Ask HN: Recent computer hacking convictions and employability?
I'm completely self-taught, and while on bail, I did a lot of responsible disclosure. I collaborated closely with CIRT teams, system administrators, website developers, and government agencies to ensure the remediation of over 3,000 web-application vulnerabilities. I wrote technical reports, provided remediation guidance, and validated patches to ensure that security issues were properly closed (in an informal capacity). My first bug bounty contribution took place in 2012 which was a GET-based reflective XSS on a subdomain belonging to Microsoft.
Over 30 private and public sector entities have sent me letters of acknowledgement. I've also been inducted into a number of hall of fames for uncovering vulnerabilities. In 2019, I was also ranked 11th out of 25,000 active researchers on a bug bounty platform.
I can't just walk into employment with my skillset because I'm not particularly talented, just proficient in web-application security and various methodology used to identify vulnerabilities. This leads me to believe that I should look for entry-level positions but I've been told I'm overqualified. Some opinions would be appreciated.
157 comments
[ 3.0 ms ] story [ 232 ms ] thread[1]: https://darknetdiaries.com/episode/60/ [2]: https://www.hackerone.com/
In terms of employment, have you found it too difficult to make living off of bug bounties? Maybe there's crews that would see you as an asset. Or maybe contract based solo consultation?
Stop telling yourself that. You wouldn't be #11 out of 25,000 if you weren't talented.
As long as you're open about your past and convictions, and your legal standing permits employment doing the work you'd do, then there's nothing stopping you from applying.
When you see a job posting then look at what the requirements are. If you fit more than half then you should apply. The things you don't know can be learned on-the-fly. You'll no doubt have interviews that try to find your strong points and weak points. You'll have failures. But that's not a problem: everyone has those.
This is your market: there are tons of companies that are hiring for your skillset and you'll land a job quickly if you're good enough at the core skills that are needed... which I'm sure you are.
Edit: I would also add that I'm also completely self-taught. The only computer class I've taken was typing... and I got kicked out for cheating because it was boring. I've been employed in software for over 20 years and currently make $160k salary in TX, USA building software for drones. There are a lot of people in the computer industry who are self-taught. Don't let that stop you.
I like this advice.
I used to think I wasn't as good a programmer than a friend of mine because he had a larger breadth of skills than myself. Then I actually saw the code he was producing professionally ... and it was crap. It was functional sure, but not maintainable at all (if the business rules changed, then rewrites were awful).
Where I work now, the developer team that I joined were a bunch of amateurs pretending to write business applications. Their code (which I'm still refactoring 10 years later) is awful. I seemed like a super star to my managers because they never knew the difference from a good and bad coder.
That last paragraph wasn't meant to be employment advice. My point is, you never know how good you really are until you see how bad other people are. Couple that with the general self doubt we all sometimes experience, and you end up feeling like the worst in your field.
I'm self taught too. I started coding at age 7. We're the best because we love our particular skill so much that we made a fun hobby out of it. We stayed up way late into the night honing our craft. Etc, etc ... other inspiring reasons why we're awesome at what we do.
Edit:
> Edit: I would also add that I'm also completely self-taught. The only computer class I've taken was typing... and I got kicked out for cheating because it was boring.
Ha, I wrote my comment about being self-taught before you made your edit.
On the topic of cheating: In 6th grade spelling class, we had to write out our weekly spelling words 5 times each. We were allowed to handwrite, or type it out on a computer and hand in the printout. I wrote a computer program where I would input the spelling words as an array (only typing them once), and it would output a text file for me to print out and hand in.
Wow, I wonder what the goal of that exercise was. Copy/paste has been part of windows since at least 95, no? Regardless, I’d think the main goal of forcing repetitive writing is improving handwriting and word recognition, which require a pen(cil) and not a keyboard.
*Runs rapidly into the distance, screaming*
(Just found this thread, I know you'll probably never see this ;P)
This was in the days of Windows 3.1, and I was programming in QuickBasic 4.5 on DOS.
I think the word processor I used when typing may have been Word Perfect.
> Regardless, I’d think the main goal of forcing repetitive writing is improving handwriting and word recognition, which require a pen(cil) and not a keyboard.
I think the goal was for us to memorize spelling of the word. Maybe improved handwriting was a sub-goal, I don't know. By that age, I don't think teachers really focused on our penmanship. I consider word recognition to be more of a reading skill.
I was a lazy student. Spelling was never a priority for me. I never did well on tests because I never studied my spelling words. I was more into math and science. My parents never hassled me about my bad spelling test grades.
Clearly, to learn to spell words. In much the same way that kids have to practice arithmetic and saying "I just used a calculator to get the results" is fine in real life but not when you want to learn what addition is.
Something along the lines of "I must learn to behave in class and listen to my teacher" 100 times...
I asked if I could type the lines rather than hand-write...
4 lines of BASIC later.
certainly there's a inevitable associated presumption that criminal behaviour is caused by poor social awareness and so addressing the general area would also indirectly attack the unfortunately undeniable connected human behavioural profile that needs to be overcome.
100% this. We had someone who hid that he was previously gone to prison for robbing banks. He used his dad’s SSN and slipped through the cracks. He was terminated immediately when a girl who was mad at him called our company to let us know to get back at him.
You can’t know for sure if people will look past your history, but I can guarantee you don’t want to hide it and have them find out later or someone hold it over your head.
The place that is meant for you will be the one where you are accepted for who you are.
Dude already did his time, in my book the conviction doesn't exist anymore. My honest advice for ex-crims is to find small shops that don't run BG check (yes these places do exist) and never mention their crimes. After a 3-5 years in industry your past will be far enough behind you can get into most small businesses positions you are qualified for.
Would you allow a convicted sexual offender who did his time in jail take care of your child in a day care facility to which he got employed and didn't disclose his past conviction?
Things need to be put into perspective, and evaluated carefully.
With that said I don't think immediate termination was the right decision to make in that situation the parent comment described. Inclusion requires consideration and empathy, the company didn't demonstrate that.
I probably wouldn't like it if I found out they raped a (actual, not like statutory w/ a lying 17 y/o with fake ID like happened to Cody Wilson) child, because I believe the appropriate solution for that is the death penalty, and thus I don't see them as having completed their sentence. But if someone is out in society, I treat them based on the way I have observed them to treat myself and others, rather than what the government says. A lot of sex offenses are total BS such as someone urinated in public (which is socially acceptable in many places of the world).
And leading with hyperbolic "Think of the children" hand waving pearl clutching does nothing to put "things into perspective"
In the context of this thread we are talking about someone convicted of hacking wanting to work in IT again, not a child molester wanting to babysit your child.
So yes lets keep things in perspective shall we?
I fully understand and appreciate the purpose of our laws. The practice, however, is a different story. And unless we stop including as crimes things that I'm not willing to consider crimes, I can't support the way that "registered sex offender" is routinely used to destroy lives over childhood mistakes.
The law is intended to target adult pedophiles. But when the people involved are basically the same age, it isn't pedophilia!
Sadly--and I do mean this, I agree with your sentiment--what we believe and what is required by an organization in a sensitive industry (finance, education, defense) are different things. For example, if you want to operate as a public company in finance with industry-standard certifications, you must perform background checks and reject candidates with a criminal history involving financial crimes.
Schools and other educational institutions likewise are require to reject candidates with a criminal record that includes charges of violent crime, sexual offenses, or similar.
Lying about charges that aren't relevant to the filtering criteria will be noticed in such industries and be a big red flag to any HR rep or hiring manager reviewing an application. This also shields you from a situation where some other employee learns and disseminates unflattering information--if one's manager and HR has cleared that info, it's nobody else's business and you have avenues and support available to you to prevent discrimination due to a criminal history.
That really is not a factor, I have worked for a number of organizations that would never higher anyone convicted of a felony who did not have any sensitive requirements, were not dealing with money, or personal info, or anything important really
There is just a huge stigma when it comes to criminal records, which is doubly painful in a over criminalized society like we have in the US.
Fuck any half-way system where you're released of all judicial punishment but you can't work, vote, or own a gun. THAT is cruel and unusual punishment.
If someone can't be trusted to not abuse children, they need to be jailed or on probation until they can be trusted. Those people can't be trusted in public. If they've abused children through rape of small children or serious violence against the weak, just execute the low life. Children are everywhere, the idea an abuser is just fine being tempted with children everywhere, from the street to playground, except they'll be nice and honest and use their real SSN and identity when applying to work with children is a hilarious notion.
And frankly, unless proven otherwise, I assume sex convictions are something like pissing by the side of the road or a 19 year old banged their 16 y/o girlfriend. The government loves to imprison people for insane reasons and sex offender registry is a poor guide as to whether someone can be trusted with children.
That makes for a good argument not to trust them as much, generally speaking.
On the other hand, integrating them back into society (something that's lacking in the US) works well for most.
The whole premise is just laughable at face.
This think of the children trope is just bait IMO to try and get us to accept that there are second class citizens, and allow us to put restrictions and loss of freedoms on people who have completed their judicial punishment. If we can accept this we might accept ending their constitutional rights such as the right to vote, bear arms, or speak freely.
I understand the desire to protect children in this manner, I just think it's misguided and philosophically inconsistent.
We cant trust them because they re offend, but they re offend because of lack of opportunities created by society not trusting them....
It is certainly true for property crimes, drug crimes, and other such actions.
Violent crimes may be an exception to this, but then to the OP's point, if they are violent why are they out in the population to begin with?
It just seemed the question was phrased in terms of those being the only options, when in fact they are the very rare options. It seems that mostly people you hire are not going to do serious criminal things, either before or after you hire them.
Anyways, I've wholeheartedly recommended lying in certain situations on employment. (Don't lie about certified/licensed/bonded jobs, dont like to the state/feds, dont lie about stuff you cant do.)
A while back (2009), I was in a very bad run. Got laid off. Didn't have a job for 1.5y . And it's hard to get back in work without already having a job... You get the side-eyes of "why werent you working this time???" crap.
So, I started lying on my resumes. I found a company that went bankrupt 2 towns over, and put them as employed in a role I'm easily capable of. Am I lying? Absolutely. Can I do the role? Absolutely.
I got the job, unsurprisingly enough. And I was there for 1y, enough to get a better work history to get out of the rut I was in. And I hopped from there to a better position, all the while slowly cleaning up the fakeness from my resume all the while generating a valid work history.
It sucks, sure, that there's no good way to break in the work-world if you've been ejected. (Que entry-level jobs that require 5y experience...) Frankly, vs starvation, homelessness, destitution - you damn straight I'll lie. And if I have to, I will definitely do it again. Capitalism is stone-cold and heartless. And if that's what I have to be to survive in the work-world to make money, so be it.
After working in factory few months, I was able to get apartment. With apartment, I was able to get myself nice looking and clean and tech job.
My process from day labor/ homeless (save up enough for airbnb/hotel) -> wage job (save up for apartment) -> professional job at this point is pretty much a well oiled machine. Sadly the first two steps basically require dishonesty. I've only been through this a couple times in my life and hope not to again.
*This is all fiction, of course.
That's what remote work is for
Let's ignore the computer/security aspects of this particular situation, and come up with other examples.
If you are convicted of a financial crime, for example, you are not barred from working as an accountant. You can even get a license and work as a CPA.
But some companies may not be able to employ you as an accountant due to your conviction.
And, it is worth noting, you can certainly lose your license if you commit a relevant crime after getting your license (or for failing to report some other felony to the licensing board).
All the above varies considerably in the details between countries, and in the US between states (eg. in some states a conviction for a felony requires a hearing before the certification board before being allowed to take the relevant exam, and the board may not decide in your favor).
Circling back to computers and security, the situation is much more forgiving since there is no relevant licensing barrier; nevertheless, some companies may be restricted from employing people convicted of certain categories of crimes in particular functions: think of having access to a bank's or credit company's customer information and accounts, or a health provider's patient data. But even organizations that are subject to such restrictions have plenty of roles (potentially even security roles) that aren't affected by these restrictions (except by their own internal policies, anyway).
But I don't think companies here are ever barred to go further than the law. If employees have to be vetted, there is a department in the Ministry of Interior that does just that, they say yes or no without any detail as to why (and there is an appeal process that still doesn't involve the employer).
But here if you cook the books as a CPA, you will probably be barred from the job for at least a few years.
The longer it is in your past, the easier it is to overlook. It’s more about the actual charge than anything. Obviously some charges are harder to justify ignoring.
Source: I’m a felon. Been there, done that.
Also, you should list the country you're in. Who knows, someone on HN could reach out with an opportunity.
Everything you described about yourself would make you an excellent employee to have on hand at many cybersecurity firms. Create your resume and have a few people review it.
Also, review your appearance and language skills. Make sure you are presentable in an enterprise or conference room setting. If a cybersecurity firm hires you, don’t make them regret it if you can’t hold yourself in a professional environment.
Wow. Upvoting because this is such a succinct and powerful way to say this, and I’ve never heard it before. i. e. It’s not our job, domain, or in our interest to reject ourselves from a job we’re interested in before applying
Finding a job and finding a romantic partner turn out to be really similar processes -- it's a numbers game and you can't sit around waiting for the perfect opportunity.
Yes, you do. I don't know about other countries, but everywhere in the US runs a background check. You will get a reasonable "no" rate, but telling people your situation is very much better than looking like you were hiding it when they eventually find out.
OP probably would have the most success with a pen-testing firm or similar.
Other than that, it's just been straight skills and reputation. Even if it did come up he could always say that he assumed they would ask for a background check if they cared about this type of thing. Just let the man get some work and move on with his life.
I think the overall point doesn't really change. Apply. Let other people dismiss.
There seem to be some kinds of background check where maybe it is fine and others where it isn’t?
It looks like written permission is required, but, they can remove your candidacy for not accepting…so, it is not fully protected.
https://secureframe.com/blog/soc-2-background-checks
“By the time I was fourteen the nail in my wall would no longer support the weight of the rejection slips impaled upon it. I replaced the nail with a spike and went on writing.”
― Stephen King, On Writing: A Memoir of the Craft
https://www.goodreads.com/quotes/848294-by-the-time-i-was-fo...
I guess blackmail & fraud are a problem but if it was related to hacking I guess you'll still find a job. It's gonna be hard, but there are companies that care about your hacking skills, not about your past.
> This leads me to believe that I should look for entry-level positions but I've been told I'm overqualified
You sound like a senior pentester if you'd ask me...
The price of a zero day exploit is quite high (for both sides) and I have friends who make much more money than I do doing this.
That said they mostly work alone or in small groups in their basement rather than at a large security company.
I would hire (or at least interview you) with a prior conviction though I am not hiring for a security role.
I don't think the conviction is a serious impediment for employment in this particular field (since it's for a non-violent crime) though it might warrant supervision on your employer's side and I can definitely see the larger companies not wanting to take the risk.
[1] https://zerodium.com/program.html
A rational individual should look at bug bounties and exploit brokers and use the highest bidder.
I'm a security professional, and I think brokers are a net positive to the industry. The more that market makers expose the real price/cost of security flaws, the more investment will be made in defensive measures.
smart employers would kill to get someone like you
I personally know a guy who got convicted at an early age for similar stuff, he never had any trouble finding work, even worked for some governments
any decent security startup would do anything to get you
bro I'm actually jealous
also: freelancing of course, rarely seen background checks for freelancers
It depends what you did of course. In his case the only plausible "victim" was AT&T, and he disputes that too.
You clearly are talented so stop telling yourself that.
Have you thought about starting your own security consultancy?
https://www.riverloopsecurity.com/careers/
I can't guarantee anything, but just from what you've written here, I think they'd be interested in a conversation.
Blackmail and fraud are both offences that involve using others as means to ends, and require the ability to discount the damage and pain you cause to others. If I were hiring a coder (let alone a computer security consultant) I'd search for a long time before hiring someone with a record of that kind of untrustworthy behaviour.
Sorry to be blunt; I know that some companies pay good money to convicted criminal hackers for their expertise. But I think that's a deplorable practice; it encourages the view that hacking/cracking, blackmail and fraud are a sensible route into regular employment. I think those convictions should be a blocker.
A physician who harms his patients through negligence or malice gets struck-off.
A lawyer who steals his clients' money gets disbarred.
A banker who mismanages his clients' funds loses his banking licence.
If any of those was found guilty of using information from their clients to blackmail them, they'd have no future in their chosen trade - ever.
Or think of it this way...
Could someone not be a doctor if they had assaulted someone before medical school?
Would a lawyer not be able to be admitted to the bar if they had been convicted previously?
I'm actually not sure about those, they both might not be allowed. I just lean on the side of forgiveness once you've "paid your debt to society".
That's just the type of bullshit that makes pizza restaurants not wanting to have a person with a criminal record anywhere in the building. It's a form of vigilante punishment that continues to for the life of a felon, way past the point where their debt to society has been supposedly paid.
Employers should be banned to ask or process such information. "Is currently wanted or on parole" - legitimate question, "was ever convicted" - No, you have no right to know that, except very limited cases defined by law: working with children and the vulnerable, large sums of cash, working in the financial sector etc.
This guy seems to be on probation, and under supervision of SOCA - he hasn't yet completed his sentence. Are we talking USA? He's a felon, and in most US states he will never again be allowed to vote in elections.
In this country you don't have to disclose prior convictions to anyone, beyond a certain date - I think something like ten years. I agree with that. In the same way, expired convictions can't be taken into account in sentencing deliberations. I agree with that too - I do think convictions should expire. Past acts shouldn't follow you around forever. But if you're on probation now for two serious crimes, I think it's crazy to say that a prospective employer shouldn't be allowed to ask, and to rely on your answer on pain of instant dismissal.
And FWIW I don't agree with the US practice of denying felons the vote.
Are you based in the UK? That's probably relevant, it seems like a lot of the cybersecurity sector over here is very friendly with NCSC & SC is required for a lot of roles.
Continue with "therefore I know about system security...". Write a book, charge a huge rate as a consultant. I'm serious. If you act like a beaten-down person, you'll be treated as one.
It's classic making lemonade from lemons, but it can really work. If not, you've lost nothing.
What you need is to show people that you're not going to cause trouble for them, which is more of a social skill that you demonstrate at the interview. Try to acknowledge that you did something bad, don't use words that diminish it, and try to explain that you want to move on and you now want to be a positive force.
There's going to be some natural questions that everyone will ask, so consider them as set-pieces and practice your answers.
The market is hot now, so get some interviews and see what comes up.
Otherwise how do you demonstrate ethics to someone who doesn't know you, yet? :) Certainly not in a interview, that's just talk and smiles and promises.
There are also a lot of podcasts/etc that would be happy to have you tell your story. Huge upside to that IMO with reach and sharing to help keep future people out of trouble.
I truly believe people should be forgiven for past deeds and given the benefit of the doubt. I’m sure he will find good employment and I hope he has a good career in the security industry. He clearly knows his stuff.
if maybe that's not your thing and you want "a job" I'm sure many people will be willing to help, me included. feel free to contact me on Twitter @high_byte
Happy to have a chat -- I run VM for a large tech company and have a lot of openings
For most tech industry jobs, you'll be way overqualified and the rest of the team will be in awe.
Explaining why you have a criminal record is going to be a lot easier to someone who already thinks they want to hire you.