Comment by w_t_payne
12 years ago
I used to work in the antivirus industry, and, as I recall, anything that even hinted at a history of hacking or virus-writing would lead to instant dismissal and black-listing (from pretty much the entire computer security industry). I imagine that the same prohibition would now apply to former government employees also.
The sad fact of the matter is that we cannot trust individuals that have ever worked with these agencies, nor with the private contractors that supply them. The risk of insider attacks is too high. Equally, we cannot trust companies that employ those individuals.
If Silicon Valley is to recover the confidence of its customers, it must go through the painful and heart-rending exercise of dismissing all employees with any connection whatsoever to government espionage. Many innocent people will lose their jobs, and will face the prospect of being excluded from high-tech employment in the private sector, but I cannot see any other way of regaining trust in our fundamental infrastructure.
Why would the anti-virus industry refuse to hire people that had developed viruses? Aren't those the people that think like virus writers and could write better antivirus software? Same with the hacking half of that. Those are the people that best know how to secure systems.
Wouldn't it be the people that used to be blackhat and have transitioned to gray or white-hat hacking that would be the best people to provide their services for pen-testing/anti-virus writing/etc?
Is the probability of a so-called ex-virus-writer writing exploits into the system higher than for someone else?
Is their knowledge worth the chance?
Anti-virus endpoint software is essentially (and necessarily) a rootkit. Businesses installing antivirus software are placing an incredible amount of trust in the antivirus vendor.
Without trust, the antivirus vendor has no business whatsoever. As a result, they are (or jolly well should be) ultra-careful to earn that trust. This includes subjecting their employees to a certain degree of vetting.
In the age of cloud computing, the same relationship dynamics are observed between businesses and the cloud vendors to whom they entrust their data.
See? There it is again: Trust.
Important stuff.
because of their underlying lack of ethics. You need to have ethical hackers that are interested in the wellbeing/security of a community/society. Even if they know the systems from both perspectives, if they even have a moral deficiency, what's to stop them from committing insider attacks/writing exploits of the system? You cannot trust that type of people unless you know for certain that they have abandoned their prior convictions and truly follow white hat hacking, and knowing for certain is hard to do.
Given your assumptions, that makes sense; however, given what our parent commenter said, I came away with different assumptions.
From our parent:

> I used to work in the antivirus industry, and, as I recall, anything that even hinted at a history of hacking or virus-writing would lead to instant dismissal and black-listing (from pretty much the entire computer security industry). I imagine that the same prohibition would now apply to former government employees also.
They used the word "hacking", which I took to mean any form of hacking. We'd need the parent to respond to which one was meant, of course; but if it means any sort of hacking, from Xbox modding to submitting bug and exploit reports to Google (which, how do you know if there's an exploit without trying to find it?), then hacking would include all of those people, including the people who you define as "ethical hackers".
If you're a known, aggressive and clearly unreformed cyber-saboteur, then it's pretty much a given that you shouldn't be hired to an anti-virus company since you probably are in there to commit insider attacks (I can't know for sure, I'm not in your brain) and it's reasonable to not hire you; however, if you're a tinkerer and inspector of things and dismantler of technology, then you would know how systems work and where issues are and could even be an asset, especially if you're very good at it. Depending on the author, both of those people could be seen as 'hackers'.
I'd wager that most people's ethics are more malleable than that. Also, don't underestimate the power of the golden handcuffs.
Having a spouse, kids, and a nice house in a nice neighbourhood makes any kind of anti-social behaviour that much harder to justify from a purely pragmatic, never mind ethical point of view.
I.e. young men often have nothing much to lose and act accordingly.
> ... instant dismissal and black-listing (from pretty much the entire computer security industry)
I'm not sure where you got that from. A large percentage of the security industry is made up of people who got their start as blackhats.
That is sincerely what I had thought, as well.
I'm not sure if any security company would gain much by avoiding former government employees - you'd decline Abe Honest because he had worked in government earlier, but any Joe Infiltrator from NSA could come to your interview with CV, online profile + references/contacts claiming that he's worked in, say, Microsoft for 20 years.