Slashdot Mirror


Would You Hire A Hacker?

theodp writes "A German security company has divided opinion in the IT industry by offering a job to the teen charged with creating Sasser. Silicon.com asks its CIO Jury: Would you hire a hacker? and finds the jury split down the middle, with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother."

31 of 466 comments

  1. Extreme comparisons by AKAImBatman · · Score: 4, Interesting

    [O]ne IT Director [said] doing so would be like hiring serial-killing doctor

    A little extreme on the allegories, aren't we? Virus writing is not exactly like taking out a knife and killing someone. (Although it may result in the shutdown of systems that support people's lives. I'd tend to blame this on the idiots who use Windows for those systems, though.)

    As for hiring him, I think my answer would be "maybe". I certainly wouldn't hire him because of his transgressions, but rather despite them. Basically, everyone should be entitled to a second chance. If this employer believes that the guy has a lot of talent and is repentant of his past deeds, then give him another shot! He'll have to try damn hard to remove the stigma from his deeds, but try hard enough and he might just turn his life around.

    1. Re:Extreme comparisons by epiphani · · Score: 4, Interesting

      A little extreme on the allegories, aren't we?

      Agreed. If we want to stick with the Doctor example, I would equate it more towards someone performing impressive medical research without a license. Or practicing medicine without a license.

      Most of these virus writers are teenagers with no formal education and no job prospects as a result. Writing something like this proves they're not only talented, but quite bored. Give them something positive to work on, and a paycheck to boot, and I'm sure good results will come of it.

      I think the fact that these teens exist is a result of the stupidity of the system to depend on education metrics to represent knowledge and value.

    2. Re:Extreme comparisons by einhverfr · · Score: 3, Interesting

      How, legally, could his father get fired over the actions of the son?

      I don't know how it is in Germany, and IANAL, so with that....

      Where I live (Washington State), we are an "at will" state regarding employment. In other words, the state makes no real restrictions regarding grounds for termination. In certain cases, discrimination laws may apply, I think. So I can't fire you because of your race but I can fire you because I think your brother is a loser.

      I can probably even fire everyone with the first name of "William" because I don't like Bill Gates... So....

      --

      LedgerSMB: Open source Accounting/ERP
    3. Re:Extreme comparisons by flycrg · · Score: 2, Interesting

      Another comparison would be the FBI hiring someone convicted of check fraud, as a teenager, to consult them in preventative measures. That would NEVER happen though...Oh what? They did? http://www.abagnale.com/aboutfrank.htm

  2. It's a question of morality. by drunkennewfiemidget · · Score: 1, Interesting

    I mean, sure, the people who create these things (usually) prove to be rather technically savvy people with a good knowledge of computers, but would you want someone on your payroll who obviously doesn't possess the ethics or morals not to be creating these damned viruses in the first place?

    I mean, what's next? Embezzlement? Not on my watch.

  3. Depends... by nordicfrost · · Score: 1, Interesting

    On, among other things, the definition of hacker. I talked to RMS (while he was in Oslo), on the subject of hacker vs. cracker. I would, no doubt, hire a hacker. I would have serious difficulties hiring a cracker. But, I would consider it. I might even hire two, both unaware of the other, to verify the work.

  4. I wouldn't hire one by alatesystems · · Score: 4, Interesting

    It might be nice while they're working for you, but if you piss them off (who hasn't been an employer and had an employee pissed off?) then they have inside knowledge about your company and the ability to hack.

    On the other hand, I wouldn't consider these VBS writers "hackers". They are just glorified script kiddies. Don't reward that behavior.

    Chris

    1. Re:I wouldn't hire one by rho · · Score: 3, Interesting
      The ability? No, lots of folks have the "ability". He's already demonstrated the will to do something he knew would be (or hoped would be, which is more or less the same thing) extremely destructive.

      The kid is a punk. He may always be a punk. Maybe some folks think it would be okay to hire him, but I bet most of the people who would give him a chance have never built a business themselves. When you've got this thing, this business that you've spent God knows how much time and effort building, why would you risk the whole thing by hiring a known punk? All the reasons I can think of--publicity, potential ability, altruism--fail the "will the baby eat tonight" test.

      Publicity? Why not hire a well-known porn star to pose for photographs and post them daily to your web site? You'd get publicity and traffic and less risk. Ability? There's gobs of similarly talented nerds out there. If Slashdot is to judge, there's a glut of CS majors who were fired by GW Bush the same day he was inaugurated. Altruism? Give to Greenpeace.

      The kid should be punted into a workhouse and made to do free tech support for the companies he harmed. Each company, in alphabetical order, until their damages have been paid back. I doubt he'd make it past the "B's" before croaking.

      (A side note: Slashdotters always say that owning a tool that could be used for illegal activity is fine, and people should only be prosecuted if they use the tools for actual illegal activity. You've probably heard the litany in any random YRO article. Well, here's a punk kid who broke the law--let's see some fucking prosecution, eh?)

      --
      Potato chips are a by-yourself food.
  5. My employer does... by Anonymous Coward · · Score: 1, Interesting


    .. I work for the Federal Government in a place with 3 letters (starting with N, ends with A...) you've all heard of.

    They put computers online in honeypot setups with obscure holes that only they know about. When someone hacks in they're basically told they have a job for life. That sounds like crap but it's how I got my job. Seriously.

    1. Re:My employer does... by SpyPlane · · Score: 5, Interesting

      All you script kiddies out there who are drooling, be warned that you probably wouldn't have a chance in hell of getting a TS/SCI security clearance.

      Move along, certainly nothing to see here. BTW I second the post that the Mods are gullible today. Of all days that I have no points.

      --
      "We need a fourth law of Robotics: Stop Fingering My Wife"
    2. Re:My employer does... by stratjakt · · Score: 2, Interesting

      You don't necessarily need TS/SCI to work for the NSA. Of course, not having it certainly limits how far you can go.

      Everyone on my wife's side of the family is some form of NSA spook. The grandparent article was pure horseshit, too.

      --
      I don't need no instructions to know how to rock!!!!
  6. If they know a lot, and want to learn, then why no by ShatteredDream · · Score: 2, Interesting

    If they want to learn more about their "trade" and the company that hires them properly handles all of the information it could then extract out of them, then whatever damage the kid could do would be mitigated by how much the security guys could learn. I for one say go for it, if the company that is going to hire this person knows what it's doing on collecting data about any and all work the cracker will be doing for them.

    Sometimes the best way to learn about your enemy really is to contain them and see how they think. Who knows, maybe the security guys could find out enough to actually get an insight into how to properly go about proactively handling security threats posed by worms?

  7. Hackers and Hiring by Archangel+Michael · · Score: 5, Interesting

    I think it would depend on the QUALITY of the hack. A poorly written hack that breaks out in the wild, that causes unintended results would prevent me from hiring said person.

    However, if the hack is an elegant piece of code, that does exactly and only what the author intended would be something I would consider.

    Originality also would count. The creative nature of the hack would also weigh in. This prevents script kiddies from modifying existing hacks from the "application" for the job.

    In other words, I would evaluate each hack and make judgements on the overall skill, novelty and execution of the hack, all skills needed for any programming job.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  8. Re:hacker? by Veridium · · Score: 2, Interesting

    That's exactly what I was thinking. OTOH, I don't know the details of Sasser or how much intelligence it took to write it, but the kid's only 18. I think giving him a shot to make legitimate money, provided he's got the smarts, is better than blacklisting him. We all make idiotic choices when we're younger, some of them have a greater impact than others. It's not like he's a serial killing doctor (that analogy was completely over the top).

    --
    Think for yourself, destroy your television.
  9. Make more worms? by nizo · · Score: 2, Interesting

    Not to play devil's advocate or anything, but if worm writers start getting high paying jobs (especially if they get lots of media coverage) wouldn't this encourage people to write more worms? Hey look, I can destroy all these machines, become famous, get stuck on probation, and get great job offers!

  10. Re:hacker? by MMaestro · · Score: 2, Interesting
    Better yet, hire both. Set up a closed network system of computers running your software, outside of your main computers, and let them both run insane. Have the worm-writing kid try to break/hack/destroy/erase/etc your software while gray-hat security genius tries to plug every hole, bug, and mistake in the software while fixing the problems worm-writing kid exploits.

    End result: Software is insanely optimized, thanks to worm-writing kid who has insight on the program so you KNOW he's gonna break it at least once a week. And gray-hat security genius doesn't get paid to sit around looking up pr0n on the company's T3 line. Obviously it doesn't mean EVERYTHING is fixed *cough*Windows*cough*, but it's better than releasing a full blown program only to have bug reporting coming in 6 hours before it's even officially released.

  11. No Way! by Anonymous Coward · · Score: 1, Interesting

    Maybe if the kid wrote a virus that infected Linux, but anyone can write a virus for MS computers.

  12. Nope. by captnitro · · Score: 5, Interesting

    Use of the term 'hacker' here is a misnomer. Would I hire someone who has a broad technical ability and excels in why things do and don't work? Absolutely. But allow me to go on a little old-man rant here (and hell, I'm in my 20s): viruses these days aren't what they used to be.

    In the 1980s-1990s, you could pick up a copy of 2600 and read the code for a relatively complicated polymorphing boot sector virus -- complicated because it took a good knowledge of assembler, specific system calls, the boot process on a PC, etc., among other things. With a few tweaks, it would be slow-incubating, but deadly.

    The internet has changed the way we deal with security, because no longer is the question "How clever is the virus?" so much as it is "How cautious is the user?" Example: the "Microsoft Office 2004 Beta" for Mac appeared on P2P networks a few months ago. When run, it deleted the contents of your user folder. Devastating, yes, but nothing I couldn't do myself without programming knowledge. So the 'virus' wasn't clever, tricky, or even unique in function, except for the method of delivery, which was social in nature -- not technical.

    The same applies to security holes in your OS. Whether the hole should be patched is another discussion, but taking the obvious routes through those holes to bring down computers isn't particularly noteworthy. If everyone at my office has VNC installed without a password, and I go delete their My Documents folder at noon today, am I a hacker? No. I'm just a prick.

    So when you ask, "would I hire a hacker?" Yes.

    But when you ask, "would I hire someone who creates/uses something annoying and not that special; requiring a moderate level of programming skill if at all; that relies on the user to activate it or a major security flaw in the OS?" Absolutely not. These kids' salaries should be going to sociologists who can better analyze group behavior, and real coders, not scr1pt k1dd13z.

  13. I would not hire a hacker by here4fun · · Score: 4, Interesting

    It is not about skill or knowledge, it is about "Can I trust this person?". If someone can write a virus, that might demonstrate good knowledge. Releasing the virus shows the person either did not think about the damage they would make, or worse, they did not care. I would not want someone like that in my company or organization. I happen to think those kinds of people belong in jail, because sooner or later they will do something as stupid as the common thug.

  14. Script Kiddie Sasser Author by Anonymous Coward · · Score: 1, Interesting

    Hire a script kiddie, maybe if I need my lawn mowed...and they had a pattern to try to copy.

  15. Reminds me of days gone by by Spackler · · Score: 2, Interesting

    Of course, none of us were alive to see this, but when medicine was just starting out, the best doctors employed grave robbers to get bodies on which to practice and learn. It was against the law, and against the church, but they needed a place to learn without killing people. Now, I guess the question I ask is, would you want a doctor who had never seen the inside of a person to be the one helping your dear old mother?

  16. Re:Mitnick by System.out.println() · · Score: 3, Interesting

    I would propose a third possibility:
    C) He did not predict the impact his actions would have.

    Consider how many viruses are written that never amount to anything - a few dozen infections, you get on the antivirus list, and no one cares about your virus anymore. (Have you seen the length of those virus definition lists?) Consider that, in all likelihood, the kid associated with people who had written lots of viruses like that - probably even authored some himself. What do you think he would perceive the odds of making a virus this impactful to be? About the same odds that setting off a firecracker would burn down a city block: yes, they should be charged with arson, but don't assume that they meant to set it all on fire. They were just bored and wanted to see a few sparks.

  17. Re:Amen! by fitten · · Score: 3, Interesting

    Lots of us have been calling ourselves hackers for years,

    The "hacker code" that I grew up by was: "Hacker" is sort of an honorific. You can't call yourself a hacker. Others have to call you a hacker. If you call yourself a hacker, you almost assuredly aren't one.

  18. We've hired a couple of hackers. Worked out well. by uncoolcentral · · Score: 2, Interesting
    We have no problem hiring hackers. We've hired two in the past several years.

    The first perp had an account with a different ISP. He found several big holes in their security and alerted them of the problem. The ISP revoked his account as a reward. We found out about it, and gave him a job. He was 16 at the time and stayed with us well into adulthood while he went to college.

    The second perp, who still works for us, was asked to perform a security check by his employer. He found holes, presented his findings, (including the dirt he dug,) and was brought up on charges for "Exceeding mandate" or something along those lines. We hired him. He's great.

    Regardless, hacker jerks regularly hack away at our walls. I wish we had jobs for all of them! My vote? Hire them.

  19. IT Missed the point entirely ... by Anonymous Coward · · Score: 1, Interesting

    You DO hire hackers to catch hackers, that is - you do if you want to catch/stop them. Big surprise for the naive IT Director would be the mindset of the average cop, which is not so different from the average criminal (usually just smarter).

    Cops and criminals think a lot alike, they just make different choices. Hackers and hacker-catchers must also think a lot alike, ie - where is the weakness in this? how does this work? I wonder if you could do this? People who don't naturally think along these lines find it very difficult to out-think those who do.

  20. Re:No, no, no! by sunjin · · Score: 5, Interesting

    An important point to consider is that by hiring him you are sending a message to others that cracking is a good way to get a job. Do we really want a bunch of script kiddies trying to make a name for themselves thinking it will turn into a career?

  21. Good Hacker Hiring FAQ by Billy+Donahue · · Score: 2, Interesting
    --
    -- The Funk, The Whole Funk, And Nothing But The Funk
  22. Why is he qualified? by MacGabhain · · Score: 3, Interesting

    Why on earth should we assume that someone who can break security has the slightest knowledge of how to fix security? I can break regular glass with a rock, but have no clue how to make shatter-proof glass.

    Keeping to computer security: Say a particular system has 5000 current, undiscovered ways of being broken into (or just broken). Breaking into it requires finding one of them. But you have to find 2500 of them just to have a 50% chance of finding the one the hack.. err... cracker finds. If a typical passably decent hacker can find 5 holes, he'd have over a 95% chance of finding one of the ones the security team, that found 2500, missed.

    Yes, I wouldn't hire a computer criminal because of his ethical problems. I also wouldn't hire him because if he actually thinks that breaking into a system makes him qualified to work securing systems, he clearly knows nothing about securing systems.

  23. Re:No, no, no! by Anonymous Coward · · Score: 1, Interesting
    Back in the 80s (1982-1985), I was a hacker, phreaker & cracker. There was no law in my country against *hacking* into computers. A few got busted for phreaking with the phone company.

    I can't talk for the other guys...

    People trust my judgement in terms of security background (from A to Z), I always turn around when people are typing their password because for me a password IS PERSONAL. I never go read other people's email. Yes I'm going into home accounts BUT only when we have a 100% full volume. I am searching for big files, sometimes I see "weird things" (like: how to girl a girl in your bed all the time.htm !!! .EXE files downloaded from Ka...? mp3 ... ). I never spoke about the "weird" files to anybody, not even the owner -- I act as if I didn't see those files.

    I'm proud of the job I do compared to others.

  24. Are you kidding me?!? by Wolf_Larsen · · Score: 2, Interesting

    Skills are a small portion of the issues here. Police don't hire criminals. Criminals clearly have the skills, but the problem of police departments is not as much finding the criminals, but managing the cops. That's why you have the incredibly strong culture of anti-criminal behavior amongst police officers. That way, the cops tend to want to seek out criminals and bust them. Thinking about hackers, the mission of getting one over on the man is inherently different from hating and seeking out the bad guys.

  25. Don't laugh. by Anonymous Coward · · Score: 1, Interesting

    Many years ago I worked for GCHQ, the British equivalent, with a Top Secret ("codeword") security clearance. During the interviews and vetting process I admitted to hacking into my school network on several occasions.

    The interviewer, far from being concerned, started to discuss the methods I had used and tested me for possibilities I had possibly overlooked.

    Needless to say I got the job.