I was catching up on security podcasts this week, and a brief statement in one of them really grabbed me. The panel was talking about people who steal online gaming accounts, I think. The exact content isn’t terribly important–what’s very important is what this person found in the forums where the people who perform this nefarious activity hang out. What she found was that there was one common sentiment that almost everyone there expressed, frequently.
They were bored, and they wished they had a job.
There was about a 30-second exchange after that, but I don’t think it’s enough.
As I recall, one said that a desire to have a job, so they can make money and have things, is a very common human sentiment. True enough. That’s fair.
Another said that getting a security job is really hard. Yes. Yes it is. That’s a topic for another day, but I got rejected this week for a job that anyone who’s known me for five minutes would say was made with me in mind. They won’t find anyone in St. Louis better for that job than me, and anyone who’s looked at my resume says exactly the same thing, but somehow, they managed to find a reason to say I can’t do the job.
Yes, even if the job description is writing about security, and you have two security certifications, a journalism degree, multiple publications to your credit, and you’ve coauthored two winning contract proposals in the last 12 months, someone can still find a reason not to give you an interview. Incredible, I know.
Then they closed the discussion by saying that if you want things, sometimes it’s easier to just steal and resell gaming accounts than it is to use those skills to get a job.
I think they missed a chance for a really good discussion there. Because being a bad guy, stealing and reselling accounts, only addresses the desire to have money to buy things. It doesn’t address the boredom. It doesn’t address personal and professional growth, finding fulfillment, or anything else. It’s shallow.
And I know from my own observation that if that desire for growth and fulfillment remains too long, they’ll move on to other things. And where it stops depends more on the ability of the individual than anything else. Some may plateau at stealing e-commerce accounts. Some may plateau at writing malware.
It planted an idea in my mind. If we can somehow get the message to these bored black hats who want a job that they can get one, and here’s how, we would have less computer crime going on. Some of these guys would trade in their black hats if they knew how.
And it makes sense. I know productive members of society now who, 20-25 years ago when they were teenagers with Commodores and modems, were doing things they shouldn’t be doing. Eventually they got jobs, and some were even able to go to college and learn things like Unix. One guy I knew was administering a large university’s Unix cluster by the time he was a junior. Four years earlier he had a reputation for being a phone phreak and a software cracker. I think he actually did a lot less of that than most people thought, but he did have that reputation, whether the characterization was fair or unfair.
It won’t work every time, but if we can get the word out that it is possible to go legit, and show the way, then we can get a few bad guys off the street and have a few more good guys out there to help us fend off the rest. Both are good.
But first I have to get through my own struggle to find a job, so I’m not sounding like a hypocrite. Last year it was easy–if you had a CISSP and looked like you were remotely interested in changing jobs, your phone rang like a prom queen who’d just dumped her boyfriend. This year is different. My phone rings, but it’s three different recruiters pitching the same job to me. And the interviews are tougher this year too, though that may be because I’m trying to move up a rung in the pay scale–if I’m changing jobs, I might as well apply for the jobs a step up from where I was a month ago, in addition to the ones that are equivalent, right?
I think some straight, honest talk about fumbling through the dark to find a security job would be a very good thing. I think once I know my way through the dark, I’m a good person to do that.