Would You Hire A Hacker?
theodp writes "A German security company has divided opinion in the IT industry by offering a job to the teen charged with creating Sasser. Silicon.com asks its CIO Jury: Would you hire a hacker? and finds the jury split down the middle, with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother."
That's not hacker! It's cracker. Hackers create, crackers destroy.
-ESR (fake)
Hacker != Cracker. How-to.
[O]ne IT Director [said] doing so would be like hiring serial-killing doctor
A little extreme on the allegories, aren't we? Virus writing is not exactly like taking out a knife and killing someone. (Although it may result in the shutdown of systems that support people's lives. I'd tend to blame this on the idiots who use Windows for those systems, though.)
As for hiring him, I think my answer would be "maybe". I certainly wouldn't hire him because of his transgressions, but rather despite them. Basically, everyone should be entitled to a second chance. If this employer believes that the guy has a lot of talent and is repentant of his past deeds, then give him another shot! He'll have to try damn hard to remove the stigma from his deeds, but try hard enough and he might just turn his life around.
Javascript + Nintendo DSi = DSiCade
It'd be more like hiring a doctor who was convicted of illegal cloning experiments to work on alternatives to organ transplants.
doing so would be like hiring serial-killing doctor
Well, if he's good with a knife..
Honestly though, if a hacker has paid his debt to society and now wants to help businesses prevent what he was doing (Kevin Mitnick), why not let them? Having the most knowledgeable person for the job might just save you from being hacked by someone else--as long as you can trust the person.
Boxing Equipment Reviews
What a loaded question?
Would I hire a worm-writing kid? No.
Would I hire a gray-hat security genius? Absolutely.
A security company might benefit from his experience, or even just the marketing angle "the best hackers work for us!"
In the field I'm in, he'd be a liability. We do government stuff, relating to law enforcement, and while we're not a bunch of angels, we don't want any skeletons in our closet either.
I don't need no instructions to know how to rock!!!!
I know a lot of people who are "Hackers" who work in IT... Hiring someone who writes worms and virii though? Not bloody likely... Hackers aren't always malicious, and more than likely they know what they are doing with system administration than someone who just reads a few FAQs and manuals...
It might be nice while they're working for you, but if you piss them off (who hasn't been an employer and had an employee pissed off?) then they have inside knowledge about your company and the ability to hack.
On the other hand, I wouldn't consider these VBS writers "hackers". They are just glorified script kiddies. Don't reward that behavior.
Chris
I tend to think that just because someone creates a virus that happens to work well, and causes massive amounts of destruction isn't a horrible person at heart.
I think if you've ever done any amount of programming, you've been there before, little mental masturbations of doing bad things to people to clever programming.
This is like refusing to hire someone because they got a speeding ticket, or downloaded music off of the internet.
Fear the day that you ever have to let him go.
If they want to learn more about their "trade" and the company that hires them properly handles all of the information it could then extract out of them, then whatever damage the kid could do would be mitigated by how much the security guys could learn. I for one say go for it, if the company that is going to hire this person knows what it's doing on collecting data about any and all work the cracker will be doing for them.
Sometimes the best way to learn about your enemy really is to contain them and see how they think. Who knows, maybe the security guys could find out enough to actually get an insight into how to properly go about proactively handling security threats posed by worms?
Click here or a puppy gets stomped!
I think it would depend on the QUALITY of the hack. A poorly written hack that breaks out in the wild, that causes unintended results would prevent me from hiring said person.
However, if the hack is an elegant piece of code, that does exactly and only what the author intended would be something I would consider.
Originality also would count. The creative nature of the hack would also weigh in. This prevents script kiddies from modifying existing hacks from the "application" for the job.
In other words, I would evaluate each hack and make judgements on the overall skill, novelty and execution of the hack, all skills needed for any programming job.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Note: I'm not saying that this chump is the best programmer around, I'm sure he's not. But if he's a great man for the job and can think of things that you and I won't, then I'm on.
Berto
There are PLENTY of information security white hats that are just as talented, if not more talented, than the black hats. If we are truly talking about hiring a "black hat cracker". Even if they were exceptionally skilled it would depend on the individual.
:)
They committed a computer crime. That is a liability, not an asset. All in all their benefits as a skilled IT professional would have to outweigh their liabilities (being busted for a computer crime). It is a factor that goes into the equation. I would say that in most cases it would be enough to lean me towards not hiring them. I think it's a pretty serious thing to hack someone else's system. There are PLENTY of ways to make a name for yourself in a white hat way. Writing papers, studying info sec and staying on top of the field and becoming a noted voice in the communities is one. Ultimately if you need negative publicity to be known (and or hired) you're just being lazy.
Jeremy
Not to play devil's advocate or anything, but if worm writers start getting high paying jobs (especially if they get lots of media coverage) wouldn't this encourage people to write more worms? Hey look, I can destroy all these machines, become famous, get stuck on probation, and get great job offers!
I Am My Own Worst Enemy
The FBI hired Frank Abagnale Jr. as a counterfeit specialist and it turned out to be a good thing. Why? Because he was just a freaking teenage KID that happened to be misguided through lack of maturity. If this teen hacker was given a little direction and purpose with his life then he could steer everything completely around.
I can't believe that comment about hiring him being similar to hiring a serial killer as a doctor. The director that spoke that comment is an idiot.
I think I would look at what type of hacker they are.
Is it someone who knows systems inside and out and enjoys toying with them? Then definitely yes.
Is it a script kiddie who just took someone else's work and capitalized on it? Definitely not.
The issue is not about elitism, it's about attitude, someone who has gone to the effort to learn something and apply it is in a whole different world than someone who is so socially mal-adjusted they feel the need to tweak the latest worm to say "I RULEZ" and sends it back out.
Never underestimate the power of human stupidity -RAH
Would I hire an extortionist to be my accountant?
Would I hire a thief to manage my inventory?
Would I hire a sadist to manage my HR (Catbert obviously excluded)?
Would I hire a sex offender to babysit my children?
No.
Yes, they did pay their debt to society/do their time. I might hire them to do other things away from their area of conviction, but I'm not going to dangle temptation in front of their face. Does that seem like just straight common sense to anyone but me?
The Hacker FAQ.
Belief is the currency of delusion.
And he worked out great. We both had similar skills and were able to hammer out a lot of code. We do not work together anymore, but I still work with hackers. If you do not enjoy pulling things apart to see how they work and hack them to do new things you should not be writing software.
Brennan Stehling - http://brennan.offwhite.net/blog/
Use of the term 'hacker' here is a misnomer. Would I hire someone who has a broad technical ability and excels in why things do and don't work? Absolutely. But allow me to go on a little old-man rant here (and hell, I'm in my 20s): viruses these days aren't what they used to be.
In the 1980s-1990s, you could pick up a copy of 2600 and read the code for a relatively complicated polymorphing boot sector virus -- complicated because it took a good knowledge of assembler, specific system calls, the boot process on a PC, etc., among other things. With a few tweaks, it would be slow-incubating, but deadly.
The internet has changed the way we deal with security, because no longer is the question "How clever is the virus?" so much as it is "How cautious is the user?" Example: the "Microsoft Office 2004 Beta" for Mac appeared on P2P networks a few months ago. When run, it deleted the contents of your user folder. Devastating, yes, but nothing I couldn't do myself without programming knowledge. So the 'virus' wasn't clever, tricky, or even unique in function, except for the method of delivery, which was social in nature -- not technical.
The same applies to security holes in your OS. Whether the hole should be patched is another discussion, but taking the obvious routes through those holes to bring down computers isn't particularly noteworthy. If everyone at my office has VNC installed without a password, and I go delete their My Documents folder at noon today, am I a hacker? No. I'm just a prick.
So when you ask, "would I hire a hacker?" Yes.
But when you ask, "would I hire someone who creates/uses something annoying and not that special; requiring a moderate level of programming skill if at all; that relies on the user to activate it or a major security flaw in the OS?" Absolutely not. These kids' salaries should be going to sociologists who can better analyze group behavior, and real coders, not scr1pt k1dd13z.
It is not about skill or knowledge, it is about "Can I trust this person?". If someone can write a virus, that might demonstrate good knowledge. Releasing the virus shows the person either did not think about the damage they would make, or worse, they did not care. I would not want someone like that in my company or organization. I happen to think those kinds of people belong in jail, because sooner or later they will do something as stupid as the common thug.
Come and say hi. http://forum.penpals.com/index.php
mmm honey
I give up, what sort of stuff do you do at National Endowment for the Arts?
It's amazing to me what kind of gullible suckers the mods are around here.
Would I hire com Adrian Lamo? Yeah.
It depends a lot on the intent of the attack and what was done once it was successful. Also on the personal morals of the individual.
I do security
Hear hear! I can't stand how many people keep making this simple mistake. By calling destructive computer criminals "hackers," you're bringing down everybody who codes for the love of it. Lots of us have been calling ourselves hackers for years, only now to get painted with this negative brush.
I don't expect the mainstream press to know any better, but this is Slashdot. Can we please try to keep our definitions straight?
A hacker is a skilled, passionate computer programmer -- nothing more.
A person who commits malicious computer crimes is a biscuit. Like those evil software pirates who walk around with those parrots on their shoulders: "Polly want a biscuit!" Get it right, people.
Breakfast served all day!
if you treated the guy right, he really wouldn't bother to take you down
:D
I never treated him badly, yet his Sasser worm attacked me anyway. Oh wait, I got it... he's changed for the better
one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother.
Being that Shipman is dead, it would be really stupid to hire him for anything.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
In this case, I don't think there's a whole lot to be learned.
The Sasser worm exploited a hole in LSASS that Microsoft patched on 4/14, the worm itself was discovered in the wild some time later than that, around 5/1 as best I can remember.
The lesson? Keep your crap patched and you won't get as many worms. How can observing this guy give any insight into that?
All you script kiddies out there who are drooling, be warned that you probably wouldn't have a chance in hell of getting a TS/SCI security clearance.
Move along, certainly nothing to see here. BTW I second the post that the mods are gullible today. Of all days that I have no points.
"We need a fourth law of Robotics: Stop Fingering My Wife"
Security is all about trust. Would you trust software written by an ex-virus writer? Or would you use the software recommended by your local guru?
Secondly, all you hackers-aren't-crackers posters should be modded "-1, Tilting at Windmills." If you want to waste time debating semantics, you've obviously got no message worth anyone's time.
The most important trait for an employee is ability to work well with others. Very few things are solo-genius creations, and those that are, fit better in startups than established corporations. I'd be more inclined to invest my personal money as VC to a hacker-run startup than I would be to bet it that a particular hacker would thrive in a Fortune 100 environment.
The next most important thing is the ability to follow a documentable and repeatable process. Hacking for yourself is fun, because it only ever requires you to poke and prod based on your own intuition. When you're anti-hacking, you don't get the same luxury: you have to cover/examine/harden whole systems. Think of the hackers as the Blitzkrieg, and the anti-hackers as the Maginot Line: the odds are stacked against the defenders.
Thirdly, degrees and certifications (which typically have ethics requirements which preclude ex-hackers) really matter in a corporate environment... Not if your hacking is successful, but to help assure that UNsuccessful hacking means something. That is, if we couldn't get in, we expect it's pretty secure.
And, lastly, it's about the liability. All self-righteous nonsense about giving people second-chances aside, those who have committed crimes in the past are more likely to commit them in the future.
Bottom line? It's far easier to take a hard-working system administrator and make her into a good hacker than it is to take a computer criminal and make him into someone who fits in a corporate environment.
My employer does...
Not any more, you are fired! I have told you not to post on slashdot...
Yours ex-Boss
It sounds exciting working for the NRA.
Hmmm, how many other organizations start with "N" and end in "A" that have nothing to do with computers?
myke
Mimetics Inc. Twitter
Harold Shipman committed suicide 9 months ago
There must have been a better analogy than mentioning hiring a dead person
FGD 135
You don't necessarily need TS/SCI to work for the NSA. Of course, not having it certainly limits how far you can go.
Everyone on my wife's side of the family is some form of NSA spook. The grandparent article was pure horseshit, too.
I don't need no instructions to know how to rock!!!!
Of course, none of us were alive to see this, but when medicine was just starting out, the best doctors employed grave robbers to get bodies on which to practice and learn. It was against the law, and against the church, but they needed a place to learn without killing people. Now, I guess the question I ask is, would you want a doctor who had never seen the inside of a person to be the one helping your dear old mother?
Anyone who is worth his salt as a coder/geek has done some questionable things before. The question is whether or not they got caught. You can be sure there are people working at major tech companies already who have done some questionable things. Only they weren't caught. If you can trust a person and they're good, hire them. Chances are you've already got someone working for you who has broken the law only you don't know it.
The Information Revolution will be fought on the command line.
I believe his actions speak for the quality of his character.
We had a lesser, but similar situation at the company where I work. This guy applied for a programming job, and his entire coding experience consisted of writing spamming tools.
He'd openly, and seemingly without shame, listed all his spammer tools on his CV (resume for you over-the-pond types)
I desperately tried to get the guy doing the recruiting to hire him, just so I'd get an opportunity to beat the shit out of the filthy bastard.
Language is a living thing, it evolves and word usage changes. Hacker is a negative thing in this context, talk to a kernel dev or a FreeBSD developer and maybe it won't be. Gay used to mean a happy person, and ignorant was uninformed, neither definition is what the general use is now so get over it.
BTW a hacker was not a skilled, passionate computer programmer, it was someone who created an ugly kludge to quickly solve a problem.
"I use a Mac because I'm just better than you are."
The first perp had an account with a different ISP. He found several big holes in their security and alerted them of the problem. The ISP revoked his account as a reward. We found out about it, and gave him a job. He was 16 at the time and stayed with us well into adulthood while he went to college.
The second perp, who still works for us, was asked to perform a security check by his employer. He found holes, presented his findings, (including the dirt he dug,) and was brought up on charges for "Exceeding mandate" or something along those lines. We hired him. He's great.
Regardless, hacker jerks regularly hack away at our walls. I wish we had jobs for all of them! My vote? Hire them.
http://www.setec.org/hirehacker.html
-- The Funk, The Whole Funk, And Nothing But The Funk
Excuse me fellas... Kevin Mitnick was a hacker/cracker. By saying because he is a criminal and you wouldn't hire him... I pose another question... would you hire Kevin Mitnick? How about Steve Wozniak (I know he wasn't a cracker... not that we know anyways)? True he is definitely not as skilled as Mr. Mitnick (whom I have tremendous amounts of respect for) but this kid definitely has got some skills. I would definitely hire him.
The IT Director who made the Shipman comparison should be fucking fired. Just what kind of values does a man have when he equates a mass murderer with a teenage computer virus writer? My god, the kid is exactly that, a kid! He isn't a violent drug crazed sociopath, he's doing what many kids do, i.e. messing around to see what he can do and how far he can go, with the exception that he got caught.
This kind of fanatic mentality, where a stupid fucking computer (or a song or movie on the internet) becomes more valuable than people's lives, is a sad testament to the state of our society.
You think I'm over the top? Why is it that people who download songs from the internet get punished harder than the executives of corrupt and failing corporations?
If you give someone a chance, after he or she has messed up, especially as a teen, they might or might not do something useful with their lives. But if you dismiss them outright, you are condemning them for the rest of their lives.
Way to go fuckers.
As in "Last night I mugwumped your sister".
Why on earth should we assume that someone who can break security has the slightest knowledge of how to fix security? I can break regular glass with a rock, but have no clue how to make shatter-proof glass.
Keeping to computer security: Say a particular system has 5000 current, undiscovered ways of being broken into (or just broken). Breaking into it requires finding one of them. But you have to find 2500 of them just to have a 50% chance of finding the one the hack.. err... cracker finds. If a typical passably decent hacker can find 5 holes, he'd have over a 95% chance of finding one of the ones the security team, that found 2500, missed.
Yes, I wouldn't hire a computer criminal because of his ethical problems. I also wouldn't hire him because if he actually thinks that breaking into a system makes him qualified to work securing systems, he clearly knows nothing about securing systems.
I'm a big believer in second chances and turning over leaves, but we are talking about a person who has demonstrated a weakness of moral fiber.
Whether or not the individual is good (skillwise) or not is irrelevant. What is relevant is how one goes about redeeming themselves in the eyes of the community.
I suppose it comes down to your company's comfort level. It is a lot like the transition homes where families take in young ex-criminals to help give them a second chance. Sometimes, you honestly see great things come from second chances. Other times, you get a family who is robbed by the one they entrusted.
It doesn't take a rocket scientist to write a replicating piece of code. It doesn't take a lot of brains to take an existing one and modify it either.
Which brings one to wonder why hire someone who's only done these things?
The only apparent benefit is to use him to get at other virii writers through association online and by monitoring his access and communications. By hiring him, they increase his profile and will likely draw the attention of script kiddies who will get caught by the firm.
Otherwise, such a hire only risks stock prices and makes the company liable for future damages.
Winged Power Photography
Would I hire a hacker? The answer is absolutely; hire someone who learns on their own without some instructor holding their hand.
Hackers have the best problem solving, and deductive reasoning skills of anyone in the IT industry not to mention attention to detail. One could only be so lucky to have one on staff (and you probably do).
Don't get me wrong, there are definitely malicious hackers (crackers) who find joy in compromising, stealing, and destroying systems and networks, but to be honest, most of them do not get caught, and if they do, one needs to wonder, how good are they anyway if they got caught.
AdsJunction.com Ad Network
Skills are a small portion of the issues here. Police don't hire criminals. Criminals clearly have the skills, but the problem of police departments is not as much finding the criminals, but managing the cops. That's why you have the incredibly strong culture of anti-criminal behavior amongst police officers. That way, the cops tend to want to seek out criminals and bust them. Thinking about hackers, the mission of getting one over on the man is inherently different from hating and seeking out the bad guys.
Here we have the morally righteous leading the charge against hiring hackers who've engaged in criminal activities in the past because they can't ever be trusted again; and yet these same folks keep voting in Congressmen who themselves have criminal records, ranging from DUIs to bribery to racketeering to assault to spousal abuse to sexual misconduct with minors.
So I guess the message here is that you can't afford to compromise when it comes to hiring IT staff, but you don't have to be nearly as selective when voting in members of the legislative branch of your government.
This'd be funny if it weren't so pathetic.
(You can google the criminal records of your Congressmen rather easily on your own, so there's no need for a link - do it yourself. You may find the results enlightening. Or not. This is slashdot, after all.)
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
You should probably add to your definition there a part about the person calling you a hacker actually knowing what the hell they're talking about... because by your current wording, I'd be a hacker. I'm not. My boss occasionally refers to me as "hacker" at work (other choice nicknames are "Dell", "Pentium", and "Bum-bum-bum-bum!" which is supposed to be the chimes from the Intel commercials. He tried to call me "Compaq" one time but I gave him a dirty look so he doesn't do that anymore).
:D
My hacking skills that impressed him so? Tracking down a missing document on the company network (thanks to my amazing ability to press 'ctrl+f') so we could copy it to a floppy disc for safekeeping.
Last month I taught him to say "leet" (1337). I was so proud!
Who here thinks that they have the knowledge to do what he did?
I believe a large proportion of the readership here would claim to have some coding ability, maybe have programmed some big complex products, but who knows where the weaknesses are, what routines are going to lead to security holes and exploits?
Who took hacking/cracking 101?
Someone mentioned 5000 exploits and maybe being able to close down half of them. Isn't the focus of most software projects to achieve the desired result?
The vulnerabilities left in software are from minds focused on achieving that result.
I would think his unique viewpoint on code is perhaps a valuable asset. Showing the main coding staff where their code is weak could be a valuable learning experience for them.
Maybe some of the white hats are afraid that someone like him could show how poor their coding practices are?
Of course his exploit may not have been hard to implement and he might have been following a recipe; I don't know him or the skill needed to achieve what he did.
Hopefully the person hiring him does.
Blarney Quality Restaurant, Plants