[ISN] Hackers Being Jobbed Out of Work

From: InfoSec News (isnat_private)
Date: Tue Sep 03 2002 - 02:07:37 PDT

    By Noah Shachtman 
    2:00 a.m. Aug. 30, 2002 PDT 
    Not too long ago, skilled hackers were rewarded with fat salaries and
    fancy titles after being busted for their shenanigans.
    Now, Max Vision -- a world-famous incarcerated
    hacker-turned-security-expert once making $250 an hour -- is happy to
    be getting minimum wage.
    These are tough times for hackers. Federal agencies now have broad new
    powers to spy on them, thanks to provisions in the anti-terrorist USA
    Patriot Act. The House of Representatives has passed a new law that
    will send convicted hackers to prison for life. And, the information
    technology job market is so soft, it's tough finding straight work.
    "We don't hire former hackers," said Jim Chapple, who leads security
    teams at Computer Sciences Corporation. "There are enough highly
    skilled people out there that we don't need ones with checkered
    That certainly rules out Vision, aka Max Ray Butler, a 30-year-old
    Idaho native. He recently served a year in a federal prison for
    intruding onto government and military computer networks in 1998.
    Life on the inside at Taft Correctional Institution, a low-security
    facility in the California desert, was bearable. The showers were
    private. His cellmate was harmless, a professor who had misspent
    federal grant money.
    But events in the outside world were heartbreaking. His wife, Kimi --
    the only partner in his security consulting practice -- ran off with
    someone else just two months after Butler went to prison.
    Sharing a room with five others in an Oakland halfway house, Butler's
    still tortured by the loss.
    The pressure from the facility's managers hasn't made things any
    easier. The director recently threatened to send Butler back to jail
    if he didn't find a job.
    But landing work has not been easy. A recruiter for Robert Half
    International -- where Butler had his first network-penetration
    testing job, in 1997 -- was eager to bring him in. But when Butler
    told a supervisor about his felonious past, "his face just dropped,"  
    Butler said. "He ushered me out of his office, and that was it."
    Many companies are reluctant to give jobs to hackers. In a recent
    survey, according to Lawrence Walsh, an editor at Information Security
    magazine, only 14 percent of U.S. companies said they'd be willing to
    hire former hackers to help secure their networks.
    After months of hitting such roadblocks, Butler sent an e-mail to
    security-oriented lists requesting any kind of work.
    "I have been showing up at places that farm out manual labor (at) 5:30
    a.m., and still haven't found any work," Butler wrote in that message.  
    "Surely there is some open position at a security company in the area
    -- hire me as a janitor, but give me a cubicle and I'll do
    vulnerability research or help with security audits or have me sling
    HTML. Who will know?"
    It's ironic that Butler -- almost universally considered one of
    hacking's good guys -- would find himself in such a position.
    "He's done a lot of great things for the security community," said
    Eric Smith, the former Air Force computer crimes investigator who
    helped bust Butler.
    For years, Butler was an informant to the FBI, tipping agents off to
    technical developments like an encrypted IRC chat program. His
    website, Whitehats.com, cataloged hacker attacks and provided ways to
    detect them.
    He believed he was doing the right thing, too, when he launched an
    Internet worm that fixed a critical hole in the BIND domain-name
    server program, a then-ubiquitous program for matching IP addresses
    with website names.
    The Air Force and the FBI didn't take such a benign view. They raided
    his home shortly thereafter. Butler then confessed that his worm had
    created a back door, allowing him access to the systems he had fixed.
    In exchange for his freedom, the FBI pressured Butler to snoop on
    other hackers. He went along, up to a point. But he refused to wear a
    wiretap to record conversations with his friend and fellow hacker
    Matthew Harrigan, then the CTO of a San Francisco security firm.  
    Butler was arrested shortly thereafter.
    Many in the security field said that hackers like Butler, the ones
    with real talent, will always be able to find straight work, no matter
    what they've done in the past.
    "Anyone who writes a good security application gets hammered with job
    offers. There are just not that many people skilled in computer
    security, and the need is huge," said one hacker, "The Pull," who also
    works in mainstream computer security.
    Others aren't so sure.
    "With so many corporations downsizing, there is a glut of talent
    competing for a very limited number of job opportunities," said
    Marquis Grove, who runs the SecurityNewsPortal.com website.
    One security professional who's been searching unsuccessfully for work
    added in an e-mail, "Since the 9/11 incident, companies are looking at
    any skills that a prospective employee has and thinking about what
    could possibly go wrong if this employee turned rogue."
    Fortunately for Butler, the response to his e-mail plea for work was
    tidal. He received several job offers right away.
    But he couldn't take the work -- the jobs were in other states, other
    countries, even. The halfway house's managers said Butler had to work
    within an hour of the facility.
    Finally, a former colleague, Steve Kirschbaum, who runs a security
    consultancy, Secure Information Systems, said Butler could work in his
    home office in Fremont for the minimum wage. If Butler lands any
    outside clients while under Kirschbaum's roof, they would split the
    Though the halfway house takes a quarter of his meager salary, Butler
    was happy to finally have a job. But he can't start work yet. Butler's
    supervisors are currently checking with the Bureau of Prisons to see
    if his job is OK. Because, like many convicted hackers, Butler must
    get a parole officer's consent before he can use the Internet.