Slashdot: News for Nerds

Would You Hire a Former Black Hat?

Cliff posted more than 7 years ago | from the second-chance-career dept.


Mark Zenson asks: "Understanding the mindset of a hacker and the likes of one may be useful to counter security attacks, but apparently companies still object to hiring former, or even reformed, black hats." The article asks this question of several executives in the industry, and for various reasons many of them were skeptical of the idea of hiring such people. Would you give black hats a second chance if you were in their position?


290 comments

It All Depends on Their Maturity (4, Interesting)

eldavojohn (898314) | more than 7 years ago | (#16252845)

Would You Hire a Former Black Hat?
Depends, if I'm a manager at McDonald's, you bet your ass I'd hire him. Anti-social nerds make the best french fries.

But on a more serious note, I would hire anybody as long as they have the right personality. That's right, I've seen it happen too. People who don't know anything about computers are working in corporate America as programmers. They are one trick ponies and it would take me a few minutes to show others how to do that one trick. The questions I need answered are:
  • Can they work with people?
  • Can they dress well?
  • Do they shower?
  • Are they capable of staying after normal work hours every now and then to see to something getting finished?
  • Are they sensitive to other people and their surroundings?
If you answered "yes" to all these questions, you too are a potential "team member." In any business. Degrees help but are not required.

Judging by the stereotypical picture of a black hat that the media has given the public, I would guess they wouldn't pass the first bullet above. Judging by the few that I know, they are risks but at some point straightened up and are valuable employees to their companies. You just need to assess whether or not they've figured out that a steady source of income is way more rewarding than having "VIODENTIA RULEZ #1" spray painted on the RIAA's website once a year. And that "selling out" isn't really "selling out" but devoting some of your time to a large project in order to better your circumstances the rest of the time. If they're past that point, then you've got a potential for a great employee.

What's unfortunate for black hats is that there is a wealth of solid programmers from America, India and Russia (if they can make it here) who are more than willing to do anything. On top of that, they have no criminal background. So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

Re:It All Depends on Their Maturity (2, Insightful)

ericspinder (146776) | more than 7 years ago | (#16252953)

How about the one thing that truly distinguishes 'black hats':
  • Has a known history of fraud
A big salary doesn't mean honest living. The question wasn't if they could work in their general business, but top positions in security related IT jobs. Sure several years ago the most experienced security experts were reformed criminals, but these days training is available which doesn't eventually require a lawyer.

Re:It All Depends on Their Maturity (4, Insightful)

D-Cypell (446534) | more than 7 years ago | (#16253283)

I am not sure a "history of fraud" defines a black hat (according to my definition anyway).

Having worked with some people from this kind of background I would say that having them around in any kind of hi-tech start-up is a genuine asset. High IQ comes with the territory and I have also found that uber-geeks (as most dedicated black-hats are, by default) have a deep pride and sense of ownership in their projects. I think that 'black hat' behaviour is more about ego than they would like to admit, and egos can be good if they make the owner strive to make their project the best out there.

There definitely will be a few assholes that try to screw you over, but I am not sure that it is fair to say there are more of these people in the 'ex black-hat' community than in the general population.

Re:It All Depends on Their Maturity (5, Interesting)

networkBoy (774728) | more than 7 years ago | (#16253767)

I was about to say something similar, but instead I will expound on your post.
I am a former "black hat" as the media would portray it. While I never did anything knowingly illegal for profit, I do/did hack systems for entertainment.

I was employed by a small company where I rapidly rose to the position of being a network admin for a lab that dealt with Ethernet equipment and components. Some of our gear was capable of generating arbitrary data frames (source/destination IP & MAC address, any length up to 20 Kbyte (IEEE spec is 1518 bytes), any interframe gap down to ~4 ns (spec 9.6 ns)). So to say that the network took a punishing when some dimwit plugged the test side of the gear into the support network is a gross understatement (said support network was directly connected to the corp net, which went down when this happened).

I was given a budget of a few tens of grand, a spare Cat7K router, and told to "make it work", so I did. I got to hack myself silly doing that job and maintaining the network. Just before we were sold, that lab had ~400 nodes of well mixed clients with hostile traffic patterns and I was able to maintain connectivity.

The key to keeping me from hacking the company's assets was to keep me busy. Safe to say I bet the same goes for any others of my ilk.
In my new company I have the Hacker Credo up on my office door. Just took the Hacker Credo label off it. Everyone thinks it's the best statement since sliced bread. They're blown away when I tell them what it is. My management knows I'm a hacker, my peers know I'm a hacker. My IT department is less than loving of me (as I've modified their standard Windows build to suit my needs) but they know I'm a hacker and they tend to let me be.

Basically it all boils down to the following fact: I presented that I'm a hacker in my interview. I presented samples of my work. I was hired. This in a company of ~80K employees. My boss's-boss's-boss's-boss knows me by name. When we have a really sticky technological customer issue, I seem to get tapped fairly predictably. From manually re-balling a 72-ball BGA part to hacking a mouse such that when an LED on a customer design turns on the logic analyzer will arm, I do it all. My best asset is my inner hacker.

-nB

Re:It All Depends on Their Maturity (3, Funny)

ajohn505 (1007097) | more than 7 years ago | (#16254059)

Man, you are really badass.

Re:It All Depends on Their Maturity (4, Interesting)

Vicissidude (878310) | more than 7 years ago | (#16253785)

Exactly. Law enforcement has asked the same question since the time of the first criminal and the first sheriff: Can you trust a former crook to enforce the law?

In law enforcement, they came to the conclusion long ago that the answer is no. Besides all the other qualifications for a police officer, they can't have a criminal record. In fact, they are required to pass a 300-question polygraph to make sure that they haven't committed any crimes in which they haven't gotten caught. Further, if a candidate fails a polygraph, the police can investigate and decide to press charges or just blackball you from any chance you have at getting a job with any other police agency.

That happened to one of my friends who applied for a police officer position here. His offense? As an 18-year-old high school senior, he dated and had sex with a 14-year-old female freshman. It was completely consensual, but the police investigated him for statutory rape. Because of that, he was blackballed, he would never become a policeman, and his 2 years of police academy were completely wasted.

Police know that if you've broken the law once, even if you weren't caught, then you're likely to break the law again. OR, like the case of my friend, you're not likely to enforce the laws that you broke. (In his case, the statutory rape law.)

It's the same thing with these black-hat hackers. I wouldn't trust them in top positions in security related IT jobs or in less-sensitive general business jobs.

Re:It All Depends on Their Maturity (2, Interesting)

thrashaholic (995412) | more than 7 years ago | (#16254015)

It should go both ways, if a cop breaks the law (almost every beat cop breaks the law daily, I assure you), they should never be allowed to work in law enforcement again.

Most times, however, they are reprimanded and sent on their merry way. Hell, breaking the law is all part of the job for most cops. Illegal searches, illegal profiling, illegal traffic maneuvers, illegal harassment, etc. When's the last time you saw a patrol vehicle doing the speed limit, or setting up a speed trap?

(Of course, I'm of the frame of mind that if a cop so much as litters they should be fired, no excuses.)

It's the same thing with these black-hat hackers. I wouldn't trust them in top positions in security related IT jobs or in less-sensitive general business jobs.

That's a pretty harsh attitude, considering that most of these CxO's also constantly break laws.

I wouldn't trust them in top level positions off the bat, but I don't think breaking some stupid DMCA-like law when you were 15 should preclude you from getting a general business job in your 20s. I mean, everyone's stolen something in their life time, admit it or not. Should nobody be allowed to work?

Re:It All Depends on Their Maturity (5, Insightful)

russ1337 (938915) | more than 7 years ago | (#16252987)

Are these big companies likening it to hiring a reformed bank robber as a teller, or a paedophile as a teacher?

Anyway, I thought the biggest part of being a 'black-hat' was to keep your online identity COMPLETELY SEPARATE from your real life ID... A big company should have no idea they've employed a 'former' black hat - at least if they were any good at it. If they got caught then he/she might not have the attention to detail you require for an employee in that field.

Re:It All Depends on Their Maturity (1, Offtopic)

TubeSteak (669689) | more than 7 years ago | (#16253139)

Either way, if the black hat is that good, but still risky, you can get insurance for that kind of thing.

You'll always see adverts for "Bonded/Insured"
http://www.answerbag.com/q_view.php/37146 [answerbag.com]

"BONDED - A bonded company has secured funds (controlled by the state) that are available for consumer's claims against the company. This money is directly available to you for various reasons as controlled by a state agency. [ depending on your state ]

INSURED - If the unspeakable happens, it's important that the contractor or company has insurance. In some cases, such as an injury: you as a home owner could be held liable - if the company has no insurance. [ depending on your state ]"

Replace "company" with "person"

Re:It All Depends on Their Maturity (1)

Neil Hodges (960909) | more than 7 years ago | (#16253259)

Usually pedophiles are hired as teachers before their employer knows, so you never know about those teachers.

Re:It All Depends on Their Maturity (4, Insightful)

Fulcrum of Evil (560260) | more than 7 years ago | (#16253631)

I'd hire a reformed bank robber to do a pen test on my bank, which is really what they're talking about.

Re:It All Depends on Their Maturity (4, Insightful)

ePhil_One (634771) | more than 7 years ago | (#16252991)

So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

My question is, why would they know of their "Black Hat" exploits? I have to admit I've skipped applicants who admitted to "hacking" in a black hat context (not "I sniffed my neighbor's WiFi to get free internet", but "I hacked into a potential employer's network and explored"). It shows an inability to set bounds and a lack of understanding of appropriate/inappropriate. I'd rather have lower skills that I can trust over high skills that might be working against me.

Re:It All Depends on Their Maturity (5, Insightful)

sgt scrub (869860) | more than 7 years ago | (#16253121)

My observations as an old person by definition using your rules:

        * Can they work with people?
        * Can they dress well?
        * Do they shower?
        * Are they capable of staying after normal work hours every now and then to see to something getting finished?
        * Are they sensitive to other people and their surroundings?

Black Hat Hacker.
I am clean, charming, well dressed, always working, and my sensors are constantly monitoring people and places. I'm also perfectly cold and capable of taking every coin you own and are capable of borrowing. I will do this using my clean, charming, well dressed, and sensitive persona.

White Hat Hacker.
I showered today because I wasn't up all night playing WoW. Jeans, T-shirt, piercings, tattoos, uncombed long hair and beard are my personality, get over it. People are either cool or annoying. I try not to be around too many of them at one time but there is nothing wrong with that. Most of my friends are on IRC and WoW anyway. As long as I bang out enough code to meet my boss' requirements I'm golden.

Re:It All Depends on Their Maturity (1)

Frosty Piss (770223) | more than 7 years ago | (#16253309)

Jeans, T-shirt, piercings, tattoos, uncombed long hair and beard are my personality, get over it.

Offensive to the eyes and ears is 100% as bad as not showering. If you offend my other employees, I don't care how "golden" your code is, I can find someone whose code is just as "golden", and doesn't offend my other employees.

As long as I bang out enough code to meet my boss' requirements I'm golden.

Don't lose that job then, you may not find another like it.

Re:It All Depends on Their Maturity (1)

AuMatar (183847) | more than 7 years ago | (#16253583)

If your other employees are offended by jeans, t-shirts, tattoos and piercings, the problem is with the other employee, not the coder.

Re:It All Depends on Their Maturity (5, Interesting)

msuzio (3104) | more than 7 years ago | (#16254053)

Exactly. The parent opinion is, in all seriousness, completely absurd. Get with the program, buddy, that's not how it actually works.

I'm at a stellar company, one of the best in its field. So good, in fact, that next month we're due to be acquired by one of the largest corporations in the world, because they want what we can deliver. Yippee for us, I know, but it still points out: we're not a bunch of moronic slackers.

I look around me at my fellow workers, all of whom bust their asses day in and day out to get the job done. I see plenty of the above marks of "offense". Somehow, we manage to be competent, well-mannered, hard-working people. Who just happen to (in many cases) be wearing jeans, t-shirts, and have tattoos/piercings.

Maybe I'm just offended because right now, I've got all of the above. The whole wardrobe is black. My cube might have action figures and big pile of "alternative" music CDs in it. Oh, and I shave my head. Some people might think I'm a bit strange, although I myself think I'm relatively mild overall.

Regardless, I'm also among the absolute best programmers you will ever find. Seriously. It's 8pm, I've been here since 9am, and I'm not going to leave tonight until this particular bug is squashed. I'm dedicated, smart, and I love my job. Also, when I'm not here, I sometimes put on a suit and teach motivational speaking and personal growth courses. I blend in as well in that venue as I do when I'm out at the local bar filled with people in fetish gear and sporting more piercings in them than Custer on his worst day. The first impression in any of these places doesn't convey the totality of who I am, and most people who are open-minded enough to get to know me realize I've got a lot to offer.

So, sorry, buddy. I can find people who wear nice suits at any business school. Good programmers, who work their asses off and love it? Not so easy to find, and so long as they are willing to be a team player, they're a welcome addition to the crew.

Re:It All Depends on Their Maturity (3, Informative)

SageMusings (463344) | more than 7 years ago | (#16253763)

A stylish wardrobe is not a reliable indicator of a good worker, especially when we are discussing developers. I myself prefer black T-shirts and cargo pants. I also wear boots because I motorcycle into work. Does that mean my code, productivity, or relations with my co-workers suffers? So far, everything has been smooth.

We have plenty of the "dockers" crowd and even a few that wear a suit once-in-a-while. They are usually not technical types and their worth to the organization is certainly not any higher than mine.

When I was interviewed, two of the interviewers (developers) had actually worn shorts (not the norm but allowed) and asked me if I minded a laid-back environment. I knew then I was in the right place.

Re:It All Depends on Their Maturity (1)

lubricated (49106) | more than 7 years ago | (#16253973)

>> When I was interviewed, two of the interviewers (developers) had actually worn shorts (not the norm but allowed) and asked me if I minded a laid-back environment.

Spoken like a true northerner.

Re:It All Depends on Their Maturity (0)

Anonymous Coward | more than 7 years ago | (#16254045)

Jeans, T-shirt, piercings, tattoos, uncombed long hair and beard are my personality, get over it.

Working at a gas station is your destiny, get over it.

Refusing to show the most basic consideration for the appropriate is gross disrespect towards those around you. It's not about what YOU want 24/7. If you expect to be treated with respect, you have to give it to others. Until you grow up and learn that you'll always be banging out "enough to get by" and living from check to check. Someday you'll want more.

Re:It All Depends on Their Maturity (4, Insightful)

ObsessiveMathsFreak (773371) | more than 7 years ago | (#16253227)

* Can they work with people?
Fair enough. If my job requires me to be a part of a team, it's reasonable to ask that.

* Can they dress well?
Oh Gods. It depends on what you mean. If you mean my normal attire is that uncomfortable garish dandy's outfit known as a three piece suit, I'll have to say no. The apparel oft proclaims the man, and I generally don't choose what clothes to wear based on what everyone else deems appropriate. If you need me to meet customers, I suppose, but for God's sake why are you making me wear a shirt in my cubicle? Would anything else make you feel uncomfortable somehow?

* Do they shower?
This is reasonable. If you're going to ask me to do this every morning unconditionally, I'm going to have to say that if I choose the odd Tuesday or so as a "wash the bits" morning and you take offense, you're standing too close inside my bubble.

* Are they sensitive to other people and their surroundings?
Of course I am! You'll never see me do or say anything inappropriate. Oh, wait. Do you mean by sensitive that I must take time away from my job to engage in vapid conversation to make insecure coworkers feel better? Must my meetings and greetings be peppered with trite reassurances and shallow smiles? Must I waste precious minutes of my life decoding and responding precisely to oh so many unfathomable and illogical social nuances, walking a tightrope of peril with each word I utter lest someone take grievous and irremediable offense at a misplaced clause or syllable? I'd rather just, you know, work.

* Are they capable of staying after normal work hours every now and then to see to something getting finished?
Oh, that kind of job. Sorry, despite what the above might lead one to infer, I do in fact have a life. Or at least, enough of one not to waste it patching up someone else's mistakes.

Re:It All Depends on Their Maturity (1)

canuck57 (662392) | more than 7 years ago | (#16253473)

So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

Not really much to think about. I would not hire a person at McDonald's if they were convicted of stealing, especially cash.

So why would I hire a talented, but on the dark side black hat? So he can quietly rootkit my computers? As you mentioned, there are plenty who know how to hack but don't cross the line, those are the real rounded talent you want.

Re:It All Depends on Their Maturity (5, Informative)

Amoeba (55277) | more than 7 years ago | (#16253531)

What's unfortunate for black hats is that there is a wealth of solid programmers from America, India and Russia (if they can make it here) who are more than willing to do anything. On top of that, they have no criminal background. So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

eldavojohn, I was agreeing with everything you said up until this point. I'm the moderator for the SecurityFocus penetration-testing mail list and the CTO for a security firm specializing in pen-testing. At the level of skill I'm talking about there is no "thousand other people... and meet the basic qualifications" but a very limited number. That fact alone allows for some wiggle room for companies looking for candidates with a rare high-level skill set. Would I hire someone with a blackhat background? Sure, if they met the criteria you outlined above and played at the level I'm looking for, because there aren't that many candidates out there looking for work.

Of course, while I would hope the decision would be a sound one I'd remain wary as it *is* risky... but people can change or grow up. Anyone who has been in the security industry for a good length of time has some skeletons in their closet. I was not always a lily-white scion of responsibility *cough*... but I grew up. Had the mistakes of my youth precluded me from working in the industry I might have turned out to be a very well-dressed, sensitive, thoughtful, extremely hireable burger flipper.

Re:It All Depends on Their Maturity (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16253725)

I think that the term 'blackhat' is fairly silly.

I prefer to think in terms of 'criminal activity' - where crime is subjective.

Monetary gain would be the primary differentiating factor here. Any form of credit card fraud, blackmail or other criminal/anti-social activities would be an instant 'no hire'. A blackhat who thought it would be '.. just cool to hack into NASA' and actually did - hire the guy. Now.

You can't benefit financially from breaking into NASA. You can't be out for revenge on something or other. The only possible motivation (unless you believe in aliens-controlling-mankind-etc) is 'because it looks like a challenge'. Just consider the knowledge you'd have to acquire to even start on something like this. People like that (and there are not many of them) you can put on all kinds of complex projects.

Also, a 15 year old messing with telco infrastructure is just a teenager doing what teenagers do. A 35 year old guy doing the same thing (and getting caught..) is a completely different matter.

Motivation and maturity are the key factors.

That said, I wouldn't even bother interviewing an applicant for a technical security position if they couldn't describe the implementation of a basic stack overflow exploit. If you don't understand stack structures - you shouldn't be in the technical security business.

(FYI I have worked on the sharp end of security in the ISP and financial sectors - not working there now, thank $DEITY)

Re:It All Depends on Their Maturity (1)

Rakishi (759894) | more than 7 years ago | (#16253863)

Can they work with people?
Are you capable of hiring a manager who can keep the stupidity of your company from reaching me? Are you capable of hiring managers who can deal with the team members and keep sanity or is that going to be my implicit job?

Can they dress well?
If you mean clean jeans, t-shirt and sneakers (optional in the coding area itself) then yes otherwise no. At best you get slacks, polo shirt and nice looking sneakers. That is unless the job involves dealing with other companies or people in which case proper attire only for such meetings.
Are they capable of staying after normal work hours every now and then to see to something getting finished?
Are you capable of paying me for it and/or otherwise compensating me? Are you capable of keeping this a rare event and hopefully one whose date is known in advance?

Are they sensitive to other people and their surroundings?
Are you capable of hiring people who aren't incapable of living outside an emotional bubble?

Being Offered a Job as a Black Hat (1)

c0d3r (156687) | more than 7 years ago | (#16252875)

How do you respond to a job offer as a black hat? I wonder what the NDA looks like.

Do you have a choice? (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16252887)

What self-respecting blackhat would admit to being one in a job interview?

Summary (2, Insightful)

skwang (174902) | more than 7 years ago | (#16252893)

Trust is hard to rebuild after others lose their trust in you.

Re:Summary (3, Insightful)

Anonymous Coward | more than 7 years ago | (#16253779)

But even harder to rebuild once you lost your trust in other people.

Trust goes both ways, it's a mutual phenomenon, not singularly subjective.

Trust is gained or lost through the fostering of a secure relationship or by the abuse of the relationship, it does not exist a priori or in isolation.

Understand this psychology and you are closer to understanding the "black hat".

I am always shocked at the shallow treatment the words "hacker" and "blackhat" get on Slashdot, supposedly a bastion of that very "outsider" culture. Maybe you're all fakes who just give it lip service to fit in somewhere.

As it stands, in the current commercial employment environment, the employee still takes a far greater risk and is more vulnerable to abuse than the employer. The employer wants it all on a plate with a spoon, to own your life and soul. You don't need to be a "blackhat" to find yourself in a situation where industrial sabotage is the only leverage you have left. I'm sure the words "disgruntled employee" have some resonance there.

The question is therefore rhetorical, since no blackhat would be applying for a commercial job if they were not already outside the abuse/mistrust mindset.

Personally, I'd hire a confessed blackhat on their skillset alone, but then make a big point of overseeing their psychological/spiritual wellbeing, their happiness and fulfilment, in other words treating them with respect. Treating people with respect is the very thing most large organisations are incapable of doing and therefore why they should not hire blackhats. It's a clash of ideologies and an accident waiting to happen.

So dont tell them (5, Interesting)

ninja_assault_kitten (883141) | more than 7 years ago | (#16252895)

I'm an ex-blackhat who's been working the security space for over 10 years now. My employers only know about my work experience; nothing prior to that. I'm very good at my job, I'm passionate about security, that's all that matters. As long as you're a blackhat who doesn't have a criminal record, you'll likely get a lot more value out of them than a cert crazy white hat who got into security cuz it's "cool".

Re:So dont tell them (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16253003)

You're old enough to have been in the industry 10 years, yet you still say 'cuz'? I smell script kiddie...

Re:So dont tell them (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16253375)

Good spot. My first reaction was "Oh yeah, I saw that movie too. The one about hackers." I don't buy into his hardcore, ex-blackhat hacker identity. Assuming he even had a computer 10 years ago, and is not in fact a teenager now, in 2006, then I'm sure he was just win-nuking unpatched windows 95 boxes, or even just swearing at people on IRC. In any case, he was probably just some malicious, punkass kid and not someone even remotely clever enough to realize any gains from his activities. The latter class of person is hard to come by, the former is not. Either way, he's a douchebag.

To give some credence to his claim, blackhat hackers often do what they do strictly for acclaim. That seems consistent with this guy's desire to step forward and identify himself as an ex-blackhat for some belated fame. Isn't that what blackhats crave more than anything--a bigass e-penis? Soooooo unimpressed.

Re:So dont tell them (0)

Anonymous Coward | more than 7 years ago | (#16253385)

isn't this the reason why most black hat's got into what they're doing, they think it "cool"?

Re:So dont tell them (2, Interesting)

crashelite (882844) | more than 7 years ago | (#16253557)

I would have to say any black hat is about 10K times more qualified than most white hats due to the fact that black hats will have more experience. Why, you may ask? Because they go where they're not supposed to, DUH! A white hat is limited to the variables they set up and are able to access; black hats can access any variables because they are not limited by the light, only by their will and how protected they think they are from getting caught. Internet cafe with a CD or flash bootable version of (insert OS here, most would be Linux) on a terminal and no cameras in the cafe, then they're pretty secure, as long as no one notices. But a home computer with no firewall, no proxy, nothing at all, just directly attacking an NSA server, then that is where we call it just plain stupid...

Re:So dont tell them (3, Informative)

Anonymous Coward | more than 7 years ago | (#16253615)

I'm also an ex-blackhat. Back in the day I stayed up late, did my thing, learnt a lot. It was never malicious really, but definitely blackhat. I was a curious guy, who didn't have much of a sex life. Getting a sex life was good, but so is curiosity - find a direction for it.

These days I've got degrees, run a security company and have hired several people I knew from the scene who are excellent programmers, professionals, can wear a suit etc. I have also hired several that I suspect were blackhats in the past.

I look for good workers. I test their technical skills in the first interview (via a technical test) and then try and ascertain if they are a dedicated worker.

Would I want an untrustworthy snake, just trying to steal from my business working for me? No. But you can find those in the accounting profession just as easily as computing probably.

Hire smart people, give them responsibility - be loyal to them and expect loyalty.

Sure, I've had to fire people cause they're slackers - but everyone I've hired from the scene is dedicated, loyal, smart and hardworking.

I agree though. Keep your mouth shut, show your skills, curiosity and drive. Things I learnt in the scene have taken me a long way.

Re:So dont tell them (2, Interesting)

ninja_assault_kitten (883141) | more than 7 years ago | (#16253843)

Well put.

of course I would (5, Funny)

EllynGeek (824747) | more than 7 years ago | (#16252899)

If I worked at Hewlett-Packard.

It depends. (2, Insightful)

onion2k (203094) | more than 7 years ago | (#16252923)

Would you give black hats a second chance if you were in their position?

It depends on the job they were applying for. Someone who has proven their ability to ignore the law in the past can no longer be trusted in a position of responsibility, therefore I wouldn't give them a job in any role that required any amount of access to business critical systems or information. I might be willing to hire one as a code monkey to churn out boring stuff that could easily be audited, but even then only if there were no other suitable applicants.

It sounds harsh, but my job, and the jobs of my colleagues, are more important than giving someone else a break.

Re:It depends. (2, Insightful)

Cheapy (809643) | more than 7 years ago | (#16253679)

"Someone who has proven their ability to ignore the law in the past can no longer be trusted in a position of responsibility"

So I guess if I went over the speed limit I could never be held responsible again? I mean, that is ignoring the law.

Re:It depends. (1)

Anonymous Psychopath (18031) | more than 7 years ago | (#16253979)

That's a bit out of context, isn't it? And anyway, people who are hired to drive for a living can and do lose their jobs for moving violations. So the answer to your question is yes, in the context that your job involves driving.

All that being said, if I were hiring someone to drive I wouldn't care if they were a black hat.

If I were hiring someone to work on my IT systems, I would care very much and would probably take any other qualified candidate over a known black hat.

Re:It depends. (5, Insightful)

jlarocco (851450) | more than 7 years ago | (#16253809)

I might be willing to hire one as a code monkey to churn out boring stuff that could easily be audited, but even then only if there were no other suitable applicants.

Yes, that's exactly what you want. A *bored* (ex)black hat hacker.

Depends... (1)

jjohnson (62583) | more than 7 years ago | (#16252967)

How hard is it to hire similarly qualified people who *weren't* blackhats? If the only difference between two candidates is that one has a felony record, it's not a hard decision to make. While it may look to the blackhat like it was solely his record that prevented him from getting the job, it's really the fact that he's not that rare a commodity.

Script kiddie vs Hacker (4, Insightful)

khasim (1285) | more than 7 years ago | (#16253205)

If the only difference between two candidates is that one has a felony record, it's not a hard decision to make.

Not only that, but also what they were doing during their "black hat" phase.

Running scripts you've downloaded to scan for default passwords on websites so you can post that you've "pwn3d" their site ... yeah, that's going to go real far in the interview.

On the other hand, knowing enough about TCP/IP to crack servers with an injection routine that you've written ... that would go VERY far in the interview for the right job.

Script kiddies are a dime a dozen. And their "knowledge" is just about useless in the corporate world. What else do you have that's better than I can find elsewhere without the issue of your past behaviour?

The same with social engineering attacks (unless you're hired by HP to investigate leaks).

Real hackers, on the other hand, are extremely valuable not only for the technical skills they've built up, but also because they're driven by problem solving and they are more than happy to get down to the metal.

Re:Script kiddie vs Hacker (2, Interesting)

jjohnson (62583) | more than 7 years ago | (#16253297)

This is a good point--how many people fairly labelled as blackhats are real hackers in the best sense of the word, vs. getting caught at something stupid and easily downloaded from a l33t site?

In fact, if someone was actually a blackhat, it would tend to count against them in my mind as a capable hacker because it implies that they got caught.

Takes one to know one. (4, Insightful)

b4jts (816849) | more than 7 years ago | (#16252975)

Takes one to know one, I suppose. Looking at what Frank Abagnale [wikipedia.org] did to improve security against bank fraud, I'm sure that a 'black hat' turned good could be of some use to a company.

No. (0)

Anonymous Coward | more than 7 years ago | (#16252977)

If you know he was a blackhat hacker, he can't be that good. Combine with trust issues and the answer is a clear No.

Depends on the history (1)

DeepCerulean (741098) | more than 7 years ago | (#16252983)

If their "black hat" days occurred when they were 16 and curious, what's the problem? If it was after High School, I doubt it.

Let's be realistic... (4, Insightful)

creimer (824291) | more than 7 years ago | (#16252985)

If the company is going to be ripped off, it will probably start in the boardroom as upper management are granted perks that they shouldn't have. One company I worked for is on the road to bankruptcy but the company is still paying for the CEO's $200K/year New York City apartment. This is the same management that banned free soda when they figured out that employees were taking a can or two home. Go figure.

Hire a black hat? (2, Insightful)

xymog (59935) | more than 7 years ago | (#16253027)

The situation is analogous to hiring a former embezzler as an accountant, and the answer is always, "It depends." The burden is on the former black hat to establish credibility and trustworthiness. The potential employer also needs to be aware of scenarios where the former black hat can still be a valuable, contributing employee.

I might not... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#16253035)

I might not hire a former BlackHat. However, Microsoft did when they hired me. Not quite as black as many hats out there these days, not making bot nets and selling them, or forming open FTP servers for all sorts of horrible stuff, but discovering vulnerabilities and sending them to folks other than the makers of the product.

Blackhats aren't all shut-ins, as one comment on this thread already posted. The trick is finding those who went blackhat because it was more fun, and had more chances to dig deeper into things than going whitehat would have.

Now, how sad would it be if I forgot to check to post AC?

The 80's are over (2, Insightful)

l0ungeb0y (442022) | more than 7 years ago | (#16253043)

Back in the day when networks were new and few people had the in-depth understanding of what was still an arcane field, the recruiting of a blackhat made a lot of sense for trying to make more robust security solutions. But now, we have hundreds of thousands of qualified people and many IT Professionals are highly trained in the area of Network Security. And the blackhats these days by and large are either worm authors/botnet controllers or crackers who use scripted 'sploits to ply their trade. So no, I see no need for the Corporate Enterprise to open itself up to the liability it would face in the event of the "reformed" blackhat deciding to "play around" a little bit with employee data. There's already been enough fallout over loss of customer data and security concerns. Knowingly hiring a convicted felon to entrust that data to would only serve to fuel lawsuits in the event a security breach did take place.

If a blackhat is skilled and "reformed" and truly interested in security, they can offer their services as an outside consultant.
Or perhaps the Military could make use of knowledgeable blackhats putting them on the front lines of electronic warfare.
But I agree that in the workplace they should be treated as any other convict when applying for a position.

Re:The 80's are over (2, Insightful)

EvanED (569694) | more than 7 years ago | (#16253273)

But now, we have hundreds of thousands of qualified people and many IT Professionals are highly trained in the area of Network Security

And yet we still have security holes out the wazoo. Clearly those hundreds of thousands of qualified people aren't doing enough.

Plus, how many of those hundreds of thousands of qualified people could explain how data execution protection is implemented on x86? How many of them even know that the x86 has a separate iTLB and dTLB? (My cynicism says "how many of them know what a TLB is at all", but we'll leave that behind...) And yet that knowledge is *essential* for understanding how the Shadow Walker rootkit works.

Re:The 80's are over (0)

Anonymous Coward | more than 7 years ago | (#16253425)

iTLB and dTLB... OOOOooooo... All that technical talk! You must be SMART!

Re:The 80's are over (1)

charlesnw (843045) | more than 7 years ago | (#16253823)

Ah, the classic nerd/geek approach to a clear, reasoned statement. Narrowly focus on a small part of it and completely ignore fact. I love it.

And yet we still have security holes out the wazoo. Clearly those hundreds of thousands of qualified people aren't doing enough.

Well, there are several things that are responsible for this.
1. Lack of time/money/resources.
2. Business decision that says security isn't important or as high a priority as other things.

Plus, how many of those hundreds of thousands of qualified people could explain how data execution protection is implemented on x86? How many of them even know that the x86 has a separate iTLB and dTLB? (My cynicism says "how many of them know what a TLB is at all", but we'll leave that behind...) And yet that knowledge is *essential* for understanding how the Shadow Walker rootkit works.

Again, a small/narrow response to a broad, complex problem. The "information security professionals" are generally on the sysadmin side. There are quite a few on the engineering/development side as well. Please expand your understanding of the real world and business before you make replies like you did.

Article has a good analogy (2, Interesting)

brunes69 (86786) | more than 7 years ago | (#16253057)

Ducklin said: "Let's say that you're shot during a mugging [incident]. As you drift into unconsciousness, would you find yourself saying 'Gosh, I hope the surgeon who operates on me used to be a street criminal because he must really understand gunshot wounds well if he actually shot the people?' You wouldn't think that."

Agree 100%.

Re:Article has a good analogy (3, Insightful)

phasm42 (588479) | more than 7 years ago | (#16253301)

That's a valid analogy for script kiddies. If a blackhat has serious skills (like finding and exploiting holes), these same skills can be used to find and block holes. The surgeon analogy falls apart here. How about if you were infected with an engineered biological agent. Someone who had experience making them would have some useful skills to offer you. The bank fraud example cited earlier is another good analogy.

Which isn't to say that hiring former blackhats is always a good choice. It's a matter of judgement -- has the person really reformed?

Re:Article has a good analogy (1)

TubeSteak (669689) | more than 7 years ago | (#16253317)

Ummm... that's an awful analogy.

A mugger with a gun is the equivalent of a script kiddy.

I'm not really sure why TFA included such a crappy analogy in an article about security jobs that require knowledge.

Re:Article has a good analogy (1)

EvanED (569694) | more than 7 years ago | (#16253337)

I disagree 100%. It's a stupid analogy.

You don't need to know the psychology of shooters to know how to treat a gunshot wound. Someone figured that out, it's taught to doctors, and we're all set. Similarly, SQL injections are known about, and ways of preventing them are known, so no, you shouldn't need a black hat to help secure you against those.

However, thinking up exploits is an entirely different matter. You can't defend yourself against something that you can't think of.

Re:Article has a good analogy (1)

superflyguy (910550) | more than 7 years ago | (#16253715)

If you know someone's likely to be sniping at you, wouldn't you rather have a sniper watching for them than a policeman with a pistol trained in an academy to fight an that he has at least some idea of the location of?

The sniper may be able to see the person who would shoot you, and shoot them first. I guarantee that sniper could conceal themselves well enough that the police officer would never see them though, and they can shoot accurately at the police officer from farther away than the police officer can shoot back, so they can almost ignore the police officer.

Sure if they were checking the most well known vulnerabilities and not hidden, the academically trained hacker can protect you, and possibly even get them arrested. As with a policeman v. a common criminal. But if you're up against a BlackHat hacker who studies every detail of your defense while covering his tracks, the ex-BlackHat who studied your defenses just as well but with the benefit of inside knowledge will do you better.

Assuming, of course, that your ex-BlackHat is truly 'ex-'.

Re:Article has a good analogy (1)

frosty_tsm (933163) | more than 7 years ago | (#16253361)

The analogy is a bit off.

A street criminal only needs to pull the trigger. Even a script kiddie requires more of a level of understanding to be able to download other people's scripts, find a target, and get them to run.

Now, a better analogy would be: "I don't want to get mugged. Therefore I will talk to this guy who used to be a mugger and ask him how I can avoid getting mugged." The better of a mugger he used to be, the better his advice will be.

THAT's a good analogy. (1)

partisanX (1001690) | more than 7 years ago | (#16253453)

Or to use the doctor analogy... If you were drifting off into unconsciousness and, through some absurd set of circumstances, you had a choice of the doctor that was going to treat you, would you prefer a doc who did "off the record" treatment of gunshot wounds for criminals (which would likely mean he used his skills illegally), or would you prefer a "legitimate" doc who has never actually removed a gunshot wound yet but has never used his skills illegally? I know who I'd prefer.

But that's one fringe case. All things being equal, I would lean towards the guy without the shady background as I'm sure most would.

Re:THAT's a good analogy. (1)

frosty_tsm (933163) | more than 7 years ago | (#16253691)

Also a good analogy.

no, not likely (0)

Anonymous Coward | more than 7 years ago | (#16253073)

"Black hats" is just a funny way of saying "criminal". Would you hire a criminal? Just like all criminals, they serve no purpose in society except to waste the time and money of people who want to accomplish legitimate goals.

I'd be pretty hesitant to hire one.

But I bet the set of people I wouldn't hire based on personality and the set of so-called "reformed" black hats have tremendous overlap. I've been in this business a long time and I've seen the various personality types.

Dumb corporate types.. (1)

brennz (715237) | more than 7 years ago | (#16253075)

First of all, I've never heard of any of these interviewees. Have they done anything of note in security? I am committing a logical fallacy in asking this, but they don't carry any water in my security oriented meritocracy. As far as conferences go - I'd like to see a comparison of skillsets between attendees for say Defcon and Blackhat, excluding people attending both. I'll wager the Defcon crowd will win out anyways (not that defcon attendance = hacker, but it does mean more so than blackhat).

I'd much rather have a reformed blackhat on my team, than a white-hat. Simply judging from the people I've known in the industry, the people pushing the envelope have the greater skills and tend to have at least some illegal behaviour in the past.

Thinking as an attacker is a skill that requires cultivation too. You don't get this from Joe Software developer.

Well... (1, Interesting)

jellomizer (103300) | more than 7 years ago | (#16253077)

The real question is: are Black Hat Hackers worth the potential risk (shown by their history)? Being a Black Hat hacker doesn't mean you are any good at computers or security. Being labeled as a Black Hat Hacker means you were some Jerk Script Kiddy, who downloaded some scripts and took control of systems that they knew were vulnerable. There are a lot fewer Black Hat hackers who are actually good at what they do. The Gray or White Hat hackers, those are the ones you want to focus more on. They are more interested in breaking security to make it tighter, or, for the Gray Hats, make the tools for the Black Hats. Black Hats will use whatever method is available to break in and cause damage. So if they are Reformed, are they really that smart, or just smart enough to type in some code word in 1337 speak, and there is a site where they can get some script? Vs. someone who knows why the script works and what needs to be done to stop it.

I'd hire their services, but not them.. (1)

kabocox (199019) | more than 7 years ago | (#16253079)

I'd hire a "contracting" company that had their services to offer, but I wouldn't want to put them on my actual direct payroll. I'd always worry that they were collecting info on me off my system to use for the future. The less tech. savvy a manager is, I'd bet the more that they'd want to cover their butts, just in case of that. I would use them for corporate IT theft on other companies, but would always worry about how defended my own company is.

Would you hire a former jewelry thief... (1)

Jason1729 (561790) | more than 7 years ago | (#16253081)

Would you hire a former jewelry thief to guard your jewelry store? Giving him full access to your security system and allowing him to be in alone at night?

Re:Would you hire a former jewelry thief... (1)

phasm42 (588479) | more than 7 years ago | (#16253355)

This comment made me realize another key thing to look at when deciding whether to hire a former blackhat. Were their activities motivated by money, a desire to explore, or to just defy security? A jewel thief would fall almost exclusively in the first. It'd be difficult to really trust a blackhat that fell into the first category as well. But the second category is a good quality, and the third is more likely to fade with age, and overlaps with the second.

Re:Would you hire a former jewelry thief... (1)

Frosty Piss (770223) | more than 7 years ago | (#16253491)

This comment made me realize another key thing to look at when deciding whether to hire a former blackhat. Were their activities motivated by money, a desire to explore, or to just defy security?

It makes no difference at all in the final analysis; the damage is still there regardless of the motivation.

Maybe! (0)

Browzer (17971) | more than 7 years ago | (#16253089)

.
.
.

The question is always if they really reformed (1)

artifex2004 (766107) | more than 7 years ago | (#16253107)

You can never be sure someone is reformed; you only know when they fall back to their old ways, assuming you catch them.
Part of this is because of the ideological mindset; the ones who claim they did it all as a game still often think it's fun, and they seem to lack the subconscious barriers to antisocial behavior that normally tell people that it's destructive behavior. They may "go legit," but how do sociopaths grow ethical and/or moral senses?

These people still like manipulating people through different levels of social engineering. What says people like this won't just try to find other ways to screw with things or people, but in legal ways? What about those egos? Who really wants that in an organization?

If I were going to consider any former black hats at all, it would be those who did things like make spyware on contract in Eastern Europe, in order to feed their families, or something similar. I'd still be leery, but they at least have a situation of duress to claim. If I'm satisfied that they otherwise meet the profile of people I like to hire, I'd just have to worry that they feel rewarded enough that they can take care of their families. But I'd have that worry about all my employees.

Re:The question is always if they really reformed (0)

Anonymous Coward | more than 7 years ago | (#16253391)

You're presuming that 'black hat' automatically implies no appreciation for ethics or morality. Although the term implies a level of initiation with the Dark Side of the Force, I'm not comfortable accepting the 'these guys are evil demons summoned from the 4th circle of hell' sentiment as a given. Ideally, you have some way to test for professionalism, which is the only quality that you likely care about as an employer.

Absolutely! (1)

JimXugle (921609) | more than 7 years ago | (#16253111)

I'd hire a former blackhat, but at the "You're hired" meeting, I'd say something along the lines of "Keep your nose clean. If you wanna take your lunch break and non-destructively poke around a little bit, I don't mind. But if you find anything that could pose a risk, I wanna know about it. Nothing illegal on corporate machines. After you leave this room, you're just another new employee... I won't bring up this topic again. Are we clear?"

Of course... I wouldn't hire a blackhat just because they were a blackhat.

I would not hire a blackhat (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16253117)

They most likely would not have a degree in CS, so that would make them pretty much worthless.

no way (1)

Greventls (624360) | more than 7 years ago | (#16253183)

I probably wouldn't. They are a liability. What happens if they get pissed during a meeting? What if the company is downsizing and they get laid off?

bah (-1)

Anonymous Coward | more than 7 years ago | (#16253215)

If the black hats want credibility and authenticity - then they shouldn't have spent all that time trying to get around it.

Would You Hire a Former Black Hat????/ (2, Interesting)

really? (199452) | more than 7 years ago | (#16253323)

Well, it would depend, wouldn't it.

In no particular order:
How do you know the "hat status" of a potential employee?
What does the law say in the jurisdiction you're in?
Are there other "hat free" candidates with the same skills?
Are you willing to take the risk?
Are there any benefits to the available position that the former "black hat" status offers? (Think, for example, of a truly reformed virus writer who still has contacts in the underground, but, who is now applying for a position in an antivirus company.)

Re:Would You Hire a Former Black Hat????/ (0)

Anonymous Coward | more than 7 years ago | (#16254023)

Well, yeah, those are the questions, dumb ass. I think we all know that. The point of the "story" is what are the answers?

Ethics. (1)

topham (32406) | more than 7 years ago | (#16253333)

Ethics: in spite of 'black hat', it is still possible for someone to be otherwise ethical. On the other hand, it isn't very likely.

The guy that spends his time concentrating on the 'how' of the hack, without much regard for the effect of the hack is more ethical than the guy performing the hack to steal credit card numbers.

One could potentially be a maturity issue, the other is intentionally criminal.

I could never trust someone who spent a few years stealing & using credit card numbers.

Someone I know was caught stealing cars, he was forced to pay restitution and has spent years being responsible. I like the guy, and he has a trusted position at a company; but it is only because you can see he has changed, he didn't stop doing it because it wasn't profitable any more.

Funny ... (0)

Anonymous Coward | more than 7 years ago | (#16253373)

I find the comments that people would rather hire a Black Hat over a White Hat to be amazing. Just the idea that I would be more likely to get a job BECAUSE I committed a felony is crazy.

Would we rather hire a bouncer with a history of assault? "He's proven to be a good fighter in those situations ... and he's reformed, he's not going to get us in trouble".

Is the possibility of ruin worth that extra bit of experience the person has? How many times in history has this sort of thinking backfired for people? I agree that people should be given a second chance, but I also feel that you can't be stupid. Especially in business ... especially these days. In no time we're probably going to see the equivalent of Sarbanes Oxley hitting IT if we follow this sort of road. It only takes a few bad eggs to ruin it for us all. Do we want to set ourselves up for the fall?

direct objects (1)

Sebastopol (189276) | more than 7 years ago | (#16253381)

Would you give black hats a second chance if you were in their position?

Barring any severe self-esteem issues, if I were a black hat, of course I would give myself a second chance.

Grammar, people, GRAMMAR!

Re:direct objects (0, Funny)

Anonymous Coward | more than 7 years ago | (#16253561)

Would you give black hats a second chance if you were in there position? Satisfied?

Re:direct objects (0)

Anonymous Coward | more than 7 years ago | (#16253741)

>Would you give black hats a second chance if you were in there position? Satisfied?

I think you meant "their"... Grammar nazi corrected by spelling nazi; what is the world coming to?

Did none of you learn anything at school?!

I love the tagging for this one (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#16253427)

no, maybe, yes (tagging beta)

yeah.. (1)

kbox (980541) | more than 7 years ago | (#16253493)

.. I do have some painting and yard work that needs doing.. What do they charge?

It depends... (2, Insightful)

AxemRed (755470) | more than 7 years ago | (#16253501)

The term "black hat" can cover a lot of ground. In my mind, there's a big difference between someone who got in trouble for snooping around the university's network for the sake of curiosity and someone who attached a keygen trojan to something and put it out on the internet for the purpose of stealing credit card numbers. There's also a difference between someone who DoS'ed their school's webpage in high school and someone who DoS'ed their employer's webpage when they were 25.

Here's another thing to think about too... The only reason to hire a black hat over someone else would be that you know they have some experience in hacking. However, there are many people who have the same experience and never did anything illegal. Basically, you're sacrificing a varying amount of ethics in exchange for a guaranteed amount of skill. Also, in many cases, the skill that a black hat has proven is directly proportional to the ethics that he has disproven. That is, if you know enough of a hacker's exploits to know that he is very skilled, you also know that he has broken the law a sufficient number of times to prove it to you.

In all, I would say that hiring a black hat would be case-by-case for me. Someone who is a black hat because of a harmless, but illegal, mistake may pique my interest because of his proven ability to learn independently. Someone who hacked a private network years ago, but has since proven to be a responsible person, may end up being a skilled employee and worth a second chance. But, to me, someone who committed repeated damaging, malicious acts online is no better than someone who committed repeated damaging, malicious acts in real life, and they would not be worth the risk, regardless of skill.

//Would you hire a multiple-time burglar to protect your home?
//Sometimes it's best to trust the home-security companies, regardless of whether or not their employees have ever broken into a house.

Clear answer (2, Insightful)

Anonymous Coward | more than 7 years ago | (#16253573)

I would not hire a former thief in a supermarket as a detective.
I would not hire somebody who took money from his employer in a bank.
I would not hire a former drug addict as a salesperson in a pharmacy.
I would not hire a former pedophile in an elementary school.
I would not hire a murderer as a social worker.

So - no I would not hire somebody who fell one time to some temptation in a job where he is tempted each day.

A Blackhat as a programmer - maybe; as an administrator - no.

Re:Clear answer (1)

dominick (550229) | more than 7 years ago | (#16253899)

Actually, that isn't a clear answer.

It is one thing to touch another little boy's gonads, and another thing to touch 1's and 0's that don't belong to you.

This is a silly question (1)

Lord Ender (156273) | more than 7 years ago | (#16253591)

If the Black Hat was any good at all, you would have no way of knowing he was (or is) a black hat.

But if someone with a criminal record for cybercrime applied, there is NO WAY an informed manager would hire him. If he breaks the laws again, someone could go after you personally for negligence.

I would and have. (1)

Tancred (3904) | more than 7 years ago | (#16253593)

Lots of people do dumb things in their youth. Just evaluate the person as they currently are. There are certainly circumstances that would be hard to overlook for certain positions, but to forever eliminate from consideration anyone who ever did anything illegal with a computer seems a bit nuts. Would you refuse to hire someone that got caught shoplifting as a kid? What percentage of your coworkers did something dumb as a kid, whether they got caught or not?

I'd love to but.. (1)

Frightening (976489) | more than 7 years ago | (#16253655)

if they're a really good black-hat, you'll never know about them will you?

Yes.... and we're hiring... (1)

DangerTenor (104151) | more than 7 years ago | (#16253677)

http://geminisecurity.com/job.html [geminisecurity.com]

I'm not opposed in principle to hiring a former Black Hat. It still needs to be the right person for the job, and I still need to trust them. I have to get a real good feeling about the person to start off with, and the possibilities are endless.

Paul Ducklin is an idiot. (1)

CherniyVolk (513591) | more than 7 years ago | (#16253701)

Don't be alarmed, there are a lot of idiots in leading positions in large companies, just as there are many idiots born into affluency a.k.a. Venture Capitalists.

First, Paul has attempted to apply traditional business philosophies and the illusion of value to that of Open Source development. "[hackers] don't have to support their product [or] be absolutely reliable", is one hint. The illusion of "support"... well, I paid 15,000 (USD) for this SunFire server... called up Sun Microsystems and I have to pay 125 dollars for a valid account just to access their knowledge database.... support my ass. Or, call up Microsoft, and watch as you're told (after the 10-20 dollars you have to pay to talk to a rep), to go to Dell or whoever made your computer; support my ass again. Companies do NOT want to be responsible for their products, they never have, they never will be. At least you more often get a REAL NAME of someone on an Open Source project; as for companies, many Class Action lawsuits have been filed throughout the world and throughout history.

Deadlines... yeah, as a developer of both proprietary software and open source software. Nothing diminishes the value and quality of a software project more than a "deadline". This is fact. This is widely known amongst developers. Traditional, archaic business leaders are so ignorant that when this fact is mentioned they honestly think we are joking. In fact, the concept of a deadline is the single biggest factor why proprietary software will never compare to open source software when it comes to quality and usefulness.

But, of all that Paul Ducklin claimed in his article, take this one on for size. "I don't know why people think if you can trot out 10 or 20 or 100 viruses[sp], you would be great at actually producing some antivirus technology that can deal with 200,000 different bits of malware,"

Here, the moron decides to misdirect the reader with numbers. I've developed security software myself. And, I've also analysed a number of security software packages and implementations. When it comes to virus detection, intrusion detection and all that biz, 99% of it is nothing but pattern matching routines in a loop. That's why most NIDs have a data pack which is nothing more than a conglomeration of known patterns to published forms of attacks. It is no different for Antivirus software. In short.... if you know regex really well, you don't need to know flip about security or how to implement an attack to identify one with software. This part really ticked me off, because as a person who identifies and writes my own exploits which I might or might not publish, this line of logic Paul wishes onto others is completely bullshit. Then he goes in, and tries to relate the luxuries of production in a less-tangible world (the world of computers where resources are nothing more than imagination and virtually no effort goes into typing) to the real world where you have to chop down a tree to get wood. What I'm talking about is his falsely applied analogy with being shot by an attacker, asking if a victim might logically wonder if the doctor had ever been a criminal to be that much more familiar with gunshot wounds. What he's trying to say, is a person that is able to exploit a problem is far less intelligible than an IT "doctor" who only really writes up a regex string to identify a problem.

I'll end this here. Because I doubt anyone here will take this article seriously. And if it's not enough to bash Paul Ducklin any more... he's a Chief Technical Officer of Sophos. Sophos is an antivirus company. As far as I'm concerned, his only target is the end-user, the moron, the impulse-double-clicker; those in his image.
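The "pattern matching routines in a loop" that the comment above says make up most virus and intrusion detection, shown as an added Python example (this is not code from the thread or from any antivirus or NIDS product; the rule-file format, the rule names, and the sample "files" are all constructed for the illustration). A small rule pack is parsed, every sample is tested against every pattern, and the result shows why rule authors write family patterns rather than byte-exact ones: the exact rule flags only the first marker variant, the looser family rule flags both.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One detection rule: a name and a regex compiled over raw bytes."""
    name: str
    pattern: re.Pattern[bytes]


# Constructed rule "data pack" (hypothetical format, not any real product's):
# one rule per line, <name> <whitespace> <regex over bytes>; '#' starts a comment.
RULES_TEXT = r"""
# name            pattern (regex over raw bytes)
exact-marker      MALWARE_MARKER_V1
marker-family     MALWARE[_-]MARKER[_-]V\d+
webshell-eval     eval\s*\(\s*base64_decode\s*\(
"""


def load_rules(text: str) -> list[Rule]:
    """Parse the rule pack into compiled Rule objects, skipping blanks and comments."""
    rules: list[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, pattern = line.split(None, 1)
        rules.append(Rule(name, re.compile(pattern.strip().encode("ascii"))))
    return rules


RULES = load_rules(RULES_TEXT)


def scan(data: bytes, rules: list[Rule] = RULES) -> list[str]:
    """Return the names of every rule whose pattern occurs somewhere in data."""
    return [rule.name for rule in rules if rule.pattern.search(data)]


# Constructed sample "files" for the demonstration; none of these is real malware.
SAMPLES: dict[str, bytes] = {
    "notes.txt": b"Meeting notes: nothing to see here.\n",
    "dropper-v1.bin": b"\x7fELF...MALWARE_MARKER_V1...",
    "dropper-v2.bin": b"\x7fELF...MALWARE-MARKER-V2...",
    "index.php": b"<?php eval(base64_decode($_POST['x'])); ?>",
}


def scan_corpus(samples: dict[str, bytes] = SAMPLES,
                rules: list[Rule] = RULES) -> dict[str, list[str]]:
    """Run every rule over every sample; the outer loop over files, inner over rules."""
    return {name: scan(data, rules) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_corpus().items():
        print(f"{name:16s} {'CLEAN' if not hits else ', '.join(hits)}")
```

Running it prints one line per sample: `notes.txt` is clean, `dropper-v1.bin` hits both marker rules, `dropper-v2.bin` hits only `marker-family`, and `index.php` hits `webshell-eval`. The whole scanner is a regex library plus two loops, which is the point the comment makes; what the loops cannot do on their own is decide which patterns belong in the pack.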

My experience about this. (0)

Anonymous Coward | more than 7 years ago | (#16253777)

Hi!

when I want to hire someone, I just evaluate the candidates in several areas, but one of the most important is "honesty" (I leave several valuable things that can be stolen (usually money on the desk, or on the floor), and I leave him/her alone for some time, after the interview I review if something is missing), and a psychological test to determine if they can be "trusted".... Yes, I know, the test can be fooled if the person is smart enough, because of that, I also put everybody on a "test period", where I monitor them very closely, for at least two weeks (normally, it is extended to three months).

In fact, I hired a hacker, because I have known him for a long time. That's why I knew he was a hacker....... Please, don't read the word "hacker" as "bad"... so many people make that mistake. A hacker is someone who likes to do difficult things, just for the pleasure of doing so.... so, in this order of ideas, almost any researcher is a hacker. Thus, we have "computer hacker" ---> someone who likes the challenges in the computer field, and yes, a security system is a challenge, but there are many others. So, if I need to evaluate security anywhere, I need a hacker, I don't need somebody who will see the holes that are already reported, and that I can look for using nessus (or name your tool). A hacker can evaluate code for security bugs, and will report them, if he is a good person.

It is the same: if you have a gun, and you are a very good shooter ---> does it mean that you will go out there and shoot anyone? I don't think so... The same goes for martial arts: they could kill you, but they don't do it.

So, if I didn't know this "hacker", I maybe would not call him "hacker", I would just say that he is someone with a great talent.

Then: How do you know the difference?: you can't.

Just like you don't know if the man that is walking in the street is a killer.

I hope this answers the question,

Soulhunter

errr...... (0)

Anonymous Coward | more than 7 years ago | (#16253867)

Yes. No. Maybe.... That tagging system you got there works great dunnit.

You may have no choice! (1)

Threni (635302) | more than 7 years ago | (#16253871)

In the UK, after a period of time you don't have to declare convictions, so you may be hiring people who have been in jail for hacking without knowing it.

would you hire someone useless and dishonest (2, Insightful)

tota (139982) | more than 7 years ago | (#16253987)

by hiring an ex-blackhat, at least you get:
* someone who can hack it - no CISSP is going to replace hands on skills
* someone who is willing to admit he has made mistakes in the past - which is more important than ever in the world of security: covering up mistakes doesn't help.

now, if he's good - it shouldn't even matter if he has been blackhat: the systems should be secure, especially from the inside job threat. And part of his job should be to make it provable that it is so.

Now, if all you want is some type of ISO certification stamp of approval - rubber stamp / get finance / show off, go hire some certified engineer with a long series of random acronyms on his CV, which may include MCSE in the lot - that should be a hint, but unfortunately depending on who does the recruitment it may not be a deciding factor...

Depends on the type of Black Hacker. (0)

Anonymous Coward | more than 7 years ago | (#16254049)

There is the uncommon form. A Legal Black Hacker.

As long as the contracts don't let them destroy you they are safe. Use good lawyers.

These are normally smarter than the run-of-the-mill black hackers. Reason: they don't do anything legally wrong. Only morally. They give a harmless looking contract to a person that allows them to destroy their network. If they sign it, legal black hackers do it.

They are just as evil. They hunt their prey. They enjoy it. There is no skill in just hacking illegally in their mind. It's an art to do it within the law. Reason: you can show your face to who you caused harm to. And watch them cry when they know there is nothing that can be done to the hacker that destroyed their network and backups.

The funny bit is the hunting they love and human expressions of suffering. So hunting down illegal black hackers is just as much fun to them in most cases as long as they get to be present at the catching.

So yes I will trust a Black Hacker. Just a legal class black hacker. Note I will never trust a contract that a Legal Black Hacker gives me. I would most likely get my own written.

Not reformed. (0)

Anonymous Coward | more than 7 years ago | (#16254069)

We aren't "reformed"...we've just found focus.

Mitnick Consulting (1)

treak007 (985345) | more than 7 years ago | (#16254071)

I don't think that Kevin Mitnick's past has stopped anyone from hiring him. Personally, I believe that "hackers" are job-worthy. Most likely, they are more experienced with computers than the average computer worker.