Slashdot Mirror

← Back to Stories (view on slashdot.org)

Would You Hire A Hacker?

Posted by timothy on from the depends-on-circumstances dept.

theodp writes "A German security company has divided opinion in the IT industry by offering a job to the teen charged with creating Sasser. Silicon.com asks its CIO Jury: Would you hire a hacker? and finds the jury split down the middle, with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother."

39 of 466 comments (clear)

  1. No, no, no! by Anonymous Coward · · Score: 5, Informative

    That's not hacker! It's cracker. Hackers create, crackers destroy.

    -ESR (fake)

    Hacker != Cracker. How-to.

    1. Re:No, no, no! by Dr+Reducto · · Score: 5, Insightful

      Yeah, I don't think this kid is all too bright compared to a lot of other hackers. I mean, for one, he got caught.

    2. Re:No, no, no! by DogDude · · Score: 5, Insightful

      Hackers create, crackers destroy.

      And while you are busy trying to make this assertion to a hiring manager, somebody else who doesn't deal with pedantic stuff like "hacker vs cracker" is taking your job.

      --
      I don't respond to AC's.
    3. Re:No, no, no! by ePhil_One · · Score: 5, Informative
      Yeah, I don't think this kid is all too bright compared to a lot of other hackers. I mean, for one, he got caught.

      For another, he's clearly subject to certain moral lapses.

      I've been given this opportunity before, an applicant admited to hacking into a company to demonstrate his abilities and knowledge; they hired him. While I recognized his potential to help secure our network, could I trust him not to monitor peoples mail for his own amusement, access private data like salaries, "attack" computers of folks he didn't like, or otherwise cause trouble?

      It took a slam dunk "Hire him" to a long debate, we wound up not making an offer.

      --
      You are in a maze of twisted little posts, all alike.
    4. Re:No, no, no! by carpe_noctem · · Score: 4, Insightful

      Completely agreed. The meaning of words is determined by their use and context, and sadly, "hacker" is one of those words that has taken a negative context in the eye of the greater public...

      --
      "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    5. Re:No, no, no! by Frymaster · · Score: 4, Insightful
      log his activities to a machine he doesn't have the skills to crack...

      if you could create a machine that he didn't have skills to crack... why would you need to hire him in the first place?

      --

      2 1337 4 u!

    6. Re:No, no, no! by jhoffoss · · Score: 5, Insightful
      This would fail even more quickly. Most of my clients are stressed out as it is when they bring my firm in. The one thing we have that they take comfort in is our integrity. Without that, we would be out of a job.

      If a company's entire basis is the fact that their employees do not (or did not, if truly grey hat...) have integrity, they're sunk before they leave dock.

      In the same breath, I will just state what I have seen someone else on /. state, and I found humorous: black hats are good hackers, white hats are good fakers, and grey hats are good liars.

      --
      Linux: The world's best text-adventure game.
    7. Re:No, no, no! by stratjakt · · Score: 4, Insightful

      That'd be nice if you have the manpower or spare time to babysit all your employees.

      I don't and nor does anyone in this office, if theres any question of trust around here, you're out on your ass.

      --
      I don't need no instructions to know how to rock!!!!
    8. Re:No, no, no! by dead+sun · · Score: 4, Insightful
      So is what's being said here equate to 'if the applicant hadn't admitted to hacking a company to demonstrate knowledge, and instead plausibly lied about having worked in a "test" environment configured just like a real company, the debate wouldn't have happened'?

      I'm sorry, but at least the person you didn't make an offer to was willing to come forth about it, let people know that he found that sort of behavior acceptable, and give a chance to lay down a set of rules that are perhaps more fitting to his particular morals. He was decent enough to give that opportunity.

      I wonder how many people you've worked with have ever done the same things as this individual but haven't owned up to it. I wonder if anybody you've worked with monitored mail for their own amusement and just never set off warning flags during the interview process.

      It's one thing to catch somebody doing something after giving them a chance (because of not being told about certain behaviors or not). It's another entirely to deny them a chance after they're trying to be out in the open with you.

      Why would a spy come out and say they're a spy? It sets off alarms and unless you're just that damn good, blows any future chance of spying you have. Why would a cracker come out and declare they're a cracker unless they're willing to change their tune while on the job? I guess, unless you're looking for feints within feints.

      --
      If not now, when?
    9. Re:No, no, no! by pilgrim23 · · Score: 4, Funny

      I rememebr years ago the strident arguments on IRC: "No No! this is NOT some AOL 'room'. This is a CHANNEL!"

      We need a new word that denotes a good or cool hack, or hacker. I propose "mugwump" but am open to reasonable suggestions...

      --
      - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
    10. Re:No, no, no! by skiflyer · · Score: 4, Funny

      Best logging system for super secure systems I ever heard of.

      A good old fashion linefeed dot matrix printer... so a cracker may at some point be able to disable the feed, but if you were tracking them on the way in there's no way to cover their footprints electronically.

    11. Re:No, no, no! by divisionbyzero · · Score: 5, Insightful

      Hmmm... clearly if this kid has any brains he would know that he is under scrutiny. So what's he going to do? Spend all day looking for where the logs are kept and trying to get into the machine that stores them. It would be trivial to find out which machine is storing them because a connection has to be opened to his computer at some point and not only that since the logs would be generated on the machine and downloaded, assuming there wasn't a persistent connection for continual download which would also be blatantly obvious, the log file itself would be the perfect vector for malicious code.

      For most crackers it is the thrill of defeating someone in power that gets them going. Trying to control him would only encourage him. No, if you can't trust him, then don't hire him, and someone that consistently has moral lapses is clearly not trustworthy.

    12. Re:No, no, no! by sunjin · · Score: 5, Interesting

      An important point to consider is that by hiring him you are sending a message to others that cracking is a good way to get a job. Do we really want a bunch of script kiddies trying to make a name a for themselves thinking it will turn into a career?

  2. Extreme comparisons by AKAImBatman · · Score: 4, Interesting

    [O]ne IT Director [said] doing so would be like hiring serial-killing doctor

    A little extreme on the allegories, aren't we? Virus writing is not exactly like taking out a knife and killing someone. (Although it may result in the shutdown of systems that support people's lives. I'd tend to blame this on the idiots who use Windows for those systems, though.)

    As for hiring him, I think my answer would be "maybe". I certainly wouldn't hire him because of his transgressions, but rather despite them. Basically, everyone should be entitled to a second chance. If this employer believes that the guy has a lot of talent and is repentant of his past deeds, then give him another shot! He'll have to try damn hard to remove the stigma from his deeds, but try hard enough and he might just turn his life around.

    --
    Javascript + Nintendo DSi = DSiCade
    1. Re:Extreme comparisons by epiphani · · Score: 4, Interesting

      A little extreme on the allegories, aren't we?

      Agreed. If we want to stick with the Doctor example, I would equate it more towards someone performing impressive medical research without a license. Or practicing medicine without a license.

      Most of these virus writers are teenagers with no formal education and no job prospects as a result. Writing something like this proves they're not only talented, but quite bored. Give them something positive to work on, and a paycheck to boot, and im sure good results will come of it.

      I think the fact that these teens exist is a result of the stupidity of the system to depend on education metrics to represent knowledge and value.

      --
      .
    2. Re:Extreme comparisons by shawn(at)fsu · · Score: 4, Insightful

      I can see three potential problems with this.

      1) The possibility that this might motivate other crackers to unleash the next big worm to find a job.

      2) What about the poor shmuck that does nothing wrong and gets passed up for a job.

      3) Say you hire him and he goes back to his old ways. Wouldn't you be somewhat liable for damages caused to you clients.

      As I said potential and possibly extreme situations.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    3. Re:Extreme comparisons by einhverfr · · Score: 4, Insightful

      I read a couple or articles on this case by the time it hit /. So here is what I have to say.

      First, I think that this kid has been punished pretty severely already. His *dad* got fired over it, and he has recieved his share of death threats. This is not something you can just take lightly, especially when one's actions affect those close to the perpetrator. BTW I do think that firing the guy's dad is a little severe. Indeed these actions were what motivated the German security firm to offer a job to the kid.

      Secondly, the comparison to the serial-killing doctor is quite misguided. In this case, it is more like hiring the serial-killing doctor as a pathologist. He *might* make a really good pathologist. But there are no guarantees.

      Finally, at least in the US, our legal system recognizes that teenagers are not as capable of considering consequences of their actions as adults,and there are some scientific studies which have been published in the last few years that may provide a solid scientific case for challenging those states which allow the death penalty for individuals under the age of 18 who commit capital crimes. If you say that "we will never allow anyone in this field to ever hire a teenager who commits this crime" then you are placing, IMO, unbalanced consequences for the misguided and even criminal actions of such individuals.

      --

      LedgerSMB: Open source Accounting/ERP
    4. Re:Extreme comparisons by stratjakt · · Score: 5, Insightful

      It doesn't necessarily prove any talent at all.

      It proves they go to their favorite hacker website, download some proof of concept code, and wrap some VBScript around it.

      I wouldn't call Sasser a work of genious, but a work of pure assholery. He didn't invent something, or do it to prove a point. The point was proven, the exploit was known. He did it to be a 1337 h4x0r.

      I think the fact that these teens exist is a result of their own stupidity. Guess what, you want to commit crimes for attention, it just might fuck your entire life up.

      Try and get a job in retail with a shoplifting conviction. Try and get a job as a kindergarten teacher with an assault conviction. Try and get anywhere in politics with virually any conviction greater than a traffic violation.

      Boo hoo for teens too stupid to realize actions have consequences, sometimes life long consequences. And I'm sick of people blaming "the education system" or "society".

      This kid was mentally developed enough to know what he was doing was wrong, and did it anyways. He's lucky to be offered a job doing anything more technical than digging holes in the dirt.

      --
      I don't need no instructions to know how to rock!!!!
  3. Bad analogy by Anonymous Coward · · Score: 5, Insightful

    It'd be more like hiring a doctor who was convicted of illegal cloning experiments to work on alternatives to organ transplants.

  4. Mitnick by Klar · · Score: 4, Insightful

    doing so would be like hiring serial-killing doctor
    Well, if he's good with a knife..

    Honestly though, if a hacker has payed his debt to society and now wants to help businesses prevent what he was doing(Kevin Mitnick), why not let them? Having the most knowledgeable person for the job might just save you from being hacked by someone else--as long as you can trust the person.

    --
    Boxing Equipment Reviews
    1. Re:Mitnick by SpecBear · · Score: 4, Insightful

      One word: liability
      It's not just about how you feel about it, it's how your clients feel as well.

      There's always the danger that one of your employees is going do something evil. But hiring a known black hat makes you highly vulnerable. What happens when your competitor is giving a presentation to a potential client and says, "Yeah, those guys at FooCorp hired the guy who wrote that virus that took down GreatBigWebSite.com. I wouldn't trust that guy with my customer data, would you? Do you really want to do business with a company the rewards criminal behavior?" What percent of your potential business would you lose?

  5. hacker? by BoldAC · · Score: 5, Insightful

    What a loaded question?

    Would I hire a worm-writing kid? No.

    Would I hire a gray-hat security genius? Absolutely.

  6. Depends on what you do by stratjakt · · Score: 5, Insightful

    A security company might benefit from his experience, or even just the marketting angle "the best hackers work for us!"

    In the field I'm in, he'd be a liability. We do government stuff, relating to law enforcement, and while we're not a bunch of angels, we don't want any skeletons in our closet either.

    --
    I don't need no instructions to know how to rock!!!!
  7. wow... by Izago909 · · Score: 4, Funny
    ...with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother.
    I bet Freud would have a few things to say about that subject..
  8. I wouldn't hire one by alatesystems · · Score: 4, Interesting

    It might be nice while they're working for you, but if you piss them off(who hasn't been an employer and had an employee pissed off?) then they have inside knowledge about your company and the ability to hack.

    On the other hand, I wouldn't consider these VBS writers "hackers". They are just glorified script kiddies. Don't reward that behavior.

    Chris

  9. definitely not by staticdaze · · Score: 5, Funny

    Fear the day that you ever have to let him go.

  10. Hackers and Hiring by Archangel+Michael · · Score: 5, Interesting

    I think it would depend on the QUALITY of the hack. A poorly written hack that breaks out in the wild, that causes unintended results would prevent me from hiring said person.

    However, if the hack is an elegant piece of code, that does exactly and only what the author indended would be something I would consider.

    Originality also would count. The creative nature of the hack would also weigh in. This prevents script kiddies from modifying existing hacks from the "application" for the job.

    In otherwords, I would evaluate each hack and make judgements on the over all skill, novelty and execution of the hack, all skills needed for any programming job.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  11. Think outside the box by MicroBerto · · Score: 4, Insightful
    If your company designs high quality locks (haha like Kryptonite U-Locks), would you hire the best lockpick around, even though he once used his skills to break into 7/11 and steal a bunch of stuff? Personally, I would. You need people to think outside of the box and go against the grain of your culture once in a while, IMO.

    Note: I'm not saying that this chump is the best programmer around, I'm sure he's not. But if he's a great man for the job and can think of things that you and I won't, then I'm on.

    --
    Berto
  12. Short Answer: Maybe by jallen02 · · Score: 4, Insightful

    There are PLENTY of information security white hats that are just as talented, if not more talented, than the black hats. If we are truly talking about hiring a "black hat cracker". Even if they were exceptionally skilled it would depend on the individual.

    They commited a computer crime. That is a liability, not an asset. All in all their benefits as a skilled IT professional would have to outweigh their liabilities (being busted for a computer crime). It is a factor that goes into the equation. I would say that in most cases it would be enough to lean me towards not hiring them. I think its a pretty serious thing to hack someone elses system. There are PLENTY of ways to make a name for yourself in a white hat way. Writing papers, studying info sec and staying on top of the field and becoming a noted voice in the communities is one. Ultimately if you need negative publicity to be known (and or hired) your just being lazy :)

    Jeremy

  13. Akin to a serial killer - moronic statement. by Anonymous Coward · · Score: 5, Insightful

    The FBI hired Frank Abagnale Jr. as a counterfeit specialist and it turned out to be a good thing. Why? Because he was just a freaking teenage KID that happened to be misguided through lack of maturity. If this teen hacker was given a little direction and purpose with his life then he could steer everything completely around.

    I can't believe that comment about hiring him being similar to hiring a serial killer as a doctor. The director that spoke that comment is an idiot.

  14. Depends by jhagler · · Score: 4, Insightful

    I think I would look at what type of hacker they are.

    Is it someone who knows systems inside and out and enjoys toying with them? Then definitely yes.

    Is it a script kiddie who just took someone elses work and capitalized on it? Definitely not.

    The issue is not about elitism, it's about attitude, someone who has gone to the effort to learn something and apply it is in a whole different world than someone who is so socially mal-adjusted they feel the need to tweak the latest worm to say "I RULEZ" and sends it back out.

    --
    Never underestimate the power of human stupidity -RAH
  15. I did hire a hacker! by Offwhite98 · · Score: 4, Informative

    And he worked out great. We both had similar skills and were able to hammer out a lot of code. We do not work together anymore, but I still work with hackers. If you do not enjoy pulling things apart to see how they work and hack them to do new things you should not be writing software.

    --
    Brennan Stehling - http://brennan.offwhite.net/blog/
  16. Nope. by captnitro · · Score: 5, Interesting

    Use of the term 'hacker' here is a misnomer. Would I hire someone who has a broad technical ability and excels in why things do and don't work? Absolutely. But allow me to go on a little old-man rant here (and hell, I'm in my 20s): viruses these days aren't what they used to be.

    In the 1980s-1990s, you could pick up a copy of 2600 and read the code for a relatively complicated polymorphing boot sector virus -- complicated because it took a good knowledge of assembler, specific system calls, the boot process on a PC, etc., among other things. With a few tweaks, it would be slow-incubating, but deadly.

    The internet has changed the way we deal with security, because no longer is the question "How clever is the virus?" so much as it is "How cautious is the user?" Example: the "Microsoft Office 2004 Beta" for Mac appeared on P2P networks a few months ago. When run, it deleted the contents of your user folder. Devastating, yes, but nothing I couldn't do myself without programming knowledge. So the 'virus' wasn't clever, tricky, or even unique in function, except for the method of delivery, which was social in nature -- not technical.

    The same applies to security holes in your OS. Whether the hole should be patched is another discussion, but taking the obvious routes through those holes to bring down computers isn't particularly noteworthy. If everyone at my office has VNC installed without a password, and I go delete their My Documents folder at noon today, am I a hacker? No. I'm just a prick.

    So when you ask, "would I hire a hacker?" Yes.

    But when you ask, "would I hire someone who creates/uses something annoying and not that special; requiring a moderate level of programming skill if at all; that relies on the user to activate it or a major security flaw in the OS?" Absolutely not. These kids' salaries should be going to sociologists who can better analyze group behavior, and real coders, not scr1pt k1dd13z.

  17. I would not hire a hacker by here4fun · · Score: 4, Interesting

    It is not about skill or knowledge, it is about "Can I trust this person?". If someone can write a virus, that might demonstrate good knowledge. Releasing the virus shows the person either did not think about the damage they would make, or worse, they did not care. I would not want someone like that in my company or organization. I happen to think those kinds of people belong in jail, because sooner or later they will do something as stupid as the common thug.

    --

    Come and say hi. http://forum.penpals.com/index.php

  18. Re:My employer does... by friendscallmelenny · · Score: 5, Funny
    They put computers online in honeypot setups

    mmm honey

    I give up, what sort of stuff do you do at National Endowment for the Arts?

  19. Re:My employer does... by Anonymous Coward · · Score: 4, Funny

    It's amazing to me what kind of gullible suckers the mods are around here.

  20. Amen! by PCM2 · · Score: 5, Funny

    Hear hear! I can't stand how many people keep making this simple mistake. By calling destructive computer criminals "hackers," you're bringing down everybody who codes for the love of it. Lots of us have been calling ourselves hackers for years, only now to get painted with this negative brush.

    I don't expect the mainstream press to know any better, but this is Slashdot. Can we please try to keep our definitions straight?

    A hacker is a skilled, passionate computer programmer -- nothing more.

    A person who commits malicious computer crimes is a biscuit. Like those evil software pirates who walk around with those parrots on their shoulders: "Polly want a biscuit!" Get it right, people.

    --
    Breakfast served all day!
  21. Re:My employer does... by SpyPlane · · Score: 5, Interesting

    All you script kiddies out there who are drooling, be warned that you probably wouldn't have a chance in hell of getting a TS/SCI security clearance.

    Move along, certainly nothing to see here. BTW I second the post that the Mod's are gullible today. Of all days that I have no points.

    --
    "We need a fourth law of Robotics: Stop Fingering My Wife"
  22. Just how fucking insane is our society anyway? by theolein · · Score: 4, Insightful

    The IT Director who made the Shipman comparison should be fucking fired. Just what kind of values does a man have when he equates a mass murderer with a teenage computer virus writer? My god, the kid is exactly that, a kid! He isn't a violent drug crazed sociopath, he's doing what many kids do, i.e. messing around to see what he can do and how far he can go, with the exception that he got caught.

    This kind of fanatic mentality, where a stupid fucking computer (or a song or movie on the internet) becomes more valuable than people's lives, is a sad testament to the state of our society.

    You think I'm over the top? Why is it that people who download songs from the internet get punished harder than the executives of corrupt and failing corporations?

    If you give someone a chance, after he or she has messed up, especially as a teen, they might or might not do something useful with their lives. But if you dismiss them outright, you are condemning them for the rest of their lives.

    Way to go fuckers.