Doing Biz with Hackers: Do Bad Guys Make the Best Good Guys?

Tuesday, March 06, 2012

Rafal Los


Can the zebra change its stripes? If you're a black hat hacker, will you always be one?  What if you're one of those "I messed up, I was busted, did time, but now I'm a good guy, trust me" types... do you deserve a 2nd (or 3rd...) chance?

Does it make sense that the best people to teach you how to safeguard your valuables are the convicted crooks?

I know this is a touchy issue. I realize there are many in Infosec who hero-worship people who are "reformed" convicted criminals.

I also know many of you reading this already have an opinion formulated and yes, it's been discussed at length already repeatedly - but it's becoming relevant right now, and here's why.

If you look at how desperate many organizations are to hire good Information Security talent, you'll notice that the salaries are rising, and many of us are getting the recruiter call more and more often.  This is because, as the need for qualified security professionals with real experience, understanding, and talent grows, the pool of that talent hasn't kept up.  So... what to do then?

The significance of quality talent in Information Security can't be overlooked, because having a second-rate individual watching your organization's virtual piggy-bank is just as good as having no one.  Furthermore, it's not like there are thousands of ex-con hackers floating around out there looking for work - but I suspect there are more than you think.

Let's break this issue of reformed hackers down then.

Psychology - Can People "Change"?

I think at the root of this debate is the fundamental question of - do people change?  I have my personal opinions, but all-in-all I think people's nature does not change, but that does not speak to their motivations.  This can easily be turned into one of those arguments where we discuss the ethics of a poor man stealing a loaf of bread to feed his starving family - but let's not do that.  Let's instead discuss motivations in a matter-of-fact exercise.

I believe hackers fall into at least 3 categories.  There are those who were "young and stupid", there are those who "honestly didn't think they were doing harm", and then there are those who were/are "outright bad".

The first category I can almost sympathize with, as many of us in our younger years got curious, weren't experienced or clear-thinking enough to "know better" and simply did something stupid.  Once.  We may have gotten caught, or not, but we now know better and it's not an exercise we wish to repeat.  I'm inclined to cut these people a break, especially if the history of doing bad things ends there and they're willing to tell you about it in a way that makes sense.  A review of the issue followed by perhaps a probationary period, and things should be OK, generally.

The second category is a case-by-case gray area and encompasses reverse engineering which is technically illegal but was done for research purposes, and crimes which were committed and perhaps prosecuted in the name of the greater good.  I don't want to expand any further on that point, on purpose - because it leads down a philosophical rabbit hole I'm simply not willing to engage in at this point, in blog format.

Again, these types of cases require a case-by-case review and assessment based on the situation they're being put in.  Would you hire a person with a conviction for burglary to set up your home security system?  The answer is probably different in different contexts when more specific information is provided.  Would you hire someone who was convicted of data theft to manage a call center, or manage your databases?  These aren't trivial questions, and they're ones I'm sure HR departments deal with at least semi-regularly.

The final category is black-and-white, at least as far as I'm concerned.  If you have a conviction for identity theft (as a participant, an organizer, or a hacker) you're unlikely to be granted the opportunity for employment, or given access to anything with a keyboard or any other access which would let you do it again, in the company seeking to hire you.

Perhaps you'd be a good janitor - but even that's not likely in large corporations.  I don't see a whole lot of room for debate here, but I'm curious how others think. Phil Cox, CISO of RightScale, had this to say:

"I think hiring "ex-hackers" is a case by case basis. An analogy to hiring those who have had trouble with the law. If it was a problem because of "youthful inhibition and naiveté" then I believe everyone deserves a second chance. If however, you are a convicted murderer, you don't get to babysit my kids. If the ex-hacker was mature enough to have consciously made the decision to "do harm", sorry no second chances. I would hire the first, I would not entertain the second.  The risk of the second gaining enough access to take me out is not something I am willing to risk. Besides, there are enough really good white-hats that you don't need the latter."

I am inclined to largely agree with Phil's generalization, maybe with a little less gray area, though. Jeff Reich, a personal friend, experienced security executive and ISSA distinguished fellow, had this comment:

"Zebras have stripes because of their DNA.  I am not suggesting that any recovering hacker cannot contribute to society and I believe that people, having paid debts to society, deserve opportunities to contribute.  The question at hand is what motivated hackers to their behavior in the first place?  Do we know that?"

"If not, then we cannot assume that the motivation is gone.  If we do know the motivation, what is sufficient demonstration that the associated incentive is no longer appealing?  If you are comfortable with having former thieves guard your valuables, you might be comfortable with a recovering hacker.  There are almost always better options out there with better reputations."

Not everyone feels the same as these two execs though.  There are certainly circumstances where you're looking to hire someone who clearly has to be top-notch at breaking and reversing.

Perhaps you're working in a security laboratory, or staffing penetration testers (I cringe writing this because this could get very, very ugly... think about it), or some other professional niche that doesn't require such strong convictions to do good.  Not that I'm in any way advocating that last sentence...  Xavier Ashe of IBM Security Systems had this to say: "I know several people that hold some pretty decent positions from "back in the day". So the answer is yes [I would hire them], if I needed him/her."

Definitely a unique perspective from the others so far, and one I don't think I'd share in.  I know here at the mothership we have a very strong Standards of Business Conduct policy - being a convicted criminal would likely disqualify you - although I'm not in HR, so I don't know for sure.

The point Jeff makes about motivations is a critical one.  If someone had motives to do evil, was caught and is put in a position where those motives don't directly apply - is it safe to hire them?  Will they find other motivations because they're easily influenced? 

Maybe your motivations were simply to make 'society aware' of how insecure that building's access system was when you reverse engineered it and exposed the flaws to the world - before you were arrested and prosecuted.  While your intentions are debatable, the actions clearly aren't... so this puts us back into that gray area.  Again, I'll reserve some of my personal commentary on the topic for more in-person conversations where it's not one-sided like a blog post.

Doing Business with Reformed Criminals

Let's add a bit of cold water to your face.  How many security consultancies or similar organizations do you think your company or organization has done business with that have staffed convicted hackers?  I can name at least 3 off the top of my head that many of you do business with every day that are proud of their "hacker heritage" and use that as a badge of honor and selling point.  How do you trust a company like that?

Let's try this again - how do you know whether the security company (or any company, really) you're doing business with is squeaky clean, or not?  I'm sure many of them simply don't advertise the criminal records of their employees, and some don't even tell you much about the consultant who will be performing your penetration test or widget analysis at all.  Do you request resumes?  Do you request background checks?  Do you do your own?

I'm asking these questions because they have very serious and real implications for today's world.  As a perfect example of what I'm stirring here - think about Anonymous.  Now, not to raise the fear flag, but how can any of us who run businesses be even remotely sure that one of our employees isn't providing information or access to the collective which wants to bring about anarchy and destroy businesses? 

Further still - if the government couldn't and can't seem to keep their own staff on the up-and-up, what snowball's chance in hell do the rest of us have?  I'm not saying it's even possible to know which way our employees' moral or intellectual compass points in secret - but it's sure something to think about when you're designing your systems, right?

What about the company that does your network monitoring, sells you your DLP, or performs your software security reviews?  Are you sure of their intentions, motivations and backgrounds?  Are you confident that none of those are staffed by people who have criminal convictions, or black-hat tendencies?  Have you even thought about this before? (I hope the answer is absolutely yes)...

Again, this all goes back to risk analysis.  How confident are you, the manager or owner of the risk, that the person you're bringing on board, or hiring for outsourced work, isn't going to actually increase your risk posture rather than decrease it?  Have you heard the story of the company who hired a consultancy to do their systems review and got a clean bill of health, only to realize that there were vulnerabilities discovered in the analysis but the analyst kept them to himself and sold them on the black market?  Probably not.

This is a Strange Business

In a business model where we depend on high-grade talent that absolutely must be more than just 'corporate do-gooders' who follow the rules, the lines get blurry.  This is a fact of Information Security, and a fact of any security-related business.  Whether you're doing business with a private defense contractor, a bodyguard company, or an Information Security consultancy - the lines between white hat and black hat are a little gray.

The law isn't so accommodating though, and if you're caught knowingly hiring someone who has a dark past and then does bad things to your customers, I can virtually guarantee you'll be roasted and toasted in the public eye and by your customers - but is it worth the risk?  As one of my favorite shows, Leverage, puts it - "sometimes the bad guys make the best good guys"... but is that really true?

What do you think?  If you're on LinkedIn, check this discussion thread out:

Cross-posted from Following the White Rabbit

Jackie Singh: I understand this article and its viewpoint, but feel one point, in particular, should be clarified in a world where we are primarily dependent on databases to tell us whether someone has ever been on the opposite side of the law or not: All of the above is well and good so long as the potentially unsavory person you're hiring doesn't have an actual criminal record. There is still no reliable way to ferret out what someone's motivations are from the outset, even without taking into account what they might be after a conviction has occurred.

I would posit that in a community where such a large percentage of individuals learn their workforce skills in unsupervised, didactic, and sometimes illegal ways (in opposition to any other legal industry I can think of in today's day and age), a conviction might increase overall risk by a smaller amount than one would think.

The trust models in use by the hacker community since the 80's do not scale well, and the number of "information security professionals" rises, our processes will need to be revised to incorporate systems that allow us to measure and gamify trust and confidence among individuals.

I am currently working on such a project and expect it will be of great interest to our industry.
Jackie Singh: *as the number of infosec professionals rises