What keeps a good security guy from turning to the dark side

I’m reading the excellent Blackhatonomics right now. And one thing I read in it reminded me of a question that someone asked me last year. I was probably the third or fourth guy with an advanced security certification he’d met, and he asked me one day what it is that keeps us from turning criminal.

I said, “Well, for one thing, good guys have much longer careers.”

I didn’t cite a specific example, but Blackhatonomics cited the case of Albert Gonzalez, the infamous hacker convicted of breaking into TJX, Dave & Buster’s, and others. His crime spree, which ended when he was captured in 2008, netted him $2.98 million.

He was convicted in 2010, and had to give back what was left of his fortune, and now is serving 20 years in a minimum-security prison.

I like my approach better.Maybe I make as much as he made–much more slowly, of course–or maybe I don’t. But I do OK for myself, and since I’ve been careful with my investments, if I have a lapse in employment of a few weeks, it’s not the end of the world. Whatever I make, I get to keep most of it.

He lived more lavishly than I did for a few years, but I’m pretty confident that now that he’s in prison, a modest life in the suburbs like mine would sound pretty good to him.

Ethics aside, the crime just doesn’t pay.

And even though it seems like the bad guys are winning–especially right now–eventually the good guys catch up. I found myself in a conversation Friday with someone a few levels above me, who was telling a story. EMC, the storage people, caught the Chinese hacking into their network. Nobody, he said, catches the Chinese in their network. They find out a few weeks or months or (gulp) years afterwards that they’ve been there. But EMC was using a product called Netwitness, and they nabbed them. After using Netwitness to catch a hacking group in progress, they bought the company.

They had another reason to buy it too, of course. Netwitness needs a lot of storage space, which gives EMC ample opportunity to sell large storage arrays.

Here’s the thing. Not every company can afford Netwitness right now. Or if they can afford it, they can’t afford the storage arrays and 14 people to run it. But once the stakes get high enough, they’ll find the money.

And what eventually happens to the hackers with bad intentions is that they run into someone who has the advanced technology, and they do what’s always worked everywhere else, only this time they get caught.

What Blackhatonomics points out is that cyber crime is about risk. For some people, it’s worth the risk, so they go bad. Others decide, for a variety of reasons, that it’s not worth the risk, so they don’t go down that road.

I’ve told this story before, but I had plenty of opportunities to go down that road. I knew phone phreakers when I was a teenager. I knew software crackers too. But I also knew it was possible to go to college, get a decent job, settle down in a middle-class suburb and be happy. What was I going to get that was worth throwing that away?

Nothing permanent. And notice I haven’t said a word about ethics. Even if I put ethics aside, someone like me has nothing to gain by going bad. That’s a strong argument.

If you found this post informative or helpful, please share it!