cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Brewdawg
Contributor I

A reminder that the past matters

For all the good that Marcus Hutchins did with WannaCry, it looks like his past deeds have been confirmed.  Based on his response to it, he seems to be remorseful and trying to work on the right side of computer security.  

 

https://krebsonsecurity.com/2019/04/marcus-malwaretech-hutchins-pleads-guilty-to-writing-selling-ban...

 

I have always believed that the practice of hiring former Black Hats was questionable at best.  They have shown that they are willing to cross a line that people trying to uphold the law and keep things secure should not cross.  I have even told students in talks that I have given that walking the so-called 'Gray Hat' line was dangerous, and showed that you might be willing to cross the line. 

 

 

4 Replies
Fabio7
Newcomer I

Sad and true. However, we have to give to him and anyone who makes mistakes an opportunity to understand the wrongdoing and become a better person. So, I join Krebs' hope that the guy will learn the consequences of his actions and will realise how wrong was in doing what he did. The time will be the judge.

rslade
Influencer II


@Brewdawg wrote:

I have always believed that the practice of hiring former Black Hats was questionable at best.  They have shown that they are willing to cross a line that people trying to uphold the law and keep things secure should not cross.  I have even told students in talks that I have given that walking the so-called 'Gray Hat' line was dangerous, and showed that you might be willing to cross the line. 


Always an interesting debate.

 

I tend to agree with your position.  Over the (many, many!) years I've worked with some who started out by sailing close to the wind, in terms of ethics.  However, of those who I still consider useful contacts, there's nobody who actually crossed the line.  Those who made their name in blackhat circles I usually see as the infosec equivalent of all hat and no cattle.

 

That's the skill side.  On the practical side, I always tell my students that getting into the blackhat world doesn't teach you much of what you need for defence.  (A lot of those who initially tried have, eventually, agreed with me.)  If you are an attacker, you only need to be right once.  If you are a defender, you need to be right every time.  There's a decided difference in rigour.

 

And, more practically still, doing things that can get you into legal trouble can definitely modify your career options.  Even a long time down the road ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
CraginS
Defender I


@rslade wrote:
  ... Over the (many, many!) years I've worked with some who started out by sailing close to the wind, in terms of ethics.  However, of those who I still consider useful contacts, there's nobody who actually crossed the line.  ...

I expect Grandpa Rob to recall this event, from nearly 20 years ago, shortly after I earned my CISSP.

 

WHM, a nationally known, very prominent, high experience information security expert and CISSP, withdrew from appearing on a panel at a premier security conference, because one of the other panel members would be a convicted hacker, recently released from prison after completing the incarceration portion of his sentence. That hacker, now a well known security consultant, author, and speaker, was beginning his campaign to gain credibility as a legitimate white hat consultant. WHM's position was that it would be a violation of his commitment to the CISSP Code of Ethics to be seen associating with a convicted hacker. Members of the old CISSP Forum on Yahoo! had a lively discussion on the pros and cons of WHM's interpretation and decision, which WHM actively participated in. I don't recall that there was ever a single, common group position on his action. Some agreed with his decision, others disagreed, but all fully supported his action, based on his legitimate analysis of teh situation and the Code of Ethics.  

 

I suspect we would see the same discussion repeated in today's community, even to the split decision within the community on the correctness of his action.

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
rslade
Influencer II

I remember it well, and used it as an example in dealing with ethics in seminars.

 

Being much less famous than Bill, I wonder if I would have had the guts to take the same principled stand.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468