HACKER Q&A
📣 dk79XuL9

Recent computer hacking convictions and employability?


I was involved in a high-profile computer hacking case in 2015 which received international interest. I eventually pleaded guilty to charges of blackmail, fraud, and computer hacking. Following that, I was sentenced to four years in prison. I'm currently on probation for a year, and I'm also under the supervision of the Serious Organised Crime Unit for another four years. I'm bound by a number of technical constraints. The authorities in charge of my supervision are happy for me to find legal work in cybersecurity, but given my current circumstances, I just wanted opinions on how I should approach this.

I'm completely self-taught, and while on bail, I did a lot of responsible disclosure. I collaborated closely with CIRT teams, system administrators, website developers, and government agencies to ensure the remediation of over 3,000 web-application vulnerabilities. I wrote technical reports, provided remediation guidance, and validated patches to ensure that security issues were properly closed (in an informal capacity). My first bug bounty contribution took place in 2012 which was a GET-based reflective XSS on a subdomain belonging to Microsoft.

Over 30 private and public sector entities have sent me letters of acknowledgement. I've also been inducted into a number of halls of fame for uncovering vulnerabilities. In 2019, I was also ranked 11th out of 25,000 active researchers on a bug bounty platform.

I can't just walk into employment with my skillset because I'm not particularly talented, just proficient in web-application security and various methodologies used to identify vulnerabilities. This leads me to believe that I should look for entry-level positions, but I've been told I'm overqualified. Some opinions would be appreciated.


  👤 inetknght Accepted Answer ✓
> I'm not particularly talented

Stop telling yourself that. You wouldn't be #11 out of 25,000 if you weren't talented.

As long as you're open about your past and convictions, and your legal standing permits employment doing the work you'd do, then there's nothing stopping you from applying.

When you see a job posting then look at what the requirements are. If you fit more than half then you should apply. The things you don't know can be learned on-the-fly. You'll no doubt have interviews that try to find your strong points and weak points. You'll have failures. But that's not a problem: everyone has those.

This is your market: there are tons of companies that are hiring for your skillset and you'll land a job quickly if you're good enough at the core skills that are needed... which I'm sure you are.

Edit: I would also add that I'm also completely self-taught. The only computer class I've taken was typing... and I got kicked out for cheating because it was boring. I've been employed in software for over 20 years and currently make $160k salary in TX, USA building software for drones. There are a lot of people in the computer industry who are self-taught. Don't let that stop you.


👤 3pt14159
Apply for everything. Let other people say no for you. If people find out about your past be 100% straight with them, but you don't need to be the one to bring it up. Work your hardest to provide value, ask for feedback and correct where necessary. You'll be fine. There's a lot of work in cybersecurity these days.

Also, you should list the country you're in. Who knows, someone on HN could reach out with an opportunity.


👤 Joe8Bit
I've hired quite a few security folks in my time (some with criminal convictions) but my answer is an unhelpful one: it depends.

If you have a criminal conviction it's unlikely you'll get through the screening process with a regulated business (like banking, insurance, pharma etc) due to some 'out of the hiring managers hands' constraints those industries have. I've seen exceptions to this in the past, where a senior manager strongly advocated for the exception, but it's _very_ rare.

I've worked with several security people with criminal convictions in the past at non-regulated, FAANG and FAANG-like tech companies. They also usually have policies in place to prevent hires with criminal convictions, but the exception process there is easier, particularly in security teams where these convictions are more likely to occur in strong candidates.

The biggest concentration of folks with backgrounds like yours have been at security consultancies, in my experience. Combined with the experience you mentioned with bounties, that would be the place I'd spend most time looking. You might still get rejected from some, for example those with customers that require criminal background checks for employees or security clearance you couldn't get, but there are still quite a large percentage where you could find work. Personally, I've had conversations with external consultancies who say things like "I know you require criminal records checks on all our employees, which we're happy to do, but I want you to know >50% of my team will fail them".

A couple of other things:

- No matter where you work, with your background there might be some kind of 'restriction' placed on what you work on and/or how you work (e.g. can't work on project Type X or must work from Office Y). If you do get through a process, ask about this before joining, as it might have an impact on how much you'd enjoy the role.

- Be open about your background. You sound like you would do that anyway, but the more open you are the better, you don't want this to be a surprise to people. What you're looking for is a strong advocate on the hiring team, so building trusting relationships with people will be important.

Don't be too down on yourself, you might have made some bad decisions, but you sound like a talented professional. The criminal justice system exists for people to serve their punishment and then move on with their lives. There are companies that will be delighted to hire you because of your skills. Your road may be a little tougher than for others, but that doesn't mean you can't end up professionally happy, fulfilled and well compensated.


👤 lordnacho
Your issue is not competence, nobody will doubt that you are capable.

What you need is to show people that you're not going to cause trouble for them, which is more of a social skill that you demonstrate at the interview. Try to acknowledge that you did something bad, don't use words that diminish it, and try to explain that you want to move on and you now want to be a positive force.

There's going to be some natural questions that everyone will ask, so consider them as set-pieces and practice your answers.

The market is hot now, so get some interviews and see what comes up.


👤 core-utility
On an episode of Darknet Diaries [1] (great podcast by the way), there was someone in a similar situation as you who goes by DAWGYG, who found his stride after incarceration on HackerOne [2]. If I remember correctly, he holds the record for highest single payout. You could give that a try, though income wouldn't be steady you'd effectively be working for yourself and utilizing your skillsets for good.

[1]: https://darknetdiaries.com/episode/60/

[2]: https://www.hackerone.com/


👤 wonder_er
I bet there's lots of companies that would hire you, based on this particular HN thread alone. Here's what could be worth doing, and wouldn't take much time at all:

1. Put together a one-page website, on a domain like firstnamelastname.com
2. Add a link to this page
3. Put a link to your website in your email signature

Done! Now everyone you ever email, if they want to know more about you, will know that you're _deeply_ proficient in certain domains, and it'll be up to them to decide that you might be a good fit.

Since you've got this particular charge against you, and the US makes it nearly impossible for people who have run afoul of the state to legally be paid, but you _might_ be able to open up a Stripe account, and create a "payment link" (https://stripe.com/payments/payment-links) for a one-off "roadmapping sessions" (https://doubleyourfreelancing.com/roadmapping/) where a company/team pays you $10,000 and you'll visit them (virtually or in person) for a day or two to talk about their thorniest security problem.

"The system" wants you to apply to (and be hired into) an entry-level position, but that would be a giant waste of your time and everyone else's.

I wrote this article for eager bootcamp grads, looking for their first job. You're not a bootcamp grad, but it _might_ be helpful to you: https://josh.works/remote-job-resources


👤 YesThatTom2
As someone who hires many people, it comes down to whether or not you are humble about it. Or, to be more blunt: if you're an ass about it.

Humble: "I have a bad thing on my record. I understand what I did wrong and want to move forward with my life, doing good work, and being a responsible citizen."

Jerk: "I got busted but those jerks didn't see that I was helping them! It was all BS, dude!"

I'd gladly interview someone that got in trouble but shows humility about it.

Tom

P.S. I hate that this is true, and people will probably flame me for saying this. I don't know what you look like or how you dress, but you'll get a lot of mileage out of dressing and looking neat. (no tshirts, hair trimmed and not sloppy, etc.)


👤 inglor
A bunch of friends just look for and then sell vulnerabilities (the good ones to bug bounty programs, the less ethical ones to governments or companies).

The price of a zero day exploit is quite high (for both sides) and I have friends who make much more money than I do doing this.

That said they mostly work alone or in small groups in their basement rather than at a large security company.

I would hire (or at least interview you) with a prior conviction though I am not hiring for a security role.

I don't think the conviction is a serious impediment for employment in this particular field (since it's for a non-violent crime) though it might warrant supervision on your employer's side and I can definitely see the larger companies not wanting to take the risk.


👤 hirundo
A former coworker of mine was a convicted "hacker" who did time in federal prison for it. Part of his story was told in Clifford Stoll's The Cuckoo's Egg. The coworker told me that he had stuck at the current company for many years because he felt that his reputation, including a Wikipedia page, would prevent him from getting another good job. I told him I thought it might help him more than hurt him, and he just shook his head sadly. But then a year later he did start a job hunt, and found an excellent high level position at a large successful outfit almost immediately. He's still there. They knew who he was and what he did. I think that rep helped him more than a little.

It depends what you did of course. In his case the only plausible "victim" was AT&T, and he disputes that too.


👤 eli
Many states and cities in the US have so-called "ban the box" laws that prohibit employers from asking about your criminal history during the initial hiring process or sometimes until a job offer has been made.

Explaining why you have a criminal record is going to be a lot easier to someone who already thinks they want to hire you.


👤 opheliate
> Serious Organised Crime Unit

Are you based in the UK? That's probably relevant, it seems like a lot of the cybersecurity sector over here is very friendly with NCSC & SC is required for a lot of roles.


👤 kerneloftruth
Own it, and capitalize on it! You've already written the first sentence of your sales pitch: "I was involved in a high-profile computer hacking case in 2015 which received international interest."

Continue with "therefore I know about system security...". Write a book, charge a huge rate as a consultant. I'm serious. If you act like a beaten-down person, you'll be treated as one.

It's classic making lemonade from lemons, but it can really work. If not, you've lost nothing.


👤 SirChainsaw
Don't worry about the official criminal record. I've been a software developer for just over 20 years....had a DBS check once. Just once.

You clearly are talented so stop telling yourself that.

Have you thought about starting your own security consultancy?


👤 JohnBooty

> I can't just walk into employment with my skillset because I'm not particularly talented

Maybe in the world of cybersecurity where a lot of the talent is (from my outside perspective) pretty top end.

For most tech industry jobs, you'll be way overqualified and the rest of the team will be in awe.


👤 runjake
- Stop with the self-deprecation BS. It's hurting you, in the eyes of yourself and others. But don't be cocky, just be humble.

- Own your past. You've paid the price to society. Go public and tell your story -- be it a sentence, a tweet, a paragraph, an article, a podcast episode[1], or a book. Putting it all out in the open will make you more hireable.

- Don't fsck it up. Grow your integrity and ethics, or at least maintain them and keep them impeccable. Keep that old saying[2] in mind, it's so very true in a case like yours.

- Connect with others in areas you are interested in. (Twitter seems to be great for cybersecurity)

- You did the blackmail thing as part of your crimes, so realize it will take time and effort to gain trust.

- If you have that particular hacker mindset, you can quickly acquire the modern skill sets.

1. Maybe Jack might want to have you on Darknet Diaries at some point, if your story is interesting enough? He does it in a story-telling style that takes the pressure off the guest that they would normally have in an hour-long interview format.

2. (NSFW quote about bridge building) https://www.quotes.net/mquote/73833


👤 archi42
It seems you did BB stuff before, but ended up on the dark side. If you want to avoid sliding in there again, a "regular" security job might be a good idea.

It sounds a lot like pentesting in a web-focused team would match your skill set very well. But I suppose you already know that? I would not interview for Junior roles if I were you, or only if you're rejected higher up the ladder. And if they tell you that you're overqualified, but the position and compensation appeal to you, just tell them you don't care and would be looking forward to working with them.

Regarding your conviction: This is most relevant if the clients require some sort of clearance. Also your employer needs to be able to trust you, which means you have to demonstrate that you can be trusted (and add to that some blind trust from the would-be employer, but you cannot influence that too much).

There are also other security related positions, which you might enjoy. You already had contact with some large corps, maybe you could interview there?


👤 yrral
Have you looked into auditing decentralized finance (defi) protocols? There is currently a huge demand and very low supply of good auditors. I believe there also are very many "anon" auditors in the space, so your past would not be a big problem I don't think.

👤 rafale
Hacking is one thing. I understand the technical thrill. But blackmail and fraud? That's a human-to-human interaction, not human-to-machine. Once a person crosses that line where you are harming another person at that level, there is no going back.

👤 werber
If I was in your position I would post your contact information, even a throw away account on this post as you’re on the front page of hn and you might never get to have this great of an opportunity again to find legal employment.

👤 dazhbog
Given your skills, I would recommend a startup or a consultancy (anything self-employed). This way you shield yourself from having to worry about disclosing your past to others, worrying about background checks, or the self-taught part (which should be irrelevant but oh well). Plus you grow in whatever direction you wish.

If you want the job route then you need to apply to as many things as possible and find a story version that won't scare people off. Don't lie, just give them a well packaged insight into what happened in the past. You also have humility which is a great start.

Good luck!


👤 xwdv
The best way to describe your past is “ethically challenged”. I too am an ethically challenged individual but by being somewhat upfront about this with my managers it has made me into an asset the company can trust with certain projects they’d rather not talk about with the company at large. The team of developers I work with are not formally acknowledged as a team, but our work often involves assembling the output of various disjoint teams into one solution that they’d probably object to building themselves as a whole.

👤 rootsudo
I don't see any issue hiring you, there is a drain of true talent in the field.

Be upfront and spin your story like Kevin Mitnick, publish a few articles and maintain a blog with your name and identity.

Get a polished LinkedIn and post examples of past work, or what if's/what would you do.

You most likely will not pass a background check for FINRA/Insurance companies, but who cares - those companies suck to work for anyway.

You will/can easily bypass that wall by opening up your own LLC and selling consulting services, and verticals like "email security" or just basic/stupid DKIM/DMARC/DNS setup. You'd be surprised how much billing hours MSP's make just doing that basic stuff. I bill $150-200, and SOW's I've seen have it much higher.

So take that as a floor.

You can walk into many employers, and own the entire staff easy, you'd be surprised how low the ceiling is at most companies and how true talent or disorganized companies truly are.

I've interviewed CISSP/Full blown cert/degree people that couldn't even parse together a hello world or explain how to do an HTTP GET. It's that bad out there now.


👤 spullara
Kevin Mitnick is running a cybersecurity business right now. Maybe reach out to him.

👤 Macha
If you do run into trouble finding a job, you might have better luck in consulting or similar. At my previous employer, employees are vetted by HR and (once your conviction would be raised) legal who would reject you for your record, but "independent security consultants" were vetted by the security team who were actually more understanding in that regard.

👤 axg11
You need to shift your attitude towards the job search:

1) You're clearly very talented, the record you describe speaks for itself.

2) Use your past to your advantage. Larger more corporate companies might be afraid to employ someone like you (_might_!) but there are tonnes of startups that could see your record as an advantage. It's demonstrated proof of your abilities!


👤 high_byte
dude why don't you just continue working on bug bounties? #11 should be able to make 6 figures easy, probably 7 figures a year in bug bounties.

if maybe that's not your thing and you want "a job" I'm sure many people will be willing to help, me included. feel free to contact me on Twitter @high_byte


👤 ohwellish
>I can't just walk into employment with my skillset

sure you can, give it a try

proficiency is talent on its own and being a self taught means only that you can learn (and being _very_ good at it, considering your story)

nothing's wrong with entry level job though, sounds like a solid place to start regardless of how much overqualified for that job you are - as long as you'll be doing what you love and there will be a clear promotion path for you

and even if there's none that job can still do you good if you treat it as a stepping stone - a warm up for better job to come

our past, things that happened before are important ofc but much more important are things that will be, things that happen next

so chin up, looking forward to read your follow up success story in few months, best of luck!


👤 ianai
I’d probably double down on going after any legal bounties corporations have posted. Whatever certs you can get too for the HR reps in your future. Oh and “aggressive compliance” to probation and any and all laws.

Edit-also, you do have highly valuable skills and knowledge. Maybe make some 30 minute to hour long video tutorials. Then start drafting up a 1-2 week course plan for taking professionals up to your level if they start with some basic dev/ops knowledge.

Think about ethical and legal ways to teach things too.

Edit 2-or just go to any of the net sec teaching/tutorial programs and say you’d like to teach your knowledge in a legally viable/acceptable way within their frameworks. Etc.


👤 d4mi3n
My company is hiring. I'm a firm believer that folks shouldn't be punished by the US justice system, but instead reformed.

I can't speak to your circumstances, but my team is hiring for folks like you and barring any policies I'm unaware of I'd be happy to help you make a connection. Details in my profile if you're interested.

On a more general note, there's currently a high, steady-state demand for AppSec, CloudSec, NetSec, and generalist technical security specialists with software backgrounds. There is work out there and I don't believe you'd have to accept an entry-level position to get it.


👤 conductr
This is probably unhelpful but you should consider just being a consultant for hire. I think your abilities will speak for themselves and your reputation will speak much louder than your lack of official training. I doubt you'd even need to disclose your criminal history for most clients.

Also you may find it better to network with hiring managers vs filling out online job applications. The HR screening is going to bury you many times where a human could help you side step it.


👤 1970-01-01
Your (unstated) goal is to rebuild trust and rebrand yourself. If I were you, I would start a small pentesting business. It's not trivial and isn't for everyone, but it would be the easiest (IMHO) path to that goal. There are thousands of books on how to begin that journey. Kevin Mitnick took this path.

https://en.wikipedia.org/wiki/Kevin_Mitnick


👤 tgflynn
If you've done so well with bug bounties do you really need a job, can't you make a living doing that ? I'm personally very interested in the answer to that question because that's a route I'm considering pursuing myself, being for a variety of reasons, outside the window of traditional employability. But if with your skills you can't make a living at it then I certainly don't have a shot.

👤 pain_perdu
I've been in tech for years but my background was also 'non-traditional' (I didn't commit any crimes but definitely didn't have a relevant degree or connections etc). I would be happy to help you with some intros to startups who would consider a candidate with your background.

Feel free to email the address in my bio and I can see if you're interested in talking to anyone in my network.

Good Luck!


👤 Cullinet
straight up I have something UK based that I can propose that might get you set up as a independent consulting business timescale early this summer, might even know the right people for your situation as long as you are groovy with learning along the way with some steep curves. email address to reach me in my profile in a mo.. Very best luck with everything don't let 'em get you down!

👤 shiado
Trace your family ancestry and look for any types of citizenship by descent you are eligible for. If you can get another passport leave, then change your name and start fresh. If you have the means you could even try citizenship by investment. For a few hundred grand you can get a new passport, but it might be tricky if they look into criminal past. Move to the Caribbean and work remotely.

👤 davidandgoliath
You're quite employable, regardless of past. You goofed up as a teen (who hasn't) and most folks can look beyond that, esp in infosec.

👤 nefitty
My God that is impressive. You seem like you tried to make it sound easy with your last paragraph. Technically speaking, what were the top three most impactful things you mastered on the journey to where you are?

In terms of employment, have you found it too difficult to make a living off of bug bounties? Maybe there's crews that would see you as an asset. Or maybe contract based solo consultation?


👤 cushychicken
One of my main consulting clients is always looking for people who are interested in or experienced in cybersecurity research.

https://www.riverloopsecurity.com/careers/

I can't guarantee anything, but just from what you've written here, I think they'd be interested in a conversation.


👤 zeepzeep
Do you know @thedawgyg?

I guess blackmail & fraud are a problem but if it was related to hacking I guess you'll still find a job. It's gonna be hard, but there are companies that care about your hacking skills, not about your past.

> This leads me to believe that I should look for entry-level positions but I've been told I'm overqualified

You sound like a senior pentester if you'd ask me...


👤 sizzle
Do crypto bug bounties, Saurik just got paid $2 mill for a bug bounty in the ethereum virtual machine (sp?)

No employer needed! Just a willingness to read code at a low level and deep understanding of smart contracts and curiosity to exploit them in seemingly impossible ways. I think you could top Saurik’s bounty with a little more focus and dedication! Try it out and retire early!


👤 rodolphoarruda
Are you sure you want a typical job? To me, you look like an accomplished professional ready to run his own gig either by himself or by employing a handful of people. Find a market niche, work on your personal brand, advertise and get to work! I have no doubt your personal satisfaction will be equal or even greater than working for somebody else via a regular job.

👤 sys_64738
For sure, corporate America is all about background checks so maybe being an independent contractor or consultant is the way forward?

👤 programmarchy
This reads like an elaborate humble-brag. You'll have no problem finding a senior position in cyber security if that's what you want. Like others have mentioned, sounds like you could probably do a lot of good (for the public and yourself) hunting bug bounties.

👤 CyberBank
Where are you based?

Happy to have a chat -- I run VM for a large tech company and have a lot of openings


👤 jll29
Doing consulting as has been suggested sounds a good idea.

You could also write a book telling your story (if you're not a talented writer, there's ghost writers to assist) or do a Ph.D. with Ross Anderson and become a security researcher.


👤 andi999
Try for a while the other advice, but also consider switching careers. Companies who pay for security are sometimes paranoid and might not like a background like this. What about looking for entry level software development?

👤 ttGpN5Nde3pK
pre-apologize if you are looking to move beyond your past and I completely understand/please disregard my suggestion if that is the case... but tbh you sound like an ideal candidate to market _you_ as a brand. I'd keep doing bb and contact the platforms you are working on with your story. bb seems to be all about telling the story of how they can help people move out of doing things illegally and still make great money.

There are also a lot of podcasts/etc that would be happy to have you tell your story. Huge upside to that IMO with reach and sharing to help keep future people out of trouble.


👤 Taylor_OD
I'm not an expert but your best bet is likely to double down on the bug bounty work.

There are people with lesser convictions from further back than you who still have issues finding full time jobs because of background checks.


👤 simonbarker87
Apply for the jobs you want. Be honest about your background and circumstances, let them rule you out, don’t rule yourself out before even giving yourself a chance.

👤 ceva
Why don't you continue to do white hat hacking, and chase for bug bounties? Why would you ever want to be employed by some corporation?

👤 powerslacker
You might want to apply to work at GiveSendGo. They just had a newsworthy data breach and could probably use your talents.

👤 kleton
Was this the TalkTalk hacking case?

👤 dk79XuL9
happy to have a chat with anyone that's interested: danielkelley@email.com

👤 lifeplusplus
Open a company and offer webinars and get security contracts. Make millions.

👤 0des
Become a developer, never mention your struggles again post hire.

👤 Terry_Roll
What was your motive?

👤 unixhero
Totally employable.

👤 throwawaynay
employability? lmao

smart employers would kill to get someone like you

I personally know a guy who got convicted at an early age for similar stuff, he never had any trouble finding work, even worked for some governments

any decent security startup would do anything to get you

bro I'm actually jealous

also: freelancing of course, rarely seen background checks for freelancers