Would You Hire a Former Black Hat?

Mark Zenson asks: "Understanding the mindset of a hacker and the likes of one may be useful to counter security attacks, but apparently companies still object to hiring former, or even reformed, black hats." The article puts this question to several executives in the industry, and for various reasons many of them were skeptical of the idea of hiring such people. Would you give black hats a second chance if you were in their position?

  • by eldavojohn ( 898314 ) * <eldavojohn@noSpAM.gmail.com> on Friday September 29, 2006 @06:16PM (#16252845) Journal
    Would You Hire a Former Black Hat?
    Depends. If I'm a manager at McDonald's, you bet your ass I'd hire him. Anti-social nerds make the best french fries.

    But on a more serious note, I would hire anybody as long as they have the right personality. That's right, I've seen it happen too. People who don't know anything about computers are working in corporate America as programmers. They are one trick ponies and it would take me a few minutes to show others how to do that one trick. The questions I need answered are:
    • Can they work with people?
    • Can they dress well?
    • Do they shower?
    • Are they capable of staying after normal work hours every now and then to see to something getting finished?
    • Are they sensitive to other people and their surroundings?
    If you answered "yes" to all these questions, you too are a potential "team member." In any business. Degrees help but are not required.

    Judging by the stereotypical picture of a black hat that the media has given the public, I would guess they wouldn't pass the first bullet above. Judging by the few that I know, they are risks but at some point straightened up and are valuable employees to their companies. You just need to assess whether or not they've figured out that a steady source of income is way more rewarding than having "VIODENTIA RULEZ #1" spray painted on the RIAA's website once a year. And that "selling out" isn't really "selling out" but devoting some of your time to a large project in order to better your circumstances the rest of the time. If they're past that point, then you've got a potential for a great employee.

    What's unfortunate for black hats is that there is a wealth of solid programmers from America, India and Russia (if they can make it here) who are more than willing to do anything. On top of that, they have no criminal background. So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.
    • Re: (Score:2, Insightful)

      by ericspinder ( 146776 )
      How about the one thing that truly distinguishes 'black hats':
      • Has a known history of fraud
      A big salary doesn't mean honest living. The question wasn't if they could work in their general business, but top positions in security related IT jobs. Sure several years ago the most experienced security experts were reformed criminals, but these days training is available which doesn't eventually require a lawyer.
      • by D-Cypell ( 446534 ) on Friday September 29, 2006 @06:50PM (#16253283)
        I am not sure a "history of fraud" defines a black hat (according to my definition anyway).

        Having worked with some people from this kind of background I would say that having them around in any kind of hi-tech start-up is a genuine asset. High IQ comes with the territory and I have also found that uber-geeks (as most dedicated black-hats are, by default) have a deep pride and sense of ownership in their projects. I think that 'black hat' behaviour is more about ego than they would like to admit, and egos can be good if they make the owner strive to make their project the best out there.

        There definitely will be a few assholes that try to screw you over, but I am not sure that it is fair to say there are more of these people in the 'ex black-hat' community than in the general population.

        • by networkBoy ( 774728 ) on Friday September 29, 2006 @07:31PM (#16253767) Journal
          I was about to say something similar, but instead I will expound on your post.
          I am a former "black hat" as the media would portray it. While I never did anything knowingly illegal for profit, I do/did hack systems for entertainment.

          I was employed by a small company where I rapidly rose to the position of being a network admin for a lab that dealt with Ethernet equipment and components. Some of our gear was capable of generating arbitrary data frames (source/dest IP & MAC address, any length up to 20 Kbyte (IEEE spec is 1518 bytes), any interframe gap down to ~4 ns (spec 9.6 ns)). So to say that the network took a punishing when some dimwit plugged the test side of the gear into the support network is a gross understatement (said support network was directly connected to the corp net, which went down when this happened).

          I was given a budget of a few tens of grand, a spare Cat7K router, and told to "make it work", so I did. I got to hack myself silly doing that job and maintaining the network. Just before we were sold, that lab had ~400 nodes of well mixed clients with hostile traffic patterns and I was able to maintain connectivity.

          The key to keeping me from hacking the company's assets was to keep me busy. Safe to say I bet the same goes for any others of my ilk.
          In my new company I have the Hacker credo up on my office door. Just took the "hacker credo" label off it. Everyone thinks it's the best statement since sliced bread. They're blown away when I tell them what it is. My management knows I'm a hacker, my peers know I'm a hacker. My IT department is less than loving of me (as I've modified their standard Windows build to suit my needs) but they know I'm a hacker and they tend to let me be.

          Basically it all boils down to the following fact: I presented that I'm a hacker in my interview. I presented samples of my work. I was hired. This in a company of ~80K employees. My boss's-boss's-boss's-boss knows me by name. When we have a really sticky technological customer issue, I seem to get tapped fairly predictably. From manually re-balling a 72-ball BGA part to hacking a mouse such that when an LED on a customer design turns on the logic analyzer will arm, I do it all. My best asset is my inner hacker.

          -nB
          • Re: (Score:3, Funny)

            by ajohn505 ( 1007097 )
            Man, you are really badass.
          • by Wiseleo ( 15092 ) on Friday September 29, 2006 @08:09PM (#16254175) Homepage
            I make no secret that I can make a compelling presentation on the subject of security and exploiting vulnerabilities with no preparation at any time of the day or night.

            My clients know that when they need something done, I'll find a way to get it done for them. Data mining is a frequent request that deals with modifying underlying queries on public websites. I contact the data source, ask them if there are any limits on how their data can be accessed. Typically they have none. Good for the client, who winds up saving 100s of hours of manual labor with my tricks. Another frequent request is making machines that were not designed for it talk to each other, which yields combined functionality of equipment that costs an order of magnitude more. They also know that when debugging an obscure problem, I have no problem reading register dumps and locating offending files, and that I did not learn that in school.

            I have theoretical knowledge that could be used for nefarious purposes in practice quite easily, but my ethics standards prevent me from doing anything stupid. Besides, it is more fun to be paid to catch blackhats who are unfortunate enough to wander into my domain.
            • Re: (Score:3, Interesting)

              by dknj ( 441802 )
              I have theoretical knowledge that could be used for nefarious purposes in practice quite easily, but my ethics standards prevent me from doing anything stupid. Besides, it is more fun to be paid to catch blackhats who are unfortunate enough to wander into my domain.

              erm. what's stopping you from doing it? They may have nefarious uses in nature, but they also have some wildly fun practical applications. My favorite is an app I wrote recently that will randomly take all the letters in the current Word or no
            • by Gulthek ( 12570 )
              I didn't realize that slashdot comments were thought to be good places to advertise.
          • I have the Hacker credo up on my office door. Just took the "hacker credo" label off it. Everyone thinks it's the best statement since sliced bread.

            Pirate!
          • Re: (Score:3, Funny)

            by Anonymous Coward
            I was employed by a small company where I rapidly rose to the position of being a network admin
            I'd like to read the rest of your comment, but I just can't stop laughing every time I read "rose to the position of being a network admin"...
      • by Vicissidude ( 878310 ) on Friday September 29, 2006 @07:33PM (#16253785)
        Exactly. Law enforcement has asked the same question since the time of the first criminal and the first sheriff: Can you trust a former crook to enforce the law?

        In law enforcement, they came to the conclusion long ago that the answer is no. Besides all the other qualifications for a police officer, they can't have a criminal record. In fact, they are required to pass a 300-question polygraph to make sure that they haven't committed any crimes in which they haven't gotten caught. Further, if a candidate fails a polygraph, the police can investigate and decide to press charges or just blackball you from any chance you have at getting a job with any other police agency.

        That happened to one of my friends who applied for a police officer position here. His offense? As an 18-year-old high school senior, he dated and had sex with a 14-year-old female freshman. It was completely consensual, but the police investigated him for statutory rape. Because of that, he was blackballed, he would never become a policeman, and his 2 years of police academy were completely wasted.

        Police know that if you've broken the law once, even if you weren't caught, then you're likely to break the law again. OR, like the case of my friend, you're not likely to enforce the laws that you broke. (In his case, the statutory rape law.)

        It's the same thing with these black-hat hackers. I wouldn't trust them in top positions in security related IT jobs or in less-sensitive general business jobs.
        • Re: (Score:2, Interesting)

          It should go both ways, if a cop breaks the law (almost every beat cop breaks the law daily, I assure you), they should never be allowed to work in law enforcement again.

          Most times, however, they are reprimanded and sent on their merry way. Hell, breaking the law is all part of the job for most cops. Illegal searches, illegal profiling, illegal traffic maneuvers, illegal harassment, etc. When's the last time you saw a patrol vehicle doing the speed limit, or setting up a speed trap?

          (Of course, I'm of the fr
          • Cops are government officials, not regular citizens. There are exceptions to certain laws so they can perform their duties. This is the same as giving IT workers super-user status. Of course, this is beside the topic of discussion, which is hiring practices.

            Police agencies don't hire law-breakers because they have to enforce the law. IT departments should not hire black-hat hackers because they have to enforce IT policies.
          • Re: (Score:3, Insightful)

            by evolseven ( 941210 )
            hell we all break the law daily most likely.. there is probably some mundane code buried in some law somewhere that forbids me from making a post on a discussion board on the last friday of a month.. The law anymore has become such a complex mess.. I personally say if you can't reduce a law to a one page document.. it gets thrown out.. anything more than a page is just retarded... Do not kill.. Do not steal.. Don't mess with your neighbor's wife or cattle.. there's 7 more but basically.. Don't fuck with ot
        • In law enforcement, they came to the conclusion long ago that the answer is no. Besides all the other qualifications for a police officer, they can't have a criminal record.

          And the same is true in computer security firms. We do not need hackers to know how hackers think. It's easy enough to work out what they are up to by looking at what they do.

          Most blackhat hackers are full of bullshit about their expertise and their motivations. Kevin Mitnick was never a hot programmer, his exploits were mostly social e

    • by russ1337 ( 938915 ) on Friday September 29, 2006 @06:26PM (#16252987)
      Are these big companies likening it to hiring a reformed bank robber as a teller, or a paedophile as a teacher?

      Anyway, I thought the biggest part of being a 'black-hat' was to keep your online identity COMPLETELY SEPARATE from your real life ID... A big company should have no idea they've employed a 'former' black hat - at least if they were any good at it. If they got caught then he/she might not have the attention to detail you require for an employee in that field.
      • Re: (Score:2, Offtopic)

        by TubeSteak ( 669689 )
        Either way, if the black hat is that good, but still risky, you can get insurance for that kind of thing.

        You'll always see adverts for "Bonded/Insured"
        http://www.answerbag.com/q_view.php/37146 [answerbag.com]

        "BONDED - A bonded company has secured funds (controlled by the state) that are available for consumers' claims against the company. This money is directly available to you for various reasons as controlled by a state agency. [ depending on your state ]

        INSURED - If the unspeakable happens, it's important that the contr
      • by Fulcrum of Evil ( 560260 ) on Friday September 29, 2006 @07:18PM (#16253631)
        I'd hire a reformed bank robber to do a pen test on my bank, which is really what they're talking about.
      • If America is any indication, all people deserve a second chance.

        Hell, we hired a former drug-addicted AWOL alcoholic to run our country, and even that turned out all right.

        So give black hats a second chance!
    • by ePhil_One ( 634771 ) on Friday September 29, 2006 @06:26PM (#16252991) Journal
      So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

      My question is, why would they know of their "Black Hat" exploits? I have to admit I've skipped applicants who admitted to "hacking" in a black hat context (not "I sniffed my neighbor's WiFi to get free internet", but "I hacked into a potential employer's network and explored"). It shows an inability to set bounds and a lack of understanding of appropriate/inappropriate. I'd rather have lower skills that I can trust over high skills that might be working against me.

    • by sgt scrub ( 869860 ) <saintium@NOSpAM.yahoo.com> on Friday September 29, 2006 @06:36PM (#16253121)
      My observations as an old person by definition using your rules:

        * Can they work with people?
        * Can they dress well?
        * Do they shower?
        * Are they capable of staying after normal work hours every now and then to see to something getting finished?
        * Are they sensitive to other people and their surroundings?

      Black Hat Hacker.
      I am clean, charming, well dressed, always working, and my sensors are constantly monitoring people and places. I'm also perfectly cold and capable of taking every coin you own and are capable of borrowing. I will do this using my clean, charming, well dressed, and sensitive persona.

      White Hat Hacker.
      I showered today because I wasn't up all night playing WOW. Jeans, T-shirt, piercings, tattoos, uncombed long hair and beard are my personality, get over it. People are either cool or annoying. I try not to be around too many of them at one time but there is nothing wrong with that. Most of my friends are on IRC and WOW anyway. As long as I bang out enough code to meet my boss' requirements I'm golden.
      • Jeans, T-shirt, piercings, tattoos, uncombed long hair and beard are my personality, get over it.

        Offensive to the eyes and ears is 100% as bad as not showering. If you offend my other employees, I don't care how "golden" your code is, I can find someone whose code is just as "golden", and doesn't offend my other employees.

        As long as I bang out enough code to meet my boss' requirements I'm golden.

        Don't lose that job then, you may not find another like it.

        • by AuMatar ( 183847 )
          If your other employees are offended by jeans, T-shirts, tattoos and piercings, the problem is with the other employee, not the coder.
          • by msuzio ( 3104 ) on Friday September 29, 2006 @07:57PM (#16254053) Homepage
            Exactly. The parent opinion is, in all seriousness, completely absurd. Get with the program, buddy, that's not how it actually works.

            I'm at a stellar company, one of the best in its field. So good, in fact, that next month we're due to be acquired by one of the largest corporations in the world, because they want what we can deliver. Yippee for us, I know, but it still points out: we're not a bunch of moronic slackers.

            I look around me at my fellow workers, all of whom bust their asses day in and day out to get the job done. I see plenty of the above marks of "offense". Somehow, we manage to be competent, well-mannered, hard-working people. Who just happen to (in many cases) be wearing jeans, T-shirts, and have tattoos/piercings.

            Maybe I'm just offended because right now, I've got all of the above. The whole wardrobe is black. My cube might have action figures and big pile of "alternative" music CDs in it. Oh, and I shave my head. Some people might think I'm a bit strange, although I myself think I'm relatively mild overall.

            Regardless, I'm also among the absolute best programmers you will ever find. Seriously. It's 8pm, I've been here since 9am, and I'm not going to leave tonight until this particular bug is squashed. I'm dedicated, smart, and I love my job. Also, when I'm not here, I sometimes put on a suit and teach motivational speaking and personal growth courses. I blend in as well in that venue as I do when I'm out at the local bar filled with people in fetish gear and sporting more piercings in them than Custer on his worst day. The first impression in any of these places doesn't convey the totality of who I am, and most people who are open-minded enough to get to know me realize I've got a lot to offer.

            So, sorry, buddy. I can find people who wear nice suits at any business school. Good programmers, who work their asses off and love it? Not so easy to find, and so long as they are willing to be a team player, they're a welcome addition to the crew.
          • Why is it more acceptable to be offensive to the eye than to the nose?
        • by SageMusings ( 463344 ) on Friday September 29, 2006 @07:31PM (#16253763) Journal
          A stylish wardrobe is not a reliable indicator of a good worker, especially when we are discussing developers. I myself prefer black T-shirts and cargo pants. I also wear boots because I motorcycle into work. Does that mean my code, productivity, or relations with my co-workers suffers? So far, everything has been smooth.

          We have plenty of the "dockers" crowd and even a few that wear a suit once-in-a-while. They are usually not technical types and their worth to the organization is certainly not any higher than mine.

          When I was interviewed, two of the interviewers (developers) had actually worn shorts (not the norm but allowed) and asked me if I minded a laid-back environment. I knew then I was in the right place.
          • >> When I was interviewed, two of the interviewers (developers) had actually worn shorts (not the norm but allowed) and asked me if I minded a laid-back environment.

            Spoken like a true northerner.
          • If these sorts of "demands" - clean casual office wear and a minimum of body hardware - are so "superficial", what's the problem? Put on a pair of Dockers, and change after work. Put in your nose ring on the way out the door after work. What's the big deal?
            • Re: (Score:2, Offtopic)

              by ces ( 119879 )
              If these sorts of "demands" - clean casual office wear and a minimum of body hardware - are so "superficial", what's the problem? Put on a pair of Dockers, and change after work. Put in your nose ring on the way out the door after work. What's the big deal?

              It depends. I would suspect any West Coast technology company that expected "business casual" and "no visible piercings, tattoos, or weird hair" had far deeper problems than just their dress code. On the other hand I would consider it a fairly enlightened
    • * Can they work with people?
      Fair enough. If my job requires me to be a part of a team, it's reasonable to ask that.

      * Can they dress well?
      Oh Gods. It depends on what you mean. If you mean my normal attire is that uncomfortable garish dandy's outfit known as a three piece suit, I'll have to say no. The apparel oft proclaims the man, and I generally don't choose what clothes to wear based on what everyone else deems appropriate. If you need me to meet customers, I suppose, but for gods' sakes why are you making me wear a shirt in my cubicle? Would anything else make you feel uncomfortable somehow?

      * Do they shower?
      This is reasonable. If you're going to ask me to do this every morning unconditionally, I'm going to have to say that if I choose the odd Tuesday or so as a "wash the bits" morning and you take offense, you're standing too close inside my bubble.

      * Are they sensitive to other people and their surroundings?
      Of course I am! You'll never see me do or say anything inappropriate. Oh, wait. Do you mean by sensitive that I must take time away from my job to engage in vapid conversation to make insecure coworkers feel better? Must my meetings and greetings be peppered with trite reassurances and shallow smiles? Must I waste precious minutes of my life decoding and responding precisely to oh so many unfathomable and illogical social nuances, walking a tightrope of peril with each word I utter lest someone take grievous and irremediable offense at a misplaced clause or syllable? I'd rather just, you know, work.

      * Are they capable of staying after normal work hours every now and then to see to something getting finished?
      Oh, that kind of job. Sorry, despite what the above might lead one to imply, I do in fact have a life. Or at least, enough of a one not to waste it patching up someone else's mistakes.
      • Three piece suits are for garish dandies? Are you kidding? Is this what we've come to?

        A sharp 3 piece suit is THE menswear. There is no substitute. Not to mention if you spent a couple hundred bucks, you wouldn't have to worry about them being uncomfortable.

        If it was good enough for Cary Grant, it's good enough for me.
        • by rk ( 6314 ) *

          "A sharp 3 piece suit is THE menswear."

          Shit yeah. I love a nice suit. All the more reason I would hate to wear them to work every day, cheapening something I love as much as that to a work uniform. Bleah.

      • by everphilski ( 877346 ) on Friday September 29, 2006 @09:32PM (#16254825) Journal
        * Are they capable of staying after normal work hours every now and then to see to something getting finished? Oh, that kind of job. Sorry, despite what the above might lead one to imply, I do in fact have a life. Or at least, enough of a one not to waste it patching up someone else's mistakes.

        Heh. Sucks to be you. You should try looking for a job you enjoy. When you find a job where you genuinely **want** to be there - the work is challenging and engaging and keeps you interested for 8+ hours a day - it is truly a joyful experience. Hope you find it someday. Until then work is just a job, not a career.
      • by Kevin Stevens ( 227724 ) <kevstev@ g m a i l .com> on Friday September 29, 2006 @10:22PM (#16255129)
        There are many ways to dress well, a suit is not required.

        Like it or not, every day, every single day, you are selling yourself. Now yes, the main criterion in our field to sell yourself by is definitely your intelligence/knowledge. But you know who the PHBs remember? That really smart guy that looked good and could provide a convincing argument to a group of people at their level and got along with everyone.

        I consider myself to dress pretty well, and I own 2 suits, which I wear only on interviews, weddings, funerals, and similar functions. I wear jeans a lot, but not the 80's nuthuggers. Go to a mall, get yourself some decent jeans and some shirts (hint: the ones that are 80% off are there for a reason), button down... standard. Get a little creative to stand out a bit.

        It may depend, I work in finance, and my bosses from the business side are really sharp, they know their shit, and they take people with them when they get promoted often. So impressing them by trying to get on their level is more important than at a more techie-only firm like MS.

        And if none of the above reasons convince you, take a look at that cute Asian girl (stereotype stereotype I know, but come on now there is some truth no?) in the cube on the other side of the floor. She's cute, which is cool, she can code and probably has a math or CS degree, which is hot, and when she starts talking about the advantages of the Linux TCP/IP stack over Windows, you just want to take your pants off. She is probably going to notice the guy that actually pays attention to his appearance rather than the legions of dudes wearing ratty years-old T-shirts from computer companies.

        Just my $.02
    • So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

      Not really much to think about. I would not hire a person at McDonald's if they were convicted of stealing, especially cash.

      So why would I hire a talented, but on the dark side black hat? So he can quietly rootkit my computers? As you men

    • by Amoeba ( 55277 ) on Friday September 29, 2006 @07:10PM (#16253531)
      What's unfortunate for black hats is that there is a wealth of solid programmers from America, India and Russia (if they can make it here) who are more than willing to do anything. On top of that, they have no criminal background. So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

      eldavojohn, I was agreeing with everything you said up until this point. I'm the moderator for the SecurityFocus penetration-testing mail list and the CTO for a security firm specializing in pen-testing. At the level of skill I'm talking about there is no "thousand other people... and meet the basic qualifications" but a very limited number. That fact alone allows for some wiggle room for companies looking for candidates with a rare high-level skill set. Would I hire someone with a blackhat background? Sure, if they met the criteria you outlined above and played at the level I'm looking for, because there aren't that many candidates out there looking for work.

      Of course, while I would hope the decision would be a sound one I'd remain wary as it *is* risky... but people can change or grow up. Anyone who has been in the security industry for a good length of time has some skeletons in their closet. I was not always a lily-white scion of responsibility *cough*... but I grew up. Had the mistakes of my youth precluded me from working in the industry I might have turned out to be a very well-dressed, sensitive, thoughtful, extremely hireable burger flipper.

    • by Rakishi ( 759894 )
      Can they work with people?
      Are you capable of hiring a manager who can keep the stupidity of your company from reaching me? Are you capable of hiring managers who can deal with the team members and keep sanity or is that going to be my implicit job?

      Can they dress well?
      If you mean clean jeans, t-shirt and sneakers (optional in the coding area itself) then yes otherwise no. At best you get slacks, polo shirt and nice looking sneakers. That is unless the job involves dealing with other companies or people in w
      • Why are you sensitive about a question that nobody ever asked you? These are simply the qualities that the gpp looks for in an employee. It's not like you're interviewing to work in his group or anything.

        One way or another, these are all reasonable things to investigate in order to find out whether or not a prospective employee will fit in at the company. Would you want to start at a new job and find out that you just can't work within their culture? In any case, I know that if I were interviewing you

        • by Rakishi ( 759894 )
          Why are you sensitive about a question that nobody ever asked you? These are simply the qualities that the gpp looks for in an employee. It's not like you're interviewing to work in his group or anything.

          Sometimes I feel like pointing things out to people in case they may learn from what I say (or not or whatever). If you post it on the internet prepare to be criticized for it; if you can't ignore, accept or counter the criticism get off the internet.

          One way or another, these are all reasonable things to in
    • Re: (Score:3, Funny)

      by Hal_Porter ( 817932 )
      Can they work with people?

      I never killed a coworker. You can't do much damage with a cheap keyboard, no matter how hard you swing it.

      You have Dells, right? No problem. Wow, I aced this one.

      Can they dress well?

      Most days, I can pull on a pair of pants and grab a T shirt off the floor as I walk out the door. I find I'm more productive barefoot.

      Do they shower?

      Once I got pretty wet cycling to the office on my BMX.

      Are they capable of staying after normal work hours every now and then to see to something getting f
    • Re: (Score:2, Insightful)

      No, I wouldn't hire black hats. A person's ethics don't change a whole lot after their childhood and if they think that it is fine to damage and steal stuff as a teenager (no matter what stuff, computer related or not) then they will still think that there is no problem with that as an adult. Why give them an opportunity to do that when they've "had a bad day"?
      • Re: (Score:3, Insightful)

        A person's ethics don't change a whole lot after their childhood

        You need to get to know more people. I personally know no less than 4 who definitely changed their behavior in the ethical sense since childhood; I'm not exaggerating. Two of them are a couple, in fact -- having a little girl made all the difference in the world with them. The other two simply grew up. Some people actually do grow up. People who say people don't change from childhood are often those who didn't themselves.

  • Summary (Score:3, Insightful)

    by skwang ( 174902 ) on Friday September 29, 2006 @06:20PM (#16252893)
    Trust is hard to rebuild after others lose their trust in you.
    • Re: (Score:3, Insightful)

      by Anonymous Coward
      But even harder to rebuild once you lost your trust in other people.

      Trust goes both ways, it's a mutual phenomenon, not singularly subjective.

      Trust is gained or lost through the fostering of a secure relationship or
      by the abuse of the relationship, it does not exist a priori
      or in isolation.

      Understand this psychology and you are closer to understanding the "black hat".

      I am always shocked at the shallow treatment the words "hacker" and "blackhat"
      get on Slashdot, supposedly a bastion of that very "outsider" cult
  • So don't tell them (Score:5, Interesting)

    by ninja_assault_kitten ( 883141 ) on Friday September 29, 2006 @06:20PM (#16252895)
    I'm an ex-blackhat who's been working the security space for over 10 years now. My employers only know about my work experience; nothing prior to that. I'm very good at my job, I'm passionate about security, that's all that matters. As long as you're a blackhat who doesn't have a criminal record, you'll likely get a lot more value out of them than a cert crazy white hat who got into security cuz it's "cool".
    • Re: (Score:2, Interesting)

      by crashelite ( 882844 )
      I would have to say any black hat is about 10K times more qualified than most white hats due to the fact that black hats will have more experience. Why, you may ask? Because they go where they're not supposed to, DUH! A white hat is limited to the variables they set up and are able to access; black hats can access any variables because they are not limited by the light, only by their will and how protected they think they are from getting caught, inet cafe with cd or flash bootable version of (insert OS here most w
    • Re: (Score:3, Informative)

      by Anonymous Coward
      I'm also an ex-blackhat. Back in the day I stayed up late, did my thing, learnt a lot. It was never malicious really, but definitely blackhat. I was a curious guy, who didn't have much of a sex life. Getting a sex life was good, but so is curiosity - find a direction for it.

      These days I've got degrees, run a security company and have hired several people I knew from the scene who are excellent programmers, professionals, can wear a suit etc. I have also hired several that I suspect were blackhats in the pas
  • by EllynGeek ( 824747 ) on Friday September 29, 2006 @06:20PM (#16252899)
    If I worked at Hewlett-Packard.
  • It depends. (Score:3, Insightful)

    by onion2k ( 203094 ) on Friday September 29, 2006 @06:22PM (#16252923) Homepage
    Would you give black hats a second chance if you were in their position?

    It depends on the job they were applying for. Someone who has proven their ability to ignore the law in the past can no longer be trusted in a position of responsibility, therefore I wouldn't give them a job in any role that required any amount of access to business critical systems or information. I might be willing to hire one as a code monkey to churn out boring stuff that could easily be audited, but even then only if there were no other suitable applicants.

    It sounds harsh, but my job, and the jobs of my colleagues, are more important than giving someone else a break.
    • Re: (Score:3, Insightful)

      by Cheapy ( 809643 )
      "Someone who has proven their ability to ignore the law in the past can no longer be trusted in a position of responsibility"

      So I guess if I went over the speed limit I could never be held responsible again? I mean, that is ignoring the law.
      • by kent_eh ( 543303 )
        "Someone who has proven their ability to ignore the law in the past can no longer be trusted in a position of responsibility"

        Or, put another way...

        "Fool me once, shame on you. Fool me twice, shame on me"

    • Re:It depends. (Score:5, Insightful)

      by jlarocco ( 851450 ) on Friday September 29, 2006 @07:35PM (#16253809) Homepage
      I might be willing to hire one as a code monkey to churn out boring stuff that could easily be audited, but even then only if there were no other suitable applicants.

      Yes, that's exactly what you want. A *bored* (ex)black hat hacker.

  • How hard is it to hire similarly qualified people who *weren't* blackhats? If the only difference between two candidates is that one has a felony record, it's not a hard decision to make. While it may look to the blackhat like it was solely his record that prevented him from getting the job, it's really the fact that he's not that rare a commodity.
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday September 29, 2006 @06:43PM (#16253205)
      If the only difference between two candidates is that one has a felony record, it's not a hard decision to make.

      Not only that, but also what they were doing during their "black hat" phase.

      Running scripts you've downloaded to scan for default passwords on websites so you can post that you've "pwn3d" their site ... yeah, that's going to go real far in the interview.

      On the other hand, knowing enough about TCP/IP to crack servers with an injection routine that you've written ... that would go VERY far in the interview for the right job.

      Script kiddies are a dime a dozen. And their "knowledge" is just about useless in the corporate world. What else do you have that's better than I can find elsewhere without the issue of your past behaviour?

      The same with social engineering attacks (unless you're hired by HP to investigate leaks).

      Real hackers, on the other hand, are extremely valuable not only for the technical skills they've built up, but also because they're driven by problem solving and they are more than happy to get down to the metal.
      • Re: (Score:3, Interesting)

        by jjohnson ( 62583 )
        This is a good point--how many people fairly labelled as blackhats are real hackers in the best sense of the word, vs. getting caught at something stupid and easily downloaded from a l33t site?

        In fact, if someone was actually a blackhat, it would tend to count against them in my mind as a capable hacker because it implies that they got caught.
  • by b4jts ( 816849 ) on Friday September 29, 2006 @06:26PM (#16252975)
    Takes one to know one, I suppose. Looking at what Frank Abagnale [wikipedia.org] did to improve security against bank fraud, I'm sure that a 'black hat' turned good could be of some use to a company.
  • by __aaclcg7560 ( 824291 ) on Friday September 29, 2006 @06:26PM (#16252985)
    If the company is going to be ripped off, it will probably start in the boardroom as upper management are granted perks that they shouldn't have. One company I worked for is on the road to bankruptcy but the company is still paying for the CEO's $200K/year New York City apartment. This is the same management that banned free soda when they figured out that employees were taking a can or two home. Go figure.
  • Hire a black hat? (Score:2, Insightful)

    by xymog ( 59935 )
    The situation is analogous to hiring a former embezzler as an accountant, and the answer is always, "It depends." The burden is on the former black hat to establish credibility and trustworthiness. The potential employer also needs to be aware of scenarios where the former black hat can still be a valuable, contributing employee.
  • The 80's are over (Score:3, Insightful)

    by l0ungeb0y ( 442022 ) on Friday September 29, 2006 @06:30PM (#16253043) Homepage Journal
    Back in the day when networks were new and few people had the in-depth understanding of what was still an arcane field, the recruiting of a blackhat made a lot of sense for trying to make more robust security solutions. But now, we have hundreds of thousands of qualified people and many IT Professionals are highly trained in the area of Network Security. And the blackhats these days by and large are either worm authors/botnet controllers or crackers who use scripted 'sploits to ply their trade. So no, I see no need for the Corporate Enterprise to open itself up to the liability it would face in the event of the "reformed" blackhat deciding to "play around" a little bit with employee data. There's already been enough fallout over loss of customer data and security concerns. Knowingly hiring a convicted felon to entrust that data to would only serve to fuel lawsuits in the event a security breach did take place.

    If a blackhat is skilled and "reformed" and truly interested in security, they can offer their services as an outside consultant.
    Or perhaps the Military could make use of knowledgeable blackhats putting them on the front lines of electronic warfare.
    But I agree that in the workplace they should be treated as any other convict when applying for a position.
    • Re: (Score:3, Insightful)

      by EvanED ( 569694 )
      But now, we have hundreds of thousands of qualified people and many IT Professionals are highly trained in the area of Network Security

      And yet we still have security holes out the wazoo. Clearly those hundreds of thousands of qualified people aren't doing enough.

      Plus, how many of those hundreds of thousands of qualified people could explain how data execution protection is implemented on x86? How many of them even know that the x86 has a separate iTLB and dTLB? (My cynicism says "how many of them know what
  • by brunes69 ( 86786 ) <`gro.daetsriek' `ta' `todhsals'> on Friday September 29, 2006 @06:31PM (#16253057)

    Ducklin said: "Let's say that you're shot during a mugging [incident]. As you drift into unconsciousness, would you find yourself saying 'Gosh, I hope the surgeon who operates on me used to be a street criminal because he must really understand gunshot wounds well if he actually shot the people?' You wouldn't think that."

    Agree 100%.

    • by phasm42 ( 588479 ) on Friday September 29, 2006 @06:52PM (#16253301)
      That's a valid analogy for script kiddies. If a blackhat has serious skills (like finding and exploiting holes), these same skills can be used to find and block holes. The surgeon analogy falls apart here. How about if you were infected with an engineered biological agent. Someone who had experience making them would have some useful skills to offer you. The bank fraud example cited earlier is another good analogy.

      Which isn't to say that hiring former blackhats is always a good choice. It's a matter of judgement -- has the person really reformed?
    • Ummm... that's an awful analogy.

      A mugger with a gun is the equivalent of a script kiddy.

      I'm not really sure why TFA included such a crappy analogy in an article about security jobs that require knowledge.
    • by EvanED ( 569694 )
      I disagree 100%. It's a stupid analogy.

      You don't need to know the psychology of shooters to know how to treat a gunshot wound. Someone figured that out, it's taught to doctors, and we're all set. Similarly, SQL injections are known about, and ways of preventing them are known, so no, you shouldn't need a black hat to help secure you against those.

      However, thinking up exploits is an entirely different matter. You can't defend yourself against something that you can't think of.
  • First of all, I've never heard of any of these interviewees. Have they done anything of note in security? I am committing a logical fallacy in asking this, but they don't carry any water in my security oriented meritocracy. As far as conferences go - I'd like to see a comparison of skillsets between attendees for say Defcon and Blackhat, excluding people attending both. I'll wager the Defcon crowd will win out anyways (not that defcon attendance = hacker, but it does mean more so than blackhat).

    I'd much
  • Well... (Score:2, Interesting)

    by jellomizer ( 103300 ) *
    The real question is: are Black Hat Hackers worth the potential risk (shown by their history)? Being a Black Hat hacker doesn't mean you are any good at computers or security. Being labeled as a Black Hat Hacker means you were some Jerk Script Kiddy who downloaded some scripts and took control of systems that they knew were vulnerable. There are a lot fewer Black Hat hackers who are actually good at what they do. The Gray or White Hat hackers, those are the ones you want to focus more on. They are more int
  • I'd hire a "contracting" company that had their services to offer, but I wouldn't want to put them on my actual direct payroll. I'd always worry that they were collecting info on me off my system to use for the future. The less tech savvy a manager is, I'd bet the more that they'd want to cover their butts, just in case of that. I would use them for corporate IT theft on other companies, but would always worry about how defended my own company is.
  • Would you hire a former jewelry thief to guard your jewelry store? Giving him full access to your security system and allowing him to be in alone at night?
    • by phasm42 ( 588479 )
      This comment made me realize another key thing to look at when deciding whether to hire a former blackhat. Were their activities motivated by money, a desire to explore, or to just defy security? A jewel thief would fall almost exclusively in the first. It'd be difficult to really trust a blackhat that fell into the first category as well. But the second category is a good quality, and the third is more likely to fade with age, and overlaps with the second.
      • This comment made me realize another key thing to look at when deciding whether to hire a former blackhat. Were their activities motivated by money, a desire to explore, or to just defy security?

        It makes no difference at all in the final analysis; the damage is still there regardless of the motivation.

  • You can never be sure someone is reformed; you only know when they fall back to their old ways, assuming you catch them.
    Part of this is because of the ideological mindset; the ones who claim they did it all as a game still often think it's fun, and they seem to lack the subconscious barriers to antisocial behavior that normally tell people that it's destructive behavior. They may "go legit," but how do sociopaths grow ethical and/or moral senses?

    These people still like manipulating people through different l
  • by really? ( 199452 ) on Friday September 29, 2006 @06:53PM (#16253323)
    Well, it would depend, wouldn't it.

    In no particular order:
    How do you know the "hat status" of a potential employee?
    What does the law say in the jurisdiction you're in?
    Are there other "hat free" candidates with the same skills?
    Are you willing to take the risk?
    Are there any benefits to the available position that the former "black hat" status offers? (Think, for example, of a truly reformed virus writer who still has contacts in the underground, but, who is now applying for a position in an antivirus company.)

  • Ethics: in spite of 'black hat', it is still possible for someone to be otherwise ethical. On the other hand, it isn't very likely.

    The guy that spends his time concentrating on the 'how' of the hack, without much regard for the effect of the hack is more ethical than the guy performing the hack to steal credit card numbers.

    One could potentially be a maturity issue, the other is intentionally criminal.

    I could never trust someone who spent a few years stealing & using credit card numbers.

    Someone I know was
  • Would you give black hats a second chance if you were in their position?

    Barring any severe self-esteem issues, if I were a black hat, of course I would give myself a second chance.

    Grammar, people, GRAMMAR!

  • It depends... (Score:3, Insightful)

    by AxemRed ( 755470 ) on Friday September 29, 2006 @07:07PM (#16253501)
    The term "black hat" can cover a lot of ground. In my mind, there's a big difference between someone who got in trouble for snooping around the university's network for the sake of curiosity and someone who attached a keygen trojan to something and put it out on the internet for the purpose of stealing credit card numbers. There's also a difference between someone who DoS'ed their school's webpage in high school and someone who DoS'ed their employer's webpage when they were 25.

    Here's another thing to think about too... The only reason to hire a black hat over someone else would be that you know they have some experience in hacking. However, there are many people who have the same experience and never did anything illegal. Basically, you're sacrificing a varying amount of ethics in exchange for a guaranteed amount of skill. Also, in many cases, the skill that a black hat has proven is directly proportional to the ethics that he has disproven. That is, if you know enough of a hacker's exploits to know that he is very skilled, you also know that he has broken the law a sufficient number of times to prove it to you.

    In all, I would say that hiring a black hat would be case-by-case for me. Someone who is a black hat because of a harmless, but illegal, mistake may pique my interest because of his proven ability to learn independently. Someone who hacked a private network years ago, but has since proven to be a responsible person, may end up being a skilled employee and worth a second chance. But, to me, someone who committed repeated damaging, malicious acts online is no better than someone who committed repeated damaging, malicious acts in real life, and they would not be worth the risk, regardless of skill.

    //Would you hire a multiple-time burglar to protect your home?
    //Sometimes it's best to trust the home-security companies, regardless of whether or not their employees have ever broken into a house.
    • "Basically, you're sacrificing a varying amount of ethics in exchange for a guaranteed amount of skill"

      A self-professed black-hat (criminal) does not equate to possessing rare, technical skills. Criminals are not necessarily smart. They are merely unbound by societal norms...No more, no less.

  • Clear answer (Score:2, Insightful)

    by Anonymous Coward
    I would not hire a former thief in a supermarket as a detective
    I would not hire somebody who took money from his employer in a bank
    I would not hire a former drug addict as a salesperson in a pharmacy
    I would not hire a former pedophile in an elementary school
    I would not hire a murderer as a social worker

    So - no I would not hire somebody who fell one time to some temptation in a job where he is tempted each day.

    A Blackhat as a programmer - maybe; as an administrator - no.
    • Re: (Score:3, Interesting)

      by senatorpjt ( 709879 )
      I can't see a blackhat even wanting to be an admin. If you already have access, it's boring.

  • If the Black Hat was any good at all, you would have no way of knowing he was (or is) a black hat.

    But if someone with a criminal record for cybercrime applied, there is NO WAY an informed manager would hire him. If he breaks the laws again, someone could go after you personally for negligence.
  • Lots of people do dumb things in their youth. Just evaluate the person as they currently are. There are certainly circumstances that would be hard to overlook for certain positions, but to forever eliminate from consideration anyone who ever did anything illegal with a computer seems a bit nuts. Would you refuse to hire someone that got caught shoplifting as a kid? What percentage of your coworkers did something dumb as a kid, whether they got caught or not?
    • Would you refuse to hire someone that got caught shoplifting as a kid?

      If the kid shoplifted thousands/millions of dollars worth of merchandise, hell yeah I'd refuse to hire the person. Fool me once, shame on you. Fool me twice, shame on me.

      And you can't exactly compare "doing something dumb as a kid" with hacking/nuking/blackmailing a corporation/company.

  • Don't be alarmed, there are a lot of idiots in leading positions in large companies, just as there are many idiots born into affluence a.k.a. Venture Capitalists.

    First, Paul has attempted to apply traditional business philosophies and the illusion of value to that of Open Source development. "[hackers] don't have to support their product [or] be absolutely reliable", is one hint. The illusion of "support"... well, I paid 15,000 (USD) for this SunFire server... called up Sun Microsystems and I have to pay
  • by tota ( 139982 ) on Friday September 29, 2006 @07:51PM (#16253987) Homepage
    by hiring an ex-blackhat, at least you get:
    * someone who can hack it - no CISSP is going to replace hands on skills
    * someone who is willing to admit he has made mistakes in the past - which is more important than ever in the world of security: covering up mistakes doesn't help.

    now, if he's good - it shouldn't even matter if he has been blackhat: the systems should be secure, especially from the inside job threat. And part of his job should be to make it provable that it is so.

    Now, if all you want is some type of ISO certification stamp of approval - rubber stamp / get finance / show off, go hire some certified engineer with a long series of random acronyms on his CV, which may include MCSE in the lot - that should be a hint, but unfortunately depending on who does the recruitment it may not be a deciding factor...
  • Learning how something works is respectable. Deliberately screwing it up with the knowledge of how it works? Not at all. If someone is considered / considers his- or herself a "Black Hat" hacker, you need to think about what they're learning from you, and how that will affect your business. 99.9% of the time, that's not a risk worth taking. On the other hand if someone has an in-depth knowledge of a specific subject and they're responsible enough not to use that inappropriately, they're someone you wan
  • by ThoreauHD ( 213527 ) on Friday September 29, 2006 @08:19PM (#16254267)
    I am a bit confused about the implication. The black hats... well, they weren't called that in the beginning. I don't remember anyone but old people talking about your moral compass in regards to exploiting security holes. All information is knowable. It's a belief that borders on faith. In my circles, it was just assumed that you would do no harm to the whole. When a surgeon takes out your bulging appendix, he has to do some damage to make sure you survive in the end. That's a proper analogy to the successful "black hat" folks. Even if it meant OOB'ing Microsoft's site for 3 days (winnuke was brought up by a previous poster). A much worse scenario would ensue when a hospital was taken down because they (OS/ipsec company, etc.) ignore their own weakness.

    I have to tell you that the people I knew that did those things and worse are running your fortune 500 companies right now. The smartest don't get caught. Mitnick had an ego. These people don't. They are innately good at what they do and there is a higher than likely possibility that a "black hat" has saved your company from disaster more times than anyone else. That's my observation.

    There are those that destroy to destroy. They don't survive. It's natural law. Smart people know this. Smart people also know that you don't own information or thought- and everything can be altered. I don't think the connotation of "black hat" describes the best of us accurately. I think they are something different and you will see it when their intuition saves your company time and time again. Where the metal meets the meat, you would rather have a person who's been on the other side rather than some cert collector that's just guessing. Media likes to make their misconception reality because it lends them credence. Black Hat does not mean evil. Hacker does not mean cracker. They are not one and the same.
  • Hire one? I've built an entire company with the combined efforts of former Black Hats.

    Y-Crate
    CEO - Setec Astronomy
  • by iamacat ( 583406 ) on Friday September 29, 2006 @09:08PM (#16254663)
    • Should you hire a graphics designer who ever smoked pot?
    • Marry a 30 year old guy/woman who had some flings in college?
    • Hire a developer with 10 years of experience who got root access to a few university servers to impress girls?

    There are always risks involved, but excluding top 1/3 of candidates from your list is stupid. If you are good at something, chances are you played around a bit in your formative years.

  • WhiteHats know more than a BlackHat only from privileged access. WhiteHats don't know what a BlackHat knows, hence asymmetric warfare rules have WhiteHats at a disadvantage from the start.
  • People hire convicted felons all the time. What they generally don't do is to hire them in roles that were central to their offenses. It's one thing to hire a convicted pedophile to balance the books, but quite another to put him in charge of the company daycare.

    The unchallenged assumption here, of course, is that a "black hat" necessarily has any special qualification for a security job. It's like assuming that a graffiti artist will have any useful insights into formulating a graffiti-resistant exterior p
  • by Servo ( 9177 ) <dstringf@NospAM.tutanota.com> on Saturday September 30, 2006 @09:39AM (#16257711) Journal
    There is a high degree of risk in hiring anyone with a criminal background, regardless of the position. Employers need to be able to trust that person. A man convicted of rape would be the last person to work at the YWCA, so why would you expect that a person convicted of a computer crime be the first pick for a job working with computers and security?
