The New Hacker’s List and an Old Debate: Would you Hire a Hacker?

Recently I read some media articles and notes about a new portal that opened a few months ago: The Hacker’s List. The idea of the portal, as can be seen in the hacker’s projects section, is that anyone can request the services of a hacker. Current ‘jobs’ listed include “Facebook hack”, “hack website”, “Gmail password hack”, and “stealing software from a small company”, amongst others. It brings to mind the age-old question I’ve been asked plenty of times before: Would you hire a hacker?

Before I begin, I should make an obligatory reference to the ambiguity inherent in the use of the word “hacker”. A big issue with The Hacker’s List is its loose definition of hacking: not all the activities advertised fall within a legal or ethical scope, which makes it much more difficult to give a single or complete answer.

Generally speaking, when considering the idea of “hiring a hacker”, my answer would be “Watch out!” and then I would ask the person “What kind of hacker?” and “What do you want to do?” With the purist definition of hacker, many of these activities cease to be hacking when they are undertaken for profit instead of mere curiosity, and at the same time, are not outlined among the professional actions defined under the concept of Ethical Hacking, where many hackers develop their professional careers.

Personally, I find it difficult to judge harshly those who look to hackers for “everyday wrongdoings”; to do so would be to deny the “fun” or “curiosity” aspect of this discipline. However, opening a website to pay for those actions already begins to cross some lines that could be dangerous, at least in some cases. At the same time, hiring an unknown person to commit a “wrongdoing” for money is always dangerous; it is liable to backfire if the only thing that the other person is looking for is money. Why wouldn’t the person we are asking to perform a “malicious” action turn against us for more money? Hiring someone for these kinds of activities will always be risky, and I would always advise caution because in the end, the party liable for the actions could be you, and many of these actions could comfortably constitute a criminal offense.

Hackers applying for opportunities on the site could also be a mixed bag: there may be some well-intentioned people, but others less so, making it difficult to offer a resounding YES or NO. Nevertheless, it is always worth emphasizing caution: check as many things as you can about the person you are hiring, and at the very least be careful about the personal data you provide.

For businesses, the question is even more complex: Would you hire a hacker? People often ask me: If someone comes to you looking for a position in your research team and confesses to having “hacked” in the past, would you hire him? This is a very difficult question and it depends on each case, but I know great IT security professionals who did some hacking in their past, when they were young, in some cases even going beyond the boundaries of “fun”. In spite of that, today many of them are great professionals whom I admire and respect, and who many years ago adopted a very clear position regarding what kind of work they want to do and their professional ethics. In fact, the greatest barrier to making this decision is knowing for certain whether the person’s willingness to develop an ethical hacking career is genuine or not. Usually the only evidence is the individual saying “these things are no longer for me, they are part of my youth”, and then it becomes a matter of trust.

However, there are exceptions. A concrete example in our field would be considering someone for work in an antivirus laboratory who, years before, had developed malware or managed a botnet. The answer to this is extremely easy: no. But there are some exceptional cases where I could be persuaded. There’s a clear distinction between someone who, at 25, developed ransomware to extort people, and someone who, at 13, made a simple trojan to hack a friend as a joke. I do not think it’s crazy to hire a person who flirted with hacking in its healthiest form when young, and who wants to use that knowledge to keep on hacking, but in a professional context.

Some will disagree with this and say that ethics should be consistent and all important, but I do think it’s a little more grey than that.

To sum up, the word hacking has become incredibly complex, and websites such as The Hacker’s List don’t help clear up this ambiguity, despite the good intentions they may have. Personally speaking, under the traditional definition of hacking, I have many times given a tentative yes to the question, but hopefully this longer answer clearly shows that it’s far from a black and white issue.

What do you think? Would you hire a hacker?

Author, ESET

  • Maxamillion Mansionhouse III

    My answer is simple. No.

    You could definitely be talking to the FBI on the other end and you’re basically paying them to commit a crime. Seems too easy to put yourself on the bad side of some iron bars or get yourself jammed up, on probation and have a criminal record for the rest of your life over something really stupid to begin with.

  • James

    Yes; but buyers be aware!

  • Coyote

    “Before I begin, I should make an obligatory reference to the ambiguity that represents the use of the word “hacker”. A big issue with The Hacker’s List is its loose definition of hacking, with not all the activities advertised framed within a legal or ethical scope, which makes it much more difficult to give a unique or complete answer.”
    I never thought I’d read something like this. The word has been abused for so many years that I’m actually surprised it is here on welivesecurity.com. Thanks for this ad infinitum. The significance of it is as high as positive infinite; this is just not seen these days.

    “Generally speaking, when considering the idea of “hiring a hacker”, my answer would be “Watch out!” and then I would ask the person “What kind of hacker?” and “What do you want to do?” With the purist definition of hacker, many of these activities cease to be hacking when they are undertaken for profit instead of mere curiosity,”
    Same thing as above. As someone who has been above and below ground, as well as – as you put it – being a purist, I really hate the misuse of the original meaning. It is incredibly ironic too; without hackers – real – the Internet as we know it wouldn’t be what it is. No, make no mistake: those responsible for (especially the lower layers) the OSI model are in the original definition (and then consider the software side, and I mean unrelated to the Internet protocol implementations). At the same time, governments and media – both of which are the main reason the word was long ago tainted – are actually doing what they called hacking (but that actually has zero ethic). Ironically, a certain department in the US government, during The Cold War, were those who created the predecessor to the Internet. The term is near as convoluted as it could be (but I wouldn’t be surprised, either, if it ever gets more so).

    As for this issue: there’s another thing to watch out for (and frankly I have no problem with this when it happens), which is that you might think you’re hiring a criminal (which really is what it comes down to; pentesters and the like aren’t going to be advertising in this way, are they?) but you might instead be giving the authorities a reason to show you a warrant. Consider something else, too: your computer is at risk. Your computer at risk risks all computers. But forget other computers, that clearly isn’t your problem or wish anyway (but assuming you did have a problem with that you should still consider this); your computer at risk risks your personal information including potentially your identity (or enough information to take it) or finances or… the list goes on. It’s a long list, too.

    Of course, I now see Maxamillion’s response and similar point with authorities. Yes, as (he?) put it, it is indeed really stupid.

    • Maxamillion Mansionhouse III

      For informational purposes I am a he, ha.

      I agree.
      I would think at least you’d have to assume they’re (the popo) going to be interested in watching something like this on some level: be it posting listings themselves and reeling in the dummies that take the bait, or something like watching the transaction from a distance and pouncing after the crime has been committed.

      To me it seems way too full of risk.
      Yea you might get lucky and get what you want.
      Maybe get lucky a few times even but someone would have to think that with the variables of doing something like this, there could be many loose ends that lead back to you.
      After all you don’t really know how bad the person you paid might’ve messed up and do you think they’ll tell you they did or are they good enough to even know they left a trail somewhere?

      • Coyote

        For information purposes, I’m a male but I’m not a human. (Maybe quirky) humour aside, responding to a specific point you make, and how it is nothing new yet something so many miss (and give an analogy from the history books)
        This:
        “After all you don’t really know how bad the person you paid might’ve
        messed up and do you think they’ll tell you they did or are they good
        enough to even know they left a trail somewhere?”

        … is something far too many do not think about, in general. It is ironically how the Gestapo (I studied Nazi Germany extensively – it is absolutely fascinating and while some might call me out here, the psychology is still fascinating to me, and frankly I enjoy history in general; the world didn’t learn from it anyway, and anyone is welcome to criticise me – it doesn’t at all bother me) operated; indeed, you had no idea if there was someone eavesdropping on your conversation (who might actually tell – unintentionally – someone else that is a spy, information that then leads to the original conversationalists being taken into custody), or if the person you’re talking to is really who they claim (or that they don’t actually say or show something to someone else who is a spy).

        On the other hand… in this case, it is a good thing: DDoS attacks are a huge waste of resources, for those directly involved, any potential backscatter and then there is also the Internet backbones (etc.) involved!

        And… you don’t need to assume they would watch this type of thing. They do. Whether they actually raid anyone is circumstantial but they’ve definitely done this type of thing before, and generally a very good thing indeed (arresting those who would otherwise solicit children for.. don’t even get me started on this!). This also includes journalists that do this type of thing (and good on them, especially with the potential abuse they endure)!

        • Maxamillion Mansionhouse III

          I heard a tactic used in Germany during that time that was more hands on was that they would send out communications to multiple journalists…basically telling them that they have dirt on the Nazis, want to meet them in person but in a secret location to disclose their secrets.

          As it was a numbers game, so many would agree to meet them and get the info they had….they would set up different times for the person(s) who agreed to meet them.

          Well the journalist would show up thinking he was meeting a person that was a traitor with a boatload of secrets on the Nazis and find himself standing in front of a couple of Nazis…to which then bad things would happen to that person for even agreeing to meet up with someone that had secrets that was willing to share them.

          This served as an example to anybody that heard the story….you never know who you might be letting know that you have dirt on those in power so better to not talk to anybody.

          • Coyote

            Indeed true. They really were organised (albeit to those who have studied that time, it is easy to pick out a couple of mistakes as critically damaging them) and they abused trust, mistrust, fear, calm, and in general not even they would know the full story (and indeed there was infighting, including one incident at the end of the war, not long before Hitler killed himself – April 30, 45 – in which one high ranking official was immediately dismissed simply because another had told Hitler)[1]. As for all this, it is most interesting to note a specific example of how they knew far too much for others’ comfort yet didn’t know as much as they would have believed: the Gestapo once offered a job to a Jew, and this Jew in particular escaped two or three times (he was finally caught up with but he survived). Looking for a reference here…

            http://www.bbc.com/news/magazine-30811763

            (The BBC has some fascinating stuff). Yes, off topic and hopefully not a problem to the site; I think it does give more to the point of just how problematic that trust is and yet at the same time it is something most rely on.

            [1] It affected them too.

          • Maxamillion Mansionhouse III

            Thanks for that link. It was interesting to read.

Copyright © 2017 ESET, All Rights Reserved.