Would You Hire a Former Black Hat?

Mark Zenson asks: "Understanding the mindset of a hacker and the likes of one may be useful to counter security attacks, but apparently companies still object to hiring former, or even reformed, black hats." The article asks this question of several executives in the industry and for various reasons, many of them were skeptical to the idea of hiring such people. Would you give black hats a second chance if you were in their position?

It All Depends on Their Maturity

[eldavojohn]

Would You Hire a Former Black Hat?

Depends, if I'm a manager at McDonald's, you bet your ass I'd hire him. Anti-social nerds make the best french fries.

But on a more serious note, I would hire anybody as long as they have the right personality. That's right, I've seen it happen too. People who don't know anything about computers are working in corporate America as programmers. They are one trick ponies and it would take me a few minutes to show others how to do that one trick. The questions I need answered are:

• Can they work with people?
• Can they dress well?
• Do they shower?
• Are they capable of staying after normal work hours every now and then to see to something getting finished?
• Are they sensitive to other people and their surroundings?

If you answered "yes" to all these questions, you too are a potential "team member." In any business. Degrees help but are not required.

Judging by the stereotypical picture of a black hat that the media has given the public, I would guess they wouldn't pass the first bullet above. Judging by the few that I know, they are risks but at some point straightened up and are valuable employees to their companies. You just need to assess whether or not they've figured out that a steady source of income is way more rewarding than having "VIODENTIA RULEZ #1" spray painted on the RIAA's website once a year. And that "selling out" isn't really "selling out" but devoting some of your time to a large project in order to better your circumstances the rest of the time. If they're past that point, then you've got a potential for a great employee.

What's unfortunate for black hats is that there is a wealth of solid programmers from America, India and Russia (if they can make it here) who are more than willing to do anything. On top of that, they have no criminal background. So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

Re:It All Depends on Their Maturity

[networkBoy]

I was about so say something similar, but instead I will expound on your post.
I am a former "black hat" as the media would portray it. While I never did anything knowingly illegal for profit, I do/did hack systems for entertainment.

I was employed by a small company where I rapidly rose to the position of being a network admin for a lab that dealt with ethernet equipment and components. Some of our gear was capable of generating arbatrary data frames (sourse/desti IP & MAC address, any length up to 20Kbyte (1518 IEEE spec is 1518 Byte), any interframe gap down to ~4nS (spec 9.6nS)). So to say that the network took a punishing when some dimwhit plugged the test side of the gear into the support network is a gross understatement (said support network was directly connected to the corp net, which went down when this happened).

I was given a budget of a few tens of grand, a spare Cat7K router, and told to "make it work" so I did. I got to hack my self silly doing that job and maintaining the network. Just before we were sold, that lab had ~400 nodes of well mixed clients with hostile traffic patterns and I was able to maintain connectivity.

The key to keeping me from hacking the companies assets was to keep me busy. Safe to say I bet the same goes for any others of my ilk.
In my new company I have the Hacker creedo up on my office door. Just took the hacker creedo label off it. Everyone thinks it's the best statement since sliced bread. They're blown away when I tell them what it is. My management knows I'm a hacker, my peers know I'm a hacker. My IT department is less than loving of me (as I've modified thier standard windows build to suit my needs) but the know I'm a hacker and they tend to let me be.

Basically it all boils down to the following fact: I presented that I'm a hacker in my interview. I presented samples of my work. I was hired. This in a company of ~80K employees. My bosses-bosses-bosses-boss knows me by name. When we have a really sticky technological customer issue, I seemed to get tapped fairly predictably. From manually re-balling a 72 ball BGA part to hacking a mouse such that when an LED on a customer design turns on the logic analyzer will arm, I do it all. My best asset is my inner hacker.

-nB

Re:It All Depends on Their Maturity

[Vicissidude]

Exactly. Law enforcement has asked the same question since the time of the first criminal and the first sheriff: Can you trust a former crook to enforce the law?

In law enforcement, they came to the conclusion long ago that the answer is no . Besides all the other qualifications for a police officer, they can't have a criminal record. In fact, they are required to pass a 300-question polygraph to make sure that they haven't committed any crimes in which they haven't gotten caught. Further, if a candidate fails a polygraph, the police can investigate and decide to press charges or just blackball you from any chance you have at getting a job with any other police agency.

That happened to one of my friends who applied for a police officer position here. His offense? As a 18-year-old high school senior, he dated and had sex with a 14-year-old female freshman. It was completely consensual, but the police investigated him for statutory rape. Because of that, he was blackballed, he would never become a policeman, and his 2 years of police academy were completely wasted.

Police know that if you've broken the law once, even if you weren't caught, then you're likely to break the law again. OR, like the case of my friend, you're not likely to enforce the laws that you broke. (In his case, the statutory rape law.)

It's the same thing with these black-hat hackers. I wouldn't trust them in top positions in security related IT jobs or in less-sensitive general business jobs.

Re:It All Depends on Their Maturity

[thrashaholic]

It should go both ways, if a cop breaks the law (almost every beat cop breaks the law daily, I assure you), they should never be allowed to work in law enforcement again.

Most times, however, they are reprimanded and sent on their merry way. Hell, breaking the law is all part of the job for most cops. Illegal searches, illegal profiling, illegal traffic manuevers, illegal harrasment, etc..when's the last time you saw a patrol vehicle doing the speed limit, or setting up a speed trap?

(Of course, I'm of the frame of mind that if a cop so much as litters they should be fired, no excuses.)

It's the same thing with these black-hat hackers. I wouldn't trust them in top positions in security related IT jobs or in less-sensitive general business jobs.

That's a pretty harsh attitude, considering that most of these CxO's also constantly break laws.

I wouldn't trust them in top level positions off the bat, but I don't think breaking some stupid DMCA-like law when you were 15 should preclude you from getting a general business job in your 20s. I mean, everyone's stolen something in their life time, admit it or not. Should nobody be allowed to work?

Re:It All Depends on Their Maturity

[msuzio]

Exactly. The parent opinion is, in all seriousness, completely absurd. Get with the program, buddy, that's not how it actually works.

I'm at a stellar company, one of the best in its field. So good, in fact, that next month we're due to be acquired by one of the largest corporations in the world, because they want what we can deliver. Yippee for us, I know, but it still points out: we're not a bunch of moronic slackers.

I look around me at my fellow workers, all of whom bust their asses day in and day out to get the job done. I see plenty of the above marks of "offense". Somehow, we manage to be competant, well-mannered, hard-working people. Who just happen to (in many cases) be wearing Jeans, t-shirts, and have tattoos/piercings.

Maybe I'm just offended because right now, I've got all of the above. The whole wardrobe is black. My cube might have action figures and big pile of "alternative" music CDs in it. Oh, and I shave my head. Some people might think I'm a bit strange, although I myself think I'm relatively mild overall.

Regardless, I'm also among the absolute best programmers you will ever find. Seriously. It's 8pm, I've been here since 9am, and I'm not going to leave tonight until this particular bug is squashed. I'm dedicated, smart, and I love my job. Also, when I'm not here, I sometimes put on a suit and teach motivational speaking and personal growth courses. I blend in as well in that venue as I do when I'm out at the local bar filled with people in fetish gear and sporting more piercings in them than Custer on his worst day. The first impression in any of these places doesn't convey the totality of who I am, and most people who are open-minded enough to get to know me realize I've got a lot to offer.

So, sorry, buddy. I can find people who wear nice suits at any business school. Good programmers, who work their asses off and love it? Not so easy to find, and so long as they are willing to be a team player, they're a welcome addition to the crew.

Re:It All Depends on Their Maturity

[Wiseleo]

I make no secret that I can make a compelling presentation on the subject of security and exploiting vulnerabilities with no preparation at any time of the day or night.

My clients know that when they need something done, I'll find a way to get it done for them. Data mining is a frequent request that deals with modifying underlying queries on public websites. I contact the data source, ask them if there are any limits on how their data can be accessed. Typically they have none. Good for the client who winds up saving 100s of hours of manual labor with my tricks. Another frequent request is making machines that were not designed for it talk to each other, which yields combined functionality of equipment that costs an order of magnitude more. They also know that when debugging an obscure problem, I have no problem reading register dumps and locating offending files and that this I did not learn that in school.

I have theoretical knowledge that could be used for nefarious purposes in practice quite easily, but my ethics standards prevent me from doing anything stupid. Besides, it is more fun to be paid to catch blackhats who are unfortunate enough to wonder into my domain.

Re:It All Depends on Their Maturity

[dknj]

I have theoretical knowledge that could be used for nefarious purposes in practice quite easily, but my ethics standards prevent me from doing anything stupid. Besides, it is more fun to be paid to catch blackhats who are unfortunate enough to wonder into my domain.

erm. what's stopping you from doing it? They may have nefarious uses in nature, but they also have some wildly fun practical applications. My favorite is an app I wrote recently that will randomly take all the letters in the current Word or notepad window and make them start dancing around the screen. The faces of my victims are priceless. Its even better when their computer gets "hacked" and I never touched it (USB drive social engineering anyone? :). Or taking over an array of computers to play a sound chopped into 100ms blocks (i miss sun boxes coming with built in audio).

I wouldn't take these apps to work, nor would I broadcast my knowledge to potential clients*.. I would just say I have extensive knowledge of black hat techniques. If they ask, I tell them I used to do "security consultation for companies" in the pre-dotcom days. I never get questioned beyond that. ;)

Why?
It all started Some 13+ years ago, I wrote a "virus" that prenteded to erase my mom's computer. She was extremely upset at the thought of losing all of her data, but being able to turn her anger into racuous laughter was priceless.

* - there are better ways to do this without painting a picture of distrust around you. For instance, I walked into my last job interview and wrote a sendmail ruleset to block an annoying spam problem my interviewer had almost entirely from the top of my head. At 22 it landed me a project management position.. i don't think i would have made it if i said (and/or demonstrated) "i can write a near undetectable rootkit" :-)

So dont tell them

[ninja_assault_kitten]

I'm an ex-blackhat who's been working the security space for over 10 years now. My employers only know about my work experience; nothing prior to that. I'm very good at my job, I'm passionate about security, that's all that matters. As long as you're a blackhat who doesn't have a criminal record, you'll likely get a lot more value out of them than a cert crazy white hat who got into security cuz it's "cool".

Re:So dont tell them

[crashelite]

i would have to say any black hat is about 10K times more qualified then most white hats dew to the fact that black hats will have more experince. why you may ask? because the go where there not suppose to DUH! a white hat is limited to the variables they set up and are able to access, black hates can access any variables because they are not limited by the light only by their will and how protected they think they are from gettin caught, inet cafe with cd or flash bootable version of (insert OS here most would be linux) on a terminal and no cameras in the cafe then there pretty secure, as long as no one notices, but home computer with no firewall no proxy nothing at all just directly attackin a NSA server, then that is where we call it just plain stupid...

Re:So dont tell them

[ninja_assault_kitten]

well put.

Re:So dont tell them

[cerberusss]

Indeed, well put! So, do I get modded "interesting" too?

I might not...

I might not hire a former BlackHat. However, Microsoft did when they hired me. Not quite as black as many hats out there these days, not making bot nets and selling them, or forming open FTP servers for all sorts of horrible stuff, but discovering vulnerabilities and sending them to folks other than the makers of the product.

Blackhats aren't all shut-ins, as one comment on this thread already posted. The trick is finding those who went blackhat because it was more fun, and had more chances to dig deper into things than going whitehat would have.

Now, how sad would it be if I forgot to check to post AC?

Article has a good analogy

[brunes69]

Ducklin said: "Let's say that you're shot during a mugging [incident]. As you drift into unconsciousness, would you find yourself saying 'Gosh, I hope the surgeon who operates on me used to be a street criminal because he must really understand gunshot wounds well if he actually shot the people?' You wouldn't think that."

Agree 100%.

Well...

[jellomizer]

The real question is are Black Hat Hackers worth the potential risk (shown by their history). Being a Black Hat hacker doesn't mean you are any good at computers or security. Being labeled as a Black Hat Hacker means you were some Jerk Script Kiddy, who downloaded some scripts and took control of systems that they know is vulnerable. There are a lot fewer Black Hat hackers who are actually good at what they do. The Gray or White Hat hackers those are the ones you want to focus more on. They are more interested in breaking security to make it tighter, or for the Gray Hats make the tools for the Black Hats. Black Hacks will use what ever method is available to break in and cause damage. So if they are Reformed are they really that smart or just smart enough to type in some code word in 1337 speak, and there is a site where they can get some script. Vs. someone who know why the script works and what needs to be done to stop it.

Re:Script kiddie vs Hacker

[jjohnson]

This is a good point--how many people fairly labelled as blackhats are real hackers in the best sense of the word, vs. getting caught at something stupid and easily downloaded from a l33t site?

In fact, if someone was actually a blackhat, it would tend to count against them in my mind as a capable hacker because it implies that they got caught.

Would You Hire a Former Black Hat????/

[really?]

Well, it would depend, wouldn't it.

In no particular order:
How do you know the "hat status" of a potential employee?
What does the law say in the jurisdiction you're in?
Are there other "hat free" candidates with the same skills?
Are you willing to take the risk?
Are there any benefits to the available position that the former "black hat" status offers? (Think, for example, of a truly reformed virus writer who still has contacts in the underground, but, who is now applying for a position in an antivirus company.)

sucks to be you i guess...

[everphilski]

* Are they capable of staying after normal work hours every now and then to see to something getting finished? Oh, that kind of job. Sorry, despite what the above might lead one to imply, I do in fact have a life. Or at least, enough of a one not to waste it patching up someone elses mistakes.

Heh. Sucks to be you. You should try looking for a job you enjoy. When you find a job where you genuinely **want** to be there - the work is challenging and engaging and keeps you interested for 8+ hours a day - it is truly a joyful experiance. Hope you find it someday. Until then work is just a job, not a career.

Re:Clear answer

[senatorpjt]

I can't see a blackhat even wanting to be an admin. If you already have access, it's boring.