Comment by sukuriant

12 years ago

Why would the anti-virus industry refuse to hire people that had developed viruses? Aren't those the people that think like virus writers and could write better antivirus software? Same with the hacking half of that. Those are the people that best know how to secure systems.

Wouldn't it be the people that used to be blackhat and have transitioned to gray or white-hat hacking that would be the best people to provide their services for pen-testing/anti-virus writing/etc?

Is the probability of a so-called ex-virus-writer writing in exploits into the system higher than someone else?

Is their knowledge worth the chance?

Anti-virus endpoint software is essentially (and necessarily) a rootkit. Businesses installing antivirus software are placing an incredible amount of trust in the antivirus vendor.

Without trust, the antivirus vendor has no business whatsoever. As a result, they are (or jolly well should be) ultra-careful to earn that trust. This includes subjecting their employees to a certain degree of vetting.

In the age of cloud computing, the same relationship dynamics are observed between businesses and the cloud vendors to whom they entrust their data.

See? There it is again: Trust.

Important stuff.

Because of their underlying lack of ethics. You need to have ethical hackers that are interested in the wellbeing/security of a community/society. Even if they know the systems from both perspectives, if they even have a moral deficiency, what's to stop them from committing insider attacks/writing exploits of the system? You cannot trust that type of people unless you know for certain that they have abandoned their prior convictions and truly follow white hat hacking, and knowing for certain is hard to do.

  • Given your assumptions, that makes sense; however, given what our parent commenter said, I came away with different assumptions.

    From our parent: I used to work in the antivirus industry, and, as I recall, anything that even hinted at a history of hacking or virus-writing would lead to instant dismissal and black-listing (from pretty much the entire computer security industry). I imagine that the same prohibition would now apply to former government employees also.

    They used the word "hacking", which I took to mean any form of hacking. We'd need the parent to respond to which one was meant, of course; but if it means any sort of hacking, from Xbox modding to submitting bug and exploit reports to Google (which, how do you know if there's an exploit without trying to find it?), then hacking would include all of those people, including the people who you define as "ethical hackers".

    If you're a known, aggressive and clearly unreformed cyber-saboteur, then it's pretty much a given that you shouldn't be hired to an anti-virus company since you probably are in there to commit insider attacks (I can't know for sure, I'm not in your brain) and it's reasonable to not hire you; however, if you're a tinkerer and inspector of things and dismantler of technology, then you would know how systems work and where issues are and could even be an asset, especially if you're very good at it. Depending on the author, both of those people could be seen as 'hackers'.

    • > From our parent: I used to work in the antivirus industry, and, as I recall, anything that even hinted at a history of hacking or virus-writing would lead to instant dismissal and black-listing (from pretty much the entire computer security industry).

      A number of notable, convicted hackers have done additional work (whether employment or successful entrepreneurship or both) in the computer industry (in security-related or other subfields) after conviction. Kevin Mitnick, Julian Assange -- long before WikiLeaks -- and YC's cofounder Robert Tappan Morris are among the more notable examples.

  • I'd wager that most people's ethics are more malleable than that. Also, don't underestimate the power of the golden handcuffs.

    Having a spouse, kids, and a nice house in a nice neighbourhood makes any kind of anti-social behaviour that much harder to justify from a purely pragmatic, never mind ethical point of view.

    I.e. young men often have nothing much to lose and act accordingly.