February 26, 2001, 11:14 AM — I'm sitting at my desk, having a cup of coffee and a toasted bagel when I notice this young, blond, pimply-faced kid standing outside my cube with this smirk on his red, puffy-cheeked face. I ask him what I can do for him, and he hands me a piece of paper with a Web site address written on it. It looks like an address that a customer would use to access the application that we host.
I ask what this is all about and he introduces himself as one of our company's application developers. He explains that he likes to "kinda hack a little bit" on the side and how he "discovered this" while playing around at home. I take the Web address, type it into my browser, hit Enter and a list of customer names, addresses, phone numbers and credit card numbers appears on screen.
Uh-oh. This information is normally supposed to be accessible only through a series of authentications, but the address bypassed the authentication mechanisms and displayed the data. The kid goes on to explain to me how the application programming interface (API) isn't configured properly and how many other pages can be displayed by bypassing the authentication screens. I thank him for the information, take a few notes on the details of the authentication API and then begin to interview him.
He's just 23 years old and has been playing with Linux since he was 14, started programming at 16 (for fun, he says) and has had part-time and full-time jobs as a Unix and Windows NT administrator and as an application developer for the past six years. He has no college education (but has just enrolled), and security is his hobby.
Eureka! I've hit the jackpot. A perfect fit for my plan to conquer the world. Even better, the application development project he had been working on was finished, and he had been expressing an interest in security for some time. To make a long story short, I put in a request to have this kid transferred into my group. He's Unix-savvy, bright, articulate and, best of all, he knows our business very well. He's been working as a developer for almost two years and therefore has an extremely in-depth knowledge of the application we host and sell to customers.
As many readers probably know, security professionals are extremely difficult to find. In my experience, there are many of what I call "articulate incompetents": those who make great managers but can't do the keystroking if their lives depended on it. They can address a variety of audiences and wow them with security lingo and pontifications on security best practices and the ramifications of weak security. But ask them to install and configure a firewall-to-firewall virtual private network and they don't have a clue. In a large or consulting organization, security professionals of that type will fare well and are often needed. In a start-up environment, however, even the manager needs to get his hands dirty.
What's difficult is finding a mix of well-rounded individuals with good communication skills and some business sense, combined with years of hands-on Unix, Windows NT, programming and, most important, hacking skills. Yes, that's right, hacking skills. I've been involved in many hiring processes and in my experience hackers make the best employees on a security team. They're dedicated, disciplined, savvy and very technical. Yes, I sometimes have funny feelings about these folks, but as long as they pass a full background check and they have a reputable resume, I'm comfortable.
I believe that 98 percent of the people in this world are genuinely good. Most hackers, when faced with the opportunity to take advantage of a weakness and exploit it for some fiduciary gain, will shy away. Take a look at most of the "hacked" Web pages out there. The verbiage is that of an adviser: "This Web site hacked by [whomever]," or "Your security sucks. Your original home page is here [link to page]." Yeah, it's embarrassing and makes you feel violated, but most hackers will stop after they've hacked the Web page. Don't get me wrong, I would never hire anyone who I felt was a criminal. I've got a fairly good sense about people, and I haven't made a hiring decision I've regretted. Anyway, that's my two cents on today's hackers and why I usually don't have a problem hiring them.
Shopping Spree Begins