It's a variation on the old joke: What do hackers do when they graduate from high school and discover that food and housing cost money? They become security consultants.
That's essentially what happened to Marlinspike, though he walked away from a desk job at Twitter after they bought his security startup, Whisper Systems.
Black hats give way to green hats
As a longtime hacker, Marlinspike has noticed a dangerous shift in the attitude of those who like to expose the Internet's vulnerabilities. They used to do it for "lulz"; now they do it for money. They don't uncover zero-day exploits to publicly demonstrate weaknesses in technology in an effort to goad companies or governments to do a better job securing their stuff; they do it on the sly to help repressive governments exert control over their citizens. More Moxie:
It's hard to say exactly when it happened, but these days, the insecurity of the Internet is now more predominantly leveraged by people that I dislike against people that I like. More often than not, that's by governments against people.
Simultaneously, the tension between "0day" vs "publish" has largely transformed into "sell secretly" vs "publish." In a sense, the AntiSec narrative has undergone a full inversion: This time, there are no "black hats" anymore, only "green hats" -- the color of money.
Of course, the worst offenders here aren't individual hackers who are bribed into working for The Man. They're multi-billion-dollar tech companies supplying the equipment that makes repressive policies possible. Like Cisco, which is being sued for allegedly helping China to construct the Great Firewall. Or Nokia Siemens, which helped the government of Iran to locate and prosecute dissidents. Or Intel, whose security subsidiaries sold network filtering tech to governments in the Middle East and North Africa. Or AT&T, for that matter, when it allowed NSA spooks to install network surveillance equipment in one of its San Francisco data centers.
It's a long list, and I'm sure we only know about a fraction of what's really going on. Thanks to ethical hackers like Marlinspike, we now know just a skosh more.
Do tech companies have a moral obligation to avoid doing business with repressive regimes?
This article, "Now hiring hackers; leave your lulz and your ethics at the door," was originally published at InfoWorld.com.