Column: In Response To..
Hackers in the Workplace
On June 2nd, Bob Sullivan released an excellent MSNBC article
entitled "Perils of moonlighting as a hacker". This article
opens with information on a Microsoft employee who found
himself on the wrong side of an FBI raid. Sullivan goes on to
question "Are hackers working all over the software industry?"
Corporate minglers by day, hackers by night. But how prevalent
are these types of characters, and are they a threat to your
organization? Where do they stand ethically?
Hackers in the Work Place
After spending almost five years in the computer industry
(most of it spent in security-related positions), the number
of hackers working alongside you may be astonishing. Every
new contract, each new job, I would inevitably run into
another person with some sort of 'hacker' background.
Some were hackers long ago when the term held real meaning
while others had simply read Phrack or 2600.
Often times while working with a team doing a penetration test
of a client system, I would find myself surrounded by hackers.
By day, we addressed each other by first name. Our clients
gave no sign they were aware of our background. By night, the
team reverted to nicknames and a lighter atmosphere, and the
real work began. Creativity hit its peak during the late
evening and success was achieved more often than not on 'off'
hours.
Was the fact that our group had hacker backgrounds of concern?
Not at all. Each and every one of us was there to give the
client what they wanted, no questions asked. To date, security
audit teams populated with hackers have operated more
ethically and more precisely than any other team I have been
on. Hackers know their job is on the line and they could be
looking for new work over the slightest screw-up. With that in
mind, there is no reason to risk anything at all.
Do hackers populate the security industry? You bet they do.
Companies like ISS, NFR and NAI are littered with them.
Those companies admitting to it is an entirely different
story.
Beyond Security
The computer world doesn't revolve around the security of the
systems. The entire basis of computer networks running from
day to day is handled by a different set of techies. Network
engineers and system administrators are the true backbone of
any network. Often times these are the folks with an
understanding of networks and protocols unmatched in the
industry.
Often times, these admins are hackers too. Some may use their
knowledge to romp around the internet during the night, while
others may be part of teams developing or upgrading free
software. Regardless of their nocturnal or extracurricular
activity, they typically perform their jobs better than most.
More passive, and less noticed, are the hackers that are just
gaining speed in the world of hacking or business. Looking to
get a foot in the door, they take positions doing low level
tech support, helpdesk, or often hardware support. Despite
some hackers having piercings or tattoos that match the
stereotype, thousands interact with you day to day and go
undetected. You eat lunch with them, you trust them with your
keys and more. Like you, they dress in a white shirt and a tie
and blend in just fine.
The Coverup
Hackers (thanks in large part to media hysteria) are
considered to be malicious, unethical, and irresponsible. On
the other hand, they are rumored to be the most technically
gifted as well. This puts companies in a bind: do they hire
hackers or not?
Not surprisingly, they don't know (in more ways than one). To
satisfy public opinion and customers, companies do NOT hire
hackers, especially in the security industry. Behind closed
doors, they hire hackers left and right. In some cases, they
do it in ignorance of their new employee's background. They
hire young men and women capable of doing the job, often
willing to work for a lot less than the national average salary.
In other cases, security companies in particular, they hire
hackers knowing full well the background and training that
led to their expertise. They know that the individuals have
broken into computer systems, defaced web pages, and even
deleted entire servers. These companies rely on the newly
employed hackers to blend in with the rest of their team, or
more often than not, work behind closed doors, away from
customers.
In today's computerized and supposedly ethical world, image is
everything. When you work with security firms, you can almost
count on a small percentage of staff having a 'hacker'
background. We all know it, why can't they admit to it?
fin
As you go about your daily work schedule, there are a few
pointers that can help you spot these hackers. Odds are they
will be the top technical people in your organization. They
will be the ones coming up with ingenious solutions to bizarre
problems. Often they will be the first in to work, and the
last to log out at night. They are ethical and can be trusted
as much as any of your other friends.
Brian Martin
Copyright 1999 Brian Martin
HNN Editors Note: HNN has received email from Network Flight Recorder
Inc. stating that they do not hire known 'hackers' as mentioned in
this article. Brian Martin did not mean to imply NFR was necessarily
"littered" with hackers, but that many large security companies DO
hire them, knowingly or not.