Would You Hire a Former Black Hat?
Mark Zenson asks: "Understanding the mindset of a hacker and the likes of one may be useful to counter security attacks, but apparently companies still object to hiring former, or even reformed, black hats."
The article asks this question of several executives in the industry and for various reasons, many of them were skeptical to the idea of hiring such people. Would you give black hats a second chance if you were in their position?
But on a more serious note, I would hire anybody as long as they have the right personality. That's right, I've seen it happen too. People who don't know anything about computers are working in corporate America as programmers. They are one-trick ponies and it would take me a few minutes to show others how to do that one trick. The questions I need answered are:
- Can they work with people?
- Can they dress well?
- Do they shower?
- Are they capable of staying after normal work hours every now and then to see to something getting finished?
- Are they sensitive to other people and their surroundings?
If you answered "yes" to all these questions, you too are a potential "team member." In any business. Degrees help but are not required. Judging by the stereotypical picture of a black hat that the media has given the public, I would guess they wouldn't pass the first bullet above. Judging by the few that I know, they were risks but at some point straightened up and are valuable employees to their companies. You just need to assess whether or not they've figured out that a steady source of income is way more rewarding than having "VIODENTIA RULEZ #1" spray-painted on the RIAA's website once a year. And that "selling out" isn't really "selling out" but devoting some of your time to a large project in order to better your circumstances the rest of the time. If they're past that point, then you've got the potential for a great employee.
What's unfortunate for black hats is that there is a wealth of solid programmers from America, India and Russia (if they can make it here) who are more than willing to do anything. On top of that, they have no criminal background. So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.
My work here is dung.
How do you respond to a job offer as a black hat? I wonder what the NDA looks like.
What self-respecting blackhat would admit to being one in a job interview?
Trust is hard to rebuild after others lose their trust in you.
I'm an ex-blackhat who's been working the security space for over 10 years now. My employers only know about my work experience; nothing prior to that. I'm very good at my job, I'm passionate about security, that's all that matters. As long as you're a blackhat who doesn't have a criminal record, you'll likely get a lot more value out of them than a cert crazy white hat who got into security cuz it's "cool".
If I worked at Hewlett-Packard.
we will end no whine before its time
Would you give black hats a second chance if you were in their position?
It depends on the job they were applying for. Someone who has proven their ability to ignore the law in the past can no longer be trusted in a position of responsibility, therefore I wouldn't give them a job in any role that required any amount of access to business critical systems or information. I might be willing to hire one as a code monkey to churn out boring stuff that could easily be audited, but even then only if there were no other suitable applicants.
It sounds harsh, but my job, and the jobs of my colleagues, are more important than giving someone else a break.
http://twitter.com/onion2k
How hard is it to hire similarly qualified people who *weren't* blackhats? If the only difference between two candidates is that one has a felony record, it's not a hard decision to make. While it may look to the blackhat like it was solely his record that prevented him from getting the job, it's really the fact that he's not that rare a commodity.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
Takes one to know one, I suppose. Looking at what Frank Abagnale did to improve security against bank fraud, I'm sure that a 'black hat' turned good could be of some use to a company.
If you know he was a blackhat hacker, he can't be that good. Combine with trust issues and the answer is a clear No.
If their "black hat" days occurred when they were 16 and curious, what's the problem? If it was after High School, I doubt it.
If the company is going to be ripped off, it will probably start in the boardroom as upper management are granted perks that they shouldn't have. One company I worked for is on the road to bankruptcy but the company is still paying for the CEO's $200K/year New York City apartment. This is the same management that banned free soda when they figured out that employees were taking a can or two home. Go figure.
The situation is analogous to hiring a former embezzler as an accountant, and the answer is always, "It depends." The burden is on the former black hat to establish credibility and trustworthiness. The potential employer also needs to be aware of scenarios where the former black hat can still be a valuable, contributing employee.
I might not hire a former BlackHat. However, Microsoft did when they hired me. Not quite as black as many hats out there these days, not making bot nets and selling them, or forming open FTP servers for all sorts of horrible stuff, but discovering vulnerabilities and sending them to folks other than the makers of the product.
Blackhats aren't all shut-ins, as one comment on this thread already posted. The trick is finding those who went blackhat because it was more fun, and had more chances to dig deeper into things than going whitehat would have.
Now, how sad would it be if I forgot to check to post AC?
Back in the day when networks were new and few people had the in-depth understanding of what was still an arcane field, the recruiting of a blackhat made a lot of sense for trying to make more robust security solutions. But now, we have hundreds of thousands of qualified people and many IT professionals are highly trained in the area of network security. And the blackhats these days by and large are either worm authors/botnet controllers or crackers who use scripted 'sploits to ply their trade. So no, I see no need for the corporate enterprise to open itself up to the liability it would face in the event of the "reformed" blackhat deciding to "play around" a little bit with employee data. There's already been enough fallout over loss of customer data and security concerns. Knowingly hiring a convicted felon to entrust that data to would only serve to fuel lawsuits in the event a security breach did take place.
If a blackhat is skilled and "reformed" and truly interested in security, they can offer their services as an outside consultant.
Or perhaps the Military could make use of knowledgeable blackhats putting them on the front lines of electronic warfare.
But I agree that in the workplace they should be treated as any other convict when applying for a position.
Ducklin said: "Let's say that you're shot during a mugging [incident]. As you drift into unconsciousness, would you find yourself saying 'Gosh, I hope the surgeon who operates on me used to be a street criminal because he must really understand gunshot wounds well if he actually shot the people?' You wouldn't think that."
Agree 100%.
"Black hats" is just a funny way of saying "criminal". Would you hire a criminal? Just like all criminals, they serve no purpose in society except to waste the time and money of people who want to accomplish legitimate goals.
I'd be pretty hesitant to hire one.
But I bet the set of people I wouldn't hire based on personality and the set of so-called "reformed" black hats have tremendous overlap. I've been in this business a long time and I've seen the various personality types.
First of all, I've never heard of any of these interviewees. Have they done anything of note in security? I am committing a logical fallacy in asking this, but they don't carry any water in my security oriented meritocracy. As far as conferences go - I'd like to see a comparison of skillsets between attendees for say Defcon and Blackhat, excluding people attending both. I'll wager the Defcon crowd will win out anyways (not that defcon attendance = hacker, but it does mean more so than blackhat).
I'd much rather have a reformed blackhat on my team, than a white-hat. Simply judging from the people I've known in the industry, the people pushing the envelope have the greater skills and tend to have at least some illegal behaviour in the past.
Thinking as an attacker is a skill that requires cultivation too. You don't get this from Joe Software developer.
The real question is: are Black Hat hackers worth the potential risk (shown by their history)? Being a Black Hat hacker doesn't mean you are any good at computers or security. Being labeled as a Black Hat hacker means you were some jerk script kiddie who downloaded some scripts and took control of systems that they know are vulnerable. There are a lot fewer Black Hat hackers who are actually good at what they do. The Gray or White Hat hackers, those are the ones you want to focus more on. They are more interested in breaking security to make it tighter, or, for the Gray Hats, making the tools for the Black Hats. Black Hats will use whatever method is available to break in and cause damage. So if they are reformed, are they really that smart, or just smart enough to type in some code word in 1337 speak, and there is a site where they can get some script? Vs. someone who knows why the script works and what needs to be done to stop it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I'd hire a "contracting" company that had their services to offer, but I wouldn't want to put them on my actual direct payroll. I'd always worry that they were collecting info on me off my system to use for the future. The less tech-savvy a manager is, I'd bet the more that they'd want to cover their butts, just in case of that. I would use them for corporate IT theft on other companies, but would always worry about how defended my own company is.
Would you hire a former jewelry thief to guard your jewelry store? Giving him full access to your security system and allowing him to be in alone at night?
You can never be sure someone is reformed; you only know when they fall back to their old ways, assuming you catch them.
Part of this is because of the ideological mindset; the ones who claim they did it all as a game still often think it's fun, and they seem to lack the subconscious barriers to antisocial behavior that normally tell people that it's destructive behavior. They may "go legit," but how do sociopaths grow ethical and/or moral senses?
These people still like manipulating people through different levels of social engineering. What says people like this won't just try to find other ways to screw with things or people, but in legal ways? What about those egos? Who really wants that in an organization?
If I were going to consider any former black hats at all, it would be those who did things like make spyware on contract in Eastern Europe, in order to feed their families, or something similar. I'd still be leery, but they at least have a situation of duress to claim. If I'm satisfied that they otherwise meet the profile of people I like to hire, I'd just have to worry that they feel rewarded enough that they can take care of their families. But I'd have that worry about all my employees.
I'd hire a former blackhat, but at the "You're hired" meeting, I'd say something along the lines of "Keep your nose clean. If you wanna take your lunch break and non-destructively poke around a little bit, I don't mind. But if you find anything that could pose a risk, I wanna know about it. Nothing illegal on corporate machines. After you leave this room, you're just another new employee... I won't bring up this topic again. Are we clear?"
Of course... I wouldn't hire a blackhat just because they were a blackhat.
-jX
Don't you just love politics? It's like a comedy of errors.
I probably wouldn't. They are a liability. What happens if they get pissed during a meeting? What if the company is downsizing and they get laid off?
Not only that, but also what they were doing during their "black hat" phase.
Running scripts you've downloaded to scan for default passwords on websites so you can post that you've "pwn3d" their site
On the other hand, knowing enough about TCP/IP to crack servers with an injection routine that you've written
Script kiddies are a dime a dozen. And their "knowledge" is just about useless in the corporate world. What else do you have that's better than I can find elsewhere without the issue of your past behaviour?
The same with social engineering attacks (unless you're hired by HP to investigate leaks).
Real hackers, on the other hand, are extremely valuable not only for the technical skills they've built up, but also because they're driven by problem solving and they are more than happy to get down to the metal.
Well, it would depend, wouldn't it.
In no particular order:
How do you know the "hat status" of a potential employee?
What does the law say in the jurisdiction you're in?
Are there other "hat free" candidates with the same skills?
Are you willing to take the risk?
Are there any benefits to the available position that the former "black hat" status offers? (Think, for example, of a truly reformed virus writer who still has contacts in the underground, but, who is now applying for a position in an antivirus company.)
"Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
Ethics: in spite of being a 'black hat', it is still possible for someone to be otherwise ethical. On the other hand, it isn't very likely.
The guy that spends his time concentrating on the 'how' of the hack, without much regard for the effect of the hack is more ethical than the guy performing the hack to steal credit card numbers.
One could potentially be a maturity issue, the other is intentionally criminal.
I could never trust someone who spent a few years stealing & using credit card numbers.
Someone I know was caught stealing cars, he was forced to pay restitution and has spent years being responsible. I like the guy, and he has a trusted position at a company; but it is only because you can see he has changed, he didn't stop doing it because it wasn't profitable any more.
I find the comments that people would rather hire a Black Hat over a White Hat to be amazing. Just the idea that I would be more likely to get a job BECAUSE I committed a felony is crazy.
... especially these days. In no time we're probably going to see the equivalent of Sarbanes-Oxley hitting IT if we follow this sort of road. It only takes a few bad eggs to ruin it for us all. Do we want to set ourselves up for the fall?
Would we rather hire a bouncer with a history of assault? "He's proven to be a good fighter in those situations... and he's reformed, he's not going to get us in trouble".
Is the possibility of ruin worth that extra bit of experience the person has? How many times in history has this sort of thinking backfired for people? I agree that people should be given a second chance, but I also feel that you can't be stupid. Especially in business.
Would you give black hats a second chance if you were in their position?
Barring any severe self-esteem issues, if I were a black hat, of course I would give myself a second chance.
Grammar, people, GRAMMAR!
Or to use the doctor analogy... If you were drifting off into unconsciousness and through some absurd set of circumstances you had a choice of the doctor that was going to treat you, would you prefer a doc who did "off the record" treatment of gunshot wounds for criminals (which would likely mean he used his skills illegally), or would you prefer a "legitimate" doc who has never actually treated a gunshot wound yet but has never used his skills illegally? I know who I'd prefer.
But that's one fringe case. All things being equal, I would lean towards the guy without the shady background as I'm sure most would.
"Our morality is good, theirs is repressive."- Partisanship Rule #3
.. I do have some painting and yard work that needs doing.. What do they charge?
God Be Gone
The term "black hat" can cover a lot of ground. In my mind, there's a big difference between someone who got in trouble for snooping around the university's network for the sake of curiosity and someone who attached a keygen trojan to something and put it out on the internet for the purpose of stealing credit card numbers. There's also a difference between someone who DoS'ed their school's webpage in high school and someone who DoS'ed their employer's webpage when they were 25.
//Would you hire a multiple-time burglar to protect your home? //Sometimes it's best to trust the home-security companies, regardless of whether or not their employees have ever broken into a house.
Here's another thing to think about too... The only reason to hire a black hat over someone else would be that you know they have some experience in hacking. However, there are many people who have the same experience and never did anything illegal. Basically, you're sacrificing a varying amount of ethics in exchange for a guaranteed amount of skill. Also, in many cases, the skill that a black hat has proven is directly proportional to the ethics that he has disproven. That is, if you know enough of a hacker's exploits to know that he is very skilled, you also know that he has broken the law a sufficient number of times to prove it to you.
In all, I would say that hiring a black hat would be case-by-case for me. Someone who is a black hat because of a harmless, but illegal, mistake may pique my interest because of his proven ability to learn independently. Someone who hacked a private network years ago, but has since proven to be a responsible person, may end up being a skilled employee and worth a second chance. But, to me, someone who committed repeated damaging, malicious acts online is no better than someone who committed repeated damaging, malicious acts in real life, and they would not be worth the risk, regardless of skill.
I would not hire a former thief in a supermarket as a detective.
I would not hire somebody who took money from his employer in a bank.
I would not hire a former drug addict as a salesperson in a pharmacy.
I would not hire a former pedophile in an elementary school.
I would not hire a murderer as a social worker.
So - no, I would not hire somebody who fell one time to some temptation in a job where he is tempted each day.
A Blackhat as a programmer - maybe; as an administrator - no.
If the Black Hat was any good at all, you would have no way of knowing he was (or is) a black hat.
But if someone with a criminal record for cybercrime applied, there is NO WAY an informed manager would hire him. If he breaks the laws again, someone could go after you personally for negligence.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Lots of people do dumb things in their youth. Just evaluate the person as they currently are. There are certainly circumstances that would be hard to overlook for certain positions, but to forever eliminate from consideration anyone who ever did anything illegal with a computer seems a bit nuts. Would you refuse to hire someone that got caught shoplifting as a kid? What percentage of your coworkers did something dumb as a kid, whether they got caught or not?
if they're a really good black-hat, you'll never know about them will you?
http://geminisecurity.com/job.html
I'm not opposed in principle to hiring a former Black Hat. It still needs to be the right person for the job, and I still need to trust them. I have to get a real good feeling about the person to start off with, and the possibilities are endless.
Check out our infosecurity industry blog: http://securitymusings.com/
Don't be alarmed, there are a lot of idiots in leading positions in large companies, just as there are many idiots born into affluence, a.k.a. Venture Capitalists.
First, Paul has attempted to apply traditional business philosophies and the illusion of value to that of Open Source development. "[hackers] don't have to support their product [or] be absolutely reliable", is one hint. The illusion of "support"... well, I paid 15,000 (USD) for this SunFire server... called up Sun Microsystems and I have to pay 125 dollars for a valid account just to access their knowledge database.... support my ass. Or, call up Microsoft, and watch as you're told (after the 10-20 dollars you have to pay to talk to a rep) to go to Dell or whoever made your computer; support my ass again. Companies do NOT want to be responsible for their products, they never have, they never will be. At least you more often get a REAL NAME of someone on an Open Source project; as for companies, many Class Action lawsuits have been filed throughout the world and throughout history.
Deadlines... yeah, as a developer of both proprietary software and open source software: nothing diminishes the value and quality of a software project more than a "deadline". This is fact. This is widely known amongst developers. Traditional, archaic business leaders are so ignorant that when this fact is mentioned they honestly think we are joking. In fact, the concept of a deadline is the single biggest factor why proprietary software will never compare to open source software when it comes to quality and usefulness.
But, of all that Paul Ducklin claimed in his article, take this one on for size. "I don't know why people think if you can trot out 10 or 20 or 100 viruses[sp], you would be great at actually producing some antivirus technology that can deal with 200,000 different bits of malware,"
Here, the moron decides to misdirect the reader with numbers. I've developed security software myself. And, I've also analysed a number of security software packages and implementations. When it comes to virus detection, intrusion detection and all that biz, 99% of it is nothing but pattern matching routines in a loop. That's why most NIDS have a data pack which is nothing more than a conglomeration of known patterns to published forms of attacks. It is no different for antivirus software. In short.... if you know regex really well, you don't need to know flip about security or how to implement an attack to identify one with software. This part really ticked me off, because as a person who identifies and writes my own exploits which I might or might not publish, this line of logic Paul wishes onto others is completely bullshit. Then he goes in, and tries to relate the luxuries of production in a less-tangible world (the world of computers, where resources are nothing more than imagination and virtually no effort goes into typing) to the real world where you have to chop down a tree to get wood. What I'm talking about is his falsely applied analogy with being shot by an attacker, asking if a victim might logically wonder if the doctor had ever been a criminal to be that much more familiar with gunshot wounds. What he's trying to say is that a person who is able to exploit a problem is far less intelligent than an IT "doctor" who only really writes up a regex string to identify a problem.
I'll end this here. Because I doubt anyone here will take this article seriously. And if it's not enough to bash Paul Ducklin any more... he's a Chief Technical Officer of Sophos. Sophos is an antivirus company. As far as I'm concerned, his only target is the end-user, the moron, the impulse-double-clicker; those in his image.
Hi!
When I want to hire someone, I just evaluate the candidates in several areas, but one of the most important is "honesty" (I leave several valuable things that can be stolen (usually money on the desk, or on the floor), and I leave him/her alone for some time; after the interview I review if something is missing), and a psychological test to determine if they can be "trusted".... Yes, I know, the test can be fooled if the person is smart enough; because of that, I also put everybody on a "test period", where I monitor them very closely, for at least two weeks (normally, it is extended to three months).
In fact, I hired a hacker, because I have known him for a long time. That's why I knew he was a hacker....... Please, don't read the word "hacker" as "bad"... so many people make that mistake. A hacker is someone who likes to do difficult things, just for the pleasure of doing so.... so, in this order of ideas, almost any researcher is a hacker. Thus, we have "computer hacker" ---> someone who likes the challenges in the computer field, and yes, a security system is a challenge, but there are many others. So, if I need to evaluate security anywhere, I need a hacker; I don't need somebody who will see the holes that are already reported, and that I can look for using nessus (or name your tool). A hacker can evaluate code for security bugs, and will report them, if he is a good person.
It is the same: if you have a gun, and you are a very good shooter ---> does it mean that you will go out there and shoot anyone? I don't think so... The same goes for martial arts: they could kill you, but they don't do it.
So, if I didn't know this "hacker", I maybe would not call him "hacker", I would just say that he is someone with a great talent.
Then: how do you know the difference? You can't.
Just like you don't know if the man that is walking in the street is a killer.
I hope this answers the question,
Soulhunter
Yes. No. Maybe.... That tagging system you got there works great dunnit.
In the UK, after a period of time you don't have to declare convictions, so you may be hiring people who have been in jail for hacking without knowing it.
by hiring an ex-blackhat, at least you get:
* someone who can hack it - no CISSP is going to replace hands on skills
* someone who is willing to admit he has made mistakes in the past - which is more important than ever in the world of security: covering up mistakes doesn't help.
Now, if he's good - it shouldn't even matter if he has been blackhat: the systems should be secure, especially from the inside job threat. And part of his job should be to make it provable that it is so.
Now, if all you want is some type of ISO certification stamp of approval - rubber stamp / get finance / show off, go hire some certified engineer with a long series of random acronyms on his CV, which may include MCSE in the lot - that should be a hint, but unfortunately depending on who does the recruitment it may not be a deciding factor...
TODO: 753) write sig.
There is the uncommon form: a Legal Black Hacker.
As long as the contracts don't let them destroy you, they are safe. Use good lawyers.
These are normally smarter than the run-of-the-mill black hackers. The reason: they don't do anything legally wrong. Only morally. They give a harmless-looking contract to a person that allows them to destroy their network. If they sign it, legal black hackers do it.
They are just as evil. They hunt their prey. They enjoy it. There is no skill in just hacking illegally, in their mind. It's an art to do it within the law. The reason: you can show your face to whom you caused harm to. And watch them cry when they know there is nothing that can be done to the hacker that destroyed their network and backups.
The funny bit is the hunting they love, and the human expressions of suffering. So hunting down illegal black hackers is just as much fun to them in most cases, as long as they get to be present at the catching.
So yes, I will trust a Black Hacker. Just a legal-class black hacker. Note I will never trust a contract that a Legal Black Hacker gives me. I would most likely get my own written.
We aren't "reformed"...we've just found focus.
I don't think that Kevin Mitnick's past has stopped anyone from hiring him. Personally, I believe that "hackers" are job-worthy. Most likely, they are more experienced with computers than the average computer worker.
Klingon Software is not released, it escapes, inflicting terrible damage onto the enemy as it does
Learning how something works is respectable. Deliberately screwing it up with the knowledge of how it works? Not at all. If someone is considered / considers his- or herself a "Black Hat" hacker, you need to think about what they're learning from you, and how that will affect your business. 99.9% of the time, that's not a risk worth taking. On the other hand if someone has an in-depth knowledge of a specific subject and they're responsible enough not to use that inappropriately, they're someone you want to take.
--<Mike>--
I am a bit confused about the implication. The black hats.. well, they weren't called that in the beginning. I don't remember anyone but old people talking about your moral compass in regards to exploiting security holes. All information is knowable. It's a belief that borders on faith. In my circles, it was just assumed that you would do no harm to the whole. When a surgeon takes out your bulging appendix, he has to do some damage to make sure you survive in the end. That's a proper analogy to the successful "black hat" folks. Even if it meant OOB'ing Microsoft's site for 3 days (winnuke was brought up by a previous poster). A much worse scenario would ensue when a hospital was taken down because they (OS/ipsec company, etc.) ignore their own weakness.
I have to tell you that the people I knew that did those things and worse are running your fortune 500 companies right now. The smartest don't get caught. Mitnick had an ego. These people don't. They are innately good at what they do and there is a higher than likely possibility that a "black hat" has saved your company from disaster more times than anyone else. That's my observation.
There are those that destroy to destroy. They don't survive. It's natural law. Smart people know this. Smart people also know that you don't own information or thought- and everything can be altered. I don't think the connotation of "black hat" describes the best of us accurately. I think they are something different and you will see it when their intuition saves your company time and time again. Where the metal meets the meat, you would rather have a person who's been on the other side rather than some cert collector that's just guessing. Media likes to make their misconception reality because it lends them credence. Black Hat does not mean evil. Hacker does not mean cracker. They are not one and the same.
There was a movie about a similar situation: "The Silence of the Lambs". I suggest using the same strategy.
Do not touch the glass. Do not approach the glass. You pass him nothing but soft paper - no pencils, no pens. No paper clips or staples in his paper. Use the sliding food carrier only, no exceptions. If he attempts to pass you anything, do not accept it.
If America is any indication, all people deserve a second chance.
Hell, we hired a former drug-addicted AWOL alcoholic to run our country, and even that turned out all right.
So give black hats a second chance!
Obama likes poor people so much, he wants to make more of them.
Was this person a professional social engineer? Then absolutely not. No way, no how. Babysitting engineers and keeping the team functioning and happy can be difficult enough at times; I don't know when I'd start to trust a professional liar or be convinced that they weren't playing mind games.
If they were your prototypical stack smasher type cracker then I'd be measuring them differently. First of all, I know of next to nobody from the defcon/blackhat set that have moved on to do productive things. Secondly, most of those guys have arrogance that you can barely stand just from their presentations. Nothing makes me think that these guys normally work as teams or are in any way capable of being good team members. If you read Sarah Gordon's profile of virus writers and give it any sort of thought, these people have to have some antisocial disorders to do that in the first place, some of which are pretty extreme. I have no desire to introduce that to my team or company. Some of those disorders aren't things you "recover" from so much as things you learn to control and keep in check; some of those sociopaths are not capable of the feelings and thoughts that make people good team members. As reformed as the guy might claim to be, I'd still want to review everything and isolate him from important materials. I'm not sure when I'd ever be able to let my guard down, and just think how it would be if you did and the guy took stuff?
Thing is, just about no skill isn't replaceable in computers. Nobody is beyond being replaced.
Hire one? I've built an entire company with the combined efforts of former Black Hats.
Y-Crate
CEO - Setec Astronomy
There are always risks involved, but excluding top 1/3 of candidates from your list is stupid. If you are good at something, chances are you played around a bit in your formative years.
WhiteHats know more than a BlackHat only from privileged access. WhiteHats don't know what a BlackHat knows, hence asymmetric warfare rules have WhiteHats at a disadvantage from the start.
People hire convicted felons all the time. What they generally don't do is to hire them in roles that were central to their offenses. It's one thing to hire a convicted pedophile to balance the books, but quite another to put him in charge of the company daycare.
The unchallenged assumption here, of course, is that a "black hat" necessarily has any special qualification for a security job. It's like assuming that a graffiti artist will have any useful insights into formulating a graffiti-resistant exterior paint. For that, you really want a chemist.
That's not to say that there aren't some black hats who wouldn't be useful in a security role, but simply having exploited security holes from the outside doesn't automatically translate into knowing how to plug them from the inside, and it certainly doesn't automatically translate into being able to communicate effectively and work as a member of a larger IT team.
Proud member of the Weirdo-American community.
No, wouldn't hire them. But then the scurvy dogs would just go make their own company, so what can ya do?
* Are they capable of staying after normal work hours every now and then to see to something getting finished? Oh, that kind of job. Sorry, despite what the above might lead one to imply, I do in fact have a life. Or at least, enough of a one not to waste it patching up someone else's mistakes.
Heh. Sucks to be you. You should try looking for a job you enjoy. When you find a job where you genuinely **want** to be there - the work is challenging and engaging and keeps you interested for 8+ hours a day - it is truly a joyful experience. Hope you find it someday. Until then work is just a job, not a career.
The questions I need answered are: Can they work with people? Can they dress well? Do they shower? Are they capable of staying after normal work hours every now and then to see to something getting finished? Are they sensitive to other people and their surroundings?
#1 on most employers' list is, "can I trust them?" Hence why zillions of employers, especially the Big Boys, conduct criminal and credit checks and personality tests; they're not as worried about team-player-ness as they are whether you're going to try and rape Tina from accounting after the company "holiday" party.
A "black hat" hacker thinks it is not only ethical and acceptable to violate numerous laws and break in to computer systems they have no permission to do so on...but they've DONE it, which means they'll have ZERO problems going places they're not supposed to be in your company.
That sounds somewhat trivial unless, say, you work at a bank. Banks and lots of other companies employ "Chinese walls" (for those that don't know: different divisions are intentionally 'firewalled' knowledge-wise to prevent conflict of interest.) A black hat that feels he/she has the right to traipse anywhere on the company file servers is a serious threat.
The real question is not "Are they mature?", but "Did they recognize and accept what they did was wrong, and will they do it again?" Another question is, "can they follow company procedures and policies, and industry regulations?" If they can't keep from violating serious federal statutes, how on earth can you trust them to follow a rule that says they shouldn't poke around in the accounting files?
I fully respect your right to be who you want to be. I really do. But no one is going to pay you for it. There aren't many jobs where you are just paid for doing things--usually what they want is a bit more nebulous, and involves "playing the game." You not being willing to do that doesn't reflect on your character in a definitive, existential way, but it will impact your income.
I don't know if what you say is true, but the evidence supports it. This explains why all police officers are able to lie with a straight face.
But I fail to see why the ability to lie makes someone better at law enforcement...
A) You broke into a system and made it say naughty things five years ago.
B) You broke into a system and clearly could have stolen a million dollars, but didn't, fifteen years ago.
C) You broke into a system and DID steal a million dollars, thirty years ago.
A) You're 25? Oh, the marketing guys are going to love having you in tech support. 35? I wouldn't put you in the mailroom, you childish twit.
B) Once the FBI confirms your prints and finishes chatting with everyone you've known since 1980, let's do lunch. We might have a corner office with your name on it...in about six months.
C) Security, please show this man the door and never let him back in.
No. And I'm tired of them. After fighting 3 pop-ups, that was it. Closed the browser and left.
Graham
Linux - Fast Pane Relief
Only if they were also good at nunchuck skills and bowhunting skills. Companies only want people who have great skills.
Personally I would not, because they are sociopaths and I am not.
However, if I was Enron or RJ Reynolds, I could find a good use for them.
Or hiring a bank-robber to manage a bank.
Or hiring an alcoholic to run a bar.
It can be done and you may be the better for it. BUT you'll have to constantly monitor the employee to make sure he doesn't backslide.
Recovering alcoholics CAN make excellent bartenders... they are less likely to steal as long as they stay on the wagon.
Pedophiles in recovery CAN make excellent day-care workers... they are less likely than Joe Average to molest kids as long as they take recovery seriously.
A former bank robber who is in some kind of accountability program is less likely than an average employee to rob or embezzle.
The kicker is very few of these people would actually want such jobs. Most would know they weren't strong enough to withstand such temptation. The few that can, however, would make excellent employees in any job, everything else being equal.
Yes, I'd hire a former black-hat hacker, but ONLY if
1) I was convinced he was sincere about turning around
2) he was either in an accountability program OR more than 10 years had passed since his last black-hat endeavor. Maybe fewer years if he quit in his teen years or early 20s.
3) I had the means to watch everything he did for the duration of his employment and then some
4) he brought a particular talent or other advantage that I couldn't easily find elsewhere
I think I have one more "witness protection program" move coming.
Controller Bob? Sorry, that just came out.
This issue is a bit more complicated than you think.
I mean seriously. If you were an evil hacker in a previous life, I don't care if you turned over a new leaf. Why would you let any employer find out you used to be a blackhat? If you've got such "skillz" I would think you could at least hide your past identity.
If you have a criminal record then you have a whole other set of problems. You'll never get a job at PayPal if you've been convicted of a felony. Hell, they won't even hire you if you have bad credit. A lot of big companies are the same way, especially if developers have access to financial software.
“Common sense is not so common.” — Voltaire
Sort of. I have a recent federal felony conviction for computer fraud. Yet I'm gainfully employed and do (non-security) work for some of the largest companies in the world. All because I've had great bosses and I've been able to prove myself before and after my conviction.
One of the CEOs I've worked for flat-out said that I was now the least likely guy in the company to pull anything, since I knew what I'd face and I know everyone is watching me.
I am BLACK HAT, and was hired several times by well funded tech companies - REALLY!
one time, as a principal computer scientist to crack DRM and online transaction systems, and design them.
another time, as a VERY high paid contractor for a few months to defend patents in DRM and successfully work around patents, and get client out of various civil suits, and create amazing tools (video card interceptors)
as for my black hat credentials. they are notoriously very black indeed and i deem not to divulge my countless experiences in this forum, (military, pentagon, att, nasa, mci, sprint, countless networks, numerous telcos, many osses, civil power plants (one nuclear), over 5 colleges, etc etc etc)
too bad no one browses anon 0 anymore (except me)
Yeah, that guy claiming to be a 'blackhat' and a reformed 'hacker' who just applied to your company? Merely a wanna-be. A byproduct of the media infatuation with 'hackers'. Hacking is about the innate curiosity of human kind. A driving need to explore and understand and tinker with all things. A true hacker will never claim to be such, and cares little for the label. Security and exploitation are just small parts of the world that real hackers wander through.
-SignalFreq-
..maybe. It depends on what type of blackhat hacker we're talking about. There may be hacker ethics, but every hacker will define these in their own way.
There will always be hackers that hack for their own profit and only care about covering their tracks, they believe the ability grants them the right, basically the 'predator ethos' (shared by so many managers out there as well *cough*HP*cough*). On the other side there are hackers that have deep convictions and use their ability to e.g. fight an oppressive government, that wages wars and makes the public believe it's for their own good; these are the idealists. And somewhere in between we'll find most of the hackers (including the disillusioned, cynical ones).
Whether they are suitable to serve as a gear in the machinery will be different from individual to individual.
And when you gaze long enough into the code, the code will also gaze into you.
by an influx of adolescents and twenty something college drop outs. Hackers and hacking have been hyped up and glamorized by the media for years. The dotcom crazy and subsequent bomb left a huge pool of unemployed semi-intelligent computer geeks with too much time on their hands. 'Hacker' means nothing anymore.
Those with the true hacker mentality--explore, discover, invent--have long since moved on to a new title.
they are required to pass a 300-question polygraph to make sure that they haven't committed any crimes in which they haven't gotten caught [...] Police know that if you've broken the law once, even if you weren't caught, then you're likely to break the law again.
The problem with this, of course, is that there are so many laws that *everybody* has broken *some* law (and gotten away with it).
Yes, if you've broken the law before you're likely to break the law again -- because everybody has, and everybody will.
Ofcourse it depends on the person, the person can not be a bad person at heart, but I'm all for hiring people with experience. Especially if I were a security company, I would opt for people who have worked in the field, and understand the workings of a criminal mind.
ugh...
Yes:
A guy who figured out how to get past some stupid piece of DRM-ware, and did some creative stuff just to test the waters when he was young. Only if I know him (or her?) well..
Casual DMCA violator...
No:
Phishers.
Script-Kiddies.
Anyone who caused actual financial damage, stole data, or broke trust that was given to him. (It's one thing to circumvent the school's computer workstation "policy" so you can pkzip your files before transferring them to your floppy. It's another thing to steal credit card numbers, send spam from work, etc.)
The second variety might be OK to contract for a "sandbox" situation where you're challenging them to break your code/machines. I would not let them inside the door of the company... [they might continue the 'challenge' after the contract is over...]
The key to keeping me from hacking the company's assets was to keep me busy.
So you basically confirm that once a blackhat, always a blackhat. Why should a company be bothered? You seem to assume, in your unlimited ubergeekness, that no one else but you possesses the incredible skills that you possess and can do the job that you do. And that's why I say you are full of sh**. You feel so much better than everyone else, that you also don't have any respect for other people. However, last time I looked, you hadn't saved the world yet, so guess what, in my eyes, you are not so uberhuman at all. You are just a mischievous little computer admin, for all I know.
Why would a company employ someone who is a ticking time bomb and at the slightest hint of dissatisfaction will turn against the company? It doesn't make sense to me.
As for that McDonalds comment, there was a story here on Slashdot (I think, I am too lazy to look for it) about a guy who worked for Taco Bell and had hacked the register to ring up everything at a penny when a certain keystroke was entered. He charged normal price and pocketed the difference. Hackers can get you anywhere.
This signature copied from somewhere.
For the Black Hat's own good, here are the answers and justification:
If I were a Bank I would say: NO.
If I were an IT OPS company like HP, Microsoft, Apple, etc., I would say: YES.
The reason is even if the Black Hat is really a good person and has behaved as a good person, any ID theft, or hacking into a Bank's computers would immediately make him the target of suspicion, even if he really had nothing to do with it.
Banks are paranoid about losing money anonymously, and they can make or break anyone's career with a slight twist of hand. I would NOT want a former black hat who has recently reformed to fall under a cloud of suspicion and break his own career for the final time.
Secondly, although a long shot, hackers can mask their attack based on the old hacker's signature moves and move the suspicion to the old former guy. And if I were a Bank, I would certainly believe them, instead of my new hire.
Also, banks tend to call in the Feds, who invariably would target this poor former hacker unnecessarily....
All this complicates things for him and now instead of helping the Bank trap its attackers, he himself is under fire and spending effort to defend himself from unnecessary attention by Feds [believe me, the Feds are the last thing you want on your tail: they are tenacious like a Bull terrier, only worse].
Banks earn their money from customers' gullibility. Hence the role of an IT guy is second-class citizen at best.
IT companies are staffed with IT guys all around and IT geeks are first-class citizens. Hence a former black hat would command more respect.
That said, it is ultimately up to the Black Hat and circumstances, and Luck plays a large part in his rehabilitation.
Even if he were to work for 10 years at an IT shop and be an award winning employee every other year, if the recent attack/hack had his old signature (even if forged), it would put him directly in the trench along with other hackers and expose him to fire.
All the years of goodwill, awards, friendships WILL melt like butter, and you would again be all alone, fighting for your rights, your respect, and your life.
Society always treats an ex-criminal as a criminal even if he is reformed.
"Doing what i can, with what i have." ~ Burt Gummer
What is this of ex-blackhats... there is no ex- thing here. This is not a fraternity or sorority; when you are a black hat you wear it till the day you pop liolies in the underground... But whatever I do or did in my most active years is to my knowledge only; to share this with other people would be putting a big enclosure around me. I don't think Blackhatting is like being a sex offender, god no... But whatever I do, I use it for my professional advantage against the text book MIT WoW playing "Hackers" of today. I am old school and the reason I keep myself in shape is that regardless what I say or write in here, no one really knows for sure what I am.
I'm a blackhat who's been working the security space for over 10 years now. My employers only know about my work experience. I think that what I did prior to that doesn't concern them, but I use it to keep up with everything, which makes 'em wonder why I'm very good at my job. They do know that I'm passionate about security enforced towards technology, and to them that's all that matters.
We black hats do it for passion, the thrill of the moment... our drug is technology and our high is to keep doing it..., white hats do it because it's cool.
Everyone knows hackers... It's the greatest of them that remain unknown...
There is a high degree of risk in hiring anyone with a criminal background, regardless of the position. Employers need to be able to trust that person. A man convicted of rape would be the last person to work at the YWCA, so why would you expect that a person convicted of a computer crime be the first pick for a job working with computers and security?
A slip of the foot you may soon recover, but a slip of the tongue you may never get over. -Benjamin Franklin
"I tell them I used to do "security consultation for companies" in the pre-dotcom days. I never get questioned.....I walked into my last job interview and wrote a sendmail ruleset....At 22 it landed me a project management position
PHB to Dilbert: "The kid is cheaper and more experienced than you, he's been writing rootkits since the day he was born!!!"
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
There's an excellent post just below here asking the question, "how black is black?" This is a key point--if the person in question did some things which might be illegal but shouldn't be (i.e. writing code to hack DVD encryption a la "DVD Jon"), then it's not that big of a deal. However, if this person did something that would have, in its day, hurt my company or something like it, then screw 'em. I don't need possibly reformed criminals.
The myth of the black-hat is becoming almost a cult belief. Black hats are amazing hackers, who think differently than the rest of the world, can penetrate incredibly secure systems with ease, and have mad skillz that normal humans can't achieve. On this I call bullshit. Anyone can learn to become a script kiddy, and the few who actually create new hacks don't often do anything extraordinary; they're just vandals who happen to be amateur programmers.
I sat down with a security consultant yesterday. The guy has been doing this for ten years. He gets paid a healthy sum to audit systems and make recommendations, and occasionally will get hired by a company to hack their own systems. He's very good at it. He follows the underground conversations, he keeps up on the latest exploits, and most importantly, he practices. He can think like a hacker, hack like a felon, but only goes after machines with the owners' approval. There are good security consultants, and they don't have to be criminals--in fact, the mindset and skillset of the hacker isn't necessarily the same as that of a security consultant. They're complementary, but not identical.
So no, I won't hire black hats. There are enough skilled and capable people out there to do the job that I'm not reduced to supporting reformed (maybe!) criminals in their former habits.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
You can use that computer over there in the corner. We have a lot of boring work to do. No deadlines, as long as it gets done. Don't worry about your clothes or smell, nobody is going to remember you anyway. You don't have to come to meetings either.
When work isn't finished after normal hours you can go home, we'll finish it. You worked hard all day, while we wasted time with vapid conversations on several occasions. We enjoyed work today, now you can go home and enjoy your life.
It's a bit unfortunate that when we were chatting about our holidays you weren't there. Somehow the topic changed to the new job opening. You would probably have liked that position, but we were not sure. We don't really know you. Besides, you're good at your current job, so it's probably best if you keep doing that.
Seems to me there are two issues:
1. How confident are you that you understand the black hat's motivations? Unfortunately, "inquisitiveness" is only one possible motivation. There's "destructiveness" to consider and there are possible "entrepreneurial" motivations for selling your secrets. That's 2 to 1 right there suggesting the guy might be more trouble than an asset.
2. Does your organization value criticism? With a graduate philosophy degree I'm trained to be inherently reactive and pick apart flaws in other people's proposals. An organization that wants "yes men" and "total enthusiasm" wouldn't value me. The black hat is in the same situation. Would upper management value and support someone who is an active critic rooting about in their IT setup? It is a fair bet IT middle management wouldn't.
Many of these kids suffer from a major personality disorder - usually NPD or BPD. (Just look at all the posturing on these pages.) They're technicians of genius but utter strangers to discipline and nearly impossible to focus. Get a complete psych profile done before you take one on.
This isn't a black and white answer since, given the proper circumstances, one can always find exceptions to principles. Would you hire a convicted felon as a babysitter? Would you hire an illegal immigrant to cut your lawn? If during an interview, the hacker was able to convince me he was reformed--and he definitely had good Kung Fu, I'd possibly consider hiring him. But it's very, very, unlikely that I would ever TRUST him.
This brings up a off-topic question of interest to me:
Do you think it's a good idea for an older developer to wear a suit to an interview, or do you think it just emphasizes the fact that he's not of the same generation as most of the existing staff?
Of course they do, publicly. To do anything other than condemn those who break the rules would send the message to the sheep that not only is it okay to break the rules, but doing so will make you worth more to your employer than you would be if you did everything the approved way. The corporate world relies on drones, not autonomous beings. They pay the autonomous beings to ensure that the drone culture keeps functioning.
It's not easy finding qualified employees with felony fraud convictions, you know.
I would be intensely suspicious of anyone with a background that suggested they didn't have a problem stealing or harming strangers. Of course youthful indiscretions can be forgiven, but if someone has demonstrated, as an adult, that they don't know right from wrong (or care) I don't want them working for me. Oh yeah, I've been CTO of a couple of public companies etc. Rick
Hacking someone can and does in fact teach you how to administratively remove a security hole, especially by showing one where the hole is.
Analogy: Failed.
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com
I was a former black hat who got lucky - I broke into my School board's mainframe when I was 13 years old and racked up a $11,000 phone bill for them by downloading C64 games (yes this was a LONG time ago) from around the world via their system. In the end, I got caught and the only reason I didn't get prosecuted was because the receptionist of the prosecutor for the school board was my brother's fiancée's mother - how lucky is that? Instead, when I was 15, I ended up going to school 1/2 of the year and working for the school board the other 1/2. I was teaching educators how to use technology in the classroom, taught gifted children how to make interactive kiosks, and wrote 18 educational software applications based on my mentor's ideas - one of which has just passed $100,000,000 in sales (too bad I didn't understand the word royalties back then). Anyways, my point is I know I was very lucky and things could have turned out a lot worse (some say I have a horseshoe up my arse, others say it's the whole horse) but seriously, in my opinion former black hats are at the cutting edge of technology; their abilities have proven them as people who are innovators - and I respect that. As you all know, the majority of black hats are really just explorers out to do no harm. Give them an opportunity to do the same thing legitimately and I think you'll be surprised at what they can accomplish. But here's my real point - if you're a former black hat looking for a job, don't tell the employer about it! For the most part, unless you have a criminal record, there is no way for them to know. Then you can joke about it 6-12 months after you've been hired when they know you're a solid individual. Now I'm a senior software producer who hires developers from all around the world; I personally wouldn't care what the person's background was re: being a black hat as long as they delivered.
Nowadays I'll let the younger generation do the hacking as they usually just get a slap on the wrist when caught. As for me, as an "adult", I don't do it anymore as I don't want to end up in Jail with a big boyfriend named Rocky thank you very much. S.
Tigers don't change their stripes. If the "former" Black Hat was happy to screw people in the past, he/she won't have a problem screwing you later.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
Any black hat that's not just a script kiddie is NOT going to let on to anyone what they used to do for this very reason. They're going to fly as much under the radar as they can to get anywhere professionally. You'd have to be plain stupid to make light of the fact that you used to do illegal things, which would prevent you from even getting an initial interview anywhere.
If a black hat wanted to use their skills professionally, the best way to do so would be to pick up a veneer of legitimacy in the field of information security. A system admin worth his or her salt should know at least something about information security, hardening, and the like. It'd be trivial for a black hat to say "I've been studying infosec lately, taking classes, and I'm going for $SECURITY_CERT. That's how I know this."
Even the body of all people who are CISSPs (the system of ethics of which are theoretically supposed to weed out past and present black hats) has its share of black hats. Just get a couple of CISSPs drunk and watch the war stories start coming out...