It has been a fairly common story, and part rumor, that intelligence agencies like to recruit young people active in the cyber criminal scene, and that the IT security industry also adapted this approach. They basically becomes part informer and part subject expert, especially since IT security expertise seems to be a difficult subject matter to teach in universities. When I studied IT security in university, about 10 years ago, I heard multiple version of this several times, with one student from my university getting employed because they managed to demonstrate a hack on a bank.
I always hope that such recruits had a bit tighter surveillance from their employee, but no one in the industry describes such recruits as "highly susceptible to extortion and coercion from current members of the same gang", and absolutely no one described them as members of violent street gang. It might have been a fair label but at most, such teens were describe as smart but mischievous. Might not be the best people to be responsible for national security, or peoples bank accounts, but it seemed to be the culture of that industry.
Has other people in the IT security industry had the similar experience of this culture?
Yes, I've seen a number of people with criminal records hired. I don't really want to present my comment as an argument against every point Krebs made. I don't really have an opinion on whether the individual mentioned is a suitable hire.
But in infosec a lot of people probably got into it because 'hacking' is cool and glorified by the media. It's rebellious and appeals to a lot of teens I think. I don't think it's as serious as Krebs suggested that you could be extorted or compromised. It seems like it's just a bunch of inexperienced people in a discord channel. Soliciting a DDoS on there, to me, just seems like youthful nonsense. If you were actually in some kind of criminal hacking enterprise I bet you would know not to make mistakes like leaving a paper trail to your identity in a discord channel where you solicited a crime.
I haven't seen the people with criminal records for cyber crimes be less trustworthy in the industry. Some of them just made stupid mistakes when they were younger and sometimes dumb kids get way overcharged for cyber crimes. For the most part I think it's fine for kids to go through a phase where they think it's cool but they don't really know what they are doing. A lot of people have done that. A lot of 13 yr old kids on the internet have talked about hacking banks and things like that and they aren't all going to be in a gang. Another analogy is how a lot of people get into chemistry because they like blowing things up. Not all those people are terrorists.
> Some of them just made stupid mistakes when they were younger and sometimes dumb kids get way overcharged for cyber crimes. For the most part I think it's fine for kids to go through a phase where they think it's cool but they don't really know what they are doing.
I think a lot of the concern is that these kids aren't out of that phase yet.
SIM swapping is where you spoof a caller identity of a target in order to make a phone call impersonating that individual and then drain his retirement fund into a crypto mixer.
He was never charged for these activities, let alone overcharged.
Agreed. There was a lot of stuff I thought was cool when I was 20 which I shudder to think about now, 20 years on. It took me a long time to grow up past those phases of my life.
Yeah. I'm all for kids hacking, and even hackers with criminal records getting a second chance at security firm. Hacking is done for a lot of reasons, it could be just an interest in solving puzzles, and they happened to get in trouble with the law.
The part I'm not digging, is they seem a bit young to be taking over the Treasury Dept, or any department. It seems like this would have been better done by an Accounting Audit Firm, not hackers.
Hackers are just trying to get in, get data. An accounting audit would be more about finding impropriety.
So, it seems on the surface like 'finding waste' is not the goal.
>> So, it seems on the surface like 'finding waste' is not the goal.
Finding waste is pretty easy. As we're seeing already, cutting the waste is harder than it looks:
- The Congressional Budget Office recently found that Congress provided $516 billion in appropriations this fiscal year to programs that had expired under federal law.
- Federal government agencies are using just 12% of the space in their headquarters buildings on average, according to the Public Buildings Reform Board, which is an independent federal agency focused on recommending the disposal of underutilized federal properties.
- The House Oversight Committee spent $3.3 billion on furniture over the past few years.
- The federal government made $247 billion worth of payment errors in fiscal year 2022 and $236 billion in 2023, according to the Government Accountability Office.
These errors, also known as improper payments, include overpayments or payments that should not have been made, such as to someone who died or someone no longer eligible for government programs.
Estimates show the federal government spent $2.7 trillion in payment errors since 2003.
Did any of those findings need teenage hackers to figure out?
Also, by the dates you supplied, it looks like Biden/Democrats were already successfully in-progress of cutting costs.
Every large organization needs reviews/audits to find waste. I think the problem with the 'right' is the idea that because there is waste, we should abolish government. But, every organization accumulates waste, and then needs to have a review process to make corrections. The whole burn it all down is pretty immature take on leadership.
There are numerous examples of American intelligence officials being turncoat because they were extorted and compromised. Compromise and extortion are the main things that spy agencies look for in turning people. It's all too common. This kid should be nowhere near federal databases or sensitive information on American citizens. How much background has DOGE done on him? With their 'Move Fast and Break Things' moniker, my guess is very little. You're also giving these kids access to huge swaths of sensitive information. Sure, intelligence agencies can recruit young hackers with shady backgrounds, but they are given narrow scopes to work with. And usually there's been some agreement that those individuals don't want to be black hats anymore.
People get clearances even if they've used hardcore drugs such as cocaine and various more serious crimes than computer crimes. The adjudication guides for clearances explain this in more detail. I have a friend who exploited RCE full-chain exploits on productions servers and used to DDoS. He got a TS/SCI clearance no problem and didn't even finish college. I interviewed too and admitted to that stuff. They cared more about me admitting to cheating in math at college lol.
TS/SCI clearance is a lot more about truthfulness. The adjudicators are looking for secrets that can be used as leverage. Publicly writing reviews for cannabis strains is not a risk. A Mormon secretly hiding alcoholic tendencies could be. I'm also told that owning foreign property is unfriendly countries, and debt are the other big reasons for clearance denial.
I have a theory that the normalization of homosexuality in the united states was a move by the security agencies to lower their exposure risk. If everything is cool, nothing is blackmail.
Blackmail is what sinks orgs because you have no idea who is going to be a mole.
> I have a theory that the normalization of homosexuality in the united states was a move by the security agencies to lower their exposure risk
the decades of civil rights expansions, first for women, then african-americans, then disabled, and eventually the gays -- that was all just the CIA trying to do recruiting 2% easier?
rather, homosexuality as a secondary non-lifestyle, non-professed interest, often in one-off scenarios, is WAY more common than culture would like to admit, and the intelligence agencies are in the perfect position to precisely observe that fact.
For the US:
Women ~50%
African Americans ~12%
Disabled ~ 20%
Homosexual ~7%
It’s a lot more than 2% for any one of those categories, let alone them all. You’ve comfortably described a group that forms the majority of the US population, even when allowing for the homosexual, African American, disabled woman, who is in all 4 ‘minorities’.
Why recruiting? It’s not as if gay people universally stayed away from these jobs. Given the times plenty probably didn’t understand or accept this part of who they were until careers were in full swing. The issue would have been stopping a risk that was already known and actively exploited.
I don’t think this is at all why normalization occurred, that intelligence communities had anything to do with it, but if they had then it wouldn’t need to have been for recruitment.
I'm not the parent comment, and I think I get the gist of what you're saying. To be fair to the parent comment though, it's not just making recruiting easier. It's reducing the risk of compromise within your organization. Just one compromised employee can present a tremendous risk, which is nothing to 2%.
I can see why that idea is tempting, but it doesn't seem to work.
Military had "don't ask don't tell" for a long time because legalisation and social acceptance are different (also seen in reverse order with cannabis). Even today, the percentage of people in the US who think society should not accept it, 21%, is higher than the percentage who are homosexual or bisexual: https://www.pewresearch.org/global/2020/06/25/global-divide-...
For this reason, there's still plenty who want to stay closeted.
If sexual liberation was driven from the top to reduce blackmail opportunity, I think there'd be a lot more desires whose taboo was lessened, not just homosexuality.
(Though perhaps I'm underestimating how much else has changed due to what hasn't; I'm sure "cheating on spouse" used to be a thing that killed political careers, clearly doesn't now).
It also feels like the social acceptability of trans people has moved backwards. (Just my perception, or has that actually shifted?)
That said, the logic you give is still sound, and I think the increasing ease of private surveilance means we must eliminate as many taboos as we can so that society can keep functioning.
I think broader acceptance of trans people has increased as long as you view acceptance as "do whatever you want with your body."
The big wedge trans issue I've seen is with children and puberty blockers which is much more complicated and I don't think can be boiled down to "acceptability of trans people."
The violent acts against trans people are up. They are the most hated group currently.
And it has zero to do with puberty blockers as a leader. They have issue with any kind of trans affirming care. It is simple. You demonize the thing that trans are using and then people fear it. It is basically impossible to believe it is driven by care for those kids. If they cared for trans kids, they would care about them when they are not on puberty blockers too.
But they dont, as far as they are concerned trans kids can all kill themselves and should be punished. It is just when they get trans affirming care that it becomes a problem for right.
> I think broader acceptance of trans people has increased as long as you view acceptance as "do whatever you want with your body."
Between Trump's repeated executive orders and Facebook for some reason feeling the need to explicitly call out that you can now call trans people mentally ill (but not other groups!) on their platform, we're well beyond riling up people who don't know anything and aren't impacted into nevertheless buying into this moral panic. We've 100% moved backwards on the "acceptability of trans people."
Screw especially unpopular, it has multiple downright illegal and unquestionably immoral ones.
But the gender ratio preference is fascinating. There are multiple ones I would have never guessed (e.g. cannibalism is much more interesting to women than it is to men, which is weird because of all the high profile cannibals that I can think of, none are female).
> It also feels like the social acceptability of trans people has moved backwards. (Just my perception, or has that actually shifted?)
You're not wrong, it certainly has. I think this is more of it having become a cause célèbre than actual transpeople standing up for their rights. As is so often the case, if a movement doesn't have a strong leader to "stop" the movement once it achieves what it was after, then it goes ever onward - partly because there's a group of people who derive their life meaning from it (stupid), partly because there's a group of people financially dependent upon it (disgusting).
As Michael Malice said in one of his episodes of Your Welcome, "They way they fucked up was going after people's kids. The normies will fight back when you do that."
I think you're both correct. For those that care about their fellow (hu)man, it is extremely important to improve people's lives, to live without fear and violence. Unfortunately for the politicians, it was often just an issue that could be spearheaded to avoid and "hide" other issues. Much like businesses that celebrate pride month, and then drop the issue and remain silent on it until the next year comes around, because people are too easily fooled by a perceived month of caring. I am not of the opinion that gay or LGBTQ+ rights were ever pushed in order to prevent blackmail, especially since in the US, it is often the side that fights against those rights that end up getting caught in controversy for the exact thing they fought against. Much like how you hear that homophobia and transphobia is often perpetrated by those that haven't accepted their sexuality.
As much as I would like to believe this, I highly suspect that the normalisation of homosexuality killed the forbidden fun for those high power psychopaths.
There's this idea that sharing in illegal or socially shunned activities is an effective way to establish strong personal ties, and strong personal ties can in turn help advance careers.
Which is why there were a lot of successful secretely gay people in politics even in the 19th century.
As homosexuality became accepted, there was a shift to "harder stuff" playing this role. Not by literally the same people, mind you, but over time the composition of who's powerful shifts towards people who engage in shunned activities to form their strong personal ties. And as more activities become socially accepted, the activities that are shunned and give people a leg up become increasingly worse.
I don't like this conclusion, but it's the strongest potential argument against social liberalism that I know of.
I have the impression that sexual harassment became the opposite. Something most successful man are blamed for, decades later when all possible proof have vanished. In terms of blackmail, the power seems much higher.
People who sexually harass are on supreme court and literally the president. For considerable amount of people, it is a positive sign that "the guy is like us".
I don't think anyone takes it as a positive. It's just not what voters vote on. If they support one candidate's policies more than another's, they won't flip because of that issue. The example of Bill Clinton demonstrates that this happens across the political spectrum, and his feminist supporters were the ones making this argument back then. They got criticized for being hypocritical, but in politics you have to prioritize.
I do actually think they see it as a positive. It is not just that they do not care. It is that it heightens his credit in their eyes and they get to see him as victim.
At the least, it often makes them feel empowered to speak out in favor of forgetting all about the issue, and emboldening them to push for whatever the politician pushes that they agree with. At least in the US, you can hop on social media and take a look at your local newspaper or news channel's posts, and see some of the truly insane comments (and I use insane here as in bringing up politics to promote their voted politician, or smear the other side, when the issue is something at a local level or unaffected by politics in any way).
This is pretty darn specific. It must be tiny fraction of applicants. Hell, most Americans never leave the United States in their lifetime. The security concern about heavy debts or debts to unfriendly counterparties makes sense to me. But what is the security concern with "owning foreign property is unfriendly countries"? They can take it from you?
You have to remember that the DC area workforce has a lot of immigrants, people married to immigrants, and people who've done significant overseas stints. Plus there is a need for hiring linguists and cultural experts with fluency in unfriendly languages.
I know of TS clearance holders who have significant ties to Iran, Syria, Russia, and Afghanistan, but have renounced those citizenships and are loyal to the US. The clearance process works to figure out what levers those countries could still pull on them - foreign property and close family still there are the big ones.
"Are you an untrustworthy person?" Are you likely to take a bribe? Will you get mad at your boss and try to burn the place down, literally or metaphorically? Will you be careless in a way that brings about the same, with no malice?
"Are you as trustworthy as anyone else, but subject to inhuman pressure?" Anyone would be vulnerable to having a relative threatened; you probably don't want to hire someone who would be apathetic to having their parents or child threatened. If that relative is already in unfriendly hands, that's a huge risk.
In some ways, a $100k house in a (hostile) foreign country is no different than a $100k bribe; it's just stuff. If you ignore a threat to your property in a scheme to extort you, you are $100k poorer than if you give in, just like if you turn down a bribe. But humans are prone to loss aversion. Having $1 taken from you is far worse than receiving $1 is good, even ignoring any sentimental value of the property in question. Some people will still be able to ignore the threat, not allow themselves to be compromised, but a lot of people will find it hard.
For a job where security is a concern and you have thousands or millions of perfectly cromulent candidates, it's not crazy to winnow the pool first by discarding everyone who's untrustworthy or has extra levers that can be used against them. You still have thousands or millions of great candidates left.
Yes they can, which is why there are many many factors considered in granting and maintaining a clearance. None of them are simple black and white things. For foreign property, it is very different owning a small vacation house and owning a house where 3 generations of your spouse’s family live or owning a commercial property that provides a significant income to you. A foreign government putting each of those things at risk would have very different implications.
Only if you don't take 30 seconds to think about it.
Of course you can be compromised without owning foreign property. But foreign property is a vector by which you can be compromised.
Doesn't it make sense an intelligence agency would want to know all the possible vectors by which potential employees could be compromised? For each vector you'll have certain remediation steps, up to and including "don't hire this person."
sure, but it's way easier for the FBI to request the title and deed for things in the US and track their history than an apartment building in Panama, or a plantation in Indonesia.
they need to hire people who speak Arabic, or Chinese, or Hindi, and have ties they can utilize in those countries -- or at least understand well enough to build ties.
overseas money and property, esp. in unfriendly countries, rapidly becomes a concern in that sense. go double agent, have a friend overseas give you some sweet improvements to your house on the cheap, then sell it later for 4x than it's worth, and repeat.
Maybe the US 3-letter agencies are a bit more forgiving, but when I worked in intelligence there were three deadly sins that would make you untouchable as a candidate:
- Drug use
- Financial crimes
- Close ties to hostile countries (China, Russia, Pakistan, Iran, North-Korea, etc.)
And at least in my country, it's not the intelligence agencies themselves that handle the security clearance, but rather a dedicated agency/authority that processes all the security clearances in the country.
Now, if you've never been arrested / charged / convicted on the two first points - who would know? I'm 100% some candidates would simply lie.
America has recently waved the security clearance process entirely for certain roles, so currently there isn't anything that is disqualifying right now.
Prior to that change, lying in the clearance process was the one thing that was absolutely disqualifying. As you noted candidates are incentivized to lie, and so "did you lie here, where it is likely to benefit you?" becomes an effective screening mechanism for people who are willing to compromise their ethics for personal gain.
US intelligence agencies really only care about your third point directly, everything else they care about only insofar as it can blackmail you or make you beholden to criminal interests.
They don't care if you're gay, but they care if you're closeted. They don't care if you do drugs, but they do care if it's such a problem you could become financially beholden to someone over it.
More accurately, they don’t necessarily care if you did drugs in the past. Current drug use, or very recent drug use is a risk, as addiction is a huge risk for both judgement and susceptibility to blackmail, and even controlled drug use is illegal. Also, being a previous drug addict extremely risky drug use can speak to your current judgement.
Making a judgement against someone based on where they randomly happened to be born is self-defeating as talented people who are security- and defense-oriented will just work for another place that you maybe don’t want them to work. Interestingly, most of the news I’ve come across of someone betraying national secrets has almost always concerned a white man, but maybe that’s just what I know.
If you have connections to a hostile country - family, friends, business, spouse, etc. they can (will) become targets of intel ops.
So your wife is from Russia? GRU or FSB will start to pressure family and friends of your spouse.
Anything that is worth anything to the enemies of your country, they will find a way. Which is why agencies that require top secret security clearance will rather just set the threshold extra high, and lose out on potentially good talent. Better to be safe than sorry.
That's a fair assessment. I will just point out that it's a bit simplistic to believe that ally or friendly countries don't have ideological opponents which could potentially do the same and target people based on ideology. Ideological grievances exist in any society regardless of similarities in country, race or religion. So I agree, that it's a tricky situation.
People often lie yeah. The polygraph has been proven to be pseudoscience and the tactic of we know you're lying about x to get you to spill the beans is common knowledge now.
The difficult thing, at 19, is that a person has had zero time to at all demonstrate that they have put drugs and/or other criminal activities behind them.
These guys worked for SpaceX anyway, so it's pretty much guaranteed that they were already cleared even before joining DOGE.
A lot of speculation and guessing on this topic, which is surprising from news outlets which pride themselves on "facts" and "truth"... I'm not even mentioning the fact that revealing the names, handles, identities of employees and clearing saying that they have admin rights on systems X and Y, is in itself a serious breach of cybersecurity...
Journalists' rights to publicize who works for the government is absolutely protected by the first amendment.
Republicans didn't have any problem with that when they used it to blow Valerie Plame's cover in political retaliation. Somehow now that it's Musk's army of channers stealing our data and breaking the government payment systems _some_ people have decided the first amendment is optional I guess.
Tangential, but the Plame thing was very much done by the political establishment types which tends to go beyond parties. For instance the person who outed her (Richard Armitage - Republican/Bush's Deputy Secretary of State) endorsed Clinton and was a never-Trumper. The motivation is that her husband's work (as well as her own) revealed that a lot of the pretext for the Iraq War was built on outright fabrications and lies. They apparently refused to play ball and were going public, so "they" destroyed her.
I think Democrat/Republican loses meaning in these sort of contexts. I've never once voted for a Republican in my life yet I also am extremely supportive of what's happening right now, mostly because of a strong anti-establishment inclining. I find that when powers grow too comfortable, they trend towards corruption and abuse, exactly of the Plame sort as but one tiny morsel of such. A bit of a shake-up now and then keeps everything far healthier for everybody (the country itself most of all), and it's far nicer doing it this way than by watering Jefferson's Tree of Liberty.
I assure you, as DOGE starts to look at the Pentagon, which has failed audits repeatedly, to 0 consequence, expect to hear all sorts of establishment Republican yelping.
Interns aren't around long enough to get security clearances and interns in defense companies usually work on non-classified work. The only vetting is "are you a citizen or lawful permanent resident?", for export compliance.
If an intern had access to any classified materials, it is because a crime was committed.
Internships with clearances are common in the Intelligence Community.
Homeland Security
“The Office of Intelligence and Analysis (I&A) Internship Program is for… an exciting career in homeland security and intelligence…all selected applicants must undergo and successfully complete a background investigation and be granted a Top Secret/SCI clearance” [1]
Department of State
“Students tentatively selected for the internship program must undergo a background investigation and receive either a Secret or Top Secret security clearance.” [2]
Office of Naval Intelligence
“All interns must receive security clearances at the interim or final top-secret level with access to sensitive compartmented information (TS/SCI).” [3]
Defense Intelligence Agency
“Summer Internship Program (SIP)… To be eligible, you must…Maintain a security clearance” [4]
> that intelligence agencies like to recruit young people active in the cyber criminal scene
Just linking this back to the story, am I mistaken in saying that DOGE is not an intelligence agency? (It certainly is a great position to exfiltrate information however.)
DOGE is a renamed Obama-era agency called the US Digital Service. This group basically tackles IT needs for different departments, which is how Elon is able to weasel his way into any department he decides to target.
First time I've seen this, and very interesting. I was aware of the USDS but not the DOGE connection. Presumably all the former employees were fired as the alien took over the host?
Yeah it was started after the Obamacare website debacle years ago. The intention was to have a group of IT professionals who could shuttle from various departments to help with different projects. Pretty innocuous, honestly. It was never intended to be used as a tool to dismantle the federal government.
The perfect place to exfiltrate information and absolutely no need for this level of security skills there unless they intended to break into government systems they were not given access to by e.g. the courts.
Their stated purpose is "to reduce wasteful and fraudulent federal spending". Organizations that have waste and fraudulent spending will not "give" access and will throw every obstruction in the way.
I'm not justifying anything. Every large organization gets audited and is required to allow outsiders in to review data. It's quite legal, necessary in fact. Nobody likes it. They don't call it "hacking".
If you read my original comment, it was about there not being a need for such security skills unless you have intentions to access the data regardless of what is put in your path. If you are denied access by the courts but you access it anyway, you are hacking. They also have no charter to audit, are not authorized by Congress, and are therefore already skirting the very knife edge of what is legal.
Skirting knife edges of legal is not illegal. Perhaps you are concerned about immoral, do you think it's immoral to review financial records?
I used an audit as an example. The agencies are acting as if their records cannot be reviewed unless they themselves vet they auditor which is suspicious given they are part of the executive branch.
By your logic, ex-cons are not employable because companies would not employ them unless they have intentions of using their skills.
Yes, if anyone hired a 19 year old ex-con into this role digging through the personal data of government employees... I would say it's pretty clear what their intention is. Furthermore there are established processes chartered by Congress for auditing and reviewing secure materials held by government agencies. Those require background checks, vetting, and proper processes. They don't involve random people hired a couple of weeks ago showing up and digging into whatever they feel like looking at.
They aren't "digging", they are looking for fraud and savings. They've have been vetted by elected officials, just not the ones that seem to have something to hide. I really don't think you know what their "intentions" are.
I don't think this conversation will go much further, please don't let me stand in the way of your outrage.
You don't know what they are doing other than what the said they are doing. Just because someone say's something about their motives, doesn't make it true. It sounds more like you have a position that you want to have promoted "auditing records for corruption reasons" (which is noble btw) and hoping the DOGE organization's behavior is lining up to that position. I'd be careful of this as it sounds more like cognitive bias.
This is true except for me wanting to promote anything. I have positions that I take and like to discuss with others, nothing more. I do hope it turns out to be an audit (and it certainly seems that way), but watch it cautiously for any deviation.
Ah yes, you don't like how things turned out and so you resort to characterizing me as outraged as though I'm somehow less capable of being logical than your are. Feel free to not engage with my comments in future. I'd much prefer that.
I think the implication is that if the person concerned (dox-ed again by Krebs) would pass an intelligence agency review, they should be OK for fraud investigation.
> They basically becomes part informer and part subject expert, especially since IT security expertise seems to be a difficult subject matter to teach in universities.
I don't think the argument they can act as an informer for things going on inside government agencies works. They've never been on the inside.
And I don't see what it has to do with IT security. What are they doing that's security related? Isn't what they're claiming to be doing pretty much data analysis?
The only overlapping skill I can see is a willingness to exfiltrate data, if they're doing that, without giving consideration to the rules or consequences.
I think the difference is in the kind of positions the "second chance" people get hired to. They aren't put in positions where they could cause significant wide scale harm with no auditing or barriers.
The debate isn't whether he should go to jail. The debate is whether he should get a clearance for some of the most powerful access someone can possibly get. He's not suitable. Why can't Musk replace him? He's just a kid.
Because, like Trump, he values loyalty above all else? That's the reason why he reinstated that other guy who resigned after his extreme-right social media posts were unearthed (https://www.theguardian.com/us-news/2025/feb/07/musk-doge-st...). That's also the reason why Trump pardoned all January 6 rioters, even those convicted of violent crimes. If it's his people vs. some random cops, he will always favor his people.
I think that in the cases you mention, the extreme-right social media posts appealed to Musk and Trump actively wants people to do violent crimes on behalf of his coup.
Neither case was them valuing loyalty over something else. They rewarded people who did exactly what they wanted.
"Suitable" depends on what the aim is. If this were a good faith effort to find "waste and fraud" then clearly not. But if the goal is to destroy the capacity of the government to place any restraints on enterprise (and in particular Musk's enterprises), and an assault on the rule of law in general, and the instantiation of a racist ideology, then he's ideal. The fact that they let him go in the first place was the surprising part as what he said was no worse than what many Trump appointees have done.
I see you are mixing up IT security jobs where you can hire „mischievous people” with IT admins.
I say 90% of security is admin work where one has access to various stuff.
Then you have red teams, pentesters, consultants- that don’t have ever privileged access to anything. They should find flaws and pass recommendations to IT admins. If they hack anything at all - it has to be outlined in scope and strictly monitored. For both sides protection as if „hacking person” doesn’t get blame for something he did not touch by him but at the same time someone pulled off something nasty.
I think you would be a bit surprised with both the university programs that teach it security, and also which companies that look to employ them.
IT security can be admins, it can be programmers that focus on exploit vunerbilities, it can be reverse engineers, it can be pentesters, it can be red teams, and it can be people with high domain knowledge in a very narrow field related to security. IT security is a very wide field.
IT security programs focuses a bit on everything, but as in my university, they gave the person responsible for the program a fairly free range to focus on what they thought was what the market wanted. Different universities will focus on different aspects.
The organizations that seek such employees are also quite wide. The military, the intelligence agency, large software companies, large companies with internet assets (like banks, but also game studios), government departments like the tax office, and then naturally we got all kind of IT security firms with red teams, pentesters, consultants and so on. A big hire of my class was also a network company developing network finger rules for deep packet inspections, which wanted people skilled with reverse engineering and decompiling (they may or may not have employed people who had experience cracking games).
Not saying IT security cannot be admins, sounds like you are bringing theoretical viewpoint. I already have some years of experience and certifications in the field - so it is hard to surprise me.
I am pointing out that in most places there is separation of duties so you don't give "red teamer" or "pentester" access to any databases when they are in offensive role.
Then most likely administrators (who can have formal education on paper called cybersecurity) who have loads of work so 90% is configuring and keeping all configuration proper will have requirements like background checks and you are not going to hire "mischevious people" for that role.
Security is a broad spectrum but still offensive testing is maybe 1-2% of the work that needs to be done, all those systems need people to configure them. Having good security 90% of work is waking up updating software and keeping configurations of systems documented and in proper state. If some company doesn't have their security posture basics fixed there is no point of doing "red team assessment" or a "pentest" with them, that would be waste of time.
I agree with you. When I was younger, I played a lot of Minecraft PVP servers, and for whatever reason these PVP servers cultivated a weird and toxic community of cyber criminals about them. For reference/star value, the recent headline of the kids stealing 200m in crypto via social engineering— I played with those very same people when I was younger. As in, the people who were sent to jail.
Their story repeats itself a dozen times over from my now-fragmented friend group from that time. Many young kids getting into ill-fated get rich quick schemes ranging from credit card fraud to refunding (mail fraud) all the way to sim swapping, blackmail, doxxing, and even real life violence and gang activity. A few of my earliest friends were just indicted for home invasions and armed robbery in some scheme to steal crypto. All of them from Minecraft, weirdly enough.
Anyways, those who didn’t end up in jail or “on the run” from participating in these stupid schemes, I tend to notice a common trend towards security related work. I know one guy who went from fraternizing with the same now-criminally-indicted people I hung around to working for the FBI’s cyber crimes unit (fitting, I guess). Another one now works with a defense contractor developing spyware, as far as I can tell. Many more work in different areas of cyber security and programming et al, including myself.
The cyber-crime adjacent to cyber security pipeline is very much so real.
Don't know about intellegence agencies but I got to know pentesters / red teamers at some large companiese, and they were cool but had a very unsavory side. Several times I found myself in conversations where they were admiting to serious crimes and unethical behavior. I suspect that you need to be passionate about wanting to do bad things if you want to be good at security.
Equating script kiddies to some genius cyberhackers worth recruiting is laughable when we literally have PHDs and 6 figure salary professionals willing to be recruited legally with zero baggage. Why are the top digital safety institutions hiring the very bottom of the barrel?
> Why are the top digital safety institutions hiring the very bottom of the barrel?
I don't know anything about "The Com" or top digital safety institutions.
But I do know that historically, some parts of hacker culture have drawn heavily from political theories of anti-authoritarianism, anarchism, and libertarianism.
If the authorities and rules intend that I not have access to something, and I have a fascination with bypassing that and getting access anyway, am I not subverting power structures in the most literal sense?
If large corporations believe they alone should control the software that runs on my printer, so that they can ensure only authentic supplies are used and premium features are only available on premium devices, while I believe every user should be able to modify their printer's software and behaviour without limit, including to bypass such restrictions - is this not an anarchist stance, opposing coercion and mechanisms that perpetuate control?
If the exploit-discovering side of cybersecurity is inherently anti-authority, recruiting people who've never defied an authority in their life might not be the best move.
Those kids make good "experts" in thier narrow fields, but that doesnt last long. They are generally not effective leaders, thier usefullness drying up as the state of the art moves on. Some grow up and learn how to operate as leaders in a corporate or government environment, but most burn out once they meet the next generation of golden childs.
That's actually ok in a military context. Most kids right out of highschool dont serve more than a handfull of years. Then they are the corporate world's problem.
They are not considered experts in their fields. They are not senior in their fields, so that criteria is already off the table, eg, how to deal with legacy, production, and high sensitivity systems in regulated environments. (There are COBOL servers there!) Data science and accounting are fields too, so not sure why that is ignored. So that leaves junior criteria. I taught in one of the depts of one of 'the better' ones, and his peers are publicly lauding him with laughable examples of 'excellence' -- nowhere close to examples we use for describing top students.
They sound like regular A/B-grade CS students: unproven new grads. Motivated and high-energy, yes, which is sensible for a junior low-trust role if they pass other basics like references and criminal checks. At our current company, we would not have hired several of them in our entry roles due to the obvious issues that our routine diligence would surface (in recent work history: associating with criminals & criminal orgs, repeat googleable public displays of racism, etc). And the rest, for likely not being at the level of top students applying to us, irrespective of evaluating on academics vs DIY. Their examples would need to be significantly more compelling to change the conversation.
If these hires exist (and I'm doubtful they do, at least at any scale beyond "this one kid is an actual genius!"), are they then given the "keys to the kingdom"? Musk/Trump wanted this kid to have what amounts to superuser access to the government purse, which is unheard of for any new hire, let alone one with this kid's background.
I’d also distinguish between the hacker to gets access to a forbidden system out of curiosity or for a challenge, from a person who pays a ddos service to attack someone they don’t like (one of the accused actions of this kid).
The latter displays no competency in hacking or cybersecurity, only the attempt to harm another.
My concern in their access to secure government systems is not their hacking competency (which has not been demonstrated), but their sociopathy which has.
Sociopathy is a very strong word, but they do show a pattern of criminal and anti-social behavior. This is not too uncommon in teens, and many young problem kids reform into good members of society either by being shown consequences for their negative behavior, or more or less naturally "mellowing out".
The issue here is that these kids seem to fail upwards, and as you say, get rewarded for anti-social behavior, which sets them on a terrible path for the future. In the Com chat log shared in the article, they made fun of Edward Coristine for his complete lack of programming skills, and the other "doxxed" members of the DOGE team have some smaller projects online as well. If that's the kind of code SpaceX and Tesla run on, I'd give all of their projects a very wide berth.
The guy who bought a DDOS and got fired from an anti-DDOS company for leaking secrets to a rival is an ex-Wall Street multimillionaire's son. He's never going to fail any way but up.
while I agree there's typically a big event where the state has incredible leverage over the subject that is part of the flip. As far as we can see in this story; there is no leverage. So for all we know this guy is doing what he did in his last job and selling secrets gained working here to competitors.
Imagine if DOGE feeds all the data they get their hands on into an LLM and he sells a copy of that to a foreign nation, allowing any other government a text-based interface to ask any questions of any of the internal workings of the US administration, government, citizens or even some of its secrets.
Even without the leverage, I think that former teenage hackers turned pentesters or three-letter-agency adjuncts are hired for specific skills on the understanding they're being watched and they're probably not getting access to much more than a sandbox or adversary data and the money and freedom's all in scrupulously obeying the rules
That feels a little different to hiring people with cracking credentials for auditing jobs, giving them full access to extensive government records (and possibly the right to backdoor them) in a move fast break things environment on the understanding that they're probably above the law and they're less likely to be punished than anyone barring their way.
I doubt the success rate of converting teenage tearaways to scrupulous white hats in boring businesses is 100% either....
I always hope that such recruits had a bit tighter surveillance from their employee, but no one in the industry describes such recruits as "highly susceptible to extortion and coercion from current members of the same gang", and absolutely no one described them as members of violent street gang. It might have been a fair label but at most, such teens were describe as smart but mischievous. Might not be the best people to be responsible for national security, or peoples bank accounts, but it seemed to be the culture of that industry.
Has other people in the IT security industry had the similar experience of this culture?