Would You Hire a Former Black Hat?
Mark Zenson asks: "Understanding the mindset of a hacker and the likes of one may be useful to counter security attacks, but apparently companies still object to hiring former, or even reformed, black hats."
The article asks this question of several executives in the industry, and for various reasons many of them were skeptical of the idea of hiring such people. Would you give black hats a second chance if you were in their position?
But on a more serious note, I would hire anybody as long as they have the right personality. That's right, I've seen it happen too. People who don't know anything about computers are working in corporate America as programmers. They are one trick ponies and it would take me a few minutes to show others how to do that one trick. The questions I need answered are:
- Can they work with people?
- Can they dress well?
- Do they shower?
- Are they capable of staying after normal work hours every now and then to see to something getting finished?
- Are they sensitive to other people and their surroundings?
If you answered "yes" to all these questions, you too are a potential "team member." In any business. Degrees help but are not required.

Judging by the stereotypical picture of a black hat that the media has given the public, I would guess they wouldn't pass the first bullet above. Judging by the few that I know, they are risks but at some point straightened up and are valuable employees to their companies. You just need to assess whether or not they've figured out that a steady source of income is way more rewarding than having "VIODENTIA RULEZ #1" spray painted on the RIAA's website once a year. And that "selling out" isn't really "selling out" but devoting some of your time to a large project in order to better your circumstances the rest of the time. If they're past that point, then you've got a potential for a great employee.
What's unfortunate for black hats is that there is a wealth of solid programmers from America, India and Russia (if they can make it here) who are more than willing to do anything. On top of that, they have no criminal background. So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.
My work here is dung.
How do you respond to a job offer as a black hat? I wonder what the NDA looks like.
What self-respecting blackhat would admit to being one in a job interview?
Trust is hard to rebuild after others lose their trust in you.
I'm an ex-blackhat who's been working the security space for over 10 years now. My employers only know about my work experience; nothing prior to that. I'm very good at my job, I'm passionate about security, that's all that matters. As long as you're a blackhat who doesn't have a criminal record, you'll likely get a lot more value out of them than a cert crazy white hat who got into security cuz it's "cool".
If I worked at Hewlett-Packard.
we will end no whine before its time
Would you give black hats a second chance if you were in their position?
It depends on the job they were applying for. Someone who has proven their ability to ignore the law in the past can no longer be trusted in a position of responsibility, therefore I wouldn't give them a job in any role that required any amount of access to business critical systems or information. I might be willing to hire one as a code monkey to churn out boring stuff that could easily be audited, but even then only if there were no other suitable applicants.
It sounds harsh, but my job, and the jobs of my colleagues, are more important than giving someone else a break.
http://twitter.com/onion2k
How hard is it to hire similarly qualified people who *weren't* blackhats? If the only difference between two candidates is that one has a felony record, it's not a hard decision to make. While it may look to the blackhat like it was solely his record that prevented him from getting the job, it's really the fact that he's not that rare a commodity.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
Takes one to know one, I suppose. Looking at what Frank Abagnale did to improve security against bank fraud, I'm sure that a 'black hat' turned good could be of some use to a company.
If their "black hat" days occurred when they were 16 and curious, what's the problem? If it was after High School, I doubt it.
If the company is going to be ripped off, it will probably start in the boardroom as upper management are granted perks that they shouldn't have. One company I worked for is on the road to bankruptcy but the company is still paying for the CEO's $200K/year New York City apartment. This is the same management that banned free soda when they figured out that employees were taking a can or two home. Go figure.
The situation is analogous to hiring a former embezzler as an accountant, and the answer is always, "It depends." The burden is on the former black hat to establish credibility and trustworthiness. The potential employer also needs to be aware of scenarios where the former black hat can still be a valuable, contributing employee.
I might not hire a former BlackHat. However, Microsoft did when they hired me. Not quite as black as many hats out there these days, not making bot nets and selling them, or forming open FTP servers for all sorts of horrible stuff, but discovering vulnerabilities and sending them to folks other than the makers of the product.
Blackhats aren't all shut-ins, as one comment on this thread already posted. The trick is finding those who went blackhat because it was more fun, and had more chances to dig deeper into things than going whitehat would have.
Now, how sad would it be if I forgot to check to post AC?

Back in the day when networks were new and few people had the in-depth understanding of what was still an arcane field, the recruiting of a blackhat made a lot of sense for trying to make more robust security solutions. But now, we have hundreds of thousands of qualified people and many IT Professionals are highly trained in the area of Network Security. And the blackhats these days by and large are either worm authors/botnet controllers or crackers who use scripted 'sploits to ply their trade. So no, I see no need for the Corporate Enterprise to open itself up to the liability it would face in the event of the "reformed" blackhat deciding to "play around" a little bit with employee data. There's already been enough fallout over loss of customer data and security concerns. Knowingly hiring a convicted felon to entrust that data to would only serve to fuel lawsuits in the event a security breach did take place.
If a blackhat is skilled and "reformed" and truly interested in security, they can offer their services as an outside consultant.
Or perhaps the Military could make use of knowledgeable blackhats putting them on the front lines of electronic warfare.
But I agree that in the workplace they should be treated as any other convict when applying for a position.
Ducklin said: "Let's say that you're shot during a mugging [incident]. As you drift into unconsciousness, would you find yourself saying 'Gosh, I hope the surgeon who operates on me used to be a street criminal because he must really understand gunshot wounds well if he actually shot the people?' You wouldn't think that."
Agree 100%.
First of all, I've never heard of any of these interviewees. Have they done anything of note in security? I am committing a logical fallacy in asking this, but they don't carry any water in my security oriented meritocracy. As far as conferences go - I'd like to see a comparison of skillsets between attendees for say Defcon and Blackhat, excluding people attending both. I'll wager the Defcon crowd will win out anyways (not that defcon attendance = hacker, but it does mean more so than blackhat).
I'd much rather have a reformed blackhat on my team, than a white-hat. Simply judging from the people I've known in the industry, the people pushing the envelope have the greater skills and tend to have at least some illegal behaviour in the past.
Thinking as an attacker is a skill that requires cultivation too. You don't get this from Joe Software developer.
The real question is: are Black Hat Hackers worth the potential risk (shown by their history)? Being a Black Hat hacker doesn't mean you are any good at computers or security. Being labeled as a Black Hat Hacker means you were some Jerk Script Kiddy, who downloaded some scripts and took control of systems that they knew were vulnerable. There are a lot fewer Black Hat hackers who are actually good at what they do. The Gray or White Hat hackers are the ones you want to focus more on. They are more interested in breaking security to make it tighter, or, for the Gray Hats, make the tools for the Black Hats. Black Hats will use whatever method is available to break in and cause damage. So if they are Reformed, are they really that smart or just smart enough to type in some code word in 1337 speak, and there is a site where they can get some script? Vs. someone who knows why the script works and what needs to be done to stop it.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I'd hire a "contracting" company that had their services to offer, but I wouldn't want to put them on my actual direct payroll. I'd always worry that they were collecting info on me off my system to use for the future. The less tech. savvy a manager is, I'd bet the more that they'd want to cover their butts, just in case of that. I would use them for corporate IT theft on other companies, but would always worry about how defended my own company is.
Would you hire a former jewelry thief to guard your jewelry store? Giving him full access to your security system and allowing him to be in alone at night?
You can never be sure someone is reformed; you only know when they fall back to their old ways, assuming you catch them.
Part of this is because of the ideological mindset; the ones who claim they did it all as a game still often think it's fun, and they seem to lack the subconscious barriers to antisocial behavior that normally tell people that it's destructive behavior. They may "go legit," but how do sociopaths grow ethical and/or moral senses?
These people still like manipulating people through different levels of social engineering. What says people like this won't just try to find other ways to screw with things or people, but in legal ways? What about those egos? Who really wants that in an organization?
If I were going to consider any former black hats at all, it would be those who did things like make spyware on contract in Eastern Europe, in order to feed their families, or something similar. I'd still be leery, but they at least have a situation of duress to claim. If I'm satisfied that they otherwise meet the profile of people I like to hire, I'd just have to worry that they feel rewarded enough that they can take care of their families. But I'd have that worry about all my employees.
I probably wouldn't. They are a liability. What happens if they get pissed during a meeting? What if the company is downsizing and they get laid off?
Not only that, but also what they were doing during their "black hat" phase.
Running scripts you've downloaded to scan for default passwords on websites so you can post that you've "pwn3d" their site
On the other hand, knowing enough about TCP/IP to crack servers with an injection routine that you've written
Script kiddies are a dime a dozen. And their "knowledge" is just about useless in the corporate world. What else do you have that's better than I can find elsewhere without the issue of your past behaviour?
The same with social engineering attacks (unless you're hired by HP to investigate leaks).
Real hackers, on the other hand, are extremely valuable not only for the technical skills they've built up, but also because they're driven by problem solving and they are more than happy to get down to the metal.
Well, it would depend, wouldn't it.
In no particular order:
How do you know the "hat status" of a potential employee?
What does the law say in the jurisdiction you're in?
Are there other "hat free" candidates with the same skills?
Are you willing to take the risk?
Are there any benefits to the available position that the former "black hat" status offers? (Think, for example, of a truly reformed virus writer who still has contacts in the underground, but, who is now applying for a position in an antivirus company.)
"Consistency is contrary to nature, contrary to life. The only completely consistent people are the dead." A. Huxley
Ethics: in spite of being a 'black hat' it is still possible for someone to be otherwise ethical. On the other hand, it isn't very likely.
The guy that spends his time concentrating on the 'how' of the hack, without much regard for the effect of the hack is more ethical than the guy performing the hack to steal credit card numbers.
One could potentially be a maturity issue, the other is intentionally criminal.
I could never trust someone who spent a few years stealing & using credit card numbers.
Someone I know was caught stealing cars, he was forced to pay restitution and has spent years being responsible. I like the guy, and he has a trusted position at a company; but it is only because you can see he has changed, he didn't stop doing it because it wasn't profitable any more.
Would you give black hats a second chance if you were in their position?
Barring any severe self-esteem issues, if I were a black hat, of course I would give myself a second chance.
Grammar, people, GRAMMAR!
https://www.accountkiller.com/removal-requested
Or to use the doctor analogy... If you were drifting off into unconsciousness and, through some absurd set of circumstances, you had a choice of the doctor that was going to treat you, would you prefer a doc who did "off the record" treatment of gunshot wounds for criminals (which would likely mean he used his skills illegally), or would you prefer a "legitimate" doc who has never actually removed a gunshot wound yet but has never used his skills illegally? I know who I'd prefer.
But that's one fringe case. All things being equal, I would lean towards the guy without the shady background as I'm sure most would.
"Our morality is good, theirs is repressive."- Partisanship Rule #3
.. I do have some painting and yard work that needs doing.. What do they charge?
God Be Gone
The term "black hat" can cover a lot of ground. In my mind, there's a big difference between someone who got in trouble for snooping around the university's network for the sake of curiosity and someone who attached a keygen trojan to something and put it out on the internet for the purpose of stealing credit card numbers. There's also a difference between someone who DoS'ed their school's webpage in high school and someone who DoS'ed their employer's webpage when they were 25.
//Would you hire a multiple-time burglar to protect your home? //Sometimes it's best to trust the home-security companies, regardless of whether or not their employees have ever broken into a house.
Here's another thing to think about too... The only reason to hire a black hat over someone else would be that you know they have some experience in hacking. However, there are many people who have the same experience and never did anything illegal. Basically, you're sacrificing a varying amount of ethics in exchange for a guaranteed amount of skill. Also, in many cases, the skill that a black hat has proven is directly proportional to the ethics that he has disproven. That is, if you know enough of a hacker's exploits to know that he is very skilled, you also know that he has broken the law a sufficient number of times to prove it to you.
In all, I would say that hiring a black hat would be case-by-case for me. Someone who is a black hat because of a harmless, but illegal, mistake may pique my interest because of his proven ability to learn independently. Someone who hacked a private network years ago, but has since proven to be a responsible person, may end up being a skilled employee and worth a second chance. But, to me, someone who committed repeated damaging, malicious acts online is no better than someone who committed repeated damaging, malicious acts in real life, and they would not be worth the risk, regardless of skill.
I would not hire a former thief in a supermarket as a detective
I would not hire somebody who took money from his employer in a bank
I would not hire a former drug addict as a salesperson in a pharmacy
I would not hire a former pedophile in an elementary school
I would not hire a murderer as a social worker
So - no I would not hire somebody who fell one time to some temptation in a job where he is tempted each day.
A Blackhat as a programmer - maybe; as an administrator - no.
If the Black Hat was any good at all, you would have no way of knowing he was (or is) a black hat.
But if someone with a criminal record for cybercrime applied, there is NO WAY an informed manager would hire him. If he breaks the laws again, someone could go after you personally for negligence.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Lots of people do dumb things in their youth. Just evaluate the person as they currently are. There are certainly circumstances that would be hard to overlook for certain positions, but to forever eliminate from consideration anyone who ever did anything illegal with a computer seems a bit nuts. Would you refuse to hire someone that got caught shoplifting as a kid? What percentage of your coworkers did something dumb as a kid, whether they got caught or not?
if they're a really good black-hat, you'll never know about them will you?
http://geminisecurity.com/job.html
I'm not opposed in principle to hiring a former Black Hat. It still needs to be the right person for the job, and I still need to trust them. I have to get a real good feeling about the person to start off with, and the possibilities are endless.
Check out our infosecurity industry blog: http://securitymusings.com/
Don't be alarmed, there are a lot of idiots in leading positions in large companies, just as there are many idiots born into affluence a.k.a. Venture Capitalists.
First, Paul has attempted to apply traditional business philosophies and the illusion of value to that of Open Source development. "[hackers] don't have to support their product [or] be absolutely reliable", is one hint. The illusion of "support"... well, I paid 15,000 (USD) for this SunFire server... called up Sun Microsystems and I have to pay 125 dollars for a valid account just to access their knowledge database.... support my ass. Or, call up Microsoft, and watch as you're told (after the 10-20 dollars you have to pay to talk to a rep), to go to Dell or whoever made your computer; support my ass again. Companies do NOT want to be responsible for their products, they never have, they never will be. At least you more often get a REAL NAME of someone on an Open Source project; as for companies, many Class Action lawsuits have been filed throughout the world and throughout history.
Deadlines... yeah, as a developer of both proprietary software and open source software. Nothing diminishes the value and quality of a software project more than a "deadline". This is fact. This is widely known amongst developers. Traditional, archaic business leaders are so ignorant that when this fact is mentioned they honestly think we are joking. In fact, the concept of a deadline is the single biggest factor why proprietary software will never compare to open source software when it comes to quality and usefulness.
But, of all that Paul Ducklin claimed in his article, take this one on for size. "I don't know why people think if you can trot out 10 or 20 or 100 viruses[sp], you would be great at actually producing some antivirus technology that can deal with 200,000 different bits of malware,"
Here, the moron decides to misdirect the reader with numbers. I've developed security software myself. And, I've also analysed a number of security software packages and implementations. When it comes to virus detection, intrusion detection and all that biz, 99% of it is nothing but pattern matching routines in a loop. That's why most NIDs have a data pack which is nothing more than a conglomeration of known patterns to published forms of attacks. It is no different for Antivirus software. In short.... if you know regex really well, you don't need to know flip about security or how to implement an attack to identify one with software. This part really ticked me off, because as a person who identifies and writes my own exploits which I might or might not publish, this line of logic Paul wishes onto others is completely bullshit. Then he goes in, and tries to relate the luxuries of production in a less-tangible world (the world of computers where resources are nothing more than imagination and virtually no effort goes into typing) to the real world where you have to chop down a tree to get wood. What I'm talking about is his falsely applied analogy with being shot by an attacker, asking if a victim might logically wonder if the doctor had ever been a criminal to be that much more familiar with gunshot wounds. What he's trying to say is that a person who is able to exploit a problem is far less intelligible than an IT "doctor" who only really writes up a regex string to identify a problem.
I'll end this here. Because I doubt anyone here will take this article seriously. And if it's not enough to bash Paul Ducklin any more... he's a Chief Technical Officer of Sophos. Sophos is an antivirus company. As far as I'm concerned, his only target is the end-user, the moron, the impulse-double-clicker; those in his image.
In the UK, after a period of time you don't have to declare convictions, so you may be hiring people who have been in jail for hacking without knowing it.
by hiring an ex-blackhat, at least you get:
* someone who can hack it - no CISSP is going to replace hands on skills
* someone who is willing to admit he has made mistakes in the past - which is more important than ever in the world of security: covering up mistakes doesn't help.
now, if he's good - it shouldn't even matter if he has been blackhat: the systems should be secure, especially from the inside job threat. And part of his job should be to make it provable that it is so.
Now, if all you want is some type of ISO certification stamp of approval - rubber stamp / get finance / show off, go hire some certified engineer with a long series of random acronyms on his CV, which may include MSCE in the lot - that should be a hint, but unfortunately depending on who does the recruitment it may not be a deciding factor...
TODO: 753) write sig.
I don't think that Kevin Mitnick's past has stopped anyone from hiring him. Personally, I believe that "hackers" are job-worthy. Most likely, they are more experienced with computers than the average computer worker.
Klingon Software is not released, it escapes, inflicting terrible damage onto the enemy as it does
Learning how something works is respectable. Deliberately screwing it up with the knowledge of how it works? Not at all. If someone is considered / considers his- or herself a "Black Hat" hacker, you need to think about what they're learning from you, and how that will affect your business. 99.9% of the time, that's not a risk worth taking. On the other hand if someone has an in-depth knowledge of a specific subject and they're responsible enough not to use that inappropriately, they're someone you want to take.
--<Mike>--
I am a bit confused about the implication. The black hats.. well, they weren't called that in the beginning. I don't remember anyone but old people talking about your moral compass in regards to exploiting security holes. All information is knowable. It's a belief that borders on faith. In my circles, it was just assumed that you would do no harm to the whole. When a surgeon takes out your bulging appendix, he has to do some damage to make sure you survive in the end. That's a proper analogy to the successful "black hat" folks. Even if it meant OOB'ing Microsoft's site for 3 days (winnuke was brought up by a previous poster). A much worse scenario would ensue when a hospital was taken down because they (OS/IPsec company, etc.) ignore their own weakness.
I have to tell you that the people I knew that did those things and worse are running your Fortune 500 companies right now. The smartest don't get caught. Mitnick had an ego. These people don't. They are innately good at what they do and there is a higher than likely possibility that a "black hat" has saved your company from disaster more times than anyone else. That's my observation.
There are those that destroy to destroy. They don't survive. It's natural law. Smart people know this. Smart people also know that you don't own information or thought- and everything can be altered. I don't think the connotation of "black hat" describes the best of us accurately. I think they are something different and you will see it when their intuition saves your company time and time again. Where the metal meets the meat, you would rather have a person who's been on the other side rather than some cert collector that's just guessing. Media likes to make their misconception reality because it lends them credence. Black Hat does not mean evil. Hacker does not mean cracker. They are not one and the same.
If America is any indication, all people deserve a second chance.
Hell, we hired a former drug-addicted AWOL alcoholic to run our country, and even that turned out all right.
So give blackhats a second chance!
Obama likes poor people so much, he wants to make more of them.
Hire one? I've built an entire company with the combined efforts of former Black Hats.
Y-Crate
CEO - Setec Astronomy
There are always risks involved, but excluding top 1/3 of candidates from your list is stupid. If you are good at something, chances are you played around a bit in your formative years.
WhiteHats know more than a BlackHat only from privileged access. WhiteHats don't know what a BlackHat knows, hence asymmetric warfare rules have WhiteHats at a disadvantage from the start.
People hire convicted felons all the time. What they generally don't do is to hire them in roles that were central to their offenses. It's one thing to hire a convicted pedophile to balance the books, but quite another to put him in charge of the company daycare.
The unchallenged assumption here, of course, is that a "black hat" necessarily has any special qualification for a security job. It's like assuming that a graffiti artist will have any useful insights into formulating a graffiti-resistant exterior paint. For that, you really want a chemist.
That's not to say that there aren't some black hats who wouldn't be useful in a security role, but simply having exploited security holes from the outside doesn't automatically translate into knowing how to plug them from the inside, and it certainly doesn't automatically translate into being able to communicate effectively and work as a member of a larger IT team.
Proud member of the Weirdo-American community.
* Are they capable of staying after normal work hours every now and then to see to something getting finished? Oh, that kind of job. Sorry, despite what the above might lead one to imply, I do in fact have a life. Or at least, enough of a one not to waste it patching up someone else's mistakes.
Heh. Sucks to be you. You should try looking for a job you enjoy. When you find a job where you genuinely **want** to be there - the work is challenging and engaging and keeps you interested for 8+ hours a day - it is truly a joyful experience. Hope you find it someday. Until then work is just a job, not a career.
Honest? You'd have to be borderline retarded to try to steal shit during a job interview.
The questions I need answered are: Can they work with people? Can they dress well? Do they shower? Are they capable of staying after normal work hours every now and then to see to something getting finished? Are they sensitive to other people and their surroundings?
#1 on most employers' list is, "can I trust them?" Hence why zillions of employers, especially the Big Boys, conduct criminal and credit checks and personality tests; they're not as worried about team-player-ness as they are whether you're going to try and rape Tina from accounting after the company "holiday" party.
A "black hat" hacker thinks it is not only ethical and acceptable to violate numerous laws and break in to computer systems they have no permission to do so on...but they've DONE it, which means they'll have ZERO problems going places they're not supposed to be in your company.
That sounds somewhat trivial unless, say, you work at a bank. Banks and lots of other companies employ "chinese walls" (for those that don't know: different divisions are intentionally 'firewalled' knowledge-wise to prevent conflict of interest.) A black hat that feels he/she has the right to traipse anywhere on the company file servers is a serious threat.
The real question is not "Are they mature?", but "Did they recognize and accept that what they did was wrong, and will they do it again?" Another question is, "can they follow company procedures and policies, and industry regulations?" If they can't keep from violating serious federal statutes, how on earth can you trust them to follow a rule that says they shouldn't poke around in the accounting files?
Please help metamoderate.
I fully respect your right to be who you want to be. I really do. But no one is going to pay you for it. There aren't many jobs where you are just paid for doing things--usually what they want is a bit more nebulous, and involves "playing the game." You not being willing to do that doesn't reflect on your character in a definitive, existential way, but it will impact your income.
I don't know if what you say is true, but the evidence supports it. This explains why all police officers are able to lie with a straight face.
But I fail to see why the ability to lie makes someone better at law enforcement...
A) You broke into a system and made it say naughty things five years ago.
B) You broke into a system and clearly could have stolen a million dollars, but didn't, fifteen years ago.
C) You broke into a system and DID steal a million dollars, thirty years ago.
A) You're 25? Oh, the marketing guys are going to love having you in tech support. 35? I wouldn't put you in the mailroom, you childish twit.
B) Once the FBI confirms your prints and finishes chatting with everyone you've known since 1980, let's do lunch. We might have a corner office with your name on it...in about six months.
C) Security, please show this man the door and never let him back in.
No. And I'm tired of them. After fighting 3 pop-ups, that was it. Closed the browser and left.
Graham
Linux - Fast Pane Relief
Would You Hire a Former Black Hat?
Only if they were also good at nunchuck skills and bowhunting skills. Companies only want people who have great skills.
Personally I would not, because they are sociopaths and I am not.
However, if I was Enron or RJ Reynolds, I could find a good use for them.
I think I have one more "witness protection program" move coming.
Controller Bob? Sorry, that just came out.
This issue is a bit more complicated than you think.
I mean seriously. If you were an evil hacker in a previous life, I don't care if you turned of a new leaf. Why would you let any employer find out you used to be a blackhat? If you've got such "skillz" I would think you could at least hide your past identity.
If you have a criminal record then you have a whole other set of problems. You'll never get a job at PayPal if you've been convicted of a felony. Hell, they won't even hire you if you have bad credit. A lot of big companies are the same way, especially if developers have access to financial software.
“Common sense is not so common.” — Voltaire
I am BLACK HAT, and was hired several times by well funded tech companies - REALLY!
One time, as a principal computer scientist to crack DRM and online transaction systems, and design them.
Another time, as a VERY highly paid contractor for a few months to defend patents in DRM and successfully work around patents, get the client out of various civil suits, and create amazing tools (video card interceptors).
As for my black hat credentials, they are notoriously very black indeed and I deem not to divulge my countless experiences in this forum (military, Pentagon, AT&T, NASA, MCI, Sprint, countless networks, numerous telcos, many OSes, civil power plants (one nuclear), over 5 colleges, etc etc etc).
Too bad no one browses anon 0 anymore (except me).
..maybe. It depends on what type of blackhat hacker we're talking about. There may be hacker ethics, but every hacker will define these in their own way.
There will always be hackers that hack for their own profit and only care about covering their tracks, they believe the ability grants them the right, basically the 'predator ethos' (shared by so many managers out there as well *cough*HP*cough*). On the other side there are hackers that have deep convictions and use their ability to e.g. fight an oppressive government, that wages wars and makes the public believe it's for their own good; these are the idealists. And somewhere in between we'll find most of the hackers (including the disillusioned, cynical ones).
Whether they are suitable to serve as a gear in the machinery will be different from individual to individual.
And when you gaze long enough into the code, the code will also gaze into you.
Something similar happened in the 60s/70s... with the hippies. Nowadays, we call them yuppies.
Most of the people I grew up with who were blackhats have moved along in the same way, we call them "wageslaves".
Hacker hasn't had a real meaning in years. Most who consider themselves hackers are at best script kiddies.
Shadus
Of course it depends on the person; the person cannot be a bad person at heart, but I'm all for hiring people with experience. Especially if I were a security company, I would opt for people who have worked in the field and understand the workings of a criminal mind.
ugh...
Yes:
A guy who figured out how to get past some stupid piece of DRM-ware, and did some creative stuff just to test the waters when he was young. Only if I know him (or her?) well...
Casual DMCA violator...
No:
Phishers.
Script-Kiddies.
Anyone who caused actual financial damage, stole data, or broke trust that was given to him. (It's one thing to circumvent the school's computer workstation "policy" so you can pkzip your files before transferring them to your floppy. It's another thing to steal credit card numbers, send spam from work, etc.)
The second variety might be OK to contract for a "sandbox" situation where you're challenging them to break your code/machines. I would not let them inside the door of the company... [they might continue the 'challenge' after the contract is over...]
As for that McDonalds comment, there was a story here on Slashdot (I think, I am too lazy to look for it) about a guy who worked for Taco Bell and had hacked the register to ring up everything at a penny when a certain keystroke was entered. He charged normal price and pocketed the difference. Hackers can get you anywhere.
This signature copied from somewhere.
For the Black Hat's own good, here are the answers and justification:
If I were a bank I would say: NO.
If I were an IT OPS company like HP, Microsoft, Apple, etc., I would say: YES.
The reason is that even if the Black Hat is really a good person and has behaved as a good person, any ID theft or hacking into a bank's computers would immediately make him the target of suspicion, even if he really had nothing to do with it.
Banks are paranoid about losing money anonymously, and they can make or break anyone's career with a slight twist of the hand. I would NOT want a former black hat who has recently reformed to fall under a cloud of suspicion and break his own career for the final time.
Secondly, although a long shot, hackers can mask their attack based on the old hacker's signature moves and move the suspicion to the old former guy. And if I were a bank, I would certainly believe them instead of my new hire.
Also, banks tend to call in the Feds, who invariably would target this poor former hacker unnecessarily....
All this complicates things for him, and now instead of helping the bank trap its attackers, he himself is under fire and spending effort to defend himself from unnecessary attention by the Feds [believe me, the Feds are the last thing you want on your tail: they are tenacious like a bull terrier, only worse].
Banks earn their money from customers' gullibility. Hence the role of an IT guy is second-class citizen at best.
IT companies are staffed with IT guys all around, and IT geeks are first-class citizens. Hence a former black hat would command more respect.
That said, it is ultimately up to the Black Hat, and circumstances and luck play a large part in his rehabilitation.
Even if he were to work for 10 years at an IT shop and be an award-winning employee every other year, if the recent attack/hack had his old signature (even if forged), it would put him directly in the trench along with other hackers and expose him to fire.
All the years of goodwill, awards, friendships WILL melt like butter, and you would again be all alone, fighting for your rights, your respect, and your life.
Society always treats an ex-criminal as a criminal even if he is reformed.
"Doing what i can, with what i have." ~ Burt Gummer
There is a high degree of risk in hiring anyone with a criminal background, regardless of the position. Employers need to be able to trust that person. A man convicted of rape would be the last person to work at the YWCA, so why would you expect that a person convicted of a computer crime be the first pick for a job working with computers and security?
A slip of the foot you may soon recover, but a slip of the tongue you may never get over. -Benjamin Franklin
"I tell them I used to do "security consultation for companies" in the pre-dotcom days. I never get questioned.....I walked into my last job interview and wrote a sendmail ruleset....At 22 it landed me a project management position
PHB to Dilbert: "The kid is cheaper and more experienced than you, he's been writing rootkits since the day he was born!!!"
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
There's an excellent post just below here asking the question, "how black is black?" This is a key point--if the person in question did some things which might be illegal but shouldn't be (i.e. writing code to hack DVD encryption a la "DVD Jon"), then it's not that big of a deal. However, if this person did something that would have, in its day, hurt my company or something like it, then screw 'em. I don't need possibly reformed criminals.
The myth of the black-hat is becoming almost a cult belief. Black hats are amazing hackers, who think differently than the rest of the world, can penetrate incredibly secure systems with ease, and have mad skillz that normal humans can't achieve. On this I call bullshit. Anyone can learn to become a script kiddy, and the few who actually create new hacks don't often do anything extraordinary; they're just vandals who happen to be amateur programmers.
I sat down with a security consultant yesterday. The guy has been doing this for ten years. He gets paid a healthy sum to audit systems and make recommendations, and occasionally will get hired by a company to hack their own systems. He's very good at it. He follows the underground conversations, he keeps up on the latest exploits, and most importantly, he practices. He can think like a hacker, hack like a felon, but only goes after machines with the owners' approval. There are good security consultants, and they don't have to be criminals--in fact, the mindset and skillset of the hacker isn't necessarily the same as that of a security consultant. They're complementary, but not identical.
So no, I won't hire black hats. There are enough skilled and capable people out there to do the job that I'm not reduced to supporting reformed (maybe!) criminals in their former habits.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
"with the hippies. Now a days, we call them yuppies"
WTF??? How many yuppies hitch-hike, or drive barefoot in a hand painted combi van?
You can use that computer over there in the corner. We have a lot of boring work to do. No deadlines, as long as it gets done. Don't worry about your clothes or smell, nobody is going to remember you anyway. You don't have to come to meetings either.
When work isn't finished after normal hours you can go home, we'll finish it. You worked hard all day, while we wasted time with vapid conversations on several occasions. We enjoyed work today, now you can go home and enjoy your life.
It's a bit unfortunate that when we were chatting about our holidays you weren't there. Somehow the topic changed to the new job opening. You would probably have liked that position, but we were not sure. We don't really know you. Besides, you're good at your current job, so it's probably best if you keep doing that.
Seems to me there are two issues:
1. How confident are you that you understand the black hat's motivations? Unfortunately, "inquisitiveness" is only one possible motivation. There's "destructiveness" to consider and there are possible "entrepreneurial" motivations for selling your secrets. That's 2 to 1 right there suggesting the guy might be more trouble than an asset.
2. Does your organization value criticism? With a graduate philosophy degree I'm trained to be inherently reactive and pick apart flaws in other people's proposals. An organization that wants "yes men" and "total enthusiasm" wouldn't value me. The black hat is in the same situation. Would upper management value and support someone who is an active critic rooting about in their IT setup? It is a fair bet IT middle management wouldn't.
"Those with the true hacker mentality--explore, discover, invent--have long since moved on to a new title."
This may have been a self-proclaimed title at best. I have an old Popular Science magazine from the 1970s which has a whole explanation of the word "hacker" as a person that breaks into computers illegally.
I'm not sure the public ever used the word to mean "to invent, explore, or discover--mentally".
No, but most hippies are now yuppies. They are just yuppies that buy all organic.
Of course they do, publicly. To do anything other than condemn those who break the rules would send the message to the sheep that not only is it okay to break the rules, but doing so will make you worth more to your employer than you would be if you did everything the approved way. The corporate world relies on drones, not autonomous beings. They pay the autonomous beings to ensure that the drone culture keeps functioning.
It's not easy finding qualified employees with felony fraud convictions, you know.
I would be intensely suspicious of anyone with a background that suggested they didn't have a problem stealing or harming strangers. Of course youthful indiscretions can be forgiven, but if someone has demonstrated, as an adult, that they don't know right from wrong (or care) I don't want them working for me. Oh yeah, I've been CTO of a couple of public companies etc. Rick
Hacking someone can and does in fact teach you how to administratively remove a security hole, especially by showing one where the hole is.
Analogy: Failed.
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com
I was a former black hat who got lucky. I broke into my school board's mainframe when I was 13 years old and racked up an $11,000 phone bill for them by downloading C64 games (yes, this was a LONG time ago) from around the world via their system. In the end, I got caught, and the only reason I didn't get prosecuted was because the receptionist of the prosecutor for the school board was my brother's fiancée's mother. How lucky is that? Instead, when I was 15, I ended up going to school half of the year and working for the school board the other half. I was teaching educators how to use technology in the classroom, taught gifted children how to make interactive kiosks, and wrote 18 educational software applications based on my mentor's ideas, one of which has just passed $100,000,000 in sales (too bad I didn't understand the word royalties back then). Anyway, my point is I know I was very lucky and things could have turned out a lot worse (some say I have a horseshoe up my arse, others say it's the whole horse), but seriously, in my opinion former black hats are at the cutting edge of technology; their abilities have proven them as people who are innovators, and I respect that. As you all know, the majority of black hats are really just explorers out to do no harm. Give them an opportunity to do the same thing legitimately and I think you'll be surprised at what they can accomplish. But here's my real point: if you're a former black hat looking for a job, don't tell the employer about it! For the most part, unless you have a criminal record, there is no way for them to know. Then you can joke about it 6-12 months after you've been hired when they know you're a solid individual. Now I'm a senior software producer who hires developers from all around the world; I personally wouldn't care what the person's background was re: being a black hat as long as they delivered.
Nowadays I'll let the younger generation do the hacking as they usually just get a slap on the wrist when caught. As for me, as an "adult", I don't do it anymore as I don't want to end up in jail with a big boyfriend named Rocky, thank you very much. S.
Tigers don't change their stripes. If the "former" Black Hat was happy to screw people in the past, he/she won't have a problem screwing you later.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.