5009489
story
Comments: 96 +- IT: The Path From Hacker To Security Consultant on Saturday June 27 2009, @11:10AM
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
CNet has a series of interviews with former hackers who ran afoul of the law in their youth, but later turned their skills toward a profession in security consulting. Adrian Lamo discusses taking "normal every day information resources and [arranging] them in improbable ways," describing a time when he broke into Excite@Home's system and ended up answering help desk questions from their users. Kevin Mitnick, famous for gaining access to many high-profile systems, warns today's young hackers not to follow in his footsteps, saying, "A lot of pen testers today have done unethical things in their past during their learning process, especially the older ones because there was no opportunity to learn about security. Back in the '70s and '80s, it was all self-taught. So a lot of the old-school hackers really learned on other people's systems. And at the time, I couldn't even afford my own computer." Mark Abene explains how he got interested in phone phreaking, and how it led to a prison term and a career in computer security. Like Mitnick, he says that easy access to powerful modern computers removes part of the motivation for breaking into other systems.
It doesn't much signify whom one marries, for one is sure to find out
next morning it was someone else.
-- Will Rogers
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
Or maybe... (Score:3, Insightful)
They just realize they can hide better as security researchers. :)
Sounds familiar (Score:5, Insightful)
And at the time, I couldn't even afford my own computer."
Don't do what I've done, do what I say. Things were also tougher for me. When I was a child I had to walk 20 miles to school everyday in a snow storm, through swamps and trying to avoid crocodiles. Things were tough. You kids today have it easy.
Re: (Score:1, Insightful)
I dunno, maybe they've learned a lesson and are trying to steer people away from needless hardship?
Re: (Score:1)
I dunno, maybe they've learned a lesson and are trying to steer people away from needless hardship?
Perhaps, but unless they've been in jail then it's probably just the same old hypocrisy and moral superiority based on age.
Re: (Score:3, Insightful)
Re: (Score:1)
As people age, they often realize that many of their youthful decisions, which seemed so correct at the time, were not such great ideas afterall.
I haven't noticed this. I have noticed that people tend to rationalize their behavior. Unfortunately people (personality-wise) change very little with age. So an impulsive ten year old will likely grow into an impulsive forty year old. And depressive people will remain depressive and honest people will remain deviant.
People will make excuses for their behavior if they get caught, and they will make excuses for their hypocrisy either way. There isn't much altruism in people. People only find religion after t
Re: (Score:2)
As people age, they often realize that many of their youthful decisions, which seemed so correct at the time, were not such great ideas afterall.
I haven't noticed this. I have noticed that people tend to rationalize their behavior.
Some people don't grow up. Some do. I did things as a teenager I have regrets over now because they were stupid or assholish. I understand WHY I did them, but I realize now they weren't the right choices to make in those situations. And in ten years I'll probably be kicking myself for something I'm doing now.
and honest people will remain deviant.
Freudian slip? :)
Re: (Score:2)
So, yes, Kevin Mitnick was pretty famously put into prison. From what I remember, he got a particularly harsh sentence because the general public didn't really understand what it was that he did. He wasn't even allowed to use the phone in jail because their was a silly belief that he could launch nuclear missiles by whistling tones into the receiver or something. He did something wr
Re: (Score:1)
Re: (Score:1)
Did you even read the summary? In the summary you can clearly read that one of them spent time in prison.
Really? I obviously wasn't referring to that one person referred to in the summary, and I obviously am not embarrassed. I have been aware of Kevin Mitnick since the 1990s; there is no Google search necessary.
Re: (Score:1)
That trick never works.
Re: (Score:2)
Yeah, I remember, when I was a child I actually had to walk to a library to borrow an actual book.
Sounds familiar. [nizkor.org]
Look, I'm not even saying that kids have it easy nowadays, far from it. I remember learning to program on a C-64. You could memorize all the important addresses. Your languages were BASIC and assembler. You had a grand total of 3 regist
From hacker to help desk? (Score:5, Funny)
he broke into Excite@Home's system and ended up answering help desk questions from their users.
Sounds like he's still being punished for his "crimes".
Re: (Score:2)
Why did you read the article? Nobody else does.
Old adage. (Score:4, Interesting)
Re:Old adage. (Score:5, Insightful)
No, the best teachers really weren't the worst students. That's a silly idea.
The "worst behaved" students of my experience, and ossibly yours, are dead, massively crippled by their own foolishness, in jail, dying of AIDS or lung cancer, homeless, etc. Being homicidal, fundamentally stupid, a slut of any gender or orientation, constantly stoned, or spoiled does not help one as a teacher.
There are kinds of behaviors that are frowned on by authorities, for lots of understandable reasons, but help people be leaders or teachers. Curiousity, interest in others, love of particular types of knowledge, etc. can all hinder someone in school but pay off for teachers, true.
Parent
Re:Old adage. (Score:5, Insightful)
Parent
Re: (Score:2)
Maybe your experiences are different to mine.
I think your right. Just a wild guess here, but you probably went to a public school in a rich suburb, and the GP probably teaches in the ghetto, where the "bad" end of the behavior spectrum has different motivations and higher stakes. Think John Hughes vs. Spike Lee.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re:Old adage. (Score:5, Interesting)
If by "worst behaved" you simply mean the ones that would challenge authority and "color outside the lines," then sure - those kinds of "misbehaviors" are pretty common among people who are really good at their job. That seems to be a pretty milquetoast version of "worst behaved" though.
As someone who went to Chicago Public Schools, I can say that the "worst behaved" students are the ones who were unable to handle any kind of structured environment, were disruptive and violent towards other students, were often high if they bothered to show up for classes, and generally couldn't handle even remedial work. The few of these kids that eventually straightened themselves out might make good mentors or counselors at programs to help at-risk children, but generally wouldn't be what I'd call good teachers because they're usually lacking the academic accomplishment that really good teachers must have.
On the issue of taking one to know one - I think it's possible to be a good security expert without being a convicted felon. Given the choice between hiring someone who is very good but a convicted felon vs. someone who is very good and who has the moral compass necessary to avoid committing acts that are criminal, I'll take the latter any time. There are *millions* of people the world over who do computer security - most of them without criminal records - it's not exactly like it's some kind of arcane art or a skillset so hard to come by that one must hire a (hopefully former) black-hat.
My guess is some of these guys are being hired by organizations who want to use their felony record as some kind of street cred - "Our security is the best; we've got one of the worst of the hackers in charge of it!" etc.
Parent
Criminal record == no job (Score:5, Insightful)
It is the exception, not the rule, that a hacker becomes employed as a highly paid consultant. A lot of jobs require security checks, which you will fail if you have a criminal record. Some places have the flexibility to allow exceptions. Most don't. Even if they do you have to prove you offer something so unique and worthwhile that an exception should be made.
It does happen. Hackers do sometimes get jobs. People also win the lottery. Doesn't mean it's smart to play against the odds.
Re: (Score:1, Informative)
Oh fuck!
I went and got busted for: drugs, hacking, running guns, spying on a defence contractor, and bribing a judge. I was planning on becoming the most bad-ass security consultant on Earth.
Re:Criminal record == no job (Score:5, Insightful)
Parent
Re: (Score:3, Interesting)
"A lot of jobs"? You mean jobs where you're an employee.
This is why most of these guys are "consultants". That is, they run their own business and therefore don't typically require any of the normal checks that employees have to get. Some (government) things require security clearance but most stuff does not. All you need is a good reputation and proven skills.
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Most of the places I would work at have long standing policies that forbid the use of even gray hats in security. It doesn't matter if they are employees or contractors or consultants. If it is learned that you have a black hat record, you are out of security.
Seem harsh? Maybe, but it sure beats the alternative of hiring yet another pretend reformer.
Re:Criminal record == no job (Score:4, Insightful)
How do you know ?
Surely if you were any good at it you wouldn't get caught, so no criminal record. It's only the ones who do get caught that have nothing to lose by exposing their past. And of course they're going to say "don't do it". I would argue that we need more people involved in it not less. Why should "the man" have everything his way ? Sometimes it is necessary to step outside the law, precisely because it is the law. If an authoritarian govt. says you can't access a website, should you just say "yes sir", or would you find a way to do it anyway ? I would have thought that with all the passive-aggressive angst on here recently regarding Irans internet policy, the answer should be obvious.
"Hacking" drives security, and keeps the corporations and the govt. awake. Information is control, why should the powers that be have all the control ?
Parent
Re: (Score:2)
Surely if you were any good at it you wouldn't get caught
Eventually most criminals get complacent or unlucky and slip up and are caught.
Why should "the man" have everything his way
Really this is the best you've got? 1960s rhetoric that didn't make much sense even back then unless you were completely stoned?
"Hacking" drives security, and keeps the corporations and the govt. awake. Information is control, why should the powers that be have all the control ?
I see. You are stoned.
Re: (Score:2)
Hacker !imply Criminal
Yes, some hackers are criminals but not all are - and *a lot* of the ones who aren't are in fact highly paid consultants. Please stop spreading the misperception that hacking is criminal or unethical.
Re: (Score:2)
Yes, some hackers are criminals but not all are - and *a lot* of the ones who aren't are in fact highly paid consultants. Please stop spreading the misperception that hacking is criminal or unethical.
I am not spreading any such misconceptions. In the context of this story we're talking about hackers who have broken the law but managed to get a job inspite of or notionally due to their experience with hacking.
Re: (Score:2)
Thank you, I got here late.
A criminal record is NOT a recommendation paper. Quite the opposite. These people got their jobs despite a record. Not because. A criminal record is, essentially, the proof that you made a mistake. Else you wouldn't have been caught. They are the icons of hacking, and that's what landed them jobs. DESPITE their records.
That's not to say that there are no "white hats" that never crossed the legal lines. It's easier now today, who could afford a mainframe server in the 70s to test i
Re: (Score:2)
Remember kids, criminals never make money! Just look at Martha Stewart, 50 Cent, and Don King!
Software Pirate - IT Professional (Score:2, Interesting)
Re: (Score:2)
Not in my experience (Score:4, Interesting)
I worked at a company who shall remain anonymous. I worked there as their security consultant and was in charge of keeping the systems secure.
I noticed that their systems were insecure, I kept telling them that these things will get hacked, I kept telling them that they are wide open. Did they listen to me? No. They kept going on and on, I worked to patch as many holes as I can, but the system was insecure in itself (things like passwords stored in plain text on mysql databases etc...). Fixes I recommended were rejected by management because they would change things from how they were used to, or too expensive, or "but who would want to hack us" responses.
A few weeks ago our external servers get hacked (surprise surprise), and the hacker notifies the company. What do they do? They pay the guy 600 euros per domain (we have a lot of domains) to fix it for us. That dude had the ear of all management, everything he said went, they changed things that I've been recommending to them for months because he said so. And to finish it off, he earned more money in those two weeks working for this company than I did in the last 6 months, to make fixes I've been telling them to do since I got the job.
F*ck it, in future I will just break into computers and then offer them a huge fee to fix them, It seems to pay more to do it that way. The company didn't call the police, just kept it as quiet as possible so word didn't get out.
Posting anonymously for obvious reasons.
Re:Not in my experience (Score:4, Insightful)
Parent
Re: (Score:3, Interesting)
That dude had the ear of all management, everything he said went, they changed things that I've been recommending to them for months because he said so.
I am reading a lot of stuff here that is very recognizable for me as well. The post ends somewhat bitterly. Instead I'd advise you brush up on your social skills and ask your employer in a good man to man conversation why your advice did not hit the mark and what you can do the next time. They might advise a couple of soft skills trainings and will probably be willing to pay for those. You'd probably also get something out of it.
Re: (Score:2)
Security is risk analysis. If you want your company to make security changes, you need to give the stakeholders the information they need to make decisions, in terms of dollars and cents and probabilities.
I would recommend you pick up a few books like "The New School of Information Security" and "Security Metrics: Replacing Fear, Uncertainty, and Doubt". They do a good job of helping you to see security risk through business eyes.
Me don't like (Score:2, Insightful)
I don't like these articles on hackers becoming security consultants. Obviously it has happened in the past - and the story itself covers well known examples, but doing information security for private corporation is so much, much, much much much more than pen testing and other skills typical crackers are good at. In practice, the vast majority of security professionals aren't ex-hackers, and that's a damn good thing.
Maybe it's because I'm actually working in the field, but I really don't like how the media
Re: (Score:2)
Several of the security companies chiefs in interviews flatly say they don't hire hackers. Why? Because they are lazy workers. Not they do not have talents or experience, but the kind of social background that produces the best of them also produces the worst sorts of employees. It was not about their encounters with the laws.
The Right Mentaltity (Score:2, Insightful)
Security Vendors need people with 'the cracker mentality' to join their ranks. Without 'morally gray' staffers, how could they supply regimes like the ones in Iran and China with the 'tools' they need to operate their repressive regimes? Morally blind nihilists, while not necessarily those to fill the ranks of the Ideologically 'pure' elite inside the regime, will always be necessary force.
The people that they can't EVER become involved with are the real hackers.
Black hat behavior is not necessary (Score:2)
A common theme of a lot of the replies seems to be that black hat behavior is the only way to learn computer security. Far from it. I don't need to have broken into an insecure network connection without permission to understand the problems of sending passwords in the clear. Often, it takes a little imagination, a bit of reasoning, and a bit of technical skill -- the same skills I often suggest for system administrators.
The best security analysts I've worked with are so strictly white hat that they've m
PMP (Score:2)
A Hacker with the proven ability to create and execute a project plan should be seriously employable.
Know what pieces overlap, understand how they impact the business, and what it takes to get from A to Z.
Re: (Score:2)
Re: (Score:2, Informative)
The widely-accepted definition of a hacker is different than your romanticized version of things. That horse has left the barn - you can be disappointed all you want but trust me, you're only bothering yourself with it.
I bet you insist on GNU/Linux, too.
Re: (Score:2, Interesting)
Plus, your definition of "hacker" is off anyway. In
Re:Crackers, not hackers (Score:4, Insightful)
Parent