Back in the nineties, the glory days of Hacking, just after the golden age of the late eighties, many companies were starting to get into the whole Internet Security thing. Everyone and their brother had an Internet Security company and VCs were just crawling over each other to give them money. One thing most of the early companies had in common was a staunch refusal to hire ‘hackers’. They would give speeches at conferences and say ‘We hire only the best security experts, but no hackers.’ They would issue press releases that said the same thing. I remember reading these and laughing because all the hackers I knew worked at these very same companies. (The ISS XForce said this all the time, and everyone who worked there was a hacker.)

At the time this was a brand new industry that basically took shape overnight. There were so many security startups you literally couldn’t throw a rock without hitting one. Foundstone, Guardent, @Stake, and those are just the big names that I remember off the top of my head; there were dozens of other smaller firms all vying for a piece of the pie and for the ever decreasing pool of talent. Basically if you knew what a war dialer was, could run a file of hashes through L0phtCrack and knew how to clear your browser cache you were hired as a Security expert at a 100K a year. It was that easy.

So what did all us hackers do? Well, we got jobs naturally. We got jobs at the very same companies who said “We don’t hire hackers”. Very very few of us actually had criminal records and those who did usually had them sealed due to a juvenile status at the time. So when it came time to fill out the employment history on the job application you filled it out truthfully, Landscaper, Burger King, Tech Support, and now Security Expert. Nowhere did you write down ‘Hacker’. When we went into the job interview we did not wear a big sign around our necks that said ‘Hacker’.

At some point after @Stake acquired the hacker think tank L0pht Heavy Industries this whole ‘we don’t hire hackers’ thing started to change. A lot of companies saw that it added to their credibility to say that they had a hacker or two on staff, or if they didn’t actually publicize it they definitely didn’t make asinine statements like “We don’t hire Hackers”.

Well, I guess things have come around full circle. Because Enrique Salem over at Symantec has stated that “You always worry about [grey hats]. Symantec has a standing policy that we don’t hire anyone to be a part of our company who has done any kind of known hacking,” he said. “We will not employ hackers.”

Enrique has been at Symantec for 16 years now but maybe he was too busy doing whatever it was he was doing before he got the CEO job in April to realize that his company does hire hackers. Or at least they did ten years ago when they bought @Stake and its old L0pht (and CDC) members. (OK, so I guess technically they bought them and didn’t actually hire them but semantics.) (Hey, always wanted to make that pun, hehe.) At least one of the old L0pht folks was still working there up until a few years ago.

But even now there are more people than I can count on one hand who I know personally that work at Symantec who are publicly well known hackers. They speak at Hacker cons, are known by their handles and call themselves hackers. They don’t go around advertising where they work but it’s not a big secret to those of us in the community. I don’t think they have criminal records and I doubt they go around breaking into other people’s computers, but then hacker does not equal criminal.

If you want to go around and say “We don’t hire hackers” that’s fine, just realize that there aren’t going to be very many people left to hire and you sound like an idiot when you say it. (Hey, DHS, are you listening?)