http://www.wired.com/news/culture/0,1284,54838,00.html By Noah Shachtman 2:00 a.m. Aug. 30, 2002 PDT No too long ago, skilled hackers were rewarded with fat salaries and fancy titles after being busted for their shenanigans. Now, Max Vision -- a world-famous incarcerated hacker-turned-security-expert once making $250 an hour -- is happy to be getting minimum wage. These are tough times for hackers. Federal agencies now have broad new powers to spy on them, thanks to provisions in the anti-terrorist USA Patriot Act. The House of Representatives has passed a new law that will send convicted hackers to prison for life. And, the information technology job market is so soft, it's tough finding straight work. "We don't hire former hackers," said Jim Chapple, who leads security teams at Computer Sciences Corporation. "There are enough highly skilled people out there that we don't need ones with checkered backgrounds." That certainly rules out Vision, aka Max Ray Butler, a 30-year-old Idaho native. He recently served a year in a federal prison for intruding onto government and military computer networks in 1998. Life on the inside at Taft Correctional Institution, a low-security facility in the California desert, was bearable. The showers were private. His cellmate was harmless, a professor who had misspent federal grant money. But events in the outside world were heartbreaking. His wife, Kimi -- the only partner in his security consulting practice -- ran off with someone else just two months after Butler went to prison. Sharing a room with five others in an Oakland halfway house, Butler's still tortured by the loss. The pressure from the facility's managers hasn't made things any easier. The director recently threatened to send Butler back to jail if he didn't find a job. But landing work has not been easy. A recruiter for Robert Half International -- where Butler had his first network-penetration testing job, in 1997 -- was eager to bring him in. But when Butler told a supervisor about his felonious past, "his face just dropped," Butler said. "He ushered me out of his office, and that was it." Many companies are reluctant to give jobs to hackers. In a recent survey, according to Lawrence Walsh, an editor at Information Security magazine, only 14 percent of U.S. companies said they'd be willing to hire former hackers to help secure their networks. After months of hitting such roadblocks, Butler sent an e-mail to security-oriented lists requesting any kind of work. "I have been showing up at places that farm out manual labor (at) 5:30 a.m., and still haven't found any work," Butler wrote in that message. "Surely there is some open position at a security company in the area -- hire me as a janitor, but give me a cubicle and I'll do vulnerability research or help with security audits or have me sling HTML. Who will know?" It's ironic that Butler -- almost universally considered one of hacking's good guys -- would find himself in such a position. "He's done a lot of great things for the security community," said Eric Smith, the former Air Force computer crimes investigator who helped bust Butler. For years, Butler was an informant to the FBI, tipping agents off to technical developments like an encrypted IRC chat program. His website, Whitehats.com, cataloged hacker attacks and provided ways to detect them. He believed he was doing the right thing, too, when he launched an Internet worm that fixed a critical hole in the BIND domain-name server program, a then-ubiquitous program for matching IP addresses with website names. The Air Force and the FBI didn't take such a benign view. They raided his home shortly thereafter. Butler then confessed that his worm had created a back door, allowing him access to the systems he had fixed. In exchange for his freedom, the FBI pressured Butler to snoop on other hackers. He went along, up to a point. But he refused to wear a wiretap to record conversations with his friend and fellow hacker Matthew Harrigan, then the CTO of a San Francisco security firm. Butler was arrested shortly thereafter. Many in the security field said that hackers like Butler, the ones with real talent, will always be able to find straight work, no matter what they've done in the past. "Anyone who writes a good security application gets hammered with job offers. There are just not that many people skilled in computer security, and the need is huge," said one hacker, "The Pull," who also works in mainstream computer security. Others aren't so sure. "With so many corporations downsizing, there is a glut of talent competing for a very limited number of job opportunities," said Marquis Grove, who runs the SecurityNewsPortal.com website. One security professional who's been searching unsuccessfully for work added in an e-mail, "Since the 9/11 incident, companies are looking at any skills that a prospective employee has and thinking about what could possibly go wrong if this employee turned rogue." Fortunately for Butler, the response to his e-mail plea for work was tidal. He received several job offers right away. But he couldn't take the work -- the jobs were in other states, other countries, even. The halfway house's managers said Butler had to work within an hour of the facility. Finally, a former colleague, Steve Kirschbaum, who runs a security consultancy, Secure Information Systems, said Butler could work in his home office in Fremont for the minimum wage. If Butler lands any outside clients while under Kirschbaum's roof, they would split the profits. Though the halfway house takes a quarter of his meager salary, Butler was happy to finally have a job. But he can't start work yet. Butler's supervisors are currently checking with the Bureau of Prisons to see if his job is OK. Because, like many convicted hackers, Butler must get a parole officer's consent before he can use the Internet. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Sep 03 2002 - 04:29:51 PDT