Slashdot Mirror


Former LulzSec Hacker Gets a Job As Security Adviser At Big UK Firm (softpedia.com)

An anonymous reader writes: Mustafa Al-Bassam, co-founder and former member of LulzSec under the alias tFlow, has announced he'll be joining Secure Trading, a UK-based online payments firm, assuming the role of security adviser. He'll be consulting the company on various ways to secure their upcoming blockchain-based payments system. The announcement comes two days after another hacker (GhostShell) revealed his true identity, just so he could get prosecuted, get it over with, and move on with his life by getting a legitimate job in the security industry.

38 comments

  1. Cha-ching! by Anonymous Coward · · Score: 0

    It's nice to see these fine, principled hackers selling the fuck out.

    This is why you never trust revolutionaries and insurgents. They're ultimately looking to overthrow the Man so that they can become the Man.

    1. Re:Cha-ching! by U2xhc2hkb3QgU3Vja3M · · Score: 1

      That's why you can only trust male, cross-dressing revolutionaries and insurgents. They don't even want to be the man in the first place.

    2. Re:Cha-ching! by TheCarp · · Score: 1

      Or, "Never trust anyone over 30" :)

      There is a great quote often mis-attributed to Churchill:
      "If you're not a liberal when you're 25, you have no heart. If you're not a conservative by the time you're 35, you have no brain."

      --
      "I opened my eyes, and everything went dark again"
  2. Rewarding Criminals! by mlw4428 · · Score: 1, Informative

    It's like giving a rapist a job as a sex toy consultant.

    1. Re:Rewarding Criminals! by tnk1 · · Score: 1

      That's almost exactly what it is like. Like a rapist, these folks have documented proof, courtesy of the criminal justice system, that they have done penetrations.

    2. Re:Rewarding Criminals! by U2xhc2hkb3QgU3Vja3M · · Score: 1

      And in the end, it's always the users that get screwed.

    3. Re:Rewarding Criminals! by Anonymous Coward · · Score: 0

      No, it would be like giving a pedophile a job as a child's toy consultant.

      No physical harm was done in either case. (except pissy children that broke their console controllers over their foreheads / brothers / sisters)

    4. Re:Rewarding Criminals! by Anonymous Coward · · Score: 0

      I find your analogy limping.

    5. Re:Rewarding Criminals! by vel-ex-tech · · Score: 2

      Yep. Yet another sign that things aren't right when it comes to tech jobs. We have massive diversity problems because of asshole managers who demand that workers have zero personal life and 24/7/365 availability, driving women out of the industry.

      Those of us who did what we were told, didn't go blackhat with our skills, and didn't try to rock the boat hoping we'd get ahead didn't. Hell, a lot of us here have stories about being harassed, railroaded, and either threatened with criminal prosecution or actually prosecuted by our middle schools and high schools.

      Our jobs are getting shipped overseas with H1B visas all the while companies can't figure out either telecommuting or opening branch offices in places with lower costs of living. Meanwhile, hiring managers can't be arsed to even figure out what the fuck it is we do for and can offer to an organization, chalking it up to magic that's somehow just socially below them but intellectually above them and expecting to find people with 10 years experience with Visual Basic 2015 when what they really fucking need is somebody who's been a dot net developer since dot net 1.0 who writes code in a non-brain damaged dialect like C#--it all compiles to the same fucking MSIL.

      Oh, but if you're a rock star like Mustafa Al-Bassam here, they'll roll out the red carpet!

      Takeaway: if you want to go into tech to make a living, go blackhat. Get creative. Maybe hack some bank accounts. Steal bitcoins. Steal user credentials. Sell credit card numbers on the black market. Cause grief for megacorps. Build botnets and DDOS websites until the owner pays up. Send out trojans that encrypt and hold user data hostage for a modest sum of bitcoins, usually worth less than the data is worth were it to be destroyed. I hear a lot of these data ransom scams actually have good customer service! See, you can even work on your people skills as a blackhat!

      Maybe make a load of cash this way, waaay more than you'll make for shit per hour/year. Then when you're ready to get a normal job and are tired of dodging the authorities, just publicly dox yourself, serve a token sentence, and get hired for god knows how much!

      Whiskey tango foxtrot?!

    6. Re:Rewarding Criminals! by Raenex · · Score: 1

      We have massive diversity problems because of asshole managers who demand that workers have zero personal life and 24/7/365 availability, driving women out of the industry.

      Oh Christ, not this shit again. Women, as a general rule, are not as interested in tech as men are. And having to be available 24/7 seems like a much bigger problem than "massive diversity problems". Then again, not every tech job is like that.

      Takeaway: if you want to go into tech to make a living, go blackhat. [..] Then when you're ready to get a normal job and are tired of dodging the authorities, just publicly dox yourself, serve a token sentence, and get hired for god knows how much!

      No thanks. I'd rather not spend a year or multiple years in prison. And I'm not a thief.

    7. Re:Rewarding Criminals! by tehcyder · · Score: 1

      Women, as a general rule, are not as interested in tech as men are

      No, to paraphrase Raymond Chandler, some women are not as interested in tech as some men.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    8. Re:Rewarding Criminals! by hoggoth · · Score: 1

      You sound upset that you behaved, did as you were told, and didn't get rewarded.

      You are a salesperson. Everyone is a salesperson no matter what field you are in, and the product is yourself. Build an interesting 'brand' around yourself and you will get interest. Be a good little worker-ant in a quiet back room and you will not get noticed no matter how good you are. Mustafa isn't being rewarded for his poor ethics, he is being rewarded for having an interesting story that gets attention despite his poor ethics. You can be sure the guy making the decision to put Mustafa in charge of keeping their money safe had to think hard about giving the keys to this hacker. LulzSec was as much about marketing themselves (fame, 'leet cred') as about hacking.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
  3. Ha ha, no. by Anonymous Coward · · Score: 0

    There is no reason to expect that a rapist's sex toy designs would sell better than anyone else's.

    There is good reason to believe that someone with a demonstrated ability to break through ostensibly secure systems would be able to provide valuable insight into how to keep such systems safe from people like himself.

    It isn't fair, but when hiring security consultants, one wants to make sure the person can get the job done.

    1. Re:Ha ha, no. by Anonymous Coward · · Score: 1

      Except that there are a lot more people with the skill to find vulnerabilities than there are high-profile crackers and DDoSers.

      So it's like saying, "This person is obese, so clearly they would make a good food taster." No - all it means is that they're willing to spend a lot of time eating a lot of your food.

    2. Re:Ha ha, no. by Anonymous Coward · · Score: 0

      Crackers have proven their ability to defeat security systems. There is no room for doubt.

      Many professionals have degrees, make claims, etc. Maybe they have the skills, and maybe they don't. Maybe they can only solve academic security issues and don't have good intuitions for real-world vulnerabilities. Or maybe they do. Maybe they have done penetration testing and reported lists of vulnerabilities, but that still doesn't give an objective indicator as to how realistic exploitation for those vulnerabilities is. It is a hard thing to prove.

      Having broken in, proves.

    3. Re:Ha ha, no. by Anonymous Coward · · Score: 0

      The proof is that they claim to have exploited at least one vulnerability.

      Firstly, that's not much of a track record. There's little in the way of structure to confirm that they're not just taking credit for others' work. If they did it only once or twice, they may just have got lucky - many vulnerabilities are trivial. People find them all the damn time, either accidentally or intentionally, but very few of them try to fuck people over running vulnerable software.

      Secondly, and perhaps more importantly, their activity says more about their ethical values than their technical skills. I'd assume such a person was going to be collecting information to use against me if ever I did something that didn't please them, like terminate their contract because I no longer needed their services. There's good reason for professional bodies that have existed longer than computers have been a thing to judge certain people unfit to enter or to continue in the profession - sure, some of the best criminal minds who have evaded the law for years might make good upstanding detectives, but they'll be even better corrupt detectives.

    4. Re:Ha ha, no. by Anonymous Coward · · Score: 0

      You seem to be thinking like a technician.

      Usually, the people hiring for these positions are not technicians.

    5. Re:Ha ha, no. by vel-ex-tech · · Score: 1

      You have a point here.

      This speaks to the complete state of disrepair the various fields in tech are in. Fast talking con artists can play bullshit buzzword bingo and get in even though they can't code their way out of a paper box.

      I don't know what the answer is. Certifications have clearly shown to be inadequate. Degrees are so hopelessly watered down as to be meaningless (not to mention the cost of obtaining one is spiraling out of control thanks to the student-loan-college-industrial-complex).

      I mean, I don't doubt the guy's skills. I haven't really maintained my skills lately because I no longer want to have anything to fucking do with tech, so he could probably take me to school. On the other hand, I doubt he could break into webapps I publish because I understand the underpinnings and RFCs and generally know what the fuck I'm doing. I may have said I'm not maintaining my skills, but the old rule of "validate all input and trust no input" is as true as the day I got into this field. Who says he's not just a metasploit jockey? I have that installed on my server in the clouds, just haven't had time or lately interest to learn how to use it for penetration testing.

      Your point is valid if we remove all ethical concerns from the question. Do you really want somebody who had no problem defacing websites and stealing user data working for you? Maybe you do. I don't know. It's a free country.

      It's just a damned shame that the state of the field is in such shambles.

    6. Re:Ha ha, no. by lucm · · Score: 1

      At least they didn't give that one his own tv show

      --
      lucm, indeed.
    7. Re:Ha ha, no. by Anonymous Coward · · Score: 0

      Or like a customer.

  4. Mustafa by Anonymous Coward · · Score: 0

    Isn't that a Lion King character or something ?

    1. Re:Mustafa by tehcyder · · Score: 1

      Isn't that a Lion King character or something ?

      That'll be Mustafa Pee, the incontinent hyena.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  5. Growing up by da_foz · · Score: 0

    This really just feels like kids growing up.
    They're having an 'oh crap' moment when they realize they need to own up to the mess they've made, deal with it, and get on with life. I'd say the difference in these cases if you try and compare with 20+ years ago is that in these cases the trouble they're able to cause is magnified by the wide reach and inter-connectivity of our current software systems.

    Do they need to be held accountable for what they've done? Yes!
    Should they be given the opportunity to atone by trying to make things better? Likely.

    1. Re:Growing up by hyades1 · · Score: 1

      Yeah...OK. So when Bush, Cheney, Blair and the rest of that foul crew own up and get held accountable, give me a call.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
    2. Re:Growing up by lucm · · Score: 2

      Roosevelt committed crimes against the economy and against the American people, and got away with it. There's quite a backlog when it comes to politics, Bush is minor leagues at best in that list.

      --
      lucm, indeed.
    3. Re:Growing up by Anonymous Coward · · Score: 0

      An armed robber is not allowed to own a gun. Give these Ass Hats 20yrs probation with the proviso that they cannot own a computer or smart phone.
      It was their means of criminality. They can get a shovel and a real job. Some people only serve to be a warning to the rest of society.

    4. Re:Growing up by tnk1 · · Score: 2

      That's sort of like saying we can't hold a murderer accountable because Bush started a war that got more people killed.

      Of course we can. These kids fucked up. Now, if there is a punishment, it should certainly fit the crime, to be sure. 20 years in prison doesn't seem like it would be fair, but it shouldn't be a slap on the hand either.

      I am definitely a little iffy on people hiring "retired" black hat hackers for their Red Team, if only because that tends to encourage hackers to black hat as a career path. When serving time is simply considered your stepping stone to a better non-criminal job, there's something wrong going on.

      Note, he's not doing it to atone or because he cares if he screwed anyone. He's doing it so he can take credit so everyone knows he's a well-known hacker. Which then *improves* his resume. Would Bush admitting that he ran an impressive scam to start a war mean that he'd get kudos and a job offer because he clearly knows how to get things done? I wouldn't think so.

  6. money by softnewsit · · Score: 1

    He goes to King's College... damn he has some serious money behind him

    --
    Go away!
  7. Trust? by Anonymous Coward · · Score: 0

    If I heard he was working for that company, I would cease doing business with them entirely.

    Who the fuck should trust this guy after the actions of lulzsec?

    Lastly, they have created a lightning rod for their own back, people will target their security to pwn them, then brag.

    Rethink your move, once you lose trust, it is either impossible or very very difficult to get back, especially in security and IT - CIA principle.

    1. Re: Trust? by Anonymous Coward · · Score: 0

      Ah, that explains why the CIA has given up trying to appear trustworthy.

  8. i want to hack too by Anonymous Coward · · Score: 0

    man, if that's what you got to do to get a BOSS job, then sign me up for anonymous then

  9. ethics by Anonymous Coward · · Score: 0

    One of the most important things for people who work in security is ethics. Sadly, it's also what the industry lacks the most. Also, most of these Anonymous-like "hax0rs" are just script kiddies, literally sqlmap and metasploit "operators".

    So let them dig their own hole, hiring an unethical script kiddie. Worked out well for Kevin Mitnick. Uhhh, he rode the bus for free using "social engineering".... big fucking deal. How on earth does that make him qualified for security consultancy?

  10. Stupid Hire by Anonymous Coward · · Score: 0

    Did Cosmo hire Ray Rice to teach them about women's safety? Did Wells Fargo hire Butch Cassidy to guard the trains? Did anyone want to hire John Dillinger to consult on Bank Security? When you hire a criminal, you get a criminal. What could possibly go wrong? A bunch of "smart guys" get beaten out of some money, then the thief calls to tell them how he did it and get paid again. What could go wrong?
    Very Stupid, Get your money out of that company.

    1. Re:Stupid Hire by KGIII · · Score: 1

      Actually, the dude who did all the counterfeiting ended up working for the FBI and then for the banks as a consultant and now designs things that are more difficult to counterfeit. He even got a movie named after him. Buggered if I can recollect the name but the person is a real person who has since moved on to do some computer security stuff if I recall the eWeek article.

      --
      "So long and thanks for all the fish."
    2. Re:Stupid Hire by Anonymous Coward · · Score: 0

      Frank Abagnale was portrayed in a movie, called Catch Me if You Can. However, he counterfeited checks, not money. He has, however, been an FBI consultant among other business since his release.

      Kevin Mitnick was also featured in a movie, and has been involved in some securities work since release from prison, but I don't recall him doing any counterfeiting.

    3. Re:Stupid Hire by tehcyder · · Score: 1

      When you hire a criminal, you get a criminal.

      It depends on your view of rehabilitation.

      Personally, I can see how a paedophile who has served his time in prison should be allowed to work so he's not just a drain on society, but that doesn't mean you'd employ him as a school caretaker.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    4. Re:Stupid Hire by KGIII · · Score: 1

      That's his name and yeah, he had some computer fraud detection or counterfeit detection stuff going the last time I saw him mentioned somewhere. He's got his own business now (or did) and I think they even have some software that they sell. I'm pretty sure it's not typical end-user stuff.

      It was a pretty good movie. I actually watched "Hackers" last night. Well, I tried to. I made it about halfway through. Given by the completed ratio, you can probably guess my opinion. I was less than impressed and could only make it so far into the movie.

      I don't think I've seen the Mitnick movie. I'll definitely remember to look for it. I had no idea that there was a movie - there are a few documentaries. I typically only watch documentaries. As in, I've probably watched less than a dozen regular movies in the past year. I'm going to guess that the total number is less than ten, now that I think about it. I do, on the other hand, have documentaries going quite often, that or some streaming news radio.

      At any rate, thanks. I'll check into the Mitnick movie tonight *if* I am still here and able to do so. Netflix or Hulu might have it. If not then, it's Mitnick, I'm sure one of the other sites will have it available for the low price of a few well crafted search terms.

      --
      "So long and thanks for all the fish."
  11. Hacker wannabe Ghostshell by georgech · · Score: 1

    There's an interview on a Romanian website with GhostShell where he explains why he doxed himself (it's in Romanian, but Google can translate it). I'm surprised this article didn't get picked up by more news agencies: http://www.hotnews.ro/stiri-es... He's been working in a UK factory for the last 3 years, 12 hour shifts because nobody in the IT industry would hire him. He doesn't really have marketable skills and he looks like a script kiddie that probably can't hack specific targets, but aims scripts and tools at the internet hoping for the best.