In Response To: Hackers in the Workplace On June 2nd, Bob Sullivan released an excellent MSNBC article entitled "Perils of moonlighting as a hacker". This article opens with information on a Microsoft employee who found himself on the wrong side of an FBI raid. Sullivan goes on to question "Are hackers working all over the software industry?" Corporate minglers by day, hackers by night. But how prevalent are these types of characters, and are they a threat to your organization? Where do they stand ethically? Hackers in the Work Place After spending almost five years in the computer industry (most of it spent in security related positions), the amount of hackers working along side you may be astonishing. Every new contract, each new job, I would inevitably run into another person with some sort of 'hacker' background. Some were hackers long ago when the term held real meaning while others had simply read Phrack or 2600. Often times while working with a team doing a penetration test of a client system, I would find myself surrounded by hackers. By day, we addressed each other by first name. Our clients gave no sign they were aware of our background. By night, the team reverted to nicknames and a lighter atmosphere, and the real work began. Creativity hit its peak during the late evening and success achieved more often than not on 'off' hours. Was the fact that our group had hacker backgrounds of concern? Not at all. Each and every one of us were there to give the client what they wanted, no questions asked. To date, security audit teams populated with hackers have operated more ethically and more precisely than any other team I have been on. Hackers know their job is on the line and they could be looking for new work over the slightest screw up. That in mind, there is no reason to risk anything at all. Do hackers populate the security industry? You bet they do. Companies like ISS, NFR and NAI are litered with them. Those companies admitting to it is an entirely different story. Beyond Security The computer world doesn't revolve around the security of the systems. The entire basis of computer networks running from day to day is handled by a different set of techies. Network engineers and system administrators are the true backbone of any network. Often times these are the folks with an understanding of networks and protocols unmatched in the industry. Often times, these admins are hackers too. Some may use their knowledge to romp around the internet during the night, while others may be part of teams developing or upgrading free software. Regardless of their nocturnal or extracarricular activity, they typically perform their jobs better than most. More passive, and less noticed are the hackers that are just gaining speed in the world of hacking or business. Looking to get a foot in the door, they take positions doing low level tech support, helpdesk, or often hardware support. Despite some hackers having piercings or tattoos that match the stereotype, thousands interact with you day to day and go undetected. You eat lunch with them, you trust them with your keys and more. Like you, they dress in white shirt and a tie and blend in just fine. The Coverup Hackers (thanks largely in part to media hysteria) are considered to be malicious, unethical, and irresponsible. On the other hand, they are rumored to be the most technically gifted as well. This puts companies in a bind: do they hire hackers or not? Not surprisingly, they don't know (in more ways than one). To satisfy public opinion and customers, companies do NOT hire hackers, especially in the security industry. Behind closed doors, they hire hackers left and right. In some cases, they do it in ignorance of their new employee's background. They hire young men and women capable of doing the job, often willing to work for a lot less than national average salary. In other cases, security companies in particular, they hire hackers knowing full well the background and training that lead to their expertise. They know that the individuals have broken into computer systems, defaced web pages, and even deleted entire servers. These companies rely on the newly employed hackers to blend in with the rest of their team, or more often than not, work behind closed doors, away from customers. In today's computerized and supposed ethical world, image is everything. When you work with security firms, you can almost count on a small percentage of staff having a 'hacker' background. We all know it, why can't they admit to it? fin As you go about your daily work schedule, there are a few pointers that can help you spot these hackers. Odds are they will be the top technical people in your organization. They will be the ones coming up with ingenius solutions to bizarre problems. Often they will be the first in to work, and the last to log out at night. They are ethical and can be trusted as much as any of your other friends.
Brian Martin 06.10.99 (c)opyright 1999 Brian Martin -EOF