Does It Make Sense To Hire A Convicted Cracker For Security Work?
from the too-much-risk? dept
InformationWeek is looking at whether or not companies are willing to hire hackers who were previously convicted of committing computer related crimes to help them with their own security (and, yes, before people go nuts in the comments, not all "hackers" are bad, but this is about those who broke the law and were convicted of it). The general consensus seems to be that high profile convicted hackers do end up with jobs -- but not in doing security work. Often it's in writing or speaking about it. Basically, many companies have found that there are many qualified security experts who can do the job who never broke the law -- and, as one person points out: "Criminal records prove nothing except that you were stupid enough to get caught in the first place." That may be a bit extreme, as some of the prosecutions over "hacking" that occurred a while back were based more on fear than on a real understanding of what was done. However, it does point out that a conviction hardly means that you're qualified as a security expert.
Filed Under: convicted hackers, security
Reader Comments
What about other "reformed" criminals?
[ link to this | view in chronology ]
Re: What about other "reformed" criminals?
Well, that's a bit different, as the point of a convicted cracker is that they were successfully able to break security down -- which is what you want of a security expert, especially if they're doing penetration testing. The same isn't true of the examples you describe.
[ link to this | view in chronology ]
Re: Re: What about other "reformed" criminals?
[ link to this | view in chronology ]
Re: What about other "reformed" criminals?
I do think convicted hackers might make a good addition to a company's security team or hired as a consultant. There is a risk, but at least if anything happens it will be caught fairly quickly since your legit security experts are expecting this "hacker" to try and get through your defenses anyway.
[ link to this | view in chronology ]
Depends...
[ link to this | view in chronology ]
Re: Depends...
[ link to this | view in chronology ]
Al Capone, Bank Security?
[ link to this | view in chronology ]
Re: Al Capone, Bank Security?
To kindly correct you, 99% of _real_ hacking is done via remote. If a system has several 0 day vulnerabilities then it is most likely able to be hacked. 7 out of 10 computer users (like yourself) are pretty ignorant when it comes to computing security so it's likely that it could happen to anyone who's not Tech/Security savvy. Before you comment on something you don't know anything about you should seriously google it.
[ link to this | view in chronology ]
Security
One example is the fellow who exploited.. Myspace? I believe Myspace.. with a simple JS attack that forced everyone who visited his page to add him as a friend, and then add the code to their own page that would add him as a friend to anyone who visited -those- pages... He ended up with a six figure salary at... Um... Hrm.. Symantec I believe? I can't quite recall. That was a story.. I think it was given by Caleb Sima, can't quite recall atm. It's been a couple of years since the speaker, and I don't take notes, so...
[ link to this | view in chronology ]
Re: Security
If you truly are an Information Security MS, I am shocked that you would say such a thing.
#1. If someone is told never to hack again, that is what it means.
#2. Is hacking a felony?
#3. How could a law abiding company hire a convicted criminal? Would they hire a child molester to be a janitor in a junior high school? I don't think so.
Can Martha Stewart run another company? I don't think so.
I am a Criminal Investigator student and sir I am ashamed that you with your MS would dare say such a thing. You of all people know that this is wrong as wrong can be.
There are too many law abiding men and women who are experts at computers who I would hire before I would hire a convicted hacker. NO WAY NO HOW. To consider such a thing is asinine.
[ link to this | view in chronology ]
Re: Re: Security
Mrrar was correct, the people who do these types of 'crimes' as you so dully put it, are simply experimenting with systems. Some do it for fun or education and some do it for bad. Whatever the reason is, that wouldn't hold them back in getting where they want seeing as they know how to secure someone's network. And seeing how you're a criminal investigator that further tells me that you have hardly a clue of what you're talking about. You can't compare a child molester to a hacker.
[ link to this | view in chronology ]
Who knows better?
[ link to this | view in chronology ]
See also: http://en.wikipedia.org/wiki/Frank_Abagnale
[ link to this | view in chronology ]
Auto Thieves
[ link to this | view in chronology ]
Sure
I suppose it might be ok if you NEVER plan to prosecute anyone for any incidents.
As soon as you bring in a convicted cracker you have given the rest of the world reasonable doubt.
[ link to this | view in chronology ]
Don't hire the losers
[ link to this | view in chronology ]
Re: Don't hire the losers
[ link to this | view in chronology ]
Re: Re: Don't hire the losers
[ link to this | view in chronology ]
He can't help it. . .
[ link to this | view in chronology ]
Re: He can't help it. . .
[ link to this | view in chronology ]
Re: Re: He can't help it. . .
[ link to this | view in chronology ]
Depends upon the individual involved.
[ link to this | view in chronology ]
'hackers' are frequently unlike regular criminals
Many (most?) hackers/crackers learn about computer security because it's a game. Breaking into real live 'secure' sites means you've won, you've outsmarted and beaten the 'professional' security people.
So you invite them to play on the other team. Same game, except this time you're playing the security guy and have to outsmart the hacker.
It's like if you had a chess player that's only ever played a game on the black side. If you let him play white he doesn't care. It's still the same game.
[ link to this | view in chronology ]
Re: 'hackers' are frequently unlike regular crimin
[ link to this | view in chronology ]
Re: Re: 'hackers' are frequently unlike regular cr
[ link to this | view in chronology ]
Re: Re: Re: 'hackers' are frequently unlike regula
[ link to this | view in chronology ]
Historical Precedents
In fact, thinking about it, the ones who actually do it for financial gain would probably make the best employees; the kind who do it for the craic or to make their dicks look bigger would be too unreliable.
[ link to this | view in chronology ]
There's a difference..
If they're employed as a security consultant, continuing to play a blackhat has become far too easy. The game has changed. They're in it for the challenge, now the challenge is to beat the blackhats and they will play the whitehat role as well as they can.
This is assuming you're dealing with a 'pathological hacker', someone like Mitnick for example, who is really just in it for the game. That you can't always be sure of I guess.
[ link to this | view in chronology ]
Skills vs Morals
I think there can still be a legitimate way to make use of such people, without having to trust them with your sensitive secrets--use them as part of a penetration-testing team, as an attacker, not a defender. In other words, a situation where their propensity to break the rules can be used to advantage.
For some reason, I keep thinking of General Paul van Riper and his (in)famous handling of the "Millennium Challenge 2002" military exercise.
[ link to this | view in chronology ]
Convictions prove...
[ link to this | view in chronology ]
Not a bad idea
It's not necessarily a bad idea to hire these people on, just to keep them out of trouble. I suppose what it comes down to is whether you think you can supervise their activities well enough to keep them out of trouble.
[ link to this | view in chronology ]
some people are lame
The smartest people have gotten caught, from high level heads of countries, to mafia, and so on, down to the most common criminal. If you go into prison for burglary, you come out a much better burglar. No alarms nor security systems can stop a burglar if he's intent on getting what he wants...NO SECURITY SYSTEM! (other than Fort Knox)
[ link to this | view in chronology ]
best hacker i found
[ link to this | view in chronology ]