The Path From Hacker To Security Consultant
CNet has a series of interviews with former hackers who ran afoul of the law in their youth, but later turned their skills toward a profession in security consulting. Adrian Lamo discusses taking "normal everyday information resources and [arranging] them in improbable ways," describing a time when he broke into Excite@Home's system and ended up answering help desk questions from their users. Kevin Mitnick, famous for gaining access to many high-profile systems, warns today's young hackers not to follow in his footsteps, saying, "A lot of pen testers today have done unethical things in their past during their learning process, especially the older ones because there was no opportunity to learn about security. Back in the '70s and '80s, it was all self-taught. So a lot of the old-school hackers really learned on other people's systems. And at the time, I couldn't even afford my own computer." Mark Abene explains how he got interested in phone phreaking, and how it led to a prison term and a career in computer security. Like Mitnick, he says that easy access to powerful modern computers removes part of the motivation for breaking into other systems.
They just realize they can hide better as security researchers. :)
And at the time, I couldn't even afford my own computer."
Don't do what I've done, do what I say. Things were also tougher for me. When I was a child I had to walk 20 miles to school every day in a snowstorm, through swamps and trying to avoid crocodiles. Things were tough. You kids today have it easy.
he broke into Excite@Home's system and ended up answering help desk questions from their users.
Sounds like he's still being punished for his "crimes".
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
It takes one to know one. This works in all sorts of industries. The best teachers for example were often the worst behaved students.
sudo mount --milk --sugar
Will someone please put kevin back in jail!?
It is the exception, not the rule, that a hacker becomes employed as a highly paid consultant. A lot of jobs require security checks, which you will fail if you have a criminal record. Some places have the flexibility to allow exceptions. Most don't. Even if they do you have to prove you offer something so unique and worthwhile that an exception should be made.
It does happen. Hackers do sometimes get jobs. People also win the lottery. Doesn't mean it's smart to play against the odds.
These posts express my own personal views, not those of my employer
I'm disappointed, Slashdot editor. Everyone here should know that people who break into other systems are crackers, while "hacker" simply refers to anyone with an interest in coding and computer technology.
Speaking from experience, it is difficult to get back into the workplace after a battle with law enforcement due to a high-tech crime. It is possible, however. Keep your nose clean and keep up with the industry and eventually you can regain a bit of trust. I am proof that it is possible, as I was once the subject of a Slashdot interview regarding a pretty public piracy case.
Hacker means cracker, end of story.
What you call a hacker is just a hopeless virgin.
Politics.
I worked at a company who shall remain anonymous. I worked there as their security consultant and was in charge of keeping the systems secure.
I noticed that their systems were insecure. I kept telling them that these things would get hacked, I kept telling them that they were wide open. Did they listen to me? No. They kept going on and on. I worked to patch as many holes as I could, but the system was insecure in itself (things like passwords stored in plain text in MySQL databases, etc.). Fixes I recommended were rejected by management because they would change things from how they were used to, or were too expensive, or got "but who would want to hack us" responses.
A few weeks ago our external servers got hacked (surprise surprise), and the hacker notified the company. What did they do? They paid the guy 600 euros per domain (we have a lot of domains) to fix it for us. That dude had the ear of all management, everything he said went; they changed things that I'd been recommending to them for months because he said so. And to finish it off, he earned more money in those two weeks working for this company than I did in the last 6 months, to make fixes I've been telling them to do since I got the job.
F*ck it, in future I will just break into computers and then offer them a huge fee to fix them; it seems to pay more to do it that way. The company didn't call the police, just kept it as quiet as possible so word didn't get out.
Posting anonymously for obvious reasons.
I don't like these articles on hackers becoming security consultants. Obviously it has happened in the past - and the story itself covers well known examples - but doing information security for a private corporation is so much, much, much, much, much more than pen testing and other skills typical crackers are good at. In practice, the vast majority of security professionals aren't ex-hackers, and that's a damn good thing.
Maybe it's because I'm actually working in the field, but I really don't like how the media keep bringing back ex-hackers and presenting them as some kind of security gurus, or worse, geek superstars. I don't think it is mature, and I don't think it is healthy. These individuals are criminals, and many have caused thousands if not millions in damages, or forced other people to spend countless hours to fix their mess. No matter how you look at this, this is not cool.
Security vendors need people with 'the cracker mentality' to join their ranks. Without 'morally gray' staffers, how could they supply regimes like the ones in Iran and China with the 'tools' they need to operate their repressive regimes? Morally blind nihilists, while not necessarily those to fill the ranks of the ideologically 'pure' elite inside the regime, will always be a necessary force.
The people that they can't EVER become involved with are the real hackers.
Having been in security since the beginning of my IT career I have seen all kinds of companies. Most SMBs don't do background checks or drug testing. How many people with a hacker background (or any for that matter) are planning on working for a Fortune 100 company as a career goal? As a VP friend of mine once put it, "If I wanted to go through background checks and drug testing I would have gone to work for the CIA or FBI." He refuses to work for any company that does either of those, in the belief that it's not necessary to know those things to hire a person who can do their job, and the fact that it doesn't enhance shareholder value. It's OK to turn down a job on principle. I can also say that having been on the dealing end of the background checks, most vendor companies out there are worthless and you won't get the whole picture about a candidate. Most background checks only look at NCIC and not state or city/county level. If your HR department is paying $50 per person you're only getting the Federal level. If you want the whole picture you'll be paying about $1000-$2000 per candidate for city level screening if you check each and every city and county the candidate has ever lived in. The same goes for drug testing. The DOT-accurate drug tests for commercial drivers cost anywhere from $150-$300. The cheap ones cost about $25 for 5 different drugs and aren't that accurate. I complained to someone in HR at a previous company I worked at about wasting the time and money for a drug test that was in all probability inaccurate. I was told that the drug testing was mainly for marketing purposes so the company could say they were a drug-free workplace and bid on government contracts. HR had no interest in actually rooting out drug users, as they had no desire to actually find out for sure if anyone had a criminal record, hence the $50 background check. Basically if you didn't smoke weed a few weeks before coming on board you were golden.
If you always got into bar fights or simply drive drunk all the time, the company wouldn't know about that either.
You can also be a security consultant without dealing with the equipment directly, which is what a lot of people are concerned with when it comes to consultants. I haven't logged into a firewall or an IDS in 6 years, but I used to develop IDS software early on. Security consulting for a lot of customers involves business process analysis, mainly to determine if anything is broken. If you're doing ISO 27001 or COBIT consulting you probably won't be handling any of the equipment, but performing audits and writing project plans for the customer to implement. If a customer asks me to implement the recommendations I'll bounce them to a firm I trust and take a referral fee. If you've ever sat through a security audit with a Big 4 company, they spend most of their time performing interviews with IT staff, they'll shoulder surf or look at screenshots for random items, then charge you a ton of money for not really verifying anything. Most of them are CISA certified, but aren't technical, which is really amusing.
There's enough work out there for everyone if you're willing to move to another city or travel for business, regardless of your background. If you're really in bad shape you create your own company and approach clients as a vendor, not an individual. LLC or Corporation filing fees are around $100 and I have yet to encounter anyone in the private sector who does background checks on firms performing work on premises.
I was caught hacking PBXs and calling cards and using them for call backs and call forwarding to facilitate credit card and direct deposit scams in Australia... but that took over 10 years of transition to complete and is not a journey I would recommend for anyone either. There are much easier and quicker ways to get here... put it that way....
I am now generally a profitable security consultant with my own VSP/telco.
CNet has a series of interviews with former hackers
If they're only former hackers, then they're useless as security consultants.
What is their influence on the people involved in the development of GNU/Linux? I guess a bit less than worth mentioning.
A common theme of a lot of the replies seems to be that black hat behavior is the only way to learn computer security. Far from it. I don't need to have broken into an insecure network connection without permission to understand the problems of sending passwords in the clear. Often, it takes a little imagination, a bit of reasoning, and a bit of technical skill -- the same skills I often suggest for system administrators.
The best security analysts I've worked with are so strictly white hat that they've managed to get policies in place that prohibit black or gray hats from working in security in the companies I've been in. Is it perfect? No. Some people managed to mostly hide their historical black hat behavior. Once it was learned, a quiet black mark was placed against them and they were gently eased away from security work. There are enough good security professionals who have no history of breaking into computers without permission of the owner to fill the jobs requiring that level of technical skill.
"I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
Why in the world would you hire someone who got "caught" hacking to do your security? There are plenty of people out there who know security but don't have a record of taking a company's information. Even most of the people who "hacked" didn't steal information, just got into stuff to see what we could do. Yet companies are hiring these people. Unbelievable. Like most things, the best never got busted, and many of them do security now. Let me tell you, it is a whole different game nowadays.
A Hacker with the proven ability to create and execute a project plan should be seriously employable.
Know what pieces overlap, understand how they impact the business, and what it takes to get from A to Z.