Hackers would never be hired by security vendors....right?

Filed Under: Featured, Law & order, Malware

In a recent BBC article, reputable security firm McAfee is quoted saying, "I've never hired computer hackers but that's not to say I would never do that," says Raj Samani, chief technical officer of McAfee Europe.

Wow, I thought. Really?

OK, I admit, hacker is one of those terms whose definition has blurred in the last decade.

It used to be generally accepted as a term for someone who broke into websites or databases, either to look around, change stuff, steal stuff, infect stuff, etc.

Today, its meaning is much broader, but you can generally divide hacker types into three groups. You have bad-ass hackers, referred to as black hats, and the good guys, like penetration testers, called white hats.

And don't assume for a moment that there isn't a Venn diagram of sorts, with a big fat grey hat area.

[Image: Venn diagram of hackers]

The hackers here don't really sit firmly in either camp. Grey hats will typically break into a system, and alert the company to a specific vulnerability that they exploited. But grey hats often go public about the details of the vulnerability, and many argue that this tells black hats how to break in and cause havoc.

The question is: should security companies that create and push out software to customers open their doors to people known to have dabbled in grey- and black-hat hacking?

Customers build a relationship based on trust with security vendors. After all, customers who buy security solutions like anti-virus or anti-spam grant security companies access to update computers and devices.

In the same way that I want my bank to vet really closely who they hire, I want my security vendors to be really careful and only put the smartest, most trustworthy and most deserving of experts in the pit to help protect me from all the nasty malware out there.

And on a personal level, I hate the idea that people dabble in black-hat hacking, knowing they will be hired at the end of it by a reputable security vendor. It seems just wrong.

What do you think?


22 Responses to Hackers would never be hired by security vendors....right?

  1. abadidea · 1083 days ago

    If someone was a blackhat when they were 17, and they've since grown out of it, hire away. The simple fact is that a lot of bright people go through that stage.

    If someone's still an unabashed blackhat at age 34, I'd be a wee bit more worried about trusting them.

  2. Sean · 1083 days ago

    Is hacking limited to people that break “into websites or databases”?

    I would suggest the term has blurred because of the DMCA.

    Many people that consider themselves to be hackers – hack their own stuff. Or at least it is their own physical property. Corporations would argue that the encryption algorithms belong to them.

    So where do the people that hack encryption protections on the Sony PlayStation and/or iOS fit in? What color would you consider their hats to be?

  3. I'd consider myself a grey hat, although I'm interested in helping improve security, so I guess it should be a case by case thing. I wouldn't trust black hats though... unless there's good evidence they've changed ways

  4. You have your history of the term backwards. The original hackers hacked code to solve problems, which expanded to mean pushing the limits of systems to drive them beyond their designed limits or objectives. Good or bad was often a matter of perspective, and much of what we now consider criminal hacking was not illegal in the early days (and depending on jurisdiction may still not be illegal). Yes, we've lost the original meaning of the term hacker in the public, but folks in the hacker community know better. There is a better and more accurate word for what most people call a "hacker", it is a "criminal".

    This reminds me of Symantec's CEO Enrique Salem making the pronouncement that they NEVER hire hackers- proving he is either unaware of his company's history, or that he lies to suit the need. Symantec aggressively pursued and completed the acquisition of @stake, a great company- full of folks from L0pht Heavy Industries and Cult of the Dead Cow, pioneering hacker and hacktivist groups.

    Absolute edicts are generally a bad idea. Time passes, people grow, the world changes. There simply are not enough qualified security pros to fill demand, people with the right skills need to be vetted and the risk weighed against their value to the organization.

    • The I. G. · 1042 days ago

      I'm glad there's someone else around who has a little historical perspective.

      Often a hacker was the real hero of the day when a deadline had to be met and you couldn't wait for a vendor to go through the process of generating a fix for a problem.

      Indeed, many of the fixes ultimately promulgated by the vendors originated as customer hacks. The hacks were often distributed through a user association such as SHARE (Society to Help Avoid Redundant Effort) for IBM mainframes.

      I remember one bug that was around for years whose main symptom was that if you read in a datum of value 0.1 into a Fortran program it would print out as 0.0999... which turned out, when I finally got fed up enough to analyze it, to be due to an unsound programming trick that IBM had inherited from United Aircraft. At least it was in the output formatting routine and not in the input side so the calculations were not affected by the error.

  5. I think you've taken an overly simplistic view in this article. The real world doesn't work like that.

    It's a bit like saying that anyone who's ever driven over the speed limit, even by a few miles per hour is a lawbreaker and should be treated as such.

    Perhaps certain individual actions may be labelled as black / white / grey - but it's totally wrong to label people that way.

  6. DePariah · 1083 days ago

    Seems to me that you might as well have them on your side, as opposed to against you. To rehash an old phrase: if you can't beat 'em, pay 'em :D

  7. Myles · 1083 days ago

    I'd say that the hiring practices should be based more on the ethical and moral standings the applicant holds, and less on the type of hat they're wearing at the time?

  8. How about another option:

    "Yes, sometimes, depending upon what sort of hacking they have actually undertaken"?

    For the most part I think hiring black and grey hats could be problematic but there are some black hats who would definitely bring something to the table if hired.

    I also remember a recent article I read (possibly by Mikko Hypponen?) where it was suggested that some hackers in Russia and other similar areas knew no different and would be happy to switch sides as it were, if only they were given the opportunity...

  9. MasterS · 1082 days ago

    Should security vendors hire hackers?
    This all depends on how good the hacker is. If the hacker is a black hat and an extremely good one, yes they should hire him and give him or her a new direction to funnel their talents. However I also believe you should probably keep tabs on someone like this, as they may decide to do something nasty. It's a tough call. As far as white and grey hat hackers go I think they would be mostly safe to hire.

  10. Michael · 1082 days ago

    And then there are hackers who aren't that interested in vulnerabilities or exploits, and don't fall into any 'x-hat' category.
    In other words, should a vendor employ somebody creative and with a passion for experimenting with technology? Without hackers, the vendor would pretty much be left with sales people who never look beyond the surface of Microsoft Windows, it wouldn't produce anything innovative, and it wouldn't be able to compete with other vendors. It makes me wonder if Samani knows what hacking is.

    From a security perspective, it's hard to see how anyone could become a decent programmer or infosec professional without being a hacker, and if they aren't being employed, the security vendor would lose business to vendors capable of doing a more meticulous job and threat assessments that take into account little-known vulnerabilities in new products.

    If the question refers to employing someone with a criminal past, maybe that's a matter of weighing up the benefits and risks.

  11. To be fair to Raj, it's possible we need more context than the BBC article provides.

    "Computer Hacker" is one of those terms that has shifted definition continuously over the past 40 or so years, shifting definition, broadening and narrowing in scope along the way.

    To add to the debate, would it be ethical to allow someone who had been a white hat hacker to join a security company in their marketing department? How about on their board of directors? What if it turned out that this person dabbled in grey hat hacking when they were young?

    How about someone who worked for a government intelligence agency and spent their time penetrating the cyber-defenses of rival countries? Can this person be trusted (would they even reveal that they had ever done this to future employers)?

  12. Andrew Rice · 1082 days ago

    Hi Carole,
    Hacker was a person who hacked away creating code. It was later hijacked to refer to people who broke into systems. Phreakers are people who hack into phone systems.

    In order to be at the leading edge of prevention, you have to understand the mindset of the bad folks. Hiring them is one way of doing this. If you do however, you have to consider they have shown that they are willing and able to do bad things and may well do the same again. I'm not saying that none will reform or should not be given a second chance, rather that you have to ensure you have control of what they do and perform secondary reviews of their work by a trusted expert. I certainly would not put them into direct access to valuable systems.

    Best regards
    Andrew Rice

  13. MikeyG · 1082 days ago

    I'd have to say I'm inherently opposed to rewarding someone who has consciously and purposefully used their skills to unlawfully gain access to other systems (for whatever reason...) There are plenty of pen-testers and red team professionals out there that are skilled in what they do without ever having "hacked" a system without authorization/acknowledgement.

    Hiring a known criminal (whether charged or not) is just bad business. And risky.

    With that said, and being a realist, there may be a business rationale for hiring such people, for skilled pen-testers and red teamers are not cheap. Hiring the morally questionable may come cheaper. But that's just speculation, for I've never gone through the exercise of pricing out unethical hackers. ;)

  14. Joseph · 1082 days ago

    Look, I have a personal hacking lab that I have setup. I even took a picture of it for this reply:
    revisualized.com/rand_pix/20111104_overhead_desk.jpg
    I own and operate all of the equipment there. I am currently unemployed and have been studying about computers since the 90's. I have only gone to school for computer related stuff after I got laid off last year. Are people saying that I should not be hired by a company because "dabbled in hacking"? I have not broken any laws (that I am aware of.) To even offset my skill set I have even chosen to take Internet Law as an elective for my AAS-T degree. (Also because I actually like studying laws and the legal system.)
    Why should I be limited by my employment opportunity just because I take part in hacking exercises? Or because I have expanded my skill set to have knowledge in computer security?

  15. Red Frog · 1082 days ago

    Well, how do you get them to be legit? It is like if you tell a lie to the police or in court, how can you retain any credibility upon further examination? Pedophiles look for occupations where they can be with children. Can it be any different with a black-hat hacker? How can a security company know that black-hat hacker is not a double-agent for an underground hacker community?

  16. "It used to be generally accepted as a term for someone who broke into websites or databases, either to look around, change stuff, steal stuff, infected stuff, etc." Sorry Sophos but historically wrong. Sloppy journalists have changed the meaning over the years. (I expect better on an IT focused website than I do on the BBC.) You all need to spend some time with Steven Levy's book: https://secure.wikimedia.org/wikipedia/en/wiki/Ha... and Eric Raymond's How to be a Hacker: http://catb.org/~esr/faqs/hacker-howto.html#what_... Eric Raymond specifically notes: "There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system." These days the 'adolescent males' have been replaced by organised and disorganised criminals. In the old days they were called Crackers.

    Having said the above I think the terms White Hat, Grey Hat and Black Hat Hackers are now in common usage as they say in Scrabble.

    @joseph above is clearly White Hat. He breaks no laws and only works on systems he owns himself or hopefully in the future he will have permission from the owner in writing. He can be hired without any issues. They are the type of people who improve systems.

    As a general rule I would not want to be hiring Black Hat hackers. Vandalism and theft are not what I would look for in an employee whether in the physical world or the virtual world.

    The Grey Hats... One would have to look carefully. Did they commit their offence when they were 15 or when they were 45? I think a lot of us did dumb things when we were young and outgrew it.

    I also don't consider researchers who practice Full Disclosure to be unethical per se. As long as they are not violating a non-disclosure agreement with their employer they can even be considered White Hats. I consider many of the vendors who hide or deny vulnerabilities as far less ethical. Microsoft and Apple are notorious offenders here. https://secure.wikimedia.org/wikipedia/en/wiki/Fu...

    For any younger readers I have to make it clear. Be a White Hat. The pay is steady and there is a pension. To quote Agent Smith in The Matrix, "One of these lives has a future, and one of them does not." Follow @joseph's example and build your own lab and learn the concepts at home or talk to your IT teacher. I used to be a Prison Officer so I can tell you gaol is not fun. Finally, a good history article can be found in the references, Palmer, C.C. (2001). "Ethical Hacking". IBM Systems Journal 40 (3): 769, at the bottom of this Wiki article: https://secure.wikimedia.org/wikipedia/en/wiki/Wh...

  17. roy jones jr · 1081 days ago

    All the more reason to not hire them. The one thing computer folks know is that the decisions they make are their own. No one forces you to hack; you start on your own accord. As such, when you start down that road, you should also realize the circumstances of what you will & won't be able to do in the future.

    If someone was known to be in 3 gangs that were known to do criminal activities and then 11 years later wanted a job somewhere, they most certainly won't walk right into IBM asking for a job. I know that's an extreme example but it is related to the issue.

    • Genima · 1080 days ago

      You're using the modern-day media twisted version of the word 'hack'.
      From The Conscience of a Hacker (which you've no doubt never read):
      "My crime is that of curiosity."

      Your example is poor. 'Hacking' often demonstrates a passion for computing, creativity and an agile, inquisitive mind. Being in a bunch of gangs does not display aptitude in computing. Often young, extremely talented 'hackers' just need a more creative outlet for their capabilities than poking around other people's systems.

  18. Davienthemoose · 1080 days ago

    For a moment, let's ignore the semantics about the term "hacker," and assume that all the nuanced issues of ethics in the field of information security are correctly described by your simple trinary system.

    Let's also focus only on the areas of information security which apply directly to code development and penetration testing (because I feel you've neatly excluded management, audit, legal, incident response and forensics, and risk management areas in the simplicity of your analysis).

    You are still asking the wrong question.

    You seem to assume that "black hat" hackers are "the bad asses," but label "white hat hackers" as almost an opposite level of ability. So, why not ask why you feel the abilities of a "black hat" hacker (your definition: someone who breaks the law) might be distinguished from that of a "white hat" hacker (your definition: someone who purely follows the rules)?

    Why not ask why a company would need one vs. the other?

    Why not ask whether companies can tell whether prospective job candidates will use their talents for good or ill?

    Why not ask whether companies are capable of using very talented people appropriately in infosec (avoid the alienation and disenfranchisement that so many associate with criminal activity)?

  19. roy jones jr · 1073 days ago

    "Often young, extremely talented 'hackers' just need a more creative outlet for their capabilities than poking around other peoples systems."

    I won't make excuses for them, Genima. They have all that talent and high level intellect, the thought process of "I shouldn't break into this financial server" should enter their mind. The reasons I've read and personally heard aren't justifications for malicious actions.

  20. Anonymous · 223 days ago

    So you wouldn't trust Kevin Mitnick's pentest company to audit your security? Too worried about the plethora of APT back doors they would leave in your network?

    Cuz after all Kevin was a black hat, that's like 34.55% worse than a grey hat


About the author

Hi. I am a social, brand and communications expert with 10 years in senior roles in the tech space. I'm currently Sophos's Global Director of Social Media and Communities. Proudest work achievement? Creating and launching award-winning Naked Security. Outside work, I am a mean cook, an avid reader, a chronic insomniac, a podcast obsessive and blogger.