The Path From Hacker To Security Consultant

CNet has a series of interviews with former hackers who ran afoul of the law in their youth, but later turned their skills toward a profession in security consulting. Adrian Lamo discusses taking "normal every day information resources and [arranging] them in improbable ways," describing a time when he broke into Excite@Home's system and ended up answering help desk questions from their users. Kevin Mitnick, famous for gaining access to many high-profile systems, warns today's young hackers not to follow in his footsteps, saying, "A lot of pen testers today have done unethical things in their past during their learning process, especially the older ones because there was no opportunity to learn about security. Back in the '70s and '80s, it was all self-taught. So a lot of the old-school hackers really learned on other people's systems. And at the time, I couldn't even afford my own computer." Mark Abene explains how he got interested in phone phreaking, and how it led to a prison term and a career in computer security. Like Mitnick, he says that easy access to powerful modern computers removes part of the motivation for breaking into other systems.

Or maybe...

[Anonymous Coward]

They just realize they can hide better as security researchers. :)

Sounds familiar

[unlametheweak]

And at the time, I couldn't even afford my own computer."

Don't do what I've done, do what I say. Things were also tougher for me. When I was a child I had to walk 20 miles to school everyday in a snow storm, through swamps and trying to avoid crocodiles. Things were tough. You kids today have it easy.

Criminal record == no job

[syousef]

It is the exception, not the rule, that a hacker becomes employed as a highly paid consultant. A lot of jobs require security checks, which you will fail if you have a criminal record. Some places have the flexibility to allow exceptions. Most don't. Even if they do you have to prove you offer something so unique and worthwhile that an exception should be made.

It does happen. Hackers do sometimes get jobs. People also win the lottery. Doesn't mean it's smart to play against the odds.

Re:Sounds familiar

[Anonymous Coward]

I dunno, maybe they've learned a lesson and are trying to steer people away from needless hardship?

Re:Old adage.

[Antique Geekmeister]

No, the best teachers really weren't the worst students. That's a silly idea.

The "worst behaved" students of my experience, and ossibly yours, are dead, massively crippled by their own foolishness, in jail, dying of AIDS or lung cancer, homeless, etc. Being homicidal, fundamentally stupid, a slut of any gender or orientation, constantly stoned, or spoiled does not help one as a teacher.

There are kinds of behaviors that are frowned on by authorities, for lots of understandable reasons, but help people be leaders or teachers. Curiousity, interest in others, love of particular types of knowledge, etc. can all hinder someone in school but pay off for teachers, true.

Re:Old adage.

[dov_0]

Maybe your experiences are different to mine.

Re:Not in my experience

[fluffy99]

Have you expressed this very directly to your management? Perhaps now they will be more receptive to your wisdom. If they aren't, you need to either find another job or recognize that they really don't give a crap and work with what you've got. Otherwise, continuing to complain when they don't care will just get you labeled a whiner, or worse a scapegoat when another intrusion happens.

Re:Sounds familiar

[anagama]

As people age, they often realize that many of their youthful decisions, which seemed so correct at the time, were not such great ideas afterall. It's a natural part of growing up and the basis for the often heard cliche, "I if I knew then what I know now ..." Any person who gets to 40 and feels that he or she has made only correct decisions in life, probably has some sort of diagnosable condition because nobody does everything perfectly all the time.

Re:Crackers, not hackers

[ActusReus]

Sorry, but I think it's time to acknowledge that there are some "Wordsmith Wars" that have simply been lost. Moreover, lost about 10-15 years ago. The general public is not going to refer to "Linux" as "GNU/Linux"... not going to use licensing terms like "Libre"... and thinks of "cracker" as a silly racial slur for white people.

Me don't like

[ZouPrime]

I don't like these articles on hackers becoming security consultants. Obviously it has happened in the past - and the story itself covers well known examples, but doing information security for private corporation is so much, much, much much much more than pen testing and other skills typical crackers are good at. In practice, the vast majority of security professionals aren't ex-hackers, and that's a damn good thing.

Maybe it's because I'm actually working in the field, but I really don't like how the medias keep bringing back ex-hackers and present them as some kinds of security gurus, or worst, geek super stars. I don't think it is mature, and I don't think it is healthy. These individuals are criminals, and many have caused thousands if not millions of damages, or forced other people to spend countless hours to fix their mess. No matter how you look at this, this is not cool.

Re:Criminal record == no job

[smoker2]

It is the exception, not the rule, that a hacker becomes employed as a highly paid consultant.

How do you know ?
Surely if you were any good at it you wouldn't get caught, so no criminal record. It's only the ones who do get caught that have nothing to lose by exposing their past. And of course they're going to say "don't do it". I would argue that we need more people involved in it not less. Why should "the man" have everything his way ? Sometimes it is necessary to step outside the law, precisely because it is the law. If an authoritarian govt. says you can't access a website, should you just say "yes sir", or would you find a way to do it anyway ? I would have thought that with all the passive-aggressive angst on here recently regarding Irans internet policy, the answer should be obvious.

"Hacking" drives security, and keeps the corporations and the govt. awake. Information is control, why should the powers that be have all the control ?

The Right Mentaltity

[that this is not und]

Security Vendors need people with 'the cracker mentality' to join their ranks. Without 'morally gray' staffers, how could they supply regimes like the ones in Iran and China with the 'tools' they need to operate their repressive regimes? Morally blind nihilists, while not necessarily those to fill the ranks of the Ideologically 'pure' elite inside the regime, will always be necessary force.

The people that they can't EVER become involved with are the real hackers.

Re:Criminal record == no job

[Captain Jack Taylor]

Don't worry, you sound like a great candidate for President.