Does It Make Sense To Hire A Convicted Cracker For Security Work?

from the too-much-risk? dept

InformationWeek is looking at whether or not companies are willing to hire hackers who were previously convicted of committing computer-related crimes to help them with their own security (and, yes, before people go nuts in the comments, not all "hackers" are bad, but this is about those who broke the law and were convicted of it). The general consensus seems to be that high-profile convicted hackers do end up with jobs -- but not in doing security work. Often it's in writing or speaking about it. Basically, many companies have found that there are many qualified security experts who can do the job who never broke the law -- and, as one person points out: "Criminal records prove nothing except that you were stupid enough to get caught in the first place." That may be a bit extreme, as some of the prosecutions over "hacking" that occurred a while back were based more on fear than on a real understanding of what was done. However, it does point out that a conviction hardly means that you're qualified as a security expert.

Filed Under: convicted hackers, security


Reader Comments

  • Jezsik, 12 Mar 2008 @ 1:17pm

    What about other "reformed" criminals?

    Would you hire a convicted embezzler to do your accounting, a thief to do your housekeeping, an addict to work in your pharmacy? It really comes down to whether or not you can trust the person to overcome temptation again. In any event, getting convicted for something should certainly not give anyone credibility in that particular field.

    • Mike, 12 Mar 2008 @ 1:52pm

      Re: What about other "reformed" criminals?

      Would you hire a convicted embezzler to do your accounting, a thief to do your housekeeping, an addict to work in your pharmacy?

      Well, that's a bit different, as the point of a convicted cracker is that they were successfully able to break security down -- which is what you want of a security expert, especially if they're doing penetration testing. The same isn't true of the examples you describe.

      • JS Beckerist, 12 Mar 2008 @ 2:47pm

        Re: Re: What about other "reformed" criminals?

        Yeah more like, would you want to hire a thief to break into cars that the driver locked the keys in, or would you want to hire someone convicted of growing pot for your greenhouse. Same job, just different side of the law.

    • TheDock22, 12 Mar 2008 @ 2:14pm

      Re: What about other "reformed" criminals?

      I think a better example of this is law enforcement using informants to feed them information on criminal activity, which does happen.

      I do think convicted hackers might make a good addition to a company's security team or hired as a consultant. There is a risk, but at least if anything happens it will be caught fairly quickly since your legit security experts are expecting this "hacker" to try and get through your defenses anyway.

  • Le Blue Dude, 12 Mar 2008 @ 1:53pm

    Depends...

    'pends on the person, ultimately. Cacking's a bit different than physical crimes....

    • Le Blue Dude, 12 Mar 2008 @ 1:54pm

      Re: Depends...

      I need a new keyboard.... My keys don't register about a tenth of the time. That's really, really, absurdly often.

  • moore850, 12 Mar 2008 @ 1:59pm

    Al Capone, Bank Security?

    That sounds like hiring Al Capone to guard a bank vault... major conflict of interest. If you want to hire someone with a background in actually committing real crime, then you are going to pay the price of extremely high risk. However, hiring someone with a slightly less than pristine past in terms of maybe a system hack here and there, who knows how to do it but doesn't want to go to jail, that might be a way better bet. Common sense should prevail, i.e. who's going to guard you against the convicted hacker, regardless of how secure your systems turn out to be? 99% of hacking is physical access, so be careful when 'inviting the wolf into the henhouse'.

    • dellthinker, 17 Jun 2009 @ 10:42am

      Re: Al Capone, Bank Security?

      lmfao@ 99% of hacking is physical access. Sounds to me you've been watching too much CSI or whatever stupid T.V. shows people are watching these days.

      To kindly correct you, 99% of _real_ hacking is done via remote. If a system has several 0 day vulnerabilities then it is most likely able to be hacked. 7 out of 10 computer users (like yourself) are pretty ignorant when it comes to computing security so it's likely that it could happen to anyone who's not Tech/Security savvy. Before you comment on something you don't know anything about you should seriously google it.

  • Mrrar, 12 Mar 2008 @ 2:03pm

    Security

    Just to provide context, I have an MS in Information Security. With that said, yes, companies that are concerned with security, in particular those who are focused on it, would be willing (and eager) to hire a 'cracker.'

    One example is the fellow who exploited.. Myspace? I believe Myspace.. with a simple JS attack that forced everyone who visited his page to add him as a friend, and then add the code to their own page that would add him as a friend to anyone who visited -those- pages... He ended up with a six figure salary at... Um... Hrm.. Symantec I believe? I can't quite recall. That was a story.. I think it was given by Caleb Sima, can't quite recall atm. It's been a couple of years since the speaker, and I don't take notes, so...

    • LadyBarb, 29 Apr 2008 @ 11:29am

      Re: Security

      To Mrrar, I have an MS in Information Security. With that said, yes, companies that are concerned with security, in particular those who are focused on it, would be willing (and eager) to hire a 'cracker.'
      If you truly are an Information Security MS, I am shocked that you would say such a thing.
      #1. If someone is told never to hack again, that is what it means.
      #2. Is hacking a felony?
      #3. How could a law abiding company hire a convicted criminal? Would they hire a child molester to be a janitor in a junior high school? I don't think so.
      Can Martha Stewart run another company? I don't think so.
      I am a Criminal Investigator student and sir I am ashamed that you with your MS would dare say such a thing. You of all people know that this is wrong as wrong can be.
      There are too many law abiding men and women who are experts at computers who I would hire before I would hire a convicted hacker. NO WAY NO HOW. To consider such a thing is asinine.

      • dellthinker, 17 Jun 2009 @ 10:50am

        Re: Re: Security

        It's really funny to see how ignorant people of today can really be.

        Mrrar was correct, the people who do these types of 'crimes' as you so dully put it, are simply experimenting with systems. Some do it for fun or education and some do it for bad. Whatever the reason is, that wouldn't hold them back in getting where they want seeing as they know how to secure someone's network. And seeing how you're a criminal investigator that further tells me that you have hardly a clue of what you're talking about. You can't compare a child molester to a hacker.

  • Bitgolem, 12 Mar 2008 @ 2:06pm

    Who knows better?

    Thieves and hackers are often hired to do security work specifically because they know what the other side is trying. Who better to stop a hacker than a hacker? They replace the challenge of trying to get in with the challenge of trying to keep people out. It's just a game to them anyway, so why shouldn't someone profit?

  • Wesha, 12 Mar 2008 @ 2:09pm

    Well, I would certainly hire a convicted safe-cracker as a consultant for my safe manufacturing company. After all, he knows a thing or two about safe safety.

    See also: http://en.wikipedia.org/wiki/Frank_Abagnale

  • Anonymous Coward, 12 Mar 2008 @ 2:13pm

    Auto Thieves

    After my car was stolen the insurance company sent out an investigator that told me he was hired because he was an experienced and convicted car thief.

  • Dan, 12 Mar 2008 @ 2:55pm

    Sure

    Like it makes sense to hire convicted pedophiles to babysit.

    I suppose it might be ok if you NEVER plan to prosecute anyone for any incidents.

    As soon as you bring in a convicted cracker you have given the rest of the world reasonable doubt.

  • NRK, 12 Mar 2008 @ 3:04pm

    Don't hire the losers

    Got caught, served time, you are a loser. Didn't get caught and have done it time and time again? Now that is the one I want to hire.

    • Le Blue Dude, 12 Mar 2008 @ 3:18pm

      Re: Don't hire the losers

      eah, but they're harder to find, seeing as how if you knew how to find/contact them you would be legally obligated to share this info with the police... That is to say they're hunted men, and the moment you verify their identity they are arrested.

  • Only Reads the Headline, 12 Mar 2008 @ 3:13pm

    He can't help it. . .

    . . if he's guilty of being white.

    • redhammy, 12 Mar 2008 @ 3:20pm

      Re: He can't help it. . .

      I just came here to make sure somebody made this joke. I was not disappointed.

  • GeneralEmergency, 12 Mar 2008 @ 3:15pm

    Depends upon the individual involved.

    If you ever have worked with and around convicted hackers before (and I have), you can get a sense of what drives them as individuals. For some, it's anger and insecurity, some are pranksters that don't know the correct boundary of a joke, others, sadly, have an egotistic and sociopathic core personality and then there is this one class of hacker that suffers from a relentless, overpowering curiosity that leads them into risk taking behaviours. This last type mellows with age and can make good hired help. The rest are wild cards in my opinion.

  • zcat, 12 Mar 2008 @ 3:33pm

    'hackers' are frequently unlike regular criminals

    Most criminals learn what they need to know purely to reach the end goal; getting the goods.

    Many (most?) hackers/crackers learn about computer security because it's a game. Breaking into real live 'secure' sites means you've won, you've outsmarted and beaten the 'professional' security people.

    So you invite them to play on the other team. Same game, except this time you're playing the security guy and have to outsmart the hacker.

    It's like if you had a chess player that's only ever played a game on the black side. If you let him play white he doesn't care. It's still the same game.

    • Le Blue Dude, 12 Mar 2008 @ 3:50pm

      Re: 'hackers' are frequently unlike regular crimin

      I can understand that. Using this name I hang out on forums and catch/stop/hunt Trolls. Using other ID's I am one. Note that when I troll, I just find the most disruptive thing to say, and when I troll hunt I don't really care who I'm defending.

      • l3fty, 12 Mar 2008 @ 4:48pm

        Re: Re: 'hackers' are frequently unlike regular cr

        Then you would be an example of the type that one wouldn't want to hire. You may know the game from both sides, but your loyalty would always be in question. As may be your claims of security risks. Are they real or just a diversion? Are we opening ourselves up somewhere else to fix this? They would always have to wonder, but such is the nature of security. Locks only keep honest people honest.

        • Le Blue Dude, 12 Mar 2008 @ 5:11pm

          Re: Re: Re: 'hackers' are frequently unlike regula

          My most common troll name is Asmodeus Thatcher. I never troll on forums which I'm troll hunting: Playing against myself is no fun.

  • Jake, 12 Mar 2008 @ 4:49pm

    Historical Precedents

    The SOE and OSS were putting convicted burglars and forgers on the payroll back in the 1940s, and their successor organisations probably still do. If it's good enough for them, why shouldn't private industry follow their lead?
    In fact, thinking about it, the ones who actually do it for financial gain would probably make the best employees; the kind who do it for the craic or to make their dicks look bigger would be too unreliable.

  • zcat, 12 Mar 2008 @ 5:30pm

    There's a difference..

    Blackhats may pose as whitehats temporarily, aka 'social engineering'. That's different from switching sides.

    If they're employed as a security consultant, continuing to play a blackhat has become far too easy. The game has changed. They're in it for the challenge, now the challenge is to beat the blackhats and they will play the whitehat role as well as they can.

    This is assuming you're dealing with a 'pathological hacker', someone like Mitnick for example, who is really just in it for the game. That you can't always be sure of I guess.

  • Lawrence D'Oliveiro, 12 Mar 2008 @ 9:44pm

    Skills vs Morals

    I think there can still be a legitimate way to make use of such people, without having to trust them with your sensitive secrets--use them as part of a penetration-testing team, as an attacker, not a defender. In other words, a situation where their propensity to break the rules can be used to advantage.

    For some reason, I keep thinking of General Paul van Riper and his (in)famous handling of the "Millennium Challenge 2002" military exercise.

  • Lisa Westveld, 13 Mar 2008 @ 3:58am

    Convictions prove...

    The convictions prove that the convicted cracker wasn't smart enough to crack any system without being discovered. Those crackers who have not been convicted are therefore a lot smarter. They manage to crack systems without anyone in the position to prove this. Thus, those who have not been convicted can be a lot more experienced. Those who are convicted are more useful to educate others with their speeches, in the hopes that any would-be cracker makes the same mistakes that they did.

  • Ferin, 13 Mar 2008 @ 5:04am

    Not a bad idea

    A good friend of mine spent most of his high school career finding new and creative ways to have the local FBI field agents visit his house and lecture him about messing with computer and telephone systems. Now he's working as a computer security contractor for the pentagon. (As a side note we spent about a half hour on the phone laughing our asses off about the new "Cyber Command!")

    It's not necessarily a bad idea to hire these people on, just to keep them out of trouble. I suppose what it comes down to is whether you think you can supervise their activities well enough to keep them out of trouble.

  • Anthony, 24 Oct 2009 @ 3:51pm

    some people are lame

    Just because a person gets caught does not mean he is stupid, in fact by the time a burglar is actually caught he has committed hundreds of burglaries previously.
    The smartest people have gotten caught, from high level heads of countries, to mafia, and so on, down to the most common criminal. If you go into prison for burglary, you come out a much better burglar. No alarms nor security systems can stop a burglar if he's intent on getting what he wants...NO SECURITY SYSTEM! (other than Fort Knox)
