogy; a correct one would be a government medical agency hiring a scientist that designed a highly infectious, but only annoying, virus and then set him to creating cures to other more dangerous viri. I can see this happening, because if the man is skilled enough to design such a virus as viral as that, it is a good bet they can come up with ways to deal with similar viri. A corresponding computer analogy to the one said IT Director gave would be hiring a cracker that made a virus that burns out the computers and leaves them entirely a pile of ash. I have yet to see that one, though it would be pretty cool.
I'm sick of following my dreams - I'm just going to ask them where they're going and hook up with them later.
In magazine or TV interviews, I see executives at security companies or departments say that they would never hire a hacker, they have no hackers, blah blah blah. Of course that's what they'd answer, but all of them do. There is no major security company that does not have current or former hackers. I can state this because I know at least one at least former hacker in every major security company (or in security departments like the consulting departments of accounting companies).
In fact security work is the main job ex-hackers get. I have known many hackers from the 1980s until now and this is the most common job. I take a different tack though. Instead of "Should the boss (e.g. owner) hire a former hacker?", I ask, "should a former hacker go into security work?" I consider going into security work to be somewhat of a sellout. Information wants to be free, the means of production in the workers' hands and all of that. Some hackers become sysadmins or programmers, which is what I did. I think the question as asked puts out a bad way to think - it shouldn't be, will I be forgiven for my supposed transgressions by the holy boss/owner who decides if I eat or not; the question should be, have the idle class parasites assimilated people who (at least used to) rebel against the concept that they have the right to control the means of production.
The first perp had an account with a different ISP. He found several big holes in their security and alerted them of the problem. The ISP revoked his account as a reward. We found out about it, and gave him a job. He was 16 at the time and stayed with us well into adulthood while he went to college.
The second perp, who still works for us, was asked to perform a security check by his employer. He found holes, presented his findings, (including the dirt he dug,) and was brought up on charges for "Exceeding mandate" or something along those lines. We hired him. He's great.
Regardless, hacker jerks regularly hack away at our walls. I wish we had jobs for all of them! My vote? Hire them.
You DO hire hackers to catch hackers, that is - you do if you want to catch/stop them. Big surprise for the naive IT Director would be the mindset of the average cop, which is not so different from the average criminal (usually just smarter).
Cops and criminals think a lot alike, they just make different choices. Hackers and hacker-catchers must also think a lot alike, ie - where is the weakness in this? how does this work? I wonder if you could do this? People who don't naturally think along these lines find it very difficult to out-think those who do.
For other positions, only if I could spare the resource to monitor and double-check their work for some period of time.
In all cases, I'd expect them to come clean about the situation at the application stage, so that mutually-agreeable terms can be specified in the contract of employment; if there were any signs that old habits had been resumed in spite of such terms, I would expect to terminate the contract.
but hasn't the U.S. Government hired hackers before, right after finding them guilty? Then the hacker/cracker gets a job offer as a way of getting out of it?
FWIW, a colleague once told me the membership of The Cult of the Dead Cow was/is in part made up of some med.-highly respected individuals in the software security industry. Has anyone heard this before?
People from my generation (and we are the ones in charge at IT now) think both terms are derogatory. You want to get hired, don't use either one.
As for the premise of this article, not NO, HELL NO!
Wikileaks, no DNS
What am I hiring a hacker for in this scenario? My mail room? sure, he can deliver mail and pens to the cubicles. How about to design my security infrastructure or web application policy? Not so sure here, he might be out of his league. The beauty of this question is everyone is making all these assumptions in their answers.
Beyond the hacker v. cracker debate this question seems to imply that to be a "made hacker" one has to be convicted. And that is utter bullshit.
Some of the best hackers I know have been in prison for Federal crimes (notably USC title 18 violations); however, the majority of them have NOT been to prison. Of those some have been investigated but never convicted and some, believe it or not, have never committed a crime more heinous than violating a EULA.
So to restate the question, "Would you hire a convicted felon with electronic skillsets?"
Yes I possibly would depending on the job. If it were a closed network and I needed someone to conduct penetration testing I would certainly hire him/her.
If the job were to involve consulting and facing clients I might be more reserved. A felon has serious liabilities including, but not limited to, bans on interstate travel and certainly international travel. In this case the person could only service clients in the local area without having to petition his PO every single time and then it's too big a hassle.
Hire him in a flash. There's no such thing as a bad kid, every child deserves favor and a second chance. Some stick up their ass over-educated twits won't see it but then they aren't very good people to begin with.
http://www.setec.org/hirehacker.html
-- The Funk, The Whole Funk, And Nothing But The Funk
First, I'd like to say that I am a white hat hacker as well as a security consultant/engineer.
I have never committed any computer crimes nor done so although I -outside of the corporate environment- would consider myself to be a gray hat. Because the world is not just black and white and I reserve my option to crack into computers if I feel that this would be morally correct (like, say, disabling the great firewall of China or stealing money from the mafia in order to donate it to the poor).
That being said, I would probably have hired the Sasser script kiddie, although I consider it to be morally incorrect in some way:
Morally incorrect because of the danger that it emphasises future script kiddies to write viruses in order to get famous and employed. But on the other hand his father got fired because of him, he probably had not much malicious intent and deserves a second chance as well as he will probably get convicted for it (and even faces time in prison).
BUT if I were his employer, I would probably hire him because of the huge publicity.
I can not agree with all the "how can you trust a convicted criminal" posts: On the one hand, how can you know that a white hat hacker you employ never committed any cyber crimes (e.g. in his youth)? And on the other hand, couldn't it be, that a convicted script kiddie is less likely to commit any crime again than a supposed white hat who you employ who just has never been caught?
Conclusion: great marketing gag but not ok due to the incitement of future virus authors and script kiddies to seek employment within the IT security industry that way. But I don't expect CEOs to behave in a morally correct way.
"Would you help me cross the river?" The scorpion asks the turtle.
"Hop on!" Says the turtle generously, "but you have to promise not to sting me?"
"I promise." The scorpion declares.
He then hops on. The turtle swims across the river. Just as they get to the other bank the scorpion stings the turtle.
"Why did you do that?" Asks the turtle painfully right before he takes his last breath and sinks under the water.
"It is in my nature..." The scorpion answers. (copied from here)
Not long ago I worked for a company with a similar situation. We asked this brilliant coder why he left his last job. He very honestly answered that he was a drunk and it caused him not to be able to do his last job, but assured us he was getting help and now clean and sober.
A couple months later he was doing terrible work, and back drinking. We confronted him about it.
All he had to say was, "What'd you expect? I told you that I was a drunk.".
...Also, I didn't know Buggalo could fly.
Excuse me fellas... Kevin Mitnick was a hacker/cracker. By saying because he is a criminal and you wouldn't hire him... I pose another question... would you hire Kevin Mitnick? How about Steve Wozniak (I know he wasn't a cracker... not that we know anyways)? True he is definitely not as skilled as Mr. Mitnick (whom I have tremendous amounts of respect for) but this kid definitely has got some skills. I would definitely hire him.
See: Relevant post.
Wikileaks, no DNS
Umm, he acted with positive intent, maybe?
Wikileaks, no DNS
How does writing a virus relate to hacking/cracking/etc?
Anyone with basic programming knowledge and a google search of the many holes in Microsoft software can write a virus... Does not require any skill, just a lack of ethics.
It's like hiring someone who programmed for a bulk email company... Sure, they have knowledge... but questionable ethics.
Generally good hackers/crackers have an in-depth knowledge of hardware, software, and the related laws and moral boundaries related to such activities... They use their skills to identify weaknesses and alert the appropriate people, they do not exploit those weaknesses for personal amusement/gain...
More like hiring a quack who was convicted of illegal cloning experiments that he implanted in your body without your permission, causing all sorts of malfunction, to work on alternatives to organ transplant.
Exactly! Someone mod this up!
But this description doesn't describe this kid.
Wikileaks, no DNS
Indeed. It seems particularly apt in this case!
Wikileaks, no DNS
"I specifically requested no geeks"
C. Montgomery Burns
"But nerds are my mortal enemies"
Homer J. Simpson
The IT Director who made the Shipman comparison should be fucking fired. Just what kind of values does a man have when he equates a mass murderer with a teenage computer virus writer? My god, the kid is exactly that, a kid! He isn't a violent drug crazed sociopath, he's doing what many kids do, i.e. messing around to see what he can do and how far he can go, with the exception that he got caught.
This kind of fanatic mentality, where a stupid fucking computer (or a song or movie on the internet) becomes more valuable than people's lives, is a sad testament to the state of our society.
You think I'm over the top? Why is it that people who download songs from the internet get punished harder than the executives of corrupt and failing corporations?
If you give someone a chance, after he or she has messed up, especially as a teen, they might or might not do something useful with their lives. But if you dismiss them outright, you are condemning them for the rest of their lives.
Way to go fuckers.
Alas, the evidence of history is NOT on your side. Prior to the backlash from a CBS News story, the term "hacking" was indeed routinely used for the subset of hackish activity including subtle systems penetration and perversion. At that time, cracking was indeed a genuine (if largely frowned upon) subset of hacking.
The semantic distinction of "cracking" (systems penetration and perversion, whether subtle or as-now-usually-not) from "hacking" (in its many zen senses of the word) would be a useful one, had the computer community made it prior to exposure to the common parlance. We didn't. And thus this distinction can no longer be made usefully. (Feel free to argue with me if you want over whether or not this was a bigger lack of forethought than the 32 bit IP addressing scheme, as long as you're buying the beer while we argue.)
What we could arguably do is try and find a new catch phrase for the terms covered by the now-corrupted "hack". Of course, anyone who can spread that kind of agreement in the hacker community should be shipped to the Middle East immediately to settle the Arab/Israeli conflict-- they're wasted at whatever they're doing now.
//Information does not want to be free; it wants to breed.
I know who I wouldn't hire: the so-called security firm who only hires ignoramuses. Milquetoast moral crusaders don't get my dinero, nohow, noway.
I know I'm fighting a losing battle here, but sheesh, *I'm* a hacker, of course I'd hire me. Virus writers, OTOH, I don't think I'd want around me. Like spammers, I'm just afraid that they're just too evil for me.
"Mission Accomplished" -- George W. Bush May 1, 2003
As in "Last night I mugwumped your sister".
Why on earth should we assume that someone who can break security has the slightest knowledge of how to fix security? I can break regular glass with a rock, but have no clue how to make shatter-proof glass.
Keeping to computer security: Say a particular system has 5000 current, undiscovered ways of being broken into (or just broken). Breaking into it requires finding one of them. But you have to find 2500 of them just to have a 50% chance of finding the one the hack.. err... cracker finds. If a typical passably decent hacker can find 5 holes, he'd have over a 95% chance of finding one of the ones the security team, that found 2500, missed.
Yes, I wouldn't hire a computer criminal because of his ethical problems. I also wouldn't hire him because if he actually thinks that breaking into a system makes him qualified to work securing systems, he clearly knows nothing about securing systems.
This guy's a criminal and maybe the only reason Slashdot readers are not calling him that is because the only other geeks that make the news are not really geeks, but businessmen running geek companies. A better analogy is a terrorist that set off a bomb that happened not to kill anyone or one of the accountants cooking the books at Enron. This job should go to the high school kid that wrote a killer app for homeless shelters, but then again, he didn't make the news.
Ultimately it depends on the individual, the fact they admit they write such programs is a good start on learning something about them, but a virus maker still has malicious intent, even if it is just to make a bsod pop up on april fools day. Okay so no one would hire him now, what about 10 years down the road, he'd be in his late twenties, do you assume that with all of his skill and newfound maturity he is a good hire? or perhaps even more of a liability.
Like the saying goes, never underestimate the bandwidth of a station wagon full of tapes. -Pyrotic
...hiring a cracker to put down Whitey?
1. Debate whether or not to hire $VERY_FAMOUS_H4X0R to attract media attention.
2. Say "No, we value our trustworthiness too much"
3. Profit!
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
It's more like hiring the Hells Angels to provide security at your concert. That being said, it still doesn't sound like the best idea.
20 years ago? Sure. Back then you had to have a clue to be a hacker. Even a cracker. Today? God no. "Hackers" these days are typically teenaged punks that at their noblest, are out for notoriety in much the same fashion that taggers are. At their worst (and this includes the majority of them now) they're working for (or are) spammers, scammers, and the Mob. This gives me an incentive to either beat the crap out of them on the spot or make them homeless, depending on how cruel I feel at the moment.
That and most of them don't have the skill to build anything real.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Then why doesn't MS do it? You make it sound like a walk in a park. If it's really that fucking easy to write a virus, it ought to be that easy to fix the vulnerability exploiting it. Part of intelligence is standing on the shoulders of others and not reinventing the wheel.
I think you have trouble distinguishing between knowledge and wisdom. From a purely phenomenological view (just looking at the consequences of actions), someone who writes a widespread virus has a very good chance of becoming hired at a security firm right now. No one ever gave a convicted assaulter a kindergarten job.
-- Political fascism requires a Fuhrer.
Umm... Wouldn't it be more like hiring serial-killing doctor Harold Shipman to KILL your ailing and aged mother ?
Time travel is possible. We are quickly heading for 1984.
I believe your spelling speaks for your intelligence quotient.
I'm a big believer in second chances and turning over leaves, but we are talking about a person who has demonstrated a weakness of moral fiber.
Whether or not the individual is good(skillwise) or not is irrelevant. What is relevant is how one goes about redeeming themselves in the eyes of the community.
I suppose it comes down to your company's comfort level. It is a lot like the transition homes where families take in young ex-criminals to help give them a second chance. Sometimes, you honestly see great things come from second chances. Other times, you get a family who is robbed by the one they entrusted.
It doesn't take a rocket scientist to write a replicating piece of code. It doesn't take a lot of brains to take an existing one and modify it either.
Which brings one to wonder why hire someone who's only done these things?
The only apparent benefit is to use him to get at other virii writers through association online and by monitoring his access and communications. By hiring him, they increase his profile and will likely draw the attention of script kiddies who will get caught by the firm.
Otherwise, such a hire only risks stock prices and makes the company liable for future damages.
It seems like a Bad Idea to hire him right away, but it is unfair to assume that people never change. Maybe in a few years, if he gains some maturity, he could be trusted and could provide some important insights about security.
@11 j00 p30P13z @r3 \/\/33/ @zz pu$$i3z...!!!!111!!! i+ i$ i \/\/h0 iz +h3 13++3z+ h@x0r 0N +h3 p1@N3+!!11!! i /N0\/\/ @11 0f j00 iPz @Nd @Md g0iNgz +0 piNgz j00 @11
\/\/i+h my m3 n3\/\/3$+ 0-d@y xP10i+
f3@r!!!!111!!!!
OMFGBBQ!!!
Would I hire a hacker? The answer is absolutely; hire someone who learns on their own without some instructor holding their hand.
Hackers have the best problem solving, and deductive reasoning skills of anyone in the IT industry not to mention attention to detail. One could only be so lucky to have one on staff (and you probably do).
Don't get me wrong, there are definitely malicious hackers (crackers) who find joy in compromising, stealing, and destroying systems and networks, but to be honest, most of them do not get caught, and if they do, one needs to wonder, how good are they anyway if they got caught.
Skills are a small portion of the issues here. Police don't hire criminals. Criminals clearly have the skills, but the problem of police departments is not as much finding the criminals, but managing the cops. That's why you have the incredibly strong culture of anti-criminal behavior amongst police officers. That way, the cops tend to want to seek out criminals and bust them. Thinking about hackers, the mission of getting one over on the man is inherently different from hating and seeking out the bad guys.
Hire myself.
-- "You can lead a yak to water, but you can't teach an old dog to make a silk purse out of a pig in a poke" - Opus
Here we have the morally righteous leading the charge against hiring hackers who've engaged in criminal activities in the past because they can't ever be trusted again; and yet these same folks keep voting in Congressmen who themselves have criminal records, ranging from DUIs to bribery to racketeering to assault to spousal abuse to sexual misconduct with minors.
So I guess the message here is that you can't afford to compromise when it comes to hiring IT staff, but you don't have to be nearly as selective when voting in members of the legislative branch of your government.
This'd be funny if it weren't so pathetic.
(You can google the criminal records of your Congressmen rather easily on your own, so there's no need for a link - do it yourself. You may find the results enlightening. Or not. This is slashdot, after all.)
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
You should probably add to your definition there a part about the person calling you a hacker actually knowing what the hell they're talking about... because by your current wording, I'd be a hacker. I'm not. My boss occasionally refers to me as "hacker" at work (other choice nicknames are "Dell", "Pentium", and "Bum-bum-bum-bum!" which is supposed to be the chimes from the Intel commercials. He tried to call me "Compaq" one time but I gave him a dirty look so he doesn't do that anymore).
:D
My hacking skills that impressed him so? Tracking down a missing document on the company network (thanks to my amazing ability to press 'ctrl+f') so we could copy it to a floppy disc for safekeeping.
Last month I taught him to say "leet" (1337). I was so proud!
My company did exactly that.
Many years ago I worked for GCHQ, the British equivalent, with a Top Secret ("codeword") security clearance. During the interviews and vetting process I admitted to hacking into my school network on several occasions.
The interviewer, far from being concerned, started to discuss the methods I had used and tested me for possibilities I had possibly overlooked.
Needless to say I got the job.
Who here thinks that they have the knowledge to do what he did?
I believe a large proportion of the readership here would claim to have some coding ability, maybe have programmed some big complex products, but who knows where the weaknesses are, what routines are going to lead to security holes and exploits.
who took hacking/cracking 101?
someone mentioned 5000 exploits and maybe being able to close down half of them, Isn't the focus of most software projects to achieve the desired result.
the vulnerabilities left in software are from minds focused on achieving that result.
I would think his unique viewpoint on code is perhaps a valuable asset. Showing the main coding staff where their code is weak could be a valuable learning experience for them.
maybe some of the white hats are afraid that someone like him could show how poor their coding practices are?
of course his exploit may not have been hard to implement and he might have been following a recipe, I don't know him or the skill needed to achieve what he did.
hopefully the person hiring him does
have you been on that side of the gun?
.... i can tell you now that SOME of these convicted hackers DO feel remorse... and when they are up front with you it's for a reason.... because they feel it's time they can be honest about their mistakes and move on...
.... the risk may seem worth your time.... but in the end the consequences aren't... and the impact it has on everyone around you isn't.
.. regardless of the knowledge i've obtained.
let me say it's not pretty at all... believe me - here in the US hackers do get what's coming to them. I've seen it happen..
once you're busted you lose everything: your respect, the respect of family, friends and co-workers. You lose your job you lose your self respect and everything you treasure is taken away....by fbi, lawyers, judges..
now i sit here and read this
i've had the door slammed on me quite a few times because of my record.... and three years later i'm still unemployed and others i know are in the same position....
what i did was when i was much younger.... and at this point... It's so discouraging to know that.... there's no more future for me in what i found passionate originally. and i regret what i did...
i'm slowly realizing that... a second chance is very rare and that if given the opportunity i'd do anything for it.
and what i can tell younger generation of "hackers" or "crackers" (whichever you prefer)
i'm not much older than i was... but i feel in the last three 1/2 years of being a "convicted" i've matured +10 years..
there's plenty of ways to "test your limits" like the many many wargames (programming challenges) out there (pulltheplug.com is one).
in conclusion... i dont think i'll ever stop regretting what i've done
- arc
Send the logs via broadcast UDP on the local network, have a machine with its transmitter disabled that merely collects and saves the broadcast UDP data that it sees. If you are double paranoid print the saved data to hardcopy at regular intervals (not via dot-matrix, consider a laser printer).
Hard to find the logger, even harder to crack into it. Doesn't require a genius to build.
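The receive-only log collector described in the comment above, sketched as an added example that is not part of the original post. The port number, function names and record format are assumptions made for illustration; the collector only ever calls `recvfrom()`, which is the software counterpart of the disabled transmitter.

```python
import socket
import time

BROADCAST_ADDR = "255.255.255.255"  # assumption: limited broadcast on the local segment
LOG_PORT = 5514                     # assumption: arbitrary unprivileged port


def open_sender():
    """UDP socket that is allowed to send to a broadcast address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    return s


def send_log(sock, host, message, dest=(BROADCAST_ADDR, LOG_PORT)):
    """Fire-and-forget one log line; the sender never learns who is listening."""
    line = f"{time.strftime('%Y-%m-%dT%H:%M:%S')} {host} {message}"
    sock.sendto(line.encode("utf-8"), dest)
    return line


def open_collector(bind_addr="", port=LOG_PORT):
    """Socket for the passive logger: bound for receiving, never used to send."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_addr, port))
    return s


def collect(sock, out_path, max_datagrams, timeout=2.0):
    """Append up to max_datagrams received lines to out_path (append-only).

    Each record is prefixed with the observed source IP, and embedded
    newlines are escaped so one datagram cannot forge extra log records.
    """
    sock.settimeout(timeout)
    stored = []
    with open(out_path, "ab") as out:
        for _ in range(max_datagrams):
            try:
                data, (src_ip, _src_port) = sock.recvfrom(65535)
            except socket.timeout:
                break
            record = src_ip.encode("ascii") + b" " + data.replace(b"\n", b"\\n") + b"\n"
            out.write(record)
            out.flush()  # keep the on-disk copy current if the box loses power
            stored.append(record)
    return stored


if __name__ == "__main__":
    # Loopback demonstration with constructed sample messages.
    collector = open_collector("127.0.0.1", 0)
    dest = ("127.0.0.1", collector.getsockname()[1])
    sender = open_sender()
    send_log(sender, "web01", "sshd: failed password for root", dest)
    send_log(sender, "web01", "sudo: session opened for user admin", dest)
    for rec in collect(collector, "collected.log", max_datagrams=2):
        print(rec.decode("utf-8"), end="")
```

UDP gives no delivery guarantee and the source address in a datagram can be spoofed, so the collected file is a tamper-resistant second copy rather than an authenticated record. A receive-only socket also does not stop the operating system from answering ARP or ICMP; that is what disabling the transmitter in hardware adds.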
We allow teenagers to drive. Depending on country, state, whatnot, as early as 16 years old. And we basically trust them to have enough judgment to not start running people over for fun.
_Also_ most countries conscript people at 18 years old. And then trust them to stand guard with an assault rifle and live ammo. Some long hours alone at night, just you and your rifle. And some of those bases are right in the middle of cities. (A lot of Eastern Europe sports small military compounds right in the middle of cities, for example.)
And we trust them to not start shooting people with that assault rifle when they get bored. And make no mistake, standing around for 3 hours at night alone, with nothing to do and no one to talk to, is the apex of boring. It's so fucking boring that it feels like your head will explode.
We also allow teenagers in less spectacular jobs, such as fast food jobs. And you trust that they'll be smart and responsible enough to not put some poison in that food just because they're bored.
You also allow teenagers who are just discovering that they have hormones to go to school together, and trust that they won't start raping each other.
Etc.
The fact is: every day your life may well depend on the fact that 99.9999% of teenagers _are_ capable of judging consequences.
So spare me the rhetoric. Those who do choose to be a criminal asshole are just that: criminals. No more, no less, no excuses.
A polar bear is a cartesian bear after a coordinate transform.
This discussion has given me an idea for a new design of machine. Never mind, I'll see ywall when ahm back from the Patent Office.
Anyone still consider history remotely relevant?
The life of Wyatt Earp was certainly not restricted to following the police rulebook, and he took part in a number of morally dubious activities.
welcome our newly employed race of script kiddies!
Having trouble finding a job? Write a virus- the jobs will come to you.
How about 'hacker' meaning what you think it means, and 'criminal' meaning what it means? That said, I'd jump at the chance to hire a hacker, but I'd keep criminals at arms' length.
Carthago delenda est!
a buddy of mine who once cracked loads of copy-protections like "Cdilla, safedisk, Securom etc." (for Echelon and others) now works for SONY developing Copy Protections. :)
He wouldn't even need to disclose anything of the new tech to the scene, because it would just render the cracker's efforts lame(lower the prestige for success).
Cracking (software) and hacking (into networks) is a nice way to spend their free time for our youth. (if they are "nice" hackers who don't intentionally break or delete stuff on the servers they hack into)
currently too many kids are wasting their time with getting fat at their fav. Junk-food Seller, downloading stupid mobile-ring-tones and other senseless crap.
it's been discussed certainly 100 times and more. Here's the definitions the scene goes by :)
:)
hacking : breaking on some (remote) system.
cracking: break (copy and trial) protections.
I know that lots of folks like to call their coding "hacking" but they probably just like the evil sound of that word and got wet fantasies about it. they really are just "coders". call them "code monkeys" or whatever, but not hackers
coding is my favourite of those three things, 'cause it's the most creative (imho) of them. but i hate people call themselves 'hackers', even when they are brilliant coders.
and please don't mention any lame-ass jargon dictionaries now, or i petition to rename "cracking software" into sucking. (or something)
It would depend on the hacker. Not all hackers are the same, you know. This question is as inane as "Would you hire a gamer?", or "Would you hire a model plane builder?".
You'd have to interview him, see why he did whatever he did, how successful he was at it, would he do it again...
Then again, a virus kiddie is not a hacker, so in this case, the question is academic.
Your recruiter was probably right. When I was going through US Army Intel school one of my classmates listed on her application:
She got her clearance before the training was over. It's when you don't tell them things and they find out about them during the investigation that they deny your clearance.
I've even heard that they'll give you a chance to fess up after they find stuff ("derogatory information") on you. My recruiter told me about a guy who had forged several checks, ranging in value from $10 to $1,500, but hadn't reported them on his application. They brought him in and asked if he'd ever bounced a check, and let him deny it before pulling out the $10 check as evidence. They then asked if he'd ever bounced any other checks, which he denied until they pulled out the next check. Lather, rinse, repeat all the way through $1,500 to an airlines company.
Needless to say, he didn't get a clearance. It's all about trust; if they can't trust you to tell them the truth, then you're worthless to any sort of Intelligence(TM)-based security program. And, if they already know everything you've done wrong, you can't be blackmailed with it!
Travel the Galaxy! Meet fascinating life forms...
I think in this case, you pretty much have to use your best judgement when hiring a former hacker/cracker/script kiddie...
Many people can and do change, and it's insane to judge someone on their past actions. Otherwise, why don't you just judge them on their behavior as a 4 year old. If you're going to choose to judge them on their behavior at 18 or 19 then that is a judgement placed by you for no apparent reason. If the kid learns a shitload of life lessons (the easy or the hard way) then he/she could be a (relatively) different person by the time they are 22. Everyone makes mistakes, but nobody does wrong. Everyone does right based on their view of the world at the time of said act. So the kid has learned some lessons (maybe), that's good, now give him a chance. If he hasn't learned and he fucks up, kick him out until he learns and then let him have another stab at it.
I used to hack into things on a regular basis many years ago, and no, I have never been caught. That is either because I am really good, or because the admins are very poor at what they do (perhaps a bit of both). I am now an admin for an ISP and my boss trusts me. I have never done anything to betray that trust either openly or in secret, so I personally can say that one can go from being bad ass hacker type to a perfectly professional security analyst/sysadmin/whatever
Past is past (as in, not relevant now). If everyone judged everyone else on past actions, we really wouldn't be anywhere today because everyone could pick one action that they didn't like about someone else to use that as an excuse not to include/hire/like/whatever that person. Just remember - when you judge someone on a past action, you better take the WHOLE picture into consideration (up to the present) or you are just selecting a specific event in time and judging someone's whole life (worth) based on one action without understanding the circumstances on how that action came to be. Best not to judge, but to BE.
You create your own reality - Leave mine to me.
yes.. or A thief to work security. or making a known cheater a TA in your class. worst analogy ever
The Wolfkin
Ozzy once complained along the lines of "Just _once_ you bite the head off a live bat on stage and nobody _ever_ stops ragging you about it."
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Or Southern-American. A dumb Yankee can be just as dumb, but you've got to be Southern to be a "cracker".
If it's somebody who just tourists around other people's systems, or uses them as a springboard to get to other places, then maybe, if he's got Redeeming Social Value and useful skills and personality, I'd consider him.
No.
1) They got caught.
2) Most (h|cr)ackers "grow up" (ie. get to a certain state where they don't feel the need to be destructive). These people - a lot of the time - end up in security anyway. Of course, by this time, their experiences and knowledge have increased ten fold and are therefore much more useful to a security company.