Does It Make Sense To Hire A Convicted Cracker For Security Work?
from the too-much-risk? dept
InformationWeek is looking at whether or not companies are willing to hire hackers who were previously convicted of committing computer-related crimes to help them with their own security (and, yes, before people go nuts in the comments, not all "hackers" are bad, but this is about those who broke the law and were convicted of it). The general consensus seems to be that high-profile convicted hackers do end up with jobs -- but not in doing security work. Often it's in writing or speaking about it. Basically, many companies have found that there are many qualified security experts who can do the job who never broke the law -- and, as one person points out: "Criminal records prove nothing except that you were stupid enough to get caught in the first place." That may be a bit extreme, as some of the prosecutions over "hacking" that occurred a while back were based more on fear than on a real understanding of what was done. However, it does point out that a conviction hardly means that you're qualified as a security expert.
What about other "reformed" criminals? by Jezsik on Mar 12th, 2008 @ 1:17pm
Would you hire a convicted embezzler to do your accounting, a thief to do your housekeeping, an addict to work in your pharmacy? It really comes down to whether or not you can trust the person to overcome temptation again. In any event, getting convicted for something should certainly not give anyone credibility in that particular field.
Re: What about other "reformed" criminals? by Mike on Mar 12th, 2008 @ 1:52pm
Would you hire a convicted embezzler to do your accounting, a thief to do your housekeeping, an addict to work in your pharmacy?
Well, that's a bit different, as the point of a convicted cracker is that they were successfully able to break security down -- which is what you want of a security expert, especially if they're doing penetration testing. The same isn't true of the examples you describe.
Depends... by Le Blue Dude on Mar 12th, 2008 @ 1:53pm
'pends on the person, ultimately. Cacking's a bit different than physical crimes....
Re: Depends... by Le Blue Dude on Mar 12th, 2008 @ 1:54pm
I need a new keyboard.... My keys don't register about a tenth of the time. That's really, really, absurdly often.
Al Capone, Bank Security? by moore850 on Mar 12th, 2008 @ 1:59pm
That sounds like hiring Al Capone to guard a bank vault... major conflict of interest. If you want to hire someone with a background in actually committing real crime, then you are going to pay the price of extremely high risk. However, hiring someone with a slightly less than pristine past in terms of maybe a system hack here and there, who knows how to do it but doesn't want to go to jail, that might be a way better bet. Common sense should prevail, i.e. who's going to guard you against the convicted hacker, regardless of how secure your systems turn out to be? 99% of hacking is physical access, so be careful when 'inviting the wolf into the henhouse'.
Security by Mrrar on Mar 12th, 2008 @ 2:03pm
Just to provide context, I have an MS in Information Security. With that said, yes, companies that are concerned with security, in particular those who are focused on it, would be willing (and eager) to hire a 'cracker.'
One example is the fellow who exploited.. Myspace? I believe Myspace.. with a simple JS attack that forced everyone who visited his page to add him as a friend, and then add the code to their own page that would add him as a friend to anyone who visited -those- pages... He ended up with a six figure salary at... Um... Hrm.. Symantec I believe? I can't quite recall. That was a story.. I think it was given by Caleb Sima, can't quite recall atm. It's been a couple of years since the speaker, and I don't take notes, so...
Who knows better? by Bitgolem on Mar 12th, 2008 @ 2:06pm
Thieves and hackers are often hired to do security work specifically because they know what the other side is trying. Who better to stop a hacker than a hacker? They replace the challenge of trying to get in with the challenge of trying to keep people out. It's just a game to them anyway, so why shouldn't someone profit?
by Wesha on Mar 12th, 2008 @ 2:09pm
Well, I would certainly hire a convicted safe-cracker as a consultant for my safe manufacturing company. After all, he knows a thing or two about safe safety.
See also: http://en.wikipedia.org/wiki/Frank_Abagnale
Auto Thieves by Anonymous Coward on Mar 12th, 2008 @ 2:13pm
After my car was stolen, the insurance company sent out an investigator who told me he was hired because he was an experienced and convicted car thief.
Re: What about other "reformed" criminals? by TheDock22 on Mar 12th, 2008 @ 2:14pm
I think a better example of this is law enforcement using informants to feed them information on criminal activity, which does happen.
I do think convicted hackers might make a good addition to a company's security team or be hired as a consultant. There is a risk, but at least if anything happens it will be caught fairly quickly, since your legit security experts are expecting this "hacker" to try and get through your defenses anyway.
Re: Re: What about other "reformed" criminals? by JS Beckerist on Mar 12th, 2008 @ 2:47pm
Yeah more like, would you want to hire a thief to break into cars that the driver locked the keys in, or would you want to hire someone convicted of growing pot for your greenhouse. Same job, just different side of the law.
Sure by Dan on Mar 12th, 2008 @ 2:55pm
Like it makes sense to hire convicted pedophiles to babysit.
I suppose it might be ok if you NEVER plan to prosecute anyone for any incidents.
As soon as you bring in a convicted cracker you have given the rest of the world reasonable doubt.
Don't hire the losers by NRK on Mar 12th, 2008 @ 3:04pm
Got caught, served time, you are a loser. Didn't get caught and have done it time and time again? Now that is the one I want to hire.
He can't help it. . . by Only Reads the Headline on Mar 12th, 2008 @ 3:13pm
. . if he's guilty of being white.
Depends upon the individual involved. by GeneralEmergency on Mar 12th, 2008 @ 3:15pm
If you have ever worked with and around convicted hackers before (and I have), you can get a sense of what drives them as individuals. For some, it's anger and insecurity; some are pranksters that don't know the correct boundary of a joke; others, sadly, have an egotistic and sociopathic core personality; and then there is this one class of hacker that suffers from a relentless, overpowering curiosity that leads them into risk-taking behaviours. This last type mellows with age and can make good hired help. The rest are wild cards in my opinion.
Re: Don't hire the losers by Le Blue Dude on Mar 12th, 2008 @ 3:18pm
eah, but they're harder to find, seeing as how if you knew how to find/contact them you would be legally obligated to share this info with the police... That is to say, they're hunted men, and the moment you verify their identity they are arrested.
Re: He can't help it. . . by redhammy on Mar 12th, 2008 @ 3:20pm
I just came here to make sure somebody made this joke. I was not disappointed.
'hackers' are frequently unlike regular criminals by zcat on Mar 12th, 2008 @ 3:33pm
Most criminals learn what they need to know purely to reach the end goal: getting the goods.
Many (most?) hackers/crackers learn about computer security because it's a game. Breaking into real live 'secure' sites means you've won, you've outsmarted and beaten the 'professional' security people.
So you invite them to play on the other team. Same game, except this time you're playing the security guy and have to outsmart the hacker.
It's like if you had a chess player that's only ever played a game on the black side. If you let him play white he doesn't care. It's still the same game.
Re: Re: Don't hire the losers by LBD on Mar 12th, 2008 @ 3:48pm
... curse my Y
Re: 'hackers' are frequently unlike regular crimin by Le Blue Dude on Mar 12th, 2008 @ 3:50pm
I can understand that. Using this name I hang out on forums and catch/stop/hunt trolls. Using other IDs I am one. Note that when I troll, I just find the most disruptive thing to say, and when I troll-hunt I don't really care who I'm defending.
Re: Re: 'hackers' are frequently unlike regular cr by l3fty on Mar 12th, 2008 @ 4:48pm
Then you would be an example of the type that one wouldn't want to hire. You may know the game from both sides, but your loyalty would always be in question. As may be your claims of security risks. Are they real or just a diversion? Are we opening ourselves up somewhere else to fix this? They would always have to wonder, but such is the nature of security. Locks only keep honest people honest.
Historical Precedents by Jake on Mar 12th, 2008 @ 4:49pm
The SOE and OSS were putting convicted burglars and forgers on the payroll back in the 1940s, and their successor organisations probably still do. If it's good enough for them, why shouldn't private industry follow their lead?
In fact, thinking about it, the ones who actually do it for financial gain would probably make the best employees; the kind who do it for the craic or to make their dicks look bigger would be too unreliable.
Re: Re: He can't help it. . . by Only Reads the Headlines on Mar 12th, 2008 @ 4:57pm
I try to do my part.
Re: Re: Re: 'hackers' are frequently unlike regula by Le Blue Dude on Mar 12th, 2008 @ 5:11pm
My most common troll name is Asmodeus Thatcher. I never troll on forums which I'm troll hunting: Playing against myself is no fun.
There's a difference.. by zcat on Mar 12th, 2008 @ 5:30pm
Blackhats may pose as whitehats temporarily, aka 'social engineering'. That's different from switching sides.
If they're employed as a security consultant, continuing to play a blackhat has become far too easy. The game has changed. They're in it for the challenge, now the challenge is to beat the blackhats and they will play the whitehat role as well as they can.
This is assuming you're dealing with a 'pathological hacker', someone like Mitnick for example, who is really just in it for the game. That you can't always be sure of I guess.
Skills vs Morals by Lawrence D'Oliveiro on Mar 12th, 2008 @ 9:44pm
I think there can still be a legitimate way to make use of such people, without having to trust them with your sensitive secrets--use them as part of a penetration-testing team, as an attacker, not a defender. In other words, a situation where their propensity to break the rules can be used to advantage.
For some reason, I keep thinking of General Paul van Riper and his (in)famous handling of the "Millennium Challenge 2002" military exercise.
Convictions prove... by Lisa Westveld on Mar 13th, 2008 @ 3:58am
The convictions prove that the convicted cracker wasn't smart enough to crack any system without being discovered. Those crackers who have not been convicted are therefore a lot smarter. They manage to crack systems without anyone being in a position to prove this. Thus, those who have not been convicted can be a lot more experienced. Those who are convicted are more useful to educate others with their speeches, in the hopes that any would-be cracker makes the same mistakes that they did.
Not a bad idea by Ferin on Mar 13th, 2008 @ 5:04am
A good friend of mine spent most of his high school career finding new and creative ways to have the local FBI field agents visit his house and lecture him about messing with computer and telephone systems. Now he's working as a computer security contractor for the Pentagon. (As a side note, we spent about a half hour on the phone laughing our asses off about the new "Cyber Command!")
It's not necessarily a bad idea to hire these people on, just to keep them out of trouble. I suppose what it comes down to is whether you think you can supervise their activities well enough to keep them out of trouble.
Re: Security by LadyBarb on Apr 29th, 2008 @ 11:29am
To Mrrar: "I have an MS in Information Security. With that said, yes, companies that are concerned with security, in particular those who are focused on it, would be willing (and eager) to hire a 'cracker.'"
If you truly are an Information Security MS, I am shocked that you would say such a thing.
#1. If someone is told never to hack again, that is what it means.
#2. Is hacking a felony?
#3. How could a law-abiding company hire a convicted criminal? Would they hire a child molester to be a janitor in a junior high school? I don't think so.
Can Martha Stewart run another company? I don't think so.
I am a Criminal Investigator student and, sir, I am ashamed that you with your MS would dare say such a thing. You of all people know that this is wrong as wrong can be.
There are too many law-abiding men and women who are experts at computers who I would hire before I would hire a convicted hacker. NO WAY NO HOW. To consider such a thing is asinine.