In Response To: Hackers in the Workplace

On June 2nd, Bob Sullivan released an excellent MSNBC article 
entitled "Perils of moonlighting as a hacker". This article opens with 
information on a Microsoft employee who found himself on the wrong side of an
FBI raid. Sullivan goes on to question "Are hackers working all over the 
software industry?"

Corporate minglers by day, hackers by night. But how prevalent are these
types of characters, and are they a threat to your organization? Where do 
they stand ethically?

Hackers in the Workplace

After spending almost five years in the computer industry (most of it
spent in security-related positions), the number of hackers working
alongside you may be astonishing. Every new contract, each new job, I would
inevitably run into another person with some sort of 'hacker' background.
Some were hackers long ago when the term held real meaning while others
had simply read Phrack or 2600. 

Oftentimes while working with a team doing a penetration test of a client
system, I would find myself surrounded by hackers. By day, we addressed
each other by first name. Our clients gave no sign they were aware of our
background. By night, the team reverted to nicknames and a lighter
atmosphere, and the real work began. Creativity hit its peak during the late
evening, and success was achieved more often than not during 'off' hours.

Was the fact that our group had hacker backgrounds of concern? Not at all.
Each and every one of us was there to give the client what they wanted,
no questions asked. To date, security audit teams populated with hackers
have operated more ethically and more precisely than any other team I have
been on. Hackers know their job is on the line and they could be looking for
new work over the slightest screw-up. With that in mind, there is no reason to
risk anything at all.

Do hackers populate the security industry? You bet they do. Companies like
ISS, NFR and NAI are littered with them. Those companies admitting to it is 
an entirely different story.

Beyond Security

The computer world doesn't revolve around the security of the systems. The
entire basis of computer networks running from day to day is handled by 
a different set of techies. Network engineers and system administrators
are the true backbone of any network. Oftentimes these are the folks with
an understanding of networks and protocols unmatched in the industry.

Oftentimes, these admins are hackers too. Some may use their knowledge to
romp around the internet during the night, while others may be part of teams
developing or upgrading free software. Regardless of their nocturnal or
extracurricular activity, they typically perform their jobs better than

More passive and less noticed are the hackers that are just gaining speed
in the world of hacking or business. Looking to get a foot in the door,
they take positions doing low-level tech support, helpdesk, or often
hardware support. Despite some hackers having piercings or tattoos that
match the stereotype, thousands interact with you day to day and go undetected.
You eat lunch with them, you trust them with your keys and more. Like
you, they dress in a white shirt and tie and blend in just fine.

The Coverup

Hackers (thanks in large part to media hysteria) are considered to be malicious,
unethical, and irresponsible. On the other hand, they are rumored to be the
most technically gifted as well. This puts companies in a bind: do they hire
hackers or not? 

Not surprisingly, they don't know (in more ways than one). To satisfy public
opinion and customers, companies do NOT hire hackers, especially in the
security industry. Behind closed doors, they hire hackers left and right.
In some cases, they do it in ignorance of their new employee's background. 
They hire young men and women capable of doing the job, often willing to work 
for a lot less than the national average salary.

In other cases, security companies in particular, they hire hackers knowing
full well the background and training that led to their expertise.
They know that the individuals have broken into computer systems, defaced
web pages, and even deleted entire servers. These companies rely on the
newly employed hackers to blend in with the rest of their team, or more
often than not, work behind closed doors, away from customers.

In today's computerized and supposedly ethical world, image is everything.
When you work with security firms, you can almost count on a small percentage
of staff having a 'hacker' background. We all know it; why can't they admit
to it?


As you go about your daily work schedule, there are a few pointers that 
can help you spot these hackers. Odds are they will be the top technical
people in your organization. They will be the ones coming up with ingenious
solutions to bizarre problems. Often they will be the first in to work,
and the last to log out at night. They are ethical and can be trusted
as much as any of your other friends.

Brian Martin 06.10.99 (c)opyright 1999 Brian Martin