Security Businesses IT

Would You Hire A Hacker? 466

theodp writes "A German security company has divided opinion in the IT industry by offering a job to the teen charged with creating Sasser. Silicon.com asks its CIO Jury: Would you hire a hacker? and finds the jury split down the middle, with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother."
This discussion has been archived. No new comments can be posted.

  • No, no, no! (Score:5, Informative)

    by Anonymous Coward on Wednesday September 22, 2004 @03:56PM (#10322806)
    That's not hacker! It's cracker. Hackers create, crackers destroy.

    -ESR (fake)

    Hacker != Cracker. How-to. [catb.org]
    • Re:No, no, no! (Score:5, Insightful)

      by Dr Reducto ( 665121 ) on Wednesday September 22, 2004 @03:57PM (#10322830) Journal
      Yeah, I don't think this kid is all too bright compared to a lot of other hackers. I mean, for one, he got caught.
      • Re:No, no, no! (Score:5, Informative)

        by ePhil_One ( 634771 ) on Wednesday September 22, 2004 @04:11PM (#10323027) Journal
        Yeah, I don't think this kid is all too bright compared to a lot of other hackers. I mean, for one, he got caught.

        For another, he's clearly subject to certain moral lapses.

        I've been given this opportunity before, an applicant admitted to hacking into a company to demonstrate his abilities and knowledge; they hired him. While I recognized his potential to help secure our network, could I trust him not to monitor people's mail for his own amusement, access private data like salaries, "attack" computers of folks he didn't like, or otherwise cause trouble?

        It took a slam dunk "Hire him" to a long debate, we wound up not making an offer.

        • Yeah, if someone shows that they are immature, you should not reward them. They won't change at all. Maybe the company is just doing it for publicity/shareholders: We hire ex-hackers so that we can secure YOUR network, or some other bullshit marketing line.
          • Re:No, no, no! (Score:5, Insightful)

            by jhoffoss ( 73895 ) on Wednesday September 22, 2004 @04:33PM (#10323298) Journal
            This would fail even more quickly. Most of my clients are stressed out as it is when they bring my firm in. The one thing we have that they take comfort in is our integrity. Without that, we would be out of a job.

            If a company's entire basis is the fact that their employees do not (or did not, if truly grey hat...) have integrity, they're sunk before they leave dock.

            In the same breath, I will just state what I have seen someone else on /. state, and I found humorous: black hats are good hackers, white hats are good fakers, and grey hats are good liars.

        • Re:No, no, no! (Score:5, Insightful)

          by dead sun ( 104217 ) <[aranach] [at] [gmail.com]> on Wednesday September 22, 2004 @05:05PM (#10323738) Homepage Journal
          So is what's being said here equate to 'if the applicant hadn't admitted to hacking a company to demonstrate knowledge, and instead plausibly lied about having worked in a "test" environment configured just like a real company, the debate wouldn't have happened'?

          I'm sorry, but at least the person you didn't make an offer to was willing to come forth about it, let people know that he found that sort of behavior acceptable, and give a chance to lay down a set of rules that are perhaps more fitting to his particular morals. He was decent enough to give that opportunity.

          I wonder how many people you've worked with have ever done the same things as this individual but haven't owned up to it. I wonder if anybody you've worked with monitored mail for their own amusement and just never set off warning flags during the interview process.

          It's one thing to catch somebody doing something after giving them a chance (because of not being told about certain behaviors or not). It's another entirely to deny them a chance after they're trying to be out in the open with you.

          Why would a spy come out and say they're a spy? It sets off alarms and unless you're just that damn good, blows any future chance of spying you have. Why would a cracker come out and declare they're a cracker unless they're willing to change their tune while on the job? I guess, unless you're looking for feints within feints.

          • Re:No, no, no! (Score:3, Insightful)

            by ePhil_One ( 634771 )
            So is what's being said here equate to 'if the applicant hadn't admitted to hacking a company to demonstrate knowledge, and instead plausibly lied about having worked in a "test" environment configured just like a real company, the debate wouldn't have happened'?

            Nope. Why? Because hiding the fact means that he knows what he did was wrong. Because he admits to it in an interview, it's a sign he doesn't view it as wrong. I don't care if he likes pornography, but if he brings it up in an interview, that's a s

      • Re:No, no, no! (Score:3, Insightful)

        by microsopht ( 811294 )
        Yeah, I don't think this kid is all too bright compared to a lot of other hackers. I mean, for one, he got caught.

        If a hacker gets caught, it doesn't have to mean he isn't bright. E.g.: Mitnick. He is the role model for many.

    • Re:No, no, no! (Score:5, Insightful)

      by DogDude ( 805747 ) on Wednesday September 22, 2004 @04:05PM (#10322948)
      Hackers create, crackers destroy.

      And while you are busy trying to make this assertion to a hiring manager, somebody else who doesn't deal with pedantic stuff like "hacker vs cracker" is taking your job.
    • Re:No, no, no! (Score:2, Insightful)

      by microsopht ( 811294 )
      Many websites scream the other way round, and some hacking guys like to say they are crackers [positive connotation they want].

      Some sites suggest:
      hacker=harmful.
      cracker=has the skills like a hacker but uses them for a good purpose, like providing security etc.

      It's not my opinion, but what I have seen on websites.

    • Crackers don't destroy. Crackers crack or break into... not always with malicious intent. I'm sure this thread is going to shoot off a lot of BS for little script kiddies and wannabe hackers... because it really seems to have already.

      Yes. I would hire a hacker. What's he going to do? Write a virus to destroy the company network? His skills seem to be pretty much limited and I'm sure that prison time offered at him would really change the guy. Getting paid to do something he wants to do would not be somet
    • Amen! (Score:5, Funny)

      by PCM2 ( 4486 ) on Wednesday September 22, 2004 @04:14PM (#10323072) Homepage
      Hear hear! I can't stand how many people keep making this simple mistake. By calling destructive computer criminals "hackers," you're bringing down everybody who codes for the love of it. Lots of us have been calling ourselves hackers for years, only now to get painted with this negative brush.

      I don't expect the mainstream press to know any better, but this is Slashdot. Can we please try to keep our definitions straight?

      A hacker is a skilled, passionate computer programmer -- nothing more.

      A person who commits malicious computer crimes is a biscuit. Like those evil software pirates who walk around with those parrots on their shoulders: "Polly want a biscuit!" Get it right, people.
      • Re:Amen! (Score:3, Interesting)

        by fitten ( 521191 )
        Lots of us have been calling ourselves hackers for years,

        The "hacker code" that I grew up by was: "Hacker" is sort of an honorific. You can't call yourself a hacker. Others have to call you a hacker. If you call yourself a hacker, you almost assuredly aren't one.
        • You should probably add to your definition there a part about the person calling you a hacker actually knowing what the hell they're talking about... because by your current wording, I'd be a hacker. I'm not. My boss occasionally refers to me as "hacker" at work (other choice nicknames are "Dell", "Pentium", and "Bum-bum-bum-bum!" which is supposed to be the chimes from the Intel commercials. He tried to call me "Compaq" one time but I gave him a dirty look so he doesn't do that anymore).
          My hacking skills t
      • Re:Amen! (Score:3, Insightful)

        by Kehvarl ( 812337 )
        Why should computer criminals be called "Crackers"? What have they done to deserve their own special descriptor? Nothing constructive. Computer criminals should be labeled as criminals with the nearest normally-applying label. If you break into a machine without proper authorization and make off with private or sensitive data, that probably falls under some existing laws against espionage. Same applies to any computer crime. If there is no pre-existing label for the crime, why not? is it something that
      • Language is a living thing, it evolves and word usage changes. Hacker is a negative thing in this context, talk to a kernel dev or a FreeBSD developer and maybe it won't be. Gay used to mean a happy person, and ignorant was uninformed, neither definition is what the general use is now so get over it.

        BTW a hacker was not a skilled, passionate computer programmer, it was someone who created an ugly kludge to quickly solve a problem.
  • Extreme comparisons (Score:5, Interesting)

    by AKAImBatman ( 238306 ) * <akaimbatman@gmaiBLUEl.com minus berry> on Wednesday September 22, 2004 @03:56PM (#10322807) Homepage Journal
    [O]ne IT Director [said] doing so would be like hiring serial-killing doctor

    A little extreme on the allegories, aren't we? Virus writing is not exactly like taking out a knife and killing someone. (Although it may result in the shutdown of systems that support people's lives. I'd tend to blame this on the idiots who use Windows for those systems, though.)

    As for hiring him, I think my answer would be "maybe". I certainly wouldn't hire him because of his transgressions, but rather despite them. Basically, everyone should be entitled to a second chance. If this employer believes that the guy has a lot of talent and is repentant of his past deeds, then give him another shot! He'll have to try damn hard to remove the stigma from his deeds, but try hard enough and he might just turn his life around.
    • I am willing to bet that the serial killer has excellent medical and killing skills... That same person also has a greater chance of committing a crime than your average joe off the street.

      So, yeah, the hacker might have great talent in his specialty and he might even be worth your time to keep on your side as a defensive measure but you have to remember that he does have a good chance of still committing another crime.

      Everyone deserves a second chance (especially when they were young and stupid as you d
    • by epiphani ( 254981 ) <epiphani@dal . n et> on Wednesday September 22, 2004 @04:02PM (#10322901)
      A little extreme on the allegories, aren't we?

      Agreed. If we want to stick with the Doctor example, I would equate it more towards someone performing impressive medical research without a license. Or practicing medicine without a license.

      Most of these virus writers are teenagers with no formal education and no job prospects as a result. Writing something like this proves they're not only talented, but quite bored. Give them something positive to work on, and a paycheck to boot, and I'm sure good results will come of it.

      I think the fact that these teens exist is a result of the stupidity of the system to depend on education metrics to represent knowledge and value.
      • by stratjakt ( 596332 ) on Wednesday September 22, 2004 @04:30PM (#10323266) Journal
        It doesn't necessarily prove any talent at all.

        It proves they go to their favorite hacker website, download some proof of concept code, and wrap some VBScript around it.

        I wouldn't call Sasser a work of genius, but a work of pure assholery. He didn't invent something, or do it to prove a point. The point was proven, the exploit was known. He did it to be a 1337 h4x0r.

        I think the fact that these teens exist is a result of their own stupidity. Guess what, you want to commit crimes for attention, it just might fuck your entire life up.

        Try and get a job in retail with a shoplifting conviction. Try and get a job as a kindergarten teacher with an assault conviction. Try and get anywhere in politics with virtually any conviction greater than a traffic violation.

        Boo hoo for teens too stupid to realize actions have consequences, sometimes life long consequences. And I'm sick of people blaming "the education system" or "society".

        This kid was mentally developed enough to know what he was doing was wrong, and did it anyways. He's lucky to be offered a job doing anything more technical than digging holes in the dirt.
    • by shawn(at)fsu ( 447153 ) on Wednesday September 22, 2004 @04:04PM (#10322923) Homepage
      I can see three potential problems with this.

      1) The possibility that this might motivate other crackers to unleash the next big worm to find a job.

      2) What about the poor shmuck that does nothing wrong and gets passed up for a job.

      3) Say you hire him and he goes back to his old ways. Wouldn't you be somewhat liable for damages caused to your clients.

      As I said potential and possibly extreme situations.
      • by einhverfr ( 238914 ) <[moc.liamg] [ta] [srevart.sirhc]> on Wednesday September 22, 2004 @04:15PM (#10323090) Homepage Journal
        I read a couple of articles on this case by the time it hit /. So here is what I have to say.

        First, I think that this kid has been punished pretty severely already. His *dad* got fired over it, and he has received his share of death threats. This is not something you can just take lightly, especially when one's actions affect those close to the perpetrator. BTW I do think that firing the guy's dad is a little severe. Indeed these actions were what motivated the German security firm to offer a job to the kid.

        Secondly, the comparison to the serial-killing doctor is quite misguided. In this case, it is more like hiring the serial-killing doctor as a pathologist. He *might* make a really good pathologist. But there are no guarantees.

        Finally, at least in the US, our legal system recognizes that teenagers are not as capable of considering consequences of their actions as adults, and there are some scientific studies which have been published in the last few years that may provide a solid scientific case for challenging those states which allow the death penalty for individuals under the age of 18 who commit capital crimes. If you say that "we will never allow anyone in this field to ever hire a teenager who commits this crime" then you are placing, IMO, unbalanced consequences for the misguided and even criminal actions of such individuals.
    • by attam ( 806532 )
      but try hard enough and he might just turn his life around

      I dislike the implication that his life needs to be "turned around." The kid made some dumb decisions about how to use his intelligence, I hardly think that makes him a terrible person. Correct me if I'm wrong but I don't think he tried to rob a bank or gain in any other way except for, perhaps, recognition.

      bad decision != bad person.
      • I dislike the implication that his life needs to be "turned around."

        Why? He may not be a bad kid, but he's still in deep shit. Right now he probably feels like his life is over. If he's smart, he'll make the best use of this opportunity as he possibly can. If he does well, he'll actually have a chance at other opportunities in the future.

        Ergo, it's a chance to "turn his life around".
    • A little extreme on the allegories, aren't we? Virus writing is not exactly like taking out a knife and killing someone. (Although it may result in the shutdown of systems that support people's lives. I'd tend to blame this on the idiots who use Windows for those systems, though.)

      Do you really want to blame the victim, because of what OS they used? Think through your argument. If you got mugged, should someone be able to tell the cops "well, look at him, not too strong... it's his fault for being such an

      • Do you really want to blame the victim, because of what OS they used? Think through your argument. If you got mugged, should someone be able to tell the cops "well, look at him, not too strong... it's his fault for being such an easy target".

        Actually, I wish more victims would take responsibility for some of their actions. If somebody leaves the door to their house wide open, or if they decided to go jogging in the nude in NY Central Park, Or downtown Dallas, do you really think that the victim shares no

  • Bad analogy (Score:5, Insightful)

    by Anonymous Coward on Wednesday September 22, 2004 @03:56PM (#10322813)
    It'd be more like hiring a doctor who was convicted of illegal cloning experiments to work on alternatives to organ transplants.
  • Mitnick (Score:5, Insightful)

    by Klar ( 522420 ) * <curchin@g m a i l .com> on Wednesday September 22, 2004 @03:56PM (#10322817) Homepage Journal
    doing so would be like hiring serial-killing doctor
    Well, if he's good with a knife..

    Honestly though, if a hacker has paid his debt to society and now wants to help businesses prevent what he was doing (Kevin Mitnick), why not let them? Having the most knowledgeable person for the job might just save you from being hacked by someone else--as long as you can trust the person.
    • --as long as you can trust the person.

      Precisely -- there's two possibilities as to the mindset of the people writing these things.

      A) They don't truly understand the actual gravity of their actions.

      If this is the case, I certainly wouldn't want to be hiring this kid. If he doesn't understand the global effect (probably to the tune of millions, maybe even billions of dollars) in the form of downtime, manpower involved in dealing with the problems, and actual cash forked over to repair people to get c

      • Re:Mitnick (Score:4, Interesting)

        by System.out.println() ( 755533 ) on Wednesday September 22, 2004 @04:36PM (#10323331) Journal
        I would propose a third possibility:
        C) He did not predict the impact his actions would have.

        Consider how many viruses are written that never amount to anything - a few dozen infections, you get on the antivirus list, and no one cares about your virus anymore. (Have you seen the length of those virus definition lists?) Consider that, in all likelihood, the kid associated with people who had written lots of viruses like that - probably even authored some himself. What do you think he would perceive the odds of making a virus this impactful to be? About the same odds that setting off a firecracker would burn down a city block: yes, they should be charged with arson, but don't assume that they meant to set it all on fire. They were just bored and wanted to see a few sparks.
    • Re:Mitnick (Score:5, Insightful)

      by SpecBear ( 769433 ) on Wednesday September 22, 2004 @04:38PM (#10323366)
      One word: liability
      It's not just about how you feel about it, it's how your clients feel as well.

      There's always the danger that one of your employees is going to do something evil. But hiring a known black hat makes you highly vulnerable. What happens when your competitor is giving a presentation to a potential client and says, "Yeah, those guys at FooCorp hired the guy who wrote that virus that took down GreatBigWebSite.com. I wouldn't trust that guy with my customer data, would you? Do you really want to do business with a company that rewards criminal behavior?" What percent of your potential business would you lose?
  • hacker? (Score:5, Insightful)

    by BoldAC ( 735721 ) on Wednesday September 22, 2004 @03:56PM (#10322820)
    What a loaded question?

    Would I hire a worm-writing kid? No.

    Would I hire a gray-hat security genius? Absolutely.

    • Re:hacker? (Score:3, Insightful)

      by El ( 94934 )
      Yes, but only if assured nobody would ever find out. The point is, you don't want to go around rewarding harmful behaviour -- that will only encourage more people to engage in it.
    • Re:hacker? (Score:3, Interesting)

      by Veridium ( 752431 )
      That's exactly what I was thinking. OTOH, I don't know the details of Sasser or how much intelligence it took to write it, but the kid's only 18. I think giving him a shot to make legitimate money, provided he's got the smarts, is better than blacklisting him. We all make idiotic choices when we're younger, some of them have a greater impact than others. It's not like he's a serial killing doctor (that analogy was completely over the top).
    • Re:hacker? (Score:3, Interesting)

      by MMaestro ( 585010 )
      Better yet, hire both. Set up a closed network system of computers running your software, outside of your main computers, and let them both run insane. Have the worm-writing kid try to break/hack/destroy/erase/etc your software while gray-hat security genius tries to plug every hole, bug, and mistake in the software while fixing the problems worm-writing kid exploits.

      End result : Software is insanely optimized, thanks to worm-writing kid who has insight on the program so you KNOW he's gonna break it at least

  • Yes and No (Score:2, Informative)

    by nickgrieve ( 87668 )
    Hacker yes, Cracker No.
  • by stratjakt ( 596332 ) on Wednesday September 22, 2004 @03:57PM (#10322829) Journal
    A security company might benefit from his experience, or even just the marketing angle "the best hackers work for us!"

    In the field I'm in, he'd be a liability. We do government stuff, relating to law enforcement, and while we're not a bunch of angels, we don't want any skeletons in our closet either.

  • wow... (Score:5, Funny)

    by Izago909 ( 637084 ) * <tauisgod@g m a i l . com> on Wednesday September 22, 2004 @03:57PM (#10322832)
    ...with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother.
    I bet Freud would have a few things to say about that subject..
  • Depends... (Score:2, Interesting)

    by nordicfrost ( 118437 ) *
    On, among other things, the definition of hacker. I talked to RMS (while he was in Oslo), on the subject of hacker vs. cracker. I would, no doubt, hire a hacker. I would have serious difficulties hiring a cracker. But, I would consider it. I might even hire two, both unaware of the other, to verify the work.
  • Sure; (caveat) (Score:3, Informative)

    by Emugamer ( 143719 ) * on Wednesday September 22, 2004 @03:58PM (#10322845) Homepage Journal
    I know a lot of people who are "Hackers" who work in IT... Hiring someone who writes worms and virii though? not bloody likely... Hackers aren't always malicious, and more than likely they know what they are doing with system administration than someone who just reads a few FAQs and manuals...
  • I wouldn't hire one (Score:5, Interesting)

    by alatesystems ( 51331 ) <chris&chrisbenard,net> on Wednesday September 22, 2004 @03:58PM (#10322849) Homepage Journal
    It might be nice while they're working for you, but if you piss them off (who hasn't been an employer and had an employee pissed off?) then they have inside knowledge about your company and the ability to hack.

    On the other hand, I wouldn't consider these VBS writers "hackers". They are just glorified script kiddies. Don't reward that behavior.

    Chris
    • by rho ( 6063 ) on Wednesday September 22, 2004 @05:00PM (#10323676) Journal
      The ability? No, lots of folks have the "ability". He's already demonstrated the will to do something he knew would be (or hoped would be, which is more or less the same thing) extremely destructive.

      The kid is a punk. He may always be a punk. Maybe some folks think it would be okay to hire him, but I bet most of the people who would give him a chance have never built a business themselves. When you've got this thing, this business that you've spent God knows how much time and effort building, why would you risk the whole thing by hiring a known punk? All the reasons I can think of--publicity, potential ability, altruism--fail the "will the baby eat tonight" test.

      Publicity? Why not hire a well-known porn star to pose for photographs and post them daily to your web site. You'd get publicity and traffic and less risk. Ability? There's gobs of similarly talented nerds out there. If Slashdot is to judge, there's a glut of CS majors who were fired by GW Bush the same day he was inaugurated. Altruism? Give to Greenpeace.

      The kid should be punted into a workhouse and made to do free tech support for the companies he harmed. Each company, in alphabetical order, until their damages have been paid back. I doubt he'd make it past the "B's" before croaking.

      (A side note: Slashdotters always say that owning a tool that could be used for illegal activity is fine, and people should only be prosecuted if they use the tools for actual illegal activity. You've probably heard the litany in any random YRO article. Well, here's a punk kid who broke the law--let's see some fucking prosecution, eh?)

  • Or in this case a script kiddie who's probably been hanging around /. too much. At any rate, I wouldn't hire one this soon after he had "learned his lesson." I'd wait and see if he can contribute to society before trusting him with my boxen. But if he's got a clean record after a few years, and has proven that he's trustworthy, and has the skills, yeah, probably.
  • I tend to think that just because someone creates a virus that happens to work well, and causes massive amounts of destruction isn't a horrible person at heart.

    I think if you've ever done any amount of programming, you've been there before, little mental masturbations of doing bad things to people to clever programming.

    This is like refusing to hire someone because they got a speeding ticket, or downloaded music off of the internet.
  • by staticdaze ( 597246 ) on Wednesday September 22, 2004 @04:00PM (#10322868)
    Fear the day that you ever have to let him go.
  • by ShatteredDream ( 636520 ) on Wednesday September 22, 2004 @04:00PM (#10322871) Homepage
    If they want to learn more about their "trade" and the company that hires them properly handles all of the information it could then extract out of them, then whatever damage the kid could do would be mitigated by how much the security guys could learn. I for one say go for it, if the company that is going to hire this person knows what it's doing on collecting data about any and all work the cracker will be doing for them.

    Sometimes the best way to learn about your enemy really is to contain them and see how they think. Who knows, maybe the security guys could find out enough to actually get an insight into how to properly go about proactively handling security threats posed by worms?
    • In this case, I don't think there's a whole lot to be learned.

      The Sasser worm exploited a hole in LSASS that Microsoft patched on 4/14, the worm itself was discovered in the wild some time later than that, around 5/1 as best I can remember.

      The lesson? Keep your crap patched and you won't get as many worms. How can observing this guy give any insight into that?
  • Hackers and Hiring (Score:5, Interesting)

    by Archangel Michael ( 180766 ) on Wednesday September 22, 2004 @04:00PM (#10322875) Journal
    I think it would depend on the QUALITY of the hack. A poorly written hack that breaks out in the wild, that causes unintended results would prevent me from hiring said person.

    However, if the hack is an elegant piece of code, that does exactly and only what the author intended would be something I would consider.

    Originality also would count. The creative nature of the hack would also weigh in. This prevents script kiddies from modifying existing hacks from the "application" for the job.

    In other words, I would evaluate each hack and make judgements on the overall skill, novelty and execution of the hack, all skills needed for any programming job.
  • by MicroBerto ( 91055 ) on Wednesday September 22, 2004 @04:01PM (#10322889)
    If your company designs high quality locks (haha like Kryptonite U-Locks), would you hire the best lockpick around, even though he once used his skills to break into 7/11 and steal a bunch of stuff? Personally, I would. You need people to think outside of the box and go against the grain of your culture once in a while, IMO.

    Note: I'm not saying that this chump is the best programmer around, I'm sure he's not. But if he's a great man for the job and can think of things that you and I won't, then I'm on.

  • If that's true then the answer's "no".

    If it was like hiring Hannibal Lecter, then I would probably say go for it, he has some great stories not to mention a few interesting recipes.

    Of course, it would be important to keep your "petty torments" to a minimum.

    myke
  • by jallen02 ( 124384 ) on Wednesday September 22, 2004 @04:03PM (#10322920) Homepage Journal
    There are PLENTY of information security white hats that are just as talented, if not more talented, than the black hats. If we are truly talking about hiring a "black hat cracker". Even if they were exceptionally skilled it would depend on the individual.

    They committed a computer crime. That is a liability, not an asset. All in all their benefits as a skilled IT professional would have to outweigh their liabilities (being busted for a computer crime). It is a factor that goes into the equation. I would say that in most cases it would be enough to lean me towards not hiring them. I think it's a pretty serious thing to hack someone else's system. There are PLENTY of ways to make a name for yourself in a white hat way. Writing papers, studying info sec and staying on top of the field and becoming a noted voice in the communities is one. Ultimately if you need negative publicity to be known (and or hired) you're just being lazy :)

    Jeremy
  • Make more worms? (Score:3, Interesting)

    by nizo ( 81281 ) on Wednesday September 22, 2004 @04:03PM (#10322921) Homepage Journal
    Not to play devil's advocate or anything, but if worm writers start getting high paying jobs (especially if they get lots of media coverage) wouldn't this encourage people to write more worms? Hey look, I can destroy all these machines, become famous, get stuck on probation, and get great job offers!
  • by Anonymous Coward on Wednesday September 22, 2004 @04:04PM (#10322925)
    The FBI hired Frank Abagnale Jr. as a counterfeit specialist and it turned out to be a good thing. Why? Because he was just a freaking teenage KID that happened to be misguided through lack of maturity. If this teen hacker was given a little direction and purpose with his life then he could steer everything completely around.

    I can't believe that comment about hiring him being similar to hiring a serial killer as a doctor. The director that spoke that comment is an idiot.
  • Depends (Score:5, Insightful)

    by jhagler ( 102984 ) on Wednesday September 22, 2004 @04:04PM (#10322933)
    I think I would look at what type of hacker they are.

    Is it someone who knows systems inside and out and enjoys toying with them? Then definitely yes.

    Is it a script kiddie who just took someone else's work and capitalized on it? Definitely not.

    The issue is not about elitism, it's about attitude, someone who has gone to the effort to learn something and apply it is in a whole different world than someone who is so socially mal-adjusted they feel the need to tweak the latest worm to say "I RULEZ" and sends it back out.

  • Not for that job! (Score:3, Insightful)

    by loteck ( 533317 ) on Wednesday September 22, 2004 @04:06PM (#10322955) Homepage
    Would I hire an extortionist to be my accountant?
    Would I hire a thief to manage my inventory?
    Would I hire a sadist to manage my HR (Catbert obviously excluded)?

    Would I hire a sex offender to babysit my children?

    No.
    Yes, they did pay their debt to society/do their time. I might hire them to do other things away from their area of conviction, but I'm not going to dangle temptation in front of their face. Does that seem like just straight common sense to anyone but me?
  • by eddy ( 18759 ) on Wednesday September 22, 2004 @04:06PM (#10322956) Homepage Journal

    The Hacker FAQ [plethora.net].

  • I did hire a hacker! (Score:5, Informative)

    by Offwhite98 ( 101400 ) on Wednesday September 22, 2004 @04:06PM (#10322961) Homepage
    And he worked out great. We both had similar skills and were able to hammer out a lot of code. We do not work together anymore, but I still work with hackers. If you do not enjoy pulling things apart to see how they work and hack them to do new things you should not be writing software.
  • Hell yeah (Score:2, Redundant)

    by Sanity ( 1431 )
    I'm a hacker [catb.org], why wouldn't anyone hire me?

    I remember a day when /. newbies would be roasted for confusing the terms hacker and cracker - now the editors do it :-/

  • Nope. (Score:5, Interesting)

    by captnitro ( 160231 ) * on Wednesday September 22, 2004 @04:07PM (#10322975)
    Use of the term 'hacker' here is a misnomer. Would I hire someone who has a broad technical ability and excels in why things do and don't work? Absolutely. But allow me to go on a little old-man rant here (and hell, I'm in my 20s): viruses these days aren't what they used to be.

    In the 1980s-1990s, you could pick up a copy of 2600 and read the code for a relatively complicated polymorphing boot sector virus -- complicated because it took a good knowledge of assembler, specific system calls, the boot process on a PC, etc., among other things. With a few tweaks, it would be slow-incubating, but deadly.

    The internet has changed the way we deal with security, because no longer is the question "How clever is the virus?" so much as it is "How cautious is the user?" Example: the "Microsoft Office 2004 Beta" for Mac appeared on P2P networks a few months ago. When run, it deleted the contents of your user folder. Devastating, yes, but nothing I couldn't do myself without programming knowledge. So the 'virus' wasn't clever, tricky, or even unique in function, except for the method of delivery, which was social in nature -- not technical.

    The same applies to security holes in your OS. Whether the hole should be patched is another discussion, but taking the obvious routes through those holes to bring down computers isn't particularly noteworthy. If everyone at my office has VNC installed without a password, and I go delete their My Documents folder at noon today, am I a hacker? No. I'm just a prick.

    So when you ask, "would I hire a hacker?" Yes.

    But when you ask, "would I hire someone who creates/uses something annoying and not that special; requiring a moderate level of programming skill if at all; that relies on the user to activate it or a major security flaw in the OS?" Absolutely not. These kids' salaries should be going to sociologists who can better analyze group behavior, and real coders, not scr1pt k1dd13z.
  • Unemployed script kiddie? Try cracking. In the end, the only things potential employers remember from the headlines are your name and your apparent security expertise. I think this well and truly proves that any publicity is good publicity.

    Would I hire a cracker/hacker if I were in the market? No. There are equally skilled or more skilled (unemployed) programmers or security guys whose ethics and loyalty I can depend on.
  • by here4fun ( 813136 ) on Wednesday September 22, 2004 @04:08PM (#10322985) Homepage Journal
    It is not about skill or knowledge, it is about "Can I trust this person?". If someone can write a virus, that might demonstrate good knowledge. Releasing the virus shows the person either did not think about the damage they would make, or worse, they did not care. I would not want someone like that in my company or organization. I happen to think those kinds of people belong in jail, because sooner or later they will do something as stupid as the common thug.
  • First of all white people are just plain evil!! Kill Whitey! just kidding.... I'm whitey too...

    Anyway, NO. I would not hire a person responsible for such destruction for two really good reasons:

    1. You can never be sure of their moral alignment no matter how much money you pay him
    2. Doing so would provide additional incentive to people who want to add "I wrote Monkey.B" to his resume to get their next job.

    It is a bad idea and sets a bad example for others.
  • with one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother.

    The problem with this analogy is that the doctor in question has not demonstrated extraordinary skills or aptitude in his chosen career and would not necessarily benefit the ailing mother.

    The hacker, on the other hand, has clearly demonstrated skill (not a typical script kiddie), interest and aptitude in his (decidedly skewed) hobby.

    So it's not a question of hiring *just*

  • Depends (Score:4, Insightful)

    by Gyorg_Lavode ( 520114 ) on Wednesday September 22, 2004 @04:10PM (#10323013)
    Would I hire the Sasser worm kid? Never.

    Would I hire Adrian Lamo? Yeah.

    It depends a lot on the intent of the attack and what was done once it was successful. Also on the personal morals of the individual.

  • Granted, I haven't tried to write anything but is it that hard to really write a good virus? I would think a good security 'professional' with years of experience defending such attacks would be a better candidate than an 18 year old kid. If they aren't, well, maybe they should be more worried about finding suitable employees.
  • by Telastyn ( 206146 )
    Would I hire some kiddie who managed to modify someone else's worm code? No.

    Would I spend 1 programmer year salary to get my company's name plastered on the news across the world? Yeah, I'd wager that's a great deal.
  • IMO, sys-admin script writing in Perl, Python or whatever is similar to black-hat hacking. Scripts are written that report current IP addy, software installed, uptime, MAC addy, etc. How is this different from getting info from spam bots or DDOS zombies? Some of our scripts have come in handy for stolen laptops. The laptops phone home when the user logs on reporting MAC addy, IP, GW, SNM, etc... we call the cops who in turn call the ISP who then provide an address and bam, the thief is caught. Knowing a bit
  • Stupid CIOs (Score:4, Funny)

    by Lord Kano ( 13027 ) on Wednesday September 22, 2004 @04:16PM (#10323101) Homepage Journal
    one IT Director saying doing so would be like hiring serial-killing doctor Harold Shipman to treat your ailing and aged mother.

    Being that Shipman is dead, it would be really stupid to hire him for anything.

    LK
  • by leuk_he ( 194174 ) on Wednesday September 22, 2004 @04:24PM (#10323204) Homepage Journal
    Security is all about trust. Would you trust software written by an ex-virus writer? Or would you use the software recommended by your local guru?

  • by Spackler ( 223562 ) on Wednesday September 22, 2004 @04:34PM (#10323312) Journal
    Of course, none of us were alive to see this, but when medicine was just starting out, the best doctors employed grave robbers to get bodies on which to practice and learn. It was against the law, and against the church, but they needed a place to learn without killing people. Now, I guess the question I ask is, would you want a doctor who had never seen the inside of a person to be the one helping your dear old mother?
  • Nope (Score:4, Insightful)

    by papasui ( 567265 ) on Wednesday September 22, 2004 @05:15PM (#10323857) Homepage
    I believe his actions speak for the quality of his character.
  • by Mr Tall ( 767172 ) on Wednesday September 22, 2004 @05:23PM (#10323930)
    We had a lesser, but similar situation at the company where I work. This guy applied for a programming job, and his entire coding experience consisted of writing spamming tools.

    He'd openly, and seemingly without shame, listed all his spammer tools on his CV (resume for you over-the-pond types).

    I desperately tried to get the guy doing the recruiting to hire him, just so I'd get an opportunity to beat the shit out of the filthy bastard.
  • by Billy Donahue ( 29642 ) on Wednesday September 22, 2004 @06:54PM (#10324749)
  • by theolein ( 316044 ) on Wednesday September 22, 2004 @07:27PM (#10324980) Journal
    The IT Director who made the Shipman comparison should be fucking fired. Just what kind of values does a man have when he equates a mass murderer with a teenage computer virus writer? My god, the kid is exactly that, a kid! He isn't a violent drug crazed sociopath, he's doing what many kids do, i.e. messing around to see what he can do and how far he can go, with the exception that he got caught.

    This kind of fanatic mentality, where a stupid fucking computer (or a song or movie on the internet) becomes more valuable than people's lives, is a sad testament to the state of our society.

    You think I'm over the top? Why is it that people who download songs from the internet get punished harder than the executives of corrupt and failing corporations?

    If you give someone a chance, after he or she has messed up, especially as a teen, they might or might not do something useful with their lives. But if you dismiss them outright, you are condemning them for the rest of their lives.

    Way to go fuckers.
  • Why is he qualified? (Score:4, Interesting)

    by MacGabhain ( 198888 ) on Wednesday September 22, 2004 @08:01PM (#10325154)

    Why on earth should we assume that someone who can break security has the slightest knowledge of how to fix security? I can break regular glass with a rock, but have no clue how to make shatter-proof glass.

    Keeping to computer security: Say a particular system has 5000 current, undiscovered ways of being broken into (or just broken). Breaking into it requires finding one of them. But you have to find 2500 of them just to have a 50% chance of finding the one the hack.. err... cracker finds. If a typical passably decent hacker can find 5 holes, he'd have over a 95% chance of finding one of the ones the security team, that found 2500, missed.

    Yes, I wouldn't hire a computer criminal because of his ethical problems. I also wouldn't hire him because if he actually thinks that breaking into a system makes him qualified to work securing systems, he clearly knows nothing about securing systems.

    • Why on earth should we assume that someone who can break security has the slightest knowledge of how to fix security? I can break regular glass with a rock, but have no clue how to make shatter-proof glass.

      Sure, but some companies actually have more than one employee.

      They might have one guy who designs locks, and a SEPARATE PERSON who tries to break them.
      While a thief might not know how to design a lock, he could still be perfectly suited for a job as a tester.
  • by digital photo ( 635872 ) on Wednesday September 22, 2004 @10:37PM (#10326026) Homepage Journal

    I'm a big believer in second chances and turning over leaves, but we are talking about a person who has demonstrated a weakness of moral fiber.

    Whether or not the individual is good (skillwise) or not is irrelevant. What is relevant is how one goes about redeeming themselves in the eyes of the community.

    I suppose it comes down to your company's comfort level. It is a lot like the transition homes where families take in young ex-criminals to help give them a second chance. Sometimes, you honestly see great things come from second chances. Other times, you get a family who is robbed by the one they entrusted.

    It doesn't take a rocket scientist to write a replicating piece of code. It doesn't take a lot of brains to take an existing one and modify it either.

    Which brings one to wonder why hire someone who's only done these things?

    The only apparent benefit is to use him to get at other virii writers through association online and by monitoring his access and communications. By hiring him, they increase his profile and will likely draw the attention of script kiddies who will get caught by the firm.

    Otherwise, such a hire only risks stock prices and makes the company liable for future damages.

  • stuff that matters (Score:3, Insightful)

    by monsterhead78 ( 815842 ) on Thursday September 23, 2004 @12:33AM (#10326550) Homepage
    Ok, first off, hacker is a very misunderstood word and not defined properly; by definition a hacker is a self-trained computer professional / programmer.

    Would I hire a hacker? The answer is absolutely; hire someone who learns on their own without some instructor holding their hand.

    Hackers have the best problem solving, and deductive reasoning skills of anyone in the IT industry not to mention attention to detail. One could only be so lucky to have one on staff (and you probably do).

    Don't get me wrong, there are definitely malicious hackers (crackers) who find joy in compromising, stealing, and destroying systems and networks, but to be honest, most of them do not get caught, and if they do, one needs to wonder, how good are they anyway if they got caught.

  • a double-standard (Score:3, Insightful)

    by maxpublic ( 450413 ) on Thursday September 23, 2004 @01:35AM (#10326803) Homepage
    Here we have the morally righteous leading the charge against hiring hackers who've engaged in criminal activities in the past because they can't ever be trusted again; and yet these same folks keep voting in Congressmen who themselves have criminal records, ranging from DUIs to bribery to racketeering to assault to spousal abuse to sexual misconduct with minors.

    So I guess the message here is that you can't afford to compromise when it comes to hiring IT staff, but you don't have to be nearly as selective when voting in members of the legislative branch of your government.

    This'd be funny if it weren't so pathetic.

    (You can google the criminal records of your Congressmen rather easily on your own, so there's no need for a link - do it yourself. You may find the results enlightening. Or not. This is slashdot, after all.)

    Max
