Would You Hire a Former Black Hat?

Mark Zenson asks: "Understanding the mindset of a hacker and the likes of one may be useful to counter security attacks, but apparently companies still object to hiring former, or even reformed, black hats." The article asks this question of several executives in the industry and for various reasons, many of them were skeptical to the idea of hiring such people. Would you give black hats a second chance if you were in their position?

It All Depends on Their Maturity

[eldavojohn]

Would You Hire a Former Black Hat?

Depends, if I'm a manager at McDonald's, you bet your ass I'd hire him. Anti-social nerds make the best french fries.

But on a more serious note, I would hire anybody as long as they have the right personality. That's right, I've seen it happen too. People who don't know anything about computers are working in corporate America as programmers. They are one trick ponies and it would take me a few minutes to show others how to do that one trick. The questions I need answered are:

• Can they work with people?
• Can they dress well?
• Do they shower?
• Are they capable of staying after normal work hours every now and then to see to something getting finished?
• Are they sensitive to other people and their surroundings?

If you answered "yes" to all these questions, you too are a potential "team member." In any business. Degrees help but are not required.

Judging by the stereotypical picture of a black hat that the media has given the public, I would guess they wouldn't pass the first bullet above. Judging by the few that I know, they are risks but at some point straightened up and are valuable employees to their companies. You just need to assess whether or not they've figured out that a steady source of income is way more rewarding than having "VIODENTIA RULEZ #1" spray painted on the RIAA's website once a year. And that "selling out" isn't really "selling out" but devoting some of your time to a large project in order to better your circumstances the rest of the time. If they're past that point, then you've got a potential for a great employee.

What's unfortunate for black hats is that there is a wealth of solid programmers from America, India and Russia (if they can make it here) who are more than willing to do anything. On top of that, they have no criminal background. So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

Re:It All Depends on Their Maturity

[russ1337]

Are these big companies likening it to hiring a reformed bank robber as a teller, or a paedophile as a teacher?

Anyway, I thought the biggest part of being a 'black-hat' was to keep your online identity COMPLETLY SEPARTE from your real life ID... A big company should have no idea they've employed a 'former' black hat - at least if they were any good at it. If they got caught then he/she might not have the attention to detail you require for an employee in that field.

Re:It All Depends on Their Maturity

[ePhil_One]

So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

My question is, why would they know of their "Black Hat" exploits? I have to admit I've skipped applicants who admitted to "hacking" in a black hat context (Not "I sniffed my neighbors WiFi to get free internet", but I hacked into a potential employers network and explored). It shows an inability to set bounds and a lack of understanding of appropriate/inappropriate. I'd rather have lower skills that I can trust over high skills that might be working against me.

Re:It All Depends on Their Maturity

[sgt+scrub]

My observations as an old person by definition using your rules:

        * Can they work with people?
        * Can they dress well?
        * Do they shower?
        * Are they capable of staying after normal work hours every now and then to see to something getting finished?
        * Are they sensitive to other people and their surroundings?

Black Hat Hacker.
I am clean, charming, well dressed, always working, and my sensors are constantly monitoring people and places. I'm also perfectly cold and capable of taking every coin you own and are capable of borrowing. I will do this using my clean, charming, well dressed, and sensitive persona.

White Hat Hacker.
I showered today because I wasn't up all night playing WOW. Jeans, T-shirt, piercings, tatoos, uncombed long hair and beard are my personality, get over it. People are either cool or annoying. I try not to be around too many of them at one time but there is nothing wrong with that. Most of my friends are on IRC and WOW anyway. As long as I bang out enough code to meet my boss' requirements I'm golden.

Re:It All Depends on Their Maturity

[ObsessiveMathsFreak]

* Can they work with people?

Fair enough. If my job requires me to be a part of a team, it's reasonable to ask that.

* Can they dress well?

Oh Gods. It depends on what you mean. If you mean my normal attaire is that uncomfortable garish dandy's outfit known as a three piece suit, I'll have to say no. The apparell oft proclaims the man, and I generally don't choose what clothes to wear based on what everyone else deems appropriate. If you need me to meet customers, I suppose, but for gods sakes why are you making me wear a shirt in my cubicle? Would anything else make you feel uncomfortable somehow?

* Do they shower?

This is reasonable. If you're going to ask me to do this every morning unconditionally, I'm gogint to ahve to say that if I choose the odd tuesday or so as a "wash the bits" morning and you take offense; you're standing to close inside my bubble.

* Are they sensitive to other people and their surroundings?

Of course I am! You'll never see me do or say anything inappropriate. Oh, wait. Do you mean by sensitive that I must take time away from my job to engage in vapid conversation to make insecure coworkers feel better? Must my meetings and greeting be peppered with trite reassurances and shallow smiles? Must I waste precious minutes of my life decoding and responding precisely to oh so many unfathomable and illogical social nuances, walking a tightrope of peril with each word I utter lest someone take grevious and irremediable offense and a misplaced clause or syllable. I'd rather just, you know, work.

* Are they capable of staying after normal work hours every now and then to see to something getting finished?

Oh, that kind of job. Sorry, despite what the above might lead one to imply, I do in fact have a life. Or at least, enough of a one not to waste it patching up someone elses mistakes.

Re:It All Depends on Their Maturity

[D-Cypell]

I am not sure a "history of fraud" defines a black hat (according to my defination anyway).

Having worked with some people from this kind of background I would say that having them around in any kind of hi-tech start-up is a geniune asset. High IQ comes with the terroritory and I have also found that uber-geeks (as most dedicated black-hats are, by default) have a deep pride and sense of ownerships in their projects. I think that 'black hat' behaviour is more about ego than they would like to admit, and egos can be good if they make the owner strive to make their project the best out there.

There definatly will be a few assholes that try to screw you over, but I am not sure that it is fair to say there are more of these people in the 'ex black-hat' community than in the general population.

Re:It All Depends on Their Maturity

[Amoeba]

What's unfortunate for black hats is that there is a wealth of solid programmers from America, India and Russia (if they can make it here) who are more than willing to do anything. On top of that, they have no criminal background. So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

eldavojohn, I was agreeing with everything you said up until this point. I'm the moderator for the SecurityFocus pentration-testing mail list and the CTO for a security firm specializing in pen-testing. At the level of skill I'm talking about there is no "thousand other people... and meet the basic qualifications" but a very limited number. That fact alone allows for some wiggle room for companies looking for candidates with a rare high-level skill set. Would I hire someone with a blackhat background? Sure, if they met the criteria you outlined above and played at the level I'm looking for because there aren't that many candidates out there looking for work.

Of course, while I would hope the decision would be a sound one I'd remain wary as it *is* risky... but people can change or grow up. Anyone who has been in the security industry for a good length of time has some skeletons in their closet. I was not always a lily-white scion of responsibility *cough*... but I grew up. Had the mistakes of my youth precluded me from working in the industry I might have turned out to be a very well-dressed, sensitive, thoughtful, extremely hireable burger flipper.

Re:It All Depends on Their Maturity

[Fulcrum+of+Evil]

I'd hire a reformed bank robber to do a pen test on my bank, which is really what they're talking about.

Re:It All Depends on Their Maturity

[networkBoy]

I was about so say something similar, but instead I will expound on your post.
I am a former "black hat" as the media would portray it. While I never did anything knowingly illegal for profit, I do/did hack systems for entertainment.

I was employed by a small company where I rapidly rose to the position of being a network admin for a lab that dealt with ethernet equipment and components. Some of our gear was capable of generating arbatrary data frames (sourse/desti IP & MAC address, any length up to 20Kbyte (1518 IEEE spec is 1518 Byte), any interframe gap down to ~4nS (spec 9.6nS)). So to say that the network took a punishing when some dimwhit plugged the test side of the gear into the support network is a gross understatement (said support network was directly connected to the corp net, which went down when this happened).

I was given a budget of a few tens of grand, a spare Cat7K router, and told to "make it work" so I did. I got to hack my self silly doing that job and maintaining the network. Just before we were sold, that lab had ~400 nodes of well mixed clients with hostile traffic patterns and I was able to maintain connectivity.

The key to keeping me from hacking the companies assets was to keep me busy. Safe to say I bet the same goes for any others of my ilk.
In my new company I have the Hacker creedo up on my office door. Just took the hacker creedo label off it. Everyone thinks it's the best statement since sliced bread. They're blown away when I tell them what it is. My management knows I'm a hacker, my peers know I'm a hacker. My IT department is less than loving of me (as I've modified thier standard windows build to suit my needs) but the know I'm a hacker and they tend to let me be.

Basically it all boils down to the following fact: I presented that I'm a hacker in my interview. I presented samples of my work. I was hired. This in a company of ~80K employees. My bosses-bosses-bosses-boss knows me by name. When we have a really sticky technological customer issue, I seemed to get tapped fairly predictably. From manually re-balling a 72 ball BGA part to hacking a mouse such that when an LED on a customer design turns on the logic analyzer will arm, I do it all. My best asset is my inner hacker.

-nB

Re:It All Depends on Their Maturity

[Vicissidude]

Exactly. Law enforcement has asked the same question since the time of the first criminal and the first sheriff: Can you trust a former crook to enforce the law?

In law enforcement, they came to the conclusion long ago that the answer is no . Besides all the other qualifications for a police officer, they can't have a criminal record. In fact, they are required to pass a 300-question polygraph to make sure that they haven't committed any crimes in which they haven't gotten caught. Further, if a candidate fails a polygraph, the police can investigate and decide to press charges or just blackball you from any chance you have at getting a job with any other police agency.

That happened to one of my friends who applied for a police officer position here. His offense? As a 18-year-old high school senior, he dated and had sex with a 14-year-old female freshman. It was completely consensual, but the police investigated him for statutory rape. Because of that, he was blackballed, he would never become a policeman, and his 2 years of police academy were completely wasted.

Police know that if you've broken the law once, even if you weren't caught, then you're likely to break the law again. OR, like the case of my friend, you're not likely to enforce the laws that you broke. (In his case, the statutory rape law.)

It's the same thing with these black-hat hackers. I wouldn't trust them in top positions in security related IT jobs or in less-sensitive general business jobs.

Re:It All Depends on Their Maturity

[msuzio]

Exactly. The parent opinion is, in all seriousness, completely absurd. Get with the program, buddy, that's not how it actually works.

I'm at a stellar company, one of the best in its field. So good, in fact, that next month we're due to be acquired by one of the largest corporations in the world, because they want what we can deliver. Yippee for us, I know, but it still points out: we're not a bunch of moronic slackers.

I look around me at my fellow workers, all of whom bust their asses day in and day out to get the job done. I see plenty of the above marks of "offense". Somehow, we manage to be competant, well-mannered, hard-working people. Who just happen to (in many cases) be wearing Jeans, t-shirts, and have tattoos/piercings.

Maybe I'm just offended because right now, I've got all of the above. The whole wardrobe is black. My cube might have action figures and big pile of "alternative" music CDs in it. Oh, and I shave my head. Some people might think I'm a bit strange, although I myself think I'm relatively mild overall.

Regardless, I'm also among the absolute best programmers you will ever find. Seriously. It's 8pm, I've been here since 9am, and I'm not going to leave tonight until this particular bug is squashed. I'm dedicated, smart, and I love my job. Also, when I'm not here, I sometimes put on a suit and teach motivational speaking and personal growth courses. I blend in as well in that venue as I do when I'm out at the local bar filled with people in fetish gear and sporting more piercings in them than Custer on his worst day. The first impression in any of these places doesn't convey the totality of who I am, and most people who are open-minded enough to get to know me realize I've got a lot to offer.

So, sorry, buddy. I can find people who wear nice suits at any business school. Good programmers, who work their asses off and love it? Not so easy to find, and so long as they are willing to be a team player, they're a welcome addition to the crew.

Re:It All Depends on Their Maturity

So... shouldn't you be working on that bug?

So dont tell them

[ninja_assault_kitten]

I'm an ex-blackhat who's been working the security space for over 10 years now. My employers only know about my work experience; nothing prior to that. I'm very good at my job, I'm passionate about security, that's all that matters. As long as you're a blackhat who doesn't have a criminal record, you'll likely get a lot more value out of them than a cert crazy white hat who got into security cuz it's "cool".

of course I would

[EllynGeek]

If I worked at Hewlett-Packard.

Takes one to know one.

[b4jts]

Takes one to know one, I suppose. Looking at what Frank Abagnale did to improve security against bank fraud, I'm sure that a 'black hat' turned good could be of some use to a company.

Let's be realistic...

[__aaclcg7560]

If the company is going to be ripped off, it will probably start in the boardroom as upper management are granted perks that they shouldn't have. One company I worked for is on the road to bankruptcy but the company is still paying for the CEO's $200K/year New York City apartment. This is the same management that banned free soda when they figured out that employees were taking a can or two home. Go figure.

Script kiddie vs Hacker

[khasim]

If the only difference between two candidates is that one has a felony record, it's not a hard decision to make.

Not only that, but also what they were doing during their "black hat" phase.

Running scripts you've downloaded to scan for default passwords on websites so you can post that you've "pwn3d" their site ... yeah, that's going to go real far in the interview.

On the other hand, knowing enough about TCP/IP to crack servers with an injection routine that you've written ... that would go VERY far in the interview for the right job.

Script kiddies are a dime a dozen. And their "knowledge" is just about useless in the corporate world. What else do you have that's better than I can find elsewhere without the issue of your past behaviour?

The same with social engineering attacks (unless you're hired by HP to investigate leaks).

Real hackers, on the other hand, are extremely valuable not only for the technical skills they've built up, but also because they're driven by problem solving and they are more than happy to get down to the metal.

Re:It depends.

[jlarocco]

I might be willing to hire one as a code monkey to churn out boring stuff that could easily be audited, but even then only if there were no other suitable applicants.

Yes, that's exactly what you want. A *bored* (ex)black hat hacker.