Information Security News mailing list archives

Hackers Being Jobbed Out of Work


From: InfoSec News <isn () c4i org>
Date: Tue, 3 Sep 2002 04:07:37 -0500 (CDT)

http://www.wired.com/news/culture/0,1284,54838,00.html

By Noah Shachtman 
2:00 a.m. Aug. 30, 2002 PDT 

Not too long ago, skilled hackers were rewarded with fat salaries and
fancy titles after being busted for their shenanigans.

Now, Max Vision -- a world-famous incarcerated
hacker-turned-security-expert once making $250 an hour -- is happy to
be getting minimum wage.

These are tough times for hackers. Federal agencies now have broad new
powers to spy on them, thanks to provisions in the anti-terrorist USA
Patriot Act. The House of Representatives has passed a new law that
will send convicted hackers to prison for life. And, the information
technology job market is so soft, it's tough finding straight work.

"We don't hire former hackers," said Jim Chapple, who leads security
teams at Computer Sciences Corporation. "There are enough highly
skilled people out there that we don't need ones with checkered
backgrounds."

That certainly rules out Vision, aka Max Ray Butler, a 30-year-old
Idaho native. He recently served a year in a federal prison for
intruding onto government and military computer networks in 1998.

Life on the inside at Taft Correctional Institution, a low-security
facility in the California desert, was bearable. The showers were
private. His cellmate was harmless, a professor who had misspent
federal grant money.

But events in the outside world were heartbreaking. His wife, Kimi --
the only partner in his security consulting practice -- ran off with
someone else just two months after Butler went to prison.

Sharing a room with five others in an Oakland halfway house, Butler's
still tortured by the loss.

The pressure from the facility's managers hasn't made things any
easier. The director recently threatened to send Butler back to jail
if he didn't find a job.

But landing work has not been easy. A recruiter for Robert Half
International -- where Butler had his first network-penetration
testing job, in 1997 -- was eager to bring him in. But when Butler
told a supervisor about his felonious past, "his face just dropped,"  
Butler said. "He ushered me out of his office, and that was it."

Many companies are reluctant to give jobs to hackers. In a recent
survey, according to Lawrence Walsh, an editor at Information Security
magazine, only 14 percent of U.S. companies said they'd be willing to
hire former hackers to help secure their networks.

After months of hitting such roadblocks, Butler sent an e-mail to
security-oriented lists requesting any kind of work.

"I have been showing up at places that farm out manual labor (at) 5:30
a.m., and still haven't found any work," Butler wrote in that message.  
"Surely there is some open position at a security company in the area
-- hire me as a janitor, but give me a cubicle and I'll do
vulnerability research or help with security audits or have me sling
HTML. Who will know?"

It's ironic that Butler -- almost universally considered one of
hacking's good guys -- would find himself in such a position.

"He's done a lot of great things for the security community," said
Eric Smith, the former Air Force computer crimes investigator who
helped bust Butler.

For years, Butler was an informant to the FBI, tipping agents off to
technical developments like an encrypted IRC chat program. His
website, Whitehats.com, cataloged hacker attacks and provided ways to
detect them.

He believed he was doing the right thing, too, when he launched an
Internet worm that fixed a critical hole in the BIND domain-name
server program, a then-ubiquitous program for matching IP addresses
with website names.

The Air Force and the FBI didn't take such a benign view. They raided
his home shortly thereafter. Butler then confessed that his worm had
created a back door, allowing him access to the systems he had fixed.

In exchange for his freedom, the FBI pressured Butler to snoop on
other hackers. He went along, up to a point. But he refused to wear a
wiretap to record conversations with his friend and fellow hacker
Matthew Harrigan, then the CTO of a San Francisco security firm.  
Butler was arrested shortly thereafter.

Many in the security field said that hackers like Butler, the ones
with real talent, will always be able to find straight work, no matter
what they've done in the past.

"Anyone who writes a good security application gets hammered with job
offers. There are just not that many people skilled in computer
security, and the need is huge," said one hacker, "The Pull," who also
works in mainstream computer security.

Others aren't so sure.

"With so many corporations downsizing, there is a glut of talent
competing for a very limited number of job opportunities," said
Marquis Grove, who runs the SecurityNewsPortal.com website.

One security professional who's been searching unsuccessfully for work
added in an e-mail, "Since the 9/11 incident, companies are looking at
any skills that a prospective employee has and thinking about what
could possibly go wrong if this employee turned rogue."

Fortunately for Butler, the response to his e-mail plea for work was
tidal. He received several job offers right away.

But he couldn't take the work -- the jobs were in other states, other
countries, even. The halfway house's managers said Butler had to work
within an hour of the facility.

Finally, a former colleague, Steve Kirschbaum, who runs a security
consultancy, Secure Information Systems, said Butler could work in his
home office in Fremont for the minimum wage. If Butler lands any
outside clients while under Kirschbaum's roof, they would split the
profits.

Though the halfway house takes a quarter of his meager salary, Butler
was happy to finally have a job. But he can't start work yet. Butler's
supervisors are currently checking with the Bureau of Prisons to see
if his job is OK. Because, like many convicted hackers, Butler must
get a parole officer's consent before he can use the Internet.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

