Recently I read some media articles and notes about a new portal that opened a few months ago: The Hacker's List. The idea of the portal, as can be seen in the hacker’s projects section, is that anyone can request the services of a hacker. Current 'jobs' listed include “Facebook hack”, “hack website”, “Gmail password hack”, and “stealing software from a small company”, amongst others. It brings to mind the age-old question I've been asked plenty of times before: Would you hire a hacker?
Before I begin, I should make an obligatory reference to the ambiguity that represents the use of the word “hacker”. A big issue with The Hacker's List is its loose definition of hacking, with not all the activities advertised framed within a legal or ethical scope, which makes it much more difficult to give a unique or complete answer.
Generally speaking, when considering the idea of “hiring a hacker”, my answer would be “Watch out!” and then I would ask the person “What kind of hacker?” and “What do you want to do?” With the purist definition of hacker, many of these activities cease to be hacking when they are undertaken for profit instead of mere curiosity, and at the same time, are not outlined among the professional actions defined under the concept of Ethical Hacking, where many hackers develop their professional careers.
Personally, I find it difficult to judge harshly those who look to hackers for “everyday wrongdoings”; I would be denying the “fun” or “curiosity” aspect of this discipline. However, opening a website to pay for those actions already begins to cross some lines that could be dangerous, at least in some cases. At the same time, hiring an unknown person to commit a “wrongdoing” for money is always dangerous; it is liable to backfire if the only thing that the other person is looking for is money. Why wouldn’t the person we are asking to perform a “malicious” action turn against us for more money? Hiring someone for these kind of activities will always be risky, and I would always advise caution because in the end, the party liable for the actions could be you, and many of these actions could comfortably constitute a criminal offense.
Hackers applying for opportunities on the site could also be a mixed bag: there may be some well-intentioned people, but others less so, making it difficult to offer a resounding YES or NO. Nevertheless, it is always a good thing to highlight the “carefulness” and the importance of checking as many things as you can about the person you are hiring and at least being careful about the personal data you provide.
For businesses, the question is even more complex: Would you hire a hacker? People often ask me: If someone comes to you looking for a position in your research team and confesses having “hacked”, would you hire him? This is a very difficult question and it depends on each case but I know great IT security professionals who have done some hacking in their past, when they were young, even overcoming the barriers of “fun” in some cases. And in spite of that, today many of them are great professionals whom I admire and respect, and who many years ago adopted a very clear position regarding what kind of work they want to do and their professional ethics. In fact, the greatest barrier to making this decision is knowing for certain if the willingness of the person to develop an ethical hacking career is genuine or not. Mostly the only element to determine this is the individual saying “these things are no longer for me, they are part of my youth”, and then it becomes a case of trust.
However, there are exceptions. A concrete example in our field would be considering someone for work in an antivirus laboratory, who years before had developed malware or managed a botnet. The answer to this is extremely easy: no. But there are some exceptional cases where I could be persuaded. There's a clear distinction between someone who developed ransomware to extort people aged 25, and someone who made a simple trojan to hack a friend as a joke, aged 13. I do not think it's crazy to hire a person who flirted with hacking in its healthiest form when young, who wants to use that knowledge to keep on hacking, but in a professional context.
Some will disagree with this and say that ethics should be consistent and all important, but I do think it's a little more grey than that.
To sum up, the word hacking has become incredibly complex, and websites such as The Hacker's List don't help clear this ambiguity, despite the good intentions they may have. Personally speaking, with the traditional definition of hacking, many times I have expressed a tentative yes to the question, but hopefully this longer answer will clearly show that it's far from a black and white issue.
What do you think? Would you hire a hacker?