Jump to content

Hacking For Profit....legally?


murder_face
 Share

Recommended Posts

Way back before the advent of wifi I got myself into a lot of trouble hacking for profit. I was never what you would call good. The bulk of my hacking was social engineering, dumpster diving, breaking into switch rooms to connect to peoples networks(beige boxing?) and stuff like that. I made myself quite a bit of money using lots of different tricks for evil. The only problem with that was that my big payoff was a prison sentance.

When I got out a friend of mine told me that I would never have a job touching a computer again. So I got into the construction industry. Now days I have a family to support, and let me tell you construction is NOT the way to support a family. A lot has changed in the last 12 years. I'm 30 now and learing new things aren't exactly easy now. I never learned any programming languages or acquired any certifications or degrees. I still know a lot about a little I just don't know how to use it for good.

I guess the whole point of my rant is that I want to know if I am pursuing a lost cause or is there still actually hope for me to get a career in the IT field. I know due to the nature of my crimes I might not get an admin position at a bank....Where do I start? What do I polish up on? Are CompTIA certifications a good route to go? Am I too old now?

Link to comment
Share on other sites

I am no expert, and don't mean to be demeaning in any way but the chances of you getting a job up against say some one who didn't commit any crimes are not so good for you, but that's just stating the obvious, although employers are not meant to be selective towards candidates in any way it does go on, that's just the way of the world.

If you want to put you're hacking skills to good use become a pen tester, a self employed one ;) because again and not meaning to sound rotten but if you are trying to get a job in an area you have comited and office in its going to be come even more difficult, self employment is the way to go!

- Anton

Link to comment
Share on other sites

I agree with you %100 and that is actually the direction that I have been leaning. My biggest concern is presentation though.

I know there is another post on this forum about presenting vulnerabilties to an administrator, and I don't mean to be trying to start a new topic. I'm just not sure how to market myself though. I don't just want to show up in an admins office with a 17 gigabyte file of patient records because I live close to a hospital and they don't have proper "best practices" in place. I also don't want to get arrested. I just want to get paid.

I don't want to walk into a bank data center and tell them that their low voltage electrician left the combo to their switch room written inside of a sprinkler box outside the building so their electricians don't have to "bother" the building engineer to get in.

I don't want these peole to think of me as a deviant, but I do want them to know that they are vulnerable and I would like to make some money off of noticing these vulnerabilities. Hell 10 to 1 says they pay someone for this already. My biggest fear is that both scenarios that I have just pointed out inolve federal laws, and I don't want to have to explain to my 3 year old daughter that she can't see me anymore because daddy "noticed" something. I would rather explain to her that daddy gets paid to be observant.

So I guess the bottom line is how does someone market themselves as an independent pen tester, and show references without getting themselves into legal troubles?

Link to comment
Share on other sites

Legally, you could sell exploits through bounty programs. Sometimes companies will offer monetary rewards to people who find vulnerabilities in their systems. Look up some bounty programs and give it a go.

Semi legally you could sell exploits on the black market. You'd have to first develop some valuable exploits, and then build the right connections to someone who can market and sell your exploit (and they will take a cut). Generally speaking, it still pays better than selling to the company through a bounty program.

Doing the independent pen-tester thing... I've never seen that actually work except for guys who have already made a name for themselves in the industry.

Never go to any admin or company with a vulnerability you've discovered and ask them for money. It will look like extortion.

Link to comment
Share on other sites

There are plenty of successful people who have records for things in the past, just depends on your skill set, and what you actually did as the crime and how it shows on your record. I hate using his name as an example, but its the goto one everyone thinks of most of the time, and thats Kevin Mitnick. He runs his own security company, and gets paid to help people protect their systems against things he knew how to do prior to his arrests. Kevin Poulsen, I believe was arrested for rigging a phone system to win a Radio contest and did some time in jail and now hes a journalist, or tech writer for a number of magazines and papers. He now writes for Wired magazine.

So to answer your question, I think it depends on your intent and what you want to do with your skills. If you had skills to attack systems and knowledge of things to break them, then you should also have the same skill to defend against or find ways to fix and prevent the attacks you are capable of, and while you probably won't be getting an Admin position with a bank any time soon, doesn't mean a bank wouldn't hire you to test their security from an outside point of view. Know that your record and offenses will follow you, and accept that. Once you do, move on and push in the direction you want to go in. If you go back to the criminal side of it, well, thats your choice, but your options are based on your own intent and the amount of hard work you put into making it clear what you want to do today, and if that is to be on the other side of where you came from, to being on the "white hat" side of the fence, thats completely up to you. Your work will be exponentially harder because of your record, but it might also make some doors more open for you, since it shows you have experience with some level of skill that other security companies might hire you for that alone, since there are many companies who get paid to legally do what you did as crimes.

Its also partly who you know, more so than what you know, and unless you can network with the right people, you are going to find a lot of doors shut in your face until you find the right nitch. It also depends on the types of crimes you we're convicted of too, and how that stands on your permanent record, but I'd say you have nothing to lose and everything to gain in trying to get your way back into the field, only for work related reasons this time, vs strictly black market profits that landed you in jail.

Edited by digip
Link to comment
Share on other sites

Way back before the advent of wifi I got myself into a lot of trouble hacking for profit. I was never what you would call good. The bulk of my hacking was social engineering, dumpster diving, breaking into switch rooms to connect to peoples networks(beige boxing?) and stuff like that. I made myself quite a bit of money using lots of different tricks for evil. The only problem with that was that my big payoff was a prison sentance.

When I got out a friend of mine told me that I would never have a job touching a computer again. So I got into the construction industry. Now days I have a family to support, and let me tell you construction is NOT the way to support a family. A lot has changed in the last 12 years. I'm 30 now and learing new things aren't exactly easy now. I never learned any programming languages or acquired any certifications or degrees. I still know a lot about a little I just don't know how to use it for good.

I guess the whole point of my rant is that I want to know if I am pursuing a lost cause or is there still actually hope for me to get a career in the IT field. I know due to the nature of my crimes I might not get an admin position at a bank....Where do I start? What do I polish up on? Are CompTIA certifications a good route to go? Am I too old now?

I understand your pain, for I was a dumb kid once (SE for stealing guns). I was in prison for nearly a year, did 5 years probation, and not one time did I violate my conditions. Finding a job with that on your record is the hardest thing you will have to overcome. I contacted a lawyer and he told me it was going to cost around 2,000 dollars and I had to pay a retainer of 800. I do EVUS work (exterior plastering), and made prevailing wages, but they do not last long enough. Also, when winter hits, no money, no money, no money. What you do save up is promptly spent on bills.

I feel your pain... bud... I really do.

Link to comment
Share on other sites

I'd consult my uncle. Uncle Sam, whether it be civilian work or in the military, can provide some great opportunities to people like us who have a hard time being 9-5 robots.

You have to learn a programming language too, the more the better. This is a rewarding experience in and of itself.

Study a lot, then go talk to some small business owners in your area. Tell them you do reasonably priced freelance security work (many times small companies want good infosec people but don't have the money to pay large firms) and I think you could make a living doing that. I have several people who pay me hourly who I'll check in on once a month or so, and while I don't guarantee security, I make sure that they aren't easy targets and it works. You just have to get out there and try different things.

Edited by bobbyb1980
Link to comment
Share on other sites

You have supplied almost zero details as to what you were doing that got you in trouble in the first place, but taking in to account what you did tell us it appears you're talking from the same perspective that a criminal would use. Now please do not take that the wrong way (or anything I say for that matter) I'm mearly pointing out what I'm seeing. With that you cannot hack something then expect to sell that information to the owner of the network. That will land you back in jail. The only possible way to do what you're asking is to be up front with your customer base and say look, I went to jail for this (insert issue) and paid for my crime. I now consult for a living. I can be found at (insert url of your real tax paying business) and details of what we can offer are listed there as well. Create a rock solid contact that covers you in the event of problems and create a rock solid statement of work (don't do any work without them) - There have been lots of kids/adults alike that have gone to jail/prison and still went on to have great carriers in IT security, remember Kevin Mitnick? The MS Live kid? etc, etc...

Link to comment
Share on other sites

Thank you all for your advice. Ashi, I got busted for a lot of different things, luckily the crimes I was commiting were changed to charges that the DA knew how to prosectue. In the end I was charged with forgery, burglary, acquired access cards with intent to distribute, assault, and possession/manufacturing a deadly weapon. I plead "no contest" to everything and did my time. I know the scenarios that I presented sound like I'm up to my old criminal behavior, and that's what I want to stay away from.

I found a job listing at Disney for a Security Analyst, and it looks like I am WAY under qualified even without my criminal history. So for now it looks like I will still be a carpenter for awhile. I figure I will enroll in a few community college classes or a certification program that leads to an internship to get my foot in the door and work my way up from there.

One thing that did surprise me about the Disney job was that they wanted a c++ programmer, and the general concensus around the internet is to learn python/perl, php, and ruby.

Link to comment
Share on other sites

One of my scams was in relation to this place:

https://eroes.pacifi...eroes/eROES.jsp

The wierd thing about this link, is if you click it then it works. If you manually type out https://eroes.pacific.verizonwireless.com it brings you to a page that says "hello world" but of you omit the "s" in https then it takes you to the link i posted.

I am actually shocked that this system is still in place considering when I was arrested I had the login credentials of about 800 radio shack employees. This system stores any credit check that was done by that store(dependent on the login used), all customer information(ssn, credit card info, address, DOB, everything), sprint also had a similar system I can't remember the URL off of the top of my head though. Now defunct cingular had an 800 number you could call, all that was required for that was a dealer code that was very easy to ear hustle.

Edited by murder_face
Link to comment
Share on other sites

One thing that did surprise me about the Disney job was that they wanted a c++ programmer, and the general concensus around the internet is to learn python/perl, php, and ruby.

The consensus is to learn python/perl/php/rub/etc. FIRST, but don't stop there. C++ happens to be a horrible language for teaching to first-time programmers, but it's also a powerful and expressive language for professionals in many different fields. It shouldn't be the first language you learn, but neither should it be the last language you learn.

You can learn languages like Python or Ruby in a week or two. C++ will months to learn and years to master.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...