Ask HN: Recent computer hacking convictions and employability?
163 points by dk79XuL9 on Feb 14, 2022 | 147 comments
I was involved in a high-profile computer hacking case in 2015 which received international interest. I eventually pleaded guilty to charges of blackmail, fraud, and computer hacking. Following that, I was sentenced to four years in prison. I'm currently on probation for a year, and I'm also under the supervision of the Serious Organised Crime Unit for another four years. I'm bound by a number of technical constraints. The authorities in charge of my supervision are happy for me to find legal work in cybersecurity, but given my current circumstances, I just wanted opinions on how I should approach this.

I'm completely self-taught, and while on bail, I did a lot of responsible disclosure. I collaborated closely with CIRT teams, system administrators, website developers, and government agencies to ensure the remediation of over 3,000 web-application vulnerabilities. I wrote technical reports, provided remediation guidance, and validated patches to ensure that security issues were properly closed (in an informal capacity). My first bug bounty contribution took place in 2012 which was a GET-based reflective XSS on a subdomain belonging to Microsoft.

Over 30 private and public sector entities have sent me letters of acknowledgement. I've also been inducted into a number of halls of fame for uncovering vulnerabilities. In 2019, I was also ranked 11th out of 25,000 active researchers on a bug bounty platform.

I can't just walk into employment with my skillset because I'm not particularly talented, just proficient in web-application security and various methodologies used to identify vulnerabilities. This leads me to believe that I should look for entry-level positions but I've been told I'm overqualified. Some opinions would be appreciated.




> I'm not particularly talented

Stop telling yourself that. You wouldn't be #11 out of 25,000 if you weren't talented.

As long as you're open about your past and convictions, and your legal standing permits employment doing the work you'd do, then there's nothing stopping you from applying.

When you see a job posting then look at what the requirements are. If you fit more than half then you should apply. The things you don't know can be learned on-the-fly. You'll no doubt have interviews that try to find your strong points and weak points. You'll have failures. But that's not a problem: everyone has those.

This is your market: there are tons of companies that are hiring for your skillset and you'll land a job quickly if you're good enough at the core skills that are needed... which I'm sure you are.

Edit: I would also add that I'm also completely self-taught. The only computer class I've taken was typing... and I got kicked out for cheating because it was boring. I've been employed in software for over 20 years and currently make $160k salary in TX, USA building software for drones. There are a lot of people in the computer industry who are self-taught. Don't let that stop you.


> Stop telling yourself that. You wouldn't be #11 out of 25,000 if you weren't talented.

I like this advice.

I used to think I wasn't as good a programmer as a friend of mine because he had a larger breadth of skills than myself. Then I actually saw the code he was producing professionally ... and it was crap. It was functional sure, but not maintainable at all (if the business rules changed, then rewrites were awful).

Where I work now, the developer team that I joined were a bunch of amateurs pretending to write business applications. Their code (which I'm still refactoring 10 years later) is awful. I seemed like a super star to my managers because they never knew the difference between a good and bad coder.

That last paragraph wasn't meant to be employment advice. My point is, you never know how good you really are until you see how bad other people are. Couple that with the general self doubt we all sometimes experience, and you end up feeling like the worst in your field.

I'm self taught too. I started coding at age 7. We're the best because we love our particular skill so much that we made a fun hobby out of it. We stayed up way late into the night honing our craft. Etc, etc ... other inspiring reasons why we're awesome at what we do.

Edit:

> Edit: I would also add that I'm also completely self-taught. The only computer class I've taken was typing... and I got kicked out for cheating because it was boring.

Ha, I wrote my comment about being self-taught before you made your edit.

On the topic of cheating: In 6th grade spelling class, we had to write out our weekly spelling words 5 times each. We were allowed to handwrite, or type it out on a computer and hand in the printout. I wrote a computer program where I would input the spelling words as an array (only typing them once), and it would output a text file for me to print out and hand in.


I got punishment for messing about in class and was instructed to "write lines"...

Something along the lines of "I must learn to behave in class and listen to my teacher" 100 times...

I asked if I could type the lines rather than hand-write...

4 lines of BASIC later.


> On the topic of cheating: In 6th grade spelling class, we had to write out our weekly spelling words 5 times each. We were allowed to handwrite, or type it out on a computer and hand in the printout. I wrote a computer program where I would input the spelling words as an array (only typing them once), and it would output a text file for me to print out and hand in.

Wow, I wonder what the goal of that exercise was. Copy/paste has been part of Windows since at least 95, no? Regardless, I’d think the main goal of forcing repetitive writing is improving handwriting and word recognition, which require a pen(cil) and not a keyboard.


:) While writing my original post, I tried to mention that copy/paste wasn't common knowledge at the time, but couldn't form a communicative sentence on the matter. I certainly didn't know how to copy/paste at the time.

This was in the days of Windows 3.1, and I was programming in QuickBasic 4.5 on DOS.

I think the word processor I used when typing may have been Word Perfect.

> Regardless, I’d think the main goal of forcing repetitive writing is improving handwriting and word recognition, which require a pen(cil) and not a keyboard.

I think the goal was for us to memorize spelling of the word. Maybe improved handwriting was a sub-goal, I don't know. By that age, I don't think teachers really focused on our penmanship. I consider word recognition to be more of a reading skill.

I was a lazy student. Spelling was never a priority for me. I never did well on tests because I never studied my spelling words. I was more into math and science. My parents never hassled me about my bad spelling test grades.


> Wow, I wonder what the goal of that exercise was.

Clearly, to learn to spell words. In much the same way that kids have to practice arithmetic and saying "I just used a calculator to get the results" is fine in real life but not when you want to learn what addition is.


I did this in WordPerfect in dos, even though I could program in pascal. Getting a compiler on the same computer as a printer back then was the biggest chore :)


*Imagines writing a PostScript program that interprets Pascal, so the programs can be compiled on the printer*

*Runs rapidly into the distance, screaming*

(Just found this thread, I know you'll probably never see this ;P)


“As long as you're open about your past and convictions”

100% this. We had someone who hid that he had previously gone to prison for robbing banks. He used his dad’s SSN and slipped through the cracks. He was terminated immediately when a girl who was mad at him called our company to let us know to get back at him.

You can’t know for sure if people will look past your history, but I can guarantee you don’t want to hide it and have them find out later or someone hold it over your head.

The place that is meant for you will be the one where you are accepted for who you are.


Sounds like place he was at accepted him just fine until dumb bitch ratted him out for something that happened outside of work. Dude got a good run at least. Not lying about convictions sounds great from the pious ivory tower or from seasoned professionals who may have enough experience that others are able to look beyond their past.

Dude already did his time, in my book the conviction doesn't exist anymore. My honest advice for ex-crims is to find small shops that don't run BG check (yes these places do exist) and never mention their crimes. After 3-5 years in industry your past will be far enough behind you can get into most small businesses positions you are qualified for.


> Not lying about convictions sounds great from the pious ivory tower or from seasoned professionals who may have enough experience that others are able to look beyond their past.

Sadly--and I do mean this, I agree with your sentiment--what we believe and what is required by an organization in a sensitive industry (finance, education, defense) are different things. For example, if you want to operate as a public company in finance with industry-standard certifications, you must perform background checks and reject candidates with a criminal history involving financial crimes.

Schools and other educational institutions likewise are required to reject candidates with a criminal record that includes charges of violent crime, sexual offenses, or similar.

Lying about charges that aren't relevant to the filtering criteria will be noticed in such industries and be a big red flag to any HR rep or hiring manager reviewing an application. This also shields you from a situation where some other employee learns and disseminates unflattering information--if one's manager and HR has cleared that info, it's nobody else's business and you have avenues and support available to you to prevent discrimination due to a criminal history.


>>what is required by an organization in a sensitive industry

That really is not a factor, I have worked for a number of organizations that would never hire anyone convicted of a felony who did not have any sensitive requirements, were not dealing with money, or personal info, or anything important really

There is just a huge stigma when it comes to criminal records, which is doubly painful in an over-criminalized society like we have in the US.


I'm a huge believer that if people can't be trusted in society, they should be in jail, executed, or banished to someplace like Namibian desert / Siberia. A free man (after prison/probation) should be free; their conviction behind them and essentially erased. A free man can easily rape/murder/steal regardless of any BG check you put in place. If you're free, you have the full rights and privileges of a free man including bearing guns or taking care of children or being CFO of a finance firm.

Fuck any half-way system where you're released of all judicial punishment but you can't work, vote, or own a gun. THAT is cruel and unusual punishment.


Why is it important that a convicted child abuser be free to take care of children once their punishment is over? There are plenty of other fields in which they could find employment.


I don't believe in having multiple classes of free citizens. If a free person wants to, they could easily abduct a child, barring them from taking care of kids is a laughable feel-good policy that insults the notion that there should be no free second class citizen.

If someone can't be trusted to not abuse children, they need to be jailed or on probation until they can be trusted. Those people can't be trusted in public. If they've abused children through rape of small children or serious violence against the weak, just execute the low life. Children are everywhere, the idea an abuser is just fine being tempted with children everywhere, from the street to playground, except they'll be nice and honest and use their real SSN and identity when applying to work with children is a hilarious notion.

And frankly, unless proven otherwise, I assume sex convictions are something like pissing by the side of the road or a 19 year old banged their 16 y/o girlfriend. The government loves to imprison people for insane reasons and sex offender registry is a poor guide as to whether someone can be trusted with children.


There is a huge grey area. Statistically, people who have committed a crime are more likely to commit crimes again than those who haven't.

That makes for a good argument not to trust them as much, generally speaking.

On the other hand, integrating them back into society (something that's lacking in the US) works well for most.


Which do you think is harder though, abducting some kid into a stolen untrackable vehicle and go out into the wilderness where there's no chance in hell you'll be caught, or going to the trouble and length of becoming a childcare worker where your face and likely other details are exposed? Someone who is free can easily do the former, and with a stolen SSN and identity (this is laughably easy to get if you've ever worked in many factories you'll see tons of illegal immigrants with stolen SSN) can also easily do the latter.

The whole premise is just laughable at face.

This think of the children trope is just bait IMO to try and get us to accept that there are second class citizens, and allow us to put restrictions and loss of freedoms on people who have completed their judicial punishment. If we can accept this we might accept ending their constitutional rights such as the right to vote, bear arms, or speak freely.

I understand the desire to protect children in this manner, I just think it's misguided and philosophically inconsistent.


Well that depends on the crime, and a whole host of other factors including the fact that it is circular logic.

We can't trust them because they reoffend, but they reoffend because of lack of opportunities created by society not trusting them....

It is certainly true for property crimes, drug crimes, and other such actions.

Violent crimes may be an exception to this, but then to the OP's point, if they are violent why are they out in the population to begin with?


That's a terrible analysis. I would bet that even the innocent people convicted of a crime are more likely to commit a crime after and this speaks more to our poorly functioning justice system than the person convicted. Besides, statistically everyone is a criminal because the number of laws are uncountable and unknowable.


Would you rather have a criminal who has not been caught work that job or someone who paid for what they have done and is working to improve?


option c


and how do you know option c is not option a? lol


It's not possible to be sure!

It just seemed the question was phrased in terms of those being the only options, when in fact they are the very rare options. It seems that mostly people you hire are not going to do serious criminal things, either before or after you hire them.


I see your point, and I'm in favor of inclusion in the workplace, but it's not all black and white.

Would you allow a convicted sexual offender who did his time in jail take care of your child in a day care facility to which he got employed and didn't disclose his past conviction?

Things need to be put into perspective, and evaluated carefully.

With that said I don't think immediate termination was the right decision to make in that situation the parent comment described. Inclusion requires consideration and empathy, the company didn't demonstrate that.


Are you aware that an estimated 1/4 of all registered sex offenders were themselves minors when they committed their offense? And age 14 is the single year that you're most likely to become a registered sex offender?

I fully understand and appreciate the purpose of our laws. The practice, however, is a different story. And unless we stop including as crimes things that I'm not willing to consider crimes, I can't support the way that "registered sex offender" is routinely used to destroy lives over childhood mistakes.


Or the number of registered sex offenders for peeing on the side of the interstate.


I wasn't aware of that, it's surprising and sad. Thanks for pointing that out.


It is not so surprising when you consider how many laws have fixed age limits. For example a 13 year old sends an intimate picture to a 14 year old friend, the 14 year old has just committed a crime by having that picture.

The law is intended to target adult pedophiles. But when the people involved are basically the same age, it isn't pedophilia!


Yeah not to mention no mens rea is needed for statutory rape. That is a 17 y/o could show you a passport and DL with her age as 18, and tell you and look like she is 18, yet you would still be convicted. Hardly any other crime has this kind of strict liability where honest and thorough due diligence doesn't absolve you of the crime.


I've not run a BG check on anyone who takes care of my kids. Sometimes we also hire babysitters to come take care of my child, I don't run BG check either.

I probably wouldn't like it if I found out they raped a (actual, not like statutory w/ a lying 17 y/o with fake ID like happened to Cody Wilson) child, because I believe the appropriate solution for that is the death penalty, and thus I don't see them as having completed their sentence. But if someone is out in society, I treat them based on the way I have observed them to treat myself and others, rather than what the government says. A lot of sex offenses are total BS such as someone urinated in public (which is socially acceptable in many places of the world).


>>>Things need to be put into perspective, and evaluated carefully.

And leading with hyperbolic "Think of the children" hand waving pearl clutching does nothing to put "things into perspective"

In the context of this thread we are talking about someone convicted of hacking wanting to work in IT again, not a child molester wanting to babysit your child.

So yes let's keep things in perspective shall we?


You're right. I'm sorry if I was disrespectful with the participants in the discussion and the OP, that wasn't my intention. It's indeed a completely different situation.


Vouched because of the good conversations going on downthread. Parent is pretty crude. I can live with crudeness and bring the quality of the conversation up.

Anyways, I've wholeheartedly recommended lying in certain situations on employment. (Don't lie about certified/licensed/bonded jobs, don't lie to the state/feds, don't lie about stuff you can't do.)

A while back (2009), I was in a very bad run. Got laid off. Didn't have a job for 1.5y. And it's hard to get back in work without already having a job... You get the side-eyes of "why weren't you working this time???" crap.

So, I started lying on my resumes. I found a company that went bankrupt 2 towns over, and put them as employed in a role I'm easily capable of. Am I lying? Absolutely. Can I do the role? Absolutely.

I got the job, unsurprisingly enough. And I was there for 1y, enough to get a better work history to get out of the rut I was in. And I hopped from there to a better position, all the while slowly cleaning up the fakeness from my resume all the while generating a valid work history.

It sucks, sure, that there's no good way to break in the work-world if you've been ejected. (Cue entry-level jobs that require 5y experience...) Frankly, vs starvation, homelessness, destitution - you damn straight I'll lie. And if I have to, I will definitely do it again. Capitalism is stone-cold and heartless. And if that's what I have to be to survive in the work-world to make money, so be it.


Yeah when I wound up homeless, I started applying for lots of wage labor. I quickly found out they had no interest in hiring a college educated white-collar worker. I may or may not have discovered* that if I were to have changed my resume to all shit / labor jobs (while keeping everything else the same so I could remember the companies well), they would employ me. I would have been able to dig myself out of my rut and get stable employment in a factory until I could get back into tech.

After working in factory few months, I was able to get apartment. With apartment, I was able to get myself nice looking and clean and tech job.

My process from day labor/ homeless (save up enough for airbnb/hotel) -> wage job (save up for apartment) -> professional job at this point is pretty much a well oiled machine. Sadly the first two steps basically require dishonesty. I've only been through this a couple times in my life and hope not to again.

*This is all fiction, of course.


I wonder if the "not very talented" self depreciation might mean talent with soft / people / social skills (the depreciation does strongly point to this) and therefore suggest that getting some education and training / experience in these soft skills might be the key to finding employment.

Certainly there's an inevitable associated presumption that criminal behaviour is caused by poor social awareness and so addressing the general area would also indirectly attack the unfortunately undeniable connected human behavioural profile that needs to be overcome.


I think they meant for the usual jobs unemployment would attempt to match with an ex-con.


Apply for everything. Let other people say no for you. If people find out about your past be 100% straight with them, but you don't need to be the one to bring it up. Work your hardest to provide value, ask for feedback and correct where necessary. You'll be fine. There's a lot of work in cybersecurity these days.

Also, you should list the country you're in. Who knows, someone on HN could reach out with an opportunity.


> Let other people say no for you.

Wow. Upvoting because this is such a succinct and powerful way to say this, and I’ve never heard it before. I.e., it’s not our job, domain, or in our interest to reject ourselves from a job we’re interested in before applying.


Yes! I recently told this to a friend of mine. She kept saying "I won't apply for that job because I'm sure there are more qualified people applying" and I kept telling her "let them reject you, don't reject yourself".

Finding a job and finding a romantic partner turn out to be really similar processes -- it's a numbers game and you can't sit around waiting for the perfect opportunity.


I recently told my SO this exact thing. They were doubting whether to apply for a higher position because they might be rejected. I told them that not applying would definitely mean they wouldn't get the job, so at least applying means there's a chance.


>you don't need to be the one to bring it up

Yes, you do. I don't know about other countries, but everywhere in the US runs a background check. You will get a reasonable "no" rate, but telling people your situation is very much better than looking like you were hiding it when they eventually find out.

OP probably would have the most success with a pen-testing firm or similar.


Nope. The only background checks I've ever had working for Americans was law enforcement / intelligence agency software (I was working for a Canadian company and they sold to them) and a contract for the Nasdaq.

Other than that, it's just been straight skills and reputation. Even if it did come up he could always say that he assumed they would ask for a background check if they cared about this type of thing. Just let the man get some work and move on with his life.


Every job that requires SOC-2 compliance, which is most SaaS services, must require background checks for new employees.

https://secureframe.com/blog/soc-2-background-checks


I've seen background checks at most of the mid-to-large sized tech companies I've worked at.


I believe you, but I haven't. Though I haven't done much large sized tech company work other than the Nasdaq gig I mentioned, which was background checked.

I think the overall point doesn't really change. Apply. Let other people dismiss.


I think it might be fair to point out that just because they ran a BGC on you, doesn't mean your current employer told you they did. Background checks are incredibly common and the low-stakes kind are pretty cheap to just run ad-hoc.


Doesn't an employer need your consent to run a background check on you?


Ish? https://www.nolo.com/legal-encyclopedia/background-checks-fa...

There seem to be some kinds of background check where maybe it is fine and others where it isn’t?

It looks like written permission is required, but, they can remove your candidacy for not accepting…so, it is not fully protected.


100% this.

Everything you described about yourself would make you an excellent employee to have on hand at many cybersecurity firms. Create your resume and have a few people review it.

Also, review your appearance and language skills. Make sure you are presentable in an enterprise or conference room setting. If a cybersecurity firm hires you, don’t make them regret it if you can’t hold yourself in a professional environment.


This seems very appropriate and relevant:

“By the time I was fourteen the nail in my wall would no longer support the weight of the rejection slips impaled upon it. I replaced the nail with a spike and went on writing.”

― Stephen King, On Writing: A Memoir of the Craft

https://www.goodreads.com/quotes/848294-by-the-time-i-was-fo...


I've hired quite a few security folks in my time (some with criminal convictions) but my answer is an unhelpful one: it depends.

If you have a criminal conviction it's unlikely you'll get through the screening process with a regulated business (like banking, insurance, pharma etc) due to some 'out of the hiring managers hands' constraints those industries have. I've seen exceptions to this in the past, where a senior manager strongly advocated for the exception, but it's _very_ rare.

I've worked with several security people with criminal convictions in the past at non-regulated, FAANG and FAANG-like tech companies. They also usually have policies in place to prevent hires with criminal convictions, but the exception process there is easier, particularly in security teams where these convictions are more likely to occur in strong candidates.

The biggest concentration of folks with backgrounds like yours have been at security consultancies, in my experience. Combined with the experience you mentioned with bounties, that would be the place I'd spend most time looking. You might still get rejected from some, for example those with customers that require criminal background checks for employees or security clearance you couldn't get, but there are still quite a large percentage where you could find work. Personally, I've had conversations with external consultancies who say things like "I know you require criminal records checks on all our employees, which we're happy to do, but I want you to know >50% of my team will fail them".

A couple of other things:

- No matter where you work, with your background there might be some kind of 'restriction' placed on what you work on and/or how you work (e.g. can't work on project Type X or must work from Office Y). If you do get through a process, ask about this before joining, as it might have an impact on how much you'd enjoy the role.

- Be open about your background. You sound like you would do that anyway, but the more open you are the better, you don't want this to be a surprise to people. What you're looking for is a strong advocate on the hiring team, so building trusting relationships with people will be important.

Don't be too down on yourself, you might have made some bad decisions, but you sound like a talented professional. The criminal justice system exists for people to serve their punishment and then move on with their lives. There are companies that will be delighted to hire you because of your skills. Your road may be a little tougher than for others, but that doesn't mean you can't end up professionally happy, fulfilled and well compensated.


What about for convictions like DWI?


Sort of similar to the above, will rule you out of certain roles with certain businesses but if you're open and honest about it you'll be able to find something. The OP having computer hacking (and more importantly, fraud) on their record will make it harder than a DWI, as a DWI isn't something 'work related' (unless you drive for a living, obviously).

The amount of time passed is also something I've seen have an impact (e.g. if you had a DWI 20 years ago vs one 6 weeks ago)


Your issue is not competence, nobody will doubt that you are capable.

What you need is to show people that you're not going to cause trouble for them, which is more of a social skill that you demonstrate at the interview. Try to acknowledge that you did something bad, don't use words that diminish it, and try to explain that you want to move on and you now want to be a positive force.

There's going to be some natural questions that everyone will ask, so consider them as set-pieces and practice your answers.

The market is hot now, so get some interviews and see what comes up.


Yep, the main hurdle here is the need for the OP to demonstrate that they left past ethics fully and firmly behind.


Demonstrate ethics? They'd have to be hired for that, I think.

Otherwise how do you demonstrate ethics to someone who doesn't know you, yet? :) Certainly not in an interview, that's just talk and smiles and promises.


I think the OP's 2nd and 3rd paragraphs are good demonstrations of their ethics. A track record of "doing good" and having lots of others vouch for you is a good way to demonstrate ethics to someone who doesn't know you yet.


Those paragraphs are not demonstrations of ethics, but of technical competence.


All you can do is give a good talk about why you're reformed. One thing that does work for you is that firms that decide to interview you must have given it some thought already, so there's got to be a chance.


On an episode of Darknet Diaries [1] (great podcast by the way), there was someone in a similar situation as you who goes by DAWGYG, who found his stride after incarceration on HackerOne [2]. If I remember correctly, he holds the record for highest single payout. You could give that a try, though income wouldn't be steady you'd effectively be working for yourself and utilizing your skillsets for good.

[1]: https://darknetdiaries.com/episode/60/

[2]: https://www.hackerone.com/


I bet there's lots of companies that would hire you, based on this particular HN thread alone. Here's what could be worth doing, and wouldn't take much time at all:

1. Put together a one-page website, on a domain like firstnamelastname.com

2. Add a link to this page

3. Put a link to your website in your email signature

Done! Now everyone you ever email, if they want to know more about you, will know that you're _deeply_ proficient in certain domains, and it'll be up to them to decide that you might be a good fit.

Since you've got this particular charge against you, and the US makes it nearly impossible for people who have run afoul of the state to legally be paid, but you _might_ be able to open up a Stripe account, and create a "payment link" (https://stripe.com/payments/payment-links) for a one-off "roadmapping sessions" (https://doubleyourfreelancing.com/roadmapping/) where a company/team pays you $10,000 and you'll visit them (virtually or in person) for a day or two to talk about their thorniest security problem.

"The system" wants you to apply to (and be hired into) an entry-level position, but that would be a giant waste of your time and everyone else's.

I wrote this article for eager bootcamp grads, looking for their first job. You're not a bootcamp grad, but it _might_ be helpful to you: https://josh.works/remote-job-resources


As someone who hires many people it comes down to whether or not you are humble about it. Or, to be more blunt: if you're an ass about it.

Humble: "I have a bad thing on my record. I understand what I did wrong and want to move forward with my life, doing good work, and being a responsible citizen."

Jerk: "I got busted but those jerks didn't see that I was helping them! It was all BS, dude!"

I'd gladly interview someone that got in trouble but shows humility about it.

Tom

P.S. I hate that this is true, and people will probably flame me for saying this. I don't know what you look like or how you dress, but you'll get a lot of mileage out of dressing and looking neat. (no tshirts, hair trimmed and not sloppy, etc.)


Off topic but I have to ask, sorry: Are you MySpace's Tom?


NotThatTom :)


Tbh I’ve always found downplaying it works better


A bunch of friends just look for and then sell vulnerabilities (the good ones to bug bounty programs, the less ethical ones to governments or companies).

The price of a zero day exploit is quite high (for both sides) and I have friends who make much more money than I do doing this.

That said they mostly work alone or in small groups in their basement rather than at a large security company.

I would hire (or at least interview you) with a prior conviction though I am not hiring for a security role.

I don't think the conviction is a serious impediment for employment in this particular field (since it's for a non-violent crime) though it might warrant supervision on your employer's side and I can definitely see the larger companies not wanting to take the risk.


As someone in the security field, please don't sell exploits to brokers. Aside from the moral and ethical implications it's also doing a disservice to the industry in general.


Compare that to the ethical implications of megacorporations expecting private individuals to work for free or peanuts.

A rational individual should look at bug bounties and exploit brokers and use the highest bidder.

I'm a security professional, and I think brokers are a net positive to the industry. The more that market makers expose the real price/cost of security flaws, the more investment will be made in defensive measures.


Just out of curiosity, what's "high"?


Very high, Zerodium [1] offers from $10k to $1mil depending on the exploit.

[1] https://zerodium.com/program.html


500k-2m depending on severity is a good ballpark figure for numbers I’ve heard of


A former coworker of mine was a convicted "hacker" who did time in federal prison for it. Part of his story was told in Clifford Stoll's The Cuckoo's Egg. The coworker told me that he had stuck at the current company for many years because he felt that his reputation, including a Wikipedia page, would prevent him from getting another good job. I told him I thought it might help him more than hurt him, and he just shook his head sadly. But then a year later he did start a job hunt, and found an excellent high level position at a large successful outfit almost immediately. He's still there. They knew who he was and what he did. I think that rep helped him more than a little.

It depends what you did of course. In his case the only plausible "victim" was AT&T, and he disputes that too.


Many states and cities in the US have so-called "ban the box" laws that prohibit employers from asking about your criminal history during the initial hiring process or sometimes until a job offer has been made.

Explaining why you have a criminal record is going to be a lot easier to someone who already thinks they want to hire you.


> Serious Organised Crime Unit

Are you based in the UK? That's probably relevant, it seems like a lot of the cybersecurity sector over here is very friendly with NCSC & SC is required for a lot of roles.


Yeah I've noticed it as well. I suppose it's because the GCHQ can't necessarily pay enough for very talented individuals who are required for certain work, whereas defence companies are somewhat poured with funds. I've heard that a popular path is to start in the government, then to the private sector to earn bank, and then back to public.


I phoned GCHQ.


Own it, and capitalize on it! You've already written the first sentence of your sales pitch: "I was involved in a high-profile computer hacking case in 2015 which received international interest."

Continue with "therefore I know about system security...". Write a book, charge a huge rate as a consultant. I'm serious. If you act like a beaten-down person, you'll be treated as one.

It's classic making lemonade from lemons, but it can really work. If not, you've lost nothing.


Don't worry about the official criminal record. I've been a software developer for just over 20 years....had a DBS check once. Just once.

You clearly are talented so stop telling yourself that.

Have you thought about starting your own security consultancy?


the quandary of either hiring employees whose hacking efforts on my company's infrastructure I can defeat / defy and hiring someone who I can't protect myself from is going to come down to some very individual assessments that I don't believe a DBS check can help me with.


> I can't just walk into employment with my skillset because I'm not particularly talented

Maybe in the world of cybersecurity where a lot of the talent is (from my outside perspective) pretty top end.

For most tech industry jobs, you'll be way overqualified and the rest of the team will be in awe.


In my experience a huge proportion of security roles are filled with checklist cowboys/girls. The cadre of people you're thinking of is a small part of the set.


This is my experience as well, a lot of pen testers seem to be possessed of an overblown sense of self-importance because they possess the capability to install the Debian distro Kali, can run the aircrack suite, and know how to use Wireshark. Wowsers.


- Stop with the self-deprecation BS. It's hurting you, in the eyes of yourself and others. But don't be cocky, just be humble.

- Own your past. You've paid the price to society. Go public and tell your story -- be it a sentence, a tweet, a paragraph, an article, a podcast episode[1], or a book. Putting it all out in the open will make you more hireable.

- Don't fsck it up. Grow your integrity and ethics, or at least maintain them and keep them impeccable. Keep that old saying[2] in mind, it's so very true in a case like yours.

- Connect with others in areas you are interested in. (Twitter seems to be great for cybersecurity)

- You did the blackmail thing as part of your crimes, so realize it will take time and effort to gain trust.

- If you have that particular hacker mindset, you can quickly acquire the modern skill sets.

1. Maybe Jack might want to have you on Darknet Diaries at some point, if your story is interesting enough? He does it in a story-telling style that takes the pressure off the guest that they would normally have in an hour-long interview format.

2. (NSFW quote about bridge building) https://www.quotes.net/mquote/73833


It seems you did BB stuff before, but ended up on the dark side. If you want to avoid sliding in there again, a "regular" security job might be a good idea.

It sounds a lot like pentesting in a web-focused team would match your skill set very well. But I suppose you already know that? I would not interview for Junior roles if I were you, or only if you're rejected higher up the ladder. And if they tell you that you're overqualified, but the position and compensation appeal to you, just tell them you don't care and would be looking forward to working with them.

Regarding your conviction: This is most relevant if the clients require some sort of clearance. Also your employer needs to be able to trust you, which means you have to demonstrate that you can be trusted (and add to that some blind trust from the would-be employer, but you cannot influence that too much).

There are also other security related positions, which you might enjoy. You already had contact with some large corps, maybe you could interview there?


Have you looked into auditing decentralized finance (defi) protocols? There is currently a huge demand and very low supply of good auditors. I believe there also are very many "anon" auditors in the space, so your past would not be a big problem I don't think.


Hacking is one thing. I understand the technical thrill. But blackmail and fraud? That's a human-to-human interaction, not human-to-machine. Once a person crosses that line where you are harming another person at that level, there is no going back.


With blackmail and fraud convictions (and a 3-year prison sentence behind you), I would hope that nobody would give you a job with access to systems that enable you to get at personal information or money. That's their business, of course; but they'd presumably be exposed to an action for negligence if something went wrong as a result of them employing someone with that record.

Blackmail and fraud are both offences that involve using others as means to ends, and require the ability to discount the damage and pain you cause to others. If I were hiring a coder (let alone a computer security consultant) I'd search for a long time before hiring someone with a record of that kind of untrustworthy behaviour.

Sorry to be blunt; I know that some companies pay good money to convicted criminal hackers for their expertise. But I think that's a deplorable practice; it encourages the view that hacking/cracking, blackmail and fraud are a sensible route into regular employment. I think those convictions should be a blocker.


Yeah, once someone makes a mistake they should absolutely be barred from gainful employment forever! That will teach them... that they should remain criminals. Yeah!


Yeah. Well, No.

A physician who harms his patients through negligence or malice gets struck-off.

A lawyer who steals his clients' money gets disbarred.

A banker who mismanages his clients' funds loses his banking licence.

If any of those was found guilty of using information from their clients to blackmail them, they'd have no future in their chosen trade - ever.


Sure, but presumably they weren't working as a security engineer at the time.

Or think of it this way...

Could someone not be a doctor if they had assaulted someone before medical school?

Would a lawyer not be able to be admitted to the bar if they had been convicted previously?

I'm actually not sure about those, they both might not be allowed. I just lean on the side of forgiveness once you've "paid your debt to society".


> presumably be exposed to an action for negligence if something went wrong as a result of them employing someone with that record.

That's just the type of bullshit that makes pizza restaurants not want to have a person with a criminal record anywhere in the building. It's a form of vigilante punishment that continues for the life of a felon, way past the point where their debt to society has been supposedly paid.

Employers should be banned from asking for or processing such information. "Is currently wanted or on parole" - legitimate question, "was ever convicted" - No, you have no right to know that, except very limited cases defined by law: working with children and the vulnerable, large sums of cash, working in the financial sector etc.


If you want work in computer security, then you really shouldn't have a record of fraud. If you want to make pizzas, then you're not likely to defraud anyone but your employer; so it's her lookout. A blackmail conviction is a danger to other staff; it's the employer's responsibility to protect their employees against that risk.

This guy seems to be on probation, and under supervision of SOCA - he hasn't yet completed his sentence. Are we talking USA? He's a felon, and in most US states he will never again be allowed to vote in elections.

In this country you don't have to disclose prior convictions to anyone, beyond a certain date - I think something like ten years. I agree with that. In the same way, expired convictions can't be taken into account in sentencing deliberations. I agree with that too - I do think convictions should expire. Past acts shouldn't follow you around forever. But if you're on probation now for two serious crimes, I think it's crazy to say that a prospective employer shouldn't be allowed to ask, and to rely on your answer on pain of instant dismissal.

And FWIW I don't agree with the US practice of denying felons the vote.


If I was in your position I would post your contact information, even a throw away account on this post as you’re on the front page of hn and you might never get to have this great of an opportunity again to find legal employment.


Given your skills, I would recommend a startup or a consultancy (anything self-employed). This way you shield yourself from having to worry about disclosing your past to others, worrying about background checks, or the self-taught part (which should be irrelevant but oh well). Plus you grow in whatever direction you wish.

If you want the job route then you need to apply to as many things as possible and find a story version that won't scare people off. Don't lie, just give them a well packaged insight into what happened in the past. You also have humility which is a great start.

Good luck!


The best way to describe your past is “ethically challenged”. I too am an ethically challenged individual but by being somewhat upfront about this with my managers it has made me into an asset the company can trust with certain projects they’d rather not talk about with the company at large. The team of developers I work with are not formally acknowledged as a team, but our work often involves assembling the output of various disjoint teams into one solution that they’d probably object to building themselves as a whole.


I don't see any issue hiring you, there is a drain of true talent in the field.

Be upfront and spin your story like Kevin Mitnick, publish a few articles and maintain a blog with your name and identity.

Get a polished LinkedIn and post examples of past work, or what if's/what would you do.

You most likely will not pass a background check for FINRA/Insurance companies, but who cares - those companies suck to work for anyway.

You will/can easily bypass that wall by opening up your own LLC and selling consulting services, and verticals like "email security" or just basic/stupid DKIM/DMARC/DNS setup. You'd be surprised how much billing hours MSP's make just doing that basic stuff. I bill $150-200, and SOW's I've seen have it much higher.

So take that as a floor.

You can walk into many employers, and own the entire staff easy, you'd be surprised how low the ceiling is at most companies and how true talent or disorganized companies truly are.

I've interviewed CISSP/Full blown cert/degree people that couldn't even parse together a hello world or explain how to do an HTTP GET. It's that bad out there now.


Kevin Mitnick is running a cybersecurity business right now. Maybe reach out to him.


If you do run into trouble finding a job, you might have better luck in consulting or similar. At my previous employer, employees are vetted by HR and (once your conviction would be raised) legal, who would reject you for your record, but "independent security consultants" were vetted by the security team who were actually more understanding in that regard.


You need to shift your attitude towards the job search:

1) You're clearly very talented, the record you describe speaks for itself.

2) Use your past to your advantage. Larger more corporate companies might be afraid to employ someone like you (_might_!) but there are tonnes of startups that could see your record as an advantage. It's demonstrated proof of your abilities!


dude why don't you just continue working on bug bounties? #11 should be able to make 6 figures easy, probably 7 figures a year in bug bounties.

if maybe that's not your thing and you want "a job" I'm sure many people will be willing to help, me included. feel free to contact me on Twitter @high_byte


>I can't just walk into employment with my skillset

sure you can, give it a try

proficiency is talent on its own and being a self taught means only that you can learn (and being _very_ good at it, considering your story)

nothing's wrong with entry level job though, sounds like a solid place to start regardless of how much overqualified for that job you are - as long as you'll be doing what you love and there will be a clear promotion path for you

and even if there's none that job can still do you good if you treat it as a stepping stone - a warm up for better job to come

our past, things that happened before are important ofc but much more important are things that will be, things that happen next

so chin up, looking forward to read your follow up success story in few months, best of luck!


I’d probably double down on going after any legal bounties corporations have posted. Whatever certs you can get too for the HR reps in your future. Oh and “aggressive compliance” to probation and any and all laws.

Edit-also, you do have highly valuable skills and knowledge. Maybe make some 30 minute to hour long video tutorials. Then start drafting up a 1-2 week course plan for taking professionals up to your level if they start with some basic dev/ops knowledge.

Think about ethical and legal ways to teach things too.

Edit 2-or just go to any of the net sec teaching/tutorial programs and say you’d like to teach your knowledge in a legally viable/acceptable way within their frameworks. Etc.


My company is hiring. I'm a firm believer that folks shouldn't be punished by the US justice system, but instead reformed.

I can't speak to your circumstances, but my team is hiring for folks like you and barring any policies I'm unaware of I'd be happy to help you make a connection. Details in my profile if you're interested.

On a more general note, there's currently a high, steady-state demand for AppSec, CloudSec, NetSec, and generalist technical security specialists with software backgrounds. There is work out there and I don't believe you'd have to accept an entry-level position to get it.


Following on - OP could also take an advisory role in a consulting firm - potentially in office strategy and implementation of penetration testing, etc.


This is probably unhelpful but you should consider just being a consultant for hire. I think your abilities will speak for themselves and your reputation will speak much louder than your lack of official training. I doubt you'd even need to disclose your criminal history for most clients.

Also you may find it better to network with hiring managers vs filling out online job applications. The HR screening is going to bury you many times where a human could help you side step it.


Your (unstated) goal is to rebuild trust and rebrand yourself. If I were you, I would start a small pentesting business. It's not trivial and isn't for everyone, but it would be the easiest (IMHO) path to that goal. There are thousands of books on how to begin that journey. Kevin Mitnick took this path.

https://en.wikipedia.org/wiki/Kevin_Mitnick


If you've done so well with bug bounties do you really need a job, can't you make a living doing that ? I'm personally very interested in the answer to that question because that's a route I'm considering pursuing myself, being for a variety of reasons, outside the window of traditional employability. But if with your skills you can't make a living at it then I certainly don't have a shot.


Not the OP, but personally I'd be worried about the inconsistency of income. Maybe in the span of 4 months you make $100k off various bounties, but then in the next 4 months you only make $10k.

Then there's also the extra taxes you have to pay when you're self-employed, and the cost of health insurance (assuming US here, OP didn't say where they're from). Some people just like the security of full-time, salaried employment, with benefits.


I've been in tech for years but my background was also 'non-traditional' (I didn't commit any crimes but definitely didn't have a relevant degree or connections etc). I would be happy to help you with some intros to startups who would consider a candidate with your background.

Feel free to email the address in my bio and I can see if you're interested in talking to anyone in my network.

Good Luck!


straight up I have something UK based that I can propose that might get you set up as an independent consulting business timescale early this summer, might even know the right people for your situation as long as you are groovy with learning along the way with some steep curves. email address to reach me in my profile in a mo.. Very best luck with everything don't let 'em get you down!


Trace your family ancestry and look for any types of citizenship by descent you are eligible for. If you can get another passport leave, then change your name and start fresh. If you have the means you could even try citizenship by investment. For a few hundred grand you can get a new passport, but it might be tricky if they look into criminal past. Move to the Caribbean and work remotely.


Man it's not even that much money to get the new passport. Depending on where, but there are options well under that which will get you around (Panama for one)

It sounds like their problem at this point is probably travel restrictions.


You're quite employable, regardless of past. You goofed up as a teen (who hasn't) and most folks can look beyond that, esp in infosec.


My God that is impressive. You seem like you tried to make it sound easy with your last paragraph. Technically speaking, what were the top three most impactful things you mastered on the journey to where you are?

In terms of employment, have you found it too difficult to make living off of bug bounties? Maybe there's crews that would see you as an asset. Or maybe contract based solo consultation?


One of my main consulting clients is always looking for people who are interested in or experienced in cybersecurity research.

https://www.riverloopsecurity.com/careers/

I can't guarantee anything, but just from what you've written here, I think they'd be interested in a conversation.


Do you know @thedawgyg?

I guess blackmail & fraud are a problem but if it was related to hacking I guess you'll still find a job. It's gonna be hard, but there are companies that care about your hacking skills, not about your past.

> This leads me to believe that I should look for entry-level positions but I've been told I'm overqualified

You sound like a senior pentester if you'd ask me...


Do crypto bug bounties, Saurik just got paid $2 mill for a bug bounty in the ethereum virtual machine (sp?)

No employer needed! Just a willingness to read code at a low level and deep understanding of smart contracts and curiosity to exploit them in seemingly impossible ways. I think you could top Saurik’s bounty with a little more focus and dedication! Try it out and retire early!


Are you sure you want a typical job? To me, you look like an accomplished professional ready to run his own gig either by himself or by employing a handful of people. Find a market niche, work on your personal brand, advertise and get to work! I have no doubt your personal satisfaction will be equal or even greater than working for somebody else via a regular job.


For sure, corporate America is all about background checks so maybe being an independent contractor or consultant is the way forward?


This reads like an elaborate humble-brag. You'll have no problem finding a senior position in cyber security if that's what you want. Like others have mentioned, sounds like you could probably do a lot of good (for the public and yourself) hunting bug bounties.


Where are you based?

Happy to have a chat -- I run VM for a large tech company and have a lot of openings


Doing consulting as has been suggested sounds a good idea.

You could also write a book telling your story (if you're not a talented writer, there's ghost writers to assist) or do a Ph.D. with Ross Anderson and become a security researcher.


Try the other advice for a while, but also consider switching careers. Companies who pay for security are sometimes paranoid and might not like a background like this. What about looking for entry level software development?


pre-apologize if you are looking to move beyond your past and I completely understand/please disregard my suggestion if that is the case... but tbh you sound like an ideal candidate to market _you_ as a brand. I'd keep doing bb and contact the platforms you are working on with your story. bb seems to be all about telling the story of how they can help people move out of doing things illegally and still make great money.

There are also a lot of podcasts/etc that would be happy to have you tell your story. Huge upside to that IMO with reach and sharing to help keep future people out of trouble.


I may be wrong but if he is who I think he is I suspect he may want to keep a lower profile due to the nature of the convictions. I suspect in his case shouting “hey, I did x” loudly on blogs and podcasts may be detrimental.

I truly believe people should be forgiven for past deeds and given the benefit of the doubt. I’m sure he will find good employment and I hope he has a good career in the security industry. He clearly knows his stuff.


I'm not an expert but your best bet is likely to double down on the bug bounty work.

There are people with lesser convictions from further back than you who still have issues finding full time jobs because of background checks.


Apply for the jobs you want. Be honest about your background and circumstances, let them rule you out, don’t rule yourself out before even giving yourself a chance.


Why don't you continue to do white hat hacking, and chase for bug bounties? Why would you ever want to be employed by some corporation?


You might want to apply to work at GiveSendGo. They just had a newsworthy data breach and could probably use your talents.


Was this the TalkTalk hacking case?


Hope the kid receives 1/10th of the luck Dido Harding has in the aftermath...


seems so as the name matches the email he's put here


happy to have a chat with anyone that's interested: danielkelley@email.com


Open a company and offer webinars and get security contracts. Make millions.


Become a developer, never mention your struggles again post hire.


I’ve never worked anywhere that would hire an ex con. Have you?


The vast majority will, some won’t. Some aren’t even allowed to based on their investors, client set or subject matter.

The longer it is in your past, the easier it is to overlook. It’s more about the actual charge than anything. Obviously some charges are harder to justify ignoring.

Source: I’m a felon. Been there, done that.


I have never been asked this question for employment. In my country being forbidden to work in some area is an extra sentence that the judge would impose (it's mostly around being forbidden to manage a company, being elected, or using weapons) and would be checked by the probation officer, not the employer.


It isn't a matter of being forbidden to work in an industry, but rather that some companies may be forbidden to employ you (and even then, the restrictions may only be for certain roles).

Let's ignore the computer/security aspects of this particular situation, and come up with other examples.

If you are convicted of a financial crime, for example, you are not barred from working as an accountant. You can even get a license and work as a CPA.

But some companies may not be able to employ you as an accountant due to your conviction.

And, it is worth noting, you can certainly lose your license if you commit a relevant crime after getting your license (or for failing to report some other felony to the licensing board).

All the above varies considerably in the details between countries, and in the US between states (eg. in some states a conviction for a felony requires a hearing before the certification board before being allowed to take the relevant exam, and the board may not decide in your favor).

Circling back to computers and security, the situation is much more forgiving since there is no relevant licensing barrier; nevertheless, some companies may be restricted from employing people convicted of certain categories of crimes in particular functions: think of having access to a bank's or credit company's customer information and accounts, or a health provider's patient data. But even organizations that are subject to such restrictions have plenty of roles (potentially even security roles) that aren't affected by these restrictions (except by their own internal policies, anyway).


We have a famous example here of someone who is forever forbidden to work around financial markets, that include the IT systems and network equipment.

But I don't think companies here are ever barred to go further than the law. If employees have to be vetted, there is a department in the Ministry of Interior that does just that, they say yes or no without any detail as to why (and there is an appeal process that still doesn't involve the employer).

But here if you cook the books as a CPA, you will probably be barred from the job for at least a few years.


Yes, 100% of the places I worked at didn't care. The USA is a crazy place.

That's what remote work is for


What was your motive?


My first offence occurred when I was 13 years old. I'd chalk it up to inexperience and a lack of ability to anticipate the consequences of my actions. I was really self-absorbed. I'm not the same person I was back then. It has almost been a decade.


Reminds me of a friend from my youth who started out pwning the school computers, and the last time I saw him in person (at age 18) we were in the local Apple store rolling our tits off on E when (without warning) he took down a large domain registrar from the demo laptops and we had to leg it.

Good times.


Things are more joined up than you realise here in the UK. You know it was me who phoned GCHQ?


Totally employable.


employability? lmao

smart employers would kill to get someone like you

I personally know a guy who got convicted at an early age for similar stuff, he never had any trouble finding work, even worked for some governments

any decent security startup would do anything to get you

bro I'm actually jealous

also: freelancing of course, rarely seen background checks for freelancers



