Does It Make Sense To Hire A Convicted Cracker For Security Work?

from the too-much-risk? dept

InformationWeek is looking at whether or not companies are willing to hire hackers who were previously convicted of committing computer-related crimes to help them with their own security (and, yes, before people go nuts in the comments, not all “hackers” are bad, but this is about those who broke the law and were convicted of it). The general consensus seems to be that high-profile convicted hackers do end up with jobs — but not in doing security work. Often it’s in writing or speaking about it. Basically, many companies have found that there are many qualified security experts who can do the job who never broke the law — and, as one person points out: “Criminal records prove nothing except that you were stupid enough to get caught in the first place.” That may be a bit extreme, as some of the prosecutions over “hacking” that occurred a while back were based more on fear than on a real understanding of what was done. However, it does point out that a conviction hardly means that you’re qualified as a security expert.


Comments on “Does It Make Sense To Hire A Convicted Cracker For Security Work?”

35 Comments
Jezsik says:

What about other "reformed" criminals?

Would you hire a convicted embezzler to do your accounting, a thief to do your housekeeping, an addict to work in your pharmacy? It really comes down to whether or not you can trust the person to overcome temptation again. In any event, getting convicted for something should certainly not give anyone credibility in that particular field.

Mike (profile) says:

Re: What about other "reformed" criminals?

Would you hire a convicted embezzler to do your accounting, a thief to do your housekeeping, an addict to work in your pharmacy?

Well, that’s a bit different, as the point of a convicted cracker is that they were successfully able to break security down — which is what you want of a security expert, especially if they’re doing penetration testing. The same isn’t true of the examples you describe.

TheDock22 says:

Re: What about other "reformed" criminals?

I think a better example of this is law enforcement using informants to feed them information on criminal activity, which does happen.

I do think convicted hackers might make a good addition to a company’s security team or hired as a consultant. There is a risk, but at least if anything happens it will be caught fairly quickly since your legit security experts are expecting this “hacker” to try and get through your defenses anyway.

moore850 (profile) says:

Al Capone, Bank Security?

That sounds like hiring Al Capone to guard a bank vault… major conflict of interest. If you want to hire someone with a background in actually committing real crime, then you are going to pay the price of extremely high risk. However, hiring someone with a slightly less than pristine past in terms of maybe a system hack here and there, who knows how to do it but doesn’t want to go to jail, that might be a way better bet. Common sense should prevail, i.e. who’s going to guard you against the convicted hacker, regardless of how secure your systems turn out to be? 99% of hacking is physical access, so be careful when ‘inviting the wolf into the henhouse’.

dellthinker says:

Re: Al Capone, Bank Security?

lmfao@ 99% of hacking is physical access. Sounds to me you’ve been watching too much CSI or whatever stupid T.V. shows people are watching these days.

To kindly correct you, 99% of _real_ hacking is done via remote. If a system has several 0 day vulnerabilities then it is most likely able to be hacked. 7 out of 10 computer users (like yourself) are pretty ignorant when it comes to computing security so it’s likely that it could happen to anyone who’s not Tech/Security savvy. Before you comment on something you don’t know anything about you should seriously google it.

Mrrar says:

Security

Just to provide context, I have an MS in Information Security. With that said, yes, companies that are concerned with security, in particular those who are focused on it, would be willing (and eager) to hire a ‘cracker.’

One example is the fellow who exploited.. Myspace? I believe Myspace.. with a simple JS attack that forced everyone who visited his page to add him as a friend, and then add the code to their own page that would add him as a friend to anyone who visited -those- pages… He ended up with a six figure salary at… Um… Hrm.. Symantec I believe? I can’t quite recall. That was a story.. I think it was given by Caleb Sima, can’t quite recall atm. It’s been a couple of years since the speaker, and I don’t take notes, so…

LadyBarb says:

Re: Security

To Mirrar, I have an MS in Information Security. With that said, yes, companies that are concerned with security, in particular those who are focused on it, would be willing (and eager) to hire a ‘cracker.’
If you truly are an Information Security MS, I am shocked that you would say such a thing.
#1. If someone is told never to hack again, that is what it means.
#2. Is hacking a felony?
#3. How could a law abiding company hire a convicted criminal? Would they hire a child molester to be a janitor in a junior high school? I don’t think so.
Can Martha Stewart run another company? I don’t think so.
I am a Criminal Investigator student and sir I am ashamed that you with your MS would dare say such a thing. You of all people know that this is wrong as wrong can be.
There are too many law abiding men and women who are experts at computers who I would hire before I would hire a convicted hacker. NO WAY NO HOW. To consider such a thing, is asinine.

dellthinker says:

Re: Re: Security

It’s really funny to see how ignorant people of today can really be.

Mrrar was correct, the people who do these types of ‘crimes’ as you so dully put it, are simply experimenting with systems. Some do it for fun or education and some do it for bad. Whatever the reason is, that wouldn’t hold them back in getting where they want seeing as they know how to secure someone’s network. And seeing how you’re a criminal investigator that further tells me that you have hardly a clue of what you’re talking about. You can’t compare a child molester to a hacker.

Bitgolem says:

Who knows better?

Thieves and hackers are often hired to do security work specifically because they know what the other side is trying. Who better to stop a hacker than a hacker? They replace the challenge of trying to get in with the challenge of trying to keep people out. It’s just a game to them anyway, so why shouldn’t someone profit?

GeneralEmergency (profile) says:

Depends upon the individual involved.

If you ever have worked with and around convicted hackers before (and I have), you can get a sense of what drives them as individuals. For some, it’s anger and insecurity, some are pranksters that don’t know the correct boundary of a joke, others, sadly, have an egotistic and sociopathic core personality and then there is this one class of hacker that suffers from a relentless, overpowering curiosity that leads them into risk taking behaviours. This last type mellows with age and can make good hired help. The rest are wild cards in my opinion.

zcat says:

'hackers' are frequently unlike regular criminals

Most criminals learn what they need to know purely to reach the end goal; getting the goods.

Many (most?) hackers/crackers learn about computer security because it’s a game. Breaking into real live ‘secure’ sites means you’ve won, you’ve outsmarted and beaten the ‘professional’ security people.

So you invite them to play on the other team. Same game, except this time you’re playing the security guy and have to outsmart the hacker.

It’s like if you had a chess player that’s only ever played a game on the black side. If you let him play white he doesn’t care. It’s still the same game.

Le Blue Dude says:

Re: 'hackers' are frequently unlike regular crimin

I can understand that. Using this name I hang out on forums and catch/stop/hunt Trolls. Using other ID’s I am one. Note that when I troll, I just find the most disruptive thing to say, and when I troll hunt I don’t really care who I’m defending.

l3fty says:

Re: Re: 'hackers' are frequently unlike regular cr

Then you would be an example of the type that one wouldn’t want to hire. You may know the game from both sides, but your loyalty would always be in question. As may be your claims of security risks. Are they real or just a diversion? Are we opening ourselves up somewhere else to fix this? They would always have to wonder, but such is the nature of security. Locks only keep honest people honest.

Jake says:

Historical Precedents

The SOE and OSS were putting convicted burglars and forgers on the payroll back in the 1940s, and their successor organisations probably still do. If it’s good enough for them, why shouldn’t private industry follow their lead?
In fact, thinking about it, the ones who actually do it for financial gain would probably make the best employees; the kind who do it for the craic or to make their dicks look bigger would be too unreliable.

zcat says:

There's a difference..

Blackhats may pose as whitehats temporarily, aka ‘social engineering’. That’s different from switching sides.

If they’re employed as a security consultant, continuing to play a blackhat has become far too easy. The game has changed. They’re in it for the challenge, now the challenge is to beat the blackhats and they will play the whitehat role as well as they can.

This is assuming you’re dealing with a ‘pathological hacker’, someone like Mitnick for example, who is really just in it for the game. That you can’t always be sure of I guess.

Lawrence D'Oliveiro says:

Skills vs Morals

I think there can still be a legitimate way to make use of such people, without having to trust them with your sensitive secrets–use them as part of a penetration-testing team, as an attacker, not a defender. In other words, a situation where their propensity to break the rules can be used to advantage.

For some reason, I keep thinking of General Paul van Riper and his (in)famous handling of the “Millennium Challenge 2002” military exercise.

Lisa Westveld says:

Convictions prove...

The convictions prove that the convicted cracker wasn’t smart enough to crack any system without being discovered. Those crackers who have not been convicted are therefore a lot smarter. They manage to crack systems without anyone in the position to prove this. Thus, those who have not been convicted can be a lot more experienced. Those who are convicted are more useful to educate others with their speeches, in the hopes that any would-be cracker makes the same mistakes that they did.

Ferin says:

Not a bad idea

A good friend of mine spent most of his high school career finding new and creative ways to have the local FBI field agents visit his house and lecture him about messing with computer and telephone systems. Now he’s working as a computer security contractor for the Pentagon. (As a side note we spent about a half hour on the phone laughing our asses off about the new “Cyber Command!”)

It’s not necessarily a bad idea to hire these people on, just to keep them out of trouble. I suppose what it comes down to is whether you think you can supervise their activities well enough to keep them out of trouble.

Anthony says:

some people are lame

Just because a person gets caught does not mean he is stupid, in fact by the time a burglar is actually caught he has committed hundreds of burglaries previously.
The smartest people have gotten caught, from high level heads of countries, to mafia, and so on, down to the most common criminal. If you go into prison for burglary, you come out a much better burglar. No alarms nor security systems can stop a burglar if he’s intent on getting what he wants…NO SECURITY SYSTEM! (other than Fort Knox)

