Page 2 of 7 (results 11 to 20 of 61)

Thread: Hiring Hackers As Security Consultants

  1. #11
    Originally posted here by zENGER
    As the question is posed, as a consultant, I see no problem. A consultant does just that, he consults. He doesn't touch your system except for analysis. All he does is advise and who is better to advise. He knows his stuff in and out.
    I would have to disagree with this statement. If you are going to hire a consultant to advise you on the security of your network, the consultant is going to have to do some hands-on work to provide a good assessment of the security. I understand your meaning if the consultant is coming in and looking at logs provided by the client, but even that gives the consultant a glimpse into possible holes in the security.

    I'm not going to say don't hire a hacker, but you better be one step up on him until he can prove himself trustworthy.
    to SYN, or not to SYN. That is the question. -Shakespeare?

  2. #12
    Actually you don't hear about it much. I remember that I could re-read the same old re-written articles such as this every five days when L0pht was about. After that you really don't see this article much nowadays... the whole thing was just a fad of the late 1990s.

    However... name one person who's been arrested and can keep much of a steady job, let alone in this industry. Let me explain what consultancy truly is in the real world: it's freelance work, basically. In other words you will most likely need a second job just to cover expenses. With that said, I really don't have to further point it out that they're not just picking up some smelly Mexican around the corner who can't keep a job.

    These people have already established themselves as hireable through some industry and get recommended for other small odd jobs.

  3. #13
    zencoder (AO Senior Cow-beller, Moderator; joined Dec 2004; location: Mountain standard tribe.; 1,177 posts)

    Caveat Hax0r

    I've seen a lot of comments in this thread, and they all need to be addressed, before we can discuss the 'actual' question the poster made (at least, as I read it).

    quote:
    because "real" hackers never reveal who they are, and if they are any good they don't get caught.
    I'm not sure how, or even if, to respond. They don't? Do you know every single 'hacker' ever, and their thoughts on this subject? As much as I hate to agree with him, TheSpecialist usually makes a good point on this subject...people who throw the word 'hacker' around like that usually don't rate paying attention to, let alone serious consideration.

    The point is, that is an extremely broad statement, and completely arbitrary and probably founded in opinion and personal desire for an ideal, not 'truth'. Sorry, welcome to the real world. SOME of them may indeed act and think this way. But there are no definitives, when dealing with human nature.

    quote:
    I wouldn't consider hiring a "hacker" is because they really cannot prove their credentials
    Well, I don't know if I agree with that, either. I've seen reference in articles and discussions where some of the most effective system compromisers work on Tiger Teams during the day, then go home and hack away at whatever interests them at night. These folks could have massively impressive credentials, and the fact that they may pursue illegitimate activities in the darkness of their own home is simply undetected (wow, that sounds nasty...not meant to.)

    quote:
    would you hire a former criminal who is reformed
    Sure. But you are talking about finite literals, when there is truly no such thing in human nature (that should summon a response from Egaladiest)

    The truth of the matter is, "hackers" is not a definitive term. It has been sensationalized by the media, the more technical and open source types have rallied a counter-attack and tried to make it more legitimate, and we are left with a label that is uncertain at best, downright inaccurate and inappropriate to use at worst.

    So, all that being said, let me paraphrase the core of panther_black's original statement, as I interpret it:
    quote:
    the subject of hiring people who have previously had illegitimate or illegal intentions in their security assessment activities, whether for personal or professional benefit

    While I don't entirely disagree with hiring those who have a history of illegal or illegitimate activity, I think it requires a great deal of consideration. Many people get all excited by the sensationalism of a "bad hacker turned good" (see: Kevin Mitnick).

    But what is often overlooked is the fact that, in the Information Security industry, the product you are ultimately buying is trust, integrity, and responsibility.

    When you sign up for an Anti-Virus service, once all the legalese and contract nonsense is put aside, you are left with an agreement for one company to provide protection from virii to another company. When the customer company has a problem or failure, it is the responsibility of the provider to address this (again, depending on legalese and such.) The client TRUSTS the provider to uphold their end of the bargain.

    There are no definitives. There is no way to completely and reliably know that a person is "good" or "bad" with their intentions. So when someone stands up and offers to provide a service, when they have a known history of illegal, unethical, or illicit activities, you should think long and hard before signing on with them.

    Consider the following:
    1. What are the 'actual' benefits?
    2. What are the risks?
    3. What would the stakeholders think?
    4. What would the public think?
    5. What would be the impact if the subject decided to use this opportunity to steal or attack your organization?
    6. What would be the impact if a similar company, without the "black hat history", used the same sort of opportunity against you?

    Using these sorts of definitives, I personally always come to the conclusion that if you have an alternative to hiring the 'bad hacker', then take it over the badboy.

    If you hire a former blackhat, and he deceives you and rips you off, a lot of the reaction you will get is "well, he IS a criminal." If you hire the person with proper credentials and no 'bad-guy-history', and he does the same thing...well, it happens. How can you guess someone's intentions?

    As HTRegz has shared with us, a reputation is a terrible thing to waste. He nearly did so completely unintentionally, simply through his lack of experience and savvy for dealing with the people who hire the security staff at his school (which can be understood, considering age, place in life, experience in the industry, etc.)

    A good name, like good will, is got by many actions and lost by one.
    Lord Jeffery Amherst (1717-1797)
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #14
    I still say if you are going to judge people on what they did in their teens, lock everyone up!

    For example, according to the GB gov's home office, during my teens I was a serious recidivist. Now I'm in security.

    Scratch that - maybe we should take teenagers to meet security consultants and tell them

    "This is the only job you will be qualified to do if you don't reform your ways!"
    No one can foresee the consequences of being clever.

  5. #15
    zencoder (AO Senior Cow-beller, Moderator; joined Dec 2004; location: Mountain standard tribe.; 1,177 posts)
    Originally posted here by zENGER
    As the question is posed, as a consultant, I see no problem. A consultant does just that, he consults. He doesn't touch your system except for analysis. All he does is advise and who is better to advise. He knows his stuff in and out.

    Now, on the other hand would you hire an ex-convict as a hands on person? That is where it gets touchy for me. I say if you have a good hiring process and management has a good gut feeling for the person and he is not the only admin/hands on person then its all right. I just don't think that they should be hired blindly.
    Well, you may be correct with this. But you're still dealing with literals and definitions that are not constant. As a consultant, I am often turned loose inside a client's network with my laptop, to compromise what I can and report back. I also perform direct administration of services, as a consultant.

    So while I agree with the sentiment of your statement, I need to make the point that 'consultants' don't always simply come 'consult'.

  6. #16
    Senior Member (joined Jul 2004; 469 posts)
    Originally posted here by zencoder
    Well, you may be correct with this. But you're still dealing with literals and definitions that are not constant. As a consultant, I am often turned loose inside a client's network with my laptop, to compromise what I can and report back. I also perform direct administration of services, as a consultant.

    So while I agree with the sentiment of your statement, I need to make the point that 'consultants' don't always simply come 'consult'.
    That begs the question: how focused on security are you if you let some outside "consultant" have free rein on your system? In these cases I think the "consultant" and the tech staff need to work together. I personally wouldn't allow anyone, ex-hacker or not, to just do whatever they pleased on a network that I manage. I wouldn't hinder them from doing their job, but I would definitely keep a close eye on them while they were doing it. Like what was pointed out earlier, what stops someone who has no criminal past from stepping over the line? You have to start somewhere.

  7. #17
    Senior Member (joined Dec 2004; 3,171 posts)
    I've seen a lot of comments in this thread, and they all need to be addressed, before we can discuss the 'actual' question the poster made (at least, as I read it).

    quote:
    because "real" hackers never reveal who they are, and if they are any good they don't get caught.
    The point is, that is an extremely broad statement, and completely arbitrary and probably founded in opinion and personal desire for an ideal, not 'truth'. Sorry, welcome to the real world. SOME of them may indeed act and think this way. But there are no definitives, when dealing with human nature.
    As zencoder stated...it's not true that if they're good they don't get caught...some do it to brag...to prove how smart they are, and can't keep their mouths shut...no matter how good they are. Or they tell a friend who rats them out...there are plenty of ways to get caught and still be very good at it.

    quote:
    would you hire a former criminal who is reformed
    Sure. But you are talking about finite literals, when there is truly no such thing in human nature (that should summon a response from Egaladiest)
    As I mentioned in another thread...if a person is truly reformed he is 'no longer' the person that he was...but how can you tell if someone is truly reformed?...cross your fingers and hope for the best

    Eg

  8. #18
    Senior Member (joined May 2003; 1,199 posts)
    quote:
    because "real" hackers never reveal who they are, and if they are any good they don't get caught
    Are you on crack? There are a lot of "real hackers" who reveal who they are and get caught. And many of them are VERY good. Look at all the people who write viruses and then release them, they are damn good at what they do and I would consider them hackers. Look through the 80s and 90s at all the people who got arrested, TONS of "hackers" got taken down, many were very good at what they did.

    quote:
    I wouldn't consider hiring a "hacker" is because they really cannot prove their credentials
    Well, I don't know if I agree with that, either. I've seen reference in articles and discussions where some of the most effective system compromisers work on Tiger Teams during the day, then go home and hack away at whatever interests them at night. These folks could have massively impressive credentials, and the fact that they may pursue illegitimate activities in the darkness of their own home is simply undetected (wow, that sounds nasty...not meant to.)
    OK, but at this point you are hiring them on the basis of their day job; they wouldn't mention that at night they like to deface somstupidsite.com or break into random networks, and they would provide excellent references.

    My point was, for a job like this (pen testing/security auditing) you better have GOOD references. I wouldn't hire some guy with tons of certifications either unless he had experience, and people willing to back him and his work. Anyone can study for a certification and pass the test, anyone can claim they are some crazy hacker; show me proof of previous work, then we will talk jobs.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  9. #19
    therenegade (Senior Member; joined Apr 2003; 400 posts)
    Hmm..how about this train of thought?
    Surely a mistake or two doesn't count? Most of us make mistakes, but paying for it with our careers doesn't seem fair (yes, I know that this is the immature point of view, but just consider it). Now, if you hire a black-hat who wants to leave that all behind and turn a new leaf..shouldn't companies try and consider the experience that they could be getting (additionally, they could keep the guy on a consultation basis and perhaps get away by giving him a lower salary?). How does this stand in the practical scenario? zencoder raises a valid point by pointing out the reactions of the shareholders and/or the public..but how many shareholders actually keep track of some lameass who works in security in a practical scenario? Perhaps start them out lower with very little access and make them work their way up? Maybe by creating a policy that would involve more than one person as part of the decision taking at every level? Or would that decrease inefficiency?
    and uh, sorry about all the questions, I'd like to know how the industry works, that's all

  10. #20
    Maestr0 (Senior Member; joined May 2003; 604 posts)
    "There are people who don't accept, who aren't obedient. They are weeded out, they're driving taxi cabs, they're behavior problems. The long-term effect of this is to reward and foster subordination; it begins in kindergarten and goes all the way through your professional or other career. If you challenge authority, you get in one or another kind of trouble. Again, it's not 100 percent the case, and there are some areas of life where it's dramatically not the case, but on average and overwhelmingly in the outcomes, it holds."
    -Noam Chomsky


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
