Does It Make Sense To Hire A Convicted Cracker For Security Work?

from the too-much-risk? dept

InformationWeek is looking at whether or not companies are willing to hire hackers who were previously convicted of committing computer related crimes to help them with their own security (and, yes, before people go nuts in the comments, not all “hackers” are bad, but this is about those who broke the law and were convicted of it). The general consensus seems to be that high profile convicted hackers do end up with jobs — but not in doing security work. Often it’s in writing or speaking about it. Basically, many companies have found that there are many qualified security experts who can do the job who never broke the law — and, as one person points out: “Criminal records prove nothing except that you were stupid enough to get caught in the first place.” That may be a bit extreme, as some of the prosecutions over “hacking” that occurred a while back were based more on fear than on a real understanding of what was done. However, it does point out that a conviction hardly means that you’re qualified as a security expert.

Filed Under: ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Does It Make Sense To Hire A Convicted Cracker For Security Work?”

Subscribe: RSS Leave a comment
Jezsik says:

What about other "reformed" criminals?

Would you hire a convicted embezzler to do your accounting, a thief to do your housekeeping, an addict to work in your pharmacy? It really comes down to whether or not you can trust the person to overcome temptation again. In any event, getting convicted for something should certainly not give anyone credibility in that particular field.

Mike (profile) says:

Re: What about other "reformed" criminals?

Would you hire a convicted embezzler to do your accounting, a thief to do your housekeeping, an addict to work in your pharmacy?

Well, that’s a bit different, as the point of a convicted cracker is that they were successfully able to break security down — which is what you want of a security expert, especially if they’re doing penetration testing. The same isn’t true of the examples you describe

TheDock22 says:

Re: What about other "reformed" criminals?

I think a better example of this is law enforcement using informants to feed them information on criminal activity, which does happen.

I do think convicted hackers might make a good addition to a companies security team or hired as a consultant. There is a risk, but at least if anything happens it will be caught fairly quickly since your legit security experts are expecting this “hacker” to try and get through your defenses anyway.

moore850 (profile) says:

Al Capone, Bank Security?

That sounds like hiring Al Capone to guard a bank vault… major conflict of interest. If you want to hire someone with a background in actually committing real crime, then you are going to pay the price of extremely high risk. However, hiring someone with a slightly less than pristine past in terms of maybe a system hack here and there, who knows how to do it but doesn’t want to go to jail, that might be a way better bet. Common sense should prevail, i.e. who’s going to guard you against the convicted hacker, regardless of how secure your systems turn out to be? 99% of hacking is physical access, so be careful when ‘inviting the wolf into the henhouse’.

dellthinker says:

Re: Al Capone, Bank Security?

lmfao@ 99% of hacking is physical access. Sounds to me you’ve been watching too much CSI or whatever stupid T.V. shows people are watching these days.

To kindly correct you, 99% of _)real_ hacking is done via remote. If a system has several 0 day vulnerabilities then it is most likely able to be hacked. 7 out of 10 computer users( like yourself ) are pretty ignorant when it comes to computing security so its likely that it could happen to anyone who’s not Tech/Security savvy. Before you comment on something you dont know anything about you should seriously google it.

Mrrar says:


Just to provide context, I have an MS in Information Security. With that said, yes, companies that are concerned with security, in particular those who are focused on it, would be willing (and eager) to hire a ‘cracker.’

One example is the fellow who exploited.. Myspace? I believe Myspace.. with a simple JS attack that forced everyone who visited his page to add him as a friend, and then add the code to their own page that would add him as a friend to anyone who visited -those- pages… He ended up with a six figure salary at… Um… Hrm.. Symantec I believe? I can’t quite recall. That was a story.. I think it was given by Caleb Sima, can’t quite recall atm. It’s been a couple of years since the speaker, and I don’t take notes, so…

LadyBarb says:

Re: Security

To Mirrar, I have an MS in Information Security. With that said, yes, companies that are concerned with security, in particular those who are focused on it, would be willing (and eager) to hire a ‘cracker.’
If you truly are a Information Security MS, I am shocked that you would say such a thing.
#1. If someone is told never to hack again, that is what it means.
#2. Is hacking a felony?
#3. How could a law abiding company hire a convicted crimial? Would they hire a child molester to be a janitor in a junior high school? I don’t think so.
Can Martha Stewart run another company? I don’t think so.
I am a Criminal Investigator student and sir I am ashamed
that you with your MS would dare say such a thing. You of all people know that this is wrong as wrong can be.
There are too many law abiding men and women who are experts
at computers who I would hire before I would hire a convicted hacker. NO WAY NO HOW. To consider such a thing,
is assinine.

dellthinker says:

Re: Re: Security

Its really funny to see how ignorant people of today can really be.

Mrrar was correct, the people who do these types of ‘crimes’ as you so dully put it, are simply experimenting with systems. Some do it for fun or education and some do it for bad. What ever the reason is, that wouldnt hold them back in getting where they want seeing as they know how to secure someones network. And seeing how your a criminal investigator that further tells me that you have hardly a clue of what your talking about. You cant compare a child molester to a hacker.

Bitgolem says:

Who knows better?

Theives and hackers are often hired to do security work specifically because they know what the other side is trying. Who better to stop a hacker than a hacker? They replace the challenge of trying to get in with the challenge of trying to keep people out. It’s just a game to them anyway, so why shouldn’t someone profit?

GeneralEmergency (profile) says:

Depends upon the individual involved.

If you ever have worked with and around convicted hackers before (and I have), you can get a sense of what drives them as individuals. For some, it’s anger and insecurity, some are pranksters that don’t know the correct boundary of a joke, others, sadly have a egotistic and sociopathic core personality and then there is this one class of hacker that suffers from a relentless, overpowering curiosity that leads them into risk taking behaviours. This last type mellows with age and can make good hired help. The rest are wild cards in my opinion.

zcat says:

'hackers' are frequently unlike regular criminals

Most criminals learn what the need to know purely to reach the end goal; getting the goods.

Many (most?) hackers/crackers learn about computer security because it’s a game. Breaking into real live ‘secure’ sites means you’ve won, you’ve outsmarted and beaten the ‘professional’ security people.

So you invite them to play on the other team. Same game, except this time you’re playing the security guy and have to outsmart the hacker.

It’s like if you had a chess player that’s only ever played a game on the black side. If you let him play white he doesn’t care. It’s still the same game.

Le Blue Dude says:

Re: 'hackers' are frequently unlike regular crimin

I can understand that. Using this name I hang out on forums and catch/stop/hunt Trolls. Using other ID’s I am one. Note that when I troll, I just find the most disruptive thing to say, and when I troll hunt I don’t really care who I’m defending.

l3fty says:

Re: Re: 'hackers' are frequently unlike regular cr

Then you would be an example of the type that one wouldn’t want to hire. You may know the game from both sides, but your loyalty would always be in question. As may be your claims of security risks. Are they real or just a diversion? Are we opening ourself up somewhere else to fix this? They would always have to wonder, but such is the nature of security. Locks only keep honest people honest.

Jake says:

Historical Preccedents

The SOE and OSS were putting convicted burglars and forgers on the payroll back in the 1940s, and their successor organisations probably still do. If it’s good enough for them, why shouldn’t private industry follow their lead?
In fact, thinking about it, the ones who actually do it for financial gain would probably make the best employees; the kind who do it for the craic or to make their dicks look bigger would be too unreliable.

zcat says:

There's a difference..

Blackhats may pose as whitehats temporarily, aka ‘social engineering’. That’s different from switching sides.

If they’re employed as a security consultant, continuing to play a blackhat has become far too easy. The game has changed. They’re in it for the challenge, now the challenge is to beat the blackhats and they will play the whitehat role as well as they can.

This is assuming you’re dealing with a ‘pathological hacker’, someone like Mitnick for example, who is really just in it for the game. That you can’t always be sure of I guess.

Lawrence D'Oliveiro says:

Skills vs Morals

I think there can still be a legitimate way to make use of such people, without having to trust them with your sensitive secrets–use them as part of a penetration-testing team, as an attacker, not a defender. In other words, a situation where their propensity to break the rules can be used to advantage.

For some reason, I keep thinking of General Paul van Riper and his (in)famous handling of the “Millennium Challenge 2002” military exercise.

Lisa Westveld says:

Convictions prove...

The convictions prove that the convicted cracker wasn’t smart enough to crack any system without being discovered. Those crackers who have not been convicted are therefor a lot smarter. They manage to crack systems without anyone in the position to prove this. Thus, those who have not been convicted can be a lot more experienced. Those who are convicted are more useful to educate others with their speeches, in the hopes that any would-be cracker makes the same mistakes that they did.

Ferin says:

Not a bad idea

A good friend of mine spent most of his high school career finding new and creative ways to have the local FBI field agents visit his house and lecture him about messing with computer and telephone systems. Now he’s working as a computer security contractor for the pentagon. (As a side note we spent about a half hour on the phone laughing our asses off about the new “Cyber Command!”)

It’s not necessarily a bad idea to hire these people on, just to keep them out of trouble. I suppose what it comes down to is whether you think you can supervise their activities well enough to keep them out of trouble.

Anthony says:

some people are lame

Just because a person gets caught does not mean he is stupid, in fact by the time a burglar is actually caught he has comitted hundreds of burglaries previously.
The most smartest people have gotten caught, from high level heads of countries, to mafia, and so on, down to the most common criminal. If you go into prison for burglary, you come out a much better burglar. No alarms nor security systems can stop a burglar if he’s intent on getting what he wants…NO SECURITY SYSTEM! (other than Fort Knox)

Kimberly says:

You might need to know more about your spouses affairs, why they are on the phone for so long, keeping late nights, lying to your face when you ask, you need not find solution else where as darkwebsolutions has you covered and you can get remote access to your partners device, mails and so on, darkwebsolutions dot co has you covered

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...