Would You Hire A Hacker?
theodp writes "A German security company has divided opinion in the IT industry by offering a job to the teen charged with creating Sasser. Silicon.com asks its CIO Jury: Would you hire a hacker? and finds the jury split down the middle, with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother."
It'd be more like hiring a doctor who was convicted of illegal cloning experiments to work on alternatives to organ transplants.
doing so would be like hiring serial-killing doctor
Well, if he's good with a knife..
Honestly though, if a hacker has paid his debt to society and now wants to help businesses prevent what he was doing (Kevin Mitnick), why not let them? Having the most knowledgeable person for the job might just save you from being hacked by someone else--as long as you can trust the person.
What a loaded question?
Would I hire a worm-writing kid? No.
Would I hire a gray-hat security genius? Absolutely.
A security company might benefit from his experience, or even just the marketing angle "the best hackers work for us!"
In the field I'm in, he'd be a liability. We do government stuff, relating to law enforcement, and while we're not a bunch of angels, we don't want any skeletons in our closet either.
I don't need no instructions to know how to rock!!!!
Yeah, I don't think this kid is all too bright compared to a lot of other hackers. I mean, for one, he got caught.
hacker != coder and certainly != developer.
But if you need someone to tinker with your system and find its faults...
I'd think of a "hacker" as a "QA tester".
I tend to think that just because someone creates a virus that happens to work well, and causes massive amounts of destruction isn't a horrible person at heart.
I think if you've ever done any amount of programming, you've been there before, little mental masturbations of doing bad things to people to clever programming.
This is like refusing to hire someone because they got a speeding ticket, or downloaded music off of the internet.
Note: I'm not saying that this chump is the best programmer around, I'm sure he's not. But if he's a great man for the job and can think of things that you and I won't, then I'm on.
Berto
There are PLENTY of information security white hats that are just as talented, if not more talented, than the black hats. If we are truly talking about hiring a "black hat cracker". Even if they were exceptionally skilled it would depend on the individual.
:)
They committed a computer crime. That is a liability, not an asset. All in all their benefits as a skilled IT professional would have to outweigh their liabilities (being busted for a computer crime). It is a factor that goes into the equation. I would say that in most cases it would be enough to lean me towards not hiring them. I think it's a pretty serious thing to hack someone else's system. There are PLENTY of ways to make a name for yourself in a white hat way. Writing papers, studying info sec and staying on top of the field and becoming a noted voice in the communities is one. Ultimately if you need negative publicity to be known (and/or hired) you're just being lazy.
Jeremy
I can see three potential problems with this.
1) The possibility that this might motivate other crackers to unleash the next big worm to find a job.
2) What about the poor shmuck that does nothing wrong and gets passed up for a job.
3) Say you hire him and he goes back to his old ways. Wouldn't you be somewhat liable for damages caused to your clients?
As I said potential and possibly extreme situations.
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
The FBI hired Frank Abagnale Jr. as a counterfeit specialist and it turned out to be a good thing. Why? Because he was just a freaking teenage KID that happened to be misguided through lack of maturity. If this teen hacker was given a little direction and purpose with his life then he could steer everything completely around.
I can't believe that comment about hiring him being similar to hiring a serial killer as a doctor. The director that spoke that comment is an idiot.
I think I would look at what type of hacker they are.
Is it someone who knows systems inside and out and enjoys toying with them? Then definitely yes.
Is it a script kiddie who just took someone else's work and capitalized on it? Definitely not.
The issue is not about elitism, it's about attitude, someone who has gone to the effort to learn something and apply it is in a whole different world than someone who is so socially mal-adjusted they feel the need to tweak the latest worm to say "I RULEZ" and sends it back out.
Never underestimate the power of human stupidity -RAH
Hackers create, crackers destroy.
And while you are busy trying to make this assertion to a hiring manager, somebody else who doesn't deal with pedantic stuff like "hacker vs cracker" is taking your job.
I don't respond to AC's.
Would I hire an extortionist to be my accountant?
Would I hire a thief to manage my inventory?
Would I hire a sadist to manage my HR (Catbert obviously excluded)?
Would I hire a sex offender to babysit my children?
No.
Yes, they did pay their debt to society/do their time. I might hire them to do other things away from their area of conviction, but I'm not going to dangle temptation in front of their face. Does that seem like just straight common sense to anyone but me?
some sites suggest, like providing security etc.
hacker=harmful.
cracker=has the skills like hacker but uses them for good purpose
It's not my opinion, but what I have seen in websites.
but try hard enough and he might just turn his life around
I dislike the implication that his life needs to be "turned around." The kid made some dumb decisions about how to use his intelligence; I hardly think that makes him a terrible person. Correct me if I'm wrong but I don't think he tried to rob a bank or gain in any other way except for, perhaps, recognition.
bad decision != bad person.
Would I hire com Adrian Lamo? Yeah.
It depends a lot on the intent of the attack and what was done once it was successful. Also on the personal morals of the individual.
I do security
If a hacker gets caught, doesn't have to mean he isn't bright. E.g.: Mitnick. He is the role model for many.
Do you really want to blame the victim, because of what OS they used? Think through your argument. If you got mugged, should someone be able to tell the cops "well, look at him, not too strong... it's his fault for being such an easy target".
As for hiring him, I think my answer would be "maybe". I certainly wouldn't hire him because of his transgressions, but rather despite them. Basically, everyone should be entitled to a second chance.
People stay the same, do the same things. Very few people change who they are. They might change jobs, hairstyles; but they don't change their value system. If you hired this person, and six months later were held hostage because he wrote some backdoor, then that would be a problem for you. Now if you hired him to work where people used credit cards or data, you could be liable for hiring someone like that. It is like hiring a convicted pedophile to watch a second grade class.
Come and say hi. http://forum.penpals.com/index.php
I read a couple of articles on this case by the time it hit /. So here is what I have to say.
First, I think that this kid has been punished pretty severely already. His *dad* got fired over it, and he has received his share of death threats. This is not something you can just take lightly, especially when one's actions affect those close to the perpetrator. BTW I do think that firing the guy's dad is a little severe. Indeed these actions were what motivated the German security firm to offer a job to the kid.
Secondly, the comparison to the serial-killing doctor is quite misguided. In this case, it is more like hiring the serial-killing doctor as a pathologist. He *might* make a really good pathologist. But there are no guarantees.
Finally, at least in the US, our legal system recognizes that teenagers are not as capable of considering consequences of their actions as adults, and there are some scientific studies which have been published in the last few years that may provide a solid scientific case for challenging those states which allow the death penalty for individuals under the age of 18 who commit capital crimes. If you say that "we will never allow anyone in this field to ever hire a teenager who commits this crime" then you are placing, IMO, unbalanced consequences for the misguided and even criminal actions of such individuals.
LedgerSMB: Open source Accounting/ERP
Completely agreed. The meaning of words is determined by their use and context, and sadly, "hacker" is one of those words that has taken a negative context in the eye of the greater public...
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
A hack is never malicious.
Sometimes a crack isn't malicious, but that is an entirely different, and illegal thing.
Exactly, I completely agree with you on this one.
It's one thing to create an exploit, i.e. to research a given application, look for bugs, and exploit them on your own.
But it's a completely different thing, to use an exploit for an already documented vulnerability.
I doubt his "skills" are any better than an average programmer.
Furthermore, he has proved that he used his average skills for "evil".
What good is there to be said about this kind' a guy?
Sigs are for the weak.
Security is all about trust. Would you trust software written by an ex-virus writer? Or would you use the software recommended by your local guru?
Actually, I wish more victims would take responsibility for some of their actions. If somebody leaves the door to their house wide open, or if they decided to go jogging in the nude in NY Central Park, Or downtown Dallas, do you really think that the victim shares no blame if they are mugged or raped?
Likewise, if somebody is behind a wheel drunk, they are stopped at a sign, and somebody plows into them, do they share part of the blame by being foolish enough to drive drunk? It is possible that had they not been drunk that they would have seen the car coming and gotten out of the way.
I prefer the "u" in honour as it seems to be missing these days.
Secondly, all you hackers-aren't-crackers posters should be modded "-1, Tilting at Windmills." If you want to waste time debating semantics, you've obviously got no message worth anyone's time.
The most important trait for an employee is ability to work well with others. Very few things are solo-genius creations, and those that are, fit better in startups than established corporations. I'd be more inclined to invest my personal money as VC to a hacker-run startup than I would be to bet it that a particular hacker would thrive in a Fortune 100 environment.
The next most important thing is the ability to follow a documentable and repeatable process. Hacking for yourself is fun, because it only ever requires you to poke and prod based on your own intuition. When you're anti-hacking, you don't get the same luxury: you have to cover/examine/harden whole systems. Think of the hackers as the Blitzkrieg, and the anti-hackers as the Maginot Line: the odds are stacked against the defenders.
Thirdly, degrees and certifications (which typically have ethics requirements which preclude ex-hackers) really matter in a corporate environment... Not if your hacking is successful, but to help assure that UNsuccessful hacking means something. That is, if we couldn't get in, we expect it's pretty secure.
And, lastly, it's about the liability. All self-righteous nonsense about giving people second-chances aside, those who have committed crimes in the past are more likely to commit them in the future.
Bottom line? It's far easier to take a hard-working system administrator and make her into a good hacker than it is to take a computer criminal and make him into someone who fits in a corporate environment.
if you could create a machine that he didn't have skills to crack... why would you need to hire him in the first place?
2 1337 4 u!
It doesn't necessarily prove any talent at all.
It proves they go to their favorite hacker website, download some proof of concept code, and wrap some VBScript around it.
I wouldn't call Sasser a work of genius, but a work of pure assholery. He didn't invent something, or do it to prove a point. The point was proven, the exploit was known. He did it to be a 1337 h4x0r.
I think the fact that these teens exist is a result of their own stupidity. Guess what, you want to commit crimes for attention, it just might fuck your entire life up.
Try and get a job in retail with a shoplifting conviction. Try and get a job as a kindergarten teacher with an assault conviction. Try and get anywhere in politics with virtually any conviction greater than a traffic violation.
Boo hoo for teens too stupid to realize actions have consequences, sometimes life long consequences. And I'm sick of people blaming "the education system" or "society".
This kid was mentally developed enough to know what he was doing was wrong, and did it anyways. He's lucky to be offered a job doing anything more technical than digging holes in the dirt.
I don't need no instructions to know how to rock!!!!
If a company's entire basis is the fact that their employees do not (or did not, if truly grey hat...) have integrity, they're sunk before they leave dock.
In the same breath, I will just state what I have seen someone else on /. state, and I found humorous: black hats are good hackers, white hats are good fakers, and grey hats are good liars.
Linux: The world's best text-adventure game.
That'd be nice if you have the manpower or spare time to babysit all your employees.
I don't and nor does anyone in this office, if there's any question of trust around here, you're out on your ass.
I don't need no instructions to know how to rock!!!!
Mitnick lacked the wisdom not to crack into other people's systems, despite knowing he'd be caught. He's stupid in that sense.
Anyone who is worth his salt as a coder/geek has done some questionable things before. The question is whether or not they got caught. You can be sure there are people working at major tech companies already who have done some questionable things. Only they weren't caught. If you can trust a person and they're good, hire them. Chances are you've already got someone working for you who has broken the law only you don't know it.
The Information Revolution will be fought on the command line.
A Windows crackmaster may not have the skills to crack an OS/2 box, a BeOS box, or even a Linux box.
Cracking skills come with some degree of specialization. You hired the guy to audit your Windows workstations, not your UNIX-clone servers.
I'm sorry, but at least the person you didn't make an offer to was willing to come forth about it, let people know that he found that sort of behavior acceptable, and give a chance to lay down a set of rules that are perhaps more fitting to his particular morals. He was decent enough to give that opportunity.
I wonder how many people you've worked with have ever done the same things as this individual but haven't owned up to it. I wonder if anybody you've worked with monitored mail for their own amusement and just never set off warning flags during the interview process.
It's one thing to catch somebody doing something after giving them a chance (because of not being told about certain behaviors or not). It's another entirely to deny them a chance after they're trying to be out in the open with you.
Why would a spy come out and say they're a spy? It sets off alarms and unless you're just that damn good, blows any future chance of spying you have. Why would a cracker come out and declare they're a cracker unless they're willing to change their tune while on the job? I guess, unless you're looking for feints within feints.
If not now, when?
Why should computer criminals be called "Crackers"? What have they done to deserve their own special descriptor? Nothing constructive. Computer criminals should be labeled as criminals with the nearest normally-applying label. If you break into a machine without proper authorization and make off with private or sensitive data, that probably falls under some existing laws against espionage. Same applies to any computer crime. If there is no pre-existing label for the crime, why not? Is it something that can only be done with computers? If so then is it actually a crime? And if it is, label it and apply the proper label to those who perpetrate the act.
Wow that was incoherent of me.
I believe his actions speak for the quality of his character.
Why *wouldn't* you hire him? He isn't really a "black hat" or "cracker", since he isn't technically a hacker... but his programming skills must be pretty good in order to code such a deadly virus (or was it technically a worm?). I'd hire him as a programmer, but definitely not as a network security guy. Just because he can write an exploit into his own code doesn't make him a security pro. It's really not that hard, unfortunately.
- Code Dark
Hmmm... clearly if this kid has any brains he would know that he is under scrutiny. So what's he going to do? Spend all day looking for where the logs are kept and trying to get into the machine that stores them. It would be trivial to find out which machine is storing them because a connection has to be opened to his computer at some point and not only that since the logs would be generated on the machine and downloaded, assuming there wasn't a persistent connection for continual download which would also be blatantly obvious, the log file itself would be the perfect vector for malicious code.
For most crackers it is the thrill of defeating someone in power that gets them going. Trying to control him would only encourage him. No, if you can't trust him, then don't hire him, and someone that consistently has moral lapses is clearly not trustworthy.
You're an idiot.
You would also need a hell of a lot of dot matrix printer paper. And ink-tape cartridges (not sure if that is what they were called).
Ceterum censeo Microsoftem esse delendam
Excuse me fellas... Kevin Mitnick was a hacker/cracker. By saying because he is a criminal and you wouldn't hire him... I pose another question... would you hire Kevin Mitnick? How about Steve Wozniak (I know he wasn't a cracker... not that we know anyways)? True he is definitely not as skilled as Mr. Mitnick (whom I have tremendous amounts of respect for) but this kid definitely has got some skills. I would definitely hire him.
Nope. Why? Because hiding the fact means that he knows what he did was wrong. Because he admits to it in an interview, it's a sign he doesn't view it as wrong. I don't care if he likes pornography, but if he brings it up in an interview, that's a sign he has trouble with determining appropriateness (is that a word?).
It's not about giving him a chance to mend his ways, it's about the ability to determine where the lines are. I know some of my staff might do this sort of thing, I know some have done this sort of thing. I've made some really dumb hiring decisions, allowed people who were drunk to drive for my company because I trusted my staff would say something and I didn't think it was necessary. Now, would you allow somebody with DUI on their record to drive for you? Would you waste time administering breathalyzers every 4 hours?
You are in a maze of twisted little posts, all alike.
The IT Director who made the Shipman comparison should be fucking fired. Just what kind of values does a man have when he equates a mass murderer with a teenage computer virus writer? My god, the kid is exactly that, a kid! He isn't a violent drug crazed sociopath, he's doing what many kids do, i.e. messing around to see what he can do and how far he can go, with the exception that he got caught.
This kind of fanatic mentality, where a stupid fucking computer (or a song or movie on the internet) becomes more valuable than people's lives, is a sad testament to the state of our society.
You think I'm over the top? Why is it that people who download songs from the internet get punished harder than the executives of corrupt and failing corporations?
If you give someone a chance, after he or she has messed up, especially as a teen, they might or might not do something useful with their lives. But if you dismiss them outright, you are condemning them for the rest of their lives.
Way to go fuckers.
If it wasn't a job where theify things needed doing then I'd have to think about it. On one hand he could have kept mum about it. If it was something he was never caught doing prior I would be none the wiser. Maybe he's trying to start clean or stay on the right side of the lines, or just wants it all in the clear first. If the information is being provided in earnest and for my sake I wouldn't use it as a disqualifying point. You can bet he'd be watched if he got the job though.
On the other hand, if they're just trying to cover their bases so they don't get screwed over when their prior transgressions are uncovered, then I'm not so sure. In that instance the information isn't being cleared into the light for anybody's benefit but the thief's. This doesn't really seem to be the case for the post I originally replied to though.
As for crackers, there's a fine line between black and white hats, an internal state of morals and conduct. It isn't something one can directly observe since covering it up is possible. I wouldn't doubt there are black hats masquerading as white hats out there that are just good enough to never get caught. From that view, how does one tell the difference?
If not now, when?
I'm a big believer in second chances and turning over leaves, but we are talking about a person who has demonstrated a weakness of moral fiber.
Whether or not the individual is good(skillwise) or not is irrelevant. What is relevant is how one goes about redeeming themselves in the eyes of the community.
I suppose it comes down to your company's comfort level. It is a lot like the transition homes where families take in young ex-criminals to help give them a second chance. Sometimes, you honestly see great things come from second chances. Other times, you get a family who is robbed by the one they entrusted.
It doesn't take a rocket scientist to write a replicating piece of code. It doesn't take a lot of brains to take an existing one and modify it either.
Which brings one to wonder why hire someone who's only done these things?
The only apparent benefit is to use him to get at other virii writers through association online and by monitoring his access and communications. By hiring him, they increase his profile and will likely draw the attention of script kiddies who will get caught by the firm.
Otherwise, such a hire only risks stock prices and makes the company liable for future damages.
Would I hire a hacker? The answer is absolutely; hire someone who learns on their own without some instructor holding their hand.
Hackers have the best problem solving and deductive reasoning skills of anyone in the IT industry, not to mention attention to detail. One could only be so lucky to have one on staff (and you probably do).
Don't get me wrong, there are definitely malicious hackers (crackers) who find joy in compromising, stealing, and destroying systems and networks, but to be honest, most of them do not get caught, and if they do, one needs to wonder, how good are they anyway if they got caught.
Here we have the morally righteous leading the charge against hiring hackers who've engaged in criminal activities in the past because they can't ever be trusted again; and yet these same folks keep voting in Congressmen who themselves have criminal records, ranging from DUIs to bribery to racketeering to assault to spousal abuse to sexual misconduct with minors.
So I guess the message here is that you can't afford to compromise when it comes to hiring IT staff, but you don't have to be nearly as selective when voting in members of the legislative branch of your government.
This'd be funny if it weren't so pathetic.
(You can google the criminal records of your Congressmen rather easily on your own, so there's no need for a link - do it yourself. You may find the results enlightening. Or not. This is slashdot, after all.)
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Who here thinks that they have the knowledge to do what he did?
I believe a large proportion of the readership here would claim to have some coding ability, maybe have programmed some big complex products, but who knows where the weaknesses are, what routines are going to lead to security holes and exploits?
who took hacking/cracking 101?
Someone mentioned 5000 exploits and maybe being able to close down half of them. Isn't the focus of most software projects to achieve the desired result?
The vulnerabilities left in software are from minds focused on achieving that result.
I would think his unique viewpoint on code is perhaps a valuable asset. Showing the main coding staff where their code is weak could be a valuable learning experience for them.
Maybe some of the white hats are afraid that someone like him could show how poor their coding practices are?
Of course his exploit may not have been hard to implement and he might have been following a recipe; I don't know him or the skill needed to achieve what he did.
hopefully the person hiring him does