Schneier on Security
A blog covering security and security technology.
June 10, 2010
Any essay on hiring hackers quickly gets bogged down in definitions. What is a hacker, and how is he different from a cracker? I have my own definitions, but I'd rather define the issue more specifically: Would you hire someone convicted of a computer crime to fill a position of trust in your computer network? Or, more generally, would you hire someone convicted of a crime for a job related to that crime?
The answer, of course, is "it depends." It depends on the specifics of the crime. It depends on the ethics involved. It depends on the recidivism rate of the type of criminal. It depends a whole lot on the individual.
Would you hire a convicted pedophile to work at a day care center? Would you hire Bernie Madoff to manage your investment fund? The answer is almost certainly no to those two -- but you might hire a convicted bank robber to consult on bank security. You might hire someone who was convicted of false advertising to write ad copy for your next marketing campaign. And you might hire someone who ran a chop shop to fix your car. It depends on the person and the crime.
It can get even murkier. Would you hire a CIA-trained assassin to be a bodyguard? Would you put a general who led a successful attack in charge of defense? What if they were both convicted of crimes in whatever country they were operating in? There are different legal and ethical issues, to be sure, but in both cases the people learned a certain set of skills regarding offense that could be transferable to defense.
Which brings us back to computers. Hacking is primarily a mindset: a way of thinking about security. Its primary focus is in attacking systems, but it's invaluable to the defense of those systems as well. Because computer systems are so complex, defending them often requires people who can think like attackers.
Admittedly, there's a difference between thinking like an attacker and acting like a criminal, and between researching vulnerabilities in fielded systems and exploiting those vulnerabilities for personal gain. But there is a huge variability in computer crime convictions, and -- at least in the early days -- many hacking convictions were unjust and unfair. And there's also a difference between someone's behavior as a teenager and his behavior later in life. Additionally, there might very well be a difference between someone's behavior before and after a hacking conviction. It all depends on the person.
An employer's goal should be to hire moral and ethical people with the skill set required to do the job. And while a hacking conviction is certainly a mark against a person, it isn't always grounds for complete non-consideration.
"We don't hire hackers" and "we don't hire felons" are coarse generalizations, in the same way that "we only hire people with this or that security certification" is. They work -- you're less likely to hire the wrong person if you follow them -- but they're both coarse and flawed. Just as all potential employees with certifications aren't automatically good hires, all potential employees with hacking convictions aren't automatically bad hires. Sure, it's easier to hire people based on things you can learn from checkboxes, but you won't get the best employees that way. It's far better to look at the individual, and put those check boxes into context. But we don't always have time to do that.
Last winter, a Minneapolis attorney who works to get felons a fair shake after they served their time told of a sign he saw: "Snow shovelers wanted. Felons need not apply." It's not good for society if felons who have served their time can't even get jobs shoveling snow.
This essay previously appeared in Information Security as the first half of a point-counterpoint with Marcus Ranum. Marcus's half is here.
Posted on June 10, 2010 at 6:34 AM
I guess you should never employ poachers as gamekeepers, either.
So, I guess that it doesn't "depends on the recidivism rate of the type of criminal" at all, does it? At least be consistent between your first paragraph and all subsequent paragraphs, eh? ;)
"employer's goal should be to hire moral and ethical people with the skill set required to do the job"
Does getting caught not show that their skills are not entirely 100%? Wouldn't I want to hire the people who don't get caught?
"there's a difference between thinking like an attacker and acting like a criminal, ...between researching vulnerabilities ... and exploiting those vulnerabilities for personal gain."
This difference needs to be more clearly defined in law and practice. The instinctive corporate response against security researchers seems to be "I'll Sue You!"
Personal gain is often not a reliable test. So I guess the law doesn't regard it as reasonable, though it can be a mitigation during sentencing. Hackers, old-school, would hack for bragging rights. But the law doesn't say the act must involve personal gain. 18 USC 1030 talks about the level of damage done. Copyright law, for another example, says if you download a song, or copy and give away a song for free, you are in violation of the law.
Maybe the question is "Do I want to hire lawful people?" (as different from ethical people). Hackers tend to be chaotics. People who are demonstrably lawful are perhaps easier to predict, boring. Ethical people, on the other hand, may look at what your organization is doing and decide they 'can't be having with this at my stage in life.'
The "it depends" answer is the only intelligent to such a general question. I agree with you.
While reading your post I was thinking of John Keneth Galbraith who, in History of Econonomy and some other of his writings explained that no pre-defined solutions based upon pre-established ideology are usefull to solve real-life questions in Economy and that you always need to analyze your specific case, think about the possible solutions and take a decision based on your thinking, and not in your pre-established memory and ideology
Skinner, I believe most non-script-kiddie hackers primarily get caught due to overconfidence and getting sloppy rather than lack of skill. For example, think of TOR. It is a test of the user's patience rather than their skill.
That said, a criminal conviction doesn't make someone more skilled. A person with no convictions may have exactly the same skills and simply have better ethics.
@Bernardo Ramos " you always need to analyze your specific case"
Could this be why Economics isn't a science and should be classed with History as a field of study?
Without being able to generalize from specific cases, all you end up with is a field of data points.
@albino "a criminal conviction doesn't make someone more skilled. "
No. It makes them more visible. Creates a record that can be evaluated. Compare a data point (criminal conviction) that exists for candidate A with the lack of a comparable record for candidate B and, other things being equal, A doesn't make the cut.
Though time in prison is said to educate felons in better criminal methodology.
We absolutely should not hire ex felons to shovel snow, but we can hire ex-investment bankers to frame our economic policy.
I read Marcus Ranum's counterpoint and he says: "I've got to say "it depends" -- but I definitely lean more toward "no" for a simple reason: it's harder to explain what happened if something goes wrong."
He also ends his essay with not wanting to hire a convicted felon even to handle a snow blower. Now if everyone thinks like him, where is the convicted felon ever going to get hired? By other felons in a criminal enterprise?
For me this is somewhat like the prisoner's dilemma game. If a company hires felons, that company might lose out against a company that does not hire felons. But if no companies hire felons, then the felons go back to doing crime and all companies lose.
I would hire a hacker. Would I hire a convicted felon or an individual who quite openly tells me they are trying to break the law?
Don't think so. Two reasons.
First, for liability reasons. Companies are held accountable for the security people they hire. Once hired, that person can be acting as the agent of the company. Acts by that agent can be held against the company.
Carly Fiorina hired private detectives to plug leaks in her board. They broke the law on her behalf. It didn't matter that she didn't give them explicit direction to pretext the phone company about her employees and anyone they contacted. They were her agents and she was as culpable as they were. Beware the casual phrase "Use your own judgement. Do whatever it takes." Because the person you said that to now has your authority to act in any dumbass way, and you are responsible for it.
Second is negligence. If I hire a security company to guard my precious metals warehouse and they hire guards who are time-served felons, one of whom robs the place, I can sue the security company for negligence and recover my loss.
If I hire a convicted hacker and on my behalf he does a security sweep that compromises a third-party causing damage to their operations and they sue. My insurance company is going to back away from me saying I breached due diligence by hiring a felon.
Hmm should you hire a hacker...
Well, many many years ago I was on the edge of hacking and was involved in two cases. The first was the hacking of the BT Gold account of the then head of Acorn Computers that came to light on the "BBC Micro Live" program. I was not involved with the actual hack, but I did make various statements of truth to the press to counter the PR spin of BT personnel.
The second case also involved BT, this time their Prestel service. I was told and was shown how BT had put up a service for people developing bulk update software. The service had an opening page with the admin password on it. The BT staff had been incredibly lazy and just duplicated an existing server. Unfortunately their software stored all the users' passwords in a plain text file.
Robert Schifreen and Steve Gold likewise had this brought to their attention and they spoke to me about it in the then GLC County Hall (now Saatchi Gallery etc.) on the banks of the River Thames adjacent to Westminster Bridge in London.
My advice to them was for God's sake don't go near Micronet 800 (another BT enterprise for computer clubs run by Dave Babski) or any other BT organisations, as they had tried to do the equivalent of entrapment with me and due to just chance it had not panned out for them.
However they chose to be "honest" about it and demonstrate it to BT staff.
The result: they got dragged into court on fraud charges and found guilty. After a long and tortuous series of appeals the House of Lords told the Gov of the time "no way" and the two had their names cleared.
Oh, and the result: some incredibly poor legislation called the Computer Misuse Act, which one or two software developers received criminal convictions under for simply trying to protect themselves from unscrupulous businesses...
I have spoken to many Hackers / Crackers / criminals since and, like Bruce, I have my own views on the subject.
But by and large, would I employ a hacker if I was in a position to do so? The answer is probably. A script kiddy or cracker, no, and a gun for hire selling to criminal gangs, most definitely not.
Poachers do make good gamekeepers and you don't have to actually trust them implicitly; it is not an all or nothing choice.
I'm not speaking English very fluently, but can't the "no felon" sign be interpreted as "hard working people only"? (At least could the French literal translation read this way.)
Don't hire a hacker. Hire two or three - and make sure they know it's in their best interests to keep each other honest. ;-7
Also hire people to work with them who aren't of that mindset, but are simply the hard working, thorough, vigilant types willing to do their due diligence - the folks who are not above RTFMing or doing the tedious grunt work. Hackers often become arrogant, and as everyone here already knows, arrogance can be its own reward when it comes to security. Sometimes the tortoise really does beat the hare.
I live in what has to be described as the "far boonies". There are what amount to a lot of crooks or just plain "slick dealers" around here. Mostly thieves or people trying to get a bit more than fair value out of any interaction.
As someone known to have pretty good resources, I've been asked by many to be what amounts to a fence -- buy their stolen goods, loan them money and so forth (maybe more like a pawn shop).
I universally tell them I have a non-compete with the banks and payday loans and pawnshops -- do that elsewhere, but if you're desperate for money (which is after all the main reason they come knocking) well, I have some decent paying honest work they could do and get paid at the end of the day (none of these people ever would work for a week before a payday -- they are cash and on the instant sorts, which is probably why they are in the shape they are in).
Net result, though it's not unmitigated -- theft is zero here, and down in the neighborhood, and I get decent hard work done on my place for fair value.
By paying a little in what amounts to a low level protection racket I become pretty safe from them all, and they all want me as a friend. Not necessarily the ones I'd choose (and I'm not short of real friends of the honest and well off sorts) but, better than enemies, especially considering the subjects here.
When police have visited, they are in awe -- they say I have the most targeted theft items, and it's just a matter of time. I have guns (I'm a gunsmith at a hobby level), money, fancy electronic gear, super duper tools -- all the stuff people want to steal and sell. Law enforcement here is minimal, even as a fraction of the very small population, which I suppose is why certain people wind up here.
Along with a huge population of retirees -- kids left the farm and they didn't.
Funny, though -- that "matter of time" hasn't happened in two decades. There actually is a bit of honor among thieves or something similar, and by reaching down to help these guys (and getting help in return) a relationship is established that seems to work out.
Couldn't be that I've once in a while demonstrated that I'm a dangerous guy to cross, could it? Nothing terribly overt, but having them work on say the rifle range as I repeatedly hole dimes at a couple hundred yards, or immolate a pistol target with many holes/second could have something to do with it?
Whatever, it's working, and as a result I have a ready crew of helpers, when and only when needed (mostly -- it's not like I can call a guy and he shows up, but someone is always showing up) and relative safety -- even protection by them from new "problems" -- the grapevine says "be nice to Doug as no other way is worth it". Being privy to the info on that grapevine also has benefits.
Is this morally wrong? It doesn't feel that way at the human-human level -- I help these guys, and as a result they do less wrong in the world to get themselves fed or high. So I think it's mostly win-win, but I bet someone here would have decent comment on the practice.
Government sure isn't solving this problem, so...I (and some others around here) take charge and do it ourselves, arguably much better than any government ever does -- any city is a joke compared to the harmony we experience here.
Certainly not completely ideal, but it does work.
I agree with 'It Depends'. Would I hire a hacker to perform scans on the network (with root password)? I don't think so. Would I hire Kevin Mitnick to talk to our employees about social engineering? In a heartbeat.
I know that Mitnick is still a sore subject with a lot of security guys and with good reason. Do I think he is 'reformed'? I kinda think so. Would I give him access to my network? If he really needs access to my network, he'll get it on his own. I don't need to help him. I'd only get in the way.
Agree with the "it depends". The crime someone is convicted of can have nothing to do with reality. To pick, possibly, the most emotionally charged example: would I hire a convicted sex offender to work at a day care?
It depends on what they did. Someone can become a "sex offender" if as a teenager they sent a nude photo of a peer, with the peer's permission, to someone else's cell phone. Is such a person really a sex offender? Nonsense. They had bad luck, and couldn't afford a good attorney.
The crime someone is convicted of can have little to do with what they have done. The legal system is full of misrepresentation: DAs twisting the truth to appear "tough on crime", plea bargains, etc.
It's not a matter of not trusting felons and trusting "non-criminals". You have to observe everyone. Most felons were honest at one time.
Labels are useless, especially labels that cause us to stop observing and remembering that "it depends" is always important to keep in mind.
@edeion: The word "felon" in the US unequivocally means someone convicted of a serious crime (felony) and, I believe, having been convicted of a crime is a fair exclusion for hiring. (As in, not protected.)
Ranum's counterpoint is the reason I have a hard time paying any attention to him. It's black and white thinking. He always defaults to "denied". The world is grey - not black and white.
This whole discussion reminds me of when I signed up for the CISSP exam. One of the questions was - "Do you associate with hackers?". It's an incredibly silly question. I answered yes and the form was automatically rejected. I had to call them up and tell them why it was a silly question and to get scheduled for the exam.
"It depends" really is the only answer. If I'm gonna hire anyone, no matter who, for a position requiring certain skills (from them) and trust (from me), I'm gonna interview them and try to get to know them, in order to verify that they have the skills, and that I can trust them.
If someone's an ex-criminal, I'm gonna talk to them about that, of course. What happened? How often? How long ago? What changed since then?
I do believe in giving everyone a fair chance. There are limits, but there is a "one strike and you're out" mentality in our society that is shameful.
@ Doug (DCFusor),
"Cash pay on the day for casual labour"
Used to be a way of life long before and long after the Great Depression.
However the Gov didn't think they were getting their due in the 60's and started killing it off.
Now in "these times of terror" you have to be on a Gov DB somewhere or you are a de facto terrorist...
Somebody I used to know years ago only had their 1940's army pay book as identity and spent their life walking from farm to farm working for as little as a good meal and a barn to sleep in.
Their reason for living the way they did was what we would call PTSD these days. They got chewed up both physically and mentally by what they had witnessed.
Were they a bad person? I'd have said not, but it did not stop some police officers trying to turn them into a criminal.
Everybody is different and we all get a bad throw of the dice in our lives at some point; what happens is often the equivalent of another throw of the dice, and the community you live in.
A lot of people don't want charity but, as you say, can't for whatever reason behave in the Maoist manner that the Gov appears to require of citizens, and the choice is often stark.
A simple hand to give a day's pay is often all they need; it ain't charity, it's community.
I know quoting Islamic words of wisdom etc. is not a popular activity these days, but they have an ethos of not allowing their neighbour to starve if they can help them to help themselves.
Call it what people will, but it used to be the glue that bound all societies together. And we have lost it at our cost as society decoheres around us.
This has always been a bit of an annoyance to me. There are really two ways to learn this job... The legal way, and the illegal way. I am someone that took the legal, moral, ethical way of getting to where I am. It would likely have been a lot more fun, possibly easier, and infinitely more profitable to break the law in this process (college is expensive). When a company hires a criminal for their cracking skills, that takes a job from someone that followed the more difficult path, and it rewards someone for taking the easy/illegal route.
Should we re-elect our politicians?
@Clive "did not stop some police officers trying to turn them into a criminal."
The Travellers/Pikey problem. Suspicion between the settled and the nomadic is probably as old as Ur.
Most communities here in the US still have vagrancy laws.
"you say can't for whatever reason behave in the Moaist manner that the Gov appears to require "
I would go further than this though, Clive. It's not just a government, it's the requirements of an advanced civilization, and I'd say that the world that is becoming around us won't have room in it for lots of people. 90 years ago MOST (~70-80%) people in my country worked on farms. They rarely went to High School, let alone College. In WWII, the 1940s or 70 years ago, the military had to deal with the fact that most enlistees were illiterate.
Now most of us can read, fewer do math well and some can actually think. But what about the rest?
In my town before the crash our unemployment rate was down to between 1 and 2 percent. I saw people working the counter at Burger King that couldn't handle it. (And if there is any less skilled job than fast food I don't know what it is.) That's when I realized there are people that just can't join the work force, be productive citizens, count out change.
Remember an IQ of 100 is the AVERAGE; that means 1/2 of all of us are on the 0-99 side.
If people can't exist in an advanced technological civilization, what is their alternative?
When there was a Frontier people could go out there and scratch out a livelihood.
Now you can't feed yourself unless you have a job, are a criminal, or are getting assistance from the government.
The thought process or perspective makes a much bigger impact than the execution. Someone who can perceive vulnerabilities, and uses the information to pull a sophomoric prank might be more useful than a career criminal that moved to credit card fraud because it was less dangerous than stealing cars.
For computer security folks, we still can't beat Bruce's old "Uncle Milton's Ant Farm Test".
@Anonymous "Should we re-elect our politicians?"
Bruce, very well written.
"defending them often requires people who can think like attackers"
Thinking like an attacker versus acting like an attacker is the crux of the ethical dilemma, and authorization should be the litmus. The question, in other words, is if someone who thinks like an attacker has respect and understands the significance of authorization before acting like an attacker.
"many hacking convictions were unjust and unfair"
I would expand that to the sad reality that many convictions are unjust and unfair. Even death row convicts can later be found innocent.
Another troubling ethical issue can be found in one of your examples.
"Would you hire Bernie Madoff to manage your investment fund?"
"...an inmate badgered Madoff about the victims of his $65 billion scheme, and kept at it. According to K. C. White, a bank robber and prison artist who escorted a sick friend that evening, Madoff stopped smiling and got angry. 'Fuck my victims,' he said, loud enough for other inmates to hear. 'I carried them for twenty years, and now I’m doing 150 years.'"
The question is again about authorization and right/wrong definitions, but it extends from the hacker to those paying for hacking. It is easy to ask Madoff's clients whether they would have let him manage money if they knew he would get convicted. Everyone would likely say no. Much harder to ask his clients whether they would give him money to manage if he did not get caught yet they knew about the fraud.
Jailbreaking an iPhone is a felony violation of the DMCA punishable by ten years in federal prison. Would you hire someone with a jailbroken iPhone?
Now that we're all past hiring felons, let's be clear: nearly everyone who has ever used a computer is a criminal. It just depends on the crime.
There is no difference between hiring hackers and employees.
1) Are the hires in control of their actions?
2) Do they need this job - have family, kids?
3) Do they exhibit traits of loyalty to the company, or the greater society?
4) If they exhibit loyalty to the greater good, then it's not necessarily a good hire for the mafia, or government intelligence.
5) Are there proper channels and resources for these hires' concerns to be voiced and acted upon?
6) Are they likely to take matters into their own hands?
@bernardo "no pre-defined solutions based upon pre-established ideology are usefull"
This is why in any Economics course they ask the same questions every year and change the answers.
Great article. I'd hire a hacker to hack me (deactivate me on the system) in a minute if I could. In fact, hackers might be the only way the COINTELPRO style domestic surveillance stuff going on now gets exposed to the public. I think it's up to the hackers to expose Patriot Act abuses; there's no other way to get the info out there.
I think that the two most important factors to consider when hiring someone who has been convicted of a crime are the motivation for the crime and the nature of the crime.
A minor crime (such as graffiti by a student or "demonstrating" a security system to be insecure in the wrong way) shouldn't be an obstacle to a later career.
A crime with a motivation that doesn't match the employment shouldn't be a problem. Someone who was convicted of financial fraud probably isn't going to be motivated to commit any crime while shoveling snow - but someone who was convicted of burglary would probably be tempted to case any office or home where they shoveled snow.
Someone who was convicted of a child sex offense would never be suitable for child-care work, but if they worked on a construction site (where children aren't allowed) then they would probably do OK - the crimes that they could possibly commit in that environment probably wouldn't tempt them.
So for hiring a hacker, if someone fooled around with computers to learn about them and went too far then they would probably be quite trustworthy running a network. Once they are the sysadmin they HAVE to know how things work and they are given full rights to learn, so their curiosity will be satisfied without crime.
If however someone committed computer crime as part of a financial fraud or extortion then there's probably no computer security work that they could do which wouldn't tempt them to commit more similar crimes. But I'm sure that they would do a good job shoveling snow!
I usually say "it depends" for any kind of hiring situation and I always want to give people a fair shake. But this is something I would have a hard time overlooking and here's why.
I'm a programmer myself and I don't consider illegal hacking to be the mark of a good programmer or a computer security expert. These days there's lots of ways to get the "problem solving thrill" of hacking and/or cracking and to demonstrate your computer prowess without actually breaking the law.
My day-to-day engineering job offers MANY different challenges and I've never felt the urge to hack or crack somebody else's system any more than I have urge to break into somebody's house. I may study *how* it's done and I might amuse myself trying to do it on my own system, just like I might take up lock-picking as a hobby. But I'm not actually going to rob my neighbor and neither am I going to hack somebody else's computer system. ( No, not even to ferret out violations of the Patriot Act. )
So I'm afraid that in most cases the lack of good judgement or outright dishonesty would prevail over any possible "talent" this person had. The person would have to prove to me that he or she had indeed changed. And it would have to be more than just "I went to prison because I was forced to."
Oh and speaking of that "talent": just how talented is a hacker who got *caught*?
Many people appear to be almost deliberately missing the point about time since offence, and further the real value of the offence (not what LEAs claim to justify various things).
If somebody did something in their teens or some time ago, the question has to be asked why they have not gone on to commit a crime since.
There are several answers to this question, one being the opposite of @Kathy Ro's question,
"Oh and speaking of that "talent": just how talented is a hacker who got *caught*?"
Potentially the answer is they have smartened up and are not making mistakes by which they can be identified.
However CVs are actually not that difficult to check against various online DBs of companies and credit histories etc., just time consuming (and yes, you have a duty of care to the shareholders to make adequate checks).
Conversely, setting up a false ID with an adequate supportable history is not that easy; it costs time and effort as well as money (currently about 1000 in any major currency to get the documents to start from).
Now I know people "over egg" their CVs, but they shouldn't, as it is in many jurisdictions a criminal offence (ostensibly fraud). And again in most places an employer can summarily dismiss an employee when such is found on the employee's CV (however using a false ID is in most jurisdictions not a crime unless it is to gain some advantage).
The question then arises: at what point need a prospective employee not mention a conviction?
This varies from jurisdiction to jurisdiction and on the type of crime/offence (tort / criminal / misdemeanor / etc.). Then again, depending on how they are employed they may not have to mention it at all (i.e. an employee of a sub-contractor).
Thus an organization should actually consider what their hiring policy is and how they indemnify themselves against the risk of employing people either directly or indirectly (i.e. externalise the risk onto others via sub-contracting etc.).
This should not just be to their shareholders, or their insurers, but also to the consumers of their services.
However this needs to be tempered against the "common good"; as others have pointed out, a criminal that has no opportunity has no choice but to remain a criminal and thus a burden on society, either directly through taxation or indirectly through insurance.
As I have said, people sometimes need a hand to get back on their feet from time to time, and importantly it is up to the employer how much trust they choose to give an employee and when.
However if you say "I will as a matter of policy discriminate against people for reason X" you cannot realistically be offended if others discriminate against you for whatever reason Y they happen to choose.
Also there is another point my father made to me when I was young and had done something that was inadvisable,
"If you have the brains to commit the perfect crime, you have the brains to earn more money honestly".
It is the question of "value" of an action be it illegal or not.
The point being "one off crime" does not pay sufficiently to last you a lifetime; large value crimes attract a lot of scrutiny not just from the authorities but the insurers and others such as other criminals, and the realisable gain is thus disproportionately small ("two cents on the dollar").
Thus you have to become a career criminal, with all the risks that entails, to even hope to make crime pay.
The only difference between then and now is the force multiplier and zero cost action at a distance of the information world and its potential for white collar crime. That is, you can now commit hundreds if not thousands of low value crimes in many many jurisdictions outside of your own. Thus you hope to stay under the radar of the LEO lower limit on crime value (i.e. it is not proportionate to invest 100USD of LEO resources for a 25USD crime with no obvious conviction potential from the outset).
Now as a potential employer the real value of a person's crime needs to be considered, not the faux value that prosecutors use for political reasons.
There are actually two aspects to this: one is to judge what the crime may have been about, the second a ready reckoner for "stock loss".
Many many retail employers know that a small percentage of their employees may be, or are, dishonest (as are their customers). The costs attributed to such low value crime are often called "stock loss".
However as with LEA's there is a threshold at which it crosses from being an annoying "cost of business" to something that has to be dealt with.
Thus there is an acceptance of what level of dishonesty is acceptable or not within any given business model an organisation uses.
Which leads you onto the "shoveling snow" point made by @ Russel Coker.
However it has another side, if a person is in a position of trust what value can they obtain by abusing that trust, or more correctly what level of harm can they cause to the organisation.
In many cases this might actually be less than the amount you pay them in a relatively short period of time, thus there may be no incentive for them to betray the trust you put in them.
So it may be perfectly acceptable to employ a criminal because you either do not place trust in them or the gain they can make by breaching that trust is too small in comparison to just "doing the job" honestly.
There will always be exceptions but as with "stock loss" it's part and parcel of the cost of doing business.
Let's just use the term 'computer-crime felon' as 'hacker' has too many different meanings in different people's views. (I refrain from using the term myself outside of a very well defined social circle for this reason. It annoys me but I can do nothing about it.)
"It depends" is the only right answer here. Why? The answer is simple if scary: today's laws and legal practice are so badly broken that being convicted of a computer-related crime means nothing without context. All researchers of data security - from university professors to self-educated people - have to be extremely careful in order not to land in serious trouble. Some types of research are nearly impossible today without breaking some law. Gosh, even having some particular string of bits on some storage medium, regardless of your reason, intent, purpose, or actions you may have taken can make you a criminal.
Very tricky question?
Law abiding workers can also change their mindset if their financial/personal circumstances change, debts, gambling etc.
Criminals can also change for family reasons, bad experiences, jail time, etc.
I am with the 'Depends' group, alas it is that magic word again TRUST.
@ Clive on Profitability of One-off Crimes
Hmm. I think your description of one-off's is onto something, but not quite right yet. It assumes that any large one-off results in an effective investigation and majority of the money must be spent preventing getting caught. In my analysis of online crime, I've found this to be untrue.
I remember trying to figure out exactly how much it would take to prevent getting caught. The use of so many relays that each take a small cut means much value is lost. Even if we give up 75%, though, a $200k+ one-off still provides one year's salary in IT averages. A $500k hit lets you pay off your mortgage. A $1 million dollar hit leaves you with several hundred K: enough for a house, car and investing in a legit business. Part of the 75% was laundering. So, we have lots of one-offs that are laundered, any taxes paid, and produce substantial amounts of money for about two weeks to a month's worth of work. How is this a "disproportionately small" gain? Most people, even IT guys, will never achieve that annual rate during their lifetime. One-offs pay.
Before I get to continuous crime, there's also a middle ground: periodic one-offs. Certain risk conscious criminal minds will do big heists spread out over long periods. As an anecdote, Marcinko of Rogue Warrior series mentioned a guy who worked one month out of the year, made around $100k-$250k, had a loyal attractive wife, and a small mansion in a country with decent infrastructure and low cost of living. What did this guy do for a living? He was a jewelry thief. I don't know what happened to him, but if he wasn't fictional then he's an example of a long stretch of one-offs. There are others that are verifiable but this one is a good illustration of the concept because there's little work (timewise), gain similar to first paragraph, and almost a year between hits. It's basically a one-off each year.
I agree that the most profitable scheme for the crooked hacker is a continuous stream of crime. Most who spend the effort to secure a one-off transaction will want more money. They are greedy people. My financial analysis found that one could build an infrastructure of sorts for anonymity, operations, and finances in a criminal organization. Each crime would utilize this infrastructure, making the average profit for each crime to be significantly better than 75%. As you'd expect, this scheme allows the cost to spread out amongst the crimes. This is the superior option for career criminals or people who think like them.
The moral of the story? One-offs can be very worthwhile depending on the individual, but a truly crooked individual is more likely to commit a string of crimes for a multitude of reasons. If someone went on a hacking spree, then quit, that person might be trustworthy. If a person was in online criminal enterprise, then they shouldn't be trusted. It takes a certain mindset to do it right for a long time and I sure as hell don't trust anyone with the mind of an efficient sociopath.
I am going to go against the grain here.
1. Hire felons? Sure, under certain circumstances. People should be given a chance to start over.
2. Hire a hacker? Sure. I would hire to test security.
3. Have them design a security system? Probably not.
I believe that the terrorist mind or radicals of any kind are warped in their thinking. Pedos, etc. included. It will show up in other areas. By definition it will manifest in other ways, usually bad thought processes.
Security design is as much art as science. You can not just throw stuff at it. All our resources and we only find the Keystone Cops? I would not have a cop design a law. They are trained and their mindset is in other areas. It bugs me to see a burro or guard design a security system. You put cameras in a high crime area, they move two blocks over, wear hoodies, or spray-paint the cameras. The foot patrol will work better. Note: Most camera lenses, setup, etc. are wrong anyway for what they think they are accomplishing.
A hacker is good at finding ways to get in, not keep people out.
NOTE: glad to see the hackers break the sony update to remove OS options. I cheered. The war is on. Can sony keep them out? Not a chance. They can spent lots of money to keep people out and design security. Is this a good example for this discussion? Probably. Just my thoughts.
@Craig "that magic word again TRUST"
So what are the criteria to establish trust?
It depends on the person, the crime, and the exact nature of the position.
@ Bruce - this isn't the best article you have written. I don't think it helps that the question it revolves around doesn't really make much sense either.
Hiring criminals is a mixed bag. In effect they have served their debt to society and while there is a risk of them returning to their past life, there is also the risk of any employee being corrupt, unethical and an undetected criminal. If you have staff, learn to live with it at times. (This assumes vetting isn't an issue.)
Also, I don't see any reason to assume a convicted "hacker" is any better at what they do than anyone else. There is no reason to think they have a special skill set that a non-criminal lacks. (Although this depends on where they served their time...)
There might be some PR value in bringing a high profile hacker into an organisation, but I doubt it's very positive.
In effect, I would say let them apply like everyone else. If your recruitment process weeds out criminals, out they go. If it doesn't, let them have a fair crack as if they had been convicted of shoplifting or assault.
"Would you hire a CIA-trained assassin to be a bodyguard? Would you put a general who led a successful attack in charge of defense?"
I think 99% of people would answer yes to both of them. Doesn't make it right but most people would.
Mr. Schneier, that is probably one of the most concise, accurate and clear definitions of "hacker". With respect, I would only suggest the definition be expanded out as the hacker mind can be applied ethically to any area of interest. Your definition would be specific to Security Hackers but many hackers have no interest in security or computers at all.
I was a hacker in my teens and early twenties. Never caught or convicted. Today I work in information security for a large financial institution, both designing and testing our security controls. I don't necessarily hide my past but I also don't volunteer info about it.
Does the company have a reason to worry about me? I don't think so. I started hacking to explore my limits and learn about computers. Now I can do that with permission and pay. No real motive to bite the hand that feeds me, or any other hands for that matter.
Does every hacker, or reformed hacker, think the same way? Nope. I agree with the case-by-case evaluation approach if you want to expand your talent pool.
Gosh, it must be nice to have a choice about hiring a hacker, sure helps overcome the moral hazard question.
As for hiring "convicted" vs "known hacker" I'd always have a strong preference for the un-convicted because he probably has better tradecraft AND when caught had something tangible to trade. Put simply, jail tends to be for script kiddies and I have no use for these guys...
Generally speaking, all hiring decisions should be made on a case-by-case basis regardless of whether you believe the candidate to be a 'hacker' so the only difference is whether someone describes themselves as a hacker, whether they've been convicted of a computer crime and what type of crime that is.
Certainly if someone described themselves as a hacker in their CV it would make me more interested in them, not less - though I'd clearly have to ask them what they meant by the term at the interview stage. On the other hand, if someone had been convicted of computer crime my decision about whether to consider them for a job would very much depend on the crime itself. If we were talking about a 'crime of curiosity' it wouldn't have a negative impact on my decision but clearly if the crime were for personal gain (e.g. fraud, blackmail, extortion) then I would not consider them at all since these crimes bring up clear trust issues.
You could probably argue that activities such as phone phreaking and MTA / Oyster Card hacking are for personal gain, but most people do these things out of curiosity unless the results were sold and traded, in which case it edges towards genuine fraud. The only real worry I'd have about employing a convicted hacker would be that they may not be very good at working out where 'the line' is and may not be able to tell so easily when they're crossing it. This could be the line between legal and illegal, safe/dangerous, moral/immoral, fair/unfair; essentially knowing what the 'right thing to do' is very subjective but very important in a security role.
I suppose I have said the word trust a few times and this is vague.
For security, the level of 'Trust' is the level at which compromise/attack can be absorbed without mission critical or safety critical consequences.
If you 'Trust' then have attack/compromise at lower levels you can recover, rebuild defenses and learn.
If you 'Trust' then have attack/compromise at the highest levels, this is much harder to recover from, if at all sometimes?
I know how to calculate the trust level of a system.
What are the criteria in establishing the trust level of a person?
@ BF Skinner
Actually, how do you calculate the trust level of a system? For me, increasing confidence has always been strong requirements gathering, secure architecture/design, and a corresponding implementation produced using low-defect processes. This produces measurable defect probabilities and maps code to requirements. Trust is an abstract concept, so how do you define and measure it?
As for people, I have some techniques to try to establish their trustworthiness. The most important thing to know is that a person isn't trustworthy or not in general: they are in certain situations. I know thieves who I trust to be around my personal property because their moral justification for stealing is that a $300 billion company won't miss the little things, but they don't steal from friends. The use cases of a system or processes of an organization may change the level of trust you can have in a person.
The next step is figuring out their personality type. I've found certain personality types are more likely to betray than others in normal situations. In extraordinary stress or circumstances, almost any type might fall short. I also determine if the person is risk-loving or risk-averse by nature. Risk-averse people will usually only do something if desperate or if they can certainly get away with it. I also look into past behavior, carefully interview friends/coworkers, and give little tests like leaving a cell phone lying around to see what happens to it. With all of the above techniques, I feel I can establish how trustworthy a person is with plenty of confidence. It doesn't always work out but no probabilistic scheme comes without a miss rate.
Great article. I can relate as I have been in this situation on a few occasions. I am a convicted felon, with a 3rd D.U.I. felony. My actions that caused this were when I was in college. I have grown exponentially since then, and I am now an I.T. professional. I have been in a situation where my college professor was an I.T. Manager for an ISP in Mississippi and he didn't hire me because I was honest about my felony after college. I couldn't believe it because he knew what type of guy I was in college and I was his top student and he and I had a good relationship. I understood his place on it, but I couldn't understand the fact that he didn't even TRY to reason with me, given that he knew me very well and that this incident is over 10 years old. Nevertheless, I got employed as a Network Specialist at a University and, in my opinion, I think that the more you prove that you have changed (top-level I.T. certifications, proven improvement in your career, etc), the less important felonies will be to hiring managers.
To hire a convicted felon, I would consider it, but I would also follow the maxim "Trust, but Verify". Computer security personnel are in a position to cause great damage. You need to design safeguards to be able to detect wrongdoing. This applies to felons and non-felons alike. After all, the non-felon you have hired might be as much of a criminal, but has never been caught.
I'm missing one aspect in this discussion, which I shortly discussed with Bruce during the Conference on Cyber Conflict last week.
The aspect I'm missing is the question whether it's wise to hire a convicted hacker as a forensic expert, given the chance that his past will probably be used by attorneys in court to undermine credibility.
Although the forensic expert might act fully professionally and ethically, the attorneys could very well attempt to undermine the credibility of the forensic expert, referring to his past.
@ Niels Groeneveld,
"The aspect I'm missing is the question whether it's wise to hire a convicted hacker as a forensic expert, given the chance that his past will probably be used by attorneys in court to undermine credibility."
I don't know which jurisdiction you come from so the rules may be specific to the court system you have. And there is the issue of over-generalisation in what I'm about to say.
An expert witness is actually appointed to the court to explain to both tribunals what the current state of the field of endeavour's "art or science" is.
This means they have to be recognised by the court, which is a process that should not happen before the jurors, and opposing counsel should bring all points such as this up prior to the expert giving testimony to the jury.
This does not prevent opposing counsel bringing up such things in front of the jurors, but they would have to show relevance in the case at hand or why they did not bring it up prior to the expert testifying.
As for what an expert witness does, it's to present evidence that would ordinarily be excluded (hearsay) in a manner that is acceptable to the court (opinion).
They should at all times be able to demonstrate where their "opinion" comes from and its standing in the field of endeavour.
To do this they have to be able to demonstrate their own standing within the field of endeavour. This would normally be by published articles or academic qualification and practice.
Which is fine for an established field of scientific endeavour. You do however have a problem with non-scientific fields of endeavour such as "art" in its various forms (art is beauty, beauty is truth ;)
Here the standing would be by reputation in the field of endeavour, that is where those practicing recognise a person as having standing.
But what of new fields of endeavour?
This is problematic as standing may have no meaning, especially if the field of endeavour is covert. Thus the expert would either have been previously recognised by a court as an expert witness or have to demonstrate "practice" within the field of endeavour to the court's satisfaction.
And perhaps oddly, having a conviction for committing a related crime has stood as standing in the past. After all, who better than a safe breaker to explain to the tribunals how a safe may be broken into and what methods would work and would not work with a particular model of safe.
Thus it is up to counsel to present their expert to the court for initial acceptance; providing the expert can show impartiality to the case under examination, their opinion will be accepted.
Now there is a catch: a court can "recognise" its own expert and this can be the defendant. The judge has to be content with the fact that the person is the defendant but can show impartiality in their opinion...
This can and has been imposed on defendants by courts as a matter of life's little necessities (it has drawbacks for the defendant). A defendant being recognised as an expert witness is not common but this has happened in ICT related cases.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.