May 21st, 2004, 08:14 AM
That is lame. That would be like saying, "Hey you hired me to do security, but I can't do my job to the best of my abilities because of someone you hired." Personally I would take this move by HR as a compliment. To me it would mean they respect my knowledge and feel that I am capable of handling what needs to be done. Besides, wouldn't this be a good way to see if you are good at what you do? If he steps out of line then there should be policies already in place to handle him. Followed by criminal charges.
Also make it clear that you can not be held responsible for the integrity of the corporation's data and information systems as long as he is in the company's employment.
All I can say is this: John Draper, Captain Crunch. But you folks say you wouldn't hire a brilliant mind like this to work for you? Half the posters in that thread are bowing down at his feet. Nuff said!
The people who say "Well I would never hire a criminal" usually end up getting hacked, or robbed, because they have no ties to the underground where the professionals live. My way allows more jobs to people so they don't HAVE to rob banks, and stops the prison system from filling up with people who really just needed a chance.
Be safe and stay free
Your heart was talking, not your mind.
May 21st, 2004, 08:27 AM
LOL!! Nice one!
Yeah, what do hackers and criminals know anyway, right? ****, Apple was founded by a former phreak, CapnCrunch already got brought up....He was no professional. Ink Slingers, and every other tattoo parlor I'd actually trust going to, were all founded by ex-cons who learned the art in prison.
Bah, I don't need to keep talking, Dopey pretty much made my point for me with John. Who JP gave that custom member status to.
Bill Gates comes to mind though, lol, the hippy bastard.
Apple: Founded by phreaks and hippies.
Microsoft: Founded by hippies and an *******.
BSD: Created at the same place as LSD, and probably by the same people lol. *Looking at KDE screen saver showing Heroin*
Gnu Project: Founded by a software pirate named Richard Stallman. I don't think he is a pirate, but if he asked for a job someone would see he likes to "Give out secret code" and not hire him either.
Linus Torvalds: Can't hire him either, he may want to share your company secrets or something.
Hell, anyone who creates OpenSource software will no longer be able to find a job, as they believe like most hackers "Information should be free".
Damn, I hope Linus and Richard and Eric Raymond can find jobs so they don't have to turn into criminals! With the job market not hiring people "like that" because they can't be trusted. LOL.
I just thought of something that goes well with this;
I saw a movie with Eddie Murphy in it where he plays a poor dude who has to steal and so on, and these two stock trading people give him a car, house, and a job, and have one of the rich people who work for them framed and put in jail to see if he would turn to crime, while the other stopped.
Well, the dude they had framed turns to crime, and Eddie Murphy uses his street smarts to make them money....I can't remember the movie, but it shows my point in it. They took him off the street, gave him a job, and he turned out to be a good worker. He just needed his chance.
May 21st, 2004, 12:49 PM
Well, now he's already been given the job there's no point in trying to stop him working there; if you were to get him sacked because of pending court cases then I suspect in America that would violate some sort of civil rights.
I think Spyder32 gave the best advice: just sit down with him, explain you know the whole situation and that you do feel a bit uneasy with it. You might as well be up front with him, and I'm sure by sitting down and having a good talk you'll get a feel for whether he has learnt his lesson or not. Assuming he's not just another script kiddie and he actually knows what he's doing, then there's a good chance he's going to be a lot more knowledgeable about computers than a lot of your colleagues who have just come straight into the job from uni.
At the end of the day there's nothing wrong with being nervous about the situation, but he should get the chance to prove that he's learnt his lesson and changed. After all, I'm sure we've all made mistakes in the past; the important thing is that we've learnt from them.
Anyway, that's just my thoughts on it all.
May 21st, 2004, 12:54 PM
Gore: The movie is Trading Places..... Very funny, but not real life.....
As far as your misunderstanding my comment about "not understanding" goes..... I'd like to think I'm pretty good at seeing what goes on on my network..... But I am fully aware that I still only understand a fraction of the traffic crossing my network at first glance. I am quite able to investigate and usually can come up with the intent of the traffic. On those occasions when I really don't know I look at the person involved and determine what they are capable of. We even have a little chat.....
In the case of this person my warning to them serves to clearly inform them that they stick to the AUP, they don't use my network as a playground, that I am watching them carefully and that their traffic had better be plain vanilla or I get a teeny bit "antsy". If they want to turn themselves around they will come to work, do what is asked and go home. If they want to play silly buggers they can do it from home..... Not on my network.
As it happens I was faced with a situation that I had little control over where a person who claimed to "know it all" was being hired within my network. The law was laid down in a similar fashion to that which I started in this thread with. A week later a secure tunnel was being built from his subnet to a home computer on Comcast. It didn't go anywhere since we don't use ssh and the egress is blocked. He had barely finished trying when his phone rang...... We had a discussion, his story was confirmed by a trusted person and the tunnel was allowed to go through - only to his address and an immediate alert is placed on the ssh traffic for the future...... He's been good..... The fact that I "caught him in the act" proved to him that I'm not a clueless admin, I am capable of watching and that he will never know when I am, day or night.
I kind of agree with Dopey but it's very much a personal thing and it's something where the employer should be looking very carefully at their admin. The question is simple, is my admin competent and does s/he realize their short-comings? If the answer to both questions is yes then the employer need only ask the admin "how do you feel about this". Then you go with the admin's gut feeling. The employer also needs to fully understand the risk. If the risk is the recipe to the company's french fry batter it probably isn't quite the same as if the company is a major bank...... However, it doesn't take a big level of risk before I fall firmly on JP's side of this fence....
I'd hire the kid, 'cos I'm a nice guy and I can manage the risk..... right up to the point he F's with my network or goes outside my comfort/understanding level..... Then you see the ugly side as I deposit his sorry a$$ on the pavement out front..... right or wrong..... he was told "plain vanilla".... He broke the rule..... Ta-ta.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
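The arrangement described in the post above (ssh egress blocked by default, one vetted source/destination pair allowed, an immediate alert on any other ssh traffic from that subnet) can be expressed as a small log filter. The following is an added example, not code from the thread or its posters; the log line format, the 10.20.5.0/24 subnet, the addresses and the approved pair are all constructed placeholders.

```python
"""Added example (not from the thread): raise an alert on outbound SSH from a
watched subnet unless it matches an explicitly approved (source, destination)
pair. Log format, subnet and addresses below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

# Hypothetical perimeter log format (constructed for this example):
#   "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>"
SAMPLE_LOG = """\
2004-05-21T09:01:02 10.20.5.14:51022 -> 198.51.100.23:22 tcp allow
2004-05-21T09:03:11 10.20.5.14:51044 -> 203.0.113.9:22 tcp deny
2004-05-21T09:04:30 10.20.5.7:44110 -> 192.0.2.44:22 tcp allow
2004-05-21T09:05:02 10.20.5.14:51060 -> 203.0.113.9:443 tcp allow
2004-05-21T09:06:45 10.20.9.2:40001 -> 198.51.100.23:22 tcp allow
"""

WATCHED_SUBNET = ipaddress.ip_network("10.20.5.0/24")  # the new hire's subnet (constructed)
# (source host, destination host) pairs that were vetted and approved (constructed)
ALLOWED_SSH = {
    (ipaddress.ip_address("10.20.5.14"), ipaddress.ip_address("198.51.100.23")),
}
SSH_PORT = 22


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Return (ts, src_ip, src_port, dst_ip, dst_port, proto, action), or None
    for a line that does not match the expected format."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    ts, src, _, dst, proto, action = parts
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return (ts, ipaddress.ip_address(src_ip), int(src_port),
                ipaddress.ip_address(dst_ip), int(dst_port), proto, action)
    except ValueError:
        return None


def ssh_alerts(log_text):
    """Alert on every SSH connection (or attempt) from the watched subnet that
    is not one of the approved pairs. Denied attempts are reported too: the
    blocked tunnel in the post was noticed before it ever went anywhere."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # ignore malformed lines rather than crash the monitor
        ts, src_ip, _, dst_ip, dst_port, proto, action = rec
        if proto != "tcp" or dst_port != SSH_PORT:
            continue
        if src_ip not in WATCHED_SUBNET:
            continue
        if (src_ip, dst_ip) in ALLOWED_SSH:
            continue  # the one vetted tunnel
        if action == "deny":
            reason = "ssh egress attempt blocked at the perimeter"
        else:
            reason = "ssh egress outside the approved pair"
        alerts.append(Alert(ts, str(src_ip), str(dst_ip), reason))
    return alerts


if __name__ == "__main__":
    for alert in ssh_alerts(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.src} -> {alert.dst}: {alert.reason}")
```

Run against the constructed sample it reports two alerts: the blocked attempt to a second host, and an ssh session from a different machine on the same subnet. The approved pair, the HTTPS connection and the host outside the watched subnet produce nothing. Alerting on denied attempts as well as allowed connections is the design choice that matters; an egress block stops the tunnel, but only the alert tells the admin someone tried.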
May 21st, 2004, 01:44 PM
I simply cannot fathom the thought processes behind some of these posts. The viewpoint that hackers make better security professionals, because they have practical field experience, is ludicrous at best. Simply the fact of being a former hacker does not automatically make an individual smarter, or more qualified for a job, than an educated security professional.
Now, a looming topic in the Security Arena these days is "Risk Assessment." Any IT employer that hires a former hacker, or someone under judicial review for being a hacker, is not properly evaluating and managing their Risk. If the FDIC came into my workplace and found out that my company had hired a known hacker, the Feds would go through the roof and probably threaten to shut down my company's operations.
The question is not about whether or not it was right, or wrong, to give the guy a second chance. The question is really about whether or not the company can trust the individual with access to data on the network. If I was in this position, I would have to say NO! We all make choices in this life that generate consequences, which we have to live with. If an individual makes bad choices in their life and suffers from those consequences, I will feel sorry for the individual. However, I would not be stupid enough to hire them in a technical role either, when you cannot know the individual's true intent.
Sure, it is possible that a company could have hired 50 hackers to run the network and never even known it, but at least in not hiring a known hacker, the company has avoided one highly potential "Known Danger" to the network. Additionally, if a company were to hire a known hacker, how much productive time would the company lose while the security administrator is busy looking over the individual's virtual shoulder to make sure that he/she is not prying the network open like a sea otter on an oyster shell?
All of this is like a government "double agent" question. Can the government trust the double agent? Of course not. The double agent has betrayed his/her country, why should the government think any serious loyalty is felt towards the new country of residence?
If you can't follow the double agent example, then consider the situation this way. Let's say that your neighbor has a dog that has a history of biting people. The neighbor, being concerned about the dog's behaviour, sends the dog to obedience school. Once completing obedience school, the dog appears calmer and likeable within his fenced-in back yard. Do you stick your hand within the confines of the back yard and risk being savagely bitten?
Remember that people define themselves by their actions and words. You have to make the decision of whether or not you want to buy into the definition being sold.
The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!
May 21st, 2004, 02:06 PM
I have to take two steps back from this topic and voice my opinion. Hopefully, I am far enough back so I don't get hit by the objects you are about to start throwing.
Okay, not everyone in the world is a "law abiding citizen". Everyone has some sort of skeleton in their closet; I for example, like many of you, used Napster for the wrong reason. As far as what this individual did, there may have been a reason for it (curiosity, malicious intent, bragging rights). However, I don't think he would be stupid enough to pull it in a corporate environment. If he does have malicious intent, it won't be until after he leaves, and call it protection racket or anything else. The main reason will be due to the fact you alienated him and made him feel uncomfortable in his stay at your company. I'm saying monitor him just like anyone else or he has a discrimination case against you. I don't think you are supposed to have knowledge of his history.
On the other side, since when don't the security professionals have an ear to the streets? I try to stay one step ahead at all times. I have a pair of hands that send me a lot of the data I need, I probe my list of IRC chat rooms for information and I set up war games and ask questions about methods used and how they feel it could be more of a challenge. I'm not a black hat, nor was I ever one. I may not be able to pull off some of the things they can do, but I can speak and understand it.
I don't think you should really worry about this individual too much; you're going to make the wrong move or say the wrong thing and risk your own job. Just remember, if he is good he will plant the evidence on you because he has a feeling you are after him. Call it protection racket, I call it thinking like your enemy.
May 21st, 2004, 03:39 PM
To the OP:
Have you considered sitting down and talking to said person?
Does this person have admin-level access?
What is your primary concern, that he will target your network, or use your network to target other networks?
If he is being prosecuted, he doesn't have a record yet.
From "currently being prosecuted for hacking a national chain store's network and stealing credit card numbers" it sounds like he is under a criminal investigation. There may be hiring policies at your company regarding this person and whether they can be hired on the basis of prior arrests / current prosecution. At the very least, your HR department should know about this even if they don't fire the person in question.
IMO, I don't think you have much to worry about; if he's being prosecuted correctly (that is to say he's guilty) he's probably intelligent enough to keep a clean slate. All users on your network are a security risk, and they should all be monitored in a similar way. You *should* already have a configuration that will protect your network (and others) from a user who decides to attempt to do any number of nefarious things. That being said, you should definitely CYA (Cover Your Ass).
To Everyone else:
Everyone breaks the law in one way or another. Using any number of filesharing services to download video, music, or text, to speeding, to violating city by-laws.
Many laws are put in place to give the police officers cause to investigate suspicious looking people, and are not necessarily offensive. As an example: In my old hometown of Oshawa, it was illegal to ride your bike on any city street after 1 AM and before 5AM. It was also illegal to spit on the sidewalk. Those were both by-law examples, but there are other considerations, such as the lack of a muffler, driving without license plates, etc., etc.. Everyone abides by the law to some degree, but don't fool yourselves into believing you never break any laws.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
May 21st, 2004, 04:03 PM
I was just getting ready to post a long reply when I read InfoTechGeek's and CHSH's posts above, which make my point exactly.
Being a system admin who has hired a ton of interns and student workers in the past -- and having gone through the experience of having to cut one loose because he was convicted of unlawful use of a computer system -- I have definitely been down this road before. Here is my take-away from the experience:
If you build your systems, your account policies, and your employee relations right you should be prepared even if your company hires Charles Manson or the guy who's going to write the next Sasser. Sure, it's better to stop problems by not hiring trouble, but it's business as usual to make sure that people can only do what they're supposed to do on your network, no matter what they WANT to do.
I realize that this is a utopian view of things, but everything I do with access control lists and account policies has as much to do with preventing harm from the inside as it does stopping intrusions from the outside.
May 21st, 2004, 04:52 PM
Just thought I would make my comment stand out... I live by this rule every day!
Originally posted here by Info Tech Geek
Call it protection racket, I call it thinking like your enemy.
As the saying goes, keep your friends close and your enemies closer.
May 23rd, 2004, 01:00 AM
As they say, the best person to catch a criminal is a criminal.
I was known as "one of those known hackers" when I got hired as an IT tech, and the admins tried to lock me down with guest status blah blah; by the end of the first week I had more access to the network than the admin. The boss was a little edgy about letting me do anything on the network, and when I discovered that our server was compromised I proceeded to show them how it was done (the old IIS unicode sploit), after which they proceeded to accuse me that I had something to do with it... Admins nowadays don't even keep up with the newest news; they just keep things business as usual, "if it's broke don't try to fix it". At least hackers learn something new every day and learn how to protect their networks..
Down with the overpaid sysadmins and up with the 16 year old underpaid kids