Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Path From Hacker To Security Consultant

Posted by Soulskill on from the curiosity-killed-the-cracker dept.

CNet has a series of interviews with former hackers who ran afoul of the law in their youth, but later turned their skills toward a profession in security consulting. Adrian Lamo discusses taking "normal every day information resources and [arranging] them in improbable ways," describing a time when he broke into Excite@Home's system and ended up answering help desk questions from their users. Kevin Mitnick, famous for gaining access to many high-profile systems, warns today's young hackers not to follow in his footsteps, saying, "A lot of pen testers today have done unethical things in their past during their learning process, especially the older ones because there was no opportunity to learn about security. Back in the '70s and '80s, it was all self-taught. So a lot of the old-school hackers really learned on other people's systems. And at the time, I couldn't even afford my own computer." Mark Abene explains how he got interested in phone phreaking, and how it led to a prison term and a career in computer security. Like Mitnick, he says that easy access to powerful modern computers removes part of the motivation for breaking into other systems.

15 of 96 comments (clear)

  1. Or maybe... by Anonymous Coward · · Score: 3, Insightful

    They just realize they can hide better as security researchers. :)

  2. Sounds familiar by unlametheweak · · Score: 5, Insightful

    And at the time, I couldn't even afford my own computer."

    Don't do what I've done, do what I say. Things were also tougher for me. When I was a child I had to walk 20 miles to school everyday in a snow storm, through swamps and trying to avoid crocodiles. Things were tough. You kids today have it easy.

  3. From hacker to help desk? by petes_PoV · · Score: 4, Funny

    he broke into Excite@Home's system and ended up answering help desk questions from their users.

    Sounds like he's still being punished for his "crimes".

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  4. Old adage. by dov_0 · · Score: 3, Interesting

    It takes one to know one. This works in all sorts of industries. The best teachers for example were often the worst behaved students.

    --
    sudo mount --milk --sugar /cup/tea /mouth /etc/init.d/relax start
    1. Re:Old adage. by Antique+Geekmeister · · Score: 5, Insightful

      No, the best teachers really weren't the worst students. That's a silly idea.

      The "worst behaved" students of my experience, and ossibly yours, are dead, massively crippled by their own foolishness, in jail, dying of AIDS or lung cancer, homeless, etc. Being homicidal, fundamentally stupid, a slut of any gender or orientation, constantly stoned, or spoiled does not help one as a teacher.

      There are kinds of behaviors that are frowned on by authorities, for lots of understandable reasons, but help people be leaders or teachers. Curiousity, interest in others, love of particular types of knowledge, etc. can all hinder someone in school but pay off for teachers, true.

    2. Re:Old adage. by dov_0 · · Score: 4, Insightful

      Maybe your experiences are different to mine.

      --
      sudo mount --milk --sugar /cup/tea /mouth /etc/init.d/relax start
    3. Re:Old adage. by thesandtiger · · Score: 4, Interesting

      If by "worst behaved" you simply mean the ones that would challenge authority and "color outside the lines," then sure - those kinds of "misbehaviors" are pretty common among people who are really good at their job. That seems to be a pretty milquetoast version of "worst behaved" though.

      As someone who went to Chicago Public Schools, I can say that the "worst behaved" students are the ones who were unable to handle any kind of structured environment, were disruptive and violent towards other students, were often high if they bothered to show up for classes, and generally couldn't handle even remedial work. The few of these kids that eventually straightened themselves out might make good mentors or counselors at programs to help at-risk children, but generally wouldn't be what I'd call good teachers because they're usually lacking the academic accomplishment that really good teachers must have.

      On the issue of taking one to know one - I think it's possible to be a good security expert without being a convicted felon. Given the choice between hiring someone who is very good but a convicted felon vs. someone who is very good and who has the moral compass necessary to avoid committing acts that are criminal, I'll take the latter any time. There are *millions* of people the world over who do computer security - most of them without criminal records - it's not exactly like it's some kind of arcane art or a skillset so hard to come by that one must hire a (hopefully former) black-hat.

      My guess is some of these guys are being hired by organizations who want to use their felony record as some kind of street cred - "Our security is the best; we've got one of the worst of the hackers in charge of it!" etc.

      --
      Since I can't tell them apart, I treat all ACs as the same person.
  5. Criminal record == no job by syousef · · Score: 5, Insightful

    It is the exception, not the rule, that a hacker becomes employed as a highly paid consultant. A lot of jobs require security checks, which you will fail if you have a criminal record. Some places have the flexibility to allow exceptions. Most don't. Even if they do you have to prove you offer something so unique and worthwhile that an exception should be made.

    It does happen. Hackers do sometimes get jobs. People also win the lottery. Doesn't mean it's smart to play against the odds.

    --
    These posts express my own personal views, not those of my employer
    1. Re:Criminal record == no job by Anonymous Coward · · Score: 3, Interesting

      "A lot of jobs"? You mean jobs where you're an employee.

      This is why most of these guys are "consultants". That is, they run their own business and therefore don't typically require any of the normal checks that employees have to get. Some (government) things require security clearance but most stuff does not. All you need is a good reputation and proven skills.

    2. Re:Criminal record == no job by CaptainJeff · · Score: 3, Informative

      If you are hiring consultants to perform security-related functions, you're being negligent by not doing background checks and such on them. Any security-related processing you are doing on full-time employees should be done on contractors as well if they are doing similar jobs. If you're not doing that, you're doing it wrong.

    3. Re:Criminal record == no job by smoker2 · · Score: 3, Insightful

      It is the exception, not the rule, that a hacker becomes employed as a highly paid consultant.

      How do you know ?
      Surely if you were any good at it you wouldn't get caught, so no criminal record. It's only the ones who do get caught that have nothing to lose by exposing their past. And of course they're going to say "don't do it". I would argue that we need more people involved in it not less. Why should "the man" have everything his way ? Sometimes it is necessary to step outside the law, precisely because it is the law. If an authoritarian govt. says you can't access a website, should you just say "yes sir", or would you find a way to do it anyway ? I would have thought that with all the passive-aggressive angst on here recently regarding Irans internet policy, the answer should be obvious.

      "Hacking" drives security, and keeps the corporations and the govt. awake. Information is control, why should the powers that be have all the control ?

    4. Re:Criminal record == no job by Captain+Jack+Taylor · · Score: 5, Insightful

      Don't worry, you sound like a great candidate for President.

  6. Not in my experience by Anonymous Coward · · Score: 4, Interesting

    I worked at a company who shall remain anonymous. I worked there as their security consultant and was in charge of keeping the systems secure.

    I noticed that their systems were insecure, I kept telling them that these things will get hacked, I kept telling them that they are wide open. Did they listen to me? No. They kept going on and on, I worked to patch as many holes as I can, but the system was insecure in itself (things like passwords stored in plain text on mysql databases etc...). Fixes I recommended were rejected by management because they would change things from how they were used to, or too expensive, or "but who would want to hack us" responses.

    A few weeks ago our external servers get hacked (surprise surprise), and the hacker notifies the company. What do they do? They pay the guy 600 euros per domain (we have a lot of domains) to fix it for us. That dude had the ear of all management, everything he said went, they changed things that I've been recommending to them for months because he said so. And to finish it off, he earned more money in those two weeks working for this company than I did in the last 6 months, to make fixes I've been telling them to do since I got the job.

    F*ck it, in future I will just break into computers and then offer them a huge fee to fix them, It seems to pay more to do it that way. The company didn't call the police, just kept it as quiet as possible so word didn't get out.

    Posting anonymously for obvious reasons.

    1. Re:Not in my experience by fluffy99 · · Score: 3, Insightful

      Have you expressed this very directly to your management? Perhaps now they will be more receptive to your wisdom. If they aren't, you need to either find another job or recognize that they really don't give a crap and work with what you've got. Otherwise, continuing to complain when they don't care will just get you labeled a whiner, or worse a scapegoat when another intrusion happens.

  7. Re:Crackers, not hackers by ActusReus · · Score: 3, Insightful

    Sorry, but I think it's time to acknowledge that there are some "Wordsmith Wars" that have simply been lost. Moreover, lost about 10-15 years ago. The general public is not going to refer to "Linux" as "GNU/Linux"... not going to use licensing terms like "Libre"... and thinks of "cracker" as a silly racial slur for white people.