Would You Hire a Former Black Hat?

Posted by Cliff
from the second-chance-career dept.
Mark Zenson asks: "Understanding the mindset of a hacker and the likes of one may be useful to counter security attacks, but apparently companies still object to hiring former, or even reformed, black hats." The article asks this question of several executives in the industry and, for various reasons, many of them were skeptical of the idea of hiring such people. Would you give black hats a second chance if you were in their position?
  • by Anonymous Coward on Friday September 29, 2006 @06:19PM (#16252887)
    What self-respecting blackhat would admit to being one in a job interview?
  • Summary (Score:3, Insightful)

    by skwang (174902) on Friday September 29, 2006 @06:20PM (#16252893)
    Trust is hard to rebuild after others lose their trust in you.
  • It depends. (Score:3, Insightful)

    by onion2k (203094) on Friday September 29, 2006 @06:22PM (#16252923) Homepage
    Would you give black hats a second chance if you were in their position?

    It depends on the job they were applying for. Someone who has proven their ability to ignore the law in the past can no longer be trusted in a position of responsibility, therefore I wouldn't give them a job in any role that required any amount of access to business critical systems or information. I might be willing to hire one as a code monkey to churn out boring stuff that could easily be audited, but even then only if there were no other suitable applicants.

    It sounds harsh, but my job, and the jobs of my colleagues, are more important than giving someone else a break.
  • by ericspinder (146776) on Friday September 29, 2006 @06:24PM (#16252953) Journal
    How about the one thing that truly distinguishes 'black hats':
    • Has a known history of fraud
    A big salary doesn't mean honest living. The question wasn't if they could work in their general business, but top positions in security related IT jobs. Sure several years ago the most experienced security experts were reformed criminals, but these days training is available which doesn't eventually require a lawyer.
  • by b4jts (816849) on Friday September 29, 2006 @06:26PM (#16252975)
    Takes one to know one, I suppose. Looking at what Frank Abagnale [wikipedia.org] did to improve security against bank fraud, I'm sure that a 'black hat' turned good could be of some use to a company.
  • by creimer (824291) on Friday September 29, 2006 @06:26PM (#16252985) Homepage
    If the company is going to be ripped off, it will probably start in the boardroom as upper management are granted perks that they shouldn't have. One company I worked for is on the road to bankruptcy but the company is still paying for the CEO's $200K/year New York City apartment. This is the same management that banned free soda when they figured out that employees were taking a can or two home. Go figure.
  • by russ1337 (938915) on Friday September 29, 2006 @06:26PM (#16252987)
    Are these big companies likening it to hiring a reformed bank robber as a teller, or a paedophile as a teacher?

    Anyway, I thought the biggest part of being a 'black-hat' was to keep your online identity COMPLETELY SEPARATE from your real life ID... A big company should have no idea they've employed a 'former' black hat - at least if they were any good at it. If they got caught then he/she might not have the attention to detail you require for an employee in that field.
  • by ePhil_One (634771) on Friday September 29, 2006 @06:26PM (#16252991) Journal
    So even if a Blackhat is more qualified, they're probably just dismissed since a thousand other people are eager for the work and meet the basic qualifications. Unfortunate, but something to think about if you want to delve into the dark side of computers and networks.

    My question is, why would they know of their "Black Hat" exploits? I have to admit I've skipped applicants who admitted to "hacking" in a black hat context (Not "I sniffed my neighbors WiFi to get free internet", but I hacked into a potential employers network and explored). It shows an inability to set bounds and a lack of understanding of appropriate/inappropriate. I'd rather have lower skills that I can trust over high skills that might be working against me.

  • by Anonymous Coward on Friday September 29, 2006 @06:28PM (#16253003)
    You're old enough to have been in the industry 10 years, yet you still say 'cuz'? I smell script kiddie...
  • Hire a black hat? (Score:2, Insightful)

    by xymog (59935) on Friday September 29, 2006 @06:29PM (#16253027)
    The situation is analogous to hiring a former embezzler as an accountant, and the answer is always, "It depends." The burden is on the former black hat to establish credibility and trustworthiness. The potential employer also needs to be aware of scenarios where the former black hat can still be a valuable, contributing employee.
  • The 80's are over (Score:3, Insightful)

    by l0ungeb0y (442022) on Friday September 29, 2006 @06:30PM (#16253043) Homepage Journal
    Back in the day when networks were new and few people had the in-depth understanding of what was still an arcane field, the recruiting of a blackhat made a lot of sense for trying to make more robust security solutions. But now, we have hundreds of thousands of qualified people and many IT Professionals are highly trained in the area of Network Security. And the blackhats these days by and large are either worm authors/botnet controllers or crackers who use scripted 'sploits to ply their trade. So no, I see no need for the Corporate Enterprise to open itself up to the liability it would face in the event of the "reformed" blackhat deciding to "play around" a little bit with employee data. There's already been enough fallout over loss of customer data and security concerns. Knowingly hiring a convicted felon to entrust that data to would only serve to fuel lawsuits in the event a security breach did take place.

    If a blackhat is skilled and "reformed" and truly interested in security, they can offer their services as an outside consultant.
    Or perhaps the Military could make use of knowledgeable blackhats putting them on the front lines of electronic warfare.
    But I agree that in the workplace they should be treated as any other convict when applying for a position.
  • by sgt scrub (869860) <saintium@y a h oo.com> on Friday September 29, 2006 @06:36PM (#16253121)
    My observations as an old person by definition using your rules:

            * Can they work with people?
            * Can they dress well?
            * Do they shower?
            * Are they capable of staying after normal work hours every now and then to see to something getting finished?
            * Are they sensitive to other people and their surroundings?

    Black Hat Hacker.
    I am clean, charming, well dressed, always working, and my sensors are constantly monitoring people and places. I'm also perfectly cold and capable of taking every coin you own and are capable of borrowing. I will do this using my clean, charming, well dressed, and sensitive persona.

    White Hat Hacker.
    I showered today because I wasn't up all night playing WOW. Jeans, T-shirt, piercings, tattoos, uncombed long hair and beard are my personality, get over it. People are either cool or annoying. I try not to be around too many of them at one time but there is nothing wrong with that. Most of my friends are on IRC and WOW anyway. As long as I bang out enough code to meet my boss' requirements I'm golden.
  • by khasim (1285) <brandioch.conner@gmail.com> on Friday September 29, 2006 @06:43PM (#16253205)
    If the only difference between two candidates is that one has a felony record, it's not a hard decision to make.

    Not only that, but also what they were doing during their "black hat" phase.

    Running scripts you've downloaded to scan for default passwords on websites so you can post that you've "pwn3d" their site ... yeah, that's going to go real far in the interview.

    On the other hand, knowing enough about TCP/IP to crack servers with an injection routine that you've written ... that would go VERY far in the interview for the right job.

    Script kiddies are a dime a dozen. And their "knowledge" is just about useless in the corporate world. What else do you have that's better than I can find elsewhere without the issue of your past behaviour?

    The same with social engineering attacks (unless you're hired by HP to investigate leaks).

    Real hackers, on the other hand, are extremely valuable not only for the technical skills they've built up, but also because they're driven by problem solving and they are more than happy to get down to the metal.
  • * Can they work with people?
    Fair enough. If my job requires me to be a part of a team, it's reasonable to ask that.

    * Can they dress well?
    Oh Gods. It depends on what you mean. If you mean my normal attire is that uncomfortable garish dandy's outfit known as a three piece suit, I'll have to say no. The apparel oft proclaims the man, and I generally don't choose what clothes to wear based on what everyone else deems appropriate. If you need me to meet customers, I suppose, but for gods' sakes why are you making me wear a shirt in my cubicle? Would anything else make you feel uncomfortable somehow?

    * Do they shower?
    This is reasonable. If you're going to ask me to do this every morning unconditionally, I'm going to have to say that if I choose the odd Tuesday or so as a "wash the bits" morning and you take offense; you're standing too close inside my bubble.

    * Are they sensitive to other people and their surroundings?
    Of course I am! You'll never see me do or say anything inappropriate. Oh, wait. Do you mean by sensitive that I must take time away from my job to engage in vapid conversation to make insecure coworkers feel better? Must my meetings and greetings be peppered with trite reassurances and shallow smiles? Must I waste precious minutes of my life decoding and responding precisely to oh so many unfathomable and illogical social nuances, walking a tightrope of peril with each word I utter lest someone take grievous and irremediable offense at a misplaced clause or syllable? I'd rather just, you know, work.

    * Are they capable of staying after normal work hours every now and then to see to something getting finished?
    Oh, that kind of job. Sorry, despite what the above might lead one to imply, I do in fact have a life. Or at least, enough of one not to waste it patching up someone else's mistakes.
  • by EvanED (569694) <evaned@nOspAm.gmail.com> on Friday September 29, 2006 @06:49PM (#16253273)
    But now, we have hundreds of thousands of qualified people and many IT Professionals are highly trained in the area of Network Security

    And yet we still have security holes out the wazoo. Clearly those hundreds of thousands of qualified people aren't doing enough.

    Plus, how many of those hundreds of thousands of qualified people could explain how data execution protection is implemented on x86? How many of them even know that the x86 has a separate iTLB and dTLB? (My cynicism says "how many of them know what a TLB is at all", but we'll leave that behind...) And yet that knowledge is *essential* for understanding how the Shadow Walker rootkit works.
  • by D-Cypell (446534) on Friday September 29, 2006 @06:50PM (#16253283)
    I am not sure a "history of fraud" defines a black hat (according to my definition anyway).

    Having worked with some people from this kind of background I would say that having them around in any kind of hi-tech start-up is a genuine asset. High IQ comes with the territory and I have also found that uber-geeks (as most dedicated black-hats are, by default) have a deep pride and sense of ownership in their projects. I think that 'black hat' behaviour is more about ego than they would like to admit, and egos can be good if they make the owner strive to make their project the best out there.

    There definitely will be a few assholes that try to screw you over, but I am not sure that it is fair to say there are more of these people in the 'ex black-hat' community than in the general population.

  • by phasm42 (588479) on Friday September 29, 2006 @06:52PM (#16253301)
    That's a valid analogy for script kiddies. If a blackhat has serious skills (like finding and exploiting holes), these same skills can be used to find and block holes. The surgeon analogy falls apart here. How about if you were infected with an engineered biological agent. Someone who had experience making them would have some useful skills to offer you. The bank fraud example cited earlier is another good analogy.

    Which isn't to say that hiring former blackhats is always a good choice. It's a matter of judgement -- has the person really reformed?
  • by Anonymous Coward on Friday September 29, 2006 @06:58PM (#16253375)
    Good spot. My first reaction was "Oh yeah, I saw that movie too. The one about hackers." I don't buy into his hardcore, ex-blackhat hacker identity. Assuming he even had a computer 10 years ago, and is not in fact a teenager now, in 2006, then I'm sure he was just win-nuking unpatched windows 95 boxes, or even just swearing at people on IRC. In any case, he was probably just some malicious, punkass kid and not someone even remotely clever enough to realize any gains from his activities. The latter class of person is hard to come by, the former is not. Either way, he's a douchebag.

    To give some credence to his claim, blackhat hackers often do what they do strictly for acclaim. That seems consistent with this guy's desire to step forward and identify himself as an ex-blackhat for some belated fame. Isn't that what blackhats crave more than anything--a bigass e-penis? Soooooo unimpressed.
  • It depends... (Score:3, Insightful)

    by AxemRed (755470) on Friday September 29, 2006 @07:07PM (#16253501)
    The term "black hat" can cover a lot of ground. In my mind, there's a big difference between someone who got in trouble for snooping around the university's network for the sake of curiosity and someone who attached a keygen trojan to something and put it out on the internet for the purpose of stealing credit card numbers. There's also a difference between someone who DoS'ed their school's webpage in high school and someone who DoS'ed their employer's webpage when they were 25.

    Here's another thing to think about too... The only reason to hire a black hat over someone else would be that you know they have some experience in hacking. However, there are many people who have the same experience and never did anything illegal. Basically, you're sacrificing a varying amount of ethics in exchange for a guaranteed amount of skill. Also, in many cases, the skill that a black hat has proven is directly proportional to the ethics that he has disproven. That is, if you know enough of a hacker's exploits to know that he is very skilled, you also know that he has broken the law a sufficient number of times to prove it to you.

    In all, I would say that hiring a black hat would be case-by-case for me. Someone who is a black hat because of a harmless, but illegal, mistake may pique my interest because of his proven ability to learn independently. Someone who hacked a private network years ago, but has since proven to be a responsible person, may end up being a skilled employee and worth a second chance. But, to me, someone who committed repeated damaging, malicious acts online is no better than someone who committed repeated damaging, malicious acts in real life, and they would not be worth the risk, regardless of skill.
    //Would you hire a multiple-time burglar to protect your home?
    //Sometimes it's best to trust the home-security companies, regardless of whether or not their employees have ever broken into a house.
  • Clear answer (Score:2, Insightful)

    by Anonymous Coward on Friday September 29, 2006 @07:13PM (#16253573)
    I would not hire a former thief in a supermarket as a detective
    I would not hire somebody who took money from his employer in a bank
    I would not hire a former drug addict as a salesperson in a pharmacy
    I would not hire a former pedophile in an elementary school
    I would not hire a murderer as a social worker

    So - no I would not hire somebody who fell one time to some temptation in a job where he is tempted each day.

    A Blackhat as a programmer - maybe; as an administrator - no.

  • by Fulcrum of Evil (560260) on Friday September 29, 2006 @07:18PM (#16253631)
    I'd hire a reformed bank robber to do a pen test on my bank, which is really what they're talking about.
  • Re:It depends. (Score:3, Insightful)

    by Cheapy (809643) on Friday September 29, 2006 @07:23PM (#16253679)
    "Someone who has proven their ability to ignore the law in the past can no longer be trusted in a position of responsibility"

    So I guess if I went over the speed limit I could never be held responsible again? I mean, that is ignoring the law.
  • by Anonymous Coward on Friday September 29, 2006 @07:27PM (#16253725)
    I think that the term 'blackhat' is fairly silly.

    I prefer to think in terms of 'criminal activity' - where crime is subjective.

    Monetary gain would be the primary differentiating factor here. Any form of credit card fraud, blackmail or other criminal/anti-social activities would be an instant 'no hire'. A blackhat who thought it would be '.. just cool to hack into NASA' and actually did - hire the guy. Now.

    You can't benefit financially from breaking into NASA. You can't be out for revenge on something or other. The only possible motivation (unless you believe in aliens-controlling-mankind-etc) is 'because it looks like a challenge'. Just consider the knowledge you'd have to acquire to even start on something like this. People like that (and there are not many of them) you can put on all kinds of complex projects.

    Also, a 15 year old messing with telco infrastructure is just a teenager doing what teenagers do. A 35 year old guy doing the same thing (and getting caught..) is a completely different matter.

    Motivation and maturity are the key factors.

    That said, I wouldn't even bother interviewing an applicant for a technical security position if they couldn't describe the implementation of a basic stack overflow exploit. If you don't understand stack structures - you shouldn't be in the technical security business.

    (FYI I have worked on the sharp end of security in the ISP and financial sectors - not working there now, thank $DEITY)

  • Re:Summary (Score:3, Insightful)

    by Anonymous Coward on Friday September 29, 2006 @07:32PM (#16253779)
    But even harder to rebuild once you lost your trust in other people.

    Trust goes both ways, it's a mutual phenomenon, not singularly subjective.

    Trust is gained or lost through the fostering of a secure relationship or
    by the abuse of the relationship, it does not exist a priori
    or in isolation.

    Understand this psychology and you are closer to understanding the "black hat".

    I am always shocked at the shallow treatment the words "hacker" and "blackhat"
    get on Slashdot, supposedly a bastion of that very "outsider" culture. Maybe you're
    all fakes who just give it lip service to fit in somewhere.

    As it stands, in the current commercial employment environment, the employee
    still takes a far greater risk and is more vulnerable to abuse than the employer.
    The employer wants it all on a plate with a spoon, to own your life and soul.
    You don't need to be a "blackhat" to find yourself in a situation where industrial
    sabotage is the only leverage you have left. I'm sure the words "disgruntled employee"
    have some resonance there.

    The question is therefore rhetorical, since no blackhat would be applying for a
    commercial job if they were not already outside the abuse/mistrust mindset.

    Personally, I'd hire a confessed blackhat on their skillset alone, but then make a big point
    of overseeing their psychological/spiritual wellbeing, their happiness and fulfilment, in other words
    treating them with respect. Treating people with respect is the very thing most large organisations are incapable of doing and therefore why they should not hire blackhats. It's a clash of ideologies
    and an accident waiting to happen.
  • Re:It depends. (Score:5, Insightful)

    by jlarocco (851450) on Friday September 29, 2006 @07:35PM (#16253809) Homepage
    I might be willing to hire one as a code monkey to churn out boring stuff that could easily be audited, but even then only if there were no other suitable applicants.

    Yes, that's exactly what you want. A *bored* (ex)black hat hacker.

  • by tota (139982) on Friday September 29, 2006 @07:51PM (#16253987) Homepage
    by hiring an ex-blackhat, at least you get:
    * someone who can hack it - no CISSP is going to replace hands on skills
    * someone who is willing to admit he has made mistakes in the past - which is more important than ever in the world of security: covering up mistakes doesn't help.

    now, if he's good - it shouldn't even matter if he has been blackhat: the systems should be secure, especially from the inside job threat. And part of his job should be to make it provable that it is so.

    Now, if all you want is some type of ISO certification stamp of approval - rubber stamp / get finance / show off, go hire some certified engineer with a long series of random acronyms on his CV, which may include MCSE in the lot - that should be a hint, but unfortunately depending on who does the recruitment it may not be a deciding factor...
  • by ThoreauHD (213527) on Friday September 29, 2006 @08:19PM (#16254267)
    I am a bit confused about the implication. The black hats.. well, they weren't called that in the beginning. I don't remember anyone but old people talking about your moral compass in regards to exploiting security holes. All information is knowable. It's a belief that borders on faith. In my circles, it was just assumed that you would do no harm to the whole. When a surgeon takes out your bulging appendix, he has to do some damage to make sure you survive in the end. That's a proper analogy to the successful "black hat" folks. Even if it meant OOB'ing Microsoft's site for 3 days (winnuke was brought up by a previous poster). A much worse scenario would ensue when a hospital was taken down because they (OS/ipsec company, etc.) ignore their own weakness.

    I have to tell you that the people I knew that did those things and worse are running your fortune 500 companies right now. The smartest don't get caught. Mitnick had an ego. These people don't. They are innately good at what they do and there is a higher than likely possibility that a "black hat" has saved your company from disaster more times than anyone else. That's my observation.

    There are those that destroy to destroy. They don't survive. It's natural law. Smart people know this. Smart people also know that you don't own information or thought- and everything can be altered. I don't think the connotation of "black hat" describes the best of us accurately. I think they are something different and you will see it when their intuition saves your company time and time again. Where the metal meets the meat, you would rather have a person who's been on the other side rather than some cert collector that's just guessing. Media likes to make their misconception reality because it lends them credence. Black Hat does not mean evil. Hacker does not mean cracker. They are not one and the same.
  • by evolseven (941210) on Friday September 29, 2006 @08:24PM (#16254309)
    hell we all break the law daily most likely.. there is probably some mundane code buried in some law somewhere that forbids me from making a post on a discussion board on the last friday of a month.. The law anymore has become such a complex mess.. I personally say if you can't reduce a law to a one page document.. it gets thrown out.. anything more than a page is just retarded... Do not kill.. Do not steal.. Don't mess with your neighbors wife or cattle.. there's 7 more but basically.. Don't fuck with other people..
  • by Barryo_Stereo (546123) on Friday September 29, 2006 @09:45PM (#16254927)
    No, I wouldn't hire black hats. A person's ethics don't change a whole lot after their childhood and if they think that it is fine to damage and steal stuff as a teenager (no matter what stuff, computer related or not) then they will still think that there is no problem with that as an adult. Why give them an opportunity to do that when they've "had a bad day"?
  • by Kevin Stevens (227724) <kevstev@gmSLACKWAREail.com minus distro> on Friday September 29, 2006 @10:22PM (#16255129)
    There are many ways to dress well, a suit is not required.

    Like it or not, but every day, every single day, you are selling yourself. Now yes, the main criteria in our field to yourself by is definitely your intelligence/knowledge. But you know who the PHB's remember? That really smart guy that looked good and could provide a convincing argument to a group of people at their level and got along with everyone.

    I consider myself to dress pretty well, and I own 2 suits, which I wear only on interviews, weddings, funerals, and similar functions. I wear jeans a lot, but not the 80's nuthuggers. Go to a mall, get yourself some decent jeans and some shirts (hint: the ones that are 80% off are there for a reason), button down... standard. Get a little creative to stand out a bit.

    It may depend, I work in finance, and my bosses from the business side are really sharp, they know their shit, and they take people with them when they get promoted often. So impressing them by trying to get on their level is more important than at a more techie-only firm like MS.

    And if none of the above reasons convince you, take a look at that cute asian girl (stereotype stereotype I know, but come on now there is some truth no?) in the cube on the other side of the floor. She's cute, which is cool, she can code and probably has a math or CS degree, which is hot, and when she starts talking about the advantages of the linux tcp/ip stack over windows, you just want to take your pants off. She is probably going to notice the guy that actually pays attention to his appearance than the legions of dudes wearing ratty years old t-shirts from computer companies.

    Just my $.02
  • by Rix (54095) on Friday September 29, 2006 @11:09PM (#16255389)
    You have a very strange definition of "all right".
  • by Mistshadow2k4 (748958) on Friday September 29, 2006 @11:36PM (#16255529) Journal
    A person's ethics don't change a whole lot after their childhood
    You need to get to know more people. I personally know no less than 4 who definitely changed their behavior in the ethical sense since childhood; I'm not exaggerating. Two of them are a couple, in fact -- having a little girl made all the difference in the world with them. The other two simply grew up. Some people actually do grow up. People who say people don't change from childhood are often those who didn't themselves.
  • by Servo (9177) <dstringf@@@gmail...com> on Saturday September 30, 2006 @09:39AM (#16257711) Journal
    There is a high degree of risk in hiring anyone with a criminal background, regardless of the position. Employers need to be able to trust that person. A man convicted of rape would be the last person to work at the YWCA, so why would you expect that a person convicted of a computer crime be the first pick for a job working with computers and security?
  • by Antique Geekmeister (740220) on Saturday September 30, 2006 @09:56AM (#16257801)
    Simply working a 16 hour work day today doesn't prove anything about the quality of your code. Maybe if you'd gotten enough sleep last week, and weren't being so "personally motivated", you wouldn't have written that bug in the first place and would have saved yourself a whole workday this week.
  • by ClosedSource (238333) * on Saturday September 30, 2006 @04:48PM (#16260689)
    "Polygraphs are used to see if you're lying."

    No. Polygraphs are used to bluff you into telling the truth.

    There's an old story that may or may not be true about stupid criminals that the police had hooked up to a "lie detector" that was really just a copy machine. When they denied the allegations, a sheet of paper came out of the "detector" that said "lie", so they confessed.

    It's a funny story, but the truth is that the difference between using a polygraph to detect lies and using a copy machine is that the copy machine can also be used to make copies.