June 30th, 2005 05:22 AM
Hiring Hackers As Security Consultants
Though this issue must have been raised in AO before, I would like to discuss the subject mentioned.
The subject of whether it is ethical to use former hackers to evaluate a network’s security is a topic that is often hotly debated. Brien Posey explores the pros and cons of using former hackers in such roles.
Although the practice has been going on for quite some time, the subject of whether or not you should hire reformed hackers as security consultants has been receiving a lot of press lately. This seems to be a very touchy issue, and there are strong opinions on both sides. Being that this issue has been generating so much heat, Brien Posey takes the opportunity to discuss both sides of the issue.
Read the full article @ http://www.windowsecurity.com/articl...nsultants.html
June 30th, 2005 06:15 AM
The only reason I wouldn't consider hiring a "hacker" is because they really cannot prove their credentials. So I would look for someone with certifications, and also look at resumes and interview. It's just really hard to PROVE you did any major hacks, and if you couldn't give me any good references, I wouldn't hire you.
June 30th, 2005 07:52 AM
Hiring hackers for network evaluation and pen-testing?? Have you ever heard about someone calling his enemy to police his/her home .... like calling a robber to guard money .... the robber might not steal your money the first time .. but be sure that some day he will come back to do it ....
The same principle applies here: if a hacker knows what you are good at and weak at, he will use the info he has against your business .... I'd rather kill myself over hiring someone I pay to kill me ... this is common sense .... Oh! dear God! why is that not common yet!
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts".....Spaf
Every time I learn a new thing, I discover how ignorant I am. - ... Black Cluster
June 30th, 2005 08:06 AM
Really, although possibly a bit idealistic. If your robber is paid enough money to make a decent living out of guarding your money, why would he stop?
This is assuming that this person is not inherently evil. You don't get someone who is only interested in getting as rich as possible to do it.
I really think that employing a hacker, although risky, can work out really well. As long as the hacker is only interested in working with computers and nice techno tools testing his abilities, then he can have a very nice life as a network administrator.
If he is malicious by heart and is only interested in selling credit card numbers or confidential files to get rich fast, then by all means throw them in jail and be done with them.
Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?
June 30th, 2005 10:16 AM
Would anyone care to venture as to what the general age group of the people who fall under the category of 'hackers' (:P) would be? A lot'd be students perhaps.. not completely bound by family ties and such? Somehow from what I've seen, a lot of people grow out of the 'black-hat' attitude with growing up and the pressures of earning a living. So well.. if they're a bunch of idiots who're studying and fooling around, I suppose there's a fair chance that they're immature and might grow out of it. Honing people like that'd mean someone with solid experience.. invaluable in a field like this. How about all this? Or am I rambling?
June 30th, 2005 11:07 AM
MoonWolf: I was disappointed... I clicked on that link expecting to see Sneakers.. it fits in quite well with this category.
I'll share a little story with all of you...
When I was finishing my 3rd semester of College we were about to go out on Co-op placements.. I applied for a few positions, two of them being at the college I attend. One was in our Network Services dept and the other the Student Helpdesk. The NS interview was a disaster... being young (I feel so old these days.. hah) and cocky, I made some comments I shouldn't have. Why was I interested in the job? "Your border router used to be open to the public without adequate password protection or access lists, I wanted to see if it still is"... Where did you get your Windows NT experience? "In high school, the admins never came around to fix the computers, so I'd have to "access" the systems for various teachers in order to fix problems"... At the time I thought I was being funny... apparently I wasn't. I was hired to the Student Helpdesk and I've worked there to this day (6th semester) although that might change after a meeting in a few hours (been having a few wage problems lately but that's another story)... So I worked with the Student Helpdesk for my Co-op and stayed on part-time for my 4th semester... Time for another Co-op after that.. Now I had quite the reputation... first as a hacker (based on my comments in the interview)... it really hindered me at the onset of my position with the Student Helpdesk... but my hard work and interaction with others allowed me to prove myself... This time I was offered the co-op at NS... I returned to the Student Helpdesk (I'm a very loyal person).. but this time at least the offer had been extended.
When is a person labelled as a hacker? When they commit a crime? When they are convicted of a crime? Or when they display a curiosity... a willingness to learn more. If you want to get into the hats... I'd hire a 'white hat' without considering it... As far as a 'black hat'... well.. look at me.. Don't immediately place the person in a position of power... unless you trust them... but give them a chance... first impressions mean a lot but everyone deserves a second chance. I was able to prove myself... both with my technical and interpersonal skills... and that means a lot.
You also have to remember that a lot of this is sensationalized by the media... The term hacker doesn't necessarily refer to the guy who has discovered 100s of software vulnerabilities, coded exploits for each, written his own operating system and on the side published a thesis for a new communication protocol that triples the available bandwidth using high end compression... The term hacker refers to someone that the media has made out to be a hero or a villain... How about Kevin Mitnick.... Canada's very own MafiaBoy (now he was French so you can't hold that against all Canadians j/k)... These are the people that get the label hacker.... and again what does the label "hacker" really mean...
The real question that I think they are trying to get at is: Would you hire a convict... this is the same in any industry.. can you trust the person... because IT is the latest job craze.. it's again being sensationalized by the media... The media needs to stop lacing articles with terms like "hacker", "cracker", "script kiddie", etc.... and needs to get down to the bare bones of what's really at stake.... Do you, as an employer, have a moral or ethical dilemma with hiring a reformed (as far as the penal system is concerned) convict?... no need to relate this specifically to IT... no need to use buzz words to get people's attention... just what's really going on.
It's really a question of the ethics of the person who is hiring... and even then it's questionable... It's their opinion and it might not be right... Hiring someone because of a coined label is no better than hiring or not hiring someone because of religion, gender or race.... Hiring someone with a criminal record is another story (again see... label doesn't matter and the field doesn't matter.. we can be generic here... and we are... and this problem has existed for years in many fields)... With a criminal record, you'd most likely start the person on the ground floor and let them earn your trust and respect.... I would give them the keys to the vault on the first day of work... but I wouldn't deny them a chance either...
It's the media trying to make a new story plain and simple... The key is to not buy into the horse dung that they are shovelling.
There's my 2 cents on the subject..
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
June 30th, 2005 11:45 AM
You know, that's a tough question. But how would a company know if they hired a real hacker, because "real" hackers never reveal who they are, and if they are any good they don't get caught. And if I was the CEO, the answer would be OH HELL NO, I wouldn't hire one. For one, I like to sleep at night, and knowing that I'm trusting someone who used to steal from other people to protect my network and not sell out to a higher bidder would give me nightmares....let alone I would be plain out paranoid. And then I won't even think about what if the work relationship went sour: one minute you're working...the next thing your whole network crashes and he just quits. Now as far as Certifications go, well I really don't look too far into them. I mean you got a Cert, gratz.....but some people can be really book smart but when it comes down to the real thing they might fail. And then you got people who aren't that great at tests, but in the real world they know their stuff. So you have to be careful reading into someone else's Certs. Yes, I admit I'm one of those people who suck at tests, I missed my CISSP by 10pts, but I can hang with the best of them when it comes to making the right choice.
June 30th, 2005 12:19 PM
Rate well the response which ties this down to bare bones - would you hire a former criminal who is reformed? Yes, but he would have to earn my trust -
The guy in the film 'Catch me if you can' (the real one not LdiC) reformed from criminal to lawman.
But I also think the risk appetite of the business, not just the personal ethics of the hiring manager, comes into play. e.g. if you are big business or big government, can you afford the risk of hiring someone with a 'dodgy' past? Answer: probably not. Whereas a small business where there is a closer and more intimate relationship with the person might make it possible.
Having said that, a lot of places ignore juvenile crimes when making assessments of a person's criminal tendencies (probably on the basis that if they didn't, they would have very few hirees). All teenagers do stupid stuff, and judging people for what they did as teenagers is like judging a dog for not being toilet trained as a puppy.
Most people have fully matured by 25, so post that age, I start to heavily doubt any claims of 'I am reformed'.
As for hackers, there are very few genuine ubergeeks. And the net of possible specialisms is now so wide, it would be difficult to be an expert in all areas. Even if I trusted the person and hired them as a security specialist, I would want them to round out their education. It isn't all bits and bytes and it isn't just about pen testing and vulnerability analysis. Remember layer 8 in the OSI model is relevant too. Certification shows that they are making the effort; results in the workplace demonstrate their competence.
No one can foresee the consequences of being clever.
June 30th, 2005 01:10 PM
This response is solely toward the originating post and the referenced article.
Actually, based on the author's conclusions, I thought the title was very misleading. Although there seemed to be sound advice in the conclusions, the title and body seemed to be more a way to justify his current role with a security company rather than supply facts ( possibly an attempt to manufacture credibility for the company he is affiliated with and at the same time justify it in his own mind? Obviously he knows his past is not secret. )
Yes, this has been discussed before here. Since you apparently understand that, maybe you should have gotten off your lazy ass and done a bit of work and at least posted the links to such threads, even if you didn't bother to read them. It would give your post a little more legitimacy and just maybe some insight for those who missed them.
One of the major problems associated with this topic, even as the author has enumerated, is how Hacker is defined. The author of the article narrowly ( but broadly ) defines it as
... someone who breaks into computer systems.
In this context he is including person(s) who have only broken into systems with full authorization to do so. This is not consistent with the sensationalism of the title, nor with the author's own self representation of "Grey Hat " Hacker.
Now, to get to what I believe this thread was intended to discuss.
Should someone hire a person who is known to have improperly and illicitly used computers to manage and/or evaluate their computer system(s)?
IMHO, generally NO!
The person has already shown they can not be trusted.
This is a key point. As the old adage goes, " do something right, no one remembers, do one thing wrong, no one ever forgets."
I will not go into the " then and now " mind-set as I have already discussed that here in AO previously, but the reason that many even consider hiring these people ( even as brought up by the author ) is lack of skills by others. Well, that appears to be the same type of reasoning for them to appoint CIO's, or was that nepotism?
( Oh, are two rants in the same post considered bad form? )
I said, " generally ". Another old saying, " a leopard can't change its spots."
But they do accrue with age.
The time honored defense using the fact that a person was young ( in their teens ) is iffy at best. Yes, they lack common sense ( apparently, from studies I have encountered, it has to do with actual brain development, but that is another topic. ) If this is the person's only issue, then maybe hire them if they have matured, and if they have paid for ( and learned from ) their mistakes. But for many there were other motivating factors such as greed, vanity, ( can you list the seven deadly sins? ) These are inherent in a person, traits embedded in their souls. These people can never be trusted.
I hope this answered your question, which begged a philosophical response.
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
June 30th, 2005 01:53 PM
As the question is posed, as a consultant, I see no problem. A consultant does just that: he consults. He doesn't touch your system except for analysis. All he does is advise, and who is better to advise? He knows his stuff in and out.
Now, on the other hand, would you hire an ex-convict as a hands-on person? That is where it gets touchy for me. I say if you have a good hiring process and management has a good gut feeling for the person and he is not the only admin/hands-on person, then it's all right. I just don't think that they should be hired blindly.