Penetration Testing mailing list archives

Re: felons as pentesters


From: "J. Oquendo" <sil () infiltrated net>
Date: Fri, 03 Dec 2010 16:44:22 -0500

On 12/2/2010 11:57 AM, amir shadrazar wrote:

<snip>
> I have a personal friend who has recently asked for my advice. He was
> convicted of a felony for grand theft auto when he was 21 or so back
> in the early 1990's and a separate misdemeanor charge for fraud. He
> served his time, less than 1 year, paid restitution and completed
> probation successfully in the mid '90s.

His age, etc., are completely irrelevant. He was convicted of a crime,
period. No one is going to want to hear why. What they WILL want to know
is what has he done with himself in the interim. Has he grown
professionally, what has he done. Some companies are forgiving and some
aren't. In financial companies where bonding is concerned, the company
will have to pay a higher insurance premium so most of the time, they
won't bother with felons no matter what. This is what I call "the power
to punish" where no matter what someone has done in life, it will carry
on forever. Regardless if it was accidental, wrongful conviction, etc.,
at the end of the day, no one cares - sorry this is reality.


> The questions are this (answer depending on the sector you work in):
>
> Would you hire this person to work for your company providing internal
> security and pentest services?

Depends on his experience

> Would you (as a consulting firm) hire this person to perform
> consulting and pentest services on behalf of your firm?
>
> Would he ever be able to receive a security clearance (even a low
> level secret clearance) and employment from the Federal government?


Yes, he must demonstrate he is eligible for clearance.

"In 1985 and 1987, the police arrested and charged Applicant with
possession of marijuana, grand larceny and drug paraphernalia. He served
15 months in prison for these crimes. In 1997 and 2004, after out of
control arguing with his wife, the police arrested and charged him with
assault and battery. Applicant failed to list his 2004 arrest and the
amount of jail time served from the 1985 incident on his SF-86. He
learned the welding trade in prison, has worked regularly since leaving
prison, and has been steadily employed with his current employer for
five years. He and his wife are separated and he is seeking a divorce.
He has mitigated the government's security concerns under Guidelines J
and E. Guidelines J and E are found in favor of Applicant."
http://www.dod.gov/dodgc/doha/industrial/06-19914.h1.pdf


...

Applicant served six months in prison for his involvement in a car theft
in 1989 and less than a year for a drug offense in 1993-1994, and was
arrested for battery in February 1996 and in October 1996 for a drug
offense and a handgun offense, but he later became a highly respected
employee of a defense contractor. He received a Chapter 7 bankruptcy
discharge in September 2003, but he still owes a child support arrearage
and delinquent state taxes, which he was paying by payroll deduction
until he was terminated from his latest job for lack of a security
clearance. He erroneously answered "no" to questions on his security
clearance application about his criminal record. The allegations of
falsifying his SF-86 are rebutted, and the security concerns based on
criminal conduct and financial considerations are mitigated. Clearance
is granted.
http://www.dod.gov/dodgc/doha/industrial/02-29259.h1.html

...

Applicant's mitigated security concerns over his criminal conduct,
personal conduct and alcohol issues. At each stage of the investigation
from 1996 to 2005, Applicant established he had no intent to falsify: in
three different security forms he repeatedly complied with his duty to
disclose adverse information on his arrest record and also provided
substantial adverse details in his 1998 statement. While he has multiple
misdemeanor arrests from 1988 to 2004, he has no recent incidents in the
past three years and has fully complied with all court-ordered alcohol
education and probation requirements after his alcohol-related arrests.
Clearance is granted.
http://www.dod.gov/dodgc/doha/industrial/05-08486.h1.html

...

Applicant is a 45-year-old mechanic who has been employed by a
contractor since July 1980. He has a lengthy history of criminal
activity, most of which is related to problems with alcohol. Between
1981 and 2001, he had at least five convictions for driving under the
influence, which included court-ordered attendance at the alcohol safety
action program each time. After the 2001 incident, Applicant decided to
stop drinking and has been sober. He did not deliberately falsify a
material fact in a question on his security clearance application.
Applicant has mitigated the criminal conduct, alcohol consumption, and
personal conduct security concerns. Clearance is granted.
http://www.dod.gov/dodgc/doha/industrial/05-15659.h1.html


---------------- / End article snippets.

He would have to disclose EVERYTHING he has ever done - cause guess
what... they'll find out anyway no matter how silly he thinks a
situation may be.

As for hiring felons, it all depends on the person, the crime and a
couple of other parameters. Mainly, what has he done in the meantime,
how long ago was his/her crime, what did he/she learn, are they or have
they integrated themselves back into a productive life. Poop happens in
life, people are people. To those who wouldn't/won't hire a felon,
apparently they're statistically unaware that:

There are 1 in 100 adults in the United States living behind bars 2010
http://www.pewcenteronthestates.org/uploadedFiles/Prison_Count_2010.pdf

1 out of every 36 Americans either were incarcerated, on probation or parole
http://bjs.ojp.usdoj.gov/content/pub/pdf/ppus06.pdf
http://bjs.ojp.usdoj.gov/content/glance/tables/corr2tab.cfm

There will be a point in time where the numbers will be so high, many
will have no choice but to review their policies. Anyway, enough
polit(r)ic(k)s.


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

