
The Path From Hacker To Security Consultant

Soulskill posted more than 5 years ago | from the curiosity-killed-the-cracker dept.

Security 96

CNet has a series of interviews with former hackers who ran afoul of the law in their youth, but later turned their skills toward a profession in security consulting. Adrian Lamo discusses taking "normal every day information resources and [arranging] them in improbable ways," describing a time when he broke into Excite@Home's system and ended up answering help desk questions from their users. Kevin Mitnick, famous for gaining access to many high-profile systems, warns today's young hackers not to follow in his footsteps, saying, "A lot of pen testers today have done unethical things in their past during their learning process, especially the older ones because there was no opportunity to learn about security. Back in the '70s and '80s, it was all self-taught. So a lot of the old-school hackers really learned on other people's systems. And at the time, I couldn't even afford my own computer." Mark Abene explains how he got interested in phone phreaking, and how it led to a prison term and a career in computer security. Like Mitnick, he says that easy access to powerful modern computers removes part of the motivation for breaking into other systems.


96 comments


Or maybe... (3, Insightful)

Anonymous Coward | more than 5 years ago | (#28495423)

They just realize they can hide better as security researchers. :)

Terrist's (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28495435)

Kill them all and let God choose which backups to restore.

Sounds familiar (5, Insightful)

unlametheweak (1102159) | more than 5 years ago | (#28495457)

And at the time, I couldn't even afford my own computer."

Don't do what I've done, do what I say. Things were also tougher for me. When I was a child I had to walk 20 miles to school every day in a snow storm, through swamps and trying to avoid crocodiles. Things were tough. You kids today have it easy.

Re:Sounds familiar (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28495603)

I dunno, maybe they've learned a lesson and are trying to steer people away from needless hardship?

Re:Sounds familiar (1)

unlametheweak (1102159) | more than 5 years ago | (#28495637)

I dunno, maybe they've learned a lesson and are trying to steer people away from needless hardship?

Perhaps, but unless they've been in jail then it's probably just the same old hypocrisy and moral superiority based on age.

Re:Sounds familiar (2, Insightful)

anagama (611277) | more than 5 years ago | (#28495869)

As people age, they often realize that many of their youthful decisions, which seemed so correct at the time, were not such great ideas after all. It's a natural part of growing up and the basis for the often heard cliche, "If I knew then what I know now ..." Any person who gets to 40 and feels that he or she has made only correct decisions in life, probably has some sort of diagnosable condition because nobody does everything perfectly all the time.

Re:Sounds familiar (1)

unlametheweak (1102159) | more than 5 years ago | (#28495933)

As people age, they often realize that many of their youthful decisions, which seemed so correct at the time, were not such great ideas after all.

I haven't noticed this. I have noticed that people tend to rationalize their behavior. Unfortunately people (personality-wise) change very little with age. So an impulsive ten year old will likely grow into an impulsive forty year old. And depressive people will remain depressive and honest people will remain deviant.

People will make excuses for their behavior if they get caught, and they will make excuses for their hypocrisy either way. There isn't much altruism in people. People only find religion after they've been condemned to death. If they manage to break out of jail they tend to lose that religion.

Re:Sounds familiar (0)

Anonymous Coward | more than 5 years ago | (#28496175)

As people age, they often realize that many of their youthful decisions, which seemed so correct at the time, were not such great ideas after all.

I haven't noticed this. I have noticed that people tend to rationalize their behavior.

So, that's why you didn't listen to the old guy?

Re:Sounds familiar (1)

The Archon V2.0 (782634) | more than 5 years ago | (#28496239)

As people age, they often realize that many of their youthful decisions, which seemed so correct at the time, were not such great ideas after all.

I haven't noticed this. I have noticed that people tend to rationalize their behavior.

Some people don't grow up. Some do. I did things as a teenager I have regrets over now because they were stupid or assholish. I understand WHY I did them, but I realize now they weren't the right choices to make in those situations. And in ten years I'll probably be kicking myself for something I'm doing now.

and honest people will remain deviant.

Freudian slip? :)

Re:Sounds familiar (1)

unlametheweak (1102159) | more than 5 years ago | (#28496285)

In general I'm looking at the big picture and not at individual incidents. The forest, not the trees per se.

and honest people will remain deviant.

Freudian slip? :)

I assure you those words were quite deliberate. No cognitive dissonance here.

Re:Sounds familiar (0)

Anonymous Coward | more than 5 years ago | (#28500605)

I probably misinterpret what you said, but let me say this. This sentence of yours "I have noticed that people tend to rationalize their behavior" made me co-relate in the sense that the behavior is always essentially irrational anyways. So saying later, that you have made a bad choice, is a hypocrisy too. Because bad or good, the choice was not rational, or maybe not even yours. It was your subconscious, that was making choices.

Re:Sounds familiar (0)

Anonymous Coward | more than 5 years ago | (#28495895)

Perhaps, but unless they've been in jail then it's probably just the same old hypocrisy and moral superiority based on age.

Did you even read the summary? In the summary you can clearly read that one of them spent time in prison.

The one you quoted happens to be Kevin Mitnick, So he has been to jail to. A simple google search could have spared you the embarassement.

Re:Sounds familiar (1)

Rip Dick (1207150) | more than 5 years ago | (#28495941)

Just as a simple spell check could have spared you the embarrassment.

Re:Sounds familiar (1)

unlametheweak (1102159) | more than 5 years ago | (#28495977)

Did you even read the summary? In the summary you can clearly read that one of them spent time in prison.

Really? I obviously wasn't referring to that one person referred to in the summary, and I obviously am not embarrassed. I have been aware of Kevin Mitnick since the 1990s; there is no Google search necessary.

Re:Sounds familiar (1)

omeomi (675045) | more than 5 years ago | (#28496453)

Perhaps, but unless they've been in jail then it's probably just the same old hypocrisy and moral superiority based on age.

So, yes, Kevin Mitnick was pretty famously put into prison. From what I remember, he got a particularly harsh sentence because the general public didn't really understand what it was that he did. He wasn't even allowed to use the phone in jail because there was a silly belief that he could launch nuclear missiles by whistling tones into the receiver or something. He did something wrong, yes, but people confused real life with WarGames [wikipedia.org] and he got the short end of the stick. If anybody's learned this lesson the hard way, it's definitely Mitnick.

Re:Sounds familiar (1)

Cross-Threaded (893172) | more than 5 years ago | (#28495639)

That trick never works.

Re:Sounds familiar (1)

sco08y (615665) | more than 5 years ago | (#28496555)

When I was a child I had to walk 20 miles to school every day in a snow storm, through swamps and trying to avoid crocodiles.

Yeah, I remember, when I was a child I actually had to walk to a library to borrow an actual book.

Don't do what I've done, do what I say

Sounds familiar. [nizkor.org]

Look, I'm not even saying that kids have it easy nowadays, far from it. I remember learning to program on a C-64. You could memorize all the important addresses. Your languages were BASIC and assembler. You had a grand total of 3 registers. You had no endian issues, no Unicode, nothing to install, nothing to configure. You just bought a subscription to Run magazine and started by copying the programs from it.

Things are different now, and I think it's better that it's harder and that the upcoming generation will adapt just as we did. All these guys are saying is that what made sense then doesn't make sense now, that much should be obvious, but kids are still idiots.

Re:Sounds familiar (1)

unlametheweak (1102159) | more than 5 years ago | (#28496743)

Don't do what I've done, do what I say

Sounds familiar. [nizkor.org]

FYI, and to keep things straight, I was making an observation and not making an argument to prove a point, so there is no hypocrisy fallacy here.

From hacker to help desk? (4, Funny)

petes_PoV (912422) | more than 5 years ago | (#28495479)

he broke into Excite@Home's system and ended up answering help desk questions from their users.

Sounds like he's still being punished for his "crimes".

Re:From hacker to help desk? (0)

Anonymous Coward | more than 5 years ago | (#28497137)

I can never get back the 30 seconds it took me to read this article dang it. Worst read I've ever seen on Slashdot.

Re:From hacker to help desk? (1)

adolf (21054) | more than 5 years ago | (#28502099)

Why did you read the article? Nobody else does.

Path from GOP leader to full-fledged homosexual (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28495509)

Some hackers are closeted nazis just like many in the GOP leadership are closeted homos.

Lamo. (-1, Flamebait)

descil (119554) | more than 5 years ago | (#28495529)

I'm sorry but... come on... dude is just pure lamesauce... & his whole family too.

Old adage. (3, Interesting)

dov_0 (1438253) | more than 5 years ago | (#28495555)

It takes one to know one. This works in all sorts of industries. The best teachers for example were often the worst behaved students.

Re:Old adage. (5, Insightful)

Antique Geekmeister (740220) | more than 5 years ago | (#28495617)

No, the best teachers really weren't the worst students. That's a silly idea.

The "worst behaved" students of my experience, and possibly yours, are dead, massively crippled by their own foolishness, in jail, dying of AIDS or lung cancer, homeless, etc. Being homicidal, fundamentally stupid, a slut of any gender or orientation, constantly stoned, or spoiled does not help one as a teacher.

There are kinds of behaviors that are frowned on by authorities, for lots of understandable reasons, but help people be leaders or teachers. Curiosity, interest in others, love of particular types of knowledge, etc. can all hinder someone in school but pay off for teachers, true.

Re:Old adage. (4, Insightful)

dov_0 (1438253) | more than 5 years ago | (#28495699)

Maybe your experiences are different to mine.

Re:Old adage. (1)

that this is not und (1026860) | more than 5 years ago | (#28496145)

It does sound like he went to public school, and you went to private school.

Here's a clue: in public school, the really, really disruptive kids didn't 'disappear' from time to time.

Re:Old adage. (1)

endymion.nz (1093595) | more than 5 years ago | (#28498209)

Actually they have a tendency to materialise halfway through the week at the empty desk next to you.

Re:Old adage. (1)

MrMarket (983874) | more than 5 years ago | (#28496789)

Maybe your experiences are different to mine.

I think you're right. Just a wild guess here, but you probably went to a public school in a rich suburb, and the GP probably teaches in the ghetto, where the "bad" end of the behavior spectrum has different motivations and higher stakes. Think John Hughes vs. Spike Lee.

Re:Old adage. (1)

dov_0 (1438253) | more than 5 years ago | (#28498689)

I didn't go to the 'nicest' schools, but I went to school in Melbourne, Australia. Yeah we have violence and drugs, but nothing like some schools in the US it would seem.

Re:Old adage. (0)

Anonymous Coward | more than 5 years ago | (#28502059)

In the US, the real losers in HS, usually stay losers through life. I can't imagine this being much different anywhere else. Yes, a small percentage of those people turn their lives around. And those who do, usually were not the real losers, they were just hanging out with the wrong crowd.

Re:Old adage. (1)

Antique Geekmeister (740220) | more than 5 years ago | (#28499987)

Apparently so. And to counter another poster, I attended both public and private schools, depending on various family circumstances. The private schools could _kick out_ the worst students, and dump them on the public schools to deal with. There were occasions where the private schools could also take on horrible cases that the public schools could not hope to handle properly: clergy who are willing to box a child's ears instead of public school teachers afraid to defend themselves were something I learned to applaud for the worst behavioral cases.

Re:Old adage. (1)

Chiindi (921151) | more than 5 years ago | (#28504437)

There are always some swimming at the shallow end of the gene pool! Ya can't help everyone.

Re:Old adage. (0)

Anonymous Coward | more than 5 years ago | (#28495657)

It takes one to know one.

Yes you are, but what am I?

Re:Old adage. (1)

Omniscient Lurker (1504701) | more than 5 years ago | (#28495745)

Academia wise the worst students at my school dropped out (~20 from my class) or got expelled (1 from my class) and didn't graduate so there is no way they can become teachers.

Re:Old adage. (0)

Anonymous Coward | more than 5 years ago | (#28496157)

Frank W. Abagnale

Re:Old adage. (4, Interesting)

thesandtiger (819476) | more than 5 years ago | (#28496199)

If by "worst behaved" you simply mean the ones that would challenge authority and "color outside the lines," then sure - those kinds of "misbehaviors" are pretty common among people who are really good at their job. That seems to be a pretty milquetoast version of "worst behaved" though.

As someone who went to Chicago Public Schools, I can say that the "worst behaved" students are the ones who were unable to handle any kind of structured environment, were disruptive and violent towards other students, were often high if they bothered to show up for classes, and generally couldn't handle even remedial work. The few of these kids that eventually straightened themselves out might make good mentors or counselors at programs to help at-risk children, but generally wouldn't be what I'd call good teachers because they're usually lacking the academic accomplishment that really good teachers must have.

On the issue of taking one to know one - I think it's possible to be a good security expert without being a convicted felon. Given the choice between hiring someone who is very good but a convicted felon vs. someone who is very good and who has the moral compass necessary to avoid committing acts that are criminal, I'll take the latter any time. There are *millions* of people the world over who do computer security - most of them without criminal records - it's not exactly like it's some kind of arcane art or a skillset so hard to come by that one must hire a (hopefully former) black-hat.

My guess is some of these guys are being hired by organizations who want to use their felony record as some kind of street cred - "Our security is the best; we've got one of the worst of the hackers in charge of it!" etc.

Re:Old adage. (0)

Anonymous Coward | more than 5 years ago | (#28512389)

Your argument is silly - of course it is better to have a great worker without a criminal record compared to an exact clone with that record.

In real life, however, things are somewhat different. First of all, how do you find your good security consultants? Secondly, how do they get good?

Note, however, the difference between types of security consultants - there is quite a lot of security you can acquire without dealing with people who often have done illegal or shady things, such as recommending smart policies that increase security - allowing people to choose passwords themselves with some recommendations and basic checking, for instance ("No, sir, you can't have your first name as your password. No, not even backwards. Backwards followed by '#1337!' - sure, that works.").

If, however, you want to test your system against penetration, you may need to go to the practical experts. I am not suggesting hiring "practising" criminals, by any means, but reformed ones could probably do the job - at least if they were not convicted on all charges because of lack of evidence etc.

Put Kevin Back! (0)

Anonymous Coward | more than 5 years ago | (#28495565)

Will someone please put kevin back in jail!?

Criminal record == no job (5, Insightful)

syousef (465911) | more than 5 years ago | (#28495577)

It is the exception, not the rule, that a hacker becomes employed as a highly paid consultant. A lot of jobs require security checks, which you will fail if you have a criminal record. Some places have the flexibility to allow exceptions. Most don't. Even if they do you have to prove you offer something so unique and worthwhile that an exception should be made.

It does happen. Hackers do sometimes get jobs. People also win the lottery. Doesn't mean it's smart to play against the odds.

Re:Criminal record == no job (1, Informative)

Anonymous Coward | more than 5 years ago | (#28495689)

Oh fuck!

I went and got busted for: drugs, hacking, running guns, spying on a defence contractor, and bribing a judge. I was planning on becoming the most bad-ass security consultant on Earth.

Re:Criminal record == no job (5, Insightful)

Captain Jack Taylor (976465) | more than 5 years ago | (#28496353)

Don't worry, you sound like a great candidate for President.

Re:Criminal record == no job (3, Interesting)

Anonymous Coward | more than 5 years ago | (#28495775)

"A lot of jobs"? You mean jobs where you're an employee.

This is why most of these guys are "consultants". That is, they run their own business and therefore don't typically require any of the normal checks that employees have to get. Some (government) things require security clearance but most stuff does not. All you need is a good reputation and proven skills.

Re:Criminal record == no job (3, Informative)

CaptainJeff (731782) | more than 5 years ago | (#28495901)

If you are hiring consultants to perform security-related functions, you're being negligent by not doing background checks and such on them. Any security-related processing you are doing on full-time employees should be done on contractors as well if they are doing similar jobs. If you're not doing that, you're doing it wrong.

Re:Criminal record == no job (1)

ColdWetDog (752185) | more than 5 years ago | (#28496349)

Indeed. In healthcare in the US, any felony conviction keeps you completely out of employment or consultancy. Period. Significant potential downsides for not vetting employees and consultants. Even in our tiny little hospital we have one FTE for all of the 'compliance' issues we're forced to follow. Not saying it makes any sense at all, but there it is.

Re:Criminal record == no job (0)

Anonymous Coward | more than 5 years ago | (#28496455)

Maybe in your state, but in NC convicted felons can become RNs, social workers, psychologists, substance abuse counselors, LPN, CNAs and dental hygienists. And most of the national licensing boards and associations do not automatically deny certification to felons, although some have stringent requirements. I think many "felons" are not what you are assuming. There is a huge difference between a 16 year old deciding to buy a pound of pot, and getting smacked with a distribution charge, and a serial rapist. But what the fuck do I know, I was convicted of a felony at the age of 17 and went to prison.

Re:Criminal record == no job (0)

Anonymous Coward | more than 5 years ago | (#28500789)

Maybe in your state, but in NC convicted felons can become RNs, social workers, psychologists, substance abuse counselors, LPN, CNAs and dental hygienists.

Pretty much agrees with what I've been led to believe: southerners are borderline retarded.

There is a huge difference between a 16 year old deciding to buy a pound of pot, and getting smacked with a distribution charge, and a serial rapist. But what the fuck do I know, I was convicted of a felony at the age of 17 and went to prison.

Sure, that's why there are different classes of felonies, which is why you're not doing life or getting a trip to the chair. If you didn't realize the gravity of what you were doing with a pound of pot when you were 17 then you need not work with sensitive data, let alone being employed in the medical field where you could do real harm.

Most well-adjusted people I know of could have told you when they were between the ages of 10 and 12 that your actions were stupid. And then you got caught.. boo fucking hoo.

Short version: you're dumber than a brick, and your state is a joke.

Re:Criminal record == no job (1)

nhytefall (1415959) | more than 5 years ago | (#28504121)

Amen.

Re:Criminal record == no job (1)

alcourt (198386) | more than 5 years ago | (#28502713)

Most of the places I would work at have long standing policies that forbid the use of even gray hats in security. It doesn't matter if they are employees or contractors or consultants. If it is learned that you have a black hat record, you are out of security.

Seem harsh? Maybe, but it sure beats the alternative of hiring yet another pretend reformer.

Re:Criminal record == no job (3, Insightful)

smoker2 (750216) | more than 5 years ago | (#28496059)

It is the exception, not the rule, that a hacker becomes employed as a highly paid consultant.

How do you know ?
Surely if you were any good at it you wouldn't get caught, so no criminal record. It's only the ones who do get caught that have nothing to lose by exposing their past. And of course they're going to say "don't do it". I would argue that we need more people involved in it not less. Why should "the man" have everything his way ? Sometimes it is necessary to step outside the law, precisely because it is the law. If an authoritarian govt. says you can't access a website, should you just say "yes sir", or would you find a way to do it anyway ? I would have thought that with all the passive-aggressive angst on here recently regarding Iran's internet policy, the answer should be obvious.

"Hacking" drives security, and keeps the corporations and the govt. awake. Information is control, why should the powers that be have all the control ?

Re:Criminal record == no job (1)

syousef (465911) | more than 5 years ago | (#28498709)

Surely if you were any good at it you wouldn't get caught

Eventually most criminals get complacent or unlucky and slip up and are caught.

Why should "the man" have everything his way

Really this is the best you've got? 1960s rhetoric that didn't make much sense even back then unless you were completely stoned?

"Hacking" drives security, and keeps the corporations and the govt. awake. Information is control, why should the powers that be have all the control ?

I see. You are stoned.

Re:Criminal record == no job (1, Interesting)

Anonymous Coward | more than 5 years ago | (#28496073)

Back in the late 90's (age 13-17) I was "curious" about security. I did many things which would now be considered criminal or, at the very least, of ethical concern. I now hold the highest level security clearance you can get, helping to defend our military infrastructure. This is after admitting my youthful behavior to my investigators. Perhaps it is more about being caught than actually committing the crime? Or perhaps it was that I had grown out of it and proven myself a trustworthy individual? Probably a combination of both.

Re:Criminal record == no job (1)

tukang (1209392) | more than 5 years ago | (#28496307)

It is the exception, not the rule, that a hacker becomes employed as a highly paid consultant. A lot of jobs require security checks, which you will fail if you have a criminal record.

Hacker !imply Criminal

Yes, some hackers are criminals but not all are - and *a lot* of the ones who aren't are in fact highly paid consultants. Please stop spreading the misperception that hacking is criminal or unethical.

Re:Criminal record == no job (1)

syousef (465911) | more than 5 years ago | (#28498727)

Yes, some hackers are criminals but not all are - and *a lot* of the ones who aren't are in fact highly paid consultants. Please stop spreading the misperception that hacking is criminal or unethical.

I am not spreading any such misconceptions. In the context of this story we're talking about hackers who have broken the law but managed to get a job in spite of or notionally due to their experience with hacking.

Re:Criminal record == no job (1)

Opportunist (166417) | more than 5 years ago | (#28496785)

Thank you, I got here late.

A criminal record is NOT a recommendation paper. Quite the opposite. These people got their jobs despite a record. Not because. A criminal record is, essentially, the proof that you made a mistake. Else you wouldn't have been caught. They are the icons of hacking, and that's what landed them jobs. DESPITE their records.

That's not to say that there are no "white hats" that never crossed the legal lines. It's easier now today, who could afford a mainframe server in the 70s to test its security? You can easily afford something that is used as a server on the internet these days. Hell, you can install the relevant software on your machine. Or use one of your old machines, it will do as a hack target.

Re:Criminal record == no job (1)

Ihmhi (1206036) | more than 5 years ago | (#28501333)

Remember kids, criminals never make money! Just look at Martha Stewart, 50 Cent, and Don King!

Crackers, not hackers (0, Informative)

Anonymous Coward | more than 5 years ago | (#28495587)

I'm disappointed, Slashdot editor. Everyone here should know that people who break into other systems are crackers, while "hacker" simply refers to anyone with an interest in coding and computer technology.

Re:Crackers, not hackers (1)

GodfatherofSoul (174979) | more than 5 years ago | (#28495861)

I've always thought that distinction was a woeful attempt to separate the negative connotations from the "coolness" factor. The fact is, I'm a coder or a programmer or a software engineer for the initiated. A hacker is someone who hacks out code and I've been forced to work with more than enough of those crappy libraries to embrace the title.

Re:Crackers, not hackers (2, Informative)

Anonymous Coward | more than 5 years ago | (#28495885)

The widely-accepted definition of a hacker is different than your romanticized version of things. That horse has left the barn - you can be disappointed all you want but trust me, you're only bothering yourself with it.

I bet you insist on GNU/Linux, too.

Re:Crackers, not hackers (2, Interesting)

CaptainJeff (731782) | more than 5 years ago | (#28495889)

I'm disappointed, Slashdot reader/commenter. Everyone here should know that the meaning of the word "hacker" has changed over time and evolved to mean, most of the time, what "cracker" means. Word definitions change over time and this word has been assimilated with a new definition, accepted by the majority of the English-speaking world. If you want to hang on to the cracker vs hacker definitions, feel free. But most people have moved beyond this.

Plus, your definition of "hacker" is off anyway. In the classical sense, "hacker" means someone who experiments and gets something to do something it was not intended to do. Doesn't have to be code, doesn't have to be a computer, doesn't have to be anything in particular. The original targets/subjects of the earliest "hacking" (largely out of MIT) were the phone system, not programs or computers.

Re:Crackers, not hackers (1)

chefshoemaker (1485151) | more than 5 years ago | (#28496163)

So what if I am white and live in a mobile home in the woods. A Cracker can still be a Hacker. Got the latest and greatest Rent-To-Own Gateway PC Millenium Edition available. You Honkey.

Re:Crackers, not hackers (3, Insightful)

ActusReus (1162583) | more than 5 years ago | (#28495905)

Sorry, but I think it's time to acknowledge that there are some "Wordsmith Wars" that have simply been lost. Moreover, lost about 10-15 years ago. The general public is not going to refer to "Linux" as "GNU/Linux"... not going to use licensing terms like "Libre"... and thinks of "cracker" as a silly racial slur for white people.

general public (0)

Anonymous Coward | more than 5 years ago | (#28500673)

what is their influence on the people involved in the development of the GNU/Linux? I guess a bit less than worth mentioning.

Re:Crackers, not hackers (1)

endymion.nz (1093595) | more than 5 years ago | (#28498295)

People used to say 'computer hacker' because a person was a hacker of computers. When the computer prefix was dropped is about the time that crackers started being called hackers. There are other types of hacking... if you've ever tried to make one good Toyota out of five dead Toyotas, or tried to make a microwave do something it was never designed for, you should understand what hacking is.

Re:Crackers, not hackers (0)

Anonymous Coward | more than 5 years ago | (#28506335)

Listen, asshole- nobody asked you. When I need someone to design a webpage, or some phone monkey who can tell a bunch of senior citizens how to use a certain piece of software, I'll give you a call. But I've intentionally left you out of the loop on this one.

"Hacker" means "cracker," sorry, you lose :\

Software Pirate - IT Professional (2, Interesting)

bigrar (1097909) | more than 5 years ago | (#28495613)

Speaking from experience, it is difficult to get back into the workplace after a battle with law enforcement due to a high-tech crime. It is possible, however. Keep your nose clean and keep up with the industry and eventually you can regain a bit of trust. I am proof that it is possible, as I was once the subject of a Slashdot interview regarding a pretty public piracy case.

Re:Software Pirate - IT Professional (0)

Anonymous Coward | more than 5 years ago | (#28495701)

why do pirates prefer rar, btw? Does it compress a lot better?

Re:Software Pirate - IT Professional (1)

spiffmastercow (1001386) | more than 5 years ago | (#28499827)

no, because it lets you easily split files back in the days before there were a lot of compression technologies to choose from. Also, it has checksums that help when you're trying to correct corrupt downloads via parity files (i think.. haven't used newsgroups in a while)

Quit nitpicking (0, Troll)

Anonymous Coward | more than 5 years ago | (#28495633)

Hacker means cracker, end of story.

That what you call hacker, is just a hopeless virgin.

These days, unethical hacking only leads one place (0)

Anonymous Coward | more than 5 years ago | (#28495643)

Politics.

Not in my experience (4, Interesting)

Anonymous Coward | more than 5 years ago | (#28495735)

I worked at a company who shall remain anonymous. I worked there as their security consultant and was in charge of keeping the systems secure.

I noticed that their systems were insecure. I kept telling them that these things will get hacked, I kept telling them that they are wide open. Did they listen to me? No. They kept going on and on. I worked to patch as many holes as I could, but the system was insecure in itself (things like passwords stored in plain text in MySQL databases, etc.). Fixes I recommended were rejected by management because they would change things from how they were used to, or too expensive, or "but who would want to hack us" responses.

A few weeks ago our external servers get hacked (surprise surprise), and the hacker notifies the company. What do they do? They pay the guy 600 euros per domain (we have a lot of domains) to fix it for us. That dude had the ear of all management, everything he said went, they changed things that I've been recommending to them for months because he said so. And to finish it off, he earned more money in those two weeks working for this company than I did in the last 6 months, to make fixes I've been telling them to do since I got the job.

F*ck it, in future I will just break into computers and then offer them a huge fee to fix them. It seems to pay more to do it that way. The company didn't call the police, just kept it as quiet as possible so word didn't get out.

Posting anonymously for obvious reasons.

Re:Not in my experience (3, Insightful)

fluffy99 (870997) | more than 5 years ago | (#28495853)

Have you expressed this very directly to your management? Perhaps now they will be more receptive to your wisdom. If they aren't, you need to either find another job or recognize that they really don't give a crap and work with what you've got. Otherwise, continuing to complain when they don't care will just get you labeled a whiner, or worse a scapegoat when another intrusion happens.

Re:Not in my experience (2, Interesting)

bvankuik (203077) | more than 5 years ago | (#28506983)

That dude had the ear of all management, everything he said went, they changed things that I've been recommending to them for months because he said so.

I am reading a lot of stuff here that is very recognizable for me as well. The post ends somewhat bitterly. Instead I'd advise you brush up on your social skills and ask your employer in a good man to man conversation why your advice did not hit the mark and what you can do the next time. They might advise a couple of soft skills trainings and will probably be willing to pay for those. You'd probably also get something out of it.

Re:Not in my experience (1)

spinkham (56603) | more than 5 years ago | (#28523137)

Security is risk analysis. If you want your company to make security changes, you need to give the stakeholders the information they need to make decisions, in terms of dollars and cents and probabilities.
I would recommend you pick up a few books like "The New School of Information Security" and "Security Metrics: Replacing Fear, Uncertainty, and Doubt". They do a good job of helping you to see security risk through business eyes.

Me don't like (2, Insightful)

ZouPrime (460611) | more than 5 years ago | (#28495969)

I don't like these articles on hackers becoming security consultants. Obviously it has happened in the past - and the story itself covers well-known examples, but doing information security for a private corporation is so much, much, much much much more than pen testing and other skills typical crackers are good at. In practice, the vast majority of security professionals aren't ex-hackers, and that's a damn good thing.

Maybe it's because I'm actually working in the field, but I really don't like how the media keep bringing back ex-hackers and presenting them as some kind of security gurus, or worse, geek superstars. I don't think it is mature, and I don't think it is healthy. These individuals are criminals, and many have caused thousands if not millions in damages, or forced other people to spend countless hours to fix their mess. No matter how you look at this, this is not cool.

Re:Me don't like (0)

Anonymous Coward | more than 5 years ago | (#28496025)

just stop talking. go back to tweaking group policy or something.

Re:Me don't like (1)

cenc (1310167) | more than 5 years ago | (#28500877)

Several of the security companies' chiefs in interviews flatly say they don't hire hackers. Why? Because they are lazy workers. Not that they do not have talents or experience, but the kind of social background that produces the best of them also produces the worst sorts of employees. It was not about their encounters with the law.

The Right Mentality (2, Insightful)

that this is not und (1026860) | more than 5 years ago | (#28496127)

Security Vendors need people with 'the cracker mentality' to join their ranks. Without 'morally gray' staffers, how could they supply regimes like the ones in Iran and China with the 'tools' they need to operate their repressive regimes? Morally blind nihilists, while not necessarily those to fill the ranks of the Ideologically 'pure' elite inside the regime, will always be a necessary force.

The people that they can't EVER become involved with are the real hackers.

(Cheap) Background checks don't catch everything (0)

Anonymous Coward | more than 5 years ago | (#28497721)

Having been in security since the beginning of my IT career I have seen all kinds of companies. Most SMBs don't do background checks or drug testing. How many people with a hacker background (or any for that matter) are planning on working for a Fortune 100 company as a career goal? As a VP friend of mine once put it, "If I wanted to go through background checks and drug testing I would have gone to work for the CIA or FBI." He refuses to work for any company that does either of those, in the belief that it's not necessary to know those things to hire a person who can do their job, and the fact that it doesn't enhance shareholder value. It's OK to turn down a job on principle. I can also say that having been on the dealing end of the background checks, most vendor companies out there are worthless and you won't get the whole picture about a candidate. Most background checks only look at NCIC and not state or city/county level. If your HR department is paying $50 per person you're only getting the Federal level. If you want the whole picture you'll be paying about $1000-$2000 per candidate for city level screening if you check each and every city and county the candidate has ever lived in. The same goes for drug testing. The DOT accurate drug tests for commercial drivers cost anywhere from $150-$300. The cheap ones cost about $25 for 5 different drugs and aren't that accurate. I complained to someone in HR at a previous company I worked at about wasting the time and money for a drug test that was in all probability inaccurate. I was told that the drug testing was mainly for marketing purposes so the company could say they were a drug free workplace and bid on government contracts. HR had no interest in actually rooting out drug users, as they had no desire to actually find out for sure if anyone had a criminal record, hence the $50 background check. Basically if you didn't smoke weed a few weeks before coming on board you were golden. If you always got into bar fights or simply drive drunk all the time, the company wouldn't know about that either.

You can also be a security consultant without dealing with the equipment directly, which is what a lot of people are concerned with when it comes to consultants. I haven't logged into a firewall or an IDS in 6 years, but I used to develop IDS software early on. Security consulting for a lot of customers involves business process analysis mainly to determine if anything is broken. If you're doing ISO 27001 or COBIT consulting you probably won't be handling any of the equipment, but performing audits and writing project plans for the customer to implement. If a customer asks me to implement the recommendations I'll bounce them to a firm I trust and take a referral fee. If you've ever sat through a security audit with a Big 4 company, they spend most of their time performing interviews with IT staff, they'll shoulder surf or look at screen shots for random items, then charge you a ton of money for not really verifying anything. Most of them are CISA certified, but aren't technical which is really amusing.

There's enough work out there for everyone if you're willing to move to another city or travel for business, regardless of your background. If you're really in bad shape you create your own company and approach clients as a vendor, not an individual. LLC or Corporation filing fees are around $100 and I have yet to encounter anyone in the private sector who does background checks on firms performing work on premises.

I can personally relate... (0)

Anonymous Coward | more than 5 years ago | (#28498207)

I was caught hacking PBXs and calling cards and using them for call backs and call forwarding to facilitate credit card and direct deposit scams in Australia..
I am now generally a profitable security consultant with my own vsp/telco ... but that transition took over 10 years to complete and is not a journey I would recommend for anyone either. There are much easier and quicker ways to get here... put it that way....

former hackers? (1)

plnix0 (807376) | more than 5 years ago | (#28500263)

CNet has a series of interviews with former hackers

If they're only former hackers, then they're useless as security consultants.

Re:former hackers? (1)

thenextstevejobs (1586847) | more than 5 years ago | (#28501107)

If they're only former hackers, then they're useless as security consultants.

Well, most people choose to avoid divulging that they're high tech criminals on a television show. Just an idea...

Re:former hackers? (1)

plnix0 (807376) | more than 5 years ago | (#28504961)

Well, most people choose to avoid divulging that they're high tech criminals on a television show. Just an idea...

Why bother? We're all criminals now, aren't we? That's what modern law is for.

On the other topic, if they really are former hackers, their employers must have been disappointed when their new employees showed up and no longer cared to know how their systems worked.

Black hat behavior is not necessary (1)

alcourt (198386) | more than 5 years ago | (#28502773)

A common theme of a lot of the replies seems to be that black hat behavior is the only way to learn computer security. Far from it. I don't need to have broken into an insecure network connection without permission to understand the problems of sending passwords in the clear. Often, it takes a little imagination, a bit of reasoning, and a bit of technical skill -- the same skills I often suggest for system administrators.

The best security analysts I've worked with are so strictly white hat that they've managed to get policies in place that prohibit black or gray hats from working in security in the companies I've been in. Is it perfect? No. Some people managed to mostly hide their historical black hat behavior. Once it was learned, a quiet black mark was placed against them and they were gently eased away from security work. There are enough good security professionals who have no history of breaking into computers without permission of the owner to fill the jobs requiring that level of technical skill.

Re:Black hat behavior is not necessary (0)

Anonymous Coward | more than 5 years ago | (#28549479)

This doesn't mean they actually know anything, it means those sysadmins have been lucky enough to not get caught.

Or they actually know something.

The fact is, many 'sysadmins' know jack about the systems they are running, then they cry crocodile tears when people who are competent and do understand security are hired to fix up their messes.

You know who these people are? Security 'consultants' - if these 'rule-abiders' could think outside the box a little bit, to use a tired idiom, they might actually make half-decent security personnel. However, because of limited imagination, they are not.

This is stupid (1)

stanjam (1057588) | more than 5 years ago | (#28503669)

Why in the world would you hire someone who got "caught" hacking to do your security? There are plenty of people out there who know security but don't have a record of taking a company's information. Even most of the people who "hacked" didn't steal information, just got into stuff to see what we could do. Yet companies are hiring these people. Unbelievable. Like most things, the best never got busted, and many of them do security now. Let me tell you, it is a whole different game nowadays.

Re:This is stupid (1)

nhytefall (1415959) | more than 5 years ago | (#28504167)

I agree. Anyone who breaks/broke/will break into a closed/open system without authorization... is a criminal, and should be treated as such. To say one didn't "steal information", and therefore they are golden little poster child... is a liar. Entering a system "just to see what we could do" is the same concept as breaking into a Best Buy when they left the back door open, and just looking around at the pretty televisions. Just cause you don't take anything, doesn't mean that a crime has not occurred.

Re:This is stupid (1)

plnix0 (807376) | more than 5 years ago | (#28504983)

I agree. Anyone who breaks/broke/will break into a closed/open system without authorization...

Ah, but an open system is authorization.

Re:This is stupid (1)

nhytefall (1415959) | more than 5 years ago | (#28509873)

Really? Where did you come up with that brilliant idea, the movie "Hackers"?

I doubt that, in the legal sense, you could classify an "open" system as authorization to access said system.

By that definition, me running an unsecured wireless network and you accessing it is "authorization", however, the truth of the matter is you are trespassing on my real property.

If I leave my back gate open, and you walk in, you are still trespassing.
Accessing an "open" (and I use that term loosely) system... is the same thing.

Accessing ANY system without authorization of those that own said system, is still criminal. No matter how you may try to spin it.

Re:This is stupid (1)

plnix0 (807376) | more than 5 years ago | (#28536761)

By that definition, me running an unsecured wireless network and you accessing it is "authorization", however, the truth of the matter is you are trespassing on my real property.

I'm not trespassing on your real property when I'm on a public road in front of your house using your wireless signals which extend off your property. In fact, if I'm your next-door neighbor and your wireless signals reach to my property, there's a stronger argument that you are trespassing on my real property by allowing your electromagnetic signals to enter my property.

If I leave my back gate open, and you walk in, you are still trespassing.

The 'physical access' metaphor is a useful shortcut in some circumstances, but extending it to questions of ethics and morals is stretching the metaphor too far. The metaphor may do more harm than good by making it so easy to confuse and conflate the two concepts.

Re:This is stupid (1)

nhytefall (1415959) | more than 5 years ago | (#28536987)

To quote:
"I'm not trespassing on your real property when I'm on a public road in front of your house using your wireless signals which extend off your property. In fact, if I'm your next-door neighbor and your wireless signals reach to my property, there's a stronger argument that you are trespassing on my real property by allowing your electromagnetic signals to enter my property."

If you are on a public road in front of my house, then yes, you are physically located on public property. But (and this is the important part, so pay attention), as soon as you step one inch (including connecting to an access point originating on my real property)... you are trespassing. In addition, since you are using bandwidth you are not paying for, nor have authorization to use... you are committing larceny as well.

Not only is the 'physical access' metaphor valid, it also extends to the theft of services (in this case, bandwidth), not owned, nor paid for, nor authorized for your use, by you. Like it or lump it, I care not which, wardriving, bandwidth theft, and accessing systems (closed or not) for which you do not have explicit rights to use, is still illegal.

Re:This is stupid (1)

stanjam (1057588) | more than 5 years ago | (#28505519)

I would agree. It isn't legal OR ethical to break into any system, I just wanted to post a difference between groups. There were a lot of people in the 80s who did this type of stuff. There were those who stole, and those who explored, but who did not want to steal or cause damage. Both are against the law, but there are significant differences between these groups of people. I would be much more likely to hire the person who explored a bit in his youth, but maintained at least the moral and ethical code enough to not cause damage. At any rate, there are plenty of trained security professionals nowadays who do not have a history of criminal behavior. While I might listen to a reformed criminal about how he did what he did so we can create adequate defenses, I think hiring one to protect your systems is just plain stupid. There are plenty of better choices. I have my masters in IA, I teach IA. Why wouldn't you hire someone trained in IA, and who has the ethics to be trusted? Instead you would choose to hire someone with a criminal background who has stolen information in the past? If it works, great. If it doesn't, well, you will be exposed as a fool for hiring them! Would you hire a bank thief to protect your vault at night?

Re:This is stupid (1)

nhytefall (1415959) | more than 5 years ago | (#28509879)

Once a thief, always a thief.

PMP (1)

itomato (91092) | more than 5 years ago | (#28510313)

A Hacker with the proven ability to create and execute a project plan should be seriously employable.

Know what pieces overlap, understand how they impact the business, and what it takes to get from A to Z.
