Hug a Hacker Today

Hiring hackers is not just a plot twist in espionage movies. It's actually a sound business strategy.

Today, according to The Wall Street Journal, {complink 10867|Facebook} confirmed it has hired George Hotz, a programmer who is believed to be behind a recent hacking incident with {complink 5114|Sony Corp.}. It's a strategy IBM figured out years ago when it acquired Internet Security Systems (ISS), an Atlanta-based IT security company. ISS is the creator of the X-Force, a group of programmers and technicians within IBM ISS that exposes a company's vulnerabilities by trying to hack into its system. In most cases, it takes the X-Force a matter of minutes.

I had the opportunity to interview an X-Force team member a number of years ago while working as a freelancer. Here's how the X-Force works: A potential customer approaches IBM ISS for a systems evaluation. With the company's permission, the X-Force tries to hack into various security levels within the client's organization.

One X-Force team member told me it took about three minutes to get into a CFO's financial presentation to analysts, before it was publicly presented. The X-Force was able to download the presentation and send it back to the CFO. It was also able to change the presentation through the CFO's computer.

The X-Force doesn't just hack for potential customers. It conducts a worldwide threat assessment in real-time and regularly reports on its findings on a monthly, quarterly, and annual basis. Here's a sample of June's report, called Frequency:

    July’s update is quite large compared to the previous month. Nine of the 16 bulletins are rated Critical. Many of these can be exploited via Internet Explorer to gain remote code execution. Following is our thoughts on a few of these.

  • MS11-050: Cumulative Security Update for Internet Explorer
  • This update is rated critical for good reason. Eleven privately reported vulnerabilities in Internet Explorer were addressed, the majority of which could be leveraged to gain remote code execution (RCE) when rendering a malicious web page. The vulnerabilities affect the range of supported IE versions, 6 through 9. The majority of the remote code execution vulnerabilities require execution of script to lead to the memory corruption required for exploitation. A few of the vulnerabilities such as CVE-2011-1254 and CVE-2011-1256 furthermore require direct user interaction such as dragging and dropping or selection of text.

As part of its service, IBM ISS will provide clients with up-to-the-minute alerts. It also neutralizes any threat before it has a chance to penetrate a client's security system.

Clearly, there are a lot of issues around hiring hackers. Legitimate companies tend to hire “white hats” — hackers that can break into systems but are not malicious. “Black hat” hackers are the folks that can do a lot of damage. I don't remember talking to IBM ISS about its employee-vetting procedures, although I'm sure they are rigorous. (I'm not even sure how you'd go about placing a “hacker wanted” ad, although I'd say Facebook is a good place to start.)

Has your company knowingly hired a hacker? Let us know on the message board below.

17 comments on “Hug a Hacker Today

  1. Tim Votapka
    June 28, 2011

    I wonder if the term “hacker” will be phased out as this profession becomes more legitimized. I know one seasoned pro in Atlanta who prefers to be called a “computer security specialist.” When he first gave me that as his title, I – being one who likes to keep things simple – said “Oh, so you're  hacker!”

    He looked at his shoes for a second and then said “Well, yes but I get paid to do it!”



  2. mario8a
    June 28, 2011


    Banks were the first one hiring hackers long time ago, however it seems like the goverment has been using them for a long time also, I can't remember the name of the pretty girl recently arrested in NY, she was able to hack lots of checking accounts and get millions after that, mayge she can send her resume to IBM.




  3. hwong
    June 28, 2011

    Haven't people seen the movie Catch me if you can by Leonardo DiCaprio. He was arrested at the end but the government eventually hired him to be their secret workforce. It's similar theory to what this article is talking about.

  4. mario8a
    June 28, 2011


    I saw that movie long time ago, however there are so many real cases where Hackers are being hired for the companies or agencies they hack.

    in our company there are a lot of security systems and frequently changing the security settings.


  5. Mr. Roques
    June 28, 2011

    Well, they just realized that if they go after them, the rest of the hackers, which is a very close community, will go after the company.

    This creates a vicious cycle since when you hire a hacker, other hackers might be tempted to try the same thing and it never ends. Maybe the hackers work both sides and talk to hackers to attacker certain vulnerability, in order to sell their services, etc.

    I remember watching a 60 minutes episode, they were talking about “electronic Pearl Harbor” when hackers stole terabytes of information from the U.S. G. 

  6. AnalyzeThis
    June 28, 2011

    @Tvotapka, I don't think the hacker term will go away any time soon… I think it's just way too common and mainstream of a term at this point.

    When Sony's network was attacked recently, I didn't see many articles proclaiming that, “Sony security had been breached by an unknown organization or individual,” but I saw a lot of, “Sony got hacked by hackers.”

    As far as hiring hackers go, it's a mixed bag really: some hackers may be talented programmers in the sense that they can get things done quickly, but that doesn't mean their code is decipherable to others. Or maybe their code is very creative, but it doesn't scale or perform well. The downside to hiring a hacker as an engineer is that often they are self-taught, may lack a more general programming background, and may be too specialized or socially inexperienced to contribute to your team in a meaningful way.

    But again, it's a mixed bag and it all depends. I've seen success stories, I've seen failures.

  7. DataCrunch
    June 28, 2011

    I would think that there are firms that specialize in providing “hacking” type services to a variety of institutions (financial, banks, credit card, military, government, corporations, etc.) to detect gaps, risks and vulnerabilities.  I would also assume that they charge a hefty fee for this hacking service.  A hacker’s dream job.

  8. Houngbo_Hospice
    June 28, 2011

    Hacking can indeed be a lucrative activity. But there are some geeks who just hack for the pleasure of messing with people and money is not their primary motivation. But an intelligent hacker should rather turn his/her ability into business as did the X-Force guys.

  9. Tim Votapka
    June 28, 2011

    Well presented, balanced viewpoint on the pros and cons.

  10. Daniel
    June 29, 2011

    After wiki leaks incidents, most of the companies are trying to incorporate more number of hackers in their testing team, in order to make sure that their services are Hack free and to safe guard the vital data’s. Before that hackers found roles only with security software developing companies and now they have a chance with all most all service oriented companies. This is good because, everybody wants to safe guard their data.

  11. prabhakar_deosthali
    June 29, 2011

    Employing hackers is like using a double edged sword. While in service the hacker will help you find the holes in your securuty systems. Once out of the company he may use the same holes for his own advantage . It is like the locksmith who while making a duplicate key set for you can also keep a copy of it with him to be used for malpurposes later. And if you change your security just because the concerned hacker has left the job, what is the guarantee that there is no hole in the new system?. So you hire another hacker! the circle continues.


    June 29, 2011

    I believe hiring hackers is a legitimate work practise and part of the colorful environment we all live and work in these days.  However consider the folowing two scenarios:

    1) malicious hacker breaks into a company's network, steals $1M then leaves.

    2) legitimate “corporate Y team” charge the company $1M in consulting fees to hack in to their systemand tell them how it was done.

    Either way the poor company is $1M worse off.  The best hackers will become freelance mercenaries selling their services to the highest bidder.  It is a fine line between a legitimate service and criminality.

  13. Jay_Bond
    June 29, 2011

    This is an excellent article and topic. I think there is much to be gained by hiring hackers into your workforce. Granted, these aren't the “black hat” hackers. What better way to protect your system or get paid to help others than by hiring the people who best know how to circumvent the system. There are many consulting firms out there who have hired ex thieves to be security consultants and expose weaknesses. There always is a gamble that these people might try and double dip and get paid by the company and also try to steal some information.

  14. Taimoor Zubar
    June 29, 2011

    I recently read about DEFCON having a hacking conference for kids which would cater to children between the age of 8 and 16. The conference is suppossed to teach kids about the basics of hacking and give practical demonstrations as well. Imagine the havoc it can create if these kids start practicing hacking. They may end up targetting companies as well. I find it to be a really absurd idea.

  15. Himanshugupta
    June 30, 2011

    I believe that hacking should be part of the curriculum. Until and unless you do not know your enemy you can not prepare the defence.

  16. Himanshugupta
    June 30, 2011

    @flyingscot; the first senario people are called thiefs and second one businessman. It is amazing how fine the line is between the two. 

  17. Clairvoyant
    June 30, 2011

    Great article. It is indeed a good option to hire a 'safe hacker' to display the vulnerabilities within a company's computer network.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.