Friday, April 29, 2011

Does hacking make you a better programmer?

You've heard about all the hackers who got caught and then received a killer job offering.

But then again, you've probably heard about IT workers who sabotaged their systems after being fired. Some people also argue that hacking is much easier than securing a system.

The question is, would you hire a hacker? And does hacking make a better programmer?

Addendum

The reason I ask this is that I know a few people who first became interested in programming because of hacking, and they seem to be fairly confident of their programming ability. As a result, it feels like people respect them as the best, but I always felt at least as capable even though I don't know as much about hacking as they do.

From stackoverflow
  • I would be cautious about hiring a hacker (just because I would be cautious of hiring anybody conducting criminal or quasi-criminal activities). I would look towards hiring one (especially for network security reasons) because they are familiar with finding holes others normally wouldn't, so their expertise in breaking into systems can be integral in learning how to make those systems better.

    The other question concerning hackers making better programmers...that's iffy. There are so many different types of hackers out there that it would be hard to say whether or not it would make them a better programmer. You could argue that hackers can become good programmers because a mind geared towards analysis would translate well into the analytical mind necessary for a good programmer.

    Dana the Sane : Good points, and the qualities that make a good hacker do not necessarily carry over to being a good team member. Also, I think it's particularly important to consider if the person will have problems ethically, i.e. following the rules, and representing your company in general.
    TheTXI : Agreed Dana. Whatever technical merits the hacker may have could possibly be overshadowed by personal red flags.
    Noldorin : There's no simple answer to this question (nor anything close really), but I think you've given a fair overview. Indeed, I wouldn't think there's any clear reason to consider a "hacker" to be an especially good programmer, in general. You might even consider their skills to be narrow and poorly suited to those required for a programming job.
  • Hacking teaches you about flawed software and introduces you to pragmatic difficulties in designing secure software. Per the original question I would hire a hacker to test out the security of my systems. I would likely avoid hiring a notorious hacker in projects involving HIPAA, PCI, or PII data.

  • I would definitely hire a hacker, but I'm not sure our definitions of hacker are identical. To me, a hacker is a passionate, driven, jack-of-all-trades coder who knows enough about everything to at least know where to look to figure out how to do anything. At my company we regularly hire hackers as we do a lot of things with scripting languages and low-level Unixy stuff (at least our team does.)

    Your question is actually whether or not you should hire a cracker. And it really depends on what the job description is, but as long as you trust him/her not to do anything illegal, I would hire if he or she is a good engineer. That's all that really matters to me.

    Dr. Zim : Haacked, but not hacked :D.
    Henrik Paul : +1 for the (oft confused) distinction between a hacker and a cracker
  • Those are two completely different questions, but here goes:

    Would you hire a hacker?

    Seriously, why not? If your application is absolutely mission critical and security is of utmost concern, this is a great way to test your application for security flaws.

    Of course the more difficult part is finding out whether the hacker is the real thing or just a wannabe script kiddie.

    In my country a senator recently proposed to put up a hacking contest to test our country's new automated poll system, and I think it's a great way to find the weaknesses and establish the credibility of that system.

    Does hacking make a better programmer?

    Well, there are hackers and there are script kiddies. The difference between the two is while the first one is truly intelligible in finding flaws in the system, the other one only exploits known vulnerabilities using publicly available code.

    If that doesn't sound familiar, that's quite the same as the difference between an Einstein and a Mort.

    Also, many hackers follow some kind of ethics wherein they vow to do no harm -- script kiddies simply don't care and "just want to have fun".

  • I would not hire a "hacker" (in the sense you mean: a suspected or convicted criminal) for one simple reason: If they are morally and ethically flexible enough to attack one system, what's to stop them from doing it again, and when they do, it's my company and my reputation that's on the line.

    Does hacking make you a better programmer?

    I would agree with TheTXI that some of the traits possessed by a hacker lend themselves to the making of a good programmer. These would include research ability, thinking outside the box, and logical analysis.

    On the other hand, a "hacker" is generally not a team player. They are often seeking their own fame, and not the success of their company or product.

  • Just my experience in "reverse engineering". I spent some time analyzing DLL entry points, parsing raw data files, and IP packet sniffing.

    I was able through logic and some creative guessing to figure out what was going over the wire, and what the bits in the files meant. From there I could hijack the wire protocol or intercept the external calls.

    It was fun, it was challenging, but it emphatically did NOT make me a better programmer. Didn't make me a worse one either. Exploiting weaknesses in compiled code is fundamentally different than good professional programming. I did learn a few things about program surface area, and methods of attack, but then I had to translate those into the program architecture. Those are more about structure than content.

    What is important to me in a "good" programmer is being able to produce code that is as complex as it needs to be, but no more. Being able to parse bits inside of an IP packet in your head is a good and fun skill, but tells me nothing about your software design skills.

    To answer the OP's question, I would hire a hacker if they were good at writing software. I don't think it makes you a better programmer. It may help in overall system design, but you can learn those lessons without the experience of being an attacker.

  • It's a lot easier to knock down the sand castle than it is to build one.

    The same applies to building software systems or criticizing legacy code.

  • Much hinges here on the agreed upon definition of "hacker".

    //Hackety hack hack hack.

    ;)

    Consider: coder vs. hacker vs. cracker vs. script kiddie vs. jedi vs. cyberpunk vs. ninja vs. code monkey vs. reverse engineer vs. criminal vs. mischievous person vs. felon vs. convicted felon vs. suspected felon vs. mastermind vs. chaotic good characters vs. chaotic evil doers vs. dictators vs. emperor vs. insurgent vs. terrorist vs. agents vs. neo vs. copyright violators vs. copy writers vs. spammers vs. marketers vs. telemarketers vs. spyware creators vs. computer virus creators, etc. etc., for example.

    Excellent programmers necessarily have done hacking before, in the "jedi" sense. Jedis rebelled against the empire, but were overall, good, though not technically law abiding.

    Most great programmers certainly associate themselves as being a hacker in the romantic cyberpunk sense of the word, however being a hacker does not imply a lack of morals or ethics.

    Some hackers may find that their conscience does not prohibit them from executing technological deeds that the general societal consensus may deem as questionable at best or worse reprehensible or worst yet, literally flat out unlawful. Free will does exist, of course.

    Reverse engineers and crackers are usually better than your average hacker at hacking.

    Personally I would never hire anyone who didn't at least know how to do some reverse engineering. It is necessarily a part of being a good engineer, from my perspective. Then again, I consider myself a fairly veteran coder/manager and have seen an abnormally high number of instances that completely justify reverse engineering for corporate gain and/or the avoidance of corporate death.

    I have never had a problem not doing cool/mischievous things that I know I "could" do, if I "really wanted to". Free time is a good instant reward for moderate amounts of laziness. Who wants to go out of one's way to break laws? Come on. I have never identified what makes a criminal organization tick, except for the profit motive.

    Much depends on what you consider "profit". What you value. What you prize.

    Not all hackers are criminals. In fact, the vast majority are not.

    Someone intent on remaining a hardened criminal is probably not going to be someone you want to hire, but it depends on your situation. First of all, you may not even have the choice to hire a convicted felon depending on your industry or for your application. Are you in Government?

    Then again if you are dealing specifically with security and counter-security and counter-counter-security, it is virtually a requirement that you truly are "as smart as a fox" and that you have the salt to outsmart foxes should you be given a chance to accept such a mission.

    True masterminds would never get caught. If they ever got caught, they would have lost their prior status as a mastermind. Masterminds could be criminals but not felons, and probably wouldn't need to be hired by you for your measly bread. Some good masterminds probably are out there. I don't know any.

    You do want those jedis. You want the ninjas. You want cyberpunks. You want sleuths. You want vast gobs and gobs of intelligence. You want people who can fix any problem and are undeterred by bugs. You want people who know that anything truly is possible.

    It's just code.

    Highly intelligent systems of logic consider all options. So you're never going to find smart people to work for you who have not even considered doing something wrong in their entire life.

    If you are looking for law abiding citizens to work for you, it is best to look for people who at least portray outwardly some behavior that seems to imply a nice, common, internal value system that generally jives with what you think of as normal. You never know what is going on in people's heads. Just because someone has never been caught does not mean that everything that they do in their personal life is perfectly legal or ethical or moral. But there are lines.

    You probably don't want to hire people who are doing very bad things even on their own time. What you consider to be very bad things may vary, a lot.

    So called "ethical hacking" may not be illegal in your country, but could still be unethical.

    For Ego, For Self, For Family, For Country, For Humankind, For Earth, For the Time-Space Continuum / For God

    For God / For the Time-Space Continuum, For Earth, For Humankind, For Country, For Family, For Self, For Ego

    See also: Dungeons and Dragons Alignments.

    See also: Religion

    Generally, you want to hire people who fit your "Alignment", whether you be government or some sort of a crime boss.

    I consider myself sort of white/gray hat hacker. I have done black hat kinds of things before, never gotten caught, and don't plan on engaging in those kinds of activities on a regular basis.

    Doing anything in your personal or professional life that people could blackmail you for or put you behind bars for is generally dumb all the way around, whether you are a criminal mastermind, or a jedi knight, or just looking to hire one.

    Blackmailing people or collecting information that could be used to blackmail people is the worst offense, and certainly far worse than breaking into any system.

    I have worked in carrier scale email, job boards, banking and have had access to extremely ridiculous amounts of extremely sensitive data and have written apps against that stuff. I didn't get to do that by being a dodo brain in the first place.

    Whether you should have access to lots of data is kind of like asking whether or not you should have The One Ring from the Lord of the Rings. Only those who you know have no interest in using it should have high levels of access.

    I have felt comfortable having been given official professional access to lots and lots of data on the premise that I could spider most of it myself anyways off the internet for free, were I ever in a real bind. Mostly it's like, why bother? What me worry? Who cares. I'm the type of person who wouldn't use The One Ring, even if I had it. That's why usually I have had to share the burden of being on the side of Good and have had to hope that the baddies never got in and have had to try my hardest to make sure that's how things have tended to gravitate. Who's really a baddie anyway though? I would like to think of you as my friend, and not my enemy. I don't want to see you go to jail for anything you did with some ones and with some zeroes. If you however, ever directly or indirectly knowingly put people's lives or liberties in jeopardy, whether in the name of the empire or in the name of the rebellion, shame on you. Don't do that. The fact is, there are lots of systems on which the safety of people's lives directly depend. No bad people should be running those systems. No people who could ever turn bad should be running those systems. Think about that. Should anyone have the keys to the kingdom?

    Triumvirates rock.

    Multikey systems rock.

    "You won't know who to trust." -Sneakers

    To build a truly secure system, trust no one -- not even yourself.

    Also, never invite a vampire into your home.

    Also, don't be like Mr. Smith from the Matrix.

    Also, don't bite the hand that feeds you.

    People are people. Find the heart to forgive.

    Strive to remember everything and to never delete anything.

    ;)

    Unknown : I don't think anyone can agree on the term hacker. But what I can tell you is that some of the people I know have rooted boxes behind proxies, but have never claimed to do anything irreversible like formatting the hd.
