The UK army of cyber reservists is open to the idea of hiring convicted hackers into its ranks. The new head of the Joint Cyber Reserve Unit, Lieutenant Colonel Michael White, told BBC Newsnight that applicants would be assessed on their skills and capabilities, rather than personality traits or past histories. Asked whether he …
Hiring convicted hackers
Would it not make more sense to hire the ones that don't make a habit of getting caught? I'm no expert, but I'd have thought that not getting caught would be the defining characteristic that separates the skilled hackers from the regular ones.
Re: Hiring convicted hackers
I'm struggling to think of any convicted UK hackers who demonstrated capabilities beyond that of the average skiddy. And, as you say, getting caught isn't much of an advert for your l33t skillz.
Re: Hiring convicted hackers
I don't think they're necessarily hiring them because of the knowledge and skills they have now, more because they have demonstrated an understanding of the field and can be trained to be better at it.
Not to mention being sufficiently interested in the field to risk going to jail for it.
Re: Hiring convicted hackers
The media, esp. BBC/Guardian, persists with this tired old 80s/90s meme, where any hacker is automatically labelled an elite genius. It hasn't dawned on them that defusing a bomb is more difficult than making one, and the real clever guys are those who detected, decoded and reverse-engineered the amateur's activities.
"That said, convicted hackers are likely to be some of the best in the business ...
Why, because they were roundly pwned ?
How depressing Lt Col White is invoking this childish myth to puff his own organization. It will certainly get attention from the media, but you have to wonder about his own technical appreciation.
Load of hyperbole
There seems to be ridiculous amounts of hyperbole in these quotes. Whilst rarely as security guards, many banks do hire former bank robbers as 'security experts' to advise on potential attack vectors and weaknesses.
Whilst there are some convicted hackers who were purely profit motivated, these people aren't likely to apply for a poorly paid government job. There are also many convicted hackers who were motivated by the challenge of seeing what they could do. There are also those who made stupid decisions as teenagers - the digital equivalent of being drunk and disorderly.
Re: Load of hyperbole
Absolutely. People want to play with the technology, with the tools, flirt with the dark side. If they are not allowed to work for the goodies then the baddies will let them play. If the goodies have all the toys and make them feel wanted, then assuming they pass vetting, what's not to love?
Computer Misuse Act ?
I thought that attempting to crack/access/... someone else's computer was an offence under the Computer Misuse Act ? Does doing it while working for the government make it OK ?
This is different from going to war and killing people while you do it. (Murder is against the law innit ?). The point is that sending troops to somewhere is very publicly visible and needs a debate in parliament. The trouble with ''cyber troops'' going on the offensive is that I can see this being authorised by some minion, or perhaps a government minister, - but without oversight. I can see this being used many, many times a year to attack ''obvious bad 'uns'' ... but ''obvious'' to who ?
I can see this being abused/misused.
Re: Computer Misuse Act ?
It's not much different to any other type of special forces being deployed. These also happen with minimal oversight or visibility of the public. I've a feeling that is also abused but the impact of this abuse is much more deadly.
Re: Computer Misuse Act ?
"Does doing it while working for the government make it OK ?"
Short answer, yes.
"This is different from going to war and killing people while you do it."
No not really it isn't.
Troops can be on patrol defending an area without being at war, and these "cyber troops" will be conducting defence as well as offense.
Equally, if those troops on a defence patrol see a horde of people with guns coming toward them they aren't going to wait for a government debate on whether to get into a fight or not. They will neutralise the immediate threat, identify the origin of the attack and then wait for higher ups to decide whether to retaliate further.
I see the same happening with the cyber warfare unit. A cyber attack is initiated against some UK based thing, the cyber unit counters and neutralises the source of the attack and passes on details to higher ups. They may then get ordered to carry out an attack against the known perpetrators.
I don't think that "UK Government to hire ex-hackers" is quite the same as "If they could get through the security process, if they had the capability that we would like, and if the vetting authority was happy, then why not,"
If someone has done their time and their offence is spent and they are good for the job/would fit in I don't have a problem with hiring an ex-con. I would have a problem if any one of the above hadn't been checked.
Other areas of the British armed forces take on those with a dodgy or criminal past - provided they think that they are suitable.
In fact, I recall that on that theme, Channel 4 had some success with "Bad Lads Army" where criminally-inclined types were given an army recruit type treatment and one or two ended up in the real thing.
Offering young and/or repeat offenders a stint in the armed services instead of a lengthy prison sentence has a long and proven successful history*. The armies and navies of history books were comprised primarily of the criminally inclined with the officer class being the equivalent of those who could pass today's background checks.
Super clean, rigidly upright people are generally the worst possible choice for any 'dirty' job. Those people have absolutely no idea how the other side operates. Those who don't break rules are unable to cope with those who, by definition, don't follow the rules. Not that you have to break the law to enforce it, that's ineptitude, but you have to understand how and why criminals do what they do to defeat them and 97% of the time the how and why logic chains that lead to criminal behavior are far, far away from 'simple'.
Saying that criminals are just lazy or looking for a quick payout is the oversimplification that leads cops to being so terrible at stopping criminals, they simply can't cope with complex situations so they attempt to scale them back into simple black and white scenarios.
*there is some history with over zealous 'recruiters' lowering the bar of defining criminality to increase the ranks of armed forces through dishonest measures, but that can be managed.
doesn't sound like they intend just hiring random komupta krims ...
"If they get through the security process .. had the capability we would like ... vetting authority was happy why not,"
So they have to 'like' the applicant/x-hacker. I don't mean like as in great-to-have-a-beer-with or has-great-taste-in-porn-lets-copy-each-others-HDD-some-time type like, but Like as in passes-the-deep-background-check-and-passes-the-psych-profiling-and-passes-their-desired-skill-requirement-and-passes-the-drug-testing-and-doesn't-gawk-at-the-women-in-the-office-too-much-and-passes-whatever-additional-scrutiny-they-put-on-him/her-due-to-previous-track-record. That kinda like.
And any criminal history can only make the vetting process easier - there's a whole bunch of information about the person and their personality, intentions etc already available from court proceedings, law enforcement records, investigating officers etc.
Oh, and the like works both ways I guess - said-x-hacker has to want the job enough to actually apply for it and put up with all the above bullshit (so rules out the ant-eye-authoritarian types, anyone just in it for the money etc - hey it almost vets itself).
Oh yeah, and Defense have been selectively hiring hackers for years. You don't hear about them because, well, it's Defense.
Hitting people is risky
"David Emm ... said that hitting people who had proved themselves to be "motivated by money and misplaced ideals" was a risky strategy, at best. "
I don't know. We could reduce the risk by going in mob-handed. I'm sure that lots of us would like to hit people like that, probably starting with the banking industry.
Or maybe you meant "hiring"?
Colonel White and his colourful band of helpers
Will their servers be a Cloudbase?
Yeah, let's employ criminals to carry out criminal acts in the name of Gov
Maybe knife crime types can become butchers
Muggers can become doormen
etc etc etc.....
It's not like they're gonna be given guns...
STEP FORWARD GARY McKINNON.....
.....Your time has come sir !!!!
I suppose using DII would be a suitable punishment for hacking.....
I reckon there's a guy in the Ecuadorean embassy who might qualify.
Maybe, does Defence have an employee work-from-home via VPN capability yet, or do they still rely on faxes to send stuff remotely? Said embassy person could fax commands to work, one of the highly skilled cyber-ops colleagues could type them in and fax the output back. Typical work day would look something like:
FAX to work: pwd
FAX from work: --REDACTED--
FAX to work: ls -la
FAX from work: --REDACTED--
FAX to work: thunderbird &
FAX from work: Can't open display: --REDACTED-- DISPLAY is not set
FAX to work: /usr/games/wargames
FAX from work: Would you like to play a game?
FAX to work: yes
FAX from work: --REDACTED-- The only winning move is not to play --REDACTED--
FAX to work: /usr/games/hangman
Will they work in mysterious ways?
and on that theme, Luke 15:7 everybody
So let me get this straight minister.. the UK.gov's hiring policy for defending the nation's CyberSpace is to employ miscreants who weren't smart enough to avoid detection in the first place?
rE: Will they work in mysterious ways?
Knock on my door on a Sunday morning in your white shirt, shitty suit, clutching a copy of the bible or the watchtower or whatever, that's ok occasionally. But PLEASE keep your biblical spam away from here. TheRegister is sacred....
Re: rE: Will they work in mysterious ways?
I just thought that if Kevin Mitnick is allowed to make a living having "learned his lesson", and he pops up often enough giving talks, that it was only fair that we should allow others to do so as well. Turning their talents to the public good also seemed like a nice idea, both for the direct benefit and also that of perhaps enabling them to rebuild their reputation and seek gainful employment outside of the reserves rather than being driven into the darker parts of the IT industry.